IoT and DDOS: security advice following the Marai botnet attack on Brian Krebs

A giant botnet made up of zombie internet-connected devices (or IoT devices) was used to strike a massive Distributed Denial-of-Service attack (DDoS) against Brian Krebs’ website, the site of a well-known cybersecurity blogger, last month.

Some have estimated the botnet’s size may have been a million strong.

Worse, as Krebs reported on the 1 Oct:

 “The source code that powers the “Internet of Things” (IoT) botnet responsible for launching the historically large distributed denial-of-service (DDoS) attack against KrebsOnSecurity last month has been publicly released, virtually guaranteeing that the Internet will soon be flooded with attacks from many new botnets powered by insecure routers, IP cameras, digital video recorders and other easily hackable devices.”

This botnet attack showed how poorly secured internet-enabled devices can wreak havoc for websites and providers alike.

It also serves as a reminder to think more broadly about passwords. It has moved way beyond desktops, laptops, tablets and smartphones. In other words, we all would be wise to pull up our bootstraps when it comes to internet devices.

What happened?

What makes this DDoS so unusual is that it was made up of a myriad of internet-connected devices. We’re talking about devices like cameras, thermostats, lighting, baby and health monitors, home security systems – things one wouldn’t normally associate with at risk of being hacked.

The giant botnet, known as Mirai, was designed to scan internet for internet-connected devices, hammer the security with simple or popular passwords like “guest”, “support”, “user” “service” “admin” and “12345.” It seems they even tried having no password.

See the full list on CSO online.

Once a device is compromised, it can be turned into zombie device, where it is redirected to report an unauthorised central controller. This controller can then direct it and other compromised devices into working together to knock a website offline by flooding it with requests.

As previously mentioned, the Mirai DDOS attack was huge.

While “The attack did not succeed thanks to the hard work of the engineers at Akamai, the company that protects my [Kreb’s] site from such digital sieges. But according to Akamai, it was nearly double the size of the largest attack they’d seen previously, and was among the biggest assaults the Internet has ever witnessed,” wrote Krebs.

What can you do?

For device owners:

  • Don’t connect internet-enabled devices to the internet unless you have a specific reason to do so.
  • Always reset passwords before a device is connected to the internet, following recommendations for secure password creation.
  • Ensure every password is unique. Consider using a reputable digital safe for your passwords. Alternatively, create a personal algorithm to help you remember the passwords on different sites.

For web administrators:

  • Set up a network infrastructure that is distributed, hardened, and as secure as possible
  • Secure additional bandwidth with over-provisioning. DDoS attacks play the bandwidth game. The attack is trying to take the site offline, so if you can throw more bandwidth at the problem during the attack, you might be able to stay up and running.
  • Prepare an emergency skeleton version of your website that requires less bandwidth to deliver to users. You might consider removing images, scripts, and so on.
  • Do regular penetration tests on your systems to ensure your risk exposure is as low as possible.
  • Consider using a web application firewall to monitor, filter or block the HTTP traffic to and from a Web application.
  • Contact TBG Security about Penetration Testing and Vulnerability Scanning , as well as their new Red Team service.

About TBG Security Inc.

TBG Security is a leading provider of information security and risk management solutions for Fortune 100 and Fortune 500 companies. TBG designs and delivers cyber security solutions to work in harmony with existing operations. Companies depend on TBG services in areas including risk management, penetration testingsecurity policy developmentsecurity strategies for compliancebusiness continuitynetwork securitymanaged servicessoftware and service integration and incident response.

For more information on how TBG Security can help your organization with your information security initiatives please visit

Previous ArticleOffensive Security Unbound: introducing Red Team Service Next ArticleNYDFS propose new cybersecurity regulations, effective Jan 1 2017. Here’s what you need to know