DDoS: Internet-of-Things Likely to Fuel More Disruptive Attacks

October 27, 2016

TLP: WHITE | The NJCCIC assesses with high confidence that botnets formed by compromised ‘internet-of-things’ (IoT) devices will almost certainly lead to more frequent, more disruptive distributed denial of service (DDoS) attacks, many of which will initially lack a clear motive behind the selection of targets. While state-sponsored actors may utilize these capabilities along with other offensive tactics, we assess it is more likely that non-state actors such as politically-motivated hacktivists, profit-driven criminals, hobbyist hackers within the video game community, and terrorist groups or their sympathizers, will employ these tactics against government and private industry targets. The rapid growth of IoT hardware coming online—Gartner estimates there will be 20.8 billion devices by 2020—combined with the pervasive lack of security and the increasing availability of hacking tools and tactics to exploit them, has significantly lowered the barriers and reduced the costs, resources, and technical capability needed to conduct large-scale disruptive attacks.

  • Last Friday, one of the largest DDoS attacks on record resulted in a major disruption of the Domain Name Service (DNS) provider Dyn, whose DNS services act as a switchboard that connects internet users to websites, including many high-traffic services such as Twitter, PayPal, and Amazon Web Services. According to cybersecurity analysts at Flashpoint, the devices used in the attack were primarily commercial-grade hardware such as network-connected security cameras and digital video recording (DVR) systems, many of which are over a decade old. Flashpoint has assessed the incident was likely the work of non-state hackers who frequent the online forum hackforums[.]net. Flashpoint also confirmed that some of the infrastructure used in the attack was attributed to the Mirai malware; this followed the release of the Mirai source code earlier this month and a report that the number of devices compromised had nearly doubled to 493,000.
  • On September 20, 2016, the investigative journalist Brian Krebs’ security blog was targeted by a DDoS attack that reached 620 gigabits per second. Around the same timeframe, a French web hosting service, OVH, was targeted by a series of DDoS attacks that reportedly exceeded 1.1 terabits per second. Both of these attacks were attributed to botnets comprised of devices infected by the Mirai malware, which scans the internet for IoT devices with default or hardcoded passwords, similar to the Bashlite malware that has enlisted almost one million devices into botnets.


The NJCCIC recommends organizations consider contracting a backup DNS provider to maintain continuity in the event of an attack on primary DNS infrastructure. In the case of last week’s attack on Dyn, the companies whose websites were inaccessible could have mitigated the impact if a secondary DNS provider was available as a failover mechanism. In addition, the NJCCIC strongly advises all organizations establish Business Continuity, Disaster Recovery and Incident Response Plans that include DDoS protections through Internet Service Providers (ISP) or a third-party firm that specializes in DDoS mitigation. While these services do not guarantee that attacks will not result in outages, most organizations are not capable of defending against the many varieties of attack tactics on their own.

To prevent IoT hardware from being compromised and used to conduct attacks, users and administrators should:

  • Ensure all default passwords are changed to strong passwords.
  • Update IoT devices with security patches as soon as updates are released.
  • Disable Universal Plug and Play (UPnP) on routers unless it is necessary for business operations.
  • Discontinue the use of vulnerable IoT devices that have not been patched by the vendor.

For additional information, please see the following resources:

Traffic Light Protocol: WHITE information may be distributed without restriction.