Anatomy of an IoT Botnet Attack

The Fastly security team is focused on leveraging our network intelligence to proactively defend the modern web. We took a look at some of the more recent (and troubling) threats on the internet, and found that the emerging IoT market is under attack. Internet-connected devices are being churned out of factories and infected by malware, or malicious code, at an alarming rate. Armies of compromised IoT devices immediately try to enroll new devices, join a botnet, and participate in large-scale DDoS attacks. As a result, we’ve recently seen some of the biggest DDoS attacks in history against journalist Brian Krebs and Dyn, launched by a massive IoT botnet of hundreds of thousands of infected devices.

Just how big of a problem is this? We did an analysis of the anatomy of an IoT botnet attack, all the way down to the individual device level – and exposed some interesting data:

  • On average, an IoT device was infected with malware and had launched an attack within 6 minutes of being exposed to the internet.

  • Over the span of a day, IoT devices were probed for vulnerabilities 800 times per hour by attackers from across the globe.

  • Over the span of a day, we saw an average of over 400 login attempts per device, an average of one attempt every 5 minutes; 66 percent of them on average were successful.

The majority of attacks were automated attacks run by malicious scripts targeting common IoT devices such as DVRs, IP cameras, and NVRs (network video recorders). The most common malware dropped was intended for IoT and other devices, including processors, as well as hardware platforms used by the automotive industry, electronic meters, healthcare, and more. The scope of these attacks goes far beyond IP cameras and home routers.

Meanwhile, attackers were distributed around the world, with the top 5 locations being:

  • 13.5% coming from China

  • 9.9% coming from Brazil

  • 8.6% coming from Republic of Korea

  • 7.1% coming from Vietnam

  • 5.8% coming from India

The recent Mirai attacks have focused attention on the threat that IoT places on the broader internet. As 6.4 billion devices come online, that’s a lot of firepower. Presently, thinking in the security community is that IoT vendors created this mess with fully capable Linux-based computers on those devices together with a handful of default usernames and passwords that the bots simply guess at. This enables attackers and now malware to log in, upload arbitrary botnet code, and begin attacks.

Companies and consumers who are running these devices, or anyone deploying the devices, such as broadband providers, need to take some responsibility to keep the hardware from being used in attacks. They need to change the default passwords and disable logins from the open internet. In the long term, however, security standards will need to come into play. To accomplish this, the industry will need to establish requirements for devices to be sold or installed. Big broadband equipment vendors and industry groups like CableLabs are a natural place to work together to address this issue. If not, we’ll possibly see the FCC take a role, although enforcing rules on millions of devices won’t be an easy task, if it comes to that. Such regulations are also under discussion in Europe. But we’ve got to figure it out. If we don’t do something to keep attackers from turning all these devices into DDoS weapons we’ll see more sites go dark. And nobody wants that.

In our next post, we’ll take a look at how manufacturers have responded to these threats — we took a couple of IoT devices for a spin to see how they fared on the internet.

Interested in more from the Fastly security team? Stay up to date on our blog.

Jose Nazario, PhD
Senior Director of Security Research

3 min read

Want to continue the conversation?
Schedule time with an expert
Share this post
Jose Nazario, PhD
Senior Director of Security Research

Jose Nazario is a Senior Director of Security Research at Fastly, where he manages security research and WAF engineering. Dr. Nazario joined Fastly after several years in cybersecurity contract research, where he tackled a number of open challenges in the space. Prior to this he managed the ASERT team at Arbor Networks. His research interests include large-scale network data projects.

Ready to get started?

Get in touch or create an account.