A map showing how internet access across the east coast was affected by a massive DDoS on DNS provider Dyn on Friday. Experts say the likes of Twitter and Amazon can do more to ease the pain for end users.
Think Friday’s massive outage was bad? Worse is expected, as hackers are selling access to a huge army of hacked Internet of Things (IoT) devices designed to launch attacks capable of severely disrupting web connections, FORBES has learned. The finding was revealed just days after compromised cameras and other IoT machines were used in an attack that took down Twitter, Amazon Web Services, Netflix, Spotify and other major web companies.
In what is a first for the security company, RSA discovered in early October hackers advertising access to a huge IoT botnet on an underground criminal forum, though the company declined to say which one. (F-Secure chief research officer Mikko Hypponen said on Twitter after publication that it was the Tor-based Alpha Bay market). “This is the first time we’ve seen an IoT botnet up for rent or sale, especially one boasting that amount of firepower. It’s definitely a worrying trend seeing the DDoS capabilities grow,” said Daniel Cohen, head of RSA’s FraudAction business unit.
The seller claimed they could generate 1 terabit of traffic. That would almost equal the world record DDoS attack, which hit French hosting provider OVH earlier this month at just over 1 terabit. For $4,600, anyone could buy 50,000 bots (compromised devices under the attackers' control), whilst 100,000 cost $7,500. Together, those bots combine their resources to overwhelm targets with data, in what's known as a distributed denial of service (DDoS) attack.
Cohen said he didn't know if the botnet for hire was related to Mirai, the epic network of weaponized IoT computers used to swamp Dyn, a domain name system (DNS) provider and the chief target of Friday's attack, with traffic.
RSA uncovered a botnet for hire, made up of IoT devices like connected cameras and fridges. It could generate an astonishing amount of power, the company warned.