IoT Botnet Uses HTTP Traffic to DDoS Targets

The IoT botnet behind some of the largest publicly recorded DDoS attacks is flooding its targets with HTTP traffic, generating more than one million requests per second in some cases, in order to bring down web applications.

The attacks were recorded prior to the release of the source code fueling the Mirai malware, which scans the public Internet for IoT devices guarded by weak or default credentials and corrals them into a giant botnet.

Researchers at Cloudflare today published a report on two recent attacks that illustrate a shift away from SYN- and ACK-flood attacks aimed at the TCP/IP stack (Layers 3 and 4) toward HTTP-based attacks at Layer 7, the application layer.

Reports of volumetric DDoS attacks from IoT devices peaked with the takedown of Krebs on Security, where traffic exceeded 620 Gbps. Cloudflare said in its report that requests per second is another indicator of the size of these attacks, alongside the inbound bandwidth they generate against a targeted web server. The distinction matters because every request has to be parsed and answered by the application, so a flood of tiny requests can exhaust a web server well before it saturates a network link.

Cloudflare said it tracked two attacks of this kind that topped out at more than 1 million HTTP requests per second. One peaked at 1.75 million requests per second; the attackers, Cloudflare said, used more than 52,000 IP addresses to send short HTTP requests of 121 bytes each to the targets. At that size, 1.75 million requests per second amounts to only about 1.7 Gbps of request payload before packet overhead, a small fraction of the Krebs attack's bandwidth but a crushing load for an application. After analyzing the traffic, Cloudflare found that hundreds of autonomous systems (ASes) were sources of the attack, with the largest contributors in Ukraine and Vietnam.

“These attacks are a new trend, so it’s not fair to blame the AS operators for not cleaning up devices participating in them,” Cloudflare said in its report. “Having said that, the Ukrainian ISP and Vietnamese AS45899 seem to stand out.”

The second attack differed in that the payloads were buried in longer HTTP requests, Cloudflare said. It peaked at 360 Gbps of inbound HTTP traffic, a figure Cloudflare said was unusually large. The requests resembled the sample below:

[Screenshot of a sample request from the second attack; image not reproduced here]

“It’s the long payload sent after the request headers that allowed the attackers to generate substantial traffic. Since this attack we’ve seen similar events with varying parameters in the request body,” Cloudflare said. “Sometimes these attacks came as GET requests, sometimes as POST. Additionally, this particular attack lasted roughly one hour, with 128,833 unique IP addresses.”
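The two attacks described above have distinct fingerprints in a web server's own access log: the first is a very high request rate spread over tens of thousands of sources, each sending tiny requests; the second is a comparable rate of requests that each carry a long body. The following is an added example, not Cloudflare's code or data, of bucketing an access log per second and flagging both profiles. It assumes a constructed log format in which the server appends the request size in bytes as the last field, uses constructed sample lines drawn from the RFC 5737 documentation address ranges, and uses arbitrary thresholds (20 requests per second, 1024-byte request size) that a real deployment would tune to its own baseline.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Assumed log format for this example (constructed; not a real server's log):
#   <client-ip> [<dd/Mon/yyyy:HH:MM:SS>] "<METHOD> <path> HTTP/1.x" <status> <request-bytes>
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<req_bytes>\d+)$'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S"


def parse_line(line):
    """Return the fields of one log line, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ip": m["ip"], "ts": m["ts"], "method": m["method"],
            "path": m["path"], "req_bytes": int(m["req_bytes"])}


def analyze(lines, rps_threshold, size_cutoff):
    """Bucket requests per second and flag the two flood profiles.

    Flags per second:
      request-rate      requests in that second reach rps_threshold
      oversized-bodies  more than half of the requests exceed size_cutoff bytes
    max_share is the fraction of the second's requests sent by its single
    busiest client. In a flood spread over tens of thousands of sources it sits
    near 1/unique_ips, which is why per-IP rate limits never trigger: the
    signal is the aggregate rate and the request-size profile, not any one IP.
    """
    buckets = defaultdict(lambda: {"ips": Counter(), "bytes": 0,
                                   "oversized": 0, "methods": Counter()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than crash on hostile input
        b = buckets[rec["ts"]]
        b["ips"][rec["ip"]] += 1
        b["bytes"] += rec["req_bytes"]
        b["methods"][rec["method"]] += 1
        if rec["req_bytes"] > size_cutoff:
            b["oversized"] += 1

    report = {}
    for ts in sorted(buckets, key=lambda t: datetime.strptime(t, TS_FORMAT)):
        b = buckets[ts]
        requests = sum(b["ips"].values())
        flags = []
        if requests >= rps_threshold:
            flags.append("request-rate")
        if b["oversized"] * 2 > requests:
            flags.append("oversized-bodies")
        report[ts] = {
            "requests": requests,
            "unique_ips": len(b["ips"]),
            "inbound_bytes": b["bytes"],
            "oversized": b["oversized"],
            "max_share": max(b["ips"].values()) / requests,
            "methods": dict(b["methods"]),
            "flags": flags,
        }
    return report


def _line(ip, ts, method, path, req_bytes, status=200):
    """Build one log line in the assumed format (used only to construct samples)."""
    return f'{ip} [{ts}] "{method} {path} HTTP/1.1" {status} {req_bytes}'


# Constructed sample traffic (RFC 5737 documentation addresses, hypothetical timestamps).
SAMPLE_LOG = (
    # a quiet second: a few ordinary page loads
    [_line(f"203.0.113.{i}", "11/Oct/2016:10:38:00", "GET", "/index.html", 350)
     for i in range(1, 4)]
    # profile 1: many distinct sources, each sending one tiny 121-byte request
    + [_line(f"198.51.100.{i}", "11/Oct/2016:10:38:01", "GET", "/", 121)
       for i in range(1, 41)]
    # profile 2: fewer sources, but every request drags a long body behind its headers
    + [_line(f"192.0.2.{i}", "11/Oct/2016:10:38:02", "POST", "/", 4096)
       for i in range(1, 31)]
    + ["garbage line that should be ignored"]
)

if __name__ == "__main__":
    for ts, row in analyze(SAMPLE_LOG, rps_threshold=20, size_cutoff=1024).items():
        print(ts, row)
```

On the constructed sample, the quiet second raises no flag, the 121-byte flood raises only the request-rate flag while moving under 5 KB, and the long-body flood raises both flags with roughly 25 times the inbound bytes from fewer sources. In both flood seconds max_share stays at one request per source, the reason per-IP throttling is the wrong tool against traffic from tens of thousands of compromised cameras.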

Cloudflare said that in both attacks the attackers relied heavily on closed-circuit television (CCTV) cameras that expose a web interface on port 80, many of them on hosts in Vietnam.

“Although the most recent attacks have mostly involved Internet-connected cameras, there’s no reason to think that they are likely the only source of future DDoS attacks,” Cloudflare said. “As more and more devices (fridges, fitness trackers, sleep monitors, …) are added to the Internet they’ll likely be unwilling participants in future attacks.”

The release of the Mirai source code is also likely to ramp up attacks of this kind. The malware continuously scans the Internet for IoT devices such as routers, IP cameras and DVRs, logs in to those that still use default, weak or hard-coded credentials, and forces them to join the botnets used in these DDoS attacks. No software vulnerability is needed: the devices are taken over with the passwords they shipped with.

Experts are concerned that IoT devices will continue to be compromised and used in large-scale attacks. Most of the devices are easily found online, and few can support additional protections such as encryption for data in transit or have an automated update mechanism for patching.

“These types of attacks have already superseded [traditional DDoS attacks],” said Arbor Networks engineer Roland Dobbins. “IoT botnets are not an upcoming threat. I’m not concerned about the future; I’m concerned about the past. If I could wave a magic wand, I would make it so there are no unsecured embedded devices out there. We still have a huge problem; we still have tens of millions of these devices out there.”