Mammoth new DDoS attacks harness thousands of Internet of Things devices

A new type of DDoS attack is worrying internet security experts and could have serious ramifications for online gambling sites.

Last week, digital security news portal KrebsOnSecurity was knocked offline for 24 hours after an unknown attacker hit the site with what was believed to be a 620-gigabit-per-second (Gbps) distributed denial of service (DDoS) attack, which would make it the largest DDoS attack on record.

Except these attacks were reportedly followed days later by even larger attacks on a French web host. Octave Klaba, founder and CTO of hosting company OVH, reported that his company was hit by two attacks, the first one reaching an astounding 1.1 terabits-per-second (Tbps).

The common thread linking the OVH and KrebsOnSecurity attacks was the use of a botnet that appeared to harness the power of thousands of Internet of Things (IoT) devices, including security cameras and digital video recorders. Klaba estimated that a full-bore attack by this botnet could reach 1.5 Tbps.

Digital security company Akamai Technologies, which was tasked with mitigating the KrebsOnSecurity attack, said the largest attack it had previously encountered had been a mere 363 Gbps. Akamai’s Martin McKeay said this new botnet has “capabilities we haven’t seen before.”

The KrebsOnSecurity attack occurred just days after the site had exposed a DDoS-for-hire service, vDOS, leading to the arrest of the group’s two 18-year-old owners by Israeli police. According to site owner Brian Krebs, there was a single message buried inside each attack packet that hit his site: ‘godiefaggot.’

Akamai’s McKeay told Ars Technica that such monster attacks, while for the moment rare, would soon become more common. “Now that people know those are a possibility, they’re going to start pushing that direction.”

In June, Akamai’s latest State of the Internet Security report revealed that online gambling sites represented 55% of the DDoS targets in Q1 2016. Sports betting sites, which do most of their business around specific events like the Super Bowl and therefore cannot afford to be offline for long, are particularly vulnerable.

Countries that are perpetually at war tend to have better defenses than the Switzerlands of the world, and many larger gambling sites have become very good at mitigating DDoS attacks. But it’s clear that the defenses that worked in the past may need upgrading to deal with ever-escalating threats.