How infected IoT devices are used for massive DDoS attacks

One of the largest and most devastating distributed denial-of-service, or DDoS, attacks to date used a mix of infected computers and internet-connected security cameras to take down a prominent news website Tuesday.

One of the largest and most devastating distributed denial-of-service attacks to date shows how a mix of infected computers and internet-connected devices is giving attackers more firepower than ever before.  

Cybersecurity journalist Brian Krebs first became aware Sept. 20 of a massive 665 gigabits-per-second DDoS attack hitting his website, exhausting the bandwidth of the site’s content delivery network and host provider, Akamai. Largely due to excessive mitigation costs, Akamai forced Krebs on Security offline, leaving him to find another partnership.

The hack is significant beyond the damage it caused to Krebs’ blog because it illustrates a lack of even basic digital security measures in many currently deployed Internet of Things devices, explained Rami Essaid, CEO of Distil Networks, a San Francisco-based cybersecurity firm that specializes in stopping botnet-style attacks.

The hacker practice of leveraging a network of infected computers to launch powerful DDoS attacks is nothing new. What is a relatively new phenomenon, Essaid told FedScoop, is the use of compromised internet-connected devices like smartphones, live cameras and routers to augment the attack’s size.


Over the last 5 years, these weaponized IoT DDoS-based attacks have become more common, as many IoT devices share common operating systems, which can carry known, unpatched or easily discoverable software flaws. 

Existing cybersecurity for these internet-connected devices pales even in comparison to traditional computers, said Essaid — in some cases, for instance, malware is not needed to breach these newer IoT systems.

Once a hacker has access to an IoT device, they can use bots to search the web for other similar models — some of which may be insecurely connected and already publicly viewable on the internet — before employing the same exploit on numerous systems. The result is an easily acquired yet large-scale attack force that can confuse a defender because of its unique behavior and irregular IP signature.

Though the number of connected devices is expected to exceed 50 billion by the year 2020, roughly 70 percent of the most commonly used Internet of Things devices continue to contain software vulnerabilities, according to a 2014 Hewlett Packard study.

IoT-centric DDoS attacks are no more powerful than traditional attacks that rely solely on infected computers. According to Essaid, the danger lies in the opportunity inherent in a massive library of security-deficient devices that can be easily discovered, exploited and weaponized to disrupt or damage services.


“I think the biggest lesson here is that these IoT developers need to improve their thinking about their cybersecurity,” Essaid said. 

Written by Chris Bing

Christopher J. Bing is a cybersecurity reporter for CyberScoop. He has written about security, technology and policy for the American City Business Journals, DC Inno, International Policy Digest and The Daily Caller. Chris became interested in journalism as a result of growing up in Venezuela and watching the country shift from a democracy to a dictatorship between 1991 and 2009. Chris is an alumnus of St. Mary's College of Maryland, a small liberal arts school based in Southern Maryland. He's a fan of Premier League football, authentic Laotian food and his dog, Sam.