Today a vast army of hijacked internet-connected devices – from security cameras and video recorders to home routers – turned on their owners and broke a big chunk of the web.
Compromised machines, following orders from as-yet unknown masterminds, threw massive amounts of junk traffic at servers operated by US-based Dyn, which provides DNS services for websites large and small.
The result: big names including GitHub, Twitter, Reddit, Netflix, Airbnb and so on, were among hundreds of websites rendered inaccessible to millions of people around the world for several hours today.
We’re told gadgets behind tens of millions of IP addresses were press-ganged into shattering the internet – a lot of them running the Mirai malware, the source code to which is now public so anyone can wield it against targets.
- Dyn’s chief strategy officer Kyle York told The Register by phone that devices behind tens of millions of IP addresses were attacking his company’s data centers.
- A lot of this traffic – but not all – is coming from Internet-of-Things devices compromised by the Mirai botnet malware. This software nasty was used to blast the website of cyber-crime blogger Brian Krebs offline in September, and its source code and blueprints have leaked online. That means anyone can set up their own Mirai botnet and pummel systems with an army of hijacked boxes that flood networks with junk packets, drowning out legit traffic.
- One online tracker of Mirai suggests there are at least 1.2m Mirai-infected devices on the internet, with at least 173,000 active in the past 24 hours.
- Mirai spreads across the web, growing its ranks of obeying zombies, by logging into devices using their default, factory-set passwords via Telnet and SSH. Because no one changes their passwords on their gizmos, Mirai can waltz in and take over routers, CCTV cameras, digital video recorders, and so on.
- York said the waves of attacks were separate and distinct – there are multiple bot armies out there now smashing systems offline. “We’re expecting more,” he added.
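The spreading behaviour described above (logins with factory-set passwords over Telnet and SSH) leaves a recognisable trace on a device that logs authentication. The following is an added example, not code from The Register or from this post: it assumes OpenSSH-style syslog lines, covers SSH only, and the sample log, thresholds and the `analyze` function name are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in OpenSSH syslog format (not taken from the article).
SAMPLE_LOG = """\
Oct 21 11:10:01 dvr sshd[411]: Failed password for root from 203.0.113.7 port 40112 ssh2
Oct 21 11:10:03 dvr sshd[412]: Failed password for invalid user admin from 203.0.113.7 port 40120 ssh2
Oct 21 11:10:05 dvr sshd[413]: Failed password for invalid user support from 203.0.113.7 port 40131 ssh2
Oct 21 11:10:08 dvr sshd[414]: Accepted password for root from 203.0.113.7 port 40140 ssh2
Oct 21 11:30:00 dvr sshd[420]: Failed password for root from 198.51.100.9 port 51000 ssh2
Oct 21 12:05:00 dvr sshd[431]: Accepted password for root from 198.51.100.9 port 51044 ssh2
"""

LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def analyze(log_text, window=timedelta(seconds=60), min_users=3, year=2016):
    """Flag sources that fail logins for several accounts inside `window`,
    and note whether a password login then succeeded from the same source."""
    failures = defaultdict(list)  # ip -> [(time, user)] of recent failed logins
    report = {}                   # ip -> {"users": set, "accepted_after": bool}
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # not a password result line
        # syslog timestamps carry no year; `year` is an assumption
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        ip = m["ip"]
        # drop failures that have aged out of the sliding window
        recent = [(t, u) for t, u in failures[ip] if ts - t <= window]
        if m["result"] == "Failed":
            recent.append((ts, m["user"]))
            users = {u for _, u in recent}
            if len(users) >= min_users:
                entry = report.setdefault(ip, {"users": set(), "accepted_after": False})
                entry["users"] |= users
        elif ip in report and recent:
            # a success right after a multi-account burst: treat the device as compromised
            report[ip]["accepted_after"] = True
        failures[ip] = recent
    return report
```

A source with `accepted_after` set is the case that matters most: the device should be taken offline, reset and given a non-default password before it is reconnected.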
It is well known that the Internet of Things (IoT) has very poor security. It could be improved if people would simply change the default password and manufacturers wrote in a mandatory password change on a timed basis. Not a cure-all, but an improvement. But El Reg can say it better:
El Reg [ed. The Register] has been banging on about IoT security for ages: Mirai is now targeting cellular gateways. Not enough is being done to patch insecure gadgets. Do gizmos need some sort of security-warning labels? The blame here is not with Dyn. It is not even with the owners of the hijacked devices.
It lies with the botnet operators – and, perhaps more crucially, the dimwit IoT manufacturers who crank out criminally insecure hardware that can be compromised en masse. Particularly China-based XiongMai Technologies, which produces vulnerable software and hardware used in easily hijacked IP cameras, digital video recorders and network-attached video recorders. These crappy devices were at the core of today’s attacks, according to Flashpoint.
Until there is a standards crackdown, and vulnerable devices are pulled offline, this will continue on and on until there is no internet left.