Major public events with an online presence — like political or IT conventions and sports championships — can be targets for criminals or attention-seekers, so CISOs don’t like to tip off potential attackers how they defend their networks.
However, after an event vendors sometimes give a peek at what went on. That’s the case with Arbor Networks, whose denial of service mitigation products were used by last month’s 2016 Rio Olympic Games to help protect the IT infrastructure.
In a blog Wednesday the company said the network faced DDoS attacks leveraging an Internet of Things-based botnet before and during the Games, peaking at 540 Gb/sec, against public-facing properties and organizations affiliated with the Olympics such as Brazilian banks and telcos.
“A large proportion of the attack volume consisted of UDP reflection/amplification attack vectors such as DNS, chargen, ntp, and SSDP, along with direct UDP packet-flooding, SYN-flooding, and application-layer attacks targeting Web and DNS services,” the company said.
The particular botnet used is called LizardStresser, the company outlined in a separate blog. The code for it was released last year by the developer(s), allowing others who want to launch DDoS attacks to build a botnet of their own. Some are using IoT devices — including Webcams — to build a network by taking advantage of the shared default passwords many of these devices have. The LizardStresser framework includes the ability to scan random IP addresses and a brute-force password-guessing capability that also includes a list of passwords to try first.
Some of those include the usual suspects, like admin, password, 1234, user, guest, login. Somehow the IT industry has to find a way to ensure organizations can’t use these and other obvious passwords on hardware.
Typically the botnet’s client runs on compromised Linux machines which connect to a hardcoded command and control server. The protocol is essentially a lightweight version of IRC chat. Infected clients will connect to the server and receive commands.
“The threat actors appeared to quickly evolve their tactics minute-by-minute, switching between a HOLD flood to UDP flooding and TCP flooding with a variety of flags,” says Arbor. “This was likely the threat actors tuning their attacks for maximum impact. The UDP-based portions of the attack were further characterized as originating from UDP high-ports to destination port UDP/443 with a packet size of ~1400 bytes.”
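As an added illustration (not Arbor’s code or anything from the article), the following Python routine labels constructed flow records with the vectors named in the two quotes above: reflection replies are recognized by the amplifier’s well-known UDP source port, and the direct flood by its high-source-port-to-UDP/443, roughly 1,400-byte packet profile. The record fields and sample values are assumptions.

```python
"""Flow-record triage for the DDoS vectors described above (added example)."""
from collections import defaultdict

# UDP source ports of the reflection/amplification services the article names.
AMPLIFIER_PORTS = {53: "DNS", 19: "chargen", 123: "NTP", 1900: "SSDP"}


def classify(flow):
    """Return a label for one flow record (dict with proto/sport/dport/bytes/pkts/flags)."""
    proto, sport, dport = flow["proto"], flow["sport"], flow["dport"]
    if proto == "UDP":
        if sport in AMPLIFIER_PORTS:
            # Amplifier replies arrive with the service port as the *source* port.
            return "udp-reflection/" + AMPLIFIER_PORTS[sport]
        avg_pkt = flow["bytes"] / flow["pkts"]
        if sport >= 1024 and dport == 443 and 1300 <= avg_pkt <= 1500:
            # High source port -> UDP/443 with ~1400-byte packets: the direct flood profile.
            return "udp-flood/443"
        return "udp-other"
    if proto == "TCP" and flow["flags"] == "S":
        # SYN-only flows that never complete the handshake.
        return "syn-flood"
    return "benign/other"


def summarize(flows):
    """Aggregate bytes per vector so the dominant vector can be read off."""
    totals = defaultdict(int)
    for flow in flows:
        totals[classify(flow)] += flow["bytes"]
    return dict(totals)


def flow(proto, sport, dport, bytes_, pkts, flags=""):
    return {"proto": proto, "sport": sport, "dport": dport,
            "bytes": bytes_, "pkts": pkts, "flags": flags}


# Constructed sample records, not real telemetry.
SAMPLE_FLOWS = [
    flow("UDP", 53, 443, 3_000_000, 2_000),      # DNS reflection replies
    flow("UDP", 1900, 80, 900_000, 600),         # SSDP reflection replies
    flow("UDP", 40211, 443, 1_400_000, 1_000),   # direct UDP flood, ~1400 B packets
    flow("TCP", 51000, 80, 60_000, 1_000, "S"),  # SYN flood
    flow("TCP", 52000, 443, 50_000, 40, "SA"),   # ordinary session
]

if __name__ == "__main__":
    for label, total in sorted(summarize(SAMPLE_FLOWS).items()):
        print(f"{label:24s} {total:>10d} bytes")
```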
LizardStresser is becoming the “botnet-du-jour for IOT devices,” Arbor warns, because it is easy for threat actors to make minor tweaks to its telnet scanning. “With minimal research into IOT device default passwords, they are able to enlist an exclusive group of victims into their botnets.”