Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Network Security

IoT Botnet Targets Olympics in 540Gbps DDoS Attacks

The 2016 Rio Olympics weren’t all about the games, but also about overcoming some of the largest distributed denial of service (DDoS) attacks, Arbor Networks researchers reveal.

The 2016 Rio Olympics weren’t all about the games, but also about overcoming some of the largest distributed denial of service (DDoS) attacks, Arbor Networks researchers reveal.

This year’s Olympic games, which took place in Brazil, were targeted by sustained, sophisticated, large-scale DDoS attacks reaching up to 540 Gigabits per second (Gbps) fueled by an Internet of Things (IoT) botnet, coupled with a few other botnets. The attacks, researchers say, were directed towards public-facing properties and organizations affiliated with the Olympics.

According to Arbor Networks, many DDoS attacks were going on for months before the Olympics kicked off, some in the tens of Gbps or the hundreds of Gbps ranges. However, the DDoS activity intensified as soon as the actual games started, and “the longest-duration sustained 500gb/sec-plus DDoS attack campaign” was observed.

“By any metric, the Rio Olympics have set the bar for rapid, professional, effective DDoS attack mitigation under the most intense scrutiny of any major international event to date,” the Arbor Networks researchers say.

A single IoT botnet was responsible for most of the pre-Olympics attacks, while help received from other botnets allowed it to fuel the record-breaking DDoS campaign. The botnet, Arbor Networks reveals, is none other than LizardStresser, which was already known to abuse IoT devices to launch DDoS attacks upwards of 400Gbps.

The malware that creates the botnet was written in C, was designed to run on Linux, and had its source code leaked online in early 2015. After DDoS actors decided to build botnets using the leaked code, researchers observed intensified activity related to LizardStresser, including an increased number of unique command and control (C&C) servers.

The Olympics-related DDoS attacks used UDP reflection/amplification vectors to power a large portion of the attack volume. DNS, chargen, ntp, and SSDP were the main vectors, but direct UDP packet-flooding, SYN-flooding, and application-layer attacks targeting Web and DNS services were also observed.

In addition to their Olympic-grade size and the use of an IoT-powered botnet, these attacks had another distinctive feature: they were leveraging the less-familiar Generic Routing Encapsulation (GRE) IP protocol, which is used for unencrypted ad-hoc VPN-type tunnels, researchers say.

DDoS attacks leveraging lesser-known protocols were observed in late 2000 in an attempt to bypass router ACLs, firewall rules, and other forms of DDoS defense that took into account only the three most used protocols, namely TCP, UDP, and ICMP.

The attacks observed during the 2016 Rio Olympics also generated significant amounts of GRE traffic as the attack methodology has been incorporated into the LizardStresser IoT botnet. The use of this old technique is a novelty, but researchers suggest that it won’t be too long before other botnets-for-hire and ‘booter/stresser’ services add GRE to their repertoires.

Moreover, uncomplicated, high-volume packet-floods destined for UDP/179 were also observed, and researchers say that this might have been intended to masquerade an attack on the BGP routing protocol used to weave Internet-connected networks together. Many UDP reflection/amplification attacks target UDP/80 or UDP/443 so that defenders would believe that the attackers are using TCP instead (TCP/80 – used for non-encrypted Web servers, and TCP/443 – for SSL-/TLS-encrypted Web servers), and the same evasion technique might have been employed in these attacks as well.

“BGP runs on TCP/179; the irony is that one of the few best current practices (BCPs) actually implemented on a significant proportion (not all!) Internet-connected networks is to use infrastructure ACLs (iACLs) to keep unsolicited network traffic from interfering with BGP peering sessions,” the security researchers explain.

Despite the sophistication and scale of these attacks, nobody noticed them (except for the security teams engaged in mitigating them, of course), the security firm says. “The stunning victory of the extended DDoS defense team for the 2016 Rio Olympics demonstrates that maintaining availability in the face of large-scale, sophisticated and persistent DDoS attacks is well within the capabilities of organizations which prepare in advance to defend their online properties,” Arbor Networks concludes.

Related: MIT Network Under Frequent DDoS Assault: Report

Related: DDoS Attacks Abuse TFTP for Reflection and Amplification

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Cyberwarfare

Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Network Security

NSA publishes guidance to help system administrators identify and mitigate cyber risks associated with transitioning to IPv6.

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Cybersecurity Funding

Forward Networks, a company that provides network security and reliability solutions, has raised $50 million from several investors.

Network Security

Attack surface management is nothing short of a complete methodology for providing effective cybersecurity. It doesn’t seek to protect everything, but concentrates on areas...

Network Security

Cisco patched a high-severity SQL injection vulnerability in Unified Communications Manager (CM) and Unified Communications Manager Session Management Edition (CM SME).

Cybersecurity Funding

Network security provider Corsa Security last week announced that it has raised $10 million from Roadmap Capital. To date, the company has raised $50...

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...