A distributed denial-of-service (DDoS) attack on an unnamed U.S. college in February, which was recently made public by web application security company Incapsula, has put Internet of Things (IoT) security into the spotlight once again.
Incapsula said the college's network was affected by the massive attack for "54 hours straight," indicating that the offenders are becoming more adept at launching application-layer assaults on vulnerable IoT devices.
"Based on a number of signature factors, including header order, header values and traffic sources, our client classification system immediately identified that the attack emerged from a Mirai-powered botnet," according to an Incapsula spokesperson in a blog post. "Our research showed that the pool of attacking devices included those commonly used by Mirai, including CCTV cameras, DVRs and routers."
Mirai, which mainly targets consumer devices, is malware that turns computer systems running Linux into remotely controlled bots.
According to Redwood Shores, Calif.-based Incapsula, the DDoS bots used in the attack were hiding behind different user agents than the five hard-coded in the default Mirai version. The attack may have exploited open telnet ports and TR-069 ports on the vulnerable IoT devices, said Incapsula.
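The signature factors mentioned above (header order, header values and traffic sources) can be illustrated with a small defensive heuristic. This is an added example, not Incapsula's classifier: it flags a header order that many source addresses reuse under many different User-Agent strings, which suggests one client stack rotating its user agent. The thresholds, function names, addresses and agent strings are all assumptions constructed for the illustration.

```python
from collections import defaultdict

def parse_head(raw):
    """Return (ordered tuple of lower-cased header names, User-Agent value)."""
    names, agent = [], ""
    for line in raw.split("\r\n")[1:]:      # skip the request line
        if not line:                        # blank line ends the header block
            break
        name, sep, value = line.partition(":")
        if not sep:
            continue                        # malformed line, ignore it
        name = name.strip().lower()
        names.append(name)
        if name == "user-agent":
            agent = value.strip()
    return tuple(names), agent

def shared_order_clusters(requests, min_agents=3, min_sources=3):
    """Flag header orders reused by many sources under many User-Agent strings.

    requests: iterable of (source_ip, raw_request_head).
    Returns {header_order: (distinct_agents, distinct_sources)}.
    Thresholds are illustrative assumptions, not tuned values.
    """
    agents, sources = defaultdict(set), defaultdict(set)
    for ip, raw in requests:
        order, agent = parse_head(raw)
        agents[order].add(agent)
        sources[order].add(ip)
    return {o: (len(agents[o]), len(sources[o])) for o in agents
            if len(agents[o]) >= min_agents and len(sources[o]) >= min_sources}

def make_head(headers):
    """Build a raw GET request head from an ordered list of (name, value)."""
    return "GET / HTTP/1.1\r\n" + "".join(f"{n}: {v}\r\n" for n, v in headers) + "\r\n"

# Constructed sample traffic: documentation IP ranges and made-up agent strings.
SAMPLE = [
    (f"203.0.113.{i}", make_head([("User-Agent", f"ExampleAgent/{i}.0"),
                                  ("Host", "www.college.example"),
                                  ("Connection", "keep-alive"), ("Accept", "*/*")]))
    for i in range(1, 5)
] + [
    (f"192.0.2.{10 + i}", make_head([("Host", "www.college.example"),
                                     ("Connection", "keep-alive"),
                                     ("User-Agent", f"ExampleBrowser/{i}.0"),
                                     ("Accept", "text/html")]))
    for i in range(1, 3)
]

if __name__ == "__main__":
    for order, (n_agents, n_sources) in shared_order_clusters(SAMPLE).items():
        print(" > ".join(order), f"agents={n_agents} sources={n_sources}")
```

A real deployment would combine this with header values and source reputation, since a single shared header order can also come from a popular legitimate client library.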
The DDoS attack on the U.S. college could indicate that IoT attacks are being modified to launch more elaborate – and larger – application-layer attacks, according to Incapsula.
"Ever since the Mirai source code was made public last year, we’ve seen offenders continue to evolve the malware’s capabilities to expand its range and launch more elaborate and impactful assaults," said the Incapsula spokesperson.
Security vulnerabilities in IoT devices were underscored in October when a DDoS attack – which was launched through IoT devices including webcams, routers and video recorders – overwhelmed servers at Dynamic Network Services, taking down up to 1,200 websites.
The frequency of DDoS attacks increased in 2016 due in part to IoT botnets, according to information service provider Neustar. The Sterling, Va.-based company said it mitigated 40 percent more DDoS attacks from January through November compared with the same span last year.
Neustar warned that as botnet code assemblies are published, dangerous new DDoS developments will continue to emerge, such as persistent device enrollment, which enables botnet operators to maintain control of a device even after it's rebooted.