report / May 10, 2017

THE HUNT FOR IoT: The Networks Building Death Star-Sized Botnets

by Sara Boddy, Justin Shattuck

How in the world do Death Star-sized botnets come about? Attackers don’t possess such immense power on their own; they must commandeer it. That means they’re perpetually on the hunt for vulnerable IoT devices that they can compromise.

F5 Labs and our data partner, Loryka, have been monitoring this hunt for over a year now. In our first report, DDoS’s Newest Minions: IoT Devices, we proved what many security experts had long suspected: IoT devices were not only vulnerable, they were already being heavily exploited to pull off large, distributed denial-of-service (DDoS) attacks.

Data collected throughout the remainder of 2016 shows an even steeper growth in “the hunt” than we had imagined. The annual growth rate was 1,473%, with a clear spike in Q4—1.5 times the combined volume in Q1 through Q3. This isn’t surprising, given the timing of the Mirai botnet. And while the number of participating networks in the second half of 2016 stayed relatively flat at 10%, the number of unique IP addresses participating within those networks grew at a rate of 74%. Clearly, threat actors within the same networks have increased their activity.

Explosive Growth in IoT Attacks

So, who exactly is involved in the IoT hunt? Here are some key findings of this report:

  • Networks in China (primarily state-owned telecom companies and ISPs) headlined the threat actor list, accounting for 44% of all attacks in Q3 and 21% in Q4.
  • Trailing behind China, the top threat actors in Q3 were Vietnam and the US, and Russia and the UK in Q4. (The UK surprisingly jumped to third place in Q4 with most activity coming from an online gaming network.)
  • Russia, Spain, the US, and Turkey were the top 4 targeted countries (in that order) in Q3 and Q4.
  • Russia, at 31% in Q3 and 40% in Q4, was the number one target of all top 50 source countries.

What can concerned enterprises do to deal with the IoT threat?

  • Have a DDoS strategy that can support attack sizes beyond your network capacity.
  • Ensure all of your critical services have redundancy, even those you outsource.
  • Put pressure on IoT manufacturers to secure their products, and don’t buy products that are known to be insecure or compromised.
  • Share your knowledge—about vulnerable devices, attacks and threat actors, successful mitigation efforts, and potential solutions—with other security professionals.

To see the full version of this report, click “Download” below.


MODIFIED: Aug 07, 2017
