Attacked By A Botnet Army

It may not be too hard to monitor a computer for malware, but how do you tell if your thermostat or your light bulb has been conscripted into a remote-controlled army?

A little over three months ago, seated in a co-working space in Mumbai’s Santa Cruz that houses his travel start-up, Shaunk Modi was faced with a bit of a headache. The Internet connection in the office, and subsequently the productivity of his workforce, had crawled to a standstill over the span of a few hours.

“Mumbai ke sab computer mein virus ghus gaya hai,” (All Mumbai computers have been attacked by a virus) was the helpful response offered by the customer support helpline of his Internet Service Provider (ISP).

Despite the seemingly dubious nature of that explanation, it was not far from the truth: at the time, a number of ISPs across Mumbai were the target of a massive Distributed Denial of Service (DDoS) attack. The Internet equivalent of repeatedly bludgeoning someone with a great big club, a DDoS attack involves directing a large amount of Internet traffic at a specific target, thereby overwhelming the victim’s bandwidth capacity and choking the connection.

Internet users across Mumbai felt the hit as the attack left the networks of major ISPs like Airtel and Tata Communications — as well as numerous smaller operators — reeling from the damage. It took close to a week for normal service to resume.

“Our services were affected very badly,” explains Nikunj Kampani, head of Syscon Infoway, a Mumbai-based ISP. “We filed complaints with the Cyber Crime department, but they have been unable to trace the attackers and have no leads.”

Three months on, the attacks have resumed. “We have been under continuous attack from September 15,” says Kishore Desarda of Gazon, an ISP in Pune with close to 50,000 subscribers. “It is under control for the moment because we have subscribed to certain attack mitigation services. But if the intensity increases, we will be in trouble again.”

To put the scale of the attacks in context, consider that the National Internet Exchange of India (NIXI), which acts as an interconnect point for ISPs, sees peak traffic of about 40 gbps (gigabits per second) at its Mumbai hub. Desarda says that the DDoS attack in July pushed 50–70 gbps of traffic to his company’s network alone.

Syscon, which is also under renewed attack, has also bought itself protection. However, Kampani admits that despite that, his network is compromised by 10–15 per cent.

DDoS attacks are typically perpetrated using an army of malware-infected computers, referred to as a botnet, that can be remotely directed to do its controller’s bidding. The concept is almost as old as the Internet itself. “We’ve received attacks in the past. In 2010, 2011. Almost every other year. But the intensity was so low that we could manage,” says Desarda.

However, the advent of the Internet of Things era has greatly enhanced the peril. A plethora of loosely-secured connected devices have flooded the market, exponentially multiplying the building blocks from which a botnet can be built. It may not be too hard to monitor a computer for malware, but how do you tell when your thermostat or your light bulb has been conscripted into a remote-controlled zombie army?

A simple experiment that highlighted the nature of the threat was conducted recently by Johannes Ullrich, Dean of Research at SANS Technology Institute. Ullrich plugged an old digital video recorder (DVR) into the Internet and monitored it. Within minutes, it was flooded with malicious attacks attempting to enslave it. “Not all attacks were successful,” writes Ullrich in his report of the experiment. “But a couple times an hour, someone used the correct password.”
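The experiment above, and the earlier question of how you would even notice that a thermostat or DVR has been conscripted, point to a check a defender can run on a home or office gateway. The following is an added example, not code from the article or from the SANS experiment it describes. It assumes the gateway exports one connection record per line in the constructed format shown (the field layout, the sample addresses and the thresholds are all assumptions); it counts inbound login attempts per hour on the telnet port, the kind of traffic the DVR saw, and flags destinations the device itself is hammering with outbound traffic, which is what a bot looks like from the inside.

```python
"""Spot a conscripted IoT device from gateway connection logs.

Added example; not from The Hindu article or the SANS experiment.
Log format (assumed, constructed for this example):
    <timestamp> <in|out> <peer-ip> <port> <bytes> <result>
"""
from collections import defaultdict

# Constructed sample log. Inbound lines mimic repeated telnet logins
# against the device; outbound lines mimic the device flooding one host.
SAMPLE_LOG = """\
2016-10-21T10:01:12 in 203.0.113.5 23 120 login_fail
2016-10-21T10:01:13 in 203.0.113.5 23 118 login_fail
2016-10-21T10:01:15 in 203.0.113.5 23 131 login_ok
2016-10-21T10:14:40 in 198.51.100.9 23 122 login_fail
2016-10-21T10:40:02 in 198.51.100.9 23 125 login_ok
2016-10-21T11:02:00 out 192.0.2.77 80 52000000 -
2016-10-21T11:02:01 out 192.0.2.77 80 51000000 -
2016-10-21T11:02:02 out 192.0.2.77 80 53000000 -
2016-10-21T11:05:00 out 93.184.216.34 443 8000 -
"""


def parse_log(text):
    """Parse the six-field records into dicts; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, direction, peer, port, nbytes, result = line.split()
        records.append({
            "ts": ts, "dir": direction, "peer": peer,
            "port": int(port), "bytes": int(nbytes), "result": result,
        })
    return records


def inbound_logins_per_hour(records, port=23):
    """Count failed and successful logins per hour on a management port.

    Any successful login from an address you do not recognise means the
    device's credentials are known to someone else.
    """
    per_hour = defaultdict(lambda: {"fail": 0, "ok": 0, "sources": set()})
    for r in records:
        if r["dir"] != "in" or r["port"] != port:
            continue
        hour = r["ts"][:13]  # "YYYY-MM-DDTHH"
        bucket = per_hour[hour]
        if r["result"] == "login_ok":
            bucket["ok"] += 1
        elif r["result"] == "login_fail":
            bucket["fail"] += 1
        bucket["sources"].add(r["peer"])
    return {
        h: {"fail": b["fail"], "ok": b["ok"], "sources": sorted(b["sources"])}
        for h, b in per_hour.items()
    }


def outbound_flood_suspects(records, min_bytes=100_000_000, min_conns=3):
    """Group outbound traffic by destination and flag likely DDoS targets.

    A light bulb or DVR has no business pushing hundreds of megabytes at a
    single host; thresholds here are assumptions to tune per device.
    """
    totals = defaultdict(lambda: {"bytes": 0, "conns": 0})
    for r in records:
        if r["dir"] != "out":
            continue
        key = (r["peer"], r["port"])
        totals[key]["bytes"] += r["bytes"]
        totals[key]["conns"] += 1
    return sorted(
        (peer, port, t["bytes"], t["conns"])
        for (peer, port), t in totals.items()
        if t["bytes"] >= min_bytes and t["conns"] >= min_conns
    )


def report(text):
    """Run both checks over a log and return the findings together."""
    records = parse_log(text)
    return {
        "logins": inbound_logins_per_hour(records),
        "floods": outbound_flood_suspects(records),
    }


if __name__ == "__main__":
    for section, findings in report(SAMPLE_LOG).items():
        print(section, findings)
```

On the constructed sample the login check reports two successful telnet logins from two different Internet addresses within one hour, and the flood check reports the device sending 156 MB to one host over three connections. Either finding alone is reason to pull the device off the network and change its credentials.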

Last week, access to several major websites including Twitter, The Guardian, Netflix, Reddit and Spotify was disrupted after an attack by a botnet of hundreds of thousands of webcams and DVRs located around the world. These devices were under the control of the Mirai malware, which was also used to attack the website of independent security researcher Brian Krebs in August this year. It was deluged with a torrent of traffic that added up to a little more than 600 gbps — an incredible and unprecedented volume in the history of DDoS attacks. The record lasted less than two months. Last week’s attack topped out at an astounding 1.2 tbps (terabits per second). “The size of the attacks is certainly increasing,” says Ullrich. “There are now more vulnerable Internet-connected devices available for attackers to turn into bots. And these devices now have more and more bandwidth available to them as ISPs provide more bandwidth to consumers.”

The explosion of botnets has led to a situation where complex technical knowledge is no longer a prerequisite to wield these weapons. “There are services available on the Internet where you pay $100–200 and they’ll attack a target of your choosing. It’s almost like DDoS as a service,” explains Desarda. It turns out he quoted too high. A 15-minute saunter through the dark web turns up several services far cheaper — some go as low as $2 for an hour’s worth of unfettered mischief.

Internet service disruptions, as seen in Mumbai, are only the tip of the iceberg as far as the botnet threat goes. A concerted attack could do critical damage to a nation’s digital infrastructure.

India, with its massive population that is slowly beginning to dip its feet into the digital ocean, is particularly vulnerable both as a source and target of these attacks. Ullrich insists that the problem is global, but also adds, “Customers who are more likely to buy lower-cost devices are more likely to buy a vulnerable device. In addition, cheaper devices often offer less support and a shorter support lifetime.”

Unfortunately, the crisis is probably going to get a lot worse before it gets better — if it ever does. Retrieving the hundreds of thousands of already infected devices is a near-impossible errand, and any protection measures that a target adopts can be breached if bombarded with sufficient force. As Bruce Schneier, one of the world’s most renowned network security experts, said in a recent essay on the spate of high-profile DDoS attacks, “What can we do about this? Nothing, really. But this is happening. And people should know.”

Originally published by The Hindu on November 5, 2016.