For just US$7500, you can buy access to a botnet of shitty, compromised Internet of Things gadgets that can break the 'net. You've got to know where to look, who to pay, and what digital target to aim at, but still. $10,000 is cheap.
Security company RSA has told Forbes that it had found a few weeks ago a listing on an "underground criminal forum" for a botnet comprised of thousands of hacked computers, available for rent for as little as $US4600 for 50,000 zombie machines capable of taking down individual websites or entire chains of sites. $US7500, or roughly $10,000, doubled that number to 100,000 unknowing attackers.
Over the weekend, a massive coordinated attack on Dyn from the Mirai botnet used IoT devices to take down the domain name service provider for Twitter, Netflix, Spotify, Amazon Web Services and dozens of other major internet sites. The attack, on Dyn's domain name server (DNS) systems, effectively cut off the ability for the company to redirect user requests pointing towards domain names (like www.twitter.com) to the IP addresses that host the sites themselves.
With over 180,000 bots on the network, the IoT swarm is apparently capable of 1 terabit of traffic per second. Access to 50,000 bots would give the buyer a week of roughly 270 gigabits of network traffic from worldwide sources in a DDoS that could take down all but the most resilient providers. DDoS mitigator and protection service Cloudflare says its servers have a total of 10Tbps capability, but is seeing regular attacks in the order of 400Gbps or more occurring with regularity since late January.
Internet-connected smart home devices like fridges, air conditioners, kettles and especially cameras have found unwanted publicity recently as the new darling of botnet builders, and in September an IoT network took down popular information security journalist Brian Krebs' KrebsOnSecurity site. The largest DDoS volume yet, although unverified, is a 1.1Tbps attack on French hosting provider OVH.
IoT devices may be relatively simple compared to a smartphone or laptop, but that also means they can be easier to compromise. Whether a DDoS relies on sheer volumes of internet traffic — reliant on end users' aggregate connection speeds, or having compromised servers in a high-bandwidth data center — or on a Layer 7 attack that overwhelms servers with legitimate file requests by the million, the increasing proliferation and generally poor security of IoT devices is a boon for hackers. And $10,000 is cheap.