FBI Cyber Bulletin: Denial of Service Attack Against DNS Host Highlights Vulnerability of Internet of Things Devices

Distributed Denial of Service Attack Against Domain Name Service Host Highlights Vulnerability of “Internet of Things” Devices

Page Count: 4 pages
Date: October 26, 2016
Restriction: TLP: GREEN
Originating Organization: Federal Bureau of Investigation, Cyber Division
File Type: pdf
File Size: 574,670 bytes
File Hash (SHA-256): D3A49C035DDE083CE5ED3FCD0E93877D56E01CF93EBEA0D45D98C3F965CE656C

Download File

The exploitation of the “Internet of Things” (IOT) to conduct small-to-large scale attacks on the private industry will very likely continue due to the open availability of the malware source codes for targeting IoT devices and insufficient IoT device security.


On 21 October 2016, a domain name service (DNS) host and Internet management company for more than 80 Web sites experienced at least two waves of a distributed denial of service (DDoS) attack by botnets comprised of Internet of Things (IoT) devices believed to be infected with a variation of the Mirai malware. Despite certain groups claiming responsibility in open source, the FBI does not have any confirmation of a group or individuals responsible for the DDoS.

Malware Source Code Availability Enables IoT DDoS Attacks

In late September 2016 the hacker operating the Mirai botnet released its source code online – leading to the use of the malware by cyber actors to create botnets and launch independent DDoS attacks. The Mirai malware primarily targets the IoT devices such as routers, digital video records, and webcams/security cameras by exploiting their use of default usernames and passwords and coordinating them into a botnet used to conduct DDoS attacks.

Recent reporting demonstrates that botnets comprised of IoT devices can be used to conduct unprecedented and powerful attacks that can take down Web sites. Additionally, in September 2016, two of the largest IoT DDoS attacks using the same malware disrupted the operations of a gaming server and computer security blogger Web site.

Computer security researchers over the past several months have identified dozens of new malware variants targeting Linux operating systems. The emergence of malware targeting Linux devices is likely based on the large number of mobile and IoT devices running exclusively on the Linux operating system. Most of the Linux malware variants scan the Internet for IoT devices that accept Telnet, which is used to log into a device remotely, and try to connect to vulnerable devices by using brute force attacks with common default login credentials.


The FBI suggests precautionary measures to mitigate a range of potential DDoS threats and IoT compromise to include, but are not limited to:

  • Have a DDoS mitigation strategy ready ahead of time and keep logs of any potential attacks.
  • Implement an incident response plan that includes DDoS mitigation and practice this plan before an actual incident occurs. This plan may involve external organizations such as your ISP, technology companies that offer DDoS mitigation services, and law enforcement. Ensure that your plan includes the appropriate contacts within these external organizations. Test activating your incident response team and third party contacts.
  • Implement a data back-up and recovery plan to maintain copies of sensitive or proprietary data in a separate and secure location. Backup copies of sensitive data should not be readily accessible from local networks.
  • Review reliance on easily identified Internet connections for critical operations, particularly those shared with public facing Web servers.
  • Ensure upstream firewalls are in place to block incoming UDP packets.
  • Change default credentials on all IoT devices.
  • Ensure that software or firmware updates are applied as soon as the device manufacturer releases them.

Share this: