There are two sides to every story, a flip side to every coin and a dual threat for every DDoS botnet. You might not be ultra-aware of it since distributed denial of service attack articles and warnings tend to focus on the threat presented to website owners. Understandably so, since a successful DDoS attack is a devastating thing for a website and business.
But what about the other half of the equation: all those hijacked devices being used in botnets? You could be walking around with a cyber weapon in your pocket right now and have no idea.
Even botnets have gone mobile
It used to be that botnets were made up of infected computers. Which means it used to be that if you knew your computer was properly secured and were careful with your internet habits, you could rest pretty well assured that your machine wasn’t being used to launch DDoS attacks.
But now our devices with internet connections extend well beyond computers, and any so-called smart device with a connection – collectively known as the Internet of Things or IoT – has the potential to be hijacked and used in a botnet. Mobile phones are very much at risk due to how frequently we use them, especially for things like downloading files or installing apps, compared to how well-secured they are, which is typically not well at all.
Strength in numbers
The sheer number of unprotected or poorly protected devices available to attackers is a problem because the bigger the botnet, the more damage it can easily inflict. One of the largest (to date) DDoS attacks took place on September 23rd and came courtesy of a mobile botnet made up of devices like low-powered cameras, blasting security journalist Brian Krebs and knocking his website offline for days with an attack that topped a staggering 620 Gbps. The same mobile botnet went on to cripple French hosting provider OVH with a 1 Tbps attack.
Avoiding the peer pressure of a botnet
With a few simple steps you can make great strides towards keeping your devices out of a mobile botnet. Firstly, don’t download any apps on your Android device that do not originate from the Google Play Store. No matter how badly you want to play Pokemon Go in some obscure location.
Even if you’re downloading from the Google Play Store, make sure you stick with apps that are both popular and verified. Read the permissions as well and only allow them if they don’t seem excessive. If an app for helping you pick a baby name requires permission to access your camera, something funny might be going on.
A couple of other seemingly obvious but important tips: don’t let your kids use your phone or tablet. Not only is this a fast pass to getting your devices broken or smeared with peanut butter, but they probably don’t know what to avoid when it comes to installations. A cheapo tablet with limited connectivity will do the trick for entertaining your brood. And lastly, change your device’s default password. According to security blogger Graham Cluley, a total of 60 weak passwords can unlock upwards of 500,000 IoT devices.
And now, for the website owners
Website owners and organizations essentially have two choices when it comes to distributed denial of service attacks coming from mobile botnets. Count on the general public to secure those six billion devices in the IoT, or invest in professional DDoS protection.
Professional DDoS protection like the kind provided by leading online security firm Incapsula can keep attack traffic from ever reaching the target website or server, inspecting traffic at a granular level and letting legitimate traffic through without any hint of an issue. With a strong enough network of data centers and scrubbing servers, even a tremendous attack like those levied at Brian Krebs and OVH can be handled without the network being bogged down.
Perhaps best of all, cloud-based DDoS mitigation is scalable and much more affordable than on-premise solutions.
Mobile botnets are a potential problem for almost literally everyone, doubly so for website owners who own internet-connected devices. But by being aware, following a few easy tips and taking distributed denial of service attacks seriously enough to proactively procure protection, the issue of mobile botnets can roll right off your back.