The Internet is (once again) awash with IoT botnets delivering record DDoSes
arstechnica.com
THE IDEAL DDOS TOOL

Bigger, badder DDoSes are flooding the Internet. Dismal IoT security is largely to blame.

Dan Goodin, Jan 22, 2025 10:10 am

Credit: Getty Images

We're only three weeks into 2025, and it's already shaping up to be the year of Internet of Things-driven DDoSes. Reports are rolling in of threat actors infecting thousands of home and office routers, web cameras, and other Internet-connected devices.

Here is a sampling of research released since the first of the year.

Lax security, ample bandwidth

A post on Tuesday from content-delivery network Cloudflare reported on a recent distributed denial-of-service attack that delivered 5.6 terabits per second of junk traffic, a new record for the largest DDoS ever reported. The deluge, directed at an unnamed Cloudflare customer, came from 13,000 IoT devices infected by a variant of Mirai, a potent piece of malware with a long history of delivering massive DDoSes of once-unimaginable sizes.

The same day, security company Qualys published research detailing a "large-scale, ongoing operation" dubbed the Murdoc Botnet. It exploits vulnerabilities to install a Mirai variant, primarily on AVTECH cameras and Huawei HG532 routers. Late Tuesday afternoon, searches like this one indicated that devices on more than 1,500 IP addresses were compromised, up from the 1,300 Qualys had reported a few hours earlier. These devices are also waging DDoSes. It's unknown whether Cloudflare and Qualys are reporting on the same botnet.

Last week, security company Trend Micro said it also found an IoT botnet.
The botnet, which is driven by variants of Mirai and a similar malware family known as Bashlite, has been delivering large-scale DDoSes since the end of last year, primarily to targets in Japan.

A report early last week from security firm Infoblox revealed a botnet comprising 13,000 devices, mostly routers manufactured by MikroTik, that researchers likened to a large cannon, poised and ready to unleash a barrage of malicious activities. The primary activity Infoblox has observed from this botnet is a flood of malicious spam emails that attempt to trick recipients into executing malicious file attachments.

On January 7, researchers at China-based security firm Xlab said they've been tracking an IoT botnet since last February. The botnet, named with an offensive term, was mostly unremarkable until later in the year, when it began targeting zero-day and recently fixed n-day vulnerabilities to infect more devices. By November, it was exploiting a zero-day in industrial routers sold by Four-Faith and unknown vulnerabilities in routers sold by Neterbit and in smart home devices from Vimar. The botnet comprises on average 15,000 compromised devices, mostly located in China, the United States, Iran, Russia, and Turkey. Threat actors are using it to wage DDoSes.

IoT devices are an ideal DDoS tool from an attacker's standpoint. They typically ship running a version of Linux that is missing months, if not years, of security updates; infections are difficult to detect; and the devices often have lots of available bandwidth. In 2016, when IoT botnets were a new phenomenon, they were observed delivering DDoSes as high as 1Tbps, a once-unimaginable size.
Cloudflare's revelation on Tuesday that it observed and blocked an IoT botnet delivering a DDoS more than five times bigger indicates that these attacks continue to grow more potent.

A Cloudflare spokesperson said in an email that the attack was delivered not just by IoT devices but also by virtual machines hosted inside cloud environments. The hybrid approach may be one example of the ongoing evolution of botnets in the race to create larger DDoSes.

The most effective way to protect IoT devices from compromise is to replace all default passwords with long, randomly generated ones that are unique to each device. Turning off remote management is also a good move when possible. And as always, installing security updates promptly is a must.
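The advice above can be turned into a repeatable check. The following is an added example written for this article, not code from Cloudflare, Qualys, or any device vendor: it audits a constructed device inventory against a small subset of the factory logins that the original Mirai source code tried over telnet, flags devices that still have remote management enabled, and generates an independent random password per device so that no two devices share a credential. The inventory, device names, and the `audit`/`rotate` function names are all made up for illustration.

```python
"""Audit IoT devices for Mirai-style default credentials and rotate them.

Added example for this article; the inventory below is constructed and the
default-credential list is only a small subset of Mirai's published dictionary.
"""
import secrets
import string

# (user, password) pairs from Mirai's telnet scanner dictionary (subset).
KNOWN_DEFAULTS = {
    ("root", "xc3511"), ("root", "vizxv"), ("root", "admin"),
    ("admin", "admin"), ("root", "888888"), ("root", "default"),
    ("admin", "password"), ("root", "12345"), ("support", "support"),
    ("admin", "1234"), ("root", ""), ("ubnt", "ubnt"),
}

# Constructed inventory (hypothetical devices):
# device id -> (login user, current password, remote management enabled?)
INVENTORY = {
    "cam-lobby-01": ("root", "xc3511", True),          # AVTECH-style default
    "cam-lobby-02": ("admin", "admin", True),
    "rtr-branch-07": ("admin", "Q7v!m2pK9sLw", False),  # already rotated
    "dvr-warehouse": ("root", "", True),                 # blank root password
}

ALPHABET = string.ascii_letters + string.digits + string.punctuation


def is_default(user, password, defaults=KNOWN_DEFAULTS):
    """True if the login is one a Mirai-family scanner would guess."""
    return (user, password) in defaults


def generate_password(length=24):
    """Random password from the OS CSPRNG (secrets), not the random module."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def audit(inventory, defaults=KNOWN_DEFAULTS):
    """Per-device findings: default credentials and remote management state."""
    findings = {}
    for dev, (user, pw, remote) in inventory.items():
        findings[dev] = {
            "default_creds": is_default(user, pw, defaults),
            "remote_mgmt": remote,
        }
    return findings


def rotate(inventory, defaults=KNOWN_DEFAULTS, length=24):
    """Return {device: new_password} for each device still on a default login.

    Each password is drawn independently, so devices never share one; the
    caller is expected to push each value to its device out of band.
    """
    return {
        dev: generate_password(length)
        for dev, (user, pw, _remote) in inventory.items()
        if is_default(user, pw, defaults)
    }


if __name__ == "__main__":
    for dev, f in audit(INVENTORY).items():
        flags = []
        if f["default_creds"]:
            flags.append("DEFAULT CREDENTIALS")
        if f["remote_mgmt"]:
            flags.append("remote management enabled")
        print(f"{dev}: {', '.join(flags) or 'ok'}")
    for dev, pw in rotate(INVENTORY).items():
        print(f"rotate {dev}: {len(pw)}-char replacement generated")
```

Running the script lists the three devices still on factory logins and the three with remote management exposed, then generates a distinct 24-character replacement for each default login. The list here is intentionally short; in practice you would load the full Mirai dictionary (and the vendor-specific defaults for your fleet) and fail the audit on any match, since a single unrotated device is enough to recruit it into a botnet like the ones described above.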