Major DDoS Attacks Involving IoT Devices

November 03, 2016
Suggested Reading


Recently, a series of massive (Distributed Denial-of-Service) DDoS [1] attacks have occurred. They were mainly propagated through compromised Internet of Things (IoT) devices and targeted Brian Kreb's website, "Krebs on Security", OVH, a known Web hosting provider, and "Dyn", a well-established DNS [2] provider. These massive attacks have highlighted the risks resulting from inadequate security mechanisms in Internet of Things (IoT) devices, together with their devastating effects on the Internet itself. This note provides an overview of these attacks through a series of suggested articles.

The Attacks

On 20 September 2016, "" became the target of a massive DDoS attack that eventually knocked the site offline. The site was initially protected from this attack by Akamai, the website's digital security service provider. The company decided to withdraw its pro bono protection shield, since the magnitude of the attack (approximately 620Gbps) was too vast to bear it without affecting other customers. Akamai's analysis indicated the use of a large botnet of compromised IoT devices. Upon Akamai's protection withdrawal, the website went offline until Google offered its DDoS attack mitigation service, Project Shield, to revive it. Brian Krebs provides more information on the attack through his blog.

OVH, a well-known Web hosting provider, was also a victim of an even more massive DDoS attack than the one that hit "Krebs on Security". According to a tweet from OVH founder Octave Klaba on 22 September 2016, a simultaneous DDoS attack of 990Gbps (combined) was launched by a botnet consisting of more than 145,000 compromised IoT devices (IP cameras and DVRs). OVH reported that it withstood the attack and provided more information in a long and detailed Q&A blog post.

Right after the DDoS attacks against "" and OVH, a user on a hacking forum released the source code of a malware dubbed "Mirai". The malware targets unprotected IoT devices and turns them into bots. The attacker is then able to launch a DDoS attack commanding all bots through a central command & control server as done in common botnets. As noted by Brian Krebs in his blog post on Mirai, in which he claims that Mirai is connected to the attack against his own website, this source code release will soon trigger more DDoS attacks leveraging on insecure IoT devices. A technical analysis of Mirai is available by "MalwareMustDie".

On 21 October 2016, the DNS provider Dyn, experienced a massive DDoS attack and initially claimed that the attack originated from tens of millions of IP addresses around the world (Sophos NakedSecurity referenced Mirai's source code to challenge that claim). A later update from Dyn, noted that malicious endpoints were actually estimated to be around 100,000. The attack caused issues to certain users trying to reach popular websites such as Twitter, Amazon, Tumblr, Reddit, Spotify and Netflix throughout that day. According to Dyn's information on the Incident part of the attack involved IoT devices infected by the Mirai botnet. After several hours and several waves of attacks Dyn resolved the incident. The nature and source of the attack is under ongoing investigation.

What Did The Press Say - What Can Be Done About It?

TrendMicro published a good article regarding the security issues of the IoT ecosystem underscoring that security has not been a priority for IoT manufacturers and vendors, leading to serious security incidents.

NakedSecurity published an article that highlights the shared characteristics of the recent cyber-attacks that involve IoT devices, and provides general security recommendations that might also apply to IoT.

Addressing IoT security can often be challenging as highlighted by Flashpoint, a security company. According to its investigation on the recent large-scale DDoS attacks it is not possible to change the default credentials of particular IoT devices since they are hard coded in the devices, something that constitutes a bad security practice and leaves the devices vulnerable indefinitely.

On the aftermath of these attacks, a manufacturer whose devices were involved in the attacks has started recalling some of them to rectify the issue.

Following up on technological advancements and cyber security demands, the European Commission is preparing a new legislation to protect smart devices and IoT. It aims to create rules that will force companies to meet certain security standards and go through multi-faceted certification processes before they make their products available to the market.

ENISA is actively working in the area of IoT and Smart Infrastructures and has already published reports [3] that highlight the security challenges of this evolving field as well as provide good practices and recommendations.


As reported by Bruce Schneier in September 2016, the past two years several internet infrastructure companies have been targeted by DDoS attacks. According to him "someone is extensively testing the core defensive capabilities of the companies that provide critical Internet services", and the recent massive DDoS attacks might elaborate on that statement. Having witnessed the disruptive power of compromised IoT devices, these DDoS incidents also highlight the need to address IoT security issues. These devices seem to be a low hanging fruit for cyber-attacks introducing a new attack vector to potential attackers.

About "Suggested Reading" from ENISA

With the "Suggested Reading" series ENISA aims at giving the interested reader guidance on controversial and inscrutable NIS related discussions that are carried out in Media, by suggesting selected pre-reviewed articles that in our view explain the issue at hand and related circumstances in a reasonable and understandable manner. This view is derived from past experiences and common sense; in no way should "Suggested Reading" be understood as recommended course of action in a specific incident or investigation, or being a final conclusion. Feel free to get in touch with ENISA to discuss or inquire more information to the "Suggested Reading" series (


[1] A DoS (Denial-of-Service) attack refers to the attempt to overload and knock offline a service by sending more traffic to the corresponding server than it can handle. When the attack's scale becomes large (usually by employing botnets) the attack is called a Distributed Denial-of-Service (DDoS) attack.

[2] DNS refers to Domain Name System and it is responsible for translating human-friendly Web sites to IP addresses in order to route Internet traffic accordingly.

[3] - Architecture model of the transport sector in Smart Cities

- Cyber Security and Resilience of Intelligent Public Transport

- Security and Resilience of Smart Home Environments

We use cookies on our website to support technical features that enhance your user experience.
We also use analytics. To opt-out from analytics, click for more information.

I've read it More information