How the ‘Internet of unpatchable things’ leads to DDoS attacks

For at least the past year there have been repeated warning to makers of Internet-connected devices about the insecurity of their platforms. Another came today in a report from Akamai Technologies’ threat research team, which has delved into a recent burst of distributed attacks leveraging IoT devices.

In this case they are SSHowDowN Proxy attacks using a 12-year old vulnerability in OpenSSH.

“We’re entering a very interesting time when it comes to DDoS and other web attacks — ‘The Internet of Unpatchable Things’ so to speak,” Eric Kobrin, Akamai’s director of information security, said in a statement. “New devices are being shipped from the factory not only with this vulnerability exposed, but also without any effective way to fix it. We’ve been hearing for years that it was theoretically possible for IoT devices to attack. That, unfortunately, has now become the reality.”

Akamai emphasizes this isn’t a new vulnerability or attack technique. But it does show a continued weakness in many default configurations of Internet-connected devices.

These particular attacks have leveraged video surveillance cameras and digital recorders, satellite antenna equipment, networking devices (including routers, switches, Wi-Fi hotspots and modems) and Internet-connected network attached storage. They are being used to mount attacks on any Internet targets as well as internal networks that host connected devices.

Unauthorized SSH tunnels were created and used, despite the fact that the IoT devices were supposedly hardened and do not allow the default web interface user to SSH into the device and execute commands, Akamai said. Then attackers used to conduct a mass-scale HTTP-based credential stuffing campaigns against Akamai customers.

It offers this mitigation advice to infosec pros:

–if possible configure the SSH passwords or keys on devices and change those to passwords or keys that are different from the vendor defaults;

–configure the device’s SSH service on your device and either add “AllowTcpForwarding No” and “no-port-forwarding” and “no-X11-forwarding” to the ~/ssh/authorized_ keys file for all users, or disable SSH entirely via the device’s administration console;

–if the device is behind a firewall, consider disabling inbound connections from outside the network to port 22 of any deployed IoT devices, or disabling outbound connections from IoT devices except to the minimal set of ports and IP addresses required for their operation.

It also urges device vendors to

–avoid shipping Internet-connected devices with undocumented accounts;

–disable SSH on devices unless absolutely required for normal operations;

–force users to change factory default account credentials after initial installation;

–configure SSH to disallow TCP Forwarding;

–and to provide a secure process for end-users to update SSHD configuration

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@]

Featured Article

ADaPT connects employers with highly skilled young workers

Help wanted. That’s what many tech companies across Canada are saying, and research shows that as the demand for skilled workers...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now