Rio Games faced olympic-sized DDoS attacks

Major public events with an online presence — like political or IT conventions and sports championships — can be targets for criminals or attention-seekers, so CISOs don’t like to tip off potential attackers how they defend their networks.

However, after an event vendors sometimes give a peek at what went on. That’s the case with Arbor Networks, whose denial of service mitigation products were used by last month’s 2016 Rio Olympic Games to help protect the IT infrastructure.

In a blog post Wednesday the company said the network faced DDoS attacks of up to 540 Gb/sec, leveraging an Internet of Things-based botnet, before and during the Games against public-facing properties and organizations affiliated with the Olympics such as Brazilian banks and telcos.

“A large proportion of the attack volume consisted of UDP reflection/amplification attack vectors such as DNS, chargen, ntp, and SSDP, along with direct UDP packet-flooding, SYN-flooding, and application-layer attacks targeting Web and DNS services,” the company said.

The particular botnet used is called LizardStresser, the company outlined in a separate blog post. The code for it was released last year by its developer(s), allowing others who want to launch DDoS attacks to build a botnet of their own. Some are using IoT devices — including Webcams — to build a network by taking advantage of the shared default passwords many of these devices have. The LizardStresser framework includes the ability to scan random IP addresses and a brute-force password-guessing capability that comes with a list of passwords to try first.

Some of those include the usual suspects, like admin, password, 1234, user, guest, login. Somehow the IT industry has to find a way to ensure organizations can’t use these and other obvious passwords on hardware.

Typically the botnet’s client runs on compromised Linux machines which connect to a hardcoded command and control server. The protocol is essentially a lightweight version of IRC chat. Infected clients will connect to the server and receive commands.

“The threat actors appeared to quickly evolve their tactics minute-by-minute, switching between a HOLD flood to UDP flooding and TCP flooding with a variety of flags,” says Arbor. “This was likely the threat actors tuning their attacks for maximum impact. The UDP-based portions of the attack were further characterized as originating from UDP high-ports to destination port UDP/443 with a packet size of ~1400 bytes.”
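As an added illustration (not from the article or from Arbor), the detection logic below applies the two traffic traits quoted above to a handful of constructed UDP flow records: reflection traffic arriving from the DNS, chargen, NTP and SSDP service ports, and direct floods from high source ports to UDP/443 with packets of about 1400 bytes. The record layout, the volume threshold and the sample values are assumptions.

```python
"""Classify constructed UDP flow records against the traits Arbor described:
reflection/amplification from DNS, chargen, NTP and SSDP source ports, and
direct UDP floods from high ports to UDP/443 with ~1400-byte packets.
The sample records are constructed for illustration, not real Rio traffic."""
from collections import Counter

# Well-known UDP source ports of the reflection vectors named in the article
REFLECTION_PORTS = {53: "DNS", 19: "chargen", 123: "NTP", 1900: "SSDP"}

# Constructed flow records: (src_port, dst_port, packets, bytes)
SAMPLE_FLOWS = [
    (53, 40123, 8000, 8000 * 1200),     # DNS reflection: large answers to a victim high port
    (1900, 40123, 3000, 3000 * 350),    # SSDP reflection
    (51234, 443, 20000, 20000 * 1400),  # direct UDP flood from a high port to UDP/443
    (44321, 443, 15000, 15000 * 1400),  # same pattern, second source port
    (53, 53412, 2, 2 * 120),            # ordinary DNS reply: tiny, low volume
    (50001, 443, 30, 30 * 1300),        # QUIC-like traffic: too few packets to be a flood
]

def classify(flow, min_pkts=1000):
    """Return a label for one UDP flow, or None if it matches neither trait."""
    src, dst, pkts, nbytes = flow
    if pkts < min_pkts:
        return None  # too little volume to be part of a flood (threshold is an assumption)
    avg = nbytes / pkts
    if src in REFLECTION_PORTS:
        # Replies from an amplifier service port, far more of them than a client asked for
        return f"reflection/{REFLECTION_PORTS[src]}"
    if src >= 1024 and dst == 443 and 1300 <= avg <= 1500:
        # High source port, destination UDP/443, packets of roughly 1400 bytes
        return "direct-udp-flood/443"
    return None

def summarize(flows, min_pkts=1000):
    """Count flagged flows per label and total the bytes attributed to each."""
    counts, volume = Counter(), Counter()
    for f in flows:
        label = classify(f, min_pkts)
        if label:
            counts[label] += 1
            volume[label] += f[3]
    return counts, volume

if __name__ == "__main__":
    counts, volume = summarize(SAMPLE_FLOWS)
    for label in counts:
        print(f"{label}: {counts[label]} flows, {volume[label]} bytes")
```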

LizardStresser is becoming the “botnet-du-jour for IOT devices,” Arbor warns, because it is easy for threat actors to make minor tweaks to its telnet scanning. “With minimal research into IOT device default passwords, they are able to enlist an exclusive group of victims into their botnets.”


Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com
