Renting an IoT botnet is probably less expensive than you think. IoT botnets are the new Flavor of the Month when it comes to cyber attack services for sale on underground forums. Last year we looked at hacking services available for hire on several crimeware sites and found that having a hacker create your own personal botnet would run you about $500. Following the global impact of the Mirai botnet and the fact that the number of active IoT devices is on the rise, we wondered how the underground botnet-for-hire market has changed. So we browsed several sites on the dark web to take a closer look. Here’s what we found.
IoT botnets are advertised in two different ways:
1 – IoT botnet setup services
Botnet setup services themselves are nothing new. Bad guys have been creating botnets since the early days of the internet, but in the past, these botnets were made up of PCs. Now they can be made up of IoT devices as well, so there’s a much larger pool of potential zombie bots in existence. The sellers advertise the ability to exploit and install an executable on a certain number of hosts for a fee. Sometimes this executable is a “homebrew” that the buyer has made themselves, but more commonly it’s botnet malware that the buyer obtained on a separate marketplace. Prices range from $0.25 to $1 per host, with minimum orders of around 50-100. Once the botnet is set up, the seller turns it over to the buyer to do whatever they want with it.
2 – IoT botnet hosted “stressers” and “booters”
As with botnet setup services, stressers, or distributed denial of service (DDoS) attacks, have been around for a while. Stressers are usually advertised using the layer of the OSI model that their attacks use. Botnet-based stressers are usually layer-4 or layer-7 attacks. In a layer-4 attack, botnet hosts drain resources on the target with a flood of new connections or by abusing transport-layer protocols. The Mirai botnet, for example, operated as a layer-4 attack by flooding the victim with GRE packets, a type of packet that would normally be used to create a point-to-point link over the internet. In a layer-7 attack, botnet hosts saturate bandwidth with application data like a large file download or upload. Both of these types of attacks require a huge number of hosts to be effective against a protected target.
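From the defender's side, the layer-4 and layer-7 patterns described above can be told apart in flow records by counting distinct sources per destination. The following is an added example, not part of the original article; the record fields, thresholds and addresses are assumptions constructed for illustration.

```python
from collections import defaultdict

GRE, TCP = 47, 6   # IANA IP protocol numbers
SYN_ONLY = "S"     # flow saw a SYN and nothing else: the connection never completed

def classify_window(flows, min_sources=50, min_l7_bytes=500_000_000):
    """Label each destination seen in one time window of flow records.

    flows: iterable of dicts with src, dst, proto, flags, bytes (assumed schema).
    Thresholds are assumed values for illustration; tune them per network.
    """
    stats = defaultdict(lambda: {"gre": set(), "syn": set(), "app": set(), "app_bytes": 0})
    for f in flows:
        s = stats[f["dst"]]
        if f["proto"] == GRE:
            s["gre"].add(f["src"])
        elif f["proto"] == TCP and f["flags"] == SYN_ONLY:
            s["syn"].add(f["src"])
        elif f["proto"] == TCP:
            s["app"].add(f["src"])
            s["app_bytes"] += f["bytes"]
    verdicts = {}
    for dst, s in stats.items():
        labels = []
        if len(s["gre"]) >= min_sources:
            labels.append("layer-4: GRE flood")
        if len(s["syn"]) >= min_sources:
            labels.append("layer-4: new-connection flood")
        # Many sources AND high volume: one client's big download is not an attack.
        if len(s["app"]) >= min_sources and s["app_bytes"] >= min_l7_bytes:
            labels.append("layer-7: application-data flood")
        verdicts[dst] = labels or ["normal"]
    return verdicts

def sample_flows():
    """Constructed flow records using documentation address ranges, not real traffic."""
    flows = []
    for i in range(60):   # 60 hosts sending GRE to one target
        flows.append({"src": f"198.51.100.{i}", "dst": "192.0.2.10", "proto": GRE, "flags": "", "bytes": 512_000})
    for i in range(80):   # 80 hosts opening connections that never complete
        flows.append({"src": f"203.0.113.{i}", "dst": "192.0.2.20", "proto": TCP, "flags": "S", "bytes": 60})
    for i in range(70):   # 70 hosts each pulling 10 MB of application data
        flows.append({"src": f"198.51.100.{100 + i}", "dst": "192.0.2.30", "proto": TCP, "flags": "SAPF", "bytes": 10_000_000})
    # One legitimate client doing a single 4 GB transfer.
    flows.append({"src": "203.0.113.200", "dst": "192.0.2.40", "proto": TCP, "flags": "SAPF", "bytes": 4_000_000_000})
    return flows

if __name__ == "__main__":
    for dst, labels in sorted(classify_window(sample_flows()).items()):
        print(dst, labels)
```

The single-source 4 GB transfer is labelled normal even though it moves more bytes than the 70-host flood, which is why the check keys on source count as well as volume.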
Dark web merchants are advertising IoT botnet stressers similarly to traditional Windows-based stressers. Clients can purchase access to the stresser service for a period ranging from a day to several months. Within their service period, clients can launch a limited number of attacks per day with a guaranteed minimum duration ranging from a few minutes to a few hours. Some stresser services offer lifetime access with unlimited attacks for a much higher price, allowing rich buyers to execute DDoS attacks on a whim. Prices for these botnets range from a few hundred dollars for a short attack window to several thousand for larger IoT botnets.
Blast From the Past
Renting or buying an IoT botnet works just like renting or buying an old PC botnet. Their speeds are also similar. The only difference we found was an increase in popularity of IoT botnets – most likely due to high-profile attacks in the news. One marketplace we researched actually banned the sale of DDoS-as-a-service, evidently because they were getting too much heat. Outside of these underground marketplaces, we’re seeing a lot more requests for free tips and assistance in setting up IoT botnets as well.
Creating a DDoS attack seems very complex from an outside perspective, but the reality is that even an amateur can buy one of these attacks for a few hundred dollars for any reason, or no reason at all. Scary!
For more information on IoT botnets, see some of WatchGuard CTO Corey Nachreiner’s videos on the Mirai botnet and its creator.