Internet Performance Delivered right to your inbox

The Big One is Coming: Reaper Botnet Grows in the Shadows

Researchers with security firms Check Point and Qihoo 360 Netlab have been monitoring a new botnet for the past two months. Dubbed IoT_Reaper, they estimate its current size to be a staggering two million infected devices made up mostly of IP-based security cameras, network video recorders, digital video recorders, and routers from companies such as GoAhead, D-Link, TP-Link, Avtech, Netgear, MikroTik, Linksys, and Synology. Based on their observations, the botnet is continuing to grow and has infected devices worldwide.

Not only is Reaper much larger in scale than what we’ve seen before, it’s more advanced as well. Rather than using weak or default credentials to access open Telnet ports, Reaper exploits numerous vulnerabilities in different IoT devices to forcibly take over unpatched devices, and add them to its command and control infrastructure. Exploits are continuously added, and the infrastructure is expanding to accommodate new bots. Researchers also believe Reaper is able to “evolve” by adding new exploits and spreading the malware to devices as they come online, which is how it’s been able to grow so quickly.

Performing a simple math exercise, the botnet that took OVH offline with a 1+ Tbps DDoS attack appeared to made up of about 150,000 IoT cameras. This means that each infected IoT device was capable of generating about 7 Mbps of DDoS attack traffic on average. If the IoT_Reaper botnet is made up of over 2 million IoT devices, and if each device is capable of generating 7 Mbps of DDoS attack traffic, that means the botnet may be capable of generating upwards of 14 Tbps of attack traffic. That’s enough DDoS traffic to take a smaller country offline in some cases.

Reaper has yet to be leveraged to execute any attacks, and the intentions are unclear, but one thing is for sure: it’s not sitting there for nothing. Attacks of previously unseen magnitude are perched on the horizon, lying in wait to wreak havoc on a scale we haven’t seen before. Perhaps this time next year we’ll be preparing in advance of a 5 million device botnet. With the IoT market growing, there is seemingly no limit to how far this can go.

What can organizations do to prepare for Reaper and ensure they are not part of the problem?

  1. Make sure you have DDoS defenses in place BEFORE an attack occurs.
  2. Ensure that your cloud-based DDoS solution provider has enough bandwidth to thwart a massive attack.
  3. Ensure that no vulnerable IoT devices are connected to the Internet, that you’re responsible for.
  4. Run a vulnerability scan against all of your IoT devices; ideally with a third-party using the latest techniques so nothing is missed.
  5. Patch your vulnerable IoT systems and keep checking for any new patches from IoT manufacturers.
  6. Scan again to make sure nothing was missed.

Oracel Dyn can help. Visit here to learn how our cybersecurity suite can help to defeat DDoS attacks, manage your bots, and prevent harmful malware from infiltrating your systems.


Share Now

Whois: Rebecca Carter

Rebecca Carter is a Product Marketing Manager at Oracle Dyn Global Business Unit, a pioneer in managed DNS and a leader in cloud-based infrastructure that connects users with digital content and experiences across a global internet.