The Hunt for IoT: The Networks Building Death Star-Sized Botnets

With a growth rate of 1,473% in 2016, the hunt for vulnerable IoT devices rages on...
May 10, 2017
40 min. read


How in the world do Death Star-sized botnets come about? Attackers don’t possess such immense power on their own; they must commandeer it. That means they’re perpetually on the hunt for vulnerable IoT devices that they can compromise.

F5 Labs and our data partner, Loryka, have been monitoring this hunt for over a year now. In our first report, DDoS’s Newest Minions: IoT Devices, we proved what many security experts had long suspected: IoT devices were not only vulnerable, they were already being heavily exploited to pull off large, distributed denial-of-service (DDoS) attacks.

Data collected throughout the remainder of 2016 shows even steeper growth in “the hunt” than we had imagined. The annual growth rate was 1,473%, with a clear spike in Q4, which alone carried 1.5 times the combined volume of Q1 through Q3. This isn’t surprising, given the timing of the Mirai botnet. And while the number of participating networks in the second half of 2016 grew by a relatively modest 10%, the number of unique IP addresses participating within those networks grew by 74%. Clearly, threat actors within the same networks have increased their activity.
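The distinction drawn above, between a flat count of participating networks and a sharply rising count of unique IPs inside them, only shows up if scan traffic is aggregated at both levels. The following is an added example, not F5 Labs or Loryka code; it rolls constructed honeypot-style records (period, source IP) up to per-period unique networks and unique IPs and computes the growth between two periods. The prefix-to-owner table stands in for an ASN or whois lookup and uses documentation address ranges, so every name in it is assumed.

```python
"""Aggregate scan records into per-period network and IP counts plus growth.

Added example, not F5 Labs / Loryka methodology. All records, prefixes and
network owner names below are constructed for illustration.
"""
from collections import Counter, defaultdict
import ipaddress

# Constructed sample records: (period, source IP) of inbound scan attempts,
# as a honeypot or perimeter firewall might log them.
SAMPLE_RECORDS = [
    ("2016H1", "203.0.113.5"), ("2016H1", "203.0.113.9"),
    ("2016H1", "198.51.100.2"),
    ("2016H2", "203.0.113.5"), ("2016H2", "203.0.113.9"), ("2016H2", "203.0.113.77"),
    ("2016H2", "198.51.100.2"), ("2016H2", "198.51.100.40"),
    ("2016H2", "192.0.2.1"),
]

# Constructed prefix -> owner table standing in for an ASN/whois lookup.
NETWORK_TABLE = {
    ipaddress.ip_network("203.0.113.0/24"): "AS64500 ExampleTelecom",
    ipaddress.ip_network("198.51.100.0/24"): "AS64501 ExampleISP",
    ipaddress.ip_network("192.0.2.0/24"): "AS64502 ExampleHosting",
}


def lookup_network(ip):
    """Map a source IP to its owning network; 'unknown' if no prefix matches."""
    addr = ipaddress.ip_address(ip)
    for net, owner in NETWORK_TABLE.items():
        if addr in net:
            return owner
    return "unknown"


def summarize(records):
    """Return {period: {"networks": set of owners, "ips": set of IPs}}."""
    out = defaultdict(lambda: {"networks": set(), "ips": set()})
    for period, ip in records:
        out[period]["ips"].add(ip)
        out[period]["networks"].add(lookup_network(ip))
    return out


def growth_pct(old, new):
    """Percentage growth from old to new; None when old is zero (undefined)."""
    if old == 0:
        return None
    return round((new - old) / old * 100, 1)


def hunt_metrics(records, earlier, later):
    """Compare two periods: unique networks, unique IPs, and the busiest network."""
    s = summarize(records)
    nets_old, nets_new = len(s[earlier]["networks"]), len(s[later]["networks"])
    ips_old, ips_new = len(s[earlier]["ips"]), len(s[later]["ips"])
    # Unique IPs per network in the later period, to find the most active one.
    per_network = Counter(lookup_network(ip) for ip in s[later]["ips"])
    top_network, top_count = per_network.most_common(1)[0]
    return {
        "networks": (nets_old, nets_new, growth_pct(nets_old, nets_new)),
        "ips": (ips_old, ips_new, growth_pct(ips_old, ips_new)),
        "top_network": (top_network, top_count),
    }


if __name__ == "__main__":
    m = hunt_metrics(SAMPLE_RECORDS, "2016H1", "2016H2")
    print("networks (old, new, growth%):", m["networks"])
    print("unique IPs (old, new, growth%):", m["ips"])
    print("most active network in later period:", m["top_network"])
```

On the constructed data the network count grows 50% while the unique IP count doubles, the same shape as the report's finding: the signal is in IPs per network, not in new networks joining. Counting only networks, or deduplicating scans by /24, would hide it.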


So, who exactly is involved in the IoT hunt? Here are some key findings of this report:

  • Networks in China (primarily state-owned telecom companies and ISPs) headlined the threat actor list, accounting for 44% of all attacks in Q3 and 21% in Q4.
  • Trailing behind China, the top threat actors in Q3 were Vietnam and the US, and Russia and the UK in Q4. (The UK surprisingly jumped to third place in Q4 with most activity coming from an online gaming network.)
  • Russia, Spain, the US, and Turkey were the top 4 targeted countries (in that order) in Q3 and Q4.
  • Russia, at 31% in Q3 and 40% in Q4, was the number one target of the top 50 source countries.

What can concerned enterprises do to deal with the IoT threat?

  • Have a DDoS mitigation strategy that can handle attack volumes exceeding your own network capacity.
  • Ensure all of your critical services have redundancy, even those you outsource.
  • Put pressure on IoT manufacturers to secure their products, and don’t buy products that are known to be insecure or compromised.
  • Share your knowledge—about vulnerable devices, attacks and threat actors, successful mitigation efforts, and potential solutions—with other security professionals.



Authors & Contributors
Sara Boddy (Author)
Justin Shattuck (Author)
