Massive DDoS attack on core internet servers was 'zombie army' botnet from popular smartphone app

The recent attack on the internet's core servers is even more severe than previously thought according to cybersecurity expert John McAfee, who believes it was brought about by a so-called "zombie army" botnet unwittingly installed on hundreds of millions of smartphones through an as yet unidentified app. It is unclear who the perpetrators of the attack are but McAfee speculates that the aim of the attack - taking down the internet - and the unsophisticated way the botnet could be implemented through a simple smartphone app, suggests hackers sympathetic to Islamic State (Isis) or another terrorist group may be behind it.

The distributed denial of service (DDoS) attack that took place between 30 November and 1 December targeted 13 internet root name servers, which combined are responsible for supporting almost the entire internet. There are thousands of secondary servers around the world that could function as temporary replacements, but the majority are cached systems that only hold the data for a temporary period of time.

There are 370 more permanent servers, but taking these servers down through a similar DDoS attack would be trivial. At the peak of the DDoS attack, the servers received more than five million queries per second, and more than 50 billion queries in total during the two-day period.

McAfee and other cybersecurity experts, including notorious hacker Chris Roberts and DEFCON organiser Eddie Mize, believe that smartphones are the most likely culprit for such a botnet, as one can be easily installed to a device through an app, such as a flashlight app.There are other possibilities for the botnets, such as Spam emails, but due to the sheer volume displayed in the attack that answer is unlikely. With more than 7 billion smartphones in the world, McAfee sees this route for an attack on the internet as the logical answer.

"There are smartphone apps with more than 100 million users that are known to be spying on us," McAfee tells IBTimes UK. "It is trivial to build a free app which gets its ideas from a central source. As to who may have done this, I always look to those who have the most to gain or who have the largest axe to grind. The majority of the domain servers are controlled by U.S. interests - three are controlled by the US government. Who has the largest axe to grind? Isis. Who has the most to gain? Isis. Isis certainly has the technical capability to write a popular app. But I have no direct evidence.

"If there were 100 million users of an app, only 0.1% of the phones would have to be activated in order to achieve the effects that we saw. I have not yet identified the app, and it may be multiple apps. But this is as serious as it gets. We have absolutely no defenses in place to counter this threat. If the perpetrators had activated a mere order of magnitude more phones we would have lost the internet."

It is the third time since 2012 that a DDoS attack has been carried out against the root name servers and operators have suggested that IP source addresses can be easily spoofed. However, the latest attack was notable for the fact that source addresses were widely and evenly distributed, while the query name was not.

"The problem with the recent attack is that the originating IP addresses were evenly distributed within the IPV4 universe," McAfee says. "This is virtually impossible using spoofing. The second oddity is that every single request asked to resolve the exact same address. There is only one circumstance that can explain the above: the mythical "Zombie Army" of botnets has been built and has been partially activated."

Should such a botnet be fully deployed, the global impact would be "catastrophic" for financial and essential services, according to Roberts, while Mize believes "we have no defenses [against a mobile app botnet] and it was entirely unanticipated. The people in power need to be woken up before the world, as we know comes to an end."