The holiday season is, among other things, a time for toys. But as trains and teddy bears are replaced by tablets and TV dongles, our electronic diversions are coming back to haunt us. Like something from the pages of The Velveteen Rabbit, when these Internet-connected devices are neglected, they can take their revenge on the world as they’re conscripted into an army of hacked machines known as a botnet. This year, there are new botnets made of Internet of Things (IoT) devices. It has long been speculated that IoT devices would eventually be joined together to create their own toy army; that day has come with a vengeance.

What is an IoT botnet? You can think of it as a kind of March of the Wooden Soldiers for the 21st century, where compromised computers, smart devices and the “toys” of Christmases past—everything from CCTV cameras to home routers—are commandeered for the express purpose of overwhelming a specific website through an en masse attack. These distributed denial-of-service (DDoS) attacks can shut down a website for hours or even days—and, wouldn’t you know it, DDoS attacks are most popular around the holidays. Why? Because the holidays are when the stakes are highest: traffic is up, sales are on the line and DDoS attackers have more leverage to extort money or make demands.

Neustar’s October 2016 DDoS Report revealed that 61% of survey respondents are already using IoT devices. The number of IoT devices is expected to rise dramatically over the next decade, offering fertile ground for botnet herders.

One unusual aspect of these IoT botnets has been their use of HTTP and HTTPS requests. These request floods do not use any amplification. Instead, they are intended to exhaust a website’s capacity to respond by sending a high volume of requests. Some recent reports have put the botnets’ numbers in the range of:

CCTV botnet – 25,000 members

Home router botnet – 47,000 members

With this many “toys” in the botnet army, you only need a few requests per device, per second, to generate a massive flood of requests. Further adding to the problem is the use of HTTPS (TLS/SSL) traffic, which requires extra processing on the web server side.
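A defender's view of the arithmetic above, as an added example that is not from the original article: 25,000 devices at an assumed 3 requests per second each stay under a per-source rate limit, while the aggregate rate and distinct-source count make the flood visible. The thresholds, addresses and traffic mix are constructed for illustration.

```python
from collections import Counter, defaultdict

# Assumed thresholds for illustration; tune them to your own traffic baseline.
PER_IP_LIMIT = 10     # requests/second one source may send before a per-IP limiter trips
BASELINE_RPS = 500    # normal aggregate requests/second for this site
SPIKE_FACTOR = 10     # aggregate multiple of baseline treated as a flood

def synth_ip(n):
    """Map an integer to a constructed address in 10.0.0.0/8."""
    return f"10.{(n >> 16) & 255}.{(n >> 8) & 255}.{n & 255}"

def sample_events(bots, per_bot_rps, second, normal_clients=200):
    """Constructed (second, source_ip) records, as if parsed from an access log."""
    events = [(second, synth_ip(c)) for c in range(normal_clients) for _ in range(2)]
    events += [(second, synth_ip(100_000 + b))
               for b in range(bots) for _ in range(per_bot_rps)]
    return events

def analyze(events):
    """Per second: aggregate rate, distinct sources, and sources over the per-IP limit."""
    by_second = defaultdict(Counter)
    for second, ip in events:
        by_second[second][ip] += 1
    report = {}
    for second, per_ip in sorted(by_second.items()):
        total = sum(per_ip.values())
        over_limit = [ip for ip, n in per_ip.items() if n > PER_IP_LIMIT]
        report[second] = {
            "total_rps": total,
            "sources": len(per_ip),
            "per_ip_alerts": len(over_limit),
            "aggregate_alert": total > BASELINE_RPS * SPIKE_FACTOR,
        }
    return report

if __name__ == "__main__":
    # Second 0: normal traffic only. Second 1: 25,000 devices at 3 requests/second each.
    events = sample_events(0, 0, second=0) + sample_events(25_000, 3, second=1)
    for second, row in analyze(events).items():
        print(second, row)
```

No single source trips the per-IP limit during the flood second, so alerting has to key on aggregate request rate and the jump in distinct sources rather than on any one client.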

Whereas building a toy army botnet requires some hacking know-how, launching an attack is hardly rocket science. All you need is the IP address or URL of the site you want to attack—something anyone with an Internet connection can typically find out in less than a minute—and a credit card (you can “rent” a DDoS attack botnet on the Internet for as little as $40 an hour).

DDoS attacks can come hard and fast; the Massachusetts Institute of Technology, for example, was hit with 35 separate DDoS attacks just in the first half of 2016, with the largest attack measuring 58.6 million packets per second.

With the holidays around the corner, now is the time to prepare for the annual holiday hijinks of would-be hackers with a few ounces of prevention. Neustar offers two services—SiteProtect and UltraDNS—that can protect your site against DDoS attacks and keep your DNS secure and available. You can even turn these services on for the holidays, like those glowing reindeer on your front lawn, or keep them turned on for the entire year.

And, as a measure of protection, you may want to remember to power down your old toys and put them back in the box when you’re done “playing” with them, or they may come back to haunt you like the ghosts of Christmas Past.