Refuse to take part in a DDoS Botnet

by Kimberley Parsons Trommler, Product Evangelist at Paessler AG

Cybersecurity is the hottest topic in the IT world at the moment, thanks to the massive DDoS attacks against Brian Krebs' "Krebs on Security" website, against French hosting provider OVH, and, most recently, against Dyn’s DNS service, all of which came from compromised IoT devices, including DVRs and security cameras. The attack against Dyn, a provider of internet traffic management, was actually three separate attacks which impacted a large number of Internet estates, including Australian media, bank and retail sites

These attacks are the largest known DDoS attacks to date, with over 152K devices involved, generating over 620Gbps, and using tens of millions of IP addresses. The scale of the attacks raises the question; how can the compromised companies reduce the size of the attacks by ensuring that their IoT devices aren't part of a botnet?

The Insecurity of IoT Security

The sheer scale of the attacks, using a network of compromised IoT devices as the source of the attack was unprecedented. Flashpoint has confirmed that some of the infrastructure used to attack Dyn were botnets compromised by the Mirai malware, the same malware used against Brian Krebs and OVH. However, the botnets used against Dyn were not the same used against Krebs and OVH – they are separate and distinct bonnets from those in the first attack. So in reality, this is not the same botnet; it’s an additional one, even larger, using the same publicly-available technology. The attack on OVH used roughly 150,000 compromised devices, but a scan conducted by Flashpoint revealed that there are more than 500,000 vulnerable devices on the Internet and Level 3 Communications says that this number is not only vulnerable, but already infected.

We can expect to see an increase in both the size and frequency of attacks using IoT botnets, since:

  • The Mirai code is publicly available for any copycats to use, as is code for other IoT malware such as the gafgyt/bashlite family
  • The number of IoT devices is going to increase, so that there are even more devices available to be used in a botnet
  • The easily-compromised IoT devices are already out there, in the wild, and won’t be patched or removed from the Internet in any significant number. There are already 500,000 vulnerable devices out there – the horse is already out of the barn.
  • There are no significant economic incentives for IoT vendors to include appropriate security in their devices
  • It is very, very difficult for an Internet service provider to distinguish between valid requests and hostile (but perfectly formed) requests. There’s very little they can do to identify and block hostile requests while still servicing valid requests, so their most effective weapon is size. They need to have enough capacity to handle both the valid traffic and the flood of DDoS traffic without being overwhelmed.

Protection Lies in Endpoint Security

Many IoT devices simply don't offer endpoint security, but that's no excuse for leaving them unprotected. In fact, it’s quite the opposite – the "dumbest" devices are the ones that need the most protection, since they have no way to defend themselves.

There are five ways to defend even the simplest IoT devices by utilising your infrastructure. They include:

1.Running IDS/IPS systems to detect unusual activity in your network, not only from IoT devices. Keep in mind that the IDS requirements for IoT devices are very different from standard enterprise PCs and will depend on the protocols used by the IoT devices

2.Limiting outgoing communication from IoT devices to only the minimum required (e.g. do these cameras require Internet access, or only access to internal servers?). Limit communication to/from IoT devices to specific known hosts only

3.Separating your IoT network from the rest of your network, as much as possible. If the devices themselves don't offer embedded firewalls, place firewalls in front of them

4.Limiting bandwidth at the point where IoT devices access the rest of network

5.Monitoring bandwidth at the point where IoT devices access the rest of the network, to detect unusual patterns

Stay One Step Ahead with Traffic Monitoring

Internet service companies such as Dyn and Akamai (used by Brian Krebs) are used to handling DDoS attacks on a regular basis. However, they’re in an arms race against the hackers, trying to match size for size, and the sheer number of easily-hacked IoT devices has tipped the scales towards the hackers.

  • There is no easy solution here, and preventing DDoS attacks is going to involve serious effort from the Internet providers, the vendors of IoT devices and the consumers of IoT devices. But enterprise can stay one step ahead and utilise network monitoring to help monitor bandwidth; traffic sensors with limits will alert you when your outgoing traffic is higher than expected, and unusual detection heuristics will notify IT teams about unusual patterns in your registering on sensors. While you have no control over the internet at large, as corporate IT-department consumers, we can do our part by including security as a mandatory requirement in our purchasing:
  • Make security an important consideration when selecting vendors and products. Refuse to purchase devices that can’t be patched or that don’t allow users to change default passwords
  • Change default passwords on all devices immediately
  • Patch devices on a regular schedule, ideally as soon as new patches are available
  • Don’t give IoT devices access to the Internet unless they absolutely require it
  • Don’t allow incoming connections from the Internet to the IoT devices, unless they absolutely require it

Ensuring enterprise infrastructure is secure will help IT departments stay one step ahead of the Botnet.

Tags malwareendpoint securitybotnetakamaiDDoS attacksBrian KrebsOVHIP addressesDNS serviceIoT devicesFlashpointDVRsDDos Botnet

Show Comments