Defending against the botnet army: why the invasion of IoT botnets should be a wake-up call for the IT industry

By Robin Schmitt, General Manager, Australia at Neustar

With a number of recent high-profile, high-volume DDoS attacks launched by attackers who compromised insecure connected devices to build massive botnets, security concerns around the influx of Internet of Things (IoT) devices are justifiably rising.

The massive recent DDoS attacks on Krebs On Security and Dyn, launched using IoT-based botnets, should serve as a wake-up call for the IT industry.

The world is experiencing exponential growth in the number of unmanaged, cheap and poorly secured devices connected to the internet, and with it a growing security risk. Neustar’s October 2016 DDoS Report found that 61 percent of organisations are already using IoT devices. The number of IoT devices is expected to rise dramatically over the next decade, offering fertile ground for botnet herders. As the number of devices increases, so too does the potential size of attacks.

There are a number of key factors making IoT devices a greater threat. Firstly, there is little financial or regulatory motivation for IoT vendors to improve security. Secondly, the Mirai source code used in the Dyn and Krebs On Security attacks is readily available on the internet, greatly reducing the technical expertise required to amass a botnet army.

According to Ovum, security is largely an afterthought in the manufacture of low-end IoT devices. Al Blake, Principal Analyst in Ovum's Australian Government practice, was recently quoted:

“Products with no password, default passwords, no encryption, open insecure ports, known vulnerabilities, and an inability to patch flaws even if they are detected abound at the cheap commodity end of IoT…There are already 500,000 vulnerable devices out there.”

Several IoT device makers, including XiongMai Technologies, Hikvision, Samsung, and Panasonic, will now require unique passwords by default, which is a good start towards improving IoT security; however, only industry regulation will ensure that this measure is adhered to across the board. Following the attack on Krebs, XiongMai has also said it will recall millions of devices, mainly network cameras.

Nevertheless, given the number of vulnerable IoT units already shipped and installed over the last few years (conservative estimates are in the many tens of millions), it is likely that many organisations’ current DDoS defences are inadequate for the attacks of tomorrow. Organisations should review the risk they face and consider varying their defences in line with their increased exposure. Right-sizing the investment is key.

The ease of amassing botnets leads to more, and cheaper, botnets for hire. According to Forrester, cyber criminals can rent botnets for as little as USD 100 a day. Launching this type of attack today is as simple as setting up a Gmail account and paying an attacker USD 9.10 an hour to administer a DDoS against a chosen target. With an outage during peak times costing almost half of all organisations $100k or more, understanding the changing risk profile is key.

So what can be done to defend networks against the botnet army?

To protect against network- and application-layer attacks, organisations should look to engage a DDoS mitigation service. A hybrid of on-premises and cloud-based mitigation is best: together they provide sound protection against smaller but more sophisticated application-layer attacks, as well as the capacity to mitigate large volumetric attacks. In selecting a provider, organisations should first explore which product or service best suits them; there are several options in the market with different price and performance considerations.

To protect against large-scale, botnet-generated DDoS attacks targeting DNS, organisations should consider employing a secondary (redundant) DNS service from a different provider. Running primary and secondary DNS across two providers ensures that domain name resolution continues if one of the providers suffers an outage.
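A redundant DNS arrangement only helps if the delegation actually spans two independent providers; four nameservers that all belong to one vendor fail together. The script below is an added example (not code from the article or from Neustar) that groups a domain's NS records by provider and flags single-provider delegations. It approximates "provider" by the registrable domain of each nameserver hostname (an assumption: this mis-groups names under multi-label public suffixes such as .co.uk, and cannot tell when two brands share backend infrastructure). The delegations it checks are constructed sample data; the optional live lookup assumes the `dig` command is installed.

```python
"""Check whether a domain's NS delegation spans more than one DNS provider.

Added illustration, not the article's or Neustar's code. The provider of a
nameserver is approximated by the last two labels of its hostname, e.g.
ns1.dnsvendor-a.net -> dnsvendor-a.net. That heuristic is an assumption and
is wrong for multi-label public suffixes (ns1.vendor.co.uk -> co.uk).
"""
import subprocess
from collections import defaultdict


def provider_of(ns_hostname: str) -> str:
    """Return the assumed provider (registrable domain) of a nameserver name."""
    labels = ns_hostname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else ns_hostname


def group_by_provider(ns_records):
    """Map provider -> list of nameservers belonging to it."""
    groups = defaultdict(list)
    for ns in ns_records:
        groups[provider_of(ns)].append(ns.rstrip(".").lower())
    return dict(groups)


def has_redundant_dns(ns_records, min_providers: int = 2) -> bool:
    """True when the delegation spans at least `min_providers` providers."""
    return len(group_by_provider(ns_records)) >= min_providers


def assess(domain: str, ns_records):
    """Summarise a delegation: which providers serve it and whether it is redundant."""
    groups = group_by_provider(ns_records)
    return {
        "domain": domain,
        "providers": sorted(groups),
        "nameservers_per_provider": {p: len(n) for p, n in groups.items()},
        "redundant": len(groups) >= 2,
    }


def live_ns_records(domain: str):
    """Fetch NS records with the real `dig` CLI (requires network and dig installed)."""
    out = subprocess.run(
        ["dig", "+short", "NS", domain], capture_output=True, text=True, check=True
    ).stdout
    return [line.strip() for line in out.splitlines() if line.strip()]


# Constructed sample delegations; the vendor names are placeholders, not real providers.
SAMPLE_DELEGATIONS = {
    # Four nameservers, but one provider: an outage there takes the domain down.
    "single-provider.example": [
        "ns1.dnsvendor-a.net.", "ns2.dnsvendor-a.net.",
        "ns3.dnsvendor-a.net.", "ns4.dnsvendor-a.net.",
    ],
    # Two providers: resolution survives the loss of either one.
    "dual-provider.example": [
        "ns1.dnsvendor-a.net.", "ns2.dnsvendor-a.net.",
        "ns1.dnsvendor-b.com.", "ns2.dnsvendor-b.com.",
    ],
}


if __name__ == "__main__":
    for name, records in SAMPLE_DELEGATIONS.items():
        result = assess(name, records)
        status = "OK" if result["redundant"] else "SINGLE PROVIDER"
        print(f"{name}: {status} via {', '.join(result['providers'])}")
```

To check a real zone, call `assess(domain, live_ns_records(domain))`; a result with one provider means the "secondary" service is not independent, regardless of how many nameserver names appear in the delegation. Also verify that zone transfers (or API-driven zone sync) to the second provider actually succeed, since a redundant nameserver serving a stale or empty zone offers no protection.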

Given the potential for weakly secured connected devices to endanger the operation of the internet, public and private organisations internationally must begin to work together to formulate security standards for IoT devices. Manufacturers who refuse to meet security requirements must face consequences if good practice is to prevail.