Defend Network and Customers Against IoT-Based DDoS Attacks

By: Stephanie Weagle

Experts have long warned that the inherent lack of security in many of the devices that make up the Internet of Things (IoT) would come back to haunt us. The DDoS events of the past year have brought this concern into sharp focus, by demonstrating just how damaging an IoT-powered botnet can be.

It’s no secret that many IoT devices are poorly architected from a security perspective. Many have little or no security in place with simple default passwords making it easy for attackers to take control of them for malicious purposes. This makes them sitting ducks, just waiting to be compromised and enslaved into a botnet for use in DDoS events. In addition, attackers are becoming more creative and using new techniques to wreak havoc with IoT botnets.

While 2016 marked a turning point for DDoS, attacks reached new heights in terms of both size and complexity. Mirai showed us how powerful an IoT-powered botnet can really be with the unprecedented attack against DNS provider Dyn just over a year ago. Overnight, the security considerations around connected devices went from being something that security consultants have long warned about into a hot button issue that demands to be addressed.

Internet-based home automation devices, such as video baby monitors, remote thermostat programming, home surveillance and security kits, connected lighting products, etc., are transforming how we manage our day-to-day lives. Remote management of these devices, through smartphones, online portals and-the-like has extended to every home, car, business, building and system in the world – and certainly this is only the tip of the iceberg.

Despite its advantages, IoT comes with a host of security disadvantages. IoT devices are often poorly managed, patched and secured, which makes them prime targets for hacker infiltration and takeover. Aside from the personal privacy and security concerns that result from these security gaps, the bigger danger is that these connected devices can be harnessed by hackers for a variety of nefarious purposes; DDoS attacks are prominent amongst them.

These increased threats will mean that defending against DDoS attacks will become a top security priority for any organization that relies on the internet to conduct business. So how can organizations defend against such attacks? In preparing a robust defense against botnets like Mirai it’s important to consider how they work. Effectively acting like a giant cloud computer, botnet-driven attacks are launched and then disappear without leaving enough information for victims to trace its origins. This leaves organizations really no choice but to defend themselves at the edges of the network. Legacy out-of-band scrubbing solutions, which require human intervention and reactive countermeasures to block the attack, will not be successful, and using traditional security infrastructure (firewalls, IPS, etc.) will also allow hackers to experiment on your networks undetected, finding vulnerabilities and testing new methods through smaller, hidden attacks.

The reality is that any device, infrastructure, application, etc. that is connected to the internet is at risk for attack, or even more concerning, to be recruited as a bot in an army to be used in DDoS attacks against unsuspecting victims. Botnets, also known as “zombie armies,” can be deployed on thousands — if not millions — of connected devices and can wreak havoc - spam attacks, spread malware, or launch DDoS attacks. 

There is really no limit to the potential size and scale of future botnet-driven DDoS attacks, particularly when they harness the full range of smart devices incorporated into our IoT. By using amplification techniques on the millions of very high bandwidth capable devices currently accessible, DDoS attacks are set to become even more colossal in scale. 

The bottom line is that attacks of this size can take virtually any company offline – a reality that all businesses must be prepared to defend against. The impact of a successful DDoS is far ranging: revenue loss, customer dissatisfaction, and brand damage to name a few. Businesses that rely on internet availability to conduct business or deliver services to their customers cannot deal with DDoS in a reactive manner.

Furthermore, DDoS goes beyond the giant attacks that make the headlines every few months. Before botnets are mobilized, hackers need to make sure that their techniques are going to work. This is usually done using short duration, low volume attacks, which most IT teams wouldn’t even recognize as a DDoS attack.