Bryan Hamman, territory manager for sub-Saharan Africa at Arbor Networks, talks about the issues around DDoS attacks on IoT devices
Embedded Internet-of-Thing (IoT) botnets are not a new phenomenon – we’ve seen them leveraged to launch distributed denial of service (DDoS) attacks, send spam, engage in man-in-the-middle (MitM) credentials hijacking, and other malicious activities for several years.
For instance, a few years ago, a 75,000-strong botnet comprised of embedded devices – consumer broadband routers, in that instance – was found to be launching DDoS attacks. We routinely see IoT botnets comprised of webcams, DVRs, cable television set-top boxes, satellite set-top boxes, and more used to launch DDoS attacks.
IoT botnets have been used to launch high-profile DDoS attacks against online gaming networks, to engage in DDoS extortion attempts, and to target organisations affiliated with large-scale events, such as the Olympics.
IoT devices are attractive to attackers because so many of these devices are shipped with insecure defaults, including default administrative credentials, open access to management systems via the Internet-facing interfaces on these devices, and shipping with insecure, remotely exploitable code. A large proportion of embedded systems are rarely if ever updated in order to patch against security vulnerabilities – indeed, many vendors of such devices do not provide security updates at all.
Embedded IoT devices are often low-interaction – end-users don’t spend much time directly interfacing with them, and so aren’t given any clues that threat actors to launch attacks are exploiting them.
There are tens of millions of vulnerable IoT devices, and their numbers are growing daily; they’re generally always turned on; they reside on networks which aren’t monitored for either incoming or outgoing attack traffic; and the networks where they’re deployed often offer high-speed connections, which allows for a relatively high amount of DDoS attack traffic volume per compromised device.
Organisations can defend against DDoS attacks by implementing best current practices (BCPs) for DDoS defence, including hardening their network infrastructure, ensuring they’ve complete visibility into all traffic ingressing and egressing from their networks so as to detect DDoS attacks, ensuring they’ve sufficient DDoS mitigation capacity and capabilities (either on-premise or via cloud-based DDoS mitigation services, or both), and by having a DDoS defence plan which is kept updated and is rehearsed on a regular basis.
In particular, ISP and MSSP network operators should actively participate in the global operational community, so that they can both render assistance when other network operators come under high-volume DDoS attacks as well as request mitigation assistance as circumstances warrant. Active, continuous cooperation between enterprise network operators, ISPs, and MSSPs is the key to successful DDoS defence.
It’s also very important that when measuring DDoS attack volumes, network operators take into account the baseline load of their normal Internet traffic so as to neither underestimate nor overestimate the amount of attack traffic targeting their networks and customers. This is vital when determining which DDoS defence mechanisms and methodologies to employ in the course of an attack, as well as to ensure that accurate information is provided to the global operational community and to the media.
