Defending your network and customers against IoT-based DDoS attacks
Experts have long warned that the inherent lack of security in many of the devices that make up the Internet of Things would come back to haunt us. The DDoS events of the past year have brought this concern into sharp focus by demonstrating just how damaging an IoT-powered botnet can be.
The attack against DNS provider Dyn in October 2016 was a real wake-up call, and finally made the security of connected devices a hot-button issue that could no longer be ignored.
It’s no secret that many IoT devices are poorly architected from a security perspective. Many have little or no security in place and ship with simple default passwords that are rarely changed, making it trivial for attackers to take control of them. This leaves them as sitting ducks, waiting to be compromised and enslaved into a botnet for use in DDoS attacks, says Stephanie Weagle, VP, Corero Network Security.
As the attacks against Krebs on Security and Dyn demonstrate, such attacks are growing larger and more dangerous, and attackers are becoming more creative in the techniques they use to wreak havoc with IoT botnets. So what exactly can service providers do to protect their networks and customers?
Know your enemy
The IoT introduces a wide range of new security risks for any organisation. Any device, infrastructure or application connected to the internet is at risk of attack or, more concerning, of being recruited as a bot into an army used for DDoS attacks against unsuspecting victims. Botnets, also known as “zombie armies”, can span thousands, if not millions, of connected devices and can be used to spread malware, send spam or launch DDoS attacks.
Commonly used DDoS toolkits abuse internet services and protocols exposed on open or vulnerable servers and devices (open DNS resolvers and NTP servers, for example) to build reflection and amplification attacks: the attacker sends small requests with the source address spoofed to that of the victim, and the servers reply to the victim with responses many times larger than the requests. Because the reflecting servers only ever see the spoofed source, such attacks are virtually impossible to trace back to the originating attacker.
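One way a provider can spot reflected traffic in flow data is to look for the signature the text describes: many distinct reflectors, all replying from the same UDP service port with large packets, to a destination that never sent them matching requests. The heuristic below is an added example, not code from the article or from Corero; the flow records, the `direction` labelling and the thresholds are constructed for illustration.

```python
"""Heuristic detector for UDP reflection/amplification traffic in flow records.

Added example (not code from the article or from Corero). Flow records and
thresholds are constructed for illustration; the direction field assumes a
collector that labels flows relative to the protected network.
"""
from collections import defaultdict
from dataclasses import dataclass

# UDP services commonly abused as reflectors, keyed by their service port.
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 1900: "SSDP", 11211: "memcached", 19: "chargen"}


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    packets: int
    bytes: int
    direction: str  # "in": Internet -> protected network, "out": the reverse


def amplification_suspects(flows, min_sources=3, min_bytes_per_pkt=400, ratio=10):
    """Return {victim_ip: report} for destinations that look like reflection victims.

    Signature: many distinct reflectors, all replying from the same service
    port, with large packets, far exceeding any requests the destination
    actually sent to that service. The reflectors saw only the spoofed source,
    so the victim's own outbound traffic is the only ground truth available.
    """
    replies = defaultdict(list)    # (dst, service_port) -> inbound reply flows
    requests = defaultdict(int)    # (src, service_port) -> outbound request packets
    for f in flows:
        if f.proto != "UDP":
            continue
        if f.direction == "in" and f.sport in REFLECTOR_PORTS:
            replies[(f.dst, f.sport)].append(f)
        elif f.direction == "out" and f.dport in REFLECTOR_PORTS:
            requests[(f.src, f.dport)] += f.packets

    suspects = {}
    for (dst, port), group in replies.items():
        reflectors = {f.src for f in group}
        pkts = sum(f.packets for f in group)
        bytes_per_pkt = sum(f.bytes for f in group) / pkts
        sent = requests.get((dst, port), 0)
        if (len(reflectors) >= min_sources
                and bytes_per_pkt >= min_bytes_per_pkt
                and pkts >= ratio * max(sent, 1)):
            suspects[dst] = {
                "service": REFLECTOR_PORTS[port],
                "reflectors": len(reflectors),
                "reply_packets": pkts,
                "request_packets": sent,
                "bytes_per_pkt": round(bytes_per_pkt),
            }
    return suspects


# Constructed sample: one customer doing ordinary DNS lookups, another being
# hit by large NTP replies it never requested (documentation address ranges).
SAMPLE_FLOWS = [
    Flow("203.0.113.10", 51234, "198.51.100.53", 53, "UDP", 2, 140, "out"),
    Flow("198.51.100.53", 53, "203.0.113.10", 51234, "UDP", 2, 260, "in"),
] + [
    Flow(f"192.0.2.{i}", 123, "203.0.113.20", 80, "UDP", 10_000, 4_680_000, "in")
    for i in range(1, 6)
]

if __name__ == "__main__":
    for victim, report in amplification_suspects(SAMPLE_FLOWS).items():
        print(victim, report)
```

The ordinary DNS exchange is not flagged (one source, small packets, matching outbound requests), while the NTP traffic to 203.0.113.20 is: five reflectors, 468-byte replies and no requests from the victim. Tune the thresholds to your own baseline; a resolver farm legitimately receives many large DNS replies, so the request-to-reply ratio carries more weight than packet size alone.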
The only proper defence is an automatic, always-on DDoS mitigation system that monitors all traffic in real time, drops the flood of attack traffic at the Internet edge, prevents service outages and leaves security personnel free to focus on uncovering any follow-on malicious activity, such as data breaches.
As with all DDoS threats, clear visibility is a crucial first step in detecting and defending against attacks. Service providers have a duty to inform users if they spot malicious activity involving a user’s devices. However, most providers do not monitor traffic to and from the IP addresses they assign for signs of infection or attack, so such activity is difficult to detect.
In addition, the sheer volume of devices involved poses a serious challenge: any device with an Internet connection and a processor can be compromised. In an ideal world, every device would have to go through some form of initial configuration, at minimum a change of its default credentials, before it could be used, rather than being exploitable straight out of the box.
While much of the focus in the wake of recent IoT-related DDoS attacks has been on encouraging manufacturers to build proper security controls into Internet-connected devices before they ship, ISPs also have an important role to play in reducing the number of future DDoS attacks.
At a local level, ISPs could significantly reduce the overall volume of DDoS attacks across their networks by deploying systems to detect and remediate infected bots on their own networks. Further, established best practice exists in the form of ingress filtering (BCP 38 / RFC 2827): dropping packets that arrive from a customer with a source address the customer was never assigned, which removes the spoofing that reflection DDoS attacks depend on. This simple improvement in service provider hygiene would be a great first step towards reducing the overall volume of DDoS traffic.
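The ingress-filtering rule is simple enough to state in a few lines, and modelling it shows exactly which packets a provider edge would discard. The following is an added example, not code from the article, from Corero or from any router vendor: the interface names, the customer prefix assignments and the sample packets are constructed, and the `render_acl` output is an illustrative Cisco-style access list rather than a tested device configuration.

```python
"""BCP 38 / RFC 2827 ingress filtering, modelled in Python.

Added example (not code from the article, Corero, or any vendor). The
interface-to-prefix table and the packets are constructed; real deployments
express the same rule as an ACL or strict unicast RPF on the provider edge.
"""
import ipaddress

# Prefixes the provider has assigned to each customer-facing interface
# (constructed, documentation ranges). A packet arriving on an interface must
# carry a source address from that interface's prefixes; anything else is spoofed.
CUSTOMER_PREFIXES = {
    "ge-0/0/1": ["203.0.113.0/26"],
    "ge-0/0/2": ["203.0.113.64/26", "198.51.100.0/24"],
}

# Sources that are never valid on a customer-facing interface regardless of
# assignment (unspecified, RFC 1918, loopback, link-local).
BOGON_PREFIXES = ["0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
                  "172.16.0.0/12", "192.168.0.0/16"]


def _networks(cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]


class IngressFilter:
    def __init__(self, table, bogons=BOGON_PREFIXES):
        self.table = {iface: _networks(p) for iface, p in table.items()}
        self.bogons = _networks(bogons)

    def verdict(self, iface, src):
        """Return ("permit", reason) or ("drop", reason) for one packet's source."""
        addr = ipaddress.ip_address(src)
        if any(addr in n for n in self.bogons):
            return "drop", "bogon source"
        allowed = self.table.get(iface)
        if allowed is None:
            return "drop", "unknown interface"
        if any(addr in n for n in allowed):
            return "permit", "source within assigned prefix"
        return "drop", "source not assigned to this interface (spoofed)"

    def render_acl(self, iface):
        """Illustrative Cisco-style ACL equivalent for one interface (wildcard masks)."""
        lines = [f"permit ip {n.network_address} {n.hostmask} any" for n in self.table[iface]]
        lines.append("deny ip any any log")
        return lines


def filter_packets(packets, flt=None):
    """Apply the filter to (interface, source_ip) pairs; returns (iface, src, verdict)."""
    flt = flt or IngressFilter(CUSTOMER_PREFIXES)
    return [(iface, src, flt.verdict(iface, src)[0]) for iface, src in packets]


# Constructed sample packets as seen at the provider edge.
SAMPLE_PACKETS = [
    ("ge-0/0/1", "203.0.113.7"),     # legitimate customer address
    ("ge-0/0/1", "203.0.113.70"),    # address assigned to the other interface
    ("ge-0/0/1", "192.0.2.9"),       # spoofed victim address, as in a reflection attack
    ("ge-0/0/2", "10.1.2.3"),        # RFC 1918 source, never valid here
    ("ge-0/0/2", "198.51.100.200"),  # legitimate customer address
]

if __name__ == "__main__":
    for iface, src, v in filter_packets(SAMPLE_PACKETS):
        print(f"{iface:9} {src:16} {v}")
    print("\n".join(IngressFilter(CUSTOMER_PREFIXES).render_acl("ge-0/0/1")))
```

Only the two packets whose source falls inside the prefixes assigned to their ingress interface are permitted; the spoofed victim address that a reflection attack relies on is dropped before it ever reaches an open resolver or NTP server. On Cisco IOS the same check is usually enabled as strict unicast RPF (`ip verify unicast source reachable-via rx`) on the customer-facing interface rather than as a hand-written ACL. One caveat a practitioner should plan for: strict mode assumes symmetric routing, so multihomed customers whose return path differs from their forward path need loose mode or an explicit prefix ACL instead.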
Service providers will find themselves at an important crossroads next year. By working together with governments and the international community, they can strengthen the underpinning infrastructure of the Internet and significantly reduce the volume of malicious traffic flowing across their networks.
The only way to ensure that service provider networks and their customers are fully protected is to use an automatic, in-line, DDoS mitigation system which provides clear network visibility and can withstand attacks of all sizes. Providers have a golden opportunity to modernise their DDoS defences in this way – or risk a slow shrinking of their customer base.
The author of this blog is Stephanie Weagle, VP, Corero Network Security