Glimpse Inside IoT-Triggered DDoS Attacks and Securing IT Infrastructures

Why do IoT devices get involved in DDoS attacks? How are these attacks executed and what consequences do they lead to? Is it possible to secure connected devices and web applications within an enterprise network in the Internet of Things era? This post will attempt to answer those questions.

A Distributed Denial of Service (DDoS) attack is an activity designed to bombard web servers, network infrastructure, and application layers with traffic and heavy files from multiple resources, thus causing websites and applications to become slow or temporarily unavailable.

Today, over 30 percent of all documented downtime accidents are caused by DDoS attacks. Globally, two thousand DDoS attacks are registered on a daily basis. The average DDoS attack costs a large company as much as $250 thousand per hour.

A recent surge in the number (up 91 percent between Q1 and Q3 in 2017) and severity of such attacks is attributed to the greater adoption of the Internet of Things solutions. Gartner reckons the global IoT installed base will reach 20.4 billion units in 2020; nearly 40 percent of those devices will be used by businesses.

What Makes IoT Devices Particularly Vulnerable to Hacker Attacks?

Embedded systems and firmware (C/C++, LUA, Linux) run on connected gadgets, enabling device-to-device communication and data exchange which are considered to be IoT’s Achilles’ heel – largely due to limited update and patch capabilities stemming from poor IoT hardware design choices.

As Jack Wallen of Tech Republic put it, “couple unsupported Linux kernels with the fact that may IoT devices lack space for kernel updating”, and we’ll have a perfect recipe for disaster.

Even devices that support the latest version of an operating system upon release will soon become vulnerable, unless they are programmed to update firmware automatically, like Amazon Echo. This, however, does not guarantee absolute protection against malware attacks since some malicious programs are resistant to device reboots.

Furthermore, both businesses and ordinary consumers remain ignorant of IoT security threats and continue to use default passwords set by a device manufacturer (at least 15 percent of users do so) or choose the most popular credentials like admin/admin and user/12345. According to Positive Technologies, five common username and password combinations are enough to get control of 10 percent of all connected gadgets in the world. The team behind the infamous Mirai attack, for example, used a list of 62 conventional passwords to successfully hack over 150 thousand consumer devices, including baby monitors, Wi-Fi routers, and IP cameras.

Chip manufacturers don’t make our lives easier. Intel’s Meltdown and Spectre vulnerabilities affected most of the hardware produced by the company since 1995. For example, this may reveal any sensitive data stored in a device’s protected memory and apps.

How are DDoS Attacks Executed?

Not all IoT devices become hackers’ target — small gadgets, like sensors and relays which operate modest amounts of data, use encrypted communication protocols, like Z-Wave and Zigbee, and often require NFC-like pairing to be integrated into a Smart Home or building management system cannot be exploited over a wireless network. It is devices that connect directly to the Internet and have dedicated IP addresses that pose the real threat.

A typical IoT-related DDoS attack is carried out by a botnet – a network of connected devices that have been compromised via phishing, “malvertising,” and password-guessing attacks.

During the process, a Command and Control (CNC) program scans through the IP addresses of devices exposed to the Internet, detects poorly protected gadgets, and infects them with the malware needed to execute an attack. Thus, a hacked gadget becomes a bot waiting for further instructions, and device owners don’t even know about it unless they monitor network traffic using tools, like Wireshark.

It can be idling for hours, days or even months before the botnet reaches the desired size; then the gadget is called to action. Bots overwhelm their victims with HTTP, DNS and UDP floods or spam.

300 Gbps is enough to bring down the majority of websites that do not employ DDoS mitigation tools. In the case of the 2016 Mirai botnet attack that targeted Dyn servers and affected the performance and availability of websites such as Netflix, Reddit, and Twitter, the traffic volumes peaked at 620 Gbps.

Why We Should All Be Aware of DDoS Attacks

First and Foremost, IoT-based Cyberattacks Continue to Evolve

Hajime, a botnet twice the size of Mirai which surfaced in early 2017, was designed to support five different platforms and stayed off the traffic detection radar by mimicking acceptable human behavior. Reaper, its successor, learned to target nine documented IoT device vulnerabilities simultaneously instead of just guessing passwords. What’s going to happen if hackers decide to enhance IoT malware with some machine learning capabilities?

Downtime Costs are Rising

According to the NETSCOUT Arbor's 13th Annual Worldwide Infrastructure Security Report, the number of entrepreneurs who estimated downtime cost at $ 501-1 thousand per minute in 2017 grew by 60 percent from the previous year. Besides direct financial losses, DDoS attacks can have a lasting effect on a company’s reputation, which is acknowledged by 57 percent of respondents.

DDoS Attacks may Lead to Irreparable Consequences.

It’s one thing to bear losses due to website downtime caused by a botnet attack; it’s quite another to lose control over a federal IT system.

Four Tips to Protect IT Infrastructures in the Internet of Things Era

Protection against DDoS and other types of cyberattacks starts with understanding the complexity of modern security threats. The Internet of Things has introduced new security challenges to both businesses that make connected gadgets part of their IT infrastructures and companies that operate all kinds of web-based solutions, including corporate websites, CRM systems, and custom social networking solutions.

By following these general, yet effective, security best practices, you’ll be able to significantly reduce IoT-related security risks and keep your IT infrastructure (and those of your partners') safe:

• Never forget to reset default passwords and update firmware — As simple as it sounds, the use of default IoT device passwords is the main reason why Mirai happened. 47 percent of IT departments added new connected gadgets to their corporate networks without changing the passwords set by device manufacturers. If you go to the management interface and discover default passwords cannot be changed, do not hesitate to send the gadgets back. The same goes for firmware updates that should be done automatically or at least require little supervision from an IT team.
• Do not expose devices to the Internet — IoT solutions that handle large amounts of data and, therefore, require high-speed bandwidth – for example, surveillance cameras which made up a great share of the Mirai bot army – should always be protected by a firewall solution like Cujo, Norton Core, or a custom IoT security product. Also, you can use a third-party port and traffic scan solutions, like BullGuard, to determine whether an IP address is publicly exposed and detect devices with open ports.
• Work with reliable IoT vendors — Most well-known IoT device vulnerabilities, including the improper usage of authentication and authorization mechanisms, the lack of transport layer encryption, and firmware patching issues, stem from poor decisions made during the Internet of Things hardware and software development. Whether you consider implementing a third-party or custom connected solution in the workplace, make sure to address companies with a proven track record in IoT solutions development only.
• Reinforce web application security — The bad news about IoT-triggered malware attacks is that any company or individual – whether they make use of IoT solutions for business purposes or not – can easily come under fire. There are several ways to protect your web apps against IoT botnets. First, you could implement a VPN solution to mask your web traffic. Second, make use of secure ready-made CMS plugins and other open-source software components without documented security vulnerabilities. And, finally, you should never compromise on quality assurance. QA might push your web development project delivery date a bit further, but it will save you the trouble of paying ransom to hackers and handling customer complaints.