DZone
Thanks for visiting DZone today,
Edit Profile
  • Manage Email Subscriptions
  • How to Post to DZone
  • Article Submission Guidelines
Sign Out View Profile
  • Post an Article
  • Manage My Drafts
Over 2 million developers have joined DZone.
Log In / Join
Refcards Trend Reports Events Over 2 million developers have joined DZone. Join Today! Thanks for visiting DZone today,
Edit Profile Manage Email Subscriptions Moderation Admin Console How to Post to DZone Article Submission Guidelines
View Profile
Sign Out
Refcards
Trend Reports
Events
Zones
Culture and Methodologies Agile Career Development Methodologies Team Management
Data Engineering AI/ML Big Data Data Databases IoT
Software Design and Architecture Cloud Architecture Containers Integration Microservices Performance Security
Coding Frameworks Java JavaScript Languages Tools
Testing, Deployment, and Maintenance Deployment DevOps and CI/CD Maintenance Monitoring and Observability Testing, Tools, and Frameworks
Culture and Methodologies
Agile Career Development Methodologies Team Management
Data Engineering
AI/ML Big Data Data Databases IoT
Software Design and Architecture
Cloud Architecture Containers Integration Microservices Performance Security
Coding
Frameworks Java JavaScript Languages Tools
Testing, Deployment, and Maintenance
Deployment DevOps and CI/CD Maintenance Monitoring and Observability Testing, Tools, and Frameworks
  1. DZone
  2. Data Engineering
  3. Big Data
  4. IoT Botnets and DDOS: A New Reality With New Responsibilities

IoT Botnets and DDOS: A New Reality With New Responsibilities

With Oct. 21's DDOS attack still fresh in people's minds, we look at how device manufacturers, device users, and governments need to respond.

Tim Armstrong user avatar by
Tim Armstrong
·
Oct. 28, 16 · Opinion
Like (0)
Save
Tweet
Share
3.01K Views

Join the DZone community and get the full member experience.

Join For Free

Image title

Last Friday, multiple massive distributed denial of service (DDoS) attacks hit Dyn, an internet performance management company headquartered in New Hampshire. Dyn is a managed DNS provider to many of the large companies on the internet such as Twitter, Reddit, GitHub, Paypal, Spotify, Heroku, SoundCloud, Crunchbase, Netflix, Amazon, and others.

News surfaced over the following weekend that the Mirai IoT (Internet of Things) botnet was at least partially responsible for the attack, and according to Dyn, was generating traffic from “10s of millions of discrete IP addresses.”

Instead of rehashing details of how this could have occurred, we want to discuss botnet attacks as part of the new reality in our connected world, and as such, how device manufacturers and device users need to respond. We also want to take a look at the role that governments can or cannot play.

Connected Devices of All Types, Everywhere

Ubiquitous — it’s an over-used word, but it truly applies here. A huge range and number of Internet-connected devices exist, including cameras, DVRs, thermostats, light bulbs, toothbrushes, teapots, clothes dryers, pet feeders, home security appliances, payment transaction devices, health monitors, personal emergency response systems, and on, and on. In other words, connected devices are everywhere — in the home, in the car, on our bodies, in the workplace, in our hospitals, and everywhere else you can imagine.

When there’s a DDoS, it isn’t just your ability to get on Facebook that’s impacted. All areas of our lives are disrupted, from entertainment to commerce to physical and personal security to health matters that have — potentially — very serious implications. Sometimes, denial of service is just an inconvenience; other times, it can be life threatening.

An Inconvenient Truth

Many of these devices are not inherently secure, and it’s way too easy to commandeer them with a botnet like Mirai.

So what to do? Let’s answer this from two points of view: the manufacturers’ and the end-users’.

Manufacturers’ Responsibilities

At the outset, we should mention that Hangzhou Xiongmai Technology, the manufacturer of many of the devices used in the attack, is planning to issue a device recall on some of its vulnerable products.

While a recall may help to get some of these insecure devices off the Internet, it’s incredibly likely that many will stay connected and unsecure and that far more devices from other manufacturers are sitting idle, waiting to be compromised — or are being used maliciously already.

So let’s shift the focus from after-the-fact “responsibility” to proactive steps that device manufacturers can and should take.

As we often say in this blog, security should be integrated from the outset, whether it’s into an organization’s infrastructure and practices or into an IoT device. With that in mind, manufacturers need to replace the current practice of shipping products that offer consumers no way to upgrade or protect themselves, with products that can be upgraded. A shift needs to take place whereby a much stronger focus on consumer security is built into the product development cycle. It’s not lack of processing power that makes devices vulnerable; it’s lack of will to build processing power into the devices in the first place. Some manufacturers already respect this and have a forced password reset on first login, or randomly generate a password per device.

End-User Responsibilities

Most of us, as end-users, show a degree of complacency in our acceptance of IoT devices and our generally lax approach to Internet security. But unless end-users follow basic security practices, the security loop is incomplete and devices remain vulnerable. At a minimum, consumers should research carefully whether any type of security update mechanisms are built into the devices they are planning to purchase, and they need to stop using default (or otherwise weak) passwords. Easier said than done, of course, but it would appear that many manufacturers only respond to market forces or public shame.

Government Responsibilities

When the well-being of the community is being threatened, can governments step in? Ironically, their options are often limited. In many democracies, it is not legal to access a computer without the owner’s permission, even if the intent is to do good. In the United States, for example, it is illegal to access a computer without authorization, according to the Computer Fraud and Abuse Act. The same is true in Holland where Dutch authorities came under fire in 2010 after uploading a file to computers that had been infected with the Bredolab botnet, in order to use that file to redirect users’ browsers to a web page in an attempt to inform them that they’d been hacked.

This leaves us with quite a dilemma. It is probably safe to say that many of the connected devices involved in last week’s DDoS will not be returned, can’t be updated, and will remain active. It is theoretically possible to “brick” these devices and render them useless. But should we? Should the U.S. or another country take action to prevent these devices from further targeting infrastructure? What are the implications of such an action? What if the intended fix introduces even bigger flaws?

Final Words...

The Mirai botnet was performing smaller scale attacks prior to the one against Dyn, and has continued to attack after Dyn successfully mitigated the attack on Friday. So this simply means that malicious activity from this botnet is an ongoing problem with no real end in sight.

While there’s no way of preventing attacks like Mirai, there are steps that the connected community can take — from manufacturer to end-user — to mitigate attacks when they do happen.

DDoS may be part of the new reality, but we don’t have to accept it as the new norm. 

Botnet IoT security

Published at DZone with permission of Tim Armstrong, DZone MVB. See the original article here.

Opinions expressed by DZone contributors are their own.

Popular on DZone

  • How To Check Docker Images for Vulnerabilities
  • The Quest for REST
  • A Brief Overview of the Spring Cloud Framework
  • How Observability Is Redefining Developer Roles

Comments

Partner Resources

X

ABOUT US

  • About DZone
  • Send feedback
  • Careers
  • Sitemap

ADVERTISE

  • Advertise with DZone

CONTRIBUTE ON DZONE

  • Article Submission Guidelines
  • Become a Contributor
  • Visit the Writers' Zone

LEGAL

  • Terms of Service
  • Privacy Policy

CONTACT US

  • 600 Park Offices Drive
  • Suite 300
  • Durham, NC 27709
  • support@dzone.com
  • +1 (919) 678-0300

Let's be friends: