Securing the Internet of Things against DDoS threats

May 01, 2017




Internet-based home automation devices, such as video baby monitors, remote thermostat programming, home surveillance and security kits, connected lighting products, etc., are transforming how we manage our day-to-day lives. Remote management of these devices through smartphones, online portals, and the like has extended to every home, car, business, building, and system in the world.

Despite its advantages, the Internet of Things (IoT) comes with a host of security disadvantages. As a whole, IoT devices are poorly managed, patched, and secured; they are sitting ducks for hacker infiltration and takeover. Aside from the personal privacy and security concerns that result from these security gaps, the bigger danger is that these connected devices can be harnessed by hackers for a variety of nefarious purposes; distributed denial of service (DDoS) attacks are prominent among them.

Thanks to the breadth of news coverage on the Mirai botnet and the damaging attacks against Krebs on Security, OVH, and Dyn in late 2016, it’s well known that cybercriminals can hack into any vulnerable device connected to the Internet to remotely take control of that device and enslave it into a botnet that is part of a DDoS attack. Given the recent, ongoing, and exponential increase of devices connected to the IoT, it is becoming easier for hackers to increase the size and frequency of DDoS attacks.

The reality is that any device, infrastructure, application, etc. that is connected to the Internet is at risk of attack or, even more concerning, of being recruited as a bot in an army used in DDoS attacks against unsuspecting victims. Botnets, also known as “zombie armies,” can be deployed on thousands, if not millions, of connected devices and can wreak havoc – mounting spam attacks, spreading malware, or launching DDoS attacks.

There is really no limit to the potential size and scale of future botnet-driven DDoS attacks, particularly when they harness the full range of smart devices incorporated into our IoT. By using amplification techniques on the millions of high-bandwidth-capable devices currently accessible, DDoS attacks are set to become even more colossal in scale.

For example, the Mirai botnet, which was responsible for a string of attacks in recent months, will continue to evolve as hackers take advantage of the billions of poorly secured, Internet-connected devices currently in use worldwide. In terms of its size, the Mirai botnet is currently believed to have a population of around 300,000 Internet-connected devices, but could increase significantly if hackers amend the source code to include root credentials for other types of vulnerable devices.

The Mirai botnet is expected to also become more complex in 2017 as hackers evolve and adapt the original package, equipping it with new methods of launching DDoS attacks. Mirai is currently believed to contain around ten different DDoS attack techniques – or vectors – which can be utilized by hackers to leverage an attack.

The bottom line is that attacks of this size can take virtually any company offline – a reality that any business must be prepared to defend against. And it isn’t just the giant attacks that organizations need to worry about. Before botnets are mobilized, hackers need to make sure that their techniques are going to work. This is usually done using small, sub-saturating attacks, which most IT teams wouldn’t even recognize as a DDoS attack. Due to their size – the majority are less than five minutes in duration and under 1 Gbps – these shorter attacks typically evade detection by most legacy and homegrown DDoS mitigation tools, which are generally configured with detection thresholds that ignore this level of activity.

This allows hackers to perfect their attack techniques while remaining under the radar, leaving security teams blindsided by subsequent attacks. If these techniques are then deployed at full scale with a botnet, the results can be devastating.
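The detection gap described above, as an added example that is not part of the original article: a fixed-threshold rule is compared with a baseline-relative detector on a constructed traffic trace. The 10-second sample interval, the 1 Gbps / 5-minute legacy rule, the 2x-median factor and all function names are assumptions made for illustration.

```python
from collections import deque
from statistics import median

INTERVAL_S = 10  # seconds per sample (assumed export interval)

def _runs(samples, is_hit):
    """Merge consecutive hits into events with start, duration and peak."""
    events, start = [], None
    for i, v in enumerate(list(samples) + [None]):  # sentinel closes a trailing run
        hit = v is not None and is_hit(i, v)
        if hit and start is None:
            start = i
        elif not hit and start is not None:
            events.append({"start_s": start * INTERVAL_S,
                           "duration_s": (i - start) * INTERVAL_S,
                           "peak_mbps": max(samples[start:i])})
            start = None
    return events

def static_threshold_events(samples, threshold_mbps=1000, min_duration_s=300):
    """Legacy-style rule (assumed): alert only on a sustained rate above a fixed threshold."""
    return [e for e in _runs(samples, lambda i, v: v >= threshold_mbps)
            if e["duration_s"] >= min_duration_s]

def baseline_events(samples, window=30, factor=2.0):
    """Flag samples exceeding factor x the median of recent normal samples."""
    normal = deque(samples[:window], maxlen=window)  # warm-up assumed attack-free
    flags = [False] * len(samples)
    for i in range(window, len(samples)):
        if samples[i] > factor * median(normal):
            flags[i] = True              # anomalous: keep it out of the baseline
        else:
            normal.append(samples[i])    # normal: let the baseline track it
    return _runs(samples, lambda i, v: flags[i])

def constructed_trace():
    """Constructed data: ~200 Mbps of normal traffic with one 3-minute, 700 Mbps burst."""
    normal = [200 + (i * 7) % 21 - 10 for i in range(90)]  # 190..204 Mbps
    return normal[:60] + [700] * 18 + normal[60:]

if __name__ == "__main__":
    trace = constructed_trace()
    print("static threshold :", static_threshold_events(trace))
    print("baseline-relative:", baseline_events(trace))
```

Flagged samples are kept out of the baseline so that a burst cannot raise the reference level it is being compared against.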

DDoS protection strategies must improve

Organizations must be better equipped to deal with the inevitable DDoS attack – IoT-related or otherwise. In the early days of DDoS attacks, more than two decades ago, operators handled an attack with a null route (i.e., a remote trigger blackhole). If they detected something going awry, they would look at the victim – the IP that was targeted – and null route everything associated with the victim. This got the attack traffic off the operator’s network and stopped the collateral damage against other unintended victims. However, it sacrificed the victim in the interest of keeping the rest of the network viable.

The DDoS mitigation landscape then evolved to a slightly more advanced technique, which involves routing the attack traffic to a scrubbing center, where human intervention and analysis is typically required to remove the attack traffic and return the legitimate traffic to its intended target. This process is resource-intensive and expensive. Plus, there’s often a lengthy delay between detection of the attack and when the actual remediation efforts begin.

The DDoS protection of today requires robust modern DDoS defenses that will provide both instantaneous visibility into DDoS events as well as long-term trend analysis to identify adaptations in the DDoS landscape and deliver corresponding proactive detection and mitigation techniques. Automatic DDoS mitigation is available today to eradicate the damage of DDoS and eliminate both the service availability and security impact. If desired, these solutions can be paired with an on-demand scrubbing solution.

A community effort is required

This type of effective DDoS defense can also be deployed as a premium DDoS Protection as-a-Service (DDPaaS) offering from an upstream Internet provider. Carriers are in a unique position to effectively eliminate the impact of DDoS attacks against their customers by surgically removing the attack traffic transiting their networks before it flows downstream. Providing such a service not only streamlines the operations of providers, giving them increased visibility and making their services more reliable, but drastically reduces the impact of IoT-driven DDoS attacks.

Preventing and mitigating the exploitation of the IoT is going to take quite a concerted effort. Device manufacturers and firmware and software developers need to build strong security into the devices. Installers and administrators need to change default passwords and update and patch systems – if this is even possible – when vulnerabilities do arise.

The home user must also be educated on best practices in securing their devices against vulnerabilities. The average user of connected devices – whether that be your smart home, smart appliances, smart car, or smart office – does not typically pay close attention to software updates or critical patching schedules. They also don’t quite understand how these devices are connected or share data. IoT devices often have just enough processing power to deliver their required functionality, with security as an afterthought at best or often not present at all. Add to this the fact that access control passwords are often left at their factory defaults, or replaced with alternatives that are easy to crack using brute-force techniques. The human component is often underestimated as a contributor to an overall lack of security of the IoT.

Stephanie Weagle brings more than 12 years of marketing and communications experience to Corero Network Security, where she is Vice President of Marketing for the Corero DDoS protection solutions.






Stephanie Weagle, Corero Network Security