Refuse to Take Part in a DDoS Botnet, Revisited

Originally published on October 24, 2016 by Kimberley Parsons Trommler
Last updated on March 03, 2022 • 10 minute read

This post is a follow-up to our post from Oct 4, Refuse to Take Part in a DDoS Botnet.

The massive DDoS attacks against Dyn's DNS service last Friday demonstrated, again, that insecure IoT devices are not merely a minor annoyance, but rather pose a serious threat to the Internet economy. While the attacks against Brian Krebs and the French hosting provider OVH on Sept 20 were newsworthy in their scale, the attacks against Dyn demonstrate the level of damage possible when the attack is directed against important Internet services.

DDoS attacks on the DNS infrastructure are neither new nor rare. What is new, however, is the scale of the attacks, and the use of a network of compromised IoT devices as the source of the attack. Flashpoint has confirmed that some of the infrastructure used to attack Dyn consisted of botnets compromised by the Mirai malware, the same malware which was used against Brian Krebs and OVH. However, the botnets used against Dyn were not the same as the ones used against Krebs and OVH; they are separate and distinct botnets from those in the first attacks. Read that sentence again: this is not the same botnet; it's an additional one, even larger, using the same publicly available technology. The attack on OVH used roughly 200,000 compromised devices, but a scan conducted by Flashpoint revealed that there are more than 500,000 vulnerable devices on the Internet, and Level 3 Communications says that these devices are not only vulnerable, but already infected. This doesn't bode well.

What Does The Future Hold?

We can expect to see an increase in both the size and frequency of attacks using IoT botnets, since:

  • The Mirai code is publicly available for any copycats to use, as is code for other IoT malware such as the gafgyt/bashlite family.
  • The number of IoT devices is going to increase, so that there are even more devices available to be used in a botnet.
  • The easily compromised IoT devices are already out there, in the wild, and won't be patched or removed from the Internet in any significant number. There are already 500,000 vulnerable devices out there; the horse is already out of the barn.
  • There are no significant economic incentives for IoT vendors to include appropriate security in their devices.
  • It is very, very difficult for an Internet service provider to distinguish between valid requests and hostile (but perfectly formed) requests. There's very little they can do to identify and block hostile requests while still servicing valid requests, so their most effective weapon is size. They need to have enough capacity to handle both the valid traffic and the flood of DDoS traffic without being overwhelmed.

What Can Internet Providers Do?

Internet service companies such as Dyn and Akamai (used by Brian Krebs) are used to handling DDoS attacks on a regular basis. However, they're in an arms race against the hackers, trying to match size for size, and the sheer number of easily-hacked IoT devices has tipped the scales towards the hackers.

There is no easy solution here, and preventing DDoS attacks is going to involve serious effort from the Internet providers, the vendors of IoT devices and the consumers of IoT devices. Unfortunately, only the first of these three groups is taking the issue seriously at the moment; neither the vendors nor the consumers have any real interest in IT security, since there's no economic incentive at the moment. As Bruce Schneier writes:

"This is not something that the market can solve. Like data privacy, the risks and solutions are too technical for most people and organizations to understand; companies are motivated to hide the insecurity of their own systems from their customers, their users, and the public; the interconnections can make it impossible to connect data breaches with resultant harms; and the interests of the companies often don't match the interests of the people."

What Can Consumers Do?

As consumers of IoT devices, our influence here varies widely, depending on what kind of IoT device we're talking about. The more sophisticated devices (e.g. manufacturing robots) offer significantly more security capabilities than, say, an end-consumer DVR.

As corporate IT-department consumers, we can do our part by including security as a mandatory requirement in our purchasing:

  • Make security an important consideration when selecting vendors and products. Refuse to purchase devices that can't be patched or that don't allow users to change default passwords.
  • Change default passwords on all devices immediately.
  • Patch devices on a regular schedule, ideally as soon as new patches are available.
  • Don't give IoT devices access to the Internet unless they absolutely require it.
  • Don't allow incoming connections from the Internet to the IoT devices, unless they absolutely require it.
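The last two points only help if someone checks that the policy holds. The following is an added example (not from the original post or from Paessler) that audits firewall log lines against a per-device egress allowlist and flags any Internet-originated connection to an IoT device; the device names, addresses, allowlist and log lines are all constructed placeholders, and the log format is an assumed simple "src:port -> dst:port proto action" layout.

```python
import ipaddress
import re
from collections import Counter

# Constructed policy: which internal addresses are IoT devices and the only
# external (ip, port) pairs each one legitimately needs (placeholder values).
IOT_POLICY = {
    "192.168.50.10": {"name": "lobby-camera", "allowed": {("203.0.113.7", 443)}},
    "192.168.50.11": {"name": "dvr-01", "allowed": set()},  # needs no Internet access
}
INTERNAL = ipaddress.ip_network("192.168.0.0/16")

# Constructed firewall log lines in an assumed "src:port -> dst:port proto action" shape.
SAMPLE_LOG = """\
2016-10-24T10:00:01 192.168.50.10:51000 -> 203.0.113.7:443 tcp ALLOW
2016-10-24T10:00:05 192.168.50.11:40022 -> 198.51.100.23:80 tcp ALLOW
2016-10-24T10:00:06 192.168.50.11:40023 -> 198.51.100.24:80 tcp ALLOW
2016-10-24T10:00:09 198.51.100.99:55555 -> 192.168.50.10:8080 tcp ALLOW
2016-10-24T10:00:12 192.168.50.10:51001 -> 192.168.1.5:53 udp ALLOW
2016-10-24T10:00:15 192.168.20.4:44000 -> 198.51.100.50:443 tcp ALLOW
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<src>[\d.]+):(?P<sport>\d+) -> "
                     r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+) (?P<action>\w+)$")

def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec

def audit(log_text, policy=IOT_POLICY):
    """Return (finding, device, peer, port) tuples for IoT traffic that crosses the
    Internet boundary outside the allowlist, in log order."""
    findings = []
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        src, dst, port = rec["src"], rec["dst"], rec["dport"]
        src_internal = ipaddress.ip_address(src) in INTERNAL
        dst_internal = ipaddress.ip_address(dst) in INTERNAL
        # IoT device reaching the Internet somewhere its allowlist does not permit.
        if src in policy and not dst_internal and (dst, port) not in policy[src]["allowed"]:
            findings.append(("unexpected-egress", policy[src]["name"], dst, port))
        # The Internet reaching an IoT device at all.
        if dst in policy and not src_internal:
            findings.append(("inbound-from-internet", policy[dst]["name"], src, port))
    return findings

def summarize(findings):
    """Count findings per (finding type, device) so a chatty device stands out."""
    return Counter((kind, name) for kind, name, _, _ in findings)
```

Run against real firewall or NetFlow exports, a device that suddenly shows many unexpected-egress findings is the one to pull off the network and check first.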

As private consumers, our options are much more limited. We can attempt to secure our IoT devices and our home routers as much as possible. And we can keep asking about security until the vendors take notice. With time, there will be vendors who choose to differentiate themselves based on security. Vote with your wallet!
