Protecting your networks from IoT botnets

Cisco estimates that there are approximately 10 billion things connected to the Internet today – and that’s only 0.6 per cent of all the things that could be connected. In short, the Internet of Things (IoT) has taken hold and shows no signs of slowing down. We are living in a radically interconnected world.

Other leading organisations and analyst firms share this assessment. Gartner, Inc., in its 2014 Hype Cycle for Emerging Technologies Report, noted that by 2019, companies would ship 1.9 billion connected home devices, bringing in about $490 billion in revenue. This stunning statistic has started more than the wolves of Wall Street talking; in fact, it has unleashed a new pack of wolves, and one with very big teeth.

Attackers move on every new technology as soon as it arrives. Last year they became markedly more effective at abusing any home device that runs an operating system and sits on a publicly reachable IP address. By driving a large population of compromised or misused machines (collectively a botnet; the individual machines are often called bots or “zombies”) at a single target, they produce a near-instantaneous volumetric assault that floods the victim’s network with traffic it never asked for until bandwidth or server capacity is exhausted. The result is bad for business and brand reputation, and very bad for the bottom line.

The New Threat Innovation

The humble home router, installed to give a household Internet access, has today become the instrument of what is now known as the Simple Service Discovery Protocol (SSDP) reflective amplification distributed denial-of-service (DDoS) attack. SSDP is the discovery layer of Universal Plug and Play (UPnP) and is carried over UDP port 1900; because UDP involves no handshake, an attacker can send discovery queries with the victim’s address forged as the source, and every device that answers delivers its reply to the victim instead. That is a mouthful with a significant impact once we understand that, globally, more than seven million SSDP devices have the potential to be exploited to launch SSDP and other DDoS attacks.

Because of its power, this attack rose through the ranks last year to become a weapon of choice among attackers. Each small query draws one or more much larger replies, so SSDP attacks use smart devices (routers, webcams and so on) to amplify attack bandwidth by as much as 75 times. With IoT bringing billions of such devices online, this type of attack will grow in step.
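To make the mechanism concrete, here is an added example (not code from the article or from NSFOCUS) that builds the M-SEARCH query an attacker spoofs, models the replies a typical home router returns to it, and computes the resulting amplification factor. The router’s advertised service list, UUID, LOCATION URL and SERVER string are constructed assumptions, and nothing is sent on the network.

```python
"""SSDP reflective amplification worked through on constructed packets.

Added example, not from the article or from NSFOCUS. Builds the M-SEARCH
query an attacker sends with a forged source address, models the replies a
home router returns, and computes the amplification factor. Nothing is
transmitted; the router inventory below is a constructed assumption.
"""

SSDP_MCAST_ADDR = "239.255.255.250"
SSDP_PORT = 1900  # UDP: no handshake, so the query's source IP is trivially forged


def build_msearch(search_target: str = "ssdp:all", mx: int = 1) -> bytes:
    """Build an SSDP M-SEARCH query (UPnP Device Architecture 1.1, HTTP over UDP).

    The attacker sends exactly this to each reflector with the victim's IP as
    the UDP source, so every reply is delivered to the victim.
    """
    lines = [
        "M-SEARCH * HTTP/1.1",
        f"HOST: {SSDP_MCAST_ADDR}:{SSDP_PORT}",
        'MAN: "ssdp:discover"',
        f"MX: {mx}",
        f"ST: {search_target}",
        "",
        "",
    ]
    return "\r\n".join(lines).encode("ascii")


def build_response(st: str, uuid: str, location: str) -> bytes:
    """Constructed reply in the shape a UPnP device sends, one per matching search target."""
    usn = uuid if st == uuid else f"{uuid}::{st}"
    lines = [
        "HTTP/1.1 200 OK",
        "CACHE-CONTROL: max-age=1800",
        "EXT:",
        f"LOCATION: {location}",
        "SERVER: Linux/2.6 UPnP/1.0 HypotheticalRouter/1.0",  # assumed vendor string
        f"ST: {st}",
        f"USN: {usn}",
        "",
        "",
    ]
    return "\r\n".join(lines).encode("ascii")


def parse_ssdp(data: bytes) -> dict:
    """Parse the start line and headers of an SSDP message into a dict."""
    text = data.decode("ascii", errors="replace")
    start, _, rest = text.partition("\r\n")
    headers = {"_start": start}
    for line in rest.split("\r\n"):
        if not line:
            break
        name, _, value = line.partition(":")
        headers[name.strip().upper()] = value.strip()
    return headers


# Constructed inventory of what one Internet gateway advertises. A query for
# "ssdp:all" is answered once for the root device, once for its UUID and once
# per embedded device and service type, which is what makes it so productive.
ROUTER_UUID = "uuid:01234567-89ab-cdef-0123-456789abcdef"
ROUTER_LOCATION = "http://192.168.1.1:1900/rootDesc.xml"
ROUTER_TARGETS = [
    "upnp:rootdevice",
    ROUTER_UUID,
    "urn:schemas-upnp-org:device:InternetGatewayDevice:1",
    "urn:schemas-upnp-org:device:WANDevice:1",
    "urn:schemas-upnp-org:device:WANConnectionDevice:1",
    "urn:schemas-upnp-org:service:Layer3Forwarding:1",
    "urn:schemas-upnp-org:service:WANCommonInterfaceConfig:1",
    "urn:schemas-upnp-org:service:WANIPConnection:1",
]


def reflect(query: bytes, targets=ROUTER_TARGETS) -> list:
    """Model the reflector: every reply the constructed router sends for one query."""
    q = parse_ssdp(query)
    if not q["_start"].startswith("M-SEARCH") or q.get("MAN") != '"ssdp:discover"':
        return []
    st = q.get("ST", "")
    matching = targets if st == "ssdp:all" else [t for t in targets if t == st]
    return [build_response(t, ROUTER_UUID, ROUTER_LOCATION) for t in matching]


def amplification_factor(query: bytes, replies) -> float:
    """Bytes delivered to the victim per byte the attacker had to send."""
    return sum(len(r) for r in replies) / len(query)


if __name__ == "__main__":
    q = build_msearch()
    replies = reflect(q)
    print(f"{len(q)}-byte query -> {len(replies)} replies, {sum(map(len, replies))} bytes")
    print(f"amplification factor: {amplification_factor(q, replies):.1f}x")
```

A single reply is already several times the size of the 94-byte query, and a query for ssdp:all multiplies that by the number of targets the device advertises, so the factor depends on the vendor's firmware rather than on anything the attacker controls. Real devices also answer a discovery query from any address unless the WAN interface filters port 1900, which is why exposed routers make such convenient reflectors.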

Today’s smart devices are susceptible, here’s why

• Always accessible. Unless you have programmed your home to automatically shut down when you leave or go to sleep, routers and webcams generally stay online 24 hours a day, seven days a week.
• Fairly high bandwidth. It’s the router’s job to provide your household with the bandwidth you need to access the Internet, send email, stream movies and so on.
• Routers ship with default credentials. Like a home computer, laptop or phone, any equipment that connects to the Internet must be password protected. Consumers are used to setting passwords on those devices, but finding the administrative interface of a router or webcam in order to change its factory password (and to make sure services such as UPnP/SSDP are not reachable from the Internet side) is far less intuitive.
• Routers require updates. When was the last time you updated the firmware on your router? For most of us, the answer would be, “Never.” In fact, certain smart devices may never be upgraded after deployment.
• No lifeguard on duty. While federal standards groups are investigating these types of attacks and developing recommendations, manufacturers are under no obligation to secure the consumer’s home network. Currently that responsibility falls to the consumer who purchases the device.

A Response to the New Threat

Though the industry is aware of this attack vector and is working to defend against it, with an ever-growing population of reachable end points the battle against DDoS will continue to challenge enterprises and ISPs. At RSA 2015 in San Francisco, IDC analyst Chris Christiansen noted that with consumer devices there is no money in security. He went on to say that, as such, the security embedded in a consumer IoT device is minimal, which, he noted, will eventually lead to major privacy and future litigation issues, especially in Europe.

ISPs, hosting providers and enterprises alike need to think beyond the traditional security stack in order to stop traffic-based attacks that make network infrastructure unavailable or saturate the available bandwidth.

It is important to know what to look for when evaluating DDoS mitigation. A solution must defend not only against attacks on the transport layer, such as SYN, SYN-ACK, ACK, FIN/RST, UDP, ICMP and IP fragment floods, but also against those aimed at the application layer, such as HTTP GET/POST floods, slow-rate attacks, DNS attacks, and attacks on game and audio/video services. It should also cope with attacks that reach the target through many intermediary servers, such as CDN nodes and WAF gateways, where the visible source address is the proxy rather than the real client, so that per-source rate limiting alone cannot separate attack traffic from legitimate users.

More evolved DDoS mitigation solutions are also available. Rather than relying solely on traditional fingerprint (signature) matching, they perform behaviour anomaly detection and pass suspect traffic through a multi-layer identification and cleaning pipeline that combines anti-spoofing, protocol-stack behaviour analysis, protection for specific applications, user-behaviour analysis, dynamic fingerprint identification, bandwidth control and so on.
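The two preceding paragraphs describe what a mitigation layer has to recognise at the transport and application layers and why behaviour, not just signatures, matters. As an added example (not the article’s or NSFOCUS’s code), the detector below applies three of those checks to a constructed one-second traffic sample in a simplified flow-log format: a SYN flood from spoofed sources, a flood of SSDP replies the victim never asked for (the reflection attack from the first half of the article), and an HTTP GET flood identified by request rate combined with low path diversity, the kind of user-behaviour signal a signature cannot capture. The record format, addresses, and thresholds are all assumptions for illustration.

```python
"""Flood and reflection detection over constructed traffic records.

Added example, not the article's or NSFOCUS's code. It runs three checks
over a constructed one-second sample in a simplified flow-log format
("ts src sport dst dport proto info"): a transport-layer SYN flood, an
unsolicited reflector (SSDP/DNS/NTP) reply flood, and an application-layer
HTTP GET flood recognised by request rate plus low path diversity. The
thresholds are illustrative assumptions to be tuned per network.
"""
from collections import defaultdict

REFLECTOR_PORTS = {1900: "SSDP", 53: "DNS", 123: "NTP"}


def parse_record(line: str) -> dict:
    """Parse one record: 'ts src sport dst dport proto info' (info may contain spaces)."""
    ts, src, sport, dst, dport, proto, info = line.split(" ", 6)
    return {"ts": float(ts), "src": src, "sport": int(sport), "dst": dst,
            "dport": int(dport), "proto": proto, "info": info}


def detect(records, window=1.0, syn_threshold=100, reflect_threshold=20,
           get_threshold=100, max_path_diversity=0.1) -> list:
    """Return one alert per (destination, window) that crosses a threshold."""
    syn_sources = defaultdict(list)   # (dst, bucket) -> sources of bare SYNs
    unsolicited = defaultdict(int)    # (dst, bucket, service) -> replies with no prior query
    get_paths = defaultdict(list)     # (dst, bucket) -> requested paths
    solicited = set()                 # (client, server, port) pairs the client really queried
    for r in sorted(records, key=lambda x: x["ts"]):
        bucket = int(r["ts"] // window)
        key = (r["dst"], bucket)
        if r["proto"] == "udp" and r["dport"] in REFLECTOR_PORTS:
            solicited.add((r["src"], r["dst"], r["dport"]))  # outbound query: its reply is legitimate
        elif r["proto"] == "udp" and r["sport"] in REFLECTOR_PORTS:
            if (r["dst"], r["src"], r["sport"]) not in solicited:
                unsolicited[key + (REFLECTOR_PORTS[r["sport"]],)] += 1
        elif r["proto"] == "tcp" and r["info"] == "S":
            syn_sources[key].append(r["src"])
        elif r["proto"] == "tcp" and r["info"].startswith("GET "):
            get_paths[key].append(r["info"].split(" ")[1])

    alerts = []
    for (dst, b), srcs in syn_sources.items():
        if len(srcs) >= syn_threshold:
            alerts.append({"kind": "syn_flood", "dst": dst, "window": b,
                           "count": len(srcs), "distinct_sources": len(set(srcs))})
    for (dst, b, service), n in unsolicited.items():
        if n >= reflect_threshold:
            alerts.append({"kind": f"{service.lower()}_reflection", "dst": dst,
                           "window": b, "count": n})
    for (dst, b), paths in get_paths.items():
        diversity = len(set(paths)) / len(paths)
        if len(paths) >= get_threshold and diversity <= max_path_diversity:
            alerts.append({"kind": "http_get_flood", "dst": dst, "window": b,
                           "count": len(paths), "path_diversity": round(diversity, 3)})
    return alerts


def constructed_sample() -> list:
    """Constructed traffic: SYN flood, SSDP reflection, a GET flood, and benign noise."""
    lines = []
    victim, web, quiet_web = "203.0.113.10", "203.0.113.30", "203.0.113.31"
    for i in range(150):  # bare SYNs from 150 spoofed sources within one second
        lines.append(f"1000.{i:03d} 198.51.100.{i % 250 + 1} {40000 + i} {victim} 443 tcp S")
    for i in range(40):   # SSDP replies from reflectors the victim never queried
        lines.append(f"1000.{i * 20:03d} 192.0.2.{i + 1} 1900 {victim} 54321 udp 200-OK")
    # a genuine discovery: the client queries first, so the reply is solicited
    lines.append("1000.100 203.0.113.20 50000 192.0.2.200 1900 udp M-SEARCH")
    lines.append("1000.150 192.0.2.200 1900 203.0.113.20 50000 udp 200-OK")
    for i in range(120):  # the same path hammered from 30 sources
        lines.append(f"1000.{i * 8:03d} 198.51.100.{i % 30 + 1} {50000 + i} {web} 80 tcp GET /login HTTP/1.1")
    for i, path in enumerate(["/", "/about", "/css/site.css", "/img/logo.png", "/contact"]):
        lines.append(f"1000.{i * 100:03d} 198.51.100.200 {51000 + i} {quiet_web} 80 tcp GET {path} HTTP/1.1")
    return lines


if __name__ == "__main__":
    for alert in detect([parse_record(line) for line in constructed_sample()]):
        print(alert)
```

The reflection check is the one worth copying: a reply from UDP port 1900, 53 or 123 is only legitimate if this host sent a query to that server first, so keeping a short-lived table of outbound queries separates a real discovery exchange from reflected traffic without any signature. The GET check shows why rate alone is not enough: the benign client also sends GETs, but its requests spread across paths, while the flood repeats one path from many sources.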

The IoT offers increased revenues, lowered costs and seemingly endless possibilities for businesses and consumers alike. Financial, governmental and other regulatory bodies are still working out how to implement standards and restrictions that will provide the greatest protection and benefit at the same time. The regulation process can be slow going, so enterprises and hosting providers need to act quickly to do what they can on their end to protect their own and their customers’ assets. They need a solution that can monitor and defend against today’s advanced traffic-based attacks.

For a more comprehensive discussion of SSDP DDoS attacks, other types of DDoS attacks and potential upcoming threats, download the NSFOCUS DDoS Threat Report.

Rishi Agarwal is Chief Evangelist and Director of Product Marketing at NSFOCUS, Inc. He has more than 12 years’ experience in product marketing, strategy, business development and product management, with broad domain expertise in network security, compute and storage. Prior to NSFOCUS, he was a Senior Manager at Arbor Networks. He has also worked for leading technology vendors such as Microsoft, Intel and SanDisk.