Defending Against Those Evil IoT Botnets

By Special Guest
David Williamson, CEO, EfficientIP
March 14, 2017

Fall 2016. Nobody was expecting it: Spotify, down; PayPal, unresponsive; Twitter, offline. It was a day that will never be forgotten by Dyn, the cloud DNS provider at the center of the debacle. What went wrong? Nobody expected the sites and services whose DNS Dyn was hosting to be at the center of a large-scale botnet attack.

Enter the rise of Mirai: a vicious botnet that takes advantage of unprotected Internet of Things devices like CCTV cameras, routers, DVRs, or even baby monitors. It is able to rapidly overwhelm DNS servers with requests, cutting users off from the services they want to use: the definition of a distributed denial of service (DDoS) attack. It was Mirai that attacked Dyn as well as the French hosting service OVH.

Initially created to target Minecraft servers from competing Minecraft security organizations in order to woo customers from one another (essentially a digital version of the classic organized crime protection racket), Mirai has now proliferated. According to a report by security journalist Brian Krebs, who was also attacked by Mirai, it was the latest incarnation of an IoT botnet family that has been in development and in broad use for nearly three years. It also isn’t the only one. Others like Qbot, Bashlite and dozens of other copycats are all competing for the same pool of vulnerable IoT devices, spreading from one infected host to another.

In these more recent high-profile attacks, the botnet hijacked hundreds of thousands of IoT devices from all over the world, and now that its source code has been released into the open, hackers have the ability to infect millions of smart devices swiftly and easily. Because of this access, security experts predict that large-scale attacks are likely to surge, and could possibly take almost any company offline.

This wasn’t the first time that these evil ‘hosts’ had launched an assault, but it was the size and scale that differentiated these attacks (as well as the fact that compromised PCs were not at the epicenter, but instead unprotected connected consumer devices). Considering nearly one quarter of consumers today have an Internet-connected device, such as an app-controlled smart thermostat or appliance in their home, many may have been unwilling participants in this attack, and it is likely to happen again. Dyn will not be a lone case; it is merely the most recent and most high-profile public example of a major attack, given the services that were affected.

So how can we defend our networks and our users against this type of attack?
As it has become common practice to outsource DNS, users are sharing resources with thousands of other users, meaning an attack on one is an attack on all. Hackers know that the DNS is a weak link in the security chain, so relying on multiple layers of protection is essential. One option is to adopt a hybrid DNS architecture, in which all of your DNS servers are active all the time rather than sitting idle as cold standbys.

In this hybrid architecture, the protocol service is spread across multiple DNS servers. In the event of a major attack, the service will automatically switch to another unaffected server, giving users continued access. Using an alternate cloud DNS in conjunction with local DNS-based services allows you to ‘double down’, and ensures you are covered in the event of an attack. It’s a good idea not to rely on a single host for DNS, and where possible to use advanced DNS hardware that can handle very high traffic, as well as identify and block attacks.
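The last sentence above asks DNS infrastructure to "identify and block attacks". Below is an added example of the identification half, written for this edit and not taken from the article or from EfficientIP's products: a sliding-window query-rate detector run over a constructed resolver log. The log format (`<timestamp> client=<ip> qname=<name> qtype=<type>`), the addresses (documentation ranges) and the threshold of 100 queries per 10-second window are all assumptions chosen for the illustration; a real deployment would tune the threshold to its own baseline.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Assumed log line shape for this example (not a real resolver's format):
#   2016-10-21T11:10:00Z client=198.51.100.7 qname=twitter.example qtype=A
LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) qname=(?P<qname>\S+) qtype=(?P<qtype>\S+)$"
)


def parse_line(line):
    """Return (timestamp, client, qname, qtype) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["client"], m["qname"], m["qtype"]


def flood_sources(log_lines, window_seconds=10, threshold=100):
    """Map each client that exceeded `threshold` queries inside any
    `window_seconds`-long sliding window to its peak per-window count.

    Log lines from different clients may interleave, so events are sorted
    by time first; a per-client deque then holds only the timestamps that
    fall inside the current window.
    """
    events = [e for e in (parse_line(l) for l in log_lines) if e]
    events.sort(key=lambda e: e[0])
    windows = defaultdict(deque)   # client -> timestamps inside the window
    peak = defaultdict(int)        # client -> largest window seen so far
    for ts, client, _qname, _qtype in events:
        q = windows[client]
        q.append(ts)
        # Drop timestamps that have slid out of the window.
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        peak[client] = max(peak[client], len(q))
    return {c: n for c, n in peak.items() if n > threshold}


def build_sample_log():
    """Constructed traffic: one well-behaved client and one flooding client.

    The flooding client asks for a different random-looking subdomain on
    every query, the way a resolver would see a subdomain flood aimed at
    an authoritative server; both clients and names are made up.
    """
    lines = []
    base = datetime(2016, 10, 21, 11, 10, 0, tzinfo=timezone.utc)
    # Benign: one lookup every 2 seconds for a minute (30 queries total).
    for i in range(30):
        t = base + timedelta(seconds=2 * i)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} client=198.51.100.7 "
                     f"qname=twitter.example qtype=A")
    # Flood: 15 queries per second for 10 seconds (150 queries total).
    for s in range(10):
        t = base + timedelta(seconds=s)
        for i in range(15):
            lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} client=203.0.113.5 "
                         f"qname=r{s}x{i}.twitter.example qtype=A")
    return lines


if __name__ == "__main__":
    for client, n in flood_sources(build_sample_log()).items():
        print(f"{client}: peak {n} queries in a 10 s window, candidate for rate limiting")
```

The dictionary returned by `flood_sources` is what a resolver operator would feed into a rate-limiting or temporary block list; the benign client never exceeds six queries in any window, so only the flooding address is reported.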

While defending your own systems is important, is there anything else that can be done to stop the problem at its source?

DNS as an active defense
There’s a big problem facing anyone trying to defend against IoT botnets like Mirai: consumer internet services are hard to protect. They’re intended to be open by design, and most users don’t consider the hardware they’re using, or use a security model beyond a basic NAT firewall built into a router.

That means users cannot be expected or relied upon to keep their networks secure, or their IoT hardware up to date. The latter is made harder by vendors who may not provide appropriate patches and bug fixes in a timely fashion. It all adds up to an environment that’s increasingly hostile, and hard to manage.

How do we protect the wider internet from this risk? One option is for ISPs to take a stronger stance on securing their networks, with stricter controls for customer premises equipment (CPE) and for user networks. Hardware in their networks can be used to detect common attack patterns, especially from known botnets like Mirai.

Once compromised networks have been identified, DNS security tools can use technologies like IPAM to switch the customer’s CPE from an open network to one that’s more restricted and able to filter botnet command-and-control traffic. It can also provide users with quick access to tools and techniques to help remediate their network, assisting them in identifying and updating compromised hardware while disrupting the botnet structure.

However, there is a risk associated with this approach, as it changes the relationship between the ISP and the customer (and could be seen as undue interference). If it’s to be used, it will need to be handled in conjunction with other ISPs at a regional level, and will need to become part of the contract between user and service provider.

Services and ISPs working together to defend the Internet
If we can bring service and ISP solutions like these together, along with an industry-wide approach to IoT updates and servicing, we might just have a solution. The key elements to focus on would be:

1) Advanced DNS services capable of handling DDoS traffic
2) Using multiple DNS services for key services to ensure their continuity
3) Using a DNS security layer for CPE, linked to attack pattern detection
4) Consumer ISP quarantine services linked to easy update services for IoT hardware
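Item 2 above (and the earlier advice not to rely on a single host for DNS) is something a defender can check for their own zones. The following is an added example written for this edit, not the article's or EfficientIP's code: it takes a zone's NS hostnames and reports whether they span at least two distinct operators and at least two servers. The zone names, nameserver hostnames and the assumption that a nameserver's operator can be approximated by the last two labels of its hostname are all made up for the illustration; a production check would map nameserver addresses to networks or ASNs instead, and would handle multi-label public suffixes such as `co.uk`.

```python
from collections import defaultdict

# Constructed zones and their delegated nameservers. None of these names are real.
SAMPLE_ZONES = {
    # Every nameserver lives with one provider: an outage there takes the zone down.
    "shop.example": ["ns1.provider-a.example.", "ns2.provider-a.example.",
                     "ns3.provider-a.example."],
    # Two independent providers: one can fail and the zone still resolves.
    "news.example": ["ns1.provider-a.example.", "ns2.provider-a.example.",
                     "ns1.provider-b.example.", "ns2.provider-b.example."],
    # A single server, which is both a single provider and a single point of failure.
    "tiny.example": ["ns.self-hosted.example."],
}


def provider_of(ns_host):
    """Approximate the operator of a nameserver by its registrable domain.

    Assumption for this example: the last two labels identify the operator.
    That is wrong for multi-label suffixes (e.g. .co.uk); a real tool would use
    the Public Suffix List or resolve the host and compare networks/ASNs.
    """
    labels = ns_host.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def group_by_provider(ns_hosts):
    """Return {provider: [nameserver, ...]} for a zone's NS set."""
    groups = defaultdict(list)
    for host in ns_hosts:
        groups[provider_of(host)].append(host.rstrip(".").lower())
    return dict(groups)


def assess_zone(zone, ns_hosts, min_providers=2, min_servers=2):
    """Check a zone's delegation for provider and server redundancy.

    Returns a dict with the provider grouping, a list of human-readable
    findings, and an 'ok' flag that is True only when no finding was raised.
    """
    groups = group_by_provider(ns_hosts)
    findings = []
    if len(ns_hosts) < min_servers:
        findings.append(f"only {len(ns_hosts)} nameserver(s); need at least {min_servers}")
    if len(groups) < min_providers:
        names = ", ".join(sorted(groups))
        findings.append(f"all nameservers are operated by {names or 'nobody'}; "
                        f"need at least {min_providers} independent providers")
    return {"zone": zone, "providers": groups, "findings": findings,
            "ok": not findings}


def assess_all(zones=SAMPLE_ZONES):
    """Assess every zone and return {zone: result}."""
    return {zone: assess_zone(zone, ns) for zone, ns in zones.items()}


if __name__ == "__main__":
    for zone, result in assess_all().items():
        status = "OK " if result["ok"] else "WARN"
        print(f"{status} {zone}: {len(result['providers'])} provider(s)")
        for f in result["findings"]:
            print(f"       - {f}")
```

Feeding the function real NS records (obtained with `dig NS <zone>` or a DNS library) turns it into a quick inventory check: any zone whose nameservers all resolve to one operator is exactly the dependency the article warns about.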

Preventing massive-scale botnet DNS attacks like those delivered by Mirai can’t be solved by just one action. It’s going to require an elaborate ‘sting’ operation in which providers, consumers, hardware vendors, and ISPs collaborate in order to deliver a multi-faceted solution.

David Williamson is the CEO of EfficientIP, a leading provider of DDI (DNS, DHCP, IPAM) headquartered in Europe, North America and Asia. EfficientIP is the world’s fastest growing DDI vendor. EfficientIP solutions have been selected by hundreds of the most demanding organisations across a spectrum of commercial verticals and government sectors. Previously Williamson held sales leadership positions and helped to accelerate growth through partnerships at Mercury Interactive (acquired by Hewlett-Packard Enterprise) and Boole & Babbage (acquired by BMC Software), the first software company in Silicon Valley to receive venture capital funding. Williamson is a graduate of the SKEMA Business School in France.

Edited by Ken Briodagh