Defending Against Those Evil IoT Botnets


Fall 2016. Nobody was expecting it: Spotify, down; PayPal, unresponsive; Twitter, offline. It was a day that will never be forgotten by Dyn, the cloud DNS provider at the center of the debacle. What went wrong? Nobody expected the sites and services that Dyn was hosting to be at the center of a large-scale botnet attack.

Enter the rise of Mirai: a vicious botnet that takes advantage of unprotected Internet of Things devices like CCTV cameras, routers, DVRs, or even baby monitors. It is able to rapidly overwhelm DNS servers with requests, cutting users off from the services they want to use: the definition of a distributed denial of service (DDoS) attack. It was Mirai that attacked Dyn as well as the French hosting service OVH.

Initially created to target Minecraft servers on behalf of competing Minecraft security organizations trying to woo customers from one another (essentially a digital version of the classic organized crime protection racket), Mirai has now proliferated. According to a report by security journalist Brian Krebs, who was also attacked by Mirai, it was the latest incarnation of an IoT botnet family that has been in development and in broad use for nearly three years. It also isn't the only one. Others like Qbot, Bashlite or dozens of other copycats are all competing for the same pool of vulnerable IoT devices, spreading from one infected host to another.

In these more recent high-profile attacks, the botnet hijacked hundreds of thousands of IoT devices from all over the world, and now that its source code has been released into the open, hackers have the ability to infect millions of smart devices swiftly and easily. Because of this access, security experts predict that large-scale attacks are likely to surge, and could possibly take almost any company offline.

This wasn't the first time that these evil 'hosts' had launched an assault, but it was the size and scale that differentiated these attacks (as well as the fact that compromised PCs were not at the epicenter, but instead unprotected connected consumer devices). Considering nearly one quarter of consumers today have an Internet-connected device, such as an app-controlled smart thermostat or appliance, in their home, many may have been unwilling participants in this attack, and it is likely to happen again. Dyn will not be a lone case; it is merely the most recent and most public example of a major attack, given the services that were affected.

So how can we defend our networks and our users against this type of attack?
As it has become common practice to outsource DNS, users are sharing resources with thousands of other users, meaning an attack on one is an attack on all. Hackers know that DNS is a weak link in the security chain, so relying on multiple layers of protection is essential. One option is to adopt a hybrid DNS architecture, in which your DNS servers are active all the time.

In this hybrid architecture, the protocol service is spread across multiple DNS servers. In the event of a major attack, the service will automatically switch to another unaffected server, giving users continued access. Using an alternate cloud DNS in conjunction with local DNS-based services allows you to ‘double down’, and ensures you are covered in the event of an attack. It’s a good idea not to rely on a single host for DNS, and where possible to use advanced DNS hardware that can handle very high traffic, as well as identify and block attacks.

While defending your own systems is important, is there anything else that can be done to stop the problem at its source?

DNS as an active defense
There’s a big problem facing anyone trying to defend against IoT botnets like Mirai: consumer internet services are hard to protect. They’re intended to be open by design, and most users don’t consider the hardware they’re using, or use a security model beyond a basic NAT firewall built into a router.

That means users cannot be expected or relied upon to keep their networks secure, or their IoT hardware up to date. The latter is made harder by vendors who may not provide appropriate patches and bug fixes in a timely fashion. It all adds up to an environment that’s increasingly hostile, and hard to manage.

How do we protect the wider internet from this risk? One option is for ISPs to take a stronger stance on securing their networks, with stricter controls for customer premises equipment (CPE) and for user networks. Hardware in their networks can be used to detect common attack patterns, especially from known botnets like Mirai.

Once compromised networks have been identified, DNS security tools can use technologies like IPAM to switch the customer's CPE from an open network to one that's more restricted and able to filter botnet command-and-control traffic. The same tools can also provide users with quick access to tools and techniques to help remediate their network, assisting them in identifying and updating compromised hardware while disrupting the botnet structure.
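As an added illustration of the "detect, then quarantine" step described above (example code written for this article, not EfficientIP's or any ISP's own tooling), the script below scans resolver query logs in a simplified, constructed BIND-style format and flags clients whose query rate and proportion of never-repeated names look like a flood from a compromised CPE. The log format, the thresholds and the sample addresses are assumptions; a flagged address is a candidate for the restricted CPE network, not proof of infection.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumed, simplified query-log line: "<date> <time> client <ip>#<port>: query: <name> IN <type>"
LINE_RE = re.compile(r"^(\S+ \S+) client ([\d.]+)#\d+: query: (\S+) IN (\S+)$")


def build_sample_log():
    """Constructed sample: one flooding CPE (192.0.2.10) plus two normal clients."""
    lines = []
    for i in range(30):  # 30 unique random-looking names inside one second
        lines.append(f"2016-10-21 12:00:00.{i * 10:03d} client 192.0.2.10#4{i:04d}: "
                     f"query: r{i:05x}.example.com IN A")
    lines.append("2016-10-21 12:00:00.250 client 192.0.2.20#53001: query: www.example.com IN A")
    lines.append("2016-10-21 12:00:00.700 client 192.0.2.20#53002: query: mail.example.com IN MX")
    lines.append("2016-10-21 12:00:00.900 client 192.0.2.30#53003: query: www.example.com IN AAAA")
    return lines


def flag_flooding_clients(lines, window_s=1.0, max_qps=20, min_unique_ratio=0.8):
    """Return {client_ip: stats} for clients exceeding both assumed thresholds."""
    per_client = defaultdict(list)  # ip -> [(timestamp, queried name)]
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole scan
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f")
        per_client[m.group(2)].append((ts, m.group(3).lower()))

    flagged = {}
    for ip, events in per_client.items():
        events.sort()
        # Sliding window: largest number of queries inside any window_s-second span
        peak, start = 0, 0
        for end in range(len(events)):
            while (events[end][0] - events[start][0]).total_seconds() > window_s:
                start += 1
            peak = max(peak, end - start + 1)
        peak_qps = peak / window_s
        # High share of unique names is typical of a flood of throwaway queries
        unique_ratio = len({name for _, name in events}) / len(events)
        if peak_qps > max_qps and unique_ratio >= min_unique_ratio:
            flagged[ip] = {"peak_qps": peak_qps, "unique_ratio": round(unique_ratio, 2)}
    return flagged


if __name__ == "__main__":
    for ip, stats in flag_flooding_clients(build_sample_log()).items():
        print(f"quarantine candidate {ip}: {stats}")
```

Only the constructed flooding client is reported; the two clients making a handful of ordinary lookups stay below both thresholds.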

However, there is a risk associated with this approach, as it changes the relationship between the ISP and the customer (and could be seen as undue interference). If it’s to be used, it will need to be handled in conjunction with other ISPs at a regional level, and will need to become part of the contract between user and service provider.

Services and ISPs working together to defend the Internet
If we can bring service and ISP solutions like these together, along with an industry-wide approach to IoT updates and servicing, we might just have a solution. The key elements to focus on would be:

1) Advanced DNS services capable of handling DDoS traffic

2) Using multiple DNS services for key services to ensure their continuity

3) Using a DNS security layer for CPE, linked to attack pattern detection

4) Consumer ISP quarantine services linked to easy update services for IoT hardware

Massive-scale botnet DNS attacks like those delivered by Mirai can't be prevented by just one action. It's going to require an elaborate 'sting' operation in which providers, consumers, hardware vendors, and ISPs collaborate in order to deliver a multi-faceted solution.

David Williamson is the CEO of EfficientIP, a leading provider of DDI (DNS, DHCP, IPAM) headquartered in Europe, North America and Asia. EfficientIP is the world’s fastest growing DDI vendor. EfficientIP solutions have been selected by hundreds of the most demanding organisations across a spectrum of commercial verticals and government sectors. Previously Williamson held sales leadership positions and helped to accelerate growth through partnerships at Mercury Interactive (acquired by Hewlett-Packard Enterprise) and Boole & Babbage (acquired by BMC Software), the first software company in Silicon Valley to receive venture capital funding. Williamson is a graduate of the SKEMA Business School in France.

Edited by Ken Briodagh