Embedded Internet-of-Thing (IoT) botnets are not a new phenomenon – we’ve seen them leveraged to launch DDoS attacks, send spam, engage in man-in-the-middle (MitM) credentials hijacking, and other malicious activities for several years. For example, a few years ago, a 75,000-strong botnet comprised of embedded devices – consumer broadband routers, in that instance – was found to be launching DDoS attacks. We routinely see IoT botnets comprised of webcams, DVRs, cable television set-top boxes, satellite set-top boxes, etc. used to launch DDoS attacks.
IoT botnets have been used to launch high-profile DDoS attacks against online gaming networks, to engage in DDoS extortion attempts, and to target organizations affiliated with the Rio Olympics, as shown above and discussed in this blog post.
IoT devices are attractive to attackers because so many of these devices are shipped with insecure defaults, including default administrative credentials, open access to management systems via the Internet-facing interfaces on these devices, and shipping with insecure, remotely exploitable code. A large proportion of embedded systems are rarely if ever updated in order to patch against security vulnerabilities – indeed, many vendors of such devices do not provide security updates at all.
Embedded IoT devices are often low-interaction – end-users don’t spend much time directly interfacing with them, and so aren’t given any clues that they’re being exploited by threat actors to launch attacks.
There are tens of millions of vulnerable IoT devices, and their numbers are growing daily; they’re generally always turned on; they reside on networks which aren’t monitored for either incoming or outgoing attack traffic; and the networks where they’re deployed often offer high-speed connections, which allows for a relatively high amount of DDoS attack traffic volume per compromised device.
Organizations can defend against DDoS attacks by implementing best current practices (BCPs) for DDoS defense, including hardening their network infrastructure, ensuring they’ve complete visibility into all traffic ingressing and egressing from their networks so as to detect DDoS attacks, ensuring they’ve sufficient DDoS mitigation capacity and capabilities (either on-premise or via cloud-based DDoS mitigation services, or both), and by having a DDoS defense plan which is kept updated and is rehearsed on a regular basis.
In particular, ISP and MSSP network operators should actively participate in the global operational community, so that they can both render assistance when other network operators come under high-volume DDoS attacks as well as request mitigation assistance as circumstances warrant. Active, continuous cooperation between enterprise network operators, ISPs, and MSSPs is the key to successful DDoS defense.
It’s also very important that when measuring DDoS attack volumes, network operators take into account the baseline load of their normal internet traffic so as to neither underestimate or overestimate the amount of attack traffic targeting their networks and customers. This is vital when determining which DDoS defense mechanisms and methodologies to employ in the course of an attack, as well as to ensure that accurate information is provided to the global operational community and to the media.