Wednesday, April 5, 2017

IoT Security: DDoS Attacks

When it comes to the Internet of Things, security is undoubtedly a hot issue. As more and more devices become linked to the network, hackers have countless opportunities to use them for their own personal gain. However, arguably one of the biggest threats comes in the form of DDoS attacks—the largest in recent history occurring about half a year ago.

Background

On October 21, 2016, a Mirai botnet used the Internet of Things to conduct a giant DDoS attack. Mirai is malware that scans the internet for IoT devices still using their default usernames and passwords; the infected devices form a botnet, which is then directed to overload servers with arbitrary requests. In this particular attack, a hacker launched two separate assaults on Dyn, a company that operates a DNS service. The first attack began early in the morning, when an abnormally large amount of traffic began to flood Dyn’s DNS platform in Asia, South America, Eastern Europe, and the western United States. The attack then changed course and began to target the eastern United States (Statt).

As UDP and TCP packets flooded in from a plethora of IoT devices, it became almost impossible to distinguish real traffic from attack traffic. This is a common problem in defending against DDoS attacks, and it is what leads to all requests ultimately being rejected, so legitimate users are denied service. In turn, those users begin to refresh their caches, which makes the increase in traffic even worse. All of these factors made the attack difficult for Dyn to combat. Unfortunately, just as Dyn was getting things under control, a second attack was launched. It closely resembled the first and used the same protocols, so it was stamped out more quickly. However, small TCP attacks persisted throughout the following days (Dyn).

[Figure: the areas most affected by the 2016 attack]

The Impact

Giant DDoS attacks such as these have an extreme impact on users and companies alike. While users are denied service to websites they want or need access to, companies lose money at an exponential rate. Therefore, this issue poses a huge risk to the public, and there could be catastrophic consequences in the future.

In this particular DDoS attack, many large companies were affected, including Twitter, Etsy, Vox, Spotify, Airbnb, Netflix, the New York Times, Pinterest, Reddit, Tumblr, PayPal, Verizon, EA, Soundcloud, Business Insider, and the Playstation Network. All of these companies rely on legitimate customer traffic to drive their revenues, so even a short outage can have disastrous effects. According to a study conducted by the Ponemon Institute, a DDoS attack can cause large-scale companies to lose between $1 and $100,000 per minute of downtime. This is a broad window; however, averaging that range out to $50,000/minute, and taking into account that this attack lasted roughly six hours, such an outage could have caused companies up to $18,000,000 in damages. DDoS attacks not only cause a massive loss of customer traffic, but also a loss of worker productivity, and this forces companies to bleed money. Additionally, the attacks usually cause companies to take on costs associated with hardware and software replacements (Lafrance).

[Figure: a few of the companies affected by the 2016 attack]

How to Mitigate These Attacks

As the Internet of Things continues to grow, the internet becomes increasingly vulnerable to DDoS attacks like the one Dyn experienced last year. According to Anthony Grieco, the senior director of the security and trust organization at Cisco, one proposed solution for manufacturers is to update best practices for hardening routers against DDoS traffic. This would help ensure that, at the hardware level, routers are better prepared to withstand such high-traffic attacks (Thielman).

Additionally, federal regulators could step in and set minimum security standards for IoT devices. These potential regulations could mandate that manufacturers assign unique username/password combinations on their devices, instead of having simple defaults. However, aside from taking preventative measures, reactive approaches are also important. DNS providers such as Dyn can hire third parties to clean traffic of malicious requests before they even reach their target. Furthermore, the malicious traffic can be “blackholed”, which means that it would be directed to a destination that would just throw the request away.
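The following script is an added example, not code from the original post or from Dyn. It ties together two points above: the Background section's observation that attack packets from a botnet cannot be told apart from real requests one at a time, and the scrubbing and blackholing options just mentioned. The query log, the addresses (RFC 5737 test ranges), the thresholds and the notion of a "scrubbing" step as a simple per-source rate limit are all constructed for illustration. The legitimate/bot labels exist only because the data is constructed; a real operator does not have them, which is exactly why blackholing is so blunt.

```python
"""Aggregate detection of a DNS flood, plus the cost of two mitigations.

Added example with constructed data. Every logged query is well-formed,
so the only usable signal is aggregate: requests per second to one
resolver and how many distinct sources are behind them.
"""
from __future__ import annotations

from collections import Counter, defaultdict
from typing import NamedTuple

TARGET = "192.0.2.53"  # constructed address of the resolver under attack
LEGIT_SOURCES = ["198.51.100.10", "198.51.100.11", "198.51.100.12", "198.51.100.13"]


class Query(NamedTuple):
    ts: int
    src: str
    proto: str
    dst: str
    qname: str


def build_sample_log() -> str:
    """Constructed log, one '<second> <src_ip> <proto> <dst_ip> <qname>' per line."""
    lines = []
    for ts in (1, 2, 3):  # four real users, one query per second each
        for src in LEGIT_SOURCES:
            lines.append(f"{ts} {src} udp {TARGET} www.example.com")
    for i in range(20):  # second 2: 20 bots, each at the same 1 query/s as a real user
        lines.append(f"2 203.0.113.{i + 1} udp {TARGET} www.example.com")
    for i in range(20):  # second 3: the same 20 bots, now 5 queries/s each over TCP
        for _ in range(5):
            lines.append(f"3 203.0.113.{i + 1} tcp {TARGET} www.example.com")
    return "\n".join(lines)


def parse_log(text: str) -> list[Query]:
    out = []
    for line in text.splitlines():
        if line.strip():
            ts, src, proto, dst, qname = line.split()
            out.append(Query(int(ts), src, proto, dst, qname))
    return out


def per_second(queries: list[Query]) -> dict[int, list[Query]]:
    """Group the queries aimed at TARGET into one-second windows."""
    windows = defaultdict(list)
    for q in queries:
        if q.dst == TARGET:
            windows[q.ts].append(q)
    return dict(windows)


def flood_seconds(windows: dict[int, list[Query]], rate_threshold: int, source_threshold: int) -> list[int]:
    """Flag a second only when both the request rate and the number of distinct
    sources are abnormal; either one alone could just be a busy, honest period."""
    flagged = []
    for ts, qs in windows.items():
        if len(qs) >= rate_threshold and len({q.src for q in qs}) >= source_threshold:
            flagged.append(ts)
    return sorted(flagged)


def scrub_per_source(qs: list[Query], max_per_src: int) -> tuple[list[Query], list[Query]]:
    """Scrubbing heuristic: pass at most max_per_src queries per source in the window."""
    seen: Counter = Counter()
    kept, dropped = [], []
    for q in qs:
        seen[q.src] += 1
        (kept if seen[q.src] <= max_per_src else dropped).append(q)
    return kept, dropped


def blackhole(qs: list[Query]) -> tuple[list[Query], list[Query]]:
    """Blackholing: everything addressed to the target is discarded."""
    return [], list(qs)


def collateral(dropped: list[Query]) -> float:
    """Share of the window's legitimate queries that were lost. Uses the labels
    planted in the constructed data; a real defender cannot compute this."""
    lost = sum(1 for q in dropped if q.src in LEGIT_SOURCES)
    return lost / len(LEGIT_SOURCES)  # one legit query per source per second


def run_analysis() -> dict:
    """Returns, per flagged second, (kept, dropped, legit share lost) for each mitigation."""
    windows = per_second(parse_log(build_sample_log()))
    flagged = flood_seconds(windows, rate_threshold=20, source_threshold=10)
    result: dict = {"flood_seconds": flagged}
    for ts in flagged:
        k, d = scrub_per_source(windows[ts], max_per_src=2)
        result[f"scrub_{ts}"] = (len(k), len(d), collateral(d))
        k, d = blackhole(windows[ts])
        result[f"blackhole_{ts}"] = (len(k), len(d), collateral(d))
    return result


if __name__ == "__main__":
    for key, value in run_analysis().items():
        print(key, value)
```

Second 3, where each bot sends far more than a real user, is the case scrubbing handles well: the per-source limit drops 60 bot queries and no legitimate ones. Second 2 is the case the post describes: each bot behaves like one more user, the per-source limit drops nothing, and the only remaining blunt option, blackholing, discards all legitimate traffic along with the attack.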

On an individual level, there are also things that we can all do to help combat these harmful breaches of security. For instance, we can protect our IoT devices by turning off remote access, so that outsiders cannot log in. Furthermore, we can change the usernames and passwords on these devices ourselves, which will make them more difficult to access (Ducklin).
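As an added example of the two owner-side steps just described (turning off remote access and replacing the factory username and password), the script below audits a constructed device configuration and produces a hardened copy. It is not code from the original post or from any device vendor: the key/value format, the hypothetical factory defaults and the 12-character minimum are assumptions made for illustration, and a real device's defaults come from its own manual.

```python
"""Audit an IoT device's settings for the defaults an owner should change.

Added example with a constructed config format and constructed factory
values; no real vendor's defaults are represented here.
"""
from __future__ import annotations

import secrets
import string

# Constructed: what this hypothetical device ships with.
FACTORY_DEFAULTS = {"admin_user": "admin", "admin_password": "CHANGEME"}
MIN_PASSWORD_LEN = 12  # assumed local policy, not a vendor requirement
REMOTE_ACCESS_KEYS = ("remote_admin", "telnet")  # settings that expose a login to the internet

# Constructed sample config in a simple key=value format.
SAMPLE_CONFIG = """\
device_name=front-door-cam
admin_user=admin
admin_password=CHANGEME
remote_admin=on
telnet=on
firmware_autoupdate=off
"""


def parse_config(text: str) -> dict[str, str]:
    cfg = {}
    for line in text.splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            cfg[key.strip()] = value.strip()
    return cfg


def audit(cfg: dict[str, str]) -> list[str]:
    """Return finding codes, in a fixed order, for everything an owner should fix."""
    findings = []
    if any(cfg.get(k) == "on" for k in REMOTE_ACCESS_KEYS):
        findings.append("remote_access_enabled")
    if cfg.get("admin_user") == FACTORY_DEFAULTS["admin_user"]:
        findings.append("default_username")
    if cfg.get("admin_password") == FACTORY_DEFAULTS["admin_password"]:
        findings.append("default_password")
    if cfg.get("admin_password") == cfg.get("admin_user"):
        findings.append("password_equals_username")
    if len(cfg.get("admin_password", "")) < MIN_PASSWORD_LEN:
        findings.append("weak_password")
    return findings


def generate_password(length: int = 20) -> str:
    """Random password from the OS CSPRNG (letters and digits)."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def harden(cfg: dict[str, str], new_user: str, new_password: str | None = None) -> dict[str, str]:
    """Copy of cfg with remote access off and fresh credentials set."""
    fixed = dict(cfg)
    for k in REMOTE_ACCESS_KEYS:
        fixed[k] = "off"
    fixed["admin_user"] = new_user
    fixed["admin_password"] = new_password or generate_password()
    return fixed


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    print("before:", audit(cfg))
    fixed = harden(cfg, new_user="door-owner")
    print("after: ", audit(fixed))
```

Run on the sample config, the audit reports remote access enabled and the factory username and password still in place (the latter also failing the length check); after `harden()` the same audit returns no findings.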

Sources

Beal, Vangie. "The 7 Layers of the OSI Model." Webopedia. N.p., 02 Sept. 2016. Web. 06 Dec. 2016.

Ducklin, Paul. "Dyn DDoS – What Can We Do Right Now to Help Prevent the next Attack?" Naked Security. N.p., 24 Oct. 2016. Web. 06 Dec. 2016.

Hilton, Scott. "Dyn Analysis Summary Of Friday October 21 Attack." Dyn Content Hub. N.p., 26 Oct. 2016. Web. 06 Dec. 2016.

Lafrance, Adrienne. "How Much Will Today’s Internet Outage Cost?" The Atlantic. The Atlantic, 21 Oct. 2016. Web. 06 Dec. 2016.

Statt, Nick. "How an Army of Vulnerable Gadgets Took down the Web Today." The Verge. N.p., 21 Oct. 2016. Web. 06 Dec. 2016.

Thielman, Sam. "Can We Secure the Internet of Things in Time to Prevent Another Cyber-attack?" The Guardian. The Guardian, 25 Oct. 2016. Web. 06 Dec. 2016.

6 comments:

  1. I believe that security is a hot topic in our society nowadays, which requires us to pay more attention to it in order to be able to reduce the risks and threats that might affect or harm us. DDoS attacks are one of these cyber attacks that could harm any organization by preventing users from entering the organization's websites, which, as you stated in the article, would harm the productivity and service quality of the company.

  2. Always a great topic to talk about, especially in today's world where security is talked about daily. This kind of attack is still amazing to me, and concerning at the same time. Is it really that simple to just have a secure login and password combination? Or is access to the network still able to be breached?

    Replies
    1. I believe that no matter how complex our passwords are, hackers will always come up with new ways to hack into our systems, making it an ongoing fight between hackers and anti-hackers.

    2. I don't think DDoS attacks from IoT devices are a password problem, though moving from a default to something more secure is critical. It's the security (or lack of security) in IoT that is creating the problem. Is that because of passwords? I hope not.

  3. Very interesting topic, as IoT is becoming such a big thing in the tech world. As we discover more and more about IoT, lots of people and companies are going to be integrating it in any way possible. It will be interesting to see how security picks up for IoT. There will be a lot of IoT security jobs in the near future.

  4. If I recall correctly from researching the topic of using a "black hole" to redirect fake traffic, it's really hard to set the correct parameters that redirect only the DDoS attack while still letting through the requests from legitimate users. Hackers are getting very smart at making their traffic look legitimate in a DDoS attack.
