Don't take part in a DDoS botnet


DDoS attacks have been at the forefront of the media for weeks. The unprecedented scale of the attacks on Brian Krebs' website lit the powder keg, and it hasn't stopped, with the most recent example being the attack on Dyn's servers that led to a major outage on the east coast of the US.

As The Register reported, the Krebs attack was the largest known single DDoS attack ever, with more than 152K devices involved, generating more than 620Gbps in the attack. The Dyn attack received even more coverage, as it affected many popular consumer sites, including media-friendly Twitter.

Nothing is new about DDoS attacks on DNS infrastructure; in fact, they are fairly common. What has changed is the scale of the attacks, which is being achieved through networks of compromised IoT devices.

According to security firm Flashpoint, the Dyn attack involved botnets of devices compromised by the Mirai malware, which was also used in the Krebs attack, among others. What's worse, the size and scope of these botnets is expanding, as is the world of IoT, which is greatly expanding the attack surface.

There are a variety of reasons why we can expect an increase in scale and frequency of attacks, including:

  • The Mirai code is publicly available for any copycats to use, as is the code for other IoT-related malware such as the gafgyt/bashlite family.
  • The number of IoT devices is going to increase rapidly, and the attack vector will increase along with it.
  • Many easily compromised IoT devices are already in use and won’t be patched or removed from the Internet in any significant number. There are already 500,000 vulnerable devices that we know of -- the horse is already out of the barn.
  • There are currently no significant economic incentives for IoT vendors to include appropriate security in their devices. IoT devices are often a low-cost commodity.
  • It is very difficult for an Internet service provider to distinguish between valid requests and hostile (but perfectly formed) requests. There is not much that can be done to identify and block hostile requests while still servicing valid ones, which makes capacity the only effective weapon: ISPs need enough of it to handle both the valid traffic and the flood of DDoS traffic without being overwhelmed.

Staying Ahead with Traffic Monitoring

ISPs like Dyn and Akamai are familiar with handling DDoS attacks. But they are in an ongoing arms race with attackers, trying to match the size, speed and frequency of attacks. Here are some thoughts on how they can stay ahead:

  • Take advantage of network monitoring to keep an eye on bandwidth. By baselining metrics and comparing current traffic patterns against that baseline, it is easier to sniff out anomalous behavior.
  • Make security a top priority when selecting vendors and products. Do not purchase devices that can't be patched or that don't allow users to change default passwords. And immediately change the defaults on all devices once they are deployed.
  • Patch devices on a regular schedule, ideally as soon as new patches are available.
  • Don’t give IoT devices access to the Internet unless they absolutely require it.
  • Don’t allow incoming connections from the Internet to the IoT devices, unless they absolutely require it.
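The first recommendation above, baselining traffic and comparing new measurements against it, is simple enough to sketch in code. The following is an added example written for this article, not code from the author or from Paessler; it assumes traffic has already been summarised per interval as a request count and a count of distinct source addresses (both are assumptions about the monitoring setup), and all the numbers in it are constructed for illustration. It flags an interval whose volume is far outside the baseline, and separates a surge that comes from the usual set of sources from one that arrives from a sudden mass of new sources, the shape the IoT botnet attacks described above take.

```python
"""Baseline-and-compare traffic monitoring (added example, constructed data).

Assumed input: one IntervalStats per monitoring interval, e.g. per minute.
The baseline is the mean and standard deviation of the recent *normal*
intervals, so an ongoing flood does not drag the baseline up with it.
"""
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class IntervalStats:
    requests: int          # requests observed in the interval (assumed counter)
    distinct_sources: int  # unique source addresses in the interval (assumed counter)


def baseline(history):
    """Return ((mean, sd) of requests, (mean, sd) of distinct sources)."""
    reqs = [s.requests for s in history]
    srcs = [s.distinct_sources for s in history]
    return (mean(reqs), pstdev(reqs)), (mean(srcs), pstdev(srcs))


def z_score(value, stats, sd_floor=1.0):
    """How many standard deviations `value` sits above the baseline mean.

    A floor on the standard deviation keeps a perfectly flat baseline from
    turning every tiny wobble into a huge score (and avoids division by zero).
    """
    m, sd = stats
    return (value - m) / max(sd, sd_floor)


def classify(sample, history, threshold=4.0):
    """Label one interval against the baseline built from `history`.

    'normal'            - request volume within `threshold` sd of the baseline
    'volume-anomaly'    - far more requests, but from roughly the usual number of sources
    'distributed-flood' - far more requests AND far more distinct sources than usual
    """
    req_stats, src_stats = baseline(history)
    if z_score(sample.requests, req_stats) < threshold:
        return "normal"
    if z_score(sample.distinct_sources, src_stats) >= threshold:
        return "distributed-flood"
    return "volume-anomaly"


def monitor(samples, window=8, threshold=4.0):
    """Walk a stream of intervals; the first `window` seed the baseline.

    Returns one label per interval after the seed window. Only intervals
    judged normal are slid into the baseline, so a long-running attack is
    not learned as the new normal.
    """
    history = list(samples[:window])
    labels = []
    for s in samples[window:]:
        label = classify(s, history, threshold)
        labels.append(label)
        if label == "normal":
            history = history[1:] + [s]
    return labels


# Constructed sample data: eight quiet intervals, then a quiet one, a flood
# from a huge number of sources, and a surge from the usual source population.
CONSTRUCTED_STREAM = [
    IntervalStats(9800, 800), IntervalStats(10200, 820), IntervalStats(9900, 790),
    IntervalStats(10100, 810), IntervalStats(10000, 800), IntervalStats(9700, 780),
    IntervalStats(10300, 830), IntervalStats(10000, 770),
    IntervalStats(10150, 815),      # ordinary interval
    IntervalStats(300000, 150000),  # botnet-style flood: many new sources
    IntervalStats(60000, 805),      # surge from the usual number of sources
]

if __name__ == "__main__":
    for s, label in zip(CONSTRUCTED_STREAM[8:], monitor(CONSTRUCTED_STREAM)):
        print(f"{s.requests:>7} requests from {s.distinct_sources:>6} sources -> {label}")
```

The source-count split is what makes the example useful: a sudden jump in distinct sources alongside the volume spike is the signature of the kind of device-based botnet described above, whereas the same spike from the usual sources points at a different problem, such as a misbehaving client or a retry storm. It also shows the limit the article states: a genuine flash crowd of legitimate users looks like a distributed flood by these counts alone, so the monitor can tell you that something is happening and roughly what shape it has, but not whether the perfectly formed requests are hostile.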

This problem has not yet hit its peak, but there are proactive steps that can be taken to ensure we are not constantly under siege from DDoS attacks.

Kimberley Parsons Trommler has been working in the IT industry for 20 years, with a focus on network architecture and network monitoring. She is currently product evangelist at Paessler AG, the maker of PRTG Network Monitor.

Photo Credit: Fabio Berti/Shutterstock


© 1998-2024 BetaNews, Inc. All Rights Reserved. Privacy Policy - Cookie Policy.