Strangest Things: Defending Against the Future of IoT DDoS Attacks
Taking a post-mortem look at last week’s Mirai DDoS attack and how these attacks can be prevented in the future.
The latest massive DDoS attack from the Mirai botnet – the October 21 strike on DNS provider Dyn that took major websites like Twitter and Reddit offline for hours – has already gained notoriety as one of the worst DDoS strikes in history. The largest open question about this attack is attribution. Attack attribution is hard. Many people think it is not, and it is easy for a motivated party to falsely or mistakenly attribute an action in cyberspace to one group or another based on details they believe amount to smoking guns. This is one of the hardest concepts to grasp in threat intelligence and research, and it is hotly debated within those communities and beyond. With respect to this attack, the timeline looks like this:
- 7am EST, October 21, 2016: Dyn began experiencing a DDoS attack unlike those it was typically used to receiving, acknowledging, and mitigating.
- 9am EST, October 21, 2016: Dyn mitigated the attack and restored service to customers of its Managed DNS service.
- During this attack, many customers attempting to reach what may be considered marquee brands of the Internet were unable to do so from the East Coast.
  - This was not the case for users attempting to reach those same brands in the West.
  - This indicates that it was not a system-wide outage.
- 12pm EST, October 21, 2016: a second wave of attacks occurred.
  - More global in nature, not simply limited to East Coast Dyn points of presence.
- 1pm EST, October 21, 2016:
  - Attack(s) mitigated and service restored.
  - No signs of a network-wide outage.
- A third attack was detected, identified, and mitigated by the Dyn team.
  - No customer impact identified.
- It is not totally clear who was behind the attack or what their motive was.
- It is also unclear what the other sources of traffic were, beyond those attributed to devices infected by the Mirai botnet.
Tens of millions of IP addresses were observed taking part in this highly visible DDoS attack. Many of those addresses (tens of millions of the tens of millions observed by Dyn, Flashpoint Partners, and Akamai) were tied to hosts infected by the Mirai botnet. Devices such as CCTV cameras and the more common digital video recorders (sold to individuals or provided by cable providers) were among the infected devices noted as active during this attack. These devices are examples of the kinds of devices that make up the “Internet of Things”: IP-enabled devices that can communicate, for better or worse, over the Internet. So what can IoT users do to ensure their devices aren’t used in these attacks?
Preventing IoT Device Compromises
Users at home should take the time to properly secure any new device introduced to their home networks. Rudimentary steps, including “hardening” the device’s security posture via the means provided by the manufacturer and changing the default administrative passwords, are good steps, but as Brian Krebs and the folks he interviewed from Flashpoint Partners (Allison Nixon and Wikholm) have pointed out, it’s not always quite that simple. In the case of the devices noted as being part of this attack, there are alternate means of accessing them (SSH or Telnet) which allow parties in the know access equal to, and in some cases beyond, the access provided by the user consoles. This is a huge problem, but one that could be curtailed through proper local network hardening (e.g. denying all inbound Telnet or SSH attempts at the router/firewall level).
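Denying inbound Telnet/SSH at the router is only half the job; a defender also wants to see how often those attempts arrive and which LAN devices they target. The following is an added example (not from the original article): it parses constructed netfilter LOG lines of the kind an nftables drop rule with a log prefix would emit, and summarizes blocked management-port attempts by external source and by targeted device. The interface name `eth0`, the `IoT-DROP:` prefix, and the inclusion of 2323 as an alternate Telnet port are assumptions.

```python
import re
from collections import Counter, defaultdict

# Ports named in the article: Telnet (23) and SSH (22). Port 2323 is an added
# assumption: an alternate Telnet port some DVR/camera firmware listens on.
MGMT_PORTS = {22: "ssh", 23: "telnet", 2323: "telnet-alt"}

# Assumed nftables rule producing these log lines (WAN = eth0; table inet filter
# and chain forward are assumed to exist):
#   nft add rule inet filter forward iifname "eth0" tcp dport { 22, 23, 2323 } \
#       log prefix "IoT-DROP: " drop

# Constructed sample router log lines (RFC 5737 addresses), not real traffic.
SAMPLE_LOG = """\
Oct 21 06:58:01 router kernel: IoT-DROP: IN=eth0 OUT=br-lan SRC=198.51.100.7 DST=192.168.1.20 LEN=60 PROTO=TCP SPT=40012 DPT=23 SYN URGP=0
Oct 21 06:58:02 router kernel: IoT-DROP: IN=eth0 OUT=br-lan SRC=198.51.100.7 DST=192.168.1.21 LEN=60 PROTO=TCP SPT=40013 DPT=2323 SYN URGP=0
Oct 21 06:58:05 router kernel: IoT-DROP: IN=eth0 OUT=br-lan SRC=203.0.113.44 DST=192.168.1.20 LEN=60 PROTO=TCP SPT=51234 DPT=22 SYN URGP=0
Oct 21 06:58:09 router kernel: IoT-DROP: IN=eth0 OUT=br-lan SRC=203.0.113.44 DST=192.168.1.20 LEN=60 PROTO=TCP SPT=51235 DPT=23 SYN URGP=0
Oct 21 06:58:11 router kernel: OTHER: IN=eth0 OUT=br-lan SRC=192.0.2.9 DST=192.168.1.30 LEN=60 PROTO=TCP SPT=44000 DPT=443 SYN URGP=0
"""

# Fields of a netfilter LOG entry that matter here: ingress interface, source,
# destination, and TCP destination port.
LINE_RE = re.compile(
    r"IN=(?P<iface>\S+) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=TCP .*?DPT=(?P<dport>\d+)"
)


def parse_drops(log_text, wan_iface="eth0"):
    """Return (src, dst, dport, service) for each inbound attempt on a management port
    that entered via the WAN interface; other lines are ignored."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["iface"] != wan_iface:
            continue
        dport = int(m["dport"])
        if dport in MGMT_PORTS:
            events.append((m["src"], m["dst"], dport, MGMT_PORTS[dport]))
    return events


def summarize(events):
    """Count attempts per external source and collect the ports probed per LAN device."""
    by_src = Counter(src for src, _, _, _ in events)
    by_dst = defaultdict(set)
    for _, dst, dport, _ in events:
        by_dst[dst].add(dport)
    return by_src, dict(by_dst)


if __name__ == "__main__":
    by_src, by_dst = summarize(parse_drops(SAMPLE_LOG))
    for src, n in by_src.most_common():
        print(f"{src}: {n} blocked Telnet/SSH attempts")
    for dst, ports in sorted(by_dst.items()):
        print(f"LAN device {dst} probed on ports {sorted(ports)}")
```

A device that shows up repeatedly in the per-destination view is one whose management ports would have been reachable without the rule, and is the first candidate for a firmware update or isolation onto its own network segment.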
Whose job is it anyway?
However, responsibility for the attack is not shouldered by end users alone. In fact, end users can only provide a last-ditch preventative measure against these attacks, and as mentioned above, there is only so much the average end user can do to secure their devices. It is hard to say who is at fault for this or any other attack, whether a sophisticated intrusion or a less sophisticated attack such as a DDoS.
In this case Mirai, the botnet observed behind at least a portion of the tens of millions of discrete IP addresses identified in this attack, scans the Internet of Things (which is to say the Internet) for devices that are vulnerable to exploitation. Once found and compromised, those devices are added to the conglomerate of devices that make up the botnet. Assigning blame is difficult in cases like this because most of the devices in question are not well known beyond their manufacturers and/or vendors or implementation partners. In other words, a common corpus of knowledge about not only the operation of these devices but also their security is not always easy to find, if it can be found at all. In this case, at least one vendor, Hangzhou Xiongmai Technology, has come forward and stated that security vulnerabilities involving weak default passwords on its products (DVRs and IP-enabled cameras) were taken advantage of by Mirai operators. Ownership of fault in cases such as this one is shared, in that manufacturers, vendors/providers, and private/consumer users all play a role. However, in many cases (as observed here) the “traditional” or “obvious” means of protecting the user are not enough.
In a sense it’s all of our jobs to protect the Internet from this sort of attack. We, as security researchers and product developers, certainly play a role in that via our research and the application of the technology we develop, which enables organizations and individuals to detect, identify, analyze, remediate, and mitigate these and other types of attacks. End users owe it to themselves to be diligent above and beyond simply securing the devices in question; they need to recognize that their networks – whether small office or home networks or enterprises – require diligence and observation from a security perspective. It is foolish to assume that just because we purchase an IP-enabled device and add it to our environments, the device is secure, or that our networks are secured to the point of mitigating unwanted/unauthorized bi-directional communication and control.
Lastly, manufacturers and vendors have a growing responsibility, especially in the IoT space, for their technology and how it will be applied in diverse and unique environments. A failure to test for and consider the potential for exploitation all but invites a motivated threat actor to seek these devices out, assess their vulnerability, and where possible exploit them, which allows the actor to manipulate them singly or add them to a greater corpus of compromised devices such as the Mirai botnet. Ideally, all devices should be assessed for risk by the manufacturer and then again by those responsible for selling or implementing them in enterprises. This, of course, is more of a challenge for the SOHO user community, but again does not absolve them of the responsibility.
Governments must play a role in protecting against these attacks as well. The government of the United States has been very proactive since January 2008, when former President George W. Bush and his administration (Cyberspace Policy Review) launched the Comprehensive National Cybersecurity Initiative (CNCI). The CNCI was launched as part of National Security Presidential Directive 54/Homeland Security Presidential Directive 23 (NSPD-54/HSPD-23). In May 2009, President Obama accepted the results of the reports generated under his predecessor’s actions and sought to enact the recommendations contained therein. The NSA’s mission is to focus on cryptology, encompassing both Signals Intelligence (SIGINT) and Information Assurance (IA) products and services designed and developed to enable Computer Network Operations (CNO), in order to gain a decisive advantage for the Nation and our allies under all circumstances. Its fundamental mission is different from that of organizations like US Cyber Command (even though that was built at Ft. Meade and incorporates NSA networks).
The FBI is the “lead federal agency” for investigating cyber-attacks by criminals, adversaries, and terrorists. So it definitely plays a role in observing the threat landscape and, when and where appropriate, investigating individuals or groups of individuals who meet the criteria defined by the bureau. There is no fast or easy way to prevent attacks like this from occurring in a globally connected world. Unlike attacks in the physical world, which leverage conventional warfare tactics and/or weaponry, attacks in cyberspace are conducted remotely via IP-enabled hosts by actors leveraging myriad techniques and tools to obscure themselves from their enemies while they complete their goal or mission.
All in all, combating these threats begins with an informed defense: a defense most often built on the work of national agencies, the military, law enforcement, end users, and, perhaps most importantly, the private threat intelligence and security research communities that work with these groups and agencies to share knowledge and information. It is only through collaborative efforts that we as a society can hope to curtail these events on a global basis.