Marie Hattar
Chief Marketing Officer

Defending Against the DDoS Armies of Things

October 4, 2016 by Marie Hattar

Brian Krebs, the author of the renowned security blog Krebs on Security, recently fell victim to a distributed denial of service (DDoS) attack of unprecedented scale, with traffic volumes of 700 gigabits per second pounding his website and forcing it offline. For context, the majority of DDoS attacks don’t exceed 200 gigabits per second: only 16 attacks above that size were recorded during the whole of 2015.

However, the really unusual factor in this attack wasn’t its size, but rather the sources of much of the malicious traffic.  The botnet which launched the attack contained a vast number of connected devices such as home security cameras and smart TVs.

While this was not the first instance of smart IoT devices being compromised and used in a cyber attack, they had never before been involved in a DDoS attack of such scale.  It’s no surprise that this incident is viewed by many industry observers as a portent of how future attacks may be mounted against organizations.

Many of the connected devices used in the attack will have been easily compromised, because their users never changed the passwords on the devices from the factory defaults. After all, why would a cybercriminal be interested in hacking into a camera or smart TV, compared with a smartphone or network? Even users who diligently manage their passwords in other areas may not regard their connected devices as comparable security risks.

IoT-enabled devices hold other advantages for cybercriminals too. As this article underlines, they are specifically designed to be remotely controlled over the internet, and yet the software running them is unlikely to ever be updated. They are intended to be ‘plugged in and forgotten’. What’s more, they may be connected via poorly-protected WiFi routers, particularly in home network environments.

And the same issues apply to devices on business networks, such as connected printers, CCTV cameras, controllers for HVAC systems, and more.  Organizations need to remember that any connected device is part of their overall network architecture and information security posture - even if it doesn’t seem to be an obvious target for a hacker.  And of course, as more and more connected devices become available globally for criminals to compromise, businesses must ensure that DDoS mitigation is a central part of their cyber security strategies.

What can organizations do to reduce the impact of very powerful DDoS attacks? How do they prevent their own network assets from being unwittingly recruited into a botnet being used to launch a DDoS attack directed elsewhere? There are three key actions to consider:

1. Make your devices difficult to compromise

Every device on your network should have its administration password changed from default, and should be connected via a secure WiFi network.  These are simple steps that have a significant impact on the ability of criminals to target and take control of devices.

2. Reduce your organization’s attack surface

Although the use of smart devices in a large-scale DDoS attack is novel, organizations can defend themselves against this new tactic.  Once a device or network has been compromised and used for malicious purposes, its IP address can be identified and indexed as malicious.  Then, using a purpose-built threat intelligence gateway such as Ixia’s ThreatARMOR solution, traffic from those known compromised IP addresses is filtered and prevented from even touching the organization’s network – cutting the workload on perimeter protection tools and the network itself dramatically.  ThreatARMOR does this by using a continuously-updated database of known bad IP addresses, minimizing the risk of blocking legitimate traffic while reducing the organization’s exposure to attack.

3. Block devices on your network from communicating with known bad IP addresses

The same intelligent IP address filtering and blocking can also be used to prevent devices on your network that may have already been compromised from connecting out to their command and control centers, stopping them from being used as part of a DDoS attack elsewhere and also stopping potential data exfiltration. This technique also prevents other forms of cyber attack, such as ransomware attacks that need to download their payload from an external, maliciously controlled machine.
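As an added illustration of the mechanism behind actions 2 and 3 (this is example code written for this page, not Ixia’s code and not how ThreatARMOR is implemented), the Python sketch below keeps one reloadable list of known-bad IP addresses and ranges and applies it in both directions: inbound flows are dropped when their source is listed, outbound flows are dropped when their destination is listed, and the internal hosts that tried to reach a listed destination are surfaced as candidates for remediation. The feed format, the flow records and the addresses (RFC 5737 documentation ranges) are all constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed block list in the shape a threat-intelligence feed might deliver:
# one IPv4/IPv6 address or CIDR per line, '#' comments, blank lines allowed.
# All addresses are RFC 5737 documentation ranges, not real indicators.
BLOCKLIST_FEED = """
# constructed feed; a real deployment re-fetches this on a schedule
198.51.100.0/24      # constructed: range seen sourcing DDoS traffic
203.0.113.7          # constructed: command-and-control host
203.0.113.200/29     # constructed: second C2 range
"""

# Constructed flow records: (direction, src_ip, dst_ip, dst_port).
# 192.0.2.0/24 plays the role of the organization's own address space.
SAMPLE_FLOWS: List[Tuple[str, str, str, int]] = [
    ("in",  "198.51.100.23",  "192.0.2.10",    80),    # attack traffic from listed range
    ("in",  "192.0.2.55",     "192.0.2.10",    443),   # legitimate inbound
    ("out", "192.0.2.77",     "203.0.113.7",   23),    # internal device calling C2
    ("out", "192.0.2.78",     "192.0.2.99",    443),   # legitimate outbound
    ("out", "192.0.2.79",     "203.0.113.201", 8080),  # falls inside 203.0.113.200/29
]


@dataclass(frozen=True)
class Verdict:
    action: str    # "drop" or "allow"
    reason: str


class ThreatIntelFilter:
    """Applies one block list on ingress (by source) and egress (by destination)."""

    def __init__(self, feed_text: str) -> None:
        self.networks: list = []
        self.skipped = 0           # malformed feed lines ignored on the last load
        self.load(feed_text)

    def load(self, feed_text: str) -> None:
        """(Re)load the feed; call again whenever the provider publishes an update."""
        by_version: Dict[int, list] = {4: [], 6: []}
        self.skipped = 0
        for raw in feed_text.splitlines():
            entry = raw.split("#", 1)[0].strip()   # drop comments and whitespace
            if not entry:
                continue
            try:
                net = ipaddress.ip_network(entry, strict=False)
            except ValueError:
                self.skipped += 1                  # a bad line must not disable filtering
                continue
            by_version[net.version].append(net)
        # merge overlapping/adjacent ranges so each lookup scans fewer entries
        self.networks = []
        for nets in by_version.values():
            self.networks.extend(ipaddress.collapse_addresses(nets))

    def is_known_bad(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.networks)

    def classify(self, direction: str, src: str, dst: str, dst_port: int) -> Verdict:
        if direction == "in" and self.is_known_bad(src):
            return Verdict("drop", f"inbound from listed source {src}")
        if direction == "out" and self.is_known_bad(dst):
            return Verdict("drop", f"{src} attempted to reach listed host {dst}:{dst_port}")
        return Verdict("allow", "no block-list match")


def apply_filter(flows, filt: ThreatIntelFilter) -> List[Verdict]:
    """One verdict per flow, in input order."""
    return [filt.classify(*flow) for flow in flows]


def suspected_compromised_hosts(flows, filt: ThreatIntelFilter) -> Set[str]:
    """Internal sources whose egress hit the list: candidates for remediation."""
    return {src for d, src, dst, _ in flows if d == "out" and filt.is_known_bad(dst)}


if __name__ == "__main__":
    f = ThreatIntelFilter(BLOCKLIST_FEED)
    for flow, v in zip(SAMPLE_FLOWS, apply_filter(SAMPLE_FLOWS, f)):
        print(flow, "->", v.action, "|", v.reason)
    print("hosts to investigate:", sorted(suspected_compromised_hosts(SAMPLE_FLOWS, f)))
```

The design choice worth noting is that a malformed feed line is counted and skipped rather than allowed to abort the load: a filter that silently fails open on a bad update is worse than one that keeps the previous entries and reports the problem. Hosts returned by `suspected_compromised_hosts` are the ones to pull aside for a password reset and firmware check, which ties action 3 back to action 1.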

As the proliferation of connected devices is already fueling a similar increase in the power of DDoS attacks, it’s time to consider deploying advanced protective measures against these disruptive cyber-assaults.  Why not find out more about how ThreatARMOR can help by contacting us for a demo?