David Williamson, CEO, EfficientIP

We are all liable to fall victim to cyber-attacks that come from unexpected directions. We are familiar with ransomware, industrial espionage, nation-state actors, or hacker groups who commit credit card fraud. However, what we don't expect is for our sites and services to be damaged as a result of the hostile takeover of CCTV cameras, routers and DVRs.

This seems to have been the case with the rise of the Mirai botnet and its attacks on the Dyn cloud DNS provider and the French hosting service OVH in October 2016, as reported by security journalist Brian Krebs.

The Mirai botnet exploited unprotected firmware in certain IoT devices and then used those devices to flood DNS servers with traffic, so that users could no longer reach the services behind them. In the attack on OVH, the botnet compromised 170,000 devices from around the world.

What makes these attacks unique is their scale and their use of unprotected IoT devices rather than compromised PCs. So, what can you do to defend your networks and users against attacks that are built on consumer hardware?

Setting up a defence

Firstly, you can build a hybrid DNS architecture to protect your DNS services. It is best not to rely on just one host for your DNS and to use advanced DNS hardware that can manage very high traffic, as well as identify and block attacks.

Of course, a good defence is important, but is it possible to kill the problem at its root?

The DNS shield

Anyone who wants to defend against IoT botnets faces a big problem: consumer internet services are hard to protect. They are designed to be open, and most users don't take the hardware they're using into consideration and use a very basic firewall.

We can't expect customers to use advanced network security or to keep their IoT hardware up to date, which can be tricky when vendors don't provide regular, appropriate patches. Many are put off updating their IoT hardware when it can take over 20 minutes to update a lightbulb's firmware. This adds up to an increasingly hostile and hard-to-manage environment.

How can the wider internet be protected from this risk? One option is for Internet Service Providers (ISPs) to take a stricter approach to securing their networks, with tighter controls around customer premises equipment (CPE) and user networks. Common attack patterns can be detected by hardware within their networks.

Once a compromised network has been detected, DNS security tools can use technologies such as IPAM to switch the customer's CPE from an open network to a more restricted one that filters botnet command-and-control traffic. They can also give users fast access to tools and guidance for repairing their network, supporting them in detecting and updating compromised hardware while disrupting the botnet's structure.
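The two steps described above, detecting a flood pattern from a customer device and then moving that device into a restricted DNS view, are illustrated by the following added example. It is not EfficientIP's code or a description of any product: it assumes a resolver that logs one line per query as "unix-timestamp client-ip qname qtype" (a constructed format), replaces the in-network hardware detection with a simple software heuristic (a per-client query rate combined with the fraction of distinct names, which is close to 1.0 for random-subdomain floods), and uses hypothetical domain names for the remediation "walled garden" and for a command-and-control blocklist.

```python
"""Flag DNS-flooding customer devices and apply a quarantine resolver policy.

Added example, not part of the original article. Log format, thresholds and
domain names are assumptions chosen for illustration.
"""
from dataclasses import dataclass, field

# Constructed sample log: 192.0.2.10 is a compromised device hammering one
# zone with random subdomains in a single second; 192.0.2.20 is a normal client.
SAMPLE_LOG = "\n".join(
    [f"1700000000 192.0.2.10 {i:08x}.victim.example A" for i in range(200)]
    + [
        "1700000001 192.0.2.20 www.example.net A",
        "1700000002 192.0.2.20 mail.example.net MX",
        "1700000003 192.0.2.20 www.example.net AAAA",
    ]
)

QPS_THRESHOLD = 50    # sustained queries/second from one client before it is suspect
UNIQUE_RATIO = 0.8    # distinct names / total queries; random-subdomain floods approach 1.0

# Hypothetical names: the ISP remediation portal and a vendor firmware host stay
# reachable from quarantine; anything under the C2 blocklist is sinkholed for everyone.
REMEDIATION_ALLOWLIST = ("fix-my-router.isp.example", "firmware.vendor.example")
C2_BLOCKLIST = ("bad.example",)


@dataclass
class ClientStats:
    first_ts: int
    last_ts: int
    queries: int = 0
    qnames: set = field(default_factory=set)

    def qps(self) -> float:
        # Window is at least one second so a burst within one timestamp still counts.
        return self.queries / max(1, self.last_ts - self.first_ts + 1)

    def unique_ratio(self) -> float:
        return len(self.qnames) / self.queries if self.queries else 0.0


def parse_log(text: str) -> dict:
    """Aggregate per-client query counts, time window and distinct names."""
    stats = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_str, client, qname, _qtype = line.split()
        ts = int(ts_str)
        s = stats.get(client)
        if s is None:
            s = stats[client] = ClientStats(first_ts=ts, last_ts=ts)
        s.first_ts = min(s.first_ts, ts)
        s.last_ts = max(s.last_ts, ts)
        s.queries += 1
        s.qnames.add(qname.lower())
    return stats


def flag_clients(stats: dict) -> list:
    """Clients whose rate and name diversity both look like a flood."""
    return sorted(
        c for c, s in stats.items()
        if s.qps() >= QPS_THRESHOLD and s.unique_ratio() >= UNIQUE_RATIO
    )


def _under(qname: str, zone: str) -> bool:
    q, z = qname.lower().rstrip("."), zone.lower().rstrip(".")
    return q == z or q.endswith("." + z)


def decide(client: str, qname: str, quarantined: set) -> str:
    """Resolver action for one query: 'resolve', 'sinkhole' or 'walled-garden'."""
    if any(_under(qname, z) for z in C2_BLOCKLIST):
        return "sinkhole"          # RPZ-style answer pointing at a sinkhole address
    if client in quarantined:
        if any(_under(qname, z) for z in REMEDIATION_ALLOWLIST):
            return "resolve"       # remediation and update hosts stay reachable
        return "walled-garden"     # everything else is answered with the portal address
    return "resolve"


if __name__ == "__main__":
    quarantined = set(flag_clients(parse_log(SAMPLE_LOG)))
    print("quarantined:", sorted(quarantined))
    for client, name in [("192.0.2.10", "abc.victim.example"),
                         ("192.0.2.10", "firmware.vendor.example"),
                         ("192.0.2.20", "www.example.net")]:
        print(client, name, "->", decide(client, name, quarantined))
```

The thresholds are deliberately coarse; in practice they would be tuned per access tier and combined with the signals the article attributes to in-network hardware, and the quarantine decision would be fed to the CPE through the ISP's IPAM rather than kept in a Python set.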

However, this approach carries a risk, as it changes the relationship between the ISP and the customer and could be seen as undue interference. It also requires the other ISPs in a region to act in step, and the arrangement would need to be written into the contract between user and service provider.

Services and ISPs join forces

If services and ISPs work collaboratively, together with an industry-wide approach to IoT updates and servicing, we have our solution. Its main components are:

  • Advanced DNS services that are able to handle DDoS traffic
  • Multiple DNS services for key services being used to ensure their continuity
  • The use of a DNS security layer for CPE that is linked to attack pattern identification
  • Consumer ISP quarantine services linked to easy update services for IoT hardware

Large-scale botnet DNS DDoS attacks, such as Mirai, cannot be prevented by a single action. This internet-scale threat calls for service providers, consumers, hardware vendors and ISPs to join forces in order to deliver a multi-faceted solution.

Contributed by David Williamson, CEO, EfficientIP

*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media or Haymarket Media.