Building the right defences before the IoT botnets catch you

PayPal, Spotify, Twitter, Airbnb, the Sony PlayStation Network – what is the connection? These were some of the sites and services that were disrupted as a result of the DDoS attack on Dyn, the cloud DNS provider, last October.

The attack is believed to have been caused by the Mirai botnet, which takes advantage of unprotected IoT devices such as CCTV cameras, routers, DVRs and even baby monitors. It can rapidly overwhelm DNS servers with requests, cutting off users from connecting to services they want to use.

The botnet seized hundreds of thousands of IoT devices from all over the world. Now, with the source code released to the public, hackers have been given the tools to attack millions of smart devices quickly and easily. Experts thus predict a surge in large-scale attacks that could take almost any company offline. Moreover, considering that nearly one quarter of consumers today have an Internet-connected device in their home, the number of victims of these attacks could reach unprecedented levels.

How to defend your networks and users against IoT botnets

Multiple users relying on one DNS provider means an attack on one is an attack on all, as was the case with the DDoS attack on Dyn. Adopting a hybrid DNS architecture, in which all of your DNS servers are active all the time, is a strong solution. In this hybrid architecture, the protocol service is spread across a number of DNS servers. If one server is attacked, the service will automatically switch to another, unaffected server and customers will have uninterrupted access. Using an alternate cloud DNS together with local DNS-based services ensures you are covered in the event of an attack. It is also a good idea to use advanced DNS hardware that can handle very high traffic, as well as identify and block attacks.

Defending your own systems is important, but is there any way of cutting the problem at its root?

Using the DNS protocol as a defence

Consumer internet services are hard to protect against IoT botnets like Mirai because they are open by design. In addition, most users give little thought to their hardware and rely solely on the basic firewall already built into their router. Users cannot be expected to keep their networks secure or their hardware up to date, especially with vendors who do not always provide appropriate patches and regular bug fixes. This all creates an increasingly vulnerable and hard-to-manage environment.

How can the wider internet be protected from this growing risk? ISPs can take a stronger stance on securing their networks with tighter controls for customer premises equipment (CPE) and for user networks. Their network hardware can be used to identify common attack patterns, especially from known botnets like Mirai.

Once compromised networks have been detected, DNS security tools can be used to switch the customer’s CPE from an open network to a more restricted one, which can filter the botnet’s command-and-control packets. Users are also given quick access to tools and techniques to fix their networks and update compromised hardware, while the botnet’s structure is disrupted.
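The ISP-side detection and quarantine step described above, as an added illustration that is not part of the original article: a small detector that scans constructed DNS query logs from customer CPE for the two signals the article mentions, flood-level query volume and lookups of known botnet command-and-control names, and decides which CPE to move to the restricted network. The log format, the C2 blocklist entries, the addresses and the (deliberately low) flood threshold are all assumptions made for this example.

```python
# Added example (not from the original article). Detects CPE that should be
# moved to a quarantined, filtered network, based on constructed DNS query logs.
from collections import defaultdict
from datetime import datetime

# Constructed placeholder C2 names; a real deployment would feed this set from
# threat intelligence. These are not real indicators.
C2_BLOCKLIST = {"c2-placeholder.example", "loader-placeholder.example"}

# Queries per CPE within one sliding window that count as a flood. Lowered to 5
# so the sample below stays short; a production threshold would be far higher.
FLOOD_THRESHOLD = 5
WINDOW_SECONDS = 10

# Constructed log lines: "<ISO timestamp> <cpe-ip> <queried name>"
SAMPLE_LOG = [
    "2016-10-21T12:00:00 203.0.113.5 www.example.com",
    "2016-10-21T12:00:01 203.0.113.5 c2-placeholder.example",  # C2 lookup
    "2016-10-21T12:00:03 203.0.113.7 mail.example.com",        # benign CPE
] + [f"2016-10-21T12:00:{i:02d} 203.0.113.9 target.example" for i in range(8)]  # flood


def parse_line(line):
    """Split one log line into (timestamp, source CPE address, normalised name)."""
    ts, src, qname = line.split()
    return datetime.fromisoformat(ts), src, qname.lower().rstrip(".")


def analyse(lines, flood_threshold=FLOOD_THRESHOLD, window=WINDOW_SECONDS):
    """Return {cpe_ip: set(reasons)} for every CPE that should be quarantined."""
    per_src = defaultdict(list)   # cpe -> query timestamps
    verdicts = defaultdict(set)   # cpe -> reasons it was flagged
    for line in lines:
        ts, src, qname = parse_line(line)
        if qname in C2_BLOCKLIST:
            verdicts[src].add("c2-lookup")
        per_src[src].append(ts)
    for src, times in per_src.items():
        times.sort()
        lo = 0
        for hi, t in enumerate(times):
            # Advance the window start until it covers at most WINDOW_SECONDS.
            while (t - times[lo]).total_seconds() > window:
                lo += 1
            if hi - lo + 1 > flood_threshold:
                verdicts[src].add("query-flood")
                break
    return dict(verdicts)


def quarantine_plan(verdicts):
    """Map each flagged CPE to the restricted network it should be switched to."""
    return {src: "restricted-net" for src in verdicts}
```

Running `quarantine_plan(analyse(SAMPLE_LOG))` flags the CPE that looked up a blocklisted name and the one that issued a burst of queries, and leaves the benign CPE on the open network.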

However, this approach carries a risk, as it changes the relationship between the ISP and the customer (and could be seen as undue interference). It must be handled together with other ISPs at a regional level, and will need to become part of the contract between user and service provider.

Services and ISPs join forces to defend the Internet

If service and ISP solutions like these are brought together, along with an industry-wide approach to IoT updates and servicing, we might just have a solution. Key elements would be:

  • Advanced DNS services that can handle DDoS traffic
  • Using multiple DNS services to avoid interruption of key services
  • Using a DNS security layer for CPE, linked to attack pattern detection
  • Consumer ISP quarantine services linked to easy update services for IoT hardware

Large-scale DDoS attacks via DNS like those on Dyn cannot be prevented by a single action. Providers, consumers, hardware vendors, and ISPs will need to collaborate in order to deliver a functional solution.