inside an iot botnet - resources | arbor...
TRANSCRIPT
WHAT IS A BOTNET?
A botnet is a network of devices, usually PCs, that have been infected with malware allowing them to be controlled remotely by threat actors.
HOW DO BOTNETS GROW?
Botnets grow by continuing to spread their malware to new devices.
Attackers commonly use social engineering, and even breaking or celebrity news, to create malware-infested links that people are likely to click on in large numbers. Once they do, their PC is now part of the botnet.
WHY IS THIS IMPORTANT?
When a botnet reaches a certain size, it becomes a revenue-generating platform. Botnets can feature segmented command-and-control, which allows them to launch simultaneous DDoS attacks against multiple, unrelated targets, generally in return for Bitcoin payments.
ENTER IoT DEVICES
IoT devices are ideal for DDoS botnets for a variety of reasons:
- Vulnerable IoT devices are subsumed into botnets by continuous, automated scanning for and exploitation of well-known, hardcoded administrative credentials present in the relevant IoT devices. Manufacturers' re-use of default passwords across device classes makes them especially attractive to attackers.
- Most IoT devices have access to the internet without any bandwidth limitations or filtering.
- The stripped-down operating system and processing leave less room for security features, and most compromises go unnoticed.
CONQUER ONE, CONQUER MANY.
INSIDE AN IoT BOTNET
Mirai is a family of DDoS botnets and initially consisted primarily of webcams and DVRs. Once an IoT device has been subsumed into the Mirai botnet, it immediately begins scanning for other vulnerable devices to compromise. The original source code has been released, and now multiple threat actor groups are actively working to expand and improve the propagation methods and DDoS attack capabilities of Mirai-variant botnets.
The botnet code consists of two halves: a client and a server. The client is designed to run on compromised Linux devices which connect to a hard-coded Command & Control (C2) server.
LAUNCHING IoT BOTNET DDoS ATTACKS
Mirai, made up of hundreds of thousands of infected IoT devices, will connect to the server and receive commands to expand and improve the propagation methods and DDoS attack capabilities.
Attack types:
- HTTP: overwhelms the target server under many requests.
- UDP: sends a random string of junk characters to a UDP port.
- TCP: repeatedly sends TCP packets with the specified flags.
- DNS: 'water torture' attacks.
That's 400 Gbps without turbocharging!
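The DNS 'water torture' attack listed above floods a victim zone's authoritative servers with queries for random, non-existent subdomains, so an operator's resolver logs are a natural place to detect it. The detector below is an added example written for this page, not code from the Arbor infographic: it reads constructed resolver log lines in an assumed "<epoch> <client> <qname> <qtype> <rcode>" format and flags zones where nearly every queried name is unique, most answers are NXDOMAIN and the leftmost labels have high entropy. The thresholds, the log format and the two-label zone key are assumptions to tune for a real deployment.

```python
"""Spot DNS 'water torture' (random-subdomain flood) in resolver logs.

Added example, not code from the Arbor page: the log format and the
log lines are constructed for illustration, and the thresholds are
assumptions an operator would tune against their own traffic.
"""
import hashlib
import math
import re
from collections import Counter, defaultdict

# Constructed log format: "<epoch> <client> <qname> <qtype> <rcode>".
LOG_RE = re.compile(r"^(\d+) (\S+) (\S+) (\S+) (\S+)$")


def registered_zone(qname):
    """Crude zone key: the last two labels of the name. Production code
    would consult a public-suffix list; this shortcut is an assumption."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def label_entropy(label):
    """Shannon entropy in bits per character; random labels score high,
    dictionary labels such as "www" or "mail" score low."""
    if not label:
        return 0.0
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())


def water_torture_zones(lines, min_queries=50, unique_ratio=0.9,
                        nxdomain_ratio=0.8, min_entropy=2.5):
    """Return {zone: stats} for zones that look like they are under a
    random-subdomain flood: a high query count, nearly every qname unique,
    mostly NXDOMAIN answers, and high-entropy leftmost labels. All four
    signals must fire, which keeps a busy but legitimate zone out."""
    per_zone = defaultdict(lambda: {"queries": 0, "names": set(),
                                    "nxdomain": 0, "entropy_sum": 0.0})
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the sweep
        _ts, _client, qname, _qtype, rcode = m.groups()
        s = per_zone[registered_zone(qname)]
        s["queries"] += 1
        s["names"].add(qname.lower())
        s["nxdomain"] += rcode == "NXDOMAIN"
        s["entropy_sum"] += label_entropy(qname.split(".")[0])

    flagged = {}
    for zone, s in per_zone.items():
        q = s["queries"]
        if q < min_queries:
            continue
        uniq, nx, ent = len(s["names"]) / q, s["nxdomain"] / q, s["entropy_sum"] / q
        if uniq >= unique_ratio and nx >= nxdomain_ratio and ent >= min_entropy:
            flagged[zone] = {"queries": q, "unique_ratio": round(uniq, 2),
                             "nxdomain_ratio": round(nx, 2),
                             "mean_entropy": round(ent, 2)}
    return flagged


def sample_log_lines():
    """Constructed resolver log: a legitimate zone with repeated lookups,
    and a victim zone hit with 200 never-before-seen names plus a few
    genuine lookups. Hash prefixes stand in for the attacker's random labels."""
    lines = []
    for i in range(60):
        host = "www" if i % 2 else "mail"
        lines.append(f"{1700000000 + i} 192.0.2.{i % 5 + 1} {host}.example.org A NOERROR")
    for i in range(200):
        label = hashlib.sha256(f"bot-{i}".encode()).hexdigest()[:16]
        lines.append(f"{1700000000 + i} 198.51.100.{i % 50 + 1} {label}.example.net A NXDOMAIN")
    for i in range(5):
        lines.append(f"{1700000100 + i} 192.0.2.9 www.example.net A NOERROR")
    lines.append("this line is malformed and must be skipped")
    return lines


if __name__ == "__main__":
    for zone, stats in water_torture_zones(sample_log_lines()).items():
        print(f"ALERT random-subdomain flood against {zone}: {stats}")
```

Requiring all four signals together is what makes this usable in practice: a popular zone produces a high query count but a low unique-name ratio, a misconfigured client produces NXDOMAINs for a handful of repeated names, and only a random-subdomain flood pushes every signal at once. In a resolver fleet the same statistics can be computed per upstream zone and per client, so that the subset of infected devices sending the flood can be identified and their owners notified.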
IMPACT OF A DDoS ATTACK
Many people view DDoS attacks as little more than a nuisance, but today's complex and massive attacks are capable of causing real financial and infrastructure damage. Companies that do business online or rely on connectivity can be severely impacted by even short-term DDoS attacks that affect their website or internet connection.
DDoS attacks targeting data centers can be even more damaging due to a cascading effect that impacts their customers and leads to increased operational expenses and burnt-out employees.
What’s worrying is that the attack traffic does not appear to be spoofed or amplified, meaning that large-scale attacks can be launched directly without relying on reflectors/amplifiers that can artificially increase attack traffic.
CAN IoT BOTNETS BE STOPPED?
There are several steps that can be taken to help curb the growth of IoT botnets:
1. Consumers need to do their part by changing default passwords, when possible, to make it more difficult for threat actors to infect their devices with malware.
2. Service providers need to actively monitor their network for suspicious traffic that is originating from IoT botnets like Mirai.
3. Device manufacturers need to place a priority on security and close the most common vulnerabilities in their devices, as well as support automatic security updates to patch devices.
NO TURBOCHARGING REQUIRED
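Step 2 above, together with the propagation behaviour described under INSIDE AN IoT BOTNET (a compromised device immediately starts scanning for new victims), can be turned into a concrete flow-based check. The code below is an added example and is not Arbor's code: it buckets constructed flow records into fixed time windows and flags any internal source that contacts many distinct hosts on Telnet-style administrative ports (23 and 2323, the ports Mirai-family scanners probe). The port list, the window length, the threshold and the allowlist of management hosts are assumptions a provider would tune for its own network.

```python
"""Flag sources that look like Mirai-style scanners in flow records.

Added example (not Arbor's code): the flow records below are constructed,
and the port numbers and thresholds are assumptions a service provider
would tune for its own network.
"""
from collections import defaultdict
from dataclasses import dataclass

# Telnet (23) and the alternate Telnet port (2323) are the administrative
# ports Mirai-family scanners probe; treat the set as a tunable assumption.
ADMIN_PORTS = frozenset({23, 2323})


@dataclass(frozen=True)
class Flow:
    ts: int        # epoch seconds when the flow started
    src: str       # source address inside the provider's network
    dst: str       # destination address contacted
    dport: int     # destination port
    proto: str     # "tcp" or "udp"


def detect_scanners(flows, window_s=60, min_targets=20, allowlist=frozenset()):
    """Return {src: max distinct admin-port destinations in any one window}
    for sources reaching min_targets.

    Flows are bucketed into fixed windows of window_s seconds; one source
    touching many distinct hosts on admin ports inside a single bucket is
    the propagation pattern described in the text. Known management hosts
    are passed in allowlist so that legitimate polling is not flagged.
    """
    targets = defaultdict(set)  # (src, bucket) -> set of destinations
    for f in flows:
        if f.proto != "tcp" or f.dport not in ADMIN_PORTS:
            continue
        if f.src in allowlist:
            continue
        targets[(f.src, f.ts // window_s)].add(f.dst)

    worst = defaultdict(int)
    for (src, _bucket), dsts in targets.items():
        worst[src] = max(worst[src], len(dsts))
    return {src: n for src, n in worst.items() if n >= min_targets}


def sample_flows():
    """Constructed flows: one infected camera sweeping a /24 on port 23,
    one user browsing the web, and one NMS polling a few known switches."""
    flows = []
    base = 1_700_000_000
    # Infected device: 40 distinct hosts on port 23 within one minute.
    for i in range(40):
        flows.append(Flow(base + i, "10.0.5.17", f"198.51.100.{i + 1}", 23, "tcp"))
    # Normal client: many flows, but to web ports, so never counted.
    for i in range(50):
        flows.append(Flow(base + i, "10.0.5.20", f"203.0.113.{i % 8 + 1}", 443, "tcp"))
    # Management host: a handful of Telnet sessions to known switches.
    for i in range(5):
        flows.append(Flow(base + i * 5, "10.0.0.2", f"10.0.100.{i + 1}", 23, "tcp"))
    return flows


if __name__ == "__main__":
    found = detect_scanners(sample_flows())
    for src, n in sorted(found.items()):
        print(f"ALERT {src}: {n} distinct hosts on admin ports within one window")
```

The distinct-destination count is the discriminating feature: an infected device talks to dozens of new hosts per minute on a port it has no business using, while a user's or a server's legitimate traffic to those ports, if any, goes to a stable handful of addresses. With a lower threshold the network management host is flagged too, which is why the allowlist exists; an alert on a customer address is the cue to notify the subscriber and, where policy allows, to filter the scanning traffic at the edge.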
DDoS MITIGATION BEST PRACTICES
Enterprises, ISPs and MSSPs can defend against DDoS attacks by implementing best current practices (BCPs) for DDoS defense:
- Hardening their network infrastructure.
- Ensuring they have complete visibility into all traffic ingressing and egressing their networks so as to detect DDoS attacks.
- Ensuring they have sufficient DDoS mitigation capacity and capabilities (on-premise and in the cloud).
- Having a DDoS defense response plan which is kept updated and rehearsed on a regular basis.
ISP and MSSP network operators should actively participate in the global operational community, so that they can both render assistance when other network operators come under high-volume DDoS attacks and request mitigation assistance as circumstances warrant.
ISP and MSSP network operators should also take into account the baseline load of their normal internet traffic so as to neither underestimate nor overestimate the amount of attack traffic targeting their networks and customers. This is vital when determining which DDoS defense mechanisms and methodologies to employ in the course of an attack.
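The last point, sizing an attack against a known baseline, is easy to get wrong if "baseline" means a simple average that the attack itself inflates, or if the raw peak is read as the attack volume. As an added example (not code from the Arbor page), the block below fits a robust median/MAD baseline from constructed clean traffic samples in Gbps, subtracts that baseline from the anomalous samples to size the attack itself, and then picks a mitigation tier from assumed on-premise and cloud capacities, which ties the estimate back to the capacity point in the list above. The sample values, the anomaly multiplier and the capacities are all assumptions for the scenario.

```python
"""Baseline normal traffic before sizing a DDoS attack.

Added example (not Arbor's code): the traffic samples are constructed,
in Gbps per measurement interval, and the mitigation capacities are
assumptions for the scenario.
"""
from dataclasses import dataclass
from statistics import median

MAD_SCALE = 1.4826  # makes the MAD comparable to a standard deviation for normal data


@dataclass(frozen=True)
class Baseline:
    center: float   # median of the clean samples
    spread: float   # scaled median absolute deviation
    k: float = 5.0  # how many spreads above center counts as attack traffic

    @property
    def threshold(self):
        return self.center + self.k * self.spread


def learn_baseline(clean_samples, k=5.0):
    """Fit a robust baseline from samples taken outside any attack.
    Median/MAD are used instead of mean/stdev so that a few unnoticed
    spikes in the learning window do not inflate the baseline."""
    if len(clean_samples) < 2:
        raise ValueError("need at least two samples to estimate spread")
    center = median(clean_samples)
    mad = median(abs(x - center) for x in clean_samples)
    return Baseline(center=center, spread=mad * MAD_SCALE, k=k)


@dataclass(frozen=True)
class AttackEstimate:
    anomalous_samples: int
    peak_observed_gbps: float  # what a naive reading of the graph reports
    peak_attack_gbps: float    # observed minus baseline: the attack itself
    recommended_tier: str      # "none", "on-premise", "cloud" or over capacity


def size_attack(samples, base, on_prem_capacity_gbps, cloud_capacity_gbps):
    """Subtract the baseline from anomalous samples so the attack is
    neither over- nor under-estimated, then choose the mitigation tier
    whose capacity covers the attack volume."""
    anomalous = [x for x in samples if x > base.threshold]
    if not anomalous:
        return AttackEstimate(0, max(samples), 0.0, "none")
    peak = max(anomalous)
    attack = peak - base.center
    if attack <= on_prem_capacity_gbps:
        tier = "on-premise"
    elif attack <= cloud_capacity_gbps:
        tier = "cloud"
    else:
        tier = "exceeds provisioned capacity"
    return AttackEstimate(len(anomalous), peak, attack, tier)


# Constructed data: a quiet day of 5-minute samples, then a window with a spike.
CLEAN_GBPS = [12, 14, 13, 15, 12, 16, 14, 13, 15, 14, 13, 12]
ATTACK_WINDOW_GBPS = [13, 14, 412, 415, 410, 14]

if __name__ == "__main__":
    base = learn_baseline(CLEAN_GBPS)
    est = size_attack(ATTACK_WINDOW_GBPS, base, on_prem_capacity_gbps=40,
                      cloud_capacity_gbps=1000)
    print(f"baseline {base.center} Gbps, alert above {base.threshold:.1f} Gbps")
    print(f"peak observed {est.peak_observed_gbps} Gbps, attack {est.peak_attack_gbps} Gbps")
    print(f"mitigate via: {est.recommended_tier}")
```

On the constructed data the baseline is 13.5 Gbps and the alert line about 20.9 Gbps, so the 415 Gbps peak is an attack of 401.5 Gbps rather than 415: the difference is the legitimate traffic that still has to be delivered while mitigation is active, which is exactly the over- or under-estimation the text warns about. The tier decision is deliberately simple; in practice the response plan would also consider how quickly cloud mitigation can be engaged relative to the on-premise capacity being exhausted.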
Visit arbornetworks.com/stakes to learn more.
WHAT THEY DON'T SEE? BIG RISKS AHEAD.
THE STAKES HAVE CHANGED. HAVE YOU?
2016 Arbor Networks, Inc. All rights reserved. Arbor Networks, the Arbor Networks logo, Peakflow, ArbOS, Pravail, Cloud Signaling, Arbor Cloud, ATLAS, We see things others can't. and Arbor Networks. Smart. Available. Secure. are all trademarks of Arbor Networks, Inc. All other brands may be the trademarks of their respective owners.
WHAT DOES THE FUTURE HOLD?
According to a report from Business Insider, the number of connected devices will skyrocket, opening up new potential sources for botnets.
- 34 BILLION devices connected to the internet by 2020, up from 10 billion in 2015.
- 24 BILLION of those devices are IoT devices.
- 10 BILLION are traditional computing devices (e.g. smartphones, tablets, smartwatches, etc.).
- $6 TRILLION will be spent on IoT solutions over the next 5 years.
Businesses will be the top adopter of IoT solutions, which can improve their bottom line by:
- EXPANDING to new markets or developing new product offerings
- LOWERING operating costs
- INCREASING productivity

WHAT WOULD DOWNTIME COST YOUR ORGANIZATION?
Threat actors can use their army of compromised devices to launch DDoS attacks.
IN AN INTERNET MINUTE:
- 1,389 Uber rides
- 300 hours of video posted to YouTube
- 30 identity thefts
- 216,000 Instagram posts
- 2.4M Google searches
- 347,222 Tweets
- 50,200 mobile apps downloaded
- 142,361,111 emails sent and received

Arbor observes attack commands from IoT botnet C2 servers and correlates them with attack information.
[Chart: attack size over time, Apr 1 2016 through the following Mar 1; vertical axis 0 to 700 Gbps. Spike of 400 Gbps from the attack targeting a gaming company from several thousand compromised devices.]

IoT BOTNETS + DDoS ATTACKS: THE STAKES HAVE CHANGED
The Internet of Things (IoT) brings the promise of efficiency and innovation to the enterprise. IoT also profoundly expands the threat surface for your organization.

PATCH. PASSWORDS. MONITOR TRAFFIC.