IoT: Mirai Botnet DDoS Attack Mitigation


By Paul Rummery, Securenet Consulting




Companies need to be careful about the IoT devices on their networks. 


Internet security reports for the fourth quarter of 2016 find that distributed denial of service (DDoS) attacks larger than 100 Gbps are increasing rapidly as more IoT devices are compromised.



The Mirai botnet of IoT devices took down a number of high-profile brand websites (we're not going to point fingers and name names; many of you will already have read the headlines and know who).


Key websites and internet services were down for a number of hours. 

This now open-source botnet scans the internet for devices that still accept their factory-default username and password over Telnet, logs in with them and enlists the device. Anyone can use it, from anywhere in the world: you, your neighbour, anyone, to generate DDoS attacks.
 
“This is only the beginning of IoT-based malware attacks”


How big was the botnet? The attacked DNS company reported attack traffic from "tens of millions" of IP addresses.
Researchers who have tracked the botnet since the attack put the number of Mirai-infected IoT devices at over half a million, and the figure continues to increase. The two numbers measure different things: the larger one counts addresses observed during the attack, not distinct infected devices.

In 2016, 5.5 million new "things" are being connected each day, according to Gartner, with 6.4 billion connected things expected by the end of 2016 and 20.8 billion by 2020. If these devices continue to be insecure by design, we can expect more sophisticated attacks targeting them, with more drastic impacts.


A Chinese technology company has admitted that its webcam and digital video recorder (DVR) products were used in the assault. The company is telling its customers to update their device firmware and change the default usernames and passwords.

 
Mirai botnet map (figure: countries hosting Mirai-infected devices)
Devices infected by Mirai were found in at least 164 countries. The four with the most infections were the United States, Vietnam, Brazil and China, and those were the countries from which most of the DDoS traffic originated.

Attack volumes keep climbing: a year ago we considered 300 Gbps a large DDoS attack, by the end of 2015 it was 600 Gbps, and in September 2016 attacks reached 1 Tbps. With millions more IoT devices available to be drafted into botnets, future attacks will consume enough bandwidth to slow the internet well beyond their immediate target.

The source code of the Mirai malware has been made public by its author, so anyone can build and run their own variant.


"Houston, we have a problem" ... what can we do?


IoT device visibility  

Identify the IoT devices that already reside on your network.

IoT devices such as video surveillance systems, projectors, smart copiers and printers, industrial controls and HVAC systems are common in most businesses today.

These devices become more intelligent and more valuable when networked, but once compromised they quickly become a foothold for attackers. The "things" on this ever-expanding list share one common trait: they run lightweight operating systems that cannot host the software agents traditional security tools rely on to discover and manage them.

Nonetheless, they are showing up on wired and wireless enterprise networks with little regard for how they will be secured or for the risk they pose to the businesses and government agencies that have so aggressively embraced them.



Securing the Internet of Things (IoT)


It will take a combined effort of manufacturers and consumers to slow the spread of IoT botnet malware. 
 

Q: What can I do to protect my devices and prevent them from becoming infected?
A: Tips to protect your IoT device from becoming infected with malware. 

  • IoT vendors must make it easy to update and secure their devices, since you can't expect users to patch their systems.
  • Research the capabilities and security features of an IoT device before purchase.
  • Update the firmware on your IoT devices regularly if your manufacturer releases security patches.
  • Perform an audit of IoT devices used on your network. 
  • Lock down IoT applications and operating systems. Just like any server, the device should have the absolute minimum of network services.
  • Modify the default privacy and security settings of IoT devices according to your requirements and security policy.  
  • Avoid connecting IoT devices directly to the internet without a firewall. 
  • Change the default credentials on devices. Use strong and unique passwords for device accounts and Wi-Fi networks.
  • Use strong encryption when setting up Wi-Fi network access: WPA2 with AES (CCMP), not WEP or the original WPA (TKIP).
  • Disable features and services that are not required.
  • Disable Telnet (TCP ports 23 and 2323, the ports Mirai scans for) and use SSH where remote shell access is genuinely needed.
  • Disable Universal Plug and Play (UPnP) on routers unless absolutely necessary.
  • Disable or protect remote access to IoT devices when not needed. 
  • Use wired connections instead of wireless where possible. 
  • Protect your own sites by practicing DDoS prevention
    • For example, make sure your routers drop malformed and spoofed packets (inbound packets claiming a source address from your own ranges or from private address space) and filter protocols you don't need at the network edge. Be careful with Internet Control Message Protocol (ICMP): rate-limit echo requests rather than blocking the protocol wholesale, because dropping "destination unreachable / fragmentation needed" messages breaks path MTU discovery. And, as always, set up good firewall and server rules. In short, block everything you can at your network edge.
    • Keep attacks from being quite so damaging by lengthening the Time to Live (TTL) on your DNS records. A common TTL today is 600 seconds (ten minutes); at 21,600 seconds (six hours), a resolver that already holds your records can keep answering for them until a DNS attack is over. Two caveats: the TTL only helps resolvers that cached the record before the outage, and a long TTL also delays your own planned changes and failover, so choose a value you can live with. On your own recursive resolvers, enabling serve-stale (RFC 8767) gives the same protection for your outbound lookups.
  • You should also look to DDoS mitigation companies to protect your web presence. 
    • If you're worried about putting all your eggs in one basket with a single DNS provider, use two independent providers so an attack on one does not take your zone offline. This means keeping the zone synchronised across both, via zone transfer or the providers' APIs, and listing both sets of nameservers at your registrar.
  • Have your upstream ISP block unnecessary and undesired traffic. For example, your ISP can make your life easier simply by upstream "blackholing": dropping traffic to an attacked address before it reaches your link. And if you know your site never needs to receive unsolicited UDP, such as inbound Network Time Protocol (NTP) or DNS requests, ask your ISP to drop that traffic upstream. Replies to your own outbound queries still need to get through, so filter on destination port and connection state rather than on the whole protocol.
  • Endpoint malware protection – prevent execution of viruses or malware that would turn devices into bots. 
  • Internet content filtering – stop users downloading or clicking on malware.  
  • Sandboxing – detonate suspicious files and inspect packet contents for malware before they reach users.  
  • Packet inspection – deep inspection of traffic entering and leaving the network.  
  • Vulnerability audits – automated scanning and professional human services to identify and test vulnerabilities across your infrastructure and devices.  
  • Security testing – do the security mechanisms you have in place effectively defend against the attacks they were designed to prevent?  
  • Remediation – fix what the audits and tests find.  
  • Intelligence – report on "out of band" devices (ones not in your inventory) and suspicious behaviour. 
  • Device Access Control
    • Determine with a high level of confidence the identity, type and location of each device.
    • Dynamically assign devices, based on their identity, to appropriate network segments.
    • Monitor device behaviour and connections to recognise anomalous activity, then alert, limit or block network access to minimise damage and contain malware propagation.
    • Make third-party security tools aware of the device identity to implement identity-aware security policies across the enterprise and automate response actions.
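As an added example (not part of the original article), the following Python script checks the two DNS resilience points above: whether a zone's NS records are spread across more than one provider, and whether its record TTLs are long enough to ride out an outage. It parses the answer section in the format `dig +noall +answer` prints. The zone, nameserver names and addresses are constructed placeholders, and grouping nameservers by their last two labels is a simplifying assumption (it misgroups ccTLD names such as .co.uk).

```python
"""Audit DNS resilience: NS spread across providers and record TTLs (added example)."""

# Constructed sample answer sections in the shape `dig +noall +answer` prints.
# example.com, the nameserver names and 203.0.113.10 are placeholders, not real infrastructure.
SINGLE_PROVIDER = """\
example.com.            300     IN      NS      ns1.dns-provider-a.net.
example.com.            300     IN      NS      ns2.dns-provider-a.net.
example.com.            300     IN      A       203.0.113.10
www.example.com.        300     IN      A       203.0.113.10
"""

DUAL_PROVIDER = """\
example.com.            21600   IN      NS      ns1.dns-provider-a.net.
example.com.            21600   IN      NS      ns2.dns-provider-a.net.
example.com.            21600   IN      NS      ns1.dns-provider-b.com.
example.com.            21600   IN      NS      ns2.dns-provider-b.com.
example.com.            21600   IN      A       203.0.113.10
www.example.com.        21600   IN      CNAME   example.com.
"""


def parse_answers(text):
    """Turn dig answer lines into (owner, ttl, rtype, rdata) tuples, skipping comments and blanks."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        # a record line is: owner TTL IN TYPE RDATA...
        if len(parts) < 5 or parts[0].startswith(";") or parts[2] != "IN":
            continue
        owner, ttl, rtype = parts[0].rstrip(".").lower(), int(parts[1]), parts[3]
        rdata = " ".join(parts[4:]).rstrip(".").lower()
        records.append((owner, ttl, rtype, rdata))
    return records


def provider_of(ns_host):
    """Group a nameserver under its operator by registrable domain.

    Assumption: the last two labels identify the operator
    (ns1.dns-provider-a.net -> dns-provider-a.net). This misgroups ccTLD
    second-level names such as example.co.uk; use the Public Suffix List
    for a real audit.
    """
    return ".".join(ns_host.split(".")[-2:])


def audit_zone(dig_text, min_ttl=3600, min_providers=2):
    """Report NS records served by too few providers and address records with short TTLs."""
    records = parse_answers(dig_text)
    providers = sorted({provider_of(rdata) for _, _, rtype, rdata in records if rtype == "NS"})
    findings = []
    if len(providers) < min_providers:
        findings.append(f"NS records served by {len(providers)} provider(s): {', '.join(providers)}")
    for owner, ttl, rtype, _ in sorted(records):
        if rtype in ("A", "AAAA", "CNAME") and ttl < min_ttl:
            findings.append(f"{owner} {rtype} TTL {ttl}s is below {min_ttl}s; "
                            "resolvers will re-query during an outage that long")
    return {"providers": providers, "findings": findings, "ok": not findings}


if __name__ == "__main__":
    for label, text in (("single provider, 5 min TTL", SINGLE_PROVIDER),
                        ("two providers, 6 h TTL", DUAL_PROVIDER)):
        result = audit_zone(text)
        print(label, "->", "OK" if result["ok"] else "FINDINGS")
        for finding in result["findings"]:
            print("  -", finding)
```

Run it against the real output of `dig +noall +answer yourzone.example NS A` to audit your own zone. The TTL threshold of 3600 seconds is a starting point, not a rule: the longer the TTL, the longer remote resolvers can cope without your authoritative servers, but also the longer a planned address change takes to propagate.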
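The detection and identity-aware response described in the "Intelligence" and "Device Access Control" bullets above, as an added example that is not part of the original article or of any product: it looks for Mirai's propagation signature in connection logs (one host opening connections to TCP 23 or 2323 on many distinct addresses within a short window) and then chooses an action based on what the device inventory says that host is. The inventory, the log line format and the sample log lines are constructed for the example, and the thresholds (8 targets within 60 seconds) are assumptions to tune for your network.

```python
"""Spot Mirai-style telnet scanning in connection logs and pick an identity-aware response (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed device inventory, keyed by IP. In practice this comes from DHCP leases, switch MAC
# tables or NAC profiling; the addresses and MACs here are placeholders.
INVENTORY = {
    "10.1.20.14": {"mac": "00:00:5e:00:53:14", "type": "ip-camera"},
    "10.1.20.15": {"mac": "00:00:5e:00:53:15", "type": "dvr"},
    "10.1.10.40": {"mac": "00:00:5e:00:53:40", "type": "workstation"},
}
IOT_TYPES = {"ip-camera", "dvr"}
MIRAI_PORTS = {23, 2323}  # Mirai's scanner targets telnet on TCP 23 and, less often, 2323

# Assumed log line format (constructed): "<ISO-8601 UTC time> <sensor> SYN src=<ip> dst=<ip> dport=<port>"
LINE_RE = re.compile(r"^(?P<ts>\S+) \S+ SYN src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$")


def parse_line(line):
    """Return (timestamp, src, dst, dport) or None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"), m["src"], m["dst"], int(m["dport"])


def find_telnet_scanners(lines, window=timedelta(seconds=60), min_targets=8):
    """Map each source to the largest number of distinct telnet-port destinations it hit
    inside any sliding window of length `window`, keeping only sources at or above min_targets."""
    events = defaultdict(list)  # src -> [(ts, dst)] for SYNs to Mirai ports
    for line in lines:
        parsed = parse_line(line)
        if parsed and parsed[3] in MIRAI_PORTS:
            events[parsed[1]].append((parsed[0], parsed[2]))
    scanners = {}
    for src, evs in events.items():
        evs.sort()
        recent = deque()            # events inside the current window
        per_dst = defaultdict(int)  # destination -> occurrences inside the window
        for ts, dst in evs:
            recent.append((ts, dst))
            per_dst[dst] += 1
            while ts - recent[0][0] > window:  # expire events that fell out of the window
                _, old_dst = recent.popleft()
                per_dst[old_dst] -= 1
                if per_dst[old_dst] == 0:
                    del per_dst[old_dst]
            if len(per_dst) >= min_targets:
                scanners[src] = max(scanners.get(src, 0), len(per_dst))
    return scanners


def decide_actions(scanners, inventory=INVENTORY):
    """Turn detections into responses that depend on what the inventory says the device is."""
    actions = {}
    for src, n in scanners.items():
        dev = inventory.get(src)
        if dev is None:
            actions[src] = f"block: unknown device not in inventory scanned {n} telnet targets"
        elif dev["type"] in IOT_TYPES:
            actions[src] = (f"quarantine: {dev['type']} scanned {n} telnet targets, consistent with Mirai; "
                            "reboot to clear the in-memory infection, update firmware and change "
                            "default credentials before reconnecting")
        else:
            actions[src] = f"investigate: {dev['type']} scanned {n} telnet targets"
    return actions


def sample_log():
    """Constructed sample: a camera sweeping 12 hosts on port 23 in 12 s, an unknown host sweeping
    9 hosts on 2323, and a workstation making one admin telnet session plus one HTTPS connection."""
    base = datetime(2016, 10, 21, 13, 2, 0)
    fmt = "{} fw1 SYN src={} dst={} dport={}"

    def stamp(seconds):
        return (base + timedelta(seconds=seconds)).strftime("%Y-%m-%dT%H:%M:%SZ")

    lines = [fmt.format(stamp(i), "10.1.20.14", f"203.0.113.{i + 1}", 23) for i in range(12)]
    lines += [fmt.format(stamp(30 + i), "10.1.30.77", f"198.51.100.{i + 1}", 2323) for i in range(9)]
    lines.append(fmt.format(stamp(180), "10.1.10.40", "10.1.20.15", 23))
    lines.append(fmt.format(stamp(181), "10.1.10.40", "203.0.113.200", 443))
    return lines


if __name__ == "__main__":
    for ip, action in sorted(decide_actions(find_telnet_scanners(sample_log())).items()):
        print(ip, "->", action)
```

The point of the inventory lookup is the last bullet above: the same scanning behaviour gets a different response depending on the device's identity. A camera or DVR has no business opening Telnet sessions to dozens of addresses, so it goes straight to quarantine; a device nobody has inventoried is blocked and reported as "out of band"; a workstation is handed to a human, since an administrator may legitimately be using Telnet. Feed real firewall or NetFlow records in by adapting `LINE_RE` and `parse_line` to their format.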


Summary
Unfortunately, until companies, consumers, manufacturers and service providers act quickly, the Mirai botnet attack will not be the last we hear of DDoS attacks powered by IoT devices: as more and more devices (fridges, fitness trackers, sleep monitors, ...) are added to the internet, they will likely be unwilling participants in future attacks.

 
 
Solutions by SecureNet Consulting
Contact us regarding the solutions, professional services and engineering resources for the above.





Contact us today to discuss your requirements in more detail.



Telephone
+44(0)7714 209927
+44(0)1273 329753

Email
info@securenetconsulting.co.uk

Online
http://eepurl.com/GKx25
https://www.linkedin.com/in/paul-rummery-0b89535
https://plus.google.com/116898209106255177774
https://www.facebook.com/pages/SecureNet-Consulting/188102854572105