Overcoming the Rise of IoT-Based Botnets

Written by

Since the 1990s, botnets have been used by cyber-criminals who are able to access devices infected with command and control malware for spamming, stealing data, and performing Distributed Denial of Service (DDoS) attacks.

Effectively, criminals could rent out hordes of compromised computers to carry out their nefarious activities. Fast forward twenty years and these attacks have evolved to include extortion campaigns, the largest DDoS attacks on record, and causing global service outages. This is largely due to criminals taking advantage of the connected devices that make up the Internet of Things (IoT), and being resourceful in places where no one would think to look.

While the larger botnets of the early 2000s were mostly taken down by law enforcement that disabled their Internet Relay Chat (IRC) based C&C server infrastructures, attackers shifted gear around 2010 and started focusing more on L7 attacks with smaller botnets.

Around 2013, attackers begin using smaller botnets with lots of firepower due to reflective/amplified attack capabilities. In 2016 the world witnessed the rise of the IoT botnets, with the release of Mirai IoT malware into the wild, making criminals fully capable of launching any kind of DDoS attack.

A threat like no other

Mirai turned out to be the perfect catalyst for harnessing more CPU and bandwidth from the most unassuming devices on a massive scale. The reason it worked so well is that IoT devices like security cameras are often not monitored, or seen as threats.

Mirai takes advantage of the fact that these devices are often shipped with weak security or factory settings, for example hardcoded passwords. The source code for the botnet was released on 30 September 2016 and a month later was responsible for the 1+Tbps attack on Dyn. It interrupted internet availability for more than 900,000 Deutsche Telekom subscribers in Germany, and compromised almost 2,400 TalkTalk routers in the UK.

The nature of the beast

In order to understand how to defeat Mirai, it’s important to look at the ways in which it has been able to become so prolific (and successful). Mirai works by exploiting weak default security on many IoT devices. It operates by continuously scanning for IoT devices that are accessible over the internet and primarily scans for ports 22, 23, 5747, etc. that are open.

It can also be easily configured to scan for others. Once connected to an IoT device, Mirai attempts to login, gain access, and infect the device. The infected device then scans other networks looking for more IoT devices and launches DDoS attacks.

Mirai kills other process running on the IoT devices like SSH, Telnet and HTTP. It does this to prevent the owner from gaining remote access to the IoT device while infected. Rebooting the IoT device can remove the malware, but it can quickly become infected again.

Taming the threat

Devices shipped with weak or nonexistent security is a big problem plaguing IoT. Until this is addressed with standards at the industry level, users should take some responsibility by changing default usernames/passwords on all IoT devices before installing them on their networks.

Other basic practices to combat the proliferation of IoT based botnets is to ensure all IoT devices are protected by firewalls, and are not directly connected to the internet. In addition, make certain firewalls are blocking all inbound connections to IoT devices sitting behind them. Scanning from outside the network is also a good idea to find any unknown IoT devices that are publicly accessible.

For large organizations and service providers that have reams of customers depending on their availability and uptime, it would stand them in good stead to invest in a mix of cloud and on-premises DDoS defenses – this is called the hybrid approach. Investing in this way will provide peace of mind, and significant savings on the masses of infrastructure and bandwidth to tackle this every growing threat of almost unpredictable size.

By using cloud and hybrid based services, the traffic can be diverted away from your critical infrastructure, over to a safe haven where dedicated bandwidth and hardware are sitting on standby, ready to protect your business.

Organizations and service providers in particular will need to take steps to prepare now to roll with the punches, and keep their businesses and customers protected.

What’s hot on Infosecurity Magazine?