How a new generation of IoT botnets is amplifying DDoS attacks

IoT botnets are not new. Nor are DDoS attacks. But the two are on a trajectory that is raising the stakes in DDoS protection and bot takeover prevention.

Botnet Trouble / Botnet army
Geerati / Getty Images

Larry Pesce remembers the day when the distributed denial of service (DDoS) threat landscape changed dramatically. It was late fall in 2016 when a fellow researcher joined him at the InGuardians lab, where he is director of research. His friend wanted to see how fast Mirai, a novel internet of things (IoT) botnet installer, would take over a Linux-based DVR camera recorder that was popular with medium-size businesses. So, she brought in a purchased DVR, then they set up observation instrumentation before connecting it to the internet via the DVR’s span port. 

“In about 30 minutes, we were able to watch a connection log in with the DVR’s default password, download the payload and join it to the botnet,” he explains. Almost immediately, they logged outbound traffic from the DVR and shut it down before it could DDoS anyone else’s devices. Frustratingly, each time they re-booted the DVR, it reset to the insecure factory-installed default password, even though they’d changed it to a secure password.

Fast forward to today, when IoT is now commonly used to amplify DDoS attacks against their targets and skirt current DDoS defenses. For example, in the second half of 2021, DDoS attacks were surpassing 4 Tbps, according to a network intelligence report by Nokia Deepfield (part of Nokia’s IP routing business) that analyzed more than 10,000 DDoS attacks coming from internet providers around the world.

“IoT using exotic devices such as refrigerators, parking meters, and door cameras was rare. Now we have crossed the inflection point and they are a dominant threat,” says Craig Labovitz, CTO at Nokia Deepfield and author of the report. “DDoS from these botnets is increasingly used to overwhelm internet systems or network infrastructure including firewalls. We are also seeing DDoS being used as a distraction to hide the launch of more dangerous attacks, such as ransomware.”

Nokia’s examination of DDoS data revealed that thousands of DVRs, internet-connected cameras, and even parking meters belonging to gas stations, banks, and other businesses have been recruited into botnets. Business PBX servers and VOIP phones also make up a large percentage of bot-infected devices, both in the cloud and on premises, he says.

Unsecured IoT devices a willing army

One of the key impacts for organizations is the loss of service. “Organizations are paying for the bandwidth being used by these bots in their enterprises. And, in the case of service providers, their customers will notice a slowdown and move to another provider,” Labovitz argues.

Other reports indicate that consumer devices, particularly home routers, are also increasingly being used as mules in DDoS botnet amplification attacks. These devices are outside the realm of enterprise risk management.

“Now everybody’s ancillary appliances are on the internet—your refrigerator, toaster, coffee maker, home security system, TV. These are items that do not give away how badly they’re being abused, or that they’re even infected unless they act erratically or stop working,” says Frank Clark, senior security analyst at Hunter Strategy, a consulting firm. “How would the average user know anything, let alone block the bot from sending the DoS packets? It would help if makers of enterprise and consumer OT made them secure by default, but that’s a pipe dream.”

Businesses need to shore up their defenses on two fronts: preventing their own devices from being turned into DoS-spewing bots and protecting their networks, web applications, and data centers against devastating DDoS amplification attacks. They also need to manage risks if their mission-critical service providers succumb to a DDoS amplification attack.  

Blocking DDoS attacks

Web-based businesses, cloud services, and internet providers were top enterprise targets for DDoS attacks in the second half of 2021, and most attacks were coming from Chinese IPs, according to Cloudflare’s DDoS Trends Report. In Q1 2022, most IPs sending DDoS packets were U.S.-based. Web application layer DDoS attacks rose by 164% between 2021 and 2022, according to the Cloudflare report, while network-layer attacks increased by 71%.

“We’ve seen sustained attacks on VoIP providers that impact all of their business customers using that service,” says Patrick Donahue, VP of product at Cloudflare, which blocks an average of 86 billion DDoS threats a day. “Sometimes we see ISPs overwhelmed, which then impacts their enterprise customers and that’s often when ISPs come to us to protect their whole network.”

Legacy firewalls, deployed physically in the data center, can also become another choke point for denial of service because they can’t scale to today’s amplified attacks. So, identify where your weak points are, he suggests. For example, consider the impact of having your marketing website go down, verses your call center if that call center is your primary business.

DDoS is also commonly used as a smokescreen to hide other, more malicious actions on the network, particularly ransomware activity, so setting up alerts on DoS activity at first notice is critical, Donahue adds.

However, detecting large-scale DDoS launched by IoT is more difficult because hijacked IoT devices use legitimate packets that send legitimate web requests, which traditional packet inspection is not tuned to look for. Traditional defenses are tuned to detect known patterns of forged IP addresses, headers, and payloads. Because of the sheer volume of traffic, blocking amplified DDoS attacks is not possible or practical for most organizations, so protection that goes beyond basic packet inspection and behavioral analysis is critical. “Cloudflare distributes traffic over their global network, which can absorb huge DDoS attacks. Most organizations don’t have that capacity,” says Clark.

Cloudflare blocks inbound DDoS packets and requests as close to their source as possible. Nokia Deepfield addresses this at the routing layer by constantly monitoring traffic on its global network and updating its intelligence as new DDoS trends materialize in their feeds.

Preventing device hijacking

It’s no surprise that IoT devices are realizing their botnet potential. Their CPUs are more powerful, their processing times faster, and they are distributed around the world on-premises and in the cloud. Clark asserts that consumer and business devices are being conscripted into these networks because they lack basic security controls, and because botnets made of IoT devices will be much harder to dismantle.

So, organizations need to prevent their own IoT devices from being swept into the botnet, says Piotr Kijewski, CEO of the Shadowserver Foundation and founder of the Polish Honeynet Project. “If IT managers want to reduce the amount of DDoS attacks against their organizations, they need to start by securing their own network and reducing their attack surface. That begins with maintaining an inventory of IoT assets that are exposed on the internet.”

The Shadowserver Foundation, which started tracking botnets sending DDoS attacks in 2005, counted 560,000 separate DDoS attacks in 30 days from mid-March to mid-April of 2022. While not monitoring for IoT bots specifically, Kijewski says many of the botnets are built on top of IP cameras, DVR and NVR video systems, home routers, and attached storage devices.

“For amplification attacks, we see the most popular vectors to be open NTP, LDAP and SNMP services. This is why it is important to try to reduce the number of open services that can be abused,” Kijewski advises.

For those IoT devices that can’t be patched, updated, or secured, network monitoring should be tuned to detect deviations in actions and outbound traffic from these devices to indicate it’s being taken over. Pesce from InGuardians also suggests a separate VLAN or NAC to connect IoT through. “These are effective network controls and the basis for zero trust, which includes monitoring and asset inventory. When you know what’s on your network and the components they make up, you can actively monitor for unusual activity, including notifications of new devices added to the network. And, when possible, make sure patches are applied.”

One of the sure giveaways of a botnet infection inside your own network is sluggish performance, adds Nokia’s Labovitz, who recommends tuning network monitoring systems to detect and immediately alert to network slowdowns. Enterprises rely on services like VoIP and connectivity should also look for solutions from their carriers and vendors, he adds. “This gets us closer to the root. We need to solve this at an industry level and encourage best common practices, such as signed and secure BGP, filtering, and IP ‘plumbing’ of the internet.”

Copyright © 2022 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)