The Internet of Things (IoT) represents a massive threat to network infrastructure, as already seen in widely publicized IoT-based DDoS attacks. As an example of what can happen, the Mirai malware set loose in late 2016 created a botnet, purposely designed to take websites and entire networks offline, out of ordinary consumer devices such as security cameras, routers, and other home-use IoT devices. The scale of the initial Mirai-based attack was eye-opening. The KrebsOnSecurity website came under a sustained DDoS attack in September 2016 from more than 175,000 IoT devices. That one attack maxed out at 620 Gbps, almost twice the size of the next largest attack that Akamai had ever seen!
At the end of September 2016, the authors of Mirai released the source code for their botnet. This set the stage for copycat attacks. Some Mirai botnets grew quite large and were used to launch devastating attacks, including one on October 21st, 2016 against Domain Name Service (DNS) firm Dyn that disrupted Twitter, Netflix, Reddit and a host of other major sites. Another Mirai botnet variant was used in extortion attacks against a number of banks and Internet service providers in the United Kingdom and Germany. Justice was ultimately served with the Mirai co-creators pleading guilty to charges of using their botnet to conduct click fraud—a form of online advertising fraud that cost Internet advertisers more than $16 billion. According to an annual report from the Spamhaus Project, botnet controllers increased 32% in 2017. So what needs to happen to safeguard our devices and networks from participating in these botnet attacks? And how can network operators quickly identify and stop attacks that originate from IoT devices?
Consumer IoT Vulnerabilities Still Widespread
Industrial IoT deployments have their vulnerabilities, but not to the extent that consumer-driven IoT usage does. In industrial IoT deployments, secure methods and procedures deployed by dedicated network operations staff attempt to ensure that these devices are not compromised. This is not to say that industrial IoT deployments are always secure. But consider the typical lack of discipline used to set up consumer IoT devices in our homes, such as video cameras, thermostats, lighting, switches, smart speakers and TVs, which are potentially vulnerable to compromise and use in DDoS attacks.
I currently have 30 or so IP addresses in my home associated with consumer IoT devices and a Comcast connection that is just over 100 Mbps downstream and 12 Mbps upstream. If I fail to implement my firewall correctly and leave my network open with no password or weak password protection for a bad actor to get into some of my IoT devices, I am vulnerable to unwillingly becoming part of a botnet-based attack. My upstream speed and IoT device count alone may not be high enough to stage a high-volume DDoS attack, but we have 1,100 doors in my housing development with the potential for the same vulnerabilities in place. With consumer IoT device popularity on the rise and residential broadband providers like Comcast, Charter, AT&T, Google Fiber and others offering 1 Gigabit Internet access to tens of millions of homes, the next Mirai-style attack could be massive in volume. And full duplex DOCSIS 3.1 cable network technology makes it possible to offer 500 Mbps upstream services (on a 1 Gbps service) that, in aggregate across millions of homes, would dwarf the bandwidth of the original Mirai botnet’s attack.
Kentik’s Scalable IoT DDoS Protection
Kentik’s adoption of a big data architecture is at the core of its network monitoring and DDoS protection platform, Kentik Detect®. This brings some real advantages for IoT DDoS protection, including detection and mitigation, because big data is not only about handling large volumes of data, but also about letting network operations staff make sense of that data very quickly and take action without human intervention if necessary. Key advantages include: