After massive denial-of-service attacks in October, security experts are warning that the relative lack of security of the Internet of Things will continue to make connected devices favored targets of attackers looking to create botnets from which to launch denial-of-service attacks.
On Nov 16 security experts plan to testify in front of two subcommittees in the U.S. House of Representatives, warning Congress that a lack of focus on security has made the Internet of Things a playground for hackers.
The hearing follows the October attacks against Internet-infrastructure provider Dyn, which struggled for more than 11 hours to mitigate a flood of data that caused its domain services to become unreachable and resulted in intermittent service outages for its clients, including Twitter, Netflix, Etsy, Paypal and Spotify.
"These new attacks are alarming for their scope, impact and the ease with which attackers employed them," Dale Drew, chief security officer of Internet provider Level 3 Communications, stated in prepared comments to be delivered at the hearing. "Also worrisome is that these attackers relied on just a fraction of the total available compromised IoT nodes in order to attack their victims, demonstrating the potential for significantly greater havoc from these new threats."
The attacks are just the start of what could be a new trend in denial-of-service techniques. For the past five years, amplification attacks have ruled the denial-of-service world. Attackers used asymmetry in the amount of data produced by certain requests—a single packet producing a much more massive reply—to commit modest bandwidth but produce massive attacks. The Network Time Protocol (NTP), Domain Name Service (DNS) and the Simple Service Discovery Protocol (SSDP) were all used to amplify attacks.
With the Internet of Things, there are so many devices that amplification is not necessary. Instead, in a nod to attacks of the previous decade, attackers create massive botnets and use them to produce a deluge of data. The Internet of Things makes the attacks difficult to stop because they are coming from so many different corners of the Internet and not from known bad Internet addresses.
"Looking at previous cycles, and assuming this follows that trend, we are probably looking at a two- to three-year period [when] IoT botnets will be the hot thing," Terrence Gareau, chief scientist for DoS mitigation firm Nexusguard, told eWEEK.
The malicious software behind the attack—as well as a record-setting attack against security blogger and journalist Brian Krebs—is known as Mirai. Level 3 has estimated that Mirai, along with its predecessor BashLite, has infected more than 2 million IoT devices—more than 80 percent of which are digital video recorders, but which also includes routers and other devices. The attack on Dyn used a mere 8 percent of those compromised nodes to send 500 gigabytes per second of traffic to the infrastructure provider.
Mirai is fairly well written, which experts know because the source code of the program was released online. However, the criminals behind the attacks are more of a mixed bag, because the denial-of-service attacks is actually sold as a service, according to Drew.
"We believe that in the case of Dyn, the relatively unsophisticated attacker sought to take offline a gaming site with which it had a personal grudge and rented time on the IoT botnet to accomplish this," he said at a joint hearing of the Subcommittees on Communications and Technology and on Commerce, Manufacturing, and Trade.
Because the Internet of Things controls consumer and industrial systems, the actual impact of a denial of service can be significant.
Last week, a distributed denial-of-service attack reportedly disrupted the controlling server for the heating system in two blocks of apartments in Finland, causing the heating systems to fail. The management firm solved the problem by limiting network traffic.