From Carna To Mirai: Recovering From A Lost Opportunity

We had four years to prepare for recent DDoS attacks and failed. How can we learn from our mistakes?

Those not immersed in security and technology are mostly oblivious to one fact: the Internet is a fragile ecosystem. There are many parallels between the Internet and the ecosystems that span our globe. Each has vital resources that need to be protected and utilized for the greater good. When there is an imbalance in an ecosystem, bad things happen.

We saw this twice recently with the Mirai botnet, which co-opted a cadre of Internet of Things (IoT) devices and forced them to launch denial-of-service (DoS) attacks that crippled many sites and services. But we knew this was coming and did virtually nothing to stop it, just like many real-world ecosystem disasters.

Let's look at where we were four years ago, how far we've progressed, and what we could do to stave off an Internet ecosystem disaster.

Back to the Future: The Carna Botnet
The Internet and media were abuzz four years ago when individuals claiming to be researchers — they remain anonymous to this day — released reports from what was described as the most comprehensive scan of the Internet to date. This became known as the 2012 Internet Census, and it provided insight into what was running on the Internet back then. These anonymous researchers hijacked home routers using weak, default credentials and installed software on those devices that let them control the execution of Internet service scans. While they claim to have done this solely to study the Internet, it is not known if they only performed harmless actions or used the devices in more malicious ways.

Reliving the Past until We Get It Right
Let the previous section sink in for a minute: we knew this was possible four years ago and as each year passed we knew there would be more "things" connected to the Internet, and yet we did nothing to prevent these "things" from being deployed insecurely.

We're now at a point in time when it's easy to quickly scan the entire Internet and — if you're performing scans from hacked machines — at virtually no expense or risk.

When these devices are taken over and used maliciously because of vulnerabilities or weak default configurations, there are no consequences for the manufacturers of the IoT devices, the owners of the IoT devices, or the network providers from whose networks these devices send their traffic.

Again, we're reliving the pain of decades of PC bots and viruses in the era of IoT with some key differences when it comes to things such as vulnerabilities, rampant adoption, usability, and exposure. There is another problem that comes with millions of IoT bots joining together in massive attacks: we're virtually defenseless, primarily because of how the Internet has been architected.

The distributed denial-of-service (DDoS) mitigation provider protecting Brian Krebs had to drop him as a customer because it couldn't absorb the attack on his site in September. Even if a handful of providers could absorb such attacks, most people and organizations couldn't afford to use them, leaving everyone else at the mercy of the attackers. This is what's at risk if we retain the status quo.

A Secure Path Forward
If we do nothing, the attacks we saw this fall will not only be repeated, they will grow larger, last longer, and potentially have more sinister outcomes. What can be done?

For starters, more IoT vendors should follow Hangzhou Xiongmai's lead and recall products that have unfixable or easily exploitable default configurations. Although this step would be the responsible thing to do, it might not have the impact you'd expect. There's no surefire way to notify all individuals with problem equipment, and it only takes a scarily small number of vulnerable systems to cause widespread damage.

Another option is for each of us, in every country, to work with lawmaking bodies and get sane standards and regulations put forth for IoT devices. This won't affect the vast number of devices that are already out there, but most of us will throw these things away as we upgrade devices to take advantage of new features (or, they'll just break down, as many aren't made to last). This approach can be time-consuming, and it may take five years to have strong, enforceable standards in place.

A third option is for Apple, Amazon, and Google to co-develop requirements for when manufacturers want to integrate their IoT devices with the ecosystems of those three companies. These three are fast becoming the gatekeepers of IoT, and if they set the bar high enough it would have an immediate downstream effect. My guess is that we'd see more secure versions of products within one product release cycle and discounts for upgrade/trade-in offers.

A fourth option: a "cash for clunkers"-like program. Given the potential impact of these insecure "things," governments around the world — in partnership with nonprofit foundations — could band together and offer cash incentives for bringing in derelict devices. Coordination at this scale would be difficult, but it would be a boost to security and the global economy.

The Internet of Things has the potential to dramatically change our lives for the better and for the worse. We must all work to understand the current, tenuous state our fragile Internet ecosystem is in, then work together to ensure it will be there when we expect it to be.

Bob Rudis, Chief Data Scientist, Rapid7. Bob Rudis has over 20 years of experience using data to help defend global Fortune 100 companies and is a chief security data scientist at Rapid7. Bob is a serial tweeter (@hrbrmstr), avid blogger (rud.is), and author (Data-Driven Security).

12/8/2016 | 12:42:00 PM
Certainly Not Our Only Options?
Living in the open world, the free and open source software world, I am loath to consider some of the other options that have been thrown out there of late, including introduction of highly proprietary protocols for the Internet and network firmware that would replace current ones. However, I can't believe that these are our only options. A recent article I read on the GCHQ and their push to get Internet providers to change protocols to help fight spoofing and its use in DDoS attacks raised the excellent point that in order for this to work, you'd need a global effort that would pull in both hardware and software consortiums across the planet to make changes that would theoretically help make the Internet more secure. Wow. I can see the trillions of dollars that go into that project evaporate in a heartbeat when the first exploit gets published on that new infrastructure.

Not to discount my statement that there must be more options, which I'm starting to talk myself out of, but how about from another angle in which (at least in the US) we provide more protection to White/Grey Hat (ethical) hackers who can actually help through offensive cybersecurity tactics? Get funds into tactical cybersecurity teams who not only can help, but are willing to put their best efforts forward in analyzing, profiling and attacking hackers and their teams in such a way that they are either quickly found by on-the-ground law enforcement teams, or can't get the resources they need online to perform their hacks. Not to make a standard Hollywood image of the offensive hacker team seem realistic and easy to put together, but come on, there is a level of reality to this option that is hampered in large part by fear of prison due to our nation's archaic and frankly ill-informed computer-related laws.

I just feel there needs to be a big leap, a massive impact, in order to get ahead of cybercrime; the must-dos and process changes noted here obviously are going to happen, but we need a wall to get raised somehow to help that work not go to waste.