Justin Shattuck, Manager of Product Development, F5 Silverline, also contributed to this article.
For over a year now, F5 Labs and our data partner, Loryka, have been monitoring the ongoing hunt by attackers to find vulnerable IoT devices they can compromise. In our first report, DDoS’s Newest Minions: IoT Devices, our research proved what many security experts had long suspected: IoT devices were highly vulnerable to exploit, the level of interest in exploiting them was high, and distributed denial-of-service (DDoS) attacks using these devices were already occurring. Our findings and conclusions in Volume 1 rang true, and the new numbers show even steeper growth than we had imagined.
- Networks in China (primarily state-owned telecom companies and ISPs) headlined the threat actor list, accounting for 44% of all attacks in Q3 and 21% in Q4. (That drop likely was due to global interest in Mirai.)
- Behind China, the top threat actors in Q3 were Vietnam and the US, and Russia and the UK in Q4. Surprisingly, the UK jumped from number 15 in Q3 to number 3 in Q4, with most activity coming from an online gaming network.
- In Q3 and Q4, the top four targeted countries were Russia, followed by Spain, then the US, then Turkey. Russia was a top target of all top 50 source countries, at 31% in Q3 and 40% in Q4. These efforts coincided with the high-profile US election and allegations of Russian hacking.
- Most attacks were launched from Linux systems within hosting provider and telecom companies.
- IoT devices are critically vulnerable, and the scope is global. IoT devices have little capacity for securing themselves. An end user can reboot a compromised IoT device to clear its memory of malware, but unless the access issue is fixed (That is, default passwords are changed; security controls are added.), the device will just get compromised again. There are many Mirai botnets now, and they’re constantly scanning for new devices.
- IoT attacks can impact large targets, previously thought to be untouchable. The collective firepower of an IoT botnet can be greater than terabits per second, and we don’t yet know just how big they can get.
- Bot operators aren’t afraid to turn their cyber weapons against some of the largest providers in the world.
Beyond just “getting used to it,” here are some steps security professionals can take, both personally and professionally:
Have a DDoS strategy
If you don’t already have a DDoS strategy in place, now is the time for one, and there are three good options:
- On-premises equipment is great for customers who are routinely targeted with DDoS attacks (below their network capacity) and have trained resources to effectively mitigate them on their own.
- Hybrid on-premises and cloud scrubbing for customers that receive frequent DDoS attacks they mitigate with their on-premises equipment and resources (because it’s not cost effective to outsource), but who are also at risk of large attacks that exceed their capabilities and therefore need backup DDoS scrubbing services.
- Cloud scrubbing for companies that don’t deal with DDoS on a regular basis and do not have in-house expertise or equipment. This includes any company at risk of large scale attacks that exceed their network capabilities (that’s essentially every business on the Internet outside of service providers and DDoS scrubbing services!).
Ensure Critical Services Have Redundancy
Consider that you are not always going to be the target, but the services you use could be, in which case you are a potential downstream casualty. Have a business continuity plan that includes disaster recovery for your critical services so you don’t find yourself in the same boat as Twitter, Github, and Spotify when Dyn DNS suffered a DDoS attack—or any other company that solely leveraged OVH for hosting and was down when their network was attacked. Have a dual strategy in place (or even a multi strategy, in the case of DNS) to protect yourself. Remember that DNS can be your friend, too; Anycast your global data centers for replicated content to diffuse DDoS attacks when they happen.
Don’t Buy IoT Products Known To Be Insecure or Compromised
Money talks! Choosing not to spend money on the products built by irresponsible manufacturers is a quick way to drive change, at both a grassroots level personally with consumer products that become weapons against your business, and professionally if you are an IoT implementer.
If you are a company that deploys but does not manufacture IoT devices, test and verify the safety of a vendor’s products before you buy them.
If you are a security professional, the general public needs help knowing which devices are vulnerable or compromised, so share your knowledge with your family and friends and encourage them to share, as well. Social media is a powerful tool. So is security awareness training for your employees.
Share Your Knowledge.
Security professionals around the world can chip away at this global problem by communicating more with each other and sharing knowledge. Attackers are known for sharing information with each other; they even shared the most powerful botnet to date! Security professionals—even among competitors—need to take a page from attackers’ playbooks by sharing more key information about vulnerable devices, attacks and threat actors, mitigation efforts that are working, and potential solutions, no matter how wild the ideas might seem.