Partner Perspectives  Connecting marketers to our tech communities.
SPONSORED BY
7/13/2017
03:45 PM
Sara Boddy
Sara Boddy
Partner Perspectives
Connect Directly
Twitter
LinkedIn
RSS
50%
50%

The Hunt for Networks Building Death Star-Sized Botnets

Internet of Things devices are more critically vulnerable to compromise in DDos attacks than ever before. Here's how to defend against them.

Justin Shattuck, Manager of Product Development, F5 Silverline, also contributed to this article.

For over a year now, F5 Labs and our data partner, Loryka, have been monitoring the ongoing hunt by attackers to find vulnerable IoT devices they can compromise. In our first report, DDoS’s Newest Minions: IoT Devices, our research proved what many security experts had long suspected: IoT devices were highly vulnerable to exploit, the level of interest in exploiting them was high, and distributed denial-of-service (DDoS) attacks using these devices were already occurring. Our findings and conclusions in Volume 1 rang true, and the new numbers show even steeper growth than we had imagined.

  • Networks in China (primarily state-owned telecom companies and ISPs) headlined the threat actor list, accounting for 44% of all attacks in Q3 and 21% in Q4. (That drop likely was due to global interest in Mirai.)
  • Behind China, the top threat actors in Q3 were Vietnam and the US, and Russia and the UK in Q4. Surprisingly, the UK jumped from number 15 in Q3 to number 3 in Q4, with most activity coming from an online gaming network.
  • In Q3 and Q4, the top four targeted countries were Russia, followed by Spain, then the US, then Turkey. Russia was a top target of all top 50 source countries, at 31% in Q3 and 40% in Q4. These efforts coincided with the high-profile US election and allegations of Russian hacking.
  • Most attacks were launched from Linux systems within hosting provider and telecom companies.
  • IoT devices are critically vulnerable, and the scope is global. IoT devices have little capacity for securing themselves. An end user can reboot a compromised IoT device to clear its memory of malware, but unless the access issue is fixed (That is, default passwords are changed; security controls are added.), the device will just get compromised again. There are many Mirai botnets now, and they’re constantly scanning for new devices.
  • IoT attacks can impact large targets, previously thought to be untouchable. The collective firepower of an IoT botnet can be greater than terabits per second, and we don’t yet know just how big they can get.
  • Bot operators aren’t afraid to turn their cyber weapons against some of the largest providers in the world.

Image Source: F5
Image Source: F5

Beyond just “getting used to it,” here are some steps security professionals can take, both personally and professionally:

Have a DDoS strategy
If you don’t already have a DDoS strategy in place, now is the time for one, and there are three good options:

  1. On-premises equipment is great for customers who are routinely targeted with DDoS attacks (below their network capacity) and have trained resources to effectively mitigate them on their own.
  2. Hybrid on-premises and cloud scrubbing for customers that receive frequent DDoS attacks they mitigate with their on-premises equipment and resources (because it’s not cost effective to outsource), but who are also at risk of large attacks that exceed their capabilities and therefore need backup DDoS scrubbing services.
  3. Cloud scrubbing for companies that don’t deal with DDoS on a regular basis and do not have in-house expertise or equipment. This includes any company at risk of large scale attacks that exceed their network capabilities (that’s essentially every business on the Internet outside of service providers and DDoS scrubbing services!).

Ensure Critical Services Have Redundancy
Consider that you are not always going to be the target, but the services you use could be, in which case you are a potential downstream casualty. Have a business continuity plan that includes disaster recovery for your critical services so you don’t find yourself in the same boat as Twitter, Github, and Spotify when Dyn DNS suffered a DDoS attack—or any other company that solely leveraged OVH for hosting and was down when their network was attacked. Have a dual strategy in place (or even a multi strategy, in the case of DNS) to protect yourself. Remember that DNS can be your friend, too; Anycast your global data centers for replicated content to diffuse DDoS attacks when they happen.

Don’t Buy IoT Products Known To Be Insecure or Compromised
Money talks! Choosing not to spend money on the products built by irresponsible manufacturers is a quick way to drive change, at both a grassroots level personally with consumer products that become weapons against your business, and professionally if you are an IoT implementer.

If you are a company that deploys but does not manufacture IoT devices, test and verify the safety of a vendor’s products before you buy them.

If you are a security professional, the general public needs help knowing which devices are vulnerable or compromised, so share your knowledge with your family and friends and encourage them to share, as well. Social media is a powerful tool. So is security awareness training for your employees.

Share Your Knowledge.
Security professionals around the world can chip away at this global problem by communicating more with each other and sharing knowledge. Attackers are known for sharing information with each other; they even shared the most powerful botnet to date! Security professionals—even among competitors—need to take a page from attackers’ playbooks by sharing more key information about vulnerable devices, attacks and threat actors, mitigation efforts that are working, and potential solutions, no matter how wild the ideas might seem.

Get the latest application threat intelligence from F5 Labs.

Sara Boddy currently leads F5 Labs, F5 Networks' threat intelligence reporting division. She came to F5 from Demand Media where she was the Vice President of Information Security and Business Intelligence. Sara ran the security team at Demand Media for 6 years, covering all ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
To Be Ready for the Security Future, Pay Attention to the Security Past
Liz Maida, Co-founder, CEO & CTO, Uplevel Security,  9/18/2017
1.9 Billion Data Records Exposed in First Half of 2017
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/20/2017
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
F5 makes apps go-faster, smarter, and safer. With solutions for the cloud and the data center, F5 technology provides unparalleled visibility and control, allowing customers to secure their users, applications, and data. For more information, visit www.f5.com.
Featured Writers
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Jan, check this out! I found an unhackable PC.
Current Issue
Security Vulnerabilities: The Next Wave
Just when you thought it was safe, researchers have unveiled a new round of IT security flaws. Is your enterprise ready?
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.