
7/13/2017
03:45 PM
Sara Boddy

The Hunt for Networks Building Death Star-Sized Botnets

Internet of Things devices are more vulnerable to compromise and more widely abused in DDoS attacks than ever before. Here's how to defend against them.

Justin Shattuck, Manager of Product Development, F5 Silverline, also contributed to this article.

For over a year now, F5 Labs and our data partner, Loryka, have been monitoring the ongoing hunt by attackers for vulnerable IoT devices they can compromise. In our first report, DDoS’s Newest Minions: IoT Devices, our research confirmed what many security experts had long suspected: IoT devices were highly vulnerable to exploitation, attacker interest in exploiting them was high, and distributed denial-of-service (DDoS) attacks using these devices were already occurring. The findings and conclusions of Volume 1 have held up, and the new numbers show even steeper growth than we had imagined.

  • Networks in China (primarily state-owned telecom companies and ISPs) headlined the threat actor list, accounting for 44% of all attacks in Q3 and 21% in Q4. (That drop likely was due to global interest in Mirai.)
  • Behind China, the top threat actors in Q3 were Vietnam and the US, and Russia and the UK in Q4. Surprisingly, the UK jumped from number 15 in Q3 to number 3 in Q4, with most activity coming from an online gaming network.
  • In Q3 and Q4, the top four targeted countries were Russia, followed by Spain, then the US, then Turkey. Russia was a top target of all top 50 source countries, at 31% in Q3 and 40% in Q4. These efforts coincided with the high-profile US election and allegations of Russian hacking.
  • Most attacks were launched from Linux systems within hosting provider and telecom companies.
  • IoT devices are critically vulnerable, and the scope is global. IoT devices have little capacity for securing themselves. An end user can reboot a compromised IoT device to clear the malware from memory, but unless the underlying access issue is fixed (that is, default passwords are changed and security controls are added), the device will simply be compromised again. There are many Mirai botnets now, and they are constantly scanning for new devices.
  • IoT attacks can impact large targets previously thought to be untouchable. The collective firepower of an IoT botnet can reach the terabit-per-second range, and we don’t yet know just how big they can get.
  • Bot operators aren’t afraid to turn their cyber weapons against some of the largest providers in the world.
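As an added illustration of what the constant scanning described above looks like from the defender's side (example code written for this page, not code from F5 Labs or from the original article), the Python below flags sources in a perimeter log that behave like Mirai-style scanners: many distinct hosts probed on TCP 23/2323 inside a short window, and Telnet logins that used factory-default credentials. The log format, the sample lines and the credential list are all constructed for the example; the credential set is a short illustrative sample, not the dictionary of any real botnet.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, simplified firewall/flow log (assumption: not a real vendor format):
#   "<ts> src=<ip> dst=<ip> dport=<port> action=<connect|login> [user=<u> pass=<p>]"
SAMPLE_LOG = """\
2017-07-13T03:45:01 src=203.0.113.10 dst=198.51.100.1 dport=23 action=connect
2017-07-13T03:45:01 src=203.0.113.10 dst=198.51.100.2 dport=23 action=connect
2017-07-13T03:45:02 src=203.0.113.10 dst=198.51.100.3 dport=2323 action=connect
2017-07-13T03:45:02 src=203.0.113.10 dst=198.51.100.4 dport=23 action=connect
2017-07-13T03:45:03 src=203.0.113.10 dst=198.51.100.5 dport=23 action=connect
2017-07-13T03:45:03 src=203.0.113.10 dst=198.51.100.6 dport=2323 action=connect
2017-07-13T03:45:04 src=203.0.113.10 dst=198.51.100.3 dport=2323 action=login user=root pass=admin
2017-07-13T03:45:09 src=192.0.2.7 dst=198.51.100.1 dport=443 action=connect
2017-07-13T03:45:10 src=192.0.2.7 dst=198.51.100.2 dport=23 action=connect
2017-07-13T03:45:11 src=192.0.2.7 dst=198.51.100.2 dport=23 action=login user=alice pass=S3cret!
# noise: this line does not match the format and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"action=(?P<action>\w+)(?: user=(?P<user>\S+) pass=(?P<pw>\S*))?$"
)

TELNET_PORTS = {23, 2323}  # the Telnet ports Mirai-style scanners probe

# Illustrative factory defaults (assumption: a short sample chosen for this
# example, not the credential dictionary of any real botnet).
DEFAULT_CREDS = {
    ("root", "root"), ("root", "admin"), ("admin", "admin"),
    ("admin", "password"), ("root", "12345"), ("admin", "1234"),
}


def parse_log(text):
    """Parse log lines into dicts; lines that do not match are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.fromisoformat(e["ts"])
        e["dport"] = int(e["dport"])
        events.append(e)
    return events


def find_scanners(events, window=timedelta(seconds=60), min_targets=5):
    """Map src -> largest number of distinct Telnet targets it connected to
    within any sliding window; a source is listed only if that number
    reaches min_targets. Login events are not counted as probes."""
    conns = defaultdict(list)
    for e in events:
        if e["action"] == "connect" and e["dport"] in TELNET_PORTS:
            conns[e["src"]].append((e["ts"], e["dst"]))
    hits = {}
    for src, seq in conns.items():
        seq.sort()
        lo = 0
        for hi in range(len(seq)):
            while seq[hi][0] - seq[lo][0] > window:  # advance window start
                lo += 1
            distinct = len({dst for _, dst in seq[lo:hi + 1]})
            if distinct >= min_targets:
                hits[src] = max(distinct, hits.get(src, 0))
    return hits


def find_default_logins(events):
    """Telnet logins that used a factory-default username/password pair."""
    return [
        (e["src"], e["dst"], e["user"], e["pw"])
        for e in events
        if e["action"] == "login" and (e["user"], e["pw"]) in DEFAULT_CREDS
    ]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for src, n in find_scanners(evs).items():
        print(f"scanner {src}: {n} distinct Telnet targets inside one window")
    for src, dst, user, pw in find_default_logins(evs):
        print(f"default-credential login {src} -> {dst} as {user}/{pw}")
```

Run against the embedded sample, 203.0.113.10 is reported as a scanner (six distinct Telnet targets in a few seconds) and its root/admin login is flagged, while 192.0.2.7, which touched a single Telnet host and logged in with a non-default password, stays quiet. The threshold and window are deliberately parameters: a source that reaches five distinct Telnet hosts in a minute is a strong signal on most networks, but tune them against your own baseline before alerting on them.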

Image Source: F5

Beyond just “getting used to it,” here are some steps security professionals can take, both personally and professionally:

Have a DDoS strategy
If you don’t already have a DDoS strategy in place, now is the time for one, and there are three good options:

  1. On-premises equipment is a good fit for customers who are routinely targeted by DDoS attacks that stay below their network capacity and who have trained staff to mitigate them effectively on their own.
  2. Hybrid on-premises and cloud scrubbing for customers that receive frequent DDoS attacks they mitigate with their own equipment and staff (because outsourcing every attack is not cost-effective), but who are also at risk of large attacks that exceed their capacity and therefore need backup cloud scrubbing services.
  3. Cloud scrubbing for companies that do not deal with DDoS on a regular basis and have neither in-house expertise nor equipment. This includes any company at risk of large-scale attacks that exceed its network capacity (that is essentially every business on the Internet apart from service providers and DDoS scrubbing services!).

Ensure Critical Services Have Redundancy
Consider that you will not always be the target; the services you depend on could be, which makes you a potential downstream casualty. Have a business continuity plan that includes disaster recovery for your critical services so you do not end up in the same boat as Twitter, GitHub, and Spotify when Dyn DNS suffered a DDoS attack, or as any company that relied solely on OVH for hosting and was down while OVH's network was under attack. Use at least two providers for each critical service (and, for DNS, consider more than two). Remember that DNS can be your friend, too: serve your global data centers over Anycast so that replicated content absorbs and diffuses attack traffic when an attack happens.
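One concrete check for the DNS part of that advice, added here as an example rather than taken from the article: parse the answer section of `dig NS <zone> +noall +answer` and report whether every nameserver in the delegation is run by the same operator. It assumes the operator can be approximated by the last two labels of the nameserver hostname (no public suffix list is consulted, so a delegation to ns1.example.co.uk would be grouped as co.uk). The dig output embedded below is constructed sample data, not a live lookup.

```python
import re
import sys
from collections import defaultdict

# Answer-section lines as printed by `dig NS example.com +noall +answer`:
#   <zone> <ttl> IN NS <nameserver>
DIG_NS_RE = re.compile(r"^(?P<zone>\S+)\s+\d+\s+IN\s+NS\s+(?P<ns>\S+)$")

# Constructed sample output: every nameserver at one operator ...
SINGLE_OPERATOR = """\
example.com.\t172800\tIN\tNS\tns1.example-dns.net.
example.com.\t172800\tIN\tNS\tns2.example-dns.net.
"""
# ... versus the same zone with a second, independent operator added.
TWO_OPERATORS = SINGLE_OPERATOR + """\
example.com.\t172800\tIN\tNS\tns-101.secondary-dns.org.
example.com.\t172800\tIN\tNS\tns-102.secondary-dns.org.
"""


def parse_dig_ns(text):
    """Return (zone, [nameserver hostnames]) from dig answer lines; other lines are ignored."""
    zone, hosts = None, []
    for line in text.splitlines():
        m = DIG_NS_RE.match(line.strip())
        if not m:
            continue
        zone = m.group("zone").rstrip(".").lower()
        hosts.append(m.group("ns").rstrip(".").lower())
    return zone, hosts


def operator_of(ns_host):
    """Heuristic (assumption): the last two labels of the NS hostname identify its operator."""
    labels = ns_host.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def delegation_report(zone, ns_hosts, min_operators=2):
    """Group nameservers by operator and flag a delegation with too few operators."""
    by_op = defaultdict(list)
    for h in ns_hosts:
        by_op[operator_of(h)].append(h)
    return {
        "zone": zone,
        "nameservers": len(ns_hosts),
        "operators": {op: sorted(hs) for op, hs in by_op.items()},
        "single_operator": len(by_op) < min_operators,
    }


def check(dig_text):
    zone, hosts = parse_dig_ns(dig_text)
    return delegation_report(zone, hosts)


if __name__ == "__main__":
    # Pipe real output in (dig NS yourzone +noall +answer | python3 ns_check.py)
    # or fall back to the constructed samples when run interactively.
    samples = [("stdin", sys.stdin.read())] if not sys.stdin.isatty() else [
        ("single", SINGLE_OPERATOR), ("dual", TWO_OPERATORS)]
    for label, text in samples:
        r = check(text)
        status = "SINGLE POINT OF FAILURE" if r["single_operator"] else "ok"
        print(f"{label}: {r['zone']} has {r['nameservers']} NS across "
              f"{len(r['operators'])} operator(s): {status}")
```

Two nameservers at one operator still fail this check: they protect against a single server outage, not against the operator's whole network being the target, which is what the Dyn incident demonstrated. The same grouping idea applies to hosting and CDN providers, with the operator derived from the address's origin network rather than from a hostname.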

Don’t Buy IoT Products Known To Be Insecure or Compromised
Money talks! Choosing not to spend money on the products built by irresponsible manufacturers is a quick way to drive change, at both a grassroots level personally with consumer products that become weapons against your business, and professionally if you are an IoT implementer.

If you are a company that deploys but does not manufacture IoT devices, test and verify the safety of a vendor’s products before you buy them.

If you are a security professional, the general public needs help knowing which devices are vulnerable or compromised, so share your knowledge with your family and friends and encourage them to share, as well. Social media is a powerful tool. So is security awareness training for your employees.

Share Your Knowledge
Security professionals around the world can chip away at this global problem by communicating more with each other and sharing knowledge. Attackers are known for sharing information with each other; they even shared the most powerful botnet to date! Security professionals—even among competitors—need to take a page from attackers’ playbooks by sharing more key information about vulnerable devices, attacks and threat actors, mitigation efforts that are working, and potential solutions, no matter how wild the ideas might seem.


Sara Boddy currently leads F5 Labs, F5 Networks' threat intelligence reporting division. She came to F5 from Demand Media where she was the Vice President of Information Security and Business Intelligence. Sara ran the security team at Demand Media for 6 years, covering all ...