iot ddos attacks: the stakes have changed

Post on 12-Feb-2017


TRANSCRIPT

IOT DDOS ATTACKS: THE STAKES HAVE CHANGED

Manish Rai, VP of Marketing
Ty Powers, Principal Technical Product Manager
December 13th, 2016

Recent News: IoT DDoS Attacks

• Mirai botnet infected an estimated 145K+ IoT devices on the Internet
• Infected devices were used to launch a series of DDoS attacks
• A follow-up attack in France reached 1 Tbps
• Culminated in a serious, widespread Internet outage
• Motive unclear, though ransom suspected

Timeline of Attacks

• 9/20: Krebs on Security, 623 Gbps
• 9/22: French provider OVH, 1 Tbps
• 10/21: Dyn, 1.2 Tbps

9/20 : Krebs on Security Attack

• Mirai botnet used in the attack
• September 20 attack reached 623 Gbps
• Previous record was 363 Gbps
• Krebs was an Akamai pro bono customer
• Akamai dropped the Krebs website rather than take on a hard financial hit

9/20 : Krebs on Security Attack

Top Sources: Brazil, Vietnam, China, South Korea, Romania, Russia, Colombia, Taiwan, United Arab Emirates (Source: Akamai)

10/21: Dyn Attack

• Attack began ~7:10 am ET, targeting East Coast servers
  • Mitigated ~2 hours later
• Second wave began ~1:50 pm ET, global in nature
  • Recovered ~1 hour later
• Small probing attacks over the next few hours/days
  • Prevented without customer impact

[Figure: A depiction of the outages caused by today's attacks on Dyn, an Internet infrastructure company. Source: Downdetector.com.]

Sources:
http://hub.dyn.com/static/hub.dyn.com/dyn-blog/dyn-statement-on-10-21-2016-ddos-attack.html
http://www.cnbc.com/2016/10/21/major-websites-across-east-coast-knocked-out-in-apparent-ddos-attack.html

“Mirai” Botnet

• Targeted IoT devices: DVRs, IP surveillance cameras, and consumer routers
• Spreads like a worm, using Telnet and 60+ default username/passwords to scan the Internet for additional IoT devices to infect
• Many of the devices are manufactured by XiongMai, with hardcoded username/passwords
• Botnet even blocks owners from communicating with it
• Capable of generating 10 types of attacks:
  • 2 UDP, 2 GRE, 2 ACK, 1 SYN and 1 DNS flood
  • 1 Valve Engine attack
  • 1 HTTP flood attack that is configurable and can leverage any HTTP method
• Static and randomized IP address spoofing in five of the 10 attack types
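Added example (not from the Great Bay deck): a Python check, run over constructed flow records, that spots the worm-like Telnet fan-out the Mirai slide describes and the inbound Telnet exposure the later best-practice slides say to close. The sample addresses, the 10.20.0.0/16 IoT segment and the 5-target threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample flows (not real traffic): "timestamp src dst dst_port"; 10.20.0.0/16 is assumed to be the IoT segment.
SAMPLE_FLOWS = """\
2016-09-20T14:00:01 10.20.5.17 203.0.113.4 23
2016-09-20T14:00:01 10.20.5.17 198.51.100.9 23
2016-09-20T14:00:02 10.20.5.17 203.0.113.77 2323
2016-09-20T14:00:02 10.20.5.17 192.0.2.31 23
2016-09-20T14:00:03 10.20.5.17 203.0.113.250 23
2016-09-20T14:00:03 10.20.5.17 198.51.100.41 23
2016-09-20T14:00:06 10.20.5.40 203.0.113.4 23
2016-09-20T14:00:09 203.0.113.66 10.20.5.22 23
"""

TELNET_PORTS = {23, 2323}   # the ports Mirai's scanner targets
INTERNAL_PREFIX = "10.20."  # assumed IoT segment under our control
WINDOW = timedelta(seconds=60)
FANOUT_THRESHOLD = 5        # distinct Telnet targets per source within WINDOW

def parse_flows(text):
    """Parse one flow per line into (timestamp, src, dst, port) tuples."""
    flows = []
    for line in text.strip().splitlines():
        ts, src, dst, port = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return flows

def find_telnet_scanners(flows, threshold=FANOUT_THRESHOLD, window=WINDOW):
    """Map each internal host that opens Telnet connections to >= threshold distinct
    destinations within `window` to its peak distinct-target count (a DVR or camera has no reason to do this)."""
    by_src = defaultdict(list)
    for ts, src, dst, port in flows:
        if port in TELNET_PORTS and src.startswith(INTERNAL_PREFIX):
            by_src[src].append((ts, dst))
    hits = {}
    for src, events in by_src.items():
        events.sort()  # sliding window over time-ordered events
        for i, (start, _) in enumerate(events):
            targets = {d for t, d in events[i:] if t - start <= window}
            if len(targets) >= threshold:
                hits[src] = max(hits.get(src, 0), len(targets))
    return hits

def find_exposed_telnet(flows):
    """Internal devices reached over Telnet from outside the segment: the remote-access conduit to close."""
    return sorted({dst for _, src, dst, port in flows
                   if port in TELNET_PORTS and dst.startswith(INTERNAL_PREFIX)
                   and not src.startswith(INTERNAL_PREFIX)})
```

In the constructed sample, 10.20.5.17 fans out to six distinct Telnet targets in three seconds and is flagged, while 10.20.5.40's single Telnet connection is not; 10.20.5.22 is reported as reachable over Telnet from outside.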

Targeted Devices


Great Bay Software Survey Results: Conducted before the IoT DDoS Attacks

Surveyed over 100 enterprise network security professionals.

Goal: With the exponential growth of IoT devices (both consumer and enterprise) connected to the enterprise network in 2016/17, our aim was to understand:
• How will this affect enterprise endpoint security protocols and best practices?
• How are enterprises planning on accommodating IoT devices?
• How will enterprises secure IoT and unmanageable devices on their network compared to managed device types?

Great Bay Software Survey Results: Conducted before the IoT DDoS Attacks

“71% of IoT Enterprise Security Professionals Not Monitoring IoT Devices In Real Time”

“43% of those surveyed stated that they have no plans to accurately classify every IoT device on the network and 28% plan to address the issue within the next 6-12 months”


Best Practices for Safeguarding your Enterprise against DDoS threats

• Be part of the solution, not the problem
  • Protect yourself while protecting others
  • Be good Internet citizens
• Know what's on your network at all times
  • What's on my network?
  • How long has it been there?
  • Has it moved?
  • Why is it on my network?
  • What is it doing?
  • Do I trust it?

Mirai-infected devices were spotted in 164 countries (Source: Imperva, Inc., https://www.incapsula.com/)

Best Practices for Safeguarding your Enterprise against DDoS threats

• Harden networks against the possibility of a DDoS attack
  • https://www.us-cert.gov/sites/default/files/publications/DDoS%20Quick%20Guide.pdf
• Disable remote access to IoT devices if possible
  • Remote access provides a conduit to vulnerable devices
• Disable/limit protocol usage
  • Disable insecure protocols such as Telnet and FTP where possible
• Ensure that only the communication ports that should be open are open
  • Are SSH, Telnet and HTTP ports still open?
• Ensure proper network segmentation
  • Reduce the available attack surface and limit the contamination
• Keep the perimeter intact
  • Avoid Internet-facing endpoints and services where possible

Best Practices for Safeguarding your Enterprise against DDoS threats

• Implement policies and procedures around new device adoption
  • Endpoint certification/validation etc.
  • Know the risks and weigh them against the benefits of IoT
• Minimum Security Baselines (MSB)
  • Document and educate endpoint owners on proper configuration guidelines
• Control access to the network
  • Limit network access to approved devices (Authenticate, Authorize, and Audit)
• Deploy real-time endpoint detection
  • Know what's connecting to the network and where
• Patch, patch, patch
  • Patch early and patch often

Whose Job Is it Anyway?

• Is IoT security the responsibility of the device manufacturer, the service providers, or us… the consumer?
  • All of the above!
• Gartner researchers predict that by 2020 we will have 25 billion connected devices
• PricewaterhouseCoopers' Global State of Information Security® Survey 2015 stated that more than 70 percent of connected IoT devices, such as baby monitors, home thermostats, and televisions, are vulnerable because they lack fundamental security safeguards
  • This is MUCH more than an enterprise problem!

Whose Job Is it Anyway?

• Device manufacturers
  • Reuters reports that IoT device manufacturer Hangzhou XiongMai has said it will recall some of the products it has sold in the United States, strengthen passwords and send out patches for some devices
    • http://www.reuters.com/article/us-cyber-attacks-manufacturers-idUSKCN12O0MS
  • In the race to be first (or early) to market, security has been a lower priority in some cases
  • CSO Online reported that many companies still think that if a device is not directly accessible from the Internet, nobody needs to be concerned about its security.
    • http://www.csoonline.com/article/2983681/vulnerabilities/how-to-secure-the-internet-of-things-and-who-should-be-liable-for-it.html
  • Published FTC guidelines
    • https://www.ftc.gov/system/files/documents/reports/federal-trade-commission-staff-report-november-2013-workshop-entitled-internet-things-privacy/150127iotrpt.pdf

Whose Job Is it Anyway?

• Service Providers
  • Provide DDoS prevention and protection services
  • Consumer-grade providers can and possibly should provide hardening at the Point of Presence as a first line of defense
• IoT End Users
  • As the device owners, we need to make certain that we're doing all that we can to prevent, or at least not participate in, attacks such as DDoS
  • The Online Trust Alliance (https://otalliance.org/) has published an IoT security checklist for consumers
    • https://otalliance.org/system/files/files/initiative/documents/smartdevice-securityprivacy-checklist.pdf

TAKEAWAYS & QUESTIONS

IoT Security (graphic labelled "See" and "Act")
• Monitoring: Identity, Behavior, Location
• Onboarding: Authenticate Device, Onboard Automatically, Segment
• Enforcement: Alert, Quarantine, Block
• Visibility: Real-time Discovery, Comprehensive Profiling, Every Network

THANK YOU! To learn more visit: greatbaysoftware.com Request an IoT endpoint assessment: https://go.greatbaysoftware.com/endpoint-assessment-request
