
IoT Botnets and DDoS: A New Reality With New Responsibilities


MNP's TAKE: Massive cyber attacks - such as those which recently shut down Twitter, Amazon and Shopify - are the type of threats enterprises around the world now must deal with. The attacks can impact any entity - your business, banks and government, anything that is connected to the internet. Indeed, the growth of Internet of Things (IoT) devices was a factor in this cyber attack, called a Distributed Denial of Service (DDoS) attack, authorities say. The majority of the issues with IoT are not necessarily in the flaws of the devices themselves but rather with the end users, who often don’t understand the technology and fail to update and upgrade appropriately. There were approximately 15 billion IoT devices in 2015 and that number is expected to grow to 200 billion by 2020. The reality of cyber breaches is that they will occur at some point; to mitigate the impact, all businesses need to regularly assess their cyber security plans and programs. How interconnected are you with third-party vendors or contractors? Their cyber security programs can impact your security as well. To find out how to strengthen your cyber security stance, contact Danny Timmins, National Cyber Security Leader for MNP, at [email protected].


On October 21, multiple massive distributed denial of service (DDoS) attacks hit Dyn, an internet performance management company headquartered in New Hampshire. Dyn is a managed DNS provider to many of the large companies on the internet such as Twitter, Reddit, GitHub, PayPal, Spotify, Heroku, SoundCloud, Crunchbase, Netflix, Amazon, and others.

News surfaced over the following weekend that the Mirai IoT (internet of things) botnet was at least partially responsible for the attack, and according to Dyn, was generating traffic from “10s of millions of discrete IP addresses.”

Instead of rehashing details of how this could have occurred, we want to discuss botnet attacks as part of the new reality in our connected world, and as such, how device manufacturers and device users need to respond. We also want to take a look at the role that governments can or cannot play.

Connected Devices of All Types, Everywhere

Ubiquitous — it’s an over-used word, but it truly applies here. A huge range and number of internet-connected devices exist, including cameras, DVRs, thermostats, light bulbs, toothbrushes, teapots, clothes dryers, pet feeders, home security appliances, payment transaction devices, health monitors, personal emergency response systems, and on, and on. In other words, connected devices are everywhere — in the home, in the car, on our bodies, in the workplace, in our hospitals, and everywhere else you can imagine.

When there’s a DDoS, it isn’t just your ability to get on Facebook that’s impacted. All areas of our lives are disrupted, from entertainment, to commerce, to physical and personal security, to health matters that have — potentially — very serious implications. Sometimes denial of service is just an inconvenience; other times, it can be life threatening.

An Inconvenient Truth

Many of these devices are not inherently secure, and it’s way too easy to commandeer them with a botnet like Mirai.

So what to do? Let’s answer this from two points of view: the manufacturers’ and the end-users’.

Manufacturers’ Responsibilities

At the outset, we should mention that Hangzhou Xiongmai Technology, the manufacturer of many of the devices used in the attack, is planning to issue a device recall on some of its vulnerable products.

While a recall may help to get some of these insecure devices off the internet, it’s incredibly likely that many will stay connected and insecure and that far more devices from other manufacturers are sitting idle, waiting to be compromised — or are being used maliciously already.

So let’s shift the focus from after-the-fact “responsibility” to proactive steps that device manufacturers can and should take.

As we often say in this blog, security should be integrated from the outset, whether it’s into an organization’s infrastructure and practices or into an IoT device. With that in mind, manufacturers need to replace the current practice of shipping products that offer consumers no way to upgrade or protect themselves with products that can be upgraded. A shift needs to take place whereby a much stronger focus on consumer security is built into the product development cycle. It’s not lack of processing power that makes devices vulnerable; it’s lack of will to build processing power into the devices in the first place. Some manufacturers already do this: they force a password reset on first login, or randomly generate a password per device.
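The two practices just named, a per-device random factory password and a forced reset on first login, can be expressed as a small credential policy. This is an added example, not code from Threat Stack, MNP or any device vendor; the list of rejected factory defaults is a constructed placeholder.

```python
import hashlib
import hmac
import os
import secrets
import string

# Constructed, hypothetical set of factory defaults the device must never accept.
KNOWN_DEFAULTS = {"", "admin", "password", "123456", "default", "user"}


def generate_device_password(length: int = 16) -> str:
    """Unique random credential generated per unit, e.g. printed on the device label."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def _hash(password: str, salt: bytes) -> bytes:
    # Store only a salted, slow hash of the credential on the device.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class DeviceCredentials:
    """Credential state of one device: factory password, forced first-login reset."""

    def __init__(self) -> None:
        self.initial = generate_device_password()  # label value, differs per unit
        self.salt = os.urandom(16)
        self.digest = _hash(self.initial, self.salt)
        self.must_change = True  # first successful login must set a new password

    def is_acceptable(self, password: str) -> bool:
        # Reject known defaults, short passwords, and re-use of the label password.
        return (len(password) >= 12
                and password.lower() not in KNOWN_DEFAULTS
                and password != self.initial)

    def login(self, password: str) -> str:
        if not hmac.compare_digest(_hash(password, self.salt), self.digest):
            return "denied"
        return "change_required" if self.must_change else "ok"

    def change_password(self, current: str, new: str) -> bool:
        if self.login(current) == "denied" or not self.is_acceptable(new):
            return False
        self.salt = os.urandom(16)
        self.digest = _hash(new, self.salt)
        self.must_change = False
        return True
```

Until `change_password` succeeds, every other action on the device should be refused, so a unit left at its factory credential never becomes fully usable, let alone exposed with a shared default.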

End-User Responsibilities

Most of us, as end-users, show a degree of complacency in our acceptance of IoT devices and our generally lax approach to internet security. But unless end-users follow basic security practices, the security loop is incomplete and devices remain vulnerable. At a minimum, consumers should research carefully whether any security update mechanism is built into the devices they are planning to purchase, and they need to stop using default (or otherwise weak) passwords. Easier said than done, of course, but it would appear that many manufacturers only respond to market forces or public shame.

Government Responsibilities

When the well-being of the community is being threatened, can governments step in? Ironically, their options are often limited. In many democracies, it is not legal to access a computer without the owner’s permission, even if the intent is to do good. In the United States, for example, it is illegal to access a computer without authorization, according to the Computer Fraud and Abuse Act. The same is true in Holland where Dutch authorities came under fire in 2010 after uploading a file to computers that had been infected with the Bredolab botnet, in order to use that file to redirect users’ browsers to a web page in an attempt to inform them that they’d been hacked.

This leaves us with quite a dilemma. It is probably safe to say that many of the connected devices involved in last week’s DDoS will not be returned, can’t be updated, and will remain active. It is theoretically possible to “brick” these devices and render them useless. But should we? Should the U.S. or another country take action to prevent these devices from further targeting infrastructure? What are the implications of such an action? What if the intended fix introduces even bigger flaws?

Final Words...

The Mirai botnet was performing smaller scale attacks prior to the one against Dyn, and has continued to attack after Dyn successfully mitigated the attack on Friday. This means that malicious activity from this botnet is an ongoing problem with no real end in sight.

While there’s no way of preventing attacks like Mirai, there are steps that the connected community can take — from manufacturer to end-user — to mitigate attacks when they do happen.

DDoS may be part of the new reality, but we don’t have to accept it as the new norm.

This article originally appeared in Threat Stack Blog.


This article was written by Tim Armstrong from Business2Community and was legally licensed through the NewsCred publisher network.