It is well known that connected devices are prime targets for hackers who want to exploit their computing power and large-scale distribution for cybercriminal activities, and in particular DDoS. IoT devices are deployed in the millions, often configured insecurely by default, and typically infrequently maintained. They operate 24/7 and are available at any time, and unlike PCs and servers, they are subjected to few security standards and regulations.
Unsecured IoT devices are also easy to find. Thanks to sites like shodan.io, a specialised search engine that lets users look up specific types of IoT devices (such as connected web cameras or routers), identifying vulnerable targets now requires minimum effort.
Put together, these weaknesses hand attackers a huge pool of hijackable devices from which to assemble IoT botnets. But such botnets are not only used for brute-force (volumetric) attacks: they are also exploited in stealthier ways, which call for more sophisticated protection measures.
The growing threat of Application Layer attacks
When we talk about DDoS attacks, most people will think of large-scale attacks which target the network or transport layers (3 or 4) in the OSI Model. The poster child for this type of attack is, of course, Mirai. Mirai made global headlines in October 2016, when it rendered major websites such as Twitter, Reddit and Spotify unavailable by overwhelming the managed DNS service of Dyn, on which those sites depended. It was the first major, widespread attack carried out with an IoT botnet.
However, compromised IoT devices are increasingly used for a different and more insidious type of attack, namely so-called Application Layer (Layer 7) attacks, which target specific elements of an application or service. Security solution provider F5 calls Layer 7 attacks “the new drug”, meaning that they are becoming more common, more sophisticated, and more threatening.
The most common type of Application Layer attack is the HTTP flood, which sends seemingly legitimate requests, but in vast quantities. These floods often target particularly resource-hungry elements of the web application, such as form submissions, search queries or login handlers, where each request costs the server far more than it costs the attacker.
Whereas mitigating a volumetric attack comes down to who has the greater network capacity, the attacker or the mitigation service, Application Layer attacks are much more complex to detect and deflect.
Because each bot in the botnet makes apparently legitimate requests from its own source IP address, a distributed attack can look very similar to legitimate user traffic and may not trigger detection before it is too late.
By using a large number of different devices with different IP addresses (for which IoT botnets are ideal), and capping the number of requests per device below any rate-limit threshold, attackers can avoid volumetric detection. IP-centric controls, such as the per-IP rate limits and blocklists typically relied on by Web Application Firewalls, are simply no match for this type of attack.
The most effective way to protect applications against Layer 7 attacks is therefore to profile incoming traffic. Behaviour, not volume, is the key to detecting this sort of attack, and the protection solution must be able to accurately distinguish real human users from human-like bots.
Will IoT device owners do their part?
Sadly, IoT device owners currently have few incentives to prevent their devices from being used in DDoS attacks on unaffiliated businesses. As a result, we are left with billions of vulnerable devices around the world.
Long term, the consequences of weak security will inevitably become too visible or too costly, and IoT security will have to improve. But until then, IoT devices will keep being hijacked and used in both network layer and application layer DDoS attacks. Organisations therefore need to implement security controls that efficiently detect and block malicious bots, in order to protect their websites, applications and services.
How to learn more
IoT botnets are a growing threat to businesses worldwide. With the right knowledge and tools, however, most botnet attacks can be prevented. You can become a trusted leader at the forefront of Cyber Security with a Master of Cyber Security at Edith Cowan University online. Accelerated and 100% online, the Master of Cyber Security will provide you with the tools and techniques to predict, identify, and mitigate DDoS attacks and other cyber security risks.