The Internet of Threats: IoT Botnets and Application Layer Attacks

It is well known that connected devices are prime targets for hackers who want to exploit their computing power and large-scale distribution for cybercriminal activities, and in particular DDoS. IoT devices are deployed in the millions, often configured insecurely by default, and typically infrequently maintained. They operate 24/7 and are available at any time, and unlike PCs and servers, they are subjected to few security standards and regulations.

Unsecured IoT devices are also easy to find. Thanks to sites like, a specialised search engine that lets users look up specific types of IoT devices (such as connected web cameras or routers), identifying vulnerable targets now requires minimal effort.

Put together, these weaknesses give hackers easy access to a massive attack surface via IoT botnets. But such botnets are not only used for brute force (volumetric) attacks: they are also being exploited in stealthier ways, which require more sophisticated protection measures.

The growing threat of Application Layer attacks

When we talk about DDoS attacks, most people will think of large-scale attacks which target the network or transport layers (3 or 4) in the OSI Model. The poster child for this type of attack is, of course, Mirai. Mirai made global headlines in the fall of 2016, when it rendered major websites such as Twitter, Reddit and Spotify unavailable by taking down the Dyn DNS server. It was the first major, widespread attack using IoT botnets.

However, compromised IoT devices are increasingly used for a different and more insidious type of attack, namely so-called Application Layer (Layer 7) attacks, which target specific elements of an application or service. Security solution provider F5 calls Layer 7 attacks “the new drug”, meaning that they are becoming more common, more sophisticated, and more threatening.

The most common type of Application Layer attack is the HTTP flood, which sends seemingly legitimate requests, but in vast quantities. These floods often target particularly resource-hungry elements of the web application, such as form submissions.

Whereas mitigating a brute force attack comes down to who has the strongest network capacity — the attacker or the mitigation service — Application Layer attacks are much more complex to detect and deflect.

Because each bot in the botnet makes apparently legitimate network requests and reports a unique source IP address, a distributed attack can look very similar to legitimate user traffic and may not trigger detection before it is too late.

By using a large number of different devices with different IP addresses (for which IoT botnets are ideal), and capping the number of attempts per device, hackers can avoid volumetric detection. IP-centric protection solutions, such as Web Application Firewalls, are simply no match for this type of attack.

The most effective way to protect applications against Layer 7 attacks is therefore to profile incoming traffic. Behaviour, not volume, is the key to detecting this sort of attack, and the protection solution must be able to accurately distinguish real human users from human-like bots.
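The contrast between volume-based and behaviour-based detection can be shown on a small request log. The following is an added example, not part of the original article: the log is constructed, and the per-IP limit, the `/contact` form path and the single behavioural signal (submitting a form that the client never loaded) are assumptions chosen for illustration.

```python
from collections import defaultdict

PER_IP_LIMIT = 10        # assumed volumetric threshold per one-minute window
FORM_PATH = "/contact"   # assumed resource-hungry form endpoint

def build_sample_log():
    """Constructed one-minute window of (ip, method, path) records."""
    log = []
    # 5 human visitors: load the page and its stylesheet, then submit once.
    for i in range(5):
        ip = f"198.51.100.{i + 1}"
        log += [(ip, "GET", FORM_PATH), (ip, "GET", "/static/app.css"),
                (ip, "POST", FORM_PATH)]
    # 200 bots: three direct submissions each, well under the per-IP limit.
    for i in range(200):
        ip = f"203.0.113.{i + 1}"
        log += [(ip, "POST", FORM_PATH)] * 3
    return log

def volumetric_flags(log, limit=PER_IP_LIMIT):
    """IP-centric check: flag any address exceeding the request limit."""
    counts = defaultdict(int)
    for ip, _, _ in log:
        counts[ip] += 1
    return {ip for ip, n in counts.items() if n > limit}

def behavioural_flags(log, form_path=FORM_PATH):
    """Flag clients that submit the form without having fetched it first."""
    fetched, flagged = set(), set()
    for ip, method, path in log:
        if method == "GET" and path == form_path:
            fetched.add(ip)
        elif method == "POST" and path == form_path and ip not in fetched:
            flagged.add(ip)
    return flagged

def endpoint_pressure(log, form_path=FORM_PATH):
    """Share of form submissions that come from flagged clients."""
    flagged = behavioural_flags(log, form_path)
    posts = [ip for ip, m, p in log if m == "POST" and p == form_path]
    return sum(ip in flagged for ip in posts) / len(posts)

if __name__ == "__main__":
    log = build_sample_log()
    print("per-IP limit flags:", len(volumetric_flags(log)))
    print("behavioural flags: ", len(behavioural_flags(log)))
    print("flagged share of form POSTs: %.3f" % endpoint_pressure(log))
```

Real traffic profiling combines several such signals; this one is used only because it is visible in plain request logs.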

Will IoT device owners do their part?

Sadly, IoT device owners currently have few incentives to prevent their devices from being used in DDoS attacks on unaffiliated businesses. As a result, we are dealing with billions of vulnerable devices around the world.

Long term, the consequences of weak security will inevitably become too visible or too costly, and IoT security will have to improve. But until then, IoT devices will keep being hijacked and used in both network layer and application layer DDoS attacks. Organisations therefore need to implement security controls that efficiently detect and block malicious bots, in order to protect their websites, applications and services.

How to learn more

IoT botnets are a growing threat to businesses worldwide. With the right knowledge and tools, however, most botnet attacks can be prevented. You can become a trusted leader at the forefront of Cyber Security with a Master of Cyber Security at Edith Cowan University online. Accelerated and 100% online, the Master of Cyber Security will provide you with the tools and techniques to predict, identify, and mitigate DDoS attacks and other cyber security risks.

The Convergence of Blockchain and the IoT

Blockchain technology and the Internet of Things (IoT) have a lot in common. They are both futuristic technologies in the midst of a ten-second countdown to launching themselves into the stratosphere, where all industries will rely on them and everyday people will begin to take them for granted.

Currently, many crypto fans already possess a bitcoin wallet from Luno or another global brand, and thousands of households have connected devices to make chores easier. This is in spite of the fact that blockchain and IoT are still, arguably, in their early ramp-up periods – assuming they do spread massively as predicted. However, these two areas of technology are not just comparable in their growth potential: they can actually be combined.

The convergence of the Internet of Things and Blockchain technology is possible, in motion and to the benefit of businesses. Here we will discuss the state of play and find out exactly why businesses could benefit from such a joining of technological forces.

How Do the IoT and Blockchain Technology Fit Together?

The Internet of Things is designed to spread data without the need for human interaction, for the most part. Spreading information is something the blockchain already does when sending crypto data around the world from wallet to wallet. With this in mind, it is already possible to see some mutually beneficial qualities in both technologies.

Ways of Fuelling IoT Through A Crypto System

The bottom line is that there are ways that the IoT could be fuelled by blockchain and/or crypto. To give a better understanding of these possibilities, here are some speculated examples of how they could be used together and how this benefits businesses.

1. IoT to Excel Microtransactions

If an IoT reliant society does come to fruition, the increase of microtransactions will be unavoidable. We may have to pay small fees for turning lights on or using the washing machine, but can banks keep up with a surge in microtransactions? We already know crypto can, but financial institutions may also begin to look at the blockchain to help deal with such demand. Simultaneously this helps those business providers bring their services to market.

2. Data Security

There is already some distrust between devices that are placed in our home and listen to our commands. Distrust likely increased after Google’s latest admission of listening to private conversations.

On the other hand, blockchain goes far towards ensuring data is kept secure and has a glowing reputation for safety and privacy. It is very likely that IoT devices powered by Blockchain technology would increase trust among consumers and improve sales for those providing IoT services and products.

3. Blockchain Protects

Blockchain has already been known to track the usage of a vehicle and prevent tampering with readings and other information. This is primarily to ensure that anyone deciding to sell the car to another person must be honest and upfront about its history, maintenance records and thus, its value.

The same could be done with all the IoT devices currently in homes and IoT concepts being thought up as you read this. All these devices could have their history tracked including repairs and so on. This will protect companies who sell them from warranty fraud but has a number of other benefits.

The IoT and Blockchain could in many ways be a powerful match to give consumers and businesses the trust and confidence they need to buy and use IoT-enabled products and services. This is an important key for massive adoption of IoT throughout the whole society. Time will tell if these technologies become a strong couple but many companies are already investing in this promising combination of technologies to design the next generation of the Internet of Things…
