
IoT Botnets and DDoS Attacks


WHAT IS A BOTNET?

A botnet is a network of devices, usually PCs, that have been infected with malware allowing them to be controlled remotely by threat actors.

HOW DO BOTNETS GROW?

Botnets grow by continuing to spread their malware to new devices. Attackers commonly use social engineering, and even breaking or celebrity news, to create malware-infested links that people are likely to click on in large numbers. Once they do, their PC is now part of the botnet.

WHY IS THIS IMPORTANT?

When a botnet reaches a certain size, it becomes a revenue-generating platform. Botnets can feature segmented command-and-control, which allows them to launch simultaneous DDoS attacks against multiple, unrelated targets, generally in return for Bitcoin payments.

ENTER IoT DEVICES

IoT devices are ideal for DDoS botnets for a variety of reasons:

- Vulnerable IoT devices are subsumed into botnets by continuous, automated scanning for and exploitation of well-known, hardcoded administrative credentials present in the relevant IoT devices. Manufacturers' re-use of default passwords across device classes makes them especially attractive to attackers.
- Most IoT devices have access to the internet without any bandwidth limitations or filtering.
- The stripped-down operating system and processing leaves less room for security features, and most compromises go unnoticed.

CONQUER ONE, CONQUER MANY.

INSIDE AN IoT BOTNET

Mirai is a family of DDoS botnets that initially consisted primarily of webcams and DVRs. Once an IoT device has been subsumed into the Mirai botnet, it immediately begins scanning for other vulnerable devices to compromise. The original source code has been released, and multiple threat actor groups are now actively working to expand and improve the propagation methods and DDoS attack capabilities of Mirai-variant botnets.

The botnet code consists of two halves, a client and a server. The client is designed to run on compromised Linux devices, which connect to a hard-coded Command & Control (C2) server.

LAUNCHING IoT BOTNET DDoS ATTACKS

A Mirai botnet made up of hundreds of thousands of infected IoT devices connects to the C2 server and receives attack commands. The attack types include:

- HTTP: overwhelms the target server with many requests.
- UDP: sends a random string of junk characters to a UDP port.
- TCP: repeatedly sends TCP packets with the specified flags.
- DNS: 'water torture' attacks, which query random, non-existent subdomains of the target's domain so that the lookups cannot be served from cache and land on the target's authoritative name servers.

That's 400 Gbps without turbocharging!
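As an added example (not from the Arbor infographic, and not Mirai's own code) of what the DNS 'water torture' traffic above looks like from a resolver's side, the following Python scores each zone seen in a constructed query log by how many of its queries fail and how rarely the leftmost label repeats. The log line format, the two-label approximation of the victim zone, the thresholds and the sample lines are all assumptions of this example.

```python
"""Added example: spot DNS 'water torture' (random-subdomain) floods in resolver logs.

Assumptions (not from the Arbor page): each log line is
"<timestamp> <client> <qname> <rcode>", the victim's zone is approximated by the
last two labels of the name, and the log sample below is constructed.
"""
import hashlib
import math
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple


def parse_line(line: str) -> Tuple[str, str, str, str]:
    ts, client, qname, rcode = line.split()
    return ts, client, qname.rstrip(".").lower(), rcode


def base_domain(qname: str) -> str:
    """Last two labels (assumption: no public-suffix list, so co.uk-style zones are wrong)."""
    return ".".join(qname.split(".")[-2:])


def label_entropy(label: str) -> float:
    """Shannon entropy in bits per character; random hex/alnum labels score high."""
    if not label:
        return 0.0
    counts: Dict[str, int] = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_water_torture(lines: Iterable[str], min_queries: int = 50,
                       min_failure_ratio: float = 0.9,
                       min_unique_ratio: float = 0.8) -> Dict[str, dict]:
    """Per zone: query count, share of failed answers, share of never-repeated
    leftmost labels and mean label entropy. Zones over every threshold are returned.
    NXDOMAIN is what the random names get while the authoritative server still
    answers; once it is saturated the recursor starts returning SERVFAIL instead,
    so both count as failures."""
    per_zone = defaultdict(lambda: {"queries": 0, "failed": 0, "labels": [], "entropy": 0.0})
    for line in lines:
        _, _, qname, rcode = parse_line(line)
        zone = base_domain(qname)
        left = qname.split(".")[0] if qname.count(".") >= 2 else ""
        s = per_zone[zone]
        s["queries"] += 1
        s["failed"] += int(rcode in ("NXDOMAIN", "SERVFAIL"))
        s["labels"].append(left)
        s["entropy"] += label_entropy(left)
    flagged = {}
    for zone, s in per_zone.items():
        q = s["queries"]
        stats = {
            "queries": q,
            "failure_ratio": s["failed"] / q,
            "unique_ratio": len(set(s["labels"])) / q,
            "mean_label_entropy": s["entropy"] / q,
        }
        if (q >= min_queries and stats["failure_ratio"] >= min_failure_ratio
                and stats["unique_ratio"] >= min_unique_ratio):
            flagged[zone] = stats
    return flagged


def build_sample_log() -> List[str]:
    """Constructed resolver log: 60 random-prefix NXDOMAIN queries against
    example.com (the attack) and 40 ordinary lookups of example.net."""
    lines = []
    for i in range(60):
        # Deterministic, never-repeating prefix; real bots use random strings.
        prefix = f"{i:04x}" + hashlib.sha256(str(i).encode()).hexdigest()[:8]
        lines.append(f"2016-10-21T12:00:{i % 60:02d}Z 198.51.100.{i % 20 + 1} {prefix}.example.com. NXDOMAIN")
    for i in range(40):
        host = "www" if i % 4 else "mail"
        lines.append(f"2016-10-21T12:01:{i:02d}Z 192.0.2.{i + 1} {host}.example.net. NOERROR")
    return lines


if __name__ == "__main__":
    for zone, stats in find_water_torture(build_sample_log()).items():
        print(f"{zone}: {stats}")
```

The uniqueness ratio is the discriminating feature: a busy zone can have a high NXDOMAIN share from typos or stale records, but only a random-subdomain flood produces thousands of names that are each queried exactly once.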

IMPACT OF A DDoS ATTACK

Many people view DDoS attacks as little more than a nuisance, but today's complex and massive attacks are capable of causing real financial and infrastructure damage. Companies that do business online or rely on connectivity can be severely impacted by even short-term DDoS attacks that affect their website or internet connection.

DDoS attacks targeting data centers can be even more damaging due to a cascading effect that impacts their customers and leads to increased operational expenses and burnt out employees.

What’s worrying is that the attack traffic does not appear to be spoofed or amplified, meaning that large-scale attacks can be launched directly without relying on reflectors/amplifiers that can artificially increase attack traffic.

CAN IoT BOTNETS BE STOPPED?

There are several steps that can be taken to help curb the growth of IoT botnets:

1. PASSWORDS: Consumers need to do their part by changing default passwords, when possible, to make it more difficult for threat actors to infect their devices with malware.
2. MONITOR TRAFFIC: Service providers need to actively monitor their network for suspicious traffic that is originating from IoT botnets like Mirai.
3. PATCH: Device manufacturers need to place a priority on security and close the most common vulnerabilities in their devices, as well as support automatic security updates to patch devices.
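The scanning behaviour described under INSIDE AN IoT BOTNET and the service-provider monitoring step above can be turned into one concrete check. The following Python is an added example, not code from the Arbor infographic or from Mirai itself. It assumes (widely documented for Mirai, but not stated on this page) that an infected device sweeps many addresses on the Telnet ports 23 and 2323 with bare SYNs; the Flow record layout, the thresholds and the sample flows are constructed for the illustration.

```python
"""Added example: flag hosts that behave like Mirai propagation scanners.

Assumption (not from the Arbor page): an infected device probes many addresses
on the Telnet ports 23 and 2323, so a source that reaches many distinct
destinations on those ports within a short window is treated as a scanner.
Flow records below are a constructed sample, not captured data.
"""
from collections import Counter, defaultdict
from typing import Dict, Iterable, List, NamedTuple

TELNET_PORTS = {23, 2323}


class Flow(NamedTuple):
    ts: float     # seconds; any consistent clock
    src: str
    dst: str
    dport: int
    flags: str    # TCP flags observed on the flow, "S" = SYN only


def max_distinct_targets(flows: List[Flow], window_s: float) -> int:
    """Largest number of distinct destinations hit within any window_s span.

    Sliding window over time-sorted flows; the Counter tracks how many flows
    inside the window point at each destination.
    """
    ordered = sorted(flows, key=lambda f: f.ts)
    in_window: Counter = Counter()
    best = 0
    left = 0
    for f in ordered:
        in_window[f.dst] += 1
        while f.ts - ordered[left].ts > window_s:
            old = ordered[left].dst
            in_window[old] -= 1
            if in_window[old] == 0:
                del in_window[old]
            left += 1
        best = max(best, len(in_window))
    return best


def find_telnet_scanners(flows: Iterable[Flow], min_targets: int = 20,
                         window_s: float = 60.0) -> Dict[str, int]:
    """Return {source: distinct Telnet targets} for sources over the threshold."""
    by_src: Dict[str, List[Flow]] = defaultdict(list)
    for f in flows:
        if f.dport in TELNET_PORTS and "S" in f.flags:
            by_src[f.src].append(f)
    scanners: Dict[str, int] = {}
    for src, src_flows in by_src.items():
        n = max_distinct_targets(src_flows, window_s)
        if n >= min_targets:
            scanners[src] = n
    return scanners


def build_sample_flows() -> List[Flow]:
    """Constructed sample traffic (documentation address ranges, not real hosts)."""
    flows: List[Flow] = []
    # An infected DVR sweeping 40 addresses on 23/2323 in about 30 seconds.
    for i in range(40):
        port = 2323 if i % 10 == 0 else 23
        flows.append(Flow(1000.0 + 0.75 * i, "192.0.2.50", f"203.0.113.{i + 1}", port, "S"))
    # An administrator opening Telnet to three switches over an hour: few targets.
    for i, ts in enumerate((1100.0, 2300.0, 3500.0)):
        flows.append(Flow(ts, "192.0.2.10", f"198.51.100.{i + 1}", 23, "S"))
    # A laptop browsing the web: many destinations, but none on Telnet ports.
    for i in range(30):
        flows.append(Flow(1000.0 + i, "192.0.2.20", f"198.51.100.{100 + i}", 443, "S"))
    return flows


if __name__ == "__main__":
    for src, n in find_telnet_scanners(build_sample_flows()).items():
        print(f"{src}: {n} distinct Telnet targets in one window -> likely Mirai-style scanner")
```

On a provider network this runs against exported flow records rather than packets, which is what makes it cheap enough to apply to every customer CPE address; the fan-out count, not the port alone, separates a bot from an administrator who legitimately uses Telnet.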

DDoS MITIGATION BEST PRACTICES

Enterprises, ISPs and MSSPs can defend against DDoS attacks by implementing best current practices (BCPs) for DDoS defense:

- Hardening their network infrastructure.
- Ensuring they have complete visibility into all traffic ingressing and egressing their networks, so that they can detect DDoS attacks.
- Ensuring they have sufficient DDoS mitigation capacity and capabilities (on-premises and in the cloud).
- Having a DDoS defense response plan which is kept updated and rehearsed on a regular basis.

ISP and MSSP network operators should actively participate in the global operational community, so that they can both render assistance when other network operators come under high-volume DDoS attacks and request mitigation assistance as circumstances warrant.

ISP and MSSP network operators should also take into account the baseline load of their normal internet traffic, so as to neither underestimate nor overestimate the amount of attack traffic targeting their networks and customers. This is vital when determining which DDoS defense mechanisms and methodologies to employ in the course of an attack.
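The baseline point in the last paragraph is easy to get wrong in both directions, so here is an added Python example (not from the Arbor page) that derives a baseline from normal traffic samples, sizes an attack as the excess over that baseline, and picks between on-premises and cloud mitigation by capacity. The median/MAD baseline, the factor k, the capacity figure and the sample values are all assumptions of this example.

```python
"""Added example: size an attack against a traffic baseline before picking a mitigation.

Assumptions (not from the Arbor page): traffic samples are gigabits per second
taken at a fixed interval during normal operation, the baseline is the median
with a MAD-derived spread (robust to the odd spike in the history), and the
on-premises mitigation capacity is a number the operator supplies. Samples are
constructed, not measured.
"""
import statistics
from typing import Dict, Sequence

MAD_TO_SIGMA = 1.4826  # scales the median absolute deviation to a normal-distribution sigma


def robust_baseline(samples: Sequence[float]) -> Dict[str, float]:
    """Median and MAD-based sigma of normal traffic. A mean/stddev baseline would
    be dragged upward by any attack that leaked into the history."""
    med = statistics.median(samples)
    mad = statistics.median(abs(x - med) for x in samples)
    return {"median": med, "sigma": MAD_TO_SIGMA * mad}


def size_attack(observed_gbps: float, baseline: Dict[str, float],
                k: float = 5.0) -> Dict[str, object]:
    """Attack volume is the excess over the baseline, not the raw link load.
    Counting the whole load as attack overestimates it; assuming the link was
    idle when the attack started underestimates it."""
    threshold = baseline["median"] + k * baseline["sigma"]
    is_attack = observed_gbps > threshold
    excess = max(0.0, observed_gbps - baseline["median"])
    return {
        "threshold_gbps": threshold,
        "is_attack": is_attack,
        "attack_gbps": excess if is_attack else 0.0,
    }


def choose_mitigation(observed_gbps: float, samples: Sequence[float],
                      onprem_capacity_gbps: float, k: float = 5.0) -> Dict[str, object]:
    """'none' below threshold, 'on-premises' while the excess fits local
    scrubbing capacity, otherwise 'cloud' (divert to upstream/cloud mitigation)."""
    baseline = robust_baseline(samples)
    sized = size_attack(observed_gbps, baseline, k)
    if not sized["is_attack"]:
        action = "none"
    elif sized["attack_gbps"] <= onprem_capacity_gbps:
        action = "on-premises"
    else:
        action = "cloud"
    return {"baseline_gbps": baseline["median"], **sized, "action": action}


# Constructed normal-hour samples for a link that usually carries about 10 Gbps.
NORMAL_SAMPLES = [9.8, 10.1, 9.9, 10.2, 10.0, 9.7, 10.3, 10.0, 9.9, 10.1]

if __name__ == "__main__":
    for load in (10.3, 25.0, 410.0):
        print(load, choose_mitigation(load, NORMAL_SAMPLES, onprem_capacity_gbps=40.0))
```

The median survives a polluted history: appending one 400 Gbps sample to NORMAL_SAMPLES leaves the baseline at 10 Gbps, whereas a mean would jump to roughly 45 Gbps and hide a 30 Gbps attack entirely.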

Visit arbornetworks.com/stakes to learn more.

WHAT THEY DON'T SEE? BIG RISKS AHEAD. THE STAKES HAVE CHANGED. HAVE YOU?

2016 Arbor Networks, Inc. All rights reserved. Arbor Networks, the Arbor Networks logo, Peakflow, ArbOS, Pravail, Cloud Signaling, Arbor Cloud, ATLAS, We see things others can't. and Arbor Networks. Smart. Available. Secure. are all trademarks of Arbor Networks, Inc. All other brands may be the trademarks of their respective owners.

WHAT DOES THE FUTURE HOLD?

According to a report from Business Insider, the number of connected devices will skyrocket, opening up new potential sources for botnets:

- 34 billion devices will be connected to the internet by 2020, up from 10 billion in 2015.
- 24 billion of those devices will be IoT devices.
- 10 billion will be traditional computing devices (e.g. smartphones, tablets, smartwatches, etc.).
- $6 trillion will be spent on IoT solutions over the next 5 years.

Businesses will be the top adopter of IoT solutions, which can improve their bottom line by:

- Expanding to new markets or developing new product offerings
- Lowering operating costs
- Increasing productivity


WHAT WOULD DOWNTIME COST YOUR ORGANIZATION?

Threat actors can use their army of compromised devices to launch DDoS attacks.

IN AN INTERNET MINUTE

- 1,389 Uber rides
- 300 hours of video posted to YouTube
- 30 identity thefts
- 216,000 Instagram posts
- 2.4M Google searches
- 347,222 tweets
- 50,200 mobile apps downloaded
- 142,361,111 emails sent and received

Chart: NO TURBOCHARGING REQUIRED (observed attack size by month through 2016, 0 to 700 Gbps). Arbor observes attack commands from IoT botnet C2 servers and correlates them with attack information. The annotated spike is an attack targeting a gaming company, launched from several thousand compromised devices and peaking at 400 Gbps.


IoT BOTNETS + DDoS ATTACKS: THE STAKES HAVE CHANGED

The Internet of Things (IoT) brings the promise of efficiency and innovation to the enterprise. IoT also profoundly expands the threat surface for your organization.
