Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

IoT - the Next Wave of DDoS Threat Landscape

648 views

Published on

Presentation by CF Chui at APRICOT 2017 on Monday, 1 March 2017.

Published in: Internet
  • Be the first to comment

IoT - the Next Wave of DDoS Threat Landscape

  1. 1. IoT - Next Wave of DDoS? IoT Sourced DDoS Attacks A Focus on Mirai Botnet and Best Practices in DDoS Defense
  2. 2. 2©2016 ARBOR® CONFIDENTIAL & PROPRIETARY • Largest attack reported was 800 Gbps with other respondents reporting attacks of 600 Gbps, 550 Gbps, and 500 Gbps • One third of respondents report peak attacks over 100Gbps • 41% of EGE respondents and 61% of data-center operators reported attacks exceeding their total Internet capacity DDoS Attacks Increasing in Size, Frequency & Complexity Arbor Networks WISR XII
  3. 3. 3©2016 ARBOR® CONFIDENTIAL & PROPRIETARY • Peak monitored attack of 579Gbps, 73% growth from 2015 • 558 attacks over 100Gbps, 87 over 200Gbps – Compared to 223 and 16 in 2015 • 20% of attacks over 1Gbps, as opposed to 16% in 2015 • Average attacks size now 931Mbps, up from 760Mbps, a 23% increase Arbor Networks ATLAS DDoS statistics
  4. 4. 4©2016 ARBOR® CONFIDENTIAL & PROPRIETARY DDoS Attack Trends 238.8 276.6 298.6 270.2 156.5 579.6 330.2 267.3 489.4 327.4 498.3 392.7 0 100 200 300 400 500 600 700 Jan-16 Feb-16 Mar-16 Apr-16 May-16 Jun-16 Jul-16 Aug-16 Sep-16 Oct-16 Nov-16 Dec-16 Worldwide Peak attack size (Gbps) 559329 493789 495581 482114 460641 503767 607848 619691 645590 644256 552766 630912 0 100000 200000 300000 400000 500000 600000 700000 Jan-16 Feb-16 Mar-16 Apr-16 May-16 Jun-16 Jul-16 Aug-16 Sep-16 Oct-16 Nov-16 Dec-16 no of DDoS attacks
  5. 5. 5©2016 ARBOR® CONFIDENTIAL & PROPRIETARY DDoS Attack Trends Year 2016 Global APAC Peak attack size 579.59 Gbps 196.06 Gbps Average attack size 931.24 Mbps 640.78 Mbps Average duration 55 min 20 sec 40 min 39 sec Attack dest port TCP/80 TCP/80 Top reflection attack type DNS DNS 177.1 260.3 287.8 135.47 71.15 147.7 196.06 104.7 166.5 154.6 134.8 149.1 0 50 100 150 200 250 300 350 Jan-16 Feb-16 Mar-16 Apr-16 May-16 Jun-16 Jul-16 Aug-16 Sep-16 Oct-16 Nov-16 Dec-16 APAC DDoS peak attack size (Gbps)
  6. 6. 6©2016 ARBOR® CONFIDENTIAL & PROPRIETARY Service Provider Attack Types WISR XII DDoS trend
  7. 7. 7©2016 ARBOR® CONFIDENTIAL & PROPRIETARY • SPs see Government, Finance and Hosting as top targets • SPs seeing attacks on cloud services drops from one third to one quarter • 42% of EGE respondents experienced an attack – 63% of finance, up from 45% – 53% of government, up from 43% DDoS Targets
  8. 8. 8©2016 ARBOR® CONFIDENTIAL & PROPRIETARY The Result • First high-profile attack using IoT devices Christmas 2013, using CPE and webcams • In 2016 Botnet owners started to recruit IoT devices en mass • Attacks of 540Gbps against the Olympics, 620Gbps against Krebs, Dyn etc.. The Problem • Almost every piece of technology we buy is ‘connected’ • Devices are designed to be easy to deploy and use, often resulting in limited security capabilities • Software is very rarely upgraded. Some manufacturers don’t provide updates, or the ability to install updates DDoS driving factors - IoT
  9. 9. 9©2016 ARBOR® CONFIDENTIAL & PROPRIETARY Cost of DDoS Service Impact to Victim DDoS Attacks Are The Great Equalizer… Ability It’s Never Been Easier to Launch a DDoS Attack. DDoS attack tools and DDoS for Hire Services add to the weaponization of DDoS. Fact:
  10. 10. 10©2016 ARBOR® CONFIDENTIAL & PROPRIETARY Abusable IoT Devices Weaponization and Ease of Attack Rise in IoT-Based DDoS Attacks Two Mega Trends Merging to Create “The Perfect Storm”?
  11. 11. 11©2016 ARBOR® CONFIDENTIAL & PROPRIETARY ◦ Approximately 500,000 compromised IoT devices worldwide. ◦ Default user name and passwords enabled and open ports in firewalls (Telnet TCP 23/2323). ◦ IoT devices are subsumed into botnet by continuous, automated scanning by other compromised Mirai botnet IoT devices. ◦ Rebooting device removes malware, but its estimated that it will take less than 10 min to be rescanned and become part of botnet again. The Mirai Botnet
  12. 12. 12©2016 ARBOR® CONFIDENTIAL & PROPRIETARY Mirai is NOT Just a DNS Attack Attack Vectors: ◦ SYN-flooding ◦ ACK-flooding ◦ UDP flooding ◦ Valve Source Engine (VSE) query-flooding ◦ GRE-flooding ◦ Pseudo-random DNS label-prepending attacks (also known as DNS ‘Water Torture’ attacks) ◦ HTTP GET, POST and HEAD attacks. ◦ The Mirai Botnet is capable of launching complex, multi-vector attacks.
  13. 13. 13©2016 ARBOR® CONFIDENTIAL & PROPRIETARY The Mirai Botnet (cont’d) ◦ Segmented command-and-control. ◦ Capable of launching simultaneous DDoS attacks against multiple targets. ◦ Non-spoofed traffic. (could change in future) ◦ Code has been released to wild…already seeing signs of alteration.
  14. 14. 14©2016 ARBOR® CONFIDENTIAL & PROPRIETARY IoT Botnets Are Not New and On The Rise 4000 500 1000 3500 July 2014 April 2016 Aug 2016 100 1000 200 300 400 800 900 Oct 2016 MIRAI IOT BOTNET LIZARDSTRESSER IOT BOTNET TARGETS BRAZIL AttackSize(Gbps) 600 500 700 Targets were organizations affiliated with major international sporting events (e.g. gov’t, banks, sponsors, etc.). Pre-event activity Dyn OVH ? Who/What Next?
  15. 15. 15©2016 ARBOR® CONFIDENTIAL & PROPRIETARY ◦ Summer, 2016 – 540 Gbps attack on an organization associated with the Rio Olympics (Lizardstresser) ◦ September 20th – 620 Gbps attack targeting KrebsOnSecurity.com (Mirai) ◦ September 21st – 990 Gbps attack targeting OVH (Mirai) ◦ September 30th – Mirai source code leaked ◦ October 21st – Dyn’s Managed DNS Infrastructure Targeted (Mirai) ◦ October 31st – 600 Gbps attack on Liberia (Mirai) RECENT ATTACKS
  16. 16. 16©2016 ARBOR® CONFIDENTIAL & PROPRIETARY ◦ Embedded or stripped-down versions of Linux ◦ Easy to target a wide range of devices ◦ Limited security features ◦ Internet-accessible ◦ Unfettered outbound access ◦ Market Dynamics ◦ Extremely Low-margin Products not differentiated by security features ◦ Chip makers à ODM’s à Brand Company à End User ‒ No security expertise, No incentive for Security ◦ Result ◦ A large population of highly susceptible, high bandwidth devices that cannot or will not be patched or otherwise secured. WHY IoT DEVICES?
  17. 17. 17©2016 ARBOR® CONFIDENTIAL & PROPRIETARY DEFAULT CREDENTIALS FOR IOT DEVICEShttps://krebsonsecurity.com/wp-content/uploads/2016/10/IoTbadpass-Sheet1.pdf
  18. 18. 18©2016 ARBOR® CONFIDENTIAL & PROPRIETARY Mirai – Propagation, Command and Control Bot (compromised) Telnet Scan (TCP/23) Brute Force 1 IoT Device ScanListen Service 2 Report: - Discovered IP - Successful Creds Telnet Port Scans TCP/48101 Already Compromised? Loader Install Bot Code 3 4 5 New Victim - IP - Creds C2 6 Check-In TCP/23
  19. 19. 19©2016 ARBOR® CONFIDENTIAL & PROPRIETARY Mirai – Propagation, Command and Control Bot (compromised) Telnet Scan (TCP/23) Brute Force 1 Bot (compromised) ScanListen Service 2 Report: - Discovered IP - Successful Creds Telnet Port Scans TCP/48101 Already Compromised? Loader Install Bot Code 3 4 5 New Victim - IP - Creds C2 6 Check-In TCP/23 Telnet Port Scans 7 And the beat goes on ...
  20. 20. 20©2016 ARBOR® CONFIDENTIAL & PROPRIETARY ◦ Predominantly Webcam IoT devices ◦ Approximately 500,000 devices worldwide ◦ High concentrations in China, Hong Kong, Macau, Vietnam, Taiwan, South Korea, Thailand, Indonesia, Brazil, and Spain ◦ Segmented Control ◦ Multi-Vector Attack Support: ◦ Krebs, OVH, Dyn, and Liberia ◦ Does not imply it was the same adversaries!!! THE MIRAI BOTNET
  21. 21. 21©2016 ARBOR® CONFIDENTIAL & PROPRIETARY ◦ Three Attacks Targeting Dyn’s Managed DNS Infrastructure ◦ Dyn Customers include ◦ Netflix, Twitter, Reddit, Github, Spotify, PayPal, Airbnb, NYT, etc. ◦ Large-scale outages for Dyn Customers, even though the customers were not attacked directly DYN ATTACKS ON OCTOBER 21ST
  22. 22. 22©2016 ARBOR® CONFIDENTIAL & PROPRIETARY ATLAS IoT Botnet tracking • Network of honeypots setup to monitor IoT compromise activities • Snapshots of activities from 29 Nov to 12 Dec 2016 • 1,027,543 login attempts from a total of 92,317 unique IP addresses • Peak login attempts per hour is 18,054
  23. 23. 23©2016 ARBOR® CONFIDENTIAL & PROPRIETARY ATLAS IoT Botnet tracking • Billions of IoT devices connected to the Internet – Estimates vary, 5B+, with millions added every day • Arbor honeypot devices look for exploit activity on Telnet / SSH ports • 1M login attempts from 11/29 to 12/12 from 92K unique IP addresses • More than 1 attempt per minute in some regions
  24. 24. 24©2016 ARBOR® CONFIDENTIAL & PROPRIETARY ATLAS IoT Botnet tracking Country Number of Attempts China 102,975 Vietnam 26,573 Republic of Korea 19,465 USA 17,062 Brazil 16,609 Russia 13,378 Taiwan 11,697 Hong Kong 11,200 Turkey 10,190 Romania 9,856
  25. 25. 25©2016 ARBOR® CONFIDENTIAL & PROPRIETARY ATLAS IoT Botnet tracking 0 2000 4000 6000 8000 10000 12000 14000 16000 18000 20000 28/11/2016 0:00 30/11/2016 0:00 2/12/2016 0:00 4/12/2016 0:00 6/12/2016 0:00 8/12/2016 0:00 10/12/2016 0:00 12/12/2016 0:00 14/12/2016 0:00 Login attempts per hour Sum Sum SSH Sum Telnet
  26. 26. 26©2016 ARBOR® CONFIDENTIAL & PROPRIETARY ATLAS IoT Botnet tracking 0 1000 2000 3000 4000 5000 6000 7000 28/11/2016 30/11/2016 2/12/2016 4/12/2016 6/12/2016 8/12/2016 10/12/2016 12/12/2016 14/12/2016 Login attempt per region APAC EU SA US
  27. 27. 27©2016 ARBOR® CONFIDENTIAL & PROPRIETARY ◦ Multiple Highly Distributed Attack Vectors ◦ Dyn originally reported ”10s of millions of IP addresses” ◦ Later corrected to an estimate of 100,000 ◦ Cascading Effect ◦ 2nd Order Impact on Dyn customers ◦ DNS service disruption from original attack generates legitimate retry activity ‒ This is, in part, what caused Dyn to overreport the number of attacking IP’s ◦ 3rd Order Impact on Broadband Operators ◦ Mitigations Performed by Dyn According to Dyn: ◦ Traffic shaping, Anycast Rebalancing, ACL Filtering, Scrubbing Services ATTACK CHARACTERISTICS, EFFECTS, AND MITIGATIONS
  28. 28. 28©2016 ARBOR® CONFIDENTIAL & PROPRIETARY Telnet Traffic – IoT botnet growing
  29. 29. 29©2016 ARBOR® CONFIDENTIAL & PROPRIETARY Telnet Traffic by Country – Matches Attack SRC
  30. 30. 30©2016 ARBOR® CONFIDENTIAL & PROPRIETARY Source: Ponemon Institute: Dec. 2013, Cost of Data Center Outages ◦ On-premises Intelligent DDoS Mitigation Systems (e.g. Arbor APS / TMS products) ◦ Overlay cloud-based DDoS protection services (i.e. Arbor Cloud or ISP/MSSP) ◦ Network infrastructure- based techniques such as S/RTBH & Flowspec at all network edges 10 Best Practices in DDoS Defense ◦ Factor network availability into the design of online services or applications; continuously stress-test. ◦ Develop a DDoS Attack Mitigation Process ◦ Continuously stress-test & refine. ◦ Utilize flow telemetry (e.g. NetFlow) collection & analysis for attack detection, classification & trace back. Deploy multi-layered DDoS protection which includes: ◦ Scan for misconfigured, abusable services running on servers, routers, switches, home CPE devices, etc. (i.e. TCP 23/2323). Alert users running abusable services – possibly blocking until they are remediated. 1 2 3 4 5
  31. 31. 31©2016 ARBOR® CONFIDENTIAL & PROPRIETARY Source: Ponemon Institute: Dec. 2013, Cost of Data Center Outages 10 Best Practices in DDoS Defense (cont’d) ◦ Participate in the global operational security community and share threat intelligence and defense best practices. ◦ Check Open NTP Project for abusable NTP services on your networks. ◦ Disallow Level 6/7 NTP queries from the Internet. ◦ Check Open Resolve Project for abusable open DNS recursors on your networks. Ensure only authorized users can query recursive DNS servers. ◦ Ensure SNMP is blocked on public-facing infrastructure/ servers. ◦ Employ Anti-spoofing mechanisms such as Unicast Reverse- Path Forwarding, ACLs, DHCP Snooping & IP Source Guard, Cable IP Source Verify, etc. on all edges of ISP and enterprise networks. NTP Services DNS Recursors 6 7 8 9 10
  32. 32. 32©2016 ARBOR® CONFIDENTIAL & PROPRIETARY • Nearly half of SPs now implement anti-spoofing filters • Rehearsing DDoS attack processes and procedures is key • 10% increase in SPs running simulations, 37% do this quarterly • EGE 55% now run simulations, 40% do this quarterly • Difficulty in hiring and retaining personnel remains a key issue for both SP and EGE respondents SP WISR XII – Organization Security
  33. 33. 33©2016 ARBOR® CONFIDENTIAL & PROPRIETARY For More Information …
  34. 34. ©2016 ARBOR® CONFIDENTIAL & PROPRIETARY 34 Thank You

×