Distributed Denial of Service (DDoS) attacks require very little effort from cybercriminals and yet inflict maximum damage on the targeted victim, preventing them from sending or receiving any digital traffic. While preventative measures are available, the options are a costly gamble to already cash-strapped small- or medium-sized organizations and businesses.
Current DDoS attacks typically employ amplification methodology (PDF), in which bad-guy-owned servers coerce vulnerable remote computing devices into multiplying many times over the incoming requests that are then sent to the targeted computing environment with the intent of knocking it offline–imagine the amount of money a gambling web portal would lose on Super Bowl Sunday if those wanting to bet were unable to reach the portal. Currently, there are more than 10 Internet Protocols that can be exploited for this type of attack.
SEE: Free ebook: IoT security–What you should know, what you can do (TechRepublic)
Add IoT devices to the list
DDoS attacks are not new by any means, though what is relatively new is the replacement of vulnerable personal computers with equally-vulnerable Internet of Things (IoT) devices. Telnet-based attacks used to compromise IoT devices using ARM, MIPS, and PPC CPU architecture have dramatically increased since the first IoT attack in 2014.
Yin Minn Pa Pa, Shogo Suzuki, Katsunari Yoshioka, and Tsutomu Matsumoto, researchers at the Yokohama National University in Japan, Takahiro Kasama of the National Institute of Information and Communications Technology, and Christian Rossow of Saarland University in Germany understand the serious nature and potential for real harm by botnets containing millions of IoT devices. The research team decided to develop a honeypot system capable of capturing malware binaries intended to compromise IoT devices, and a malware analysis environment to reverse engineer the captured samples. The team published the results of their efforts in the paper IoTPOT: Analysing the Rise of IoT Compromises (PDF).
SEE: Video: Top 5 ways to secure your IoT (TechRepublic)
IoTPOT, a honeypot for IoT devices
The idea behind IoTPOT is the emulation of various IoT devices. “IoTPOT consists of a front-end low-interaction responder cooperating with back-end high-interaction virtual environments called IoTBOX,” write the paper’s authors. “IoTBOX operates various virtual environments commonly used by embedded systems for different CPU architectures.”
As shown in Figure A, IoTPOT consists of:
- Front-end Responder: This software mimics the many different IoT devices by handling incoming connection requests, banner interactions, authentication, and command exchanges with different device profiles.
- Profiler: This software mediates between the Front-end Responder and the IoTBOX, collects banners from devices, and updates command profiles to speed up interactions with devices sending Telnet queries.
- Downloader: This process examines the interactions and download triggers of malware binaries and their URLs.
- Manager: The Manager handles the IoTPOT’s configuration and links IP addresses to specific device profiles.
The IoTPOT runs on Linux for Embedded Devices and provides:
- support for available Telnet options (ones likely to be used by attackers);
- realistic welcome messages and login prompts to deal with situations where the attacker specializes in compromising certain devices;
- login screens to observe characteristics in the authentication process; and
- emulation for multiple CPU architectures allowing the capture of malware across multiple devices.
The steps of a Telnet attack
If you’re wondering whether DDoS attacks using IoT-device botnets are an issue, they are. “During 39 days of stable operation, 70,230 hosts visited IoTPOT. Among them, 49,141 successfully logged in and 16,934 attempted to download external malware binary files,” the researchers explain. “We observed 76,605 download attempts in total. We manually downloaded 43 malware binaries of 11 CPU architectures.”
A successful Telnet attack, like the one depicted in Figure B, follows the steps outlined below:
- Intrusion: Attackers log in to IoTPOT using a fixed (dictionary attacks) or random order of credentials.
- Infection: A series of commands are sent over Telnet to check for and customize the environment. Once that is accomplished, attackers will attempt to download and then execute the malware binaries.
- Monetization: With the malware functional, attackers are free to conduct the intended malicious activities such as a DDoS attack.
IoTBOX, an IoT sandbox
IoTBOX consists of the back-end virtual environments used to analyze the captured malware (Figure C). “To run malware binaries of different CPU architectures, we need a cross compilation environment,” mentions the research paper. “We thus chose to run respective platforms (OS) on an emulated CPU using QEMU, an open source processor emulator.”
The researchers’ conclusions
The research paper was published in 2015. During the 40-day test period, the computers housing IoTPOTs were hammered pretty hard–over 70,000 hosts visited IoTPOTs, with over 76,000 download attempts. “We have shown that IoT devices are susceptible to compromises and increasingly are also target for malware on the masses,” conclude the researchers. “We identified four malware families, which show worm-like spreading behavior, all of which are actively used in DDoS attacks.”
The authors were fortuitous in their predictions. On October 21, 2016, the largest DDoS attack in history occurred using a botnet consisting of 100,000 (estimated) IoT devices.