Recent DDoS Attacks Underscore Need for IoT Security
By: Darren Deslatte, Resolvit Principal Consultant
As you’ve probably heard, some of the Internet’s biggest players, including Twitter, Amazon, and Netflix, were recently forced offline for several hours by a series of distributed denial-of-service (DDoS) attacks. It was the scale and duration of the October “Internet outage” that caught the public’s attention (although DDoS attacks have been on the rise for a while), but what really made this cyber offensive unique was its pivotal use of the Internet of Things (IoT). Events like this show us just how important IoT security is for organizations.
DDoS attacks are a popular form of cyberattack that let hackers take down websites or servers by overwhelming them with traffic. The easiest way to do this (and the most difficult to prevent) is to flood the host Domain Name Service (DNS) server with queries.
When you enter a URL address, a DNS server lets your browser access the website by translating the domain name into the IP address of the website’s host server. DDoS attacks hijack this process using one or more botnets, networks of compromised Internet-connected devices that are controlled by remote hackers. The hackers manipulate the devices in the botnet to try to access a website simultaneously, flooding the site’s DNS servers with illegitimate traffic. The site then grinds to a halt, rendering it virtually inaccessible.
IoT Presents New Challenges
Botnets have traditionally been assembled from PCs, but the October attack was launched via an estimated 50,000 to 100,000 IoT devices (mostly cheaply-made DVRs and IP cameras). Given the recent explosion of IoT, this may seem like a cause for alarm. And it is true that IoT security and monitoring efforts are tricky, because consumers can’t purchase protective software for their devices, and because devices with the same software often have the same default username and password, which can be difficult to change.
However, the inevitable growth of IoT will force manufacturers to create security solutions, like making device login information easier to customize. As serious as the October attacks were, they were simply the growing pains of a still-new technology.
Special thanks to Resolvit Principal Consultant Jim Waldron for his contributions to this post.