The age of animated objects is definitely upon us. Our communication needs have transcended person-to-person interaction, and smart alternatives to analog devices are being developed at a rapid rate. In this article, we explore the scale and industrial impact of the Internet of Things (IoT) technology and we look at how IoT devices (or connected devices) have fueled Distributed Denial of Service (DDoS) attacks. We then go on to give insight into the technology that fosters these attacks, some promising solutions that have been proposed, and the impact that Software-Defined Networks (SDN) and 5G will have on IoT.
Once upon a time, we just wanted to be able to express ourselves to our fellow humans and be sure that we were not being misunderstood. The success of our communal existence and growth depended on our doing this and the birth of language became a turning point in our interpersonal interactions.
Today, community means more than your next-door neighbor or the people of your clan. It means the friends and followers on your social networks and the virtual groups you belong to. It means your colleagues, doctors, and teachers in remote locations. It means your pet cat, and it means Alexa who knows your favorite song of the week and the contents of your shopping cart.
With the coming of innovations like the internet and virtual assistants, the lines between the abstract, the real, and the inanimate have been blurred. Technology has become such an integral part of our lives that the time has come for our machines to intelligently interact with each other and us.
It is no surprise, then, that IoT, a technology that makes object-to-person and object-to-object interaction possible has become a mainstay of the fourth industrial revolution. We are more technologically aware and have made so many advancements that the distinction between function and capability is diminishing. The question has mutated from “What does this product do?” to “What can this product do?”
What is this IoT?
The Internet of Things is a technological advancement that represents a new generation of devices and physical objects embedded with sensors, controllers, connectivity tools, cloud-based software, and user interfaces that enable the user to interact with the system.
These embedded systems enable the device or object to receive and exchange information with other devices, objects, and online platforms over a wireless connection with little to no human involvement.
As a result, otherwise ‘dumb’ objects can understand their environment and perform more specialized tasks, essentially making them into ‘smart’ devices. In the past, this capability was largely restricted to smartphones and computers. Now, it seems anything can be made into a computer.
Just how BIG is IoT?
IoT offers never-before-seen possibilities in the area of product development and service delivery.
If a wristwatch that is destined to stay strapped around your wrist can leverage its access to your radial pulse to tell you how your heart is faring, well, with IoT there’s no reason why it shouldn’t. If the equipment in a factory can automatically stop production when there is sufficient inventory in the warehouse or when an essential raw material is running out, now there is no reason why it can’t do so efficiently without your input. If your power grid can determine just how much electricity everyone needs so that power generation and distribution can be better managed, will there be anyone more grateful than our planet?
IoT is actively powering a technological revolution. To put this in a numerical perspective, in 2009, there were 0.9 billion connected devices worldwide. Today, there are over 30 billion active IoT devices and we can expect that there will be 75 billion by 2025. Current global spending on IoT is $1.3 trillion (USD) and it is estimated that 93% of enterprises will adopt IoT technology in 2020.
With this rate of proliferation, it is important to shine more light on the finer details of this technology.
Unfortunately, the reality is that IoT has not made these strides without a cost. It did come with its fair share of challenges that we must tackle to fully leverage its potential.
A major challenge is the security of IoT devices. Owing to the relative novelty of IoT and the absence of a binding security standard, more emphasis has been laid on product development than on product security. Manufacturers are largely concerned with creating devices with exciting features and capabilities, often at the expense of equipping them with a tenable security framework. This failure to effectively secure IoT devices before they are introduced to the market has led to billions of vulnerable IoT devices with internet access.
And this vulnerability did not go unnoticed by cyber-intruders! The victim has been the integrity of the internet itself — the very foundation on which IoT stands. As IoT devices gained mainstream popularity, we began to record a proportional increase in the frequency and viciousness of Distributed Denial of Service (DDoS) attacks.
What are DoS and DDoS Attacks?
A Denial of Service (DoS) attack is a cyber-attack that aims to prevent legitimate users from accessing its target’s services. The attackers do this by flooding the target network’s resources and systems with an overwhelming volume of data or traffic. IoT-enabled DDoS attacks are usually volumetric attacks such as User Datagram Protocol (UDP) floods, Synchronize (SYN) floods, and Internet Control Message Protocol (ICMP) floods, among others.
This is why attackers are perpetually seeking new ‘assets’ to capture. The more devices that they can infect, the greater the intensity of the attack that they can launch. Individual infected devices are called bots and a network of several bots is called a botnet.
As a result of an overwhelmed service gateway or bandwidth exhaustion arising from a DoS attack, legitimate users are denied the online service that they seek. When a DoS attack is launched using several infected devices, all participating in the same attack, it is called a Distributed Denial of Service (DDoS) attack and it can persist for days. Websites, applications, and machines are common targets of DoS attacks.
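The flood types named above leave recognisable fingerprints in traffic: many half-open SYNs with no ACKs, or a single protocol dominating the packets aimed at one host from many sources. The following is an added example, not code from the original article, that classifies SYN, UDP and ICMP floods from a stream of packet records; the record fields, thresholds and one-second window are assumptions, and the sample traffic is constructed.

```python
"""Detecting volumetric floods from a stream of packet records (added example)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    ts: float        # capture time in seconds
    src: str
    dst: str
    proto: str       # "tcp", "udp" or "icmp"
    flags: str = ""  # TCP flags, e.g. "S" (SYN), "SA" (SYN-ACK), "A" (ACK)


WINDOW_S = 1.0           # size of each fixed time bucket (assumed)
PPS_THRESHOLD = 100      # packets/second to one destination (assumed)
MIN_DISTINCT_SRC = 20    # below this it is a single loud source, not "distributed"
DOMINANT = 0.6           # share of packets one protocol must hold to name the flood
SYN_ACK_RATIO = 3.0      # SYNs this far above ACKs => half-open (SYN) flood


def classify(ps):
    """Name the flood type from the protocol mix of one destination's packets."""
    n = len(ps)
    syn = sum(1 for p in ps if p.proto == "tcp" and p.flags == "S")
    ack = sum(1 for p in ps if p.proto == "tcp" and "A" in p.flags)
    udp = sum(1 for p in ps if p.proto == "udp")
    icmp = sum(1 for p in ps if p.proto == "icmp")
    if syn / n >= DOMINANT and syn > SYN_ACK_RATIO * max(ack, 1):
        return "syn_flood"
    if udp / n >= DOMINANT:
        return "udp_flood"
    if icmp / n >= DOMINANT:
        return "icmp_flood"
    return "volumetric"


def detect_floods(pkts, window_s=WINDOW_S, pps=PPS_THRESHOLD, min_src=MIN_DISTINCT_SRC):
    """Return {destination: flood_type} for destinations that cross both limits.

    Packets are bucketed into fixed windows; a destination is flagged when its
    per-window packet rate and its number of distinct sources both exceed the limits.
    """
    buckets = defaultdict(lambda: defaultdict(list))
    for p in pkts:
        buckets[int(p.ts // window_s)][p.dst].append(p)
    alerts = {}
    for b in sorted(buckets):
        for dst, ps in buckets[b].items():
            if len(ps) / window_s < pps:
                continue
            if len({p.src for p in ps}) < min_src:
                continue  # one loud source: a rate-limiting case, not a DDoS signature
            alerts.setdefault(dst, classify(ps))
    return alerts


def make_sample():
    """Constructed traffic: benign handshakes, then a SYN flood and a UDP flood."""
    pkts = []
    for i in range(30):  # 30 clients each completing a TCP handshake with 10.0.0.1
        c = f"192.0.2.{i + 1}"
        pkts.append(Pkt(0.1 + i * 0.01, c, "10.0.0.1", "tcp", "S"))
        pkts.append(Pkt(0.11 + i * 0.01, "10.0.0.1", c, "tcp", "SA"))
        pkts.append(Pkt(0.12 + i * 0.01, c, "10.0.0.1", "tcp", "A"))
    for i in range(150):  # SYN flood: 150 sources, SYN only, handshake never completed
        pkts.append(Pkt(2.0 + i * 0.005, f"198.51.100.{i + 1}", "10.0.0.5", "tcp", "S"))
    for i in range(120):  # UDP flood: 40 sources hammering 10.0.0.9
        pkts.append(Pkt(4.0 + i * 0.007, f"203.0.113.{i % 40 + 1}", "10.0.0.9", "udp"))
    return pkts


if __name__ == "__main__":
    for dst, kind in detect_floods(make_sample()).items():
        print(f"{dst}: {kind}")
```

The benign handshakes stay below the rate threshold and are never reported, while the two floods are named by their protocol mix.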
The surge in DDoS attacks can be traced to Oct. 1, 2016, when the source code of the notorious malware, the Mirai virus, was publicly released. Within three weeks of its release, the number of infected devices that ran its source code grew by over 200 million devices. Mirai infects connected devices that are powered by ARC processors. To date, it is still a favorite of cyber-attackers, and hundreds of variations of the virus have been identified.
For online platforms and enterprises, this development is a nightmare. Gartner estimates that in 2020, 60 percent of online businesses will suffer downtimes arising from a cyber-attack.
It is scary to think that your dutiful gadget that efficiently executes tasks and serves your needs is, in fact, a sleeper agent for a malicious attacker. These attackers target poorly secured devices with internet access and deposit malware programs in them, making them bots. The compromised IoT device (now a bot) becomes the attacker’s ‘asset’ which they can use to effect damages of large magnitudes. These attacks have enduring effects and can be detrimental to the physical resources of the target network.
Consequently, even though the device is safely in your possession and functioning perfectly, the attacker is still able to remotely access and issue commands to it.
This is how the army for an IoT-enabled DDoS attack is assembled. Connected devices like printers, routers, Internet Protocol (IP) cameras, smart electronics (such as smart TVs or smart speakers), webcams, and other devices are often conscripted to join this army.
How Bad is the DDoS Problem?
The first known DDoS attack was carried out in 1999 and the target was the network computer of the University of Minnesota. A network of 114 computers infected with the Trin00 virus was used to launch the attack. Twenty-one years later, DDoS attacks are still a long way from being checked. In fact, today, we see botnets of over 600,000 bots mostly comprising non-legacy IoT devices. As a result, the frequency, volume, and duration of attacks have also soared.
Cisco reports that the average number of DDoS attacks between 100Gbps and 400Gbps in volume grew by 776 percent in 2020, and the global frequency of DDoS attacks has risen by 39 percent year-on-year. The average DDoS attack size has leaped to 1Gbps, which is enough to take most organizations completely offline.
Until recently, DoS attacks could only be staged by professional hackers with strong technical backgrounds and experience. These pros also had to go to great lengths to acquire or develop the resources needed to effect an attack. This isn’t the case anymore, as the source code of many malware programs has been made open-source.
There are also online forums on the dark web where potential hackers can find mentorship and purchase the necessary tools for a DDoS attack at a very cheap price (a bot typically costs 50 cents). Essentially, a complete novice can learn to carry out a DDoS attack in a matter of days. This has led to an increase in the population of cybercriminals who are committed to finding out the vulnerabilities of their target networks and taking advantage of them.
What’s worse than this? The services of professional DoS attackers have become incredibly affordable. Experts from Kaspersky Labs found that the cost to launch a DDoS attack using a cloud-based botnet of 1,000 desktops is about $7 per hour (yes, you read right!). The attackers typically charge $25 for their services, thereby earning a profit of $18 per hour — not to mention huge bragging rights.
Why Should We Worry About DDoS Attacks?
At this rate, almost anyone can hire cyber-attackers to assault a rival’s network. Some attackers even offer some form of service warranty and can go as far as showing you proof of their competence by carrying out a sample attack at your behest.
This informs us that a whole new industry has been built around cyber-insecurity because of the strong economic incentive to launch these attacks.
When financial gains are involved, there are no limits! Attackers often afflict random targets and demand that they pay a ransom, or they can be hired by a business to make their competitor’s services unavailable during a peak business period. This could be crippling for thriving businesses in highly competitive niches.
Individual attackers and business rivals seeking financial gains are not the only players on the field. Government and political organizations have also been linked to some popular DoS attacks. Two prominent examples are the 2007 attack on the online services of the Estonian government and the 2019 attack on Telegram that sought to disrupt protests in Hong Kong.
Some countries like the US, Russia, Israel, the UK, and China have dedicated cyber-warfare divisions tasked with launching attacks against their adversaries.
What is the Difference Between DDoS Attacks and Legitimate-User-Generated Traffic?
You might wonder: if DoS attacks generally take the form of legitimate user requests, why is it a problem for the target network?
Well, the simple answer is that a network can only take so much. Take a look at this graph that shows normal network traffic and network traffic during a DoS attack.
Every online service is built with an estimate of how much traffic they expect to manage. The website of a local veterinarian can expect that its visitors will largely comprise local pet owners and a specific group of pet lovers. Therefore, they might anticipate that 8GB of bandwidth per month will suffice. Given this, investing in network resources that support 12GB of monthly bandwidth should be future-proof. It wouldn’t be prudent to invest in the same costly systems and resources as a website like Facebook or Netflix.
A cybercriminal who wants to launch a DDoS attack on this local vet’s website would know about this limitation. They could go on to assemble an army of bots capable of sending traffic of 1GB per second in order to flood the website with traffic. Within a short time, the site’s memory or processing capacity would be too overwhelmed to receive and process requests from legitimate users.
The Most Notable DDoS Attacks of All Time
Small online enterprises are not the only ones at risk. In Oct. 2016, a DoS attack with a magnitude of 1.2 terabytes per second attacked Dyn, a domain name service provider. Using multiple botnets of 100,000 bots (mostly IoT devices infected by the Mirai virus), the attackers were able to disrupt the services of big websites like The New York Times, Amazon, Paypal, Github, and Netflix. The IP addresses of the guilty devices were traced to 164 different countries.
Another interesting and pioneering attack was conducted in 2000 by Michael Calce, a 15-year-old hacker known as Mafiaboy. His attack used the compromised networks of several universities to take down major websites like CNN, eBay, Yahoo, and Dell. The negative impact of this attack extended as far as the stock market.
Github has also suffered two major attacks — the first, a politically motivated attack in 2015, and the second a Memcached DDoS attack in 2018. More recently, in February 2020, a DoS attack on Amazon Web Services (AWS) claimed the record for the largest ever attack. AWS sustained an attack of 2.3 terabytes per second for eight hours.
These instances show that no one is immune.
How is a DDoS Attack Even Possible?
First, the attackers recruit their soldiers…
The first thing an attacker needs for a DDoS attack is a botnet. They acquire this by searching for vulnerable devices and hacking their authentication protocols using brute force. Owning geographically spread out bots provides attackers with an advantage, since it means they do not have to spoof the address of the data packets they send because their bots already have various addresses that cannot be traced back to them. The most popular malware programs employed to achieve this are Mirai, Linux.Hydra, NewAidra, BashLite, Psyb0t, Reaper, and Chuck Norris.
… Then they build their army…
The attackers utilize a variety of tools in their bot sourcing schemes. These tools can remove competing malware, gain access to the device using brute force, or get information about the device. They can also enable the malware to gain access to other devices in the same network as their new bot. Some of these tools are Mr. Black, LizardStresser, Mirai Code, and Nitol.
… And they STRIKE!!!
DDoS attacks used to be single-vector attacks like flooding and HTTP GET. When it became easier for these kinds of attacks to be detected and mitigated, they evolved into multi-vector attacks. First, an attacker would initiate a single vector attack like an ICMP or UDP flood attack. This would warrant an application layer defense response from the victim and the attacker would pull back. Then, once the victim seemed to have recovered, they would initiate a second attack (like an amplification attack) that would override this defense protocol and most likely get to the victim’s servers.
The attacker would use this pattern to continue to barrage the victim’s network with multiple attacks until it is exhausted or the victim decides to shut down their services. Multi-vector attacks have proven to be significantly successful and are quickly gaining popularity among cyber-attackers.
Some popular tools employed to effect a multi-vector DoS attack are Slowloris, XOIC, Goldeneye, LOIC, Pyloris, Tor’s Hammer, and DDoSim.
The Battle Formation
IoT botnets can be used to stage bandwidth exhaustion attacks (flooding and amplification attacks are popular examples of this) and resource exhaustion attacks. Bandwidth exhaustion attacks use the botnet to send malicious packets until no room is left to process requests from legitimate users. Resource exhaustion attacks, in their own right, exploit loopholes in their target’s network systems, application layer protocol, or transport layer protocol. Their aim is to overload and crash the victim’s memory and processing infrastructure.
IoT devices became a favorite of DoS attackers because they offer certain advantages. Connected devices often have uninterrupted access to power and a constant internet connection. Unlike servers, these devices require almost zero maintenance by the attacker. Plus, manufacturers rarely provide their devices with strong security protocols or firmware updates. When they do send firmware updates, it’s usually over insecure channels. Most manufacturers use the same user ID and password for all their devices, thereby making the job easy for an attacker scavenging for potential bots. Users seldom bother to change the default passwords, so it is often easy to exploit their devices.
Rebooting a device might remove the malware but it will become reinfected within minutes if the password is not quickly changed.
IoT devices can, themselves, be the victims of DoS attacks. A smart device or system basically comprises sensors, trackers, and a communication channel. The data generated by these components must be transmitted to the control system in real-time to avoid inefficiency. Technically, a DoS attack on these communication channels can lead to a denial of service to the device.
What are the Solutions to IoT-Enabled DDoS Attacks?
One thing that has always been constant in communication is the presence of adversaries. Throughout history, we never stopped communicating because of adversaries. Instead, we created ways to transcend them. We worked to ensure that our existing means of communication were fast, secure, and efficient. We found quicker ways to deliver long-distance messages. And when our adversaries learned ways to intercept our messages, we invented cryptography — signatures, stamps, seals, and encryption methods.
In this age of DDoS attacks, the story is no different. We have not caved in under the pressure of adversaries but have been making commendable efforts to elude and defeat them. Some promising solutions have already been implemented, but there are more steps we can and should take.
We need Laws
Corporations are usually unwilling to spend money on anything that does not advance their bottom line and security, all too often, falls into this category. Seven years before the world-famous cyberattack on Sony Pictures in 2014, a Sony executive was quoted publicly saying that he would not invest $10 million to avoid a possible $1 million loss. He was referring to the cost of setting up a standard cybersecurity system in the company and the fine associated with a security mishap respectively.
This is why one of the solutions should be the development of a binding security standard that all IoT devices must attain. Some great propositions are already being considered by the European Union. The aim of this is to ensure that manufacturers are bound by strict laws and are not negligent of the security and privacy needs of their product and end user.
Internet service providers (ISPs) can also be called upon to help solve the problem. Since they are not directly affected, ISPs may also be deterred by the costs associated with security, but they could take action to prevent attacks. During a DoS attack, data packets are sent from one network to another. These packets bear headers that contain the source and destination addresses so hypothetically, they can be scrutinized for spoofed addresses.
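The header check described above is known as source-address validation: a customer port may only emit packets whose source address lies inside the prefixes assigned to that customer, and anything else is treated as spoofed and dropped. The following is an added example, not code from the original article; the assignment table, port names and packets are constructed values.

```python
"""Source-address validation at a provider edge (added example)."""
import ipaddress

# Constructed table: customer-facing port -> prefixes assigned to that customer.
ASSIGNED = {
    "port-1": ["203.0.113.0/25", "2001:db8:1::/48"],
    "port-2": ["203.0.113.128/25"],
}


def build_filter(assigned):
    """Parse the prefix table once into network objects, one list per port."""
    return {port: [ipaddress.ip_network(p) for p in prefixes]
            for port, prefixes in assigned.items()}


def is_spoofed(networks, port, src_ip):
    """True when src_ip is outside every prefix assigned to the ingress port.

    Unknown ports and unparsable addresses are also rejected (fail closed).
    An IPv4 address is never "in" an IPv6 prefix, so mixed tables are safe.
    """
    try:
        ip = ipaddress.ip_address(src_ip)
    except ValueError:
        return True
    return not any(ip in net for net in networks.get(port, []))


def filter_packets(networks, packets):
    """Split (ingress_port, src, dst) tuples into forwarded and dropped lists."""
    forwarded, dropped = [], []
    for pkt in packets:
        port, src, _dst = pkt
        (dropped if is_spoofed(networks, port, src) else forwarded).append(pkt)
    return forwarded, dropped


# Constructed packets: legitimate sources, a neighbour's prefix used from the
# wrong port, an unassigned source, an IPv6 source and an unknown port.
SAMPLE_PACKETS = [
    ("port-1", "203.0.113.10", "198.51.100.1"),     # inside port-1's prefix
    ("port-1", "203.0.113.200", "198.51.100.1"),    # belongs to port-2: spoofed
    ("port-1", "192.0.2.7", "198.51.100.1"),        # not assigned anywhere
    ("port-2", "203.0.113.200", "198.51.100.1"),    # correct port for that prefix
    ("port-1", "2001:db8:1::5", "2001:db8:ff::1"),  # inside port-1's IPv6 prefix
    ("port-3", "10.0.0.1", "198.51.100.1"),         # unknown port: dropped
]

if __name__ == "__main__":
    fwd, drop = filter_packets(build_filter(ASSIGNED), SAMPLE_PACKETS)
    print("forwarded:", fwd)
    print("dropped:", drop)
```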
Research, Research, and Research
Further research into the network protocols and infrastructures that enable a DDoS attack is also needed if we are to find a lasting solution to this security problem. It might be time to be more fundamental in approach. We must look for thorough solutions that will accompany proper management practices.
Some research publications propose extra layers on the current three-layer architecture of IoT as a potential solution to mitigate the conscription of IoT devices into botnet armies.
Darwin, for example, proposed a four-layer architecture. In addition to the perception, network/transport, and application layers of the three-layer architecture, the four-layer architecture proposes a support layer. This layer would be responsible for ensuring that information is threat-free and that every user is duly authenticated. It would also send only validated information to the network layer.
Another proposition, a five-layer architecture, includes two additional layers — a processing layer and a business layer. The processing layer would be responsible for sifting through collected data and permitting only useful information. This layer would also help with the problem of big data being collected by IoT. However, it would be prone to an exhaustion attack. The business layer would manage the user’s privacy and determine how data is generated, stored, and modified. Unfortunately, it would also be prone to Business Logic and Zero-Day attacks.
A viable solution to the DDoS problem would prevent devices from being detected or infected by malware, recognize malicious traffic flow, and mitigate attacks by denying further access to the network’s resources.
Encryption- and hash-based security protocols can be further used to secure the authentication, authorization, and information exchange process.
Manufacturers Have a Role to Play
Manufacturers should also be sensitive to the problem and open to implementing promising practicable research. They should adopt a security by design approach when creating new devices.
Reliable default security protocols should be integrated at the development phase of every device. Original equipment manufacturers (OEMs) should also include strict identity and access management protocols that can mitigate the misuse of login credentials.
End Users Cannot be Indifferent
End users can protect themselves by opting for adequately secure devices instead of cheap insecure alternatives. Enterprises should adopt IoT devices on a need-to-own basis, at least until they become more secure.
Individuals should also not be too quick to jump on the latest fad smart device. We must understand that every new device is a gateway to the internet and a security and privacy loophole. Users who don’t own online businesses may think they are immune to the onslaughts of DDoS vectors, but they are not. None of us can allow ourselves to become lax about taking ideal security measures.
The internet is a property of mankind. It connects us all and fosters a global culture. It has created new opportunities and given a voice to the voiceless. If fundamental services like telemedicine, electronic payment systems, e-schools, and smart power distribution systems are compromised, the quality of our lives will be greatly affected. The internet’s social and economic significance has a global reach, so it is our collective responsibility to ensure that it is safe.
Users should ensure the integrity and security of their smart devices by changing the default passwords as soon as they start using a new device. Choosing a strong password is crucial because hackers have tools and scripts that can effectively scan for devices with weak passwords. Password managers can help with setting up and remembering complicated passwords.
Users can also protect themselves by using personal firewalls on routers and computers, and by setting up two-factor authentication wherever it’s available.
What does the Future Hold?
IoT and SDN – The SDN Promise
Software-Defined Networking is a dynamic network management model where the data plane is separated from the control plane. It is a novel concept in networking that seeks to virtualize the physical infrastructures of a traditional networking system and effect communication between planes through APIs like OpenFlow.
It is hard to come up with a universal networking model for IoT because devices vary according to function — this is where SDN comes in. A merger of the SDN and IoT architecture yields a unique architecture comprising an IoT agent, an IoT controller, and an SDN controller. The SDN controller is a logical software entity that has a global view of the network and externally manages the flow of data.
Once the IoT agent authenticates the IoT controller, it passes on the information received from its surroundings. The IoT controller also authenticates the IoT agent before receiving this information. The presence of the SDN layer adds security to the network layer by ensuring that spurious information does not make it through the network layer and into other connected devices. It is an overarching layer that controls the flow of information.
As a result, SDN-enabled network frameworks can detect DDoS attacks or malware prowl at higher network levels and stop them from spreading to other devices on the network. Data from switches that are enabled by SDN can also be used to make the controller more intelligent at detecting malicious traffic.
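The controller's global view is what lets a detection on one switch protect the rest of the network. The following is an added example, not code from the original article and not built on a real OpenFlow library: a controller learns a per-switch, per-destination packet-rate baseline from earlier stat reports and, when one switch sees a destination far above its baseline, installs a drop rule for that destination on every switch it knows. Switch ids, stat samples and the rule format are constructed.

```python
"""An SDN controller loop turning switch flow statistics into drop rules (added example)."""
from collections import defaultdict
from statistics import mean, pstdev


class Controller:
    def __init__(self, sigma=3.0, min_samples=5):
        self.sigma = sigma                  # std-devs above the mean that count as abnormal
        self.min_samples = min_samples      # history needed before a destination is judged
        self.history = defaultdict(list)    # (switch, dst) -> past packets-per-second samples
        self.switches = []                  # every switch that has reported, in order seen
        self.rules = {}                     # (switch, dst) -> installed rule (constructed format)

    def baseline(self, switch, dst):
        """Mean + sigma*stddev of past samples, or None without enough history."""
        h = self.history[(switch, dst)]
        if len(h) < self.min_samples:
            return None
        return mean(h) + self.sigma * pstdev(h)

    def install_drop(self, dst):
        """Push a drop rule for dst to every known switch; return the newly added ones."""
        new = []
        for sw in self.switches:
            if (sw, dst) not in self.rules:
                self.rules[(sw, dst)] = {"match": {"ipv4_dst": dst},
                                         "action": "drop", "priority": 100}
                new.append((sw, dst))
        return new

    def on_flow_stats(self, switch, stats):
        """Handle one stats report from a switch: a list of (dst, pps) pairs.

        Returns the (switch, dst) rules installed because of this report.
        """
        if switch not in self.switches:
            self.switches.append(switch)
        installed = []
        for dst, pps in stats:
            limit = self.baseline(switch, dst)
            if limit is not None and pps > limit:
                installed += self.install_drop(dst)
                continue  # keep the attack sample out of the learned baseline
            self.history[(switch, dst)].append(pps)
        return installed


def run_demo():
    """Constructed reports: quiet traffic on two switches, then a surge seen at s1 only."""
    ctl = Controller()
    quiet = [40, 45, 38, 50, 42, 47]
    for pps in quiet:
        ctl.on_flow_stats("s1", [("10.0.0.1", pps)])
        ctl.on_flow_stats("s2", [("10.0.0.1", pps)])
    # The flood is reported by s1 alone; the global view protects s2's segment too.
    return ctl.on_flow_stats("s1", [("10.0.0.1", 5000)])


if __name__ == "__main__":
    print(run_demo())
```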
5G-powered SDN architectures are expected to be highly secure, flexible, programmable, cost-effective, and more intelligent.
SDN is not to be confused with Network Functions Virtualisation (NFV). NFV is a network model where the network components — such as firewalls, routing protocols, gateways, and traffic controllers — run as virtual machines on remote servers. The network functions are not coupled with the gadget itself. NFV can help to autoscale a network in the event of a traffic surge without compromising the user’s privacy.
IoT Botnets in the age of 5G
As we await the takeover of 5G, we anticipate ultra-fast connection speeds and more reliable network connections. We also know that it will lead to much more efficiently connected devices, which will, in turn, drive an increase in the adoption of IoT technology.
However, with the growing threat of IoT botnets, this blessing could become a curse if we do not find a viable solution to the insecurity of connected devices.
On the plus side, 5G offers better security protocols. Its control plane has a stronger authentication and encryption protocol which should make it less susceptible to attacks. Also, 5G’s network slicing capability allows for network segments that are independent of each other. This means that if one network segment is compromised, the others can still be secure. What it also means, unfortunately, is that attackers can focus their attack on the network segment of their choice.
The connection speeds that 5G technology promises are also a plus because they will foster the virtualization of networks and other software infrastructures. This means that IoT devices will be less vulnerable, as they promise to be more efficiently secured on the network layer.
It is important to note that, though IoT devices are favored by attackers for the aforementioned reasons, they are not the only vectors of DDoS attacks. Servers, smartphones, and any device that has access to the internet is a potential vector.
In the early days of communication, hacking involved capturing and extracting information from the messenger. It still involves the same fundamental principle today.
Where there is a message to be sent, there will be attempts to intercept it, but these should only serve to motivate us to best ourselves.
Security is not a one-off investment; it must be a sustained practice. When it became possible to detect spurious traffic, intruders started to disguise it as legitimate traffic and send an overwhelming volume of this seemingly legitimate traffic (which is essentially DDoS) so as to fool network traffic controllers.
Hackers learn to evolve with technology, so counting on them being outmoded is too much of a risk.
The Internet of Things technology may come under fire from skeptics and tech conservatives, but it would be a mistake to think that it will go away or take on a less significant role in our lives. IoT presents such a wide range of possibilities that it is difficult to imagine an industry where it cannot be leveraged. From healthcare to transportation, manufacturing, and beauty (there’s a smart hairbrush!), its footprints are everywhere.
DDoS attacks are growing exponentially and most of the biggest attacks are powered by IoT botnets. Nonetheless, remarkable efforts are being made to make IoT technology more secure while ensuring that it is 5G-ready.
IoT security demands a concerted effort from everyone — the researcher, the government, the manufacturer, and the end user.