IoT: From Dream to Nightmare

In the early days of 2016, our threat researchers started investigating just how big a threat IoT devices could be. There’d been a lot of talk about the potential of thousands of connected devices transformed into an attack engine of devastating power. We believed that bad actors were already intensively looking for vulnerable IoT devices, but there wasn’t much data out there. Was the nightmare of IoT DDoS attacks just that: a bad dream?

DDoS attacks in 2016

Fast-forward to October 2016 and the 1.2 Tbps attack against DNS provider Dyn by the Mirai botnet, which harnessed hundreds of thousands of compromised IoT devices and changed the landscape of DDoS attacks overnight. What was speculative just months earlier is now our reality. With more IoT devices coming online every day, the threat of DDoS attacks from increasingly sophisticated IoT botnets is only going to grow.


What 2016 tells us about future attacks

F5’s threat intelligence arm—F5 Labs—examined the growth of IoT devices as an attack vector between February and July of 2016. Threat researchers examined who is looking for vulnerable devices to compromise, how they use them once they are under their control, and what attack trends are emerging.

Most IoT devices were not designed with security in mind, which makes them easy targets for individuals or government entities using Telnet and SSH brute-force scans to identify and compromise vulnerable connected devices that still use default usernames and passwords. Both types of brute-force scans are on the rise, with Telnet scans up 140 percent year over year from 2015.[1] By far the largest share of this activity originates from China: more Telnet scans come out of China than from the next 19 countries combined on the top 1000 ASN threat actors list.[2]
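The scanning activity described above leaves a recognisable trace on the device or gateway side: bursts of failed Telnet and SSH logins from one source, usually against factory-default account names. The following detector is an added example, not code from F5 Labs or the report it cites. It parses a constructed, syslog-like log shape (the field layout, the sample lines, and the `DEFAULT_ACCOUNTS` list are assumptions for illustration), tallies failed logins per source address over a sliding time window, and flags sources that exceed a threshold, noting which default accounts they tried.

```python
"""
Added example (not from the F5 Labs report): flag Telnet/SSH brute-force
sources from authentication log lines.

The log format below is a constructed, syslog-like shape; the field layout
and the sample lines are assumptions for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines: "<ISO timestamp> <service> <result> user=<name> src=<ip>"
# 203.0.113.7 hammers both daemons with default account names within seconds;
# 198.51.100.4 is a legitimate user who mistyped once; 192.0.2.9 is slow and sparse.
SAMPLE_LOG = """\
2016-07-01T10:00:01 sshd FAIL user=root src=203.0.113.7
2016-07-01T10:00:02 sshd FAIL user=admin src=203.0.113.7
2016-07-01T10:00:03 telnetd FAIL user=root src=203.0.113.7
2016-07-01T10:00:04 sshd FAIL user=support src=203.0.113.7
2016-07-01T10:00:05 sshd FAIL user=admin src=203.0.113.7
2016-07-01T10:00:06 telnetd FAIL user=guest src=203.0.113.7
2016-07-01T10:00:30 sshd FAIL user=alice src=198.51.100.4
2016-07-01T10:00:45 sshd OK user=alice src=198.51.100.4
2016-07-01T10:05:00 telnetd FAIL user=root src=192.0.2.9
2016-07-01T10:30:00 telnetd FAIL user=root src=192.0.2.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<svc>sshd|telnetd) (?P<result>FAIL|OK) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Account names that commonly ship as factory defaults (assumed list). Failed
# attempts against these from an unknown source are a strong signal of
# default-credential scanning rather than a user forgetting a password.
DEFAULT_ACCOUNTS = {"root", "admin", "guest", "support", "user"}


def parse(log_text):
    """Turn raw log text into a list of event dicts; unparseable lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # line does not fit the assumed format
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def find_bruteforce_sources(events, threshold=5, window=timedelta(minutes=1)):
    """Return {src_ip: details} for every source that produced at least
    `threshold` failed logins inside any sliding window of length `window`."""
    by_src = defaultdict(list)
    for ev in events:
        if ev["result"] == "FAIL":
            by_src[ev["src"]].append(ev)

    flagged = {}
    for src, fails in by_src.items():
        fails.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(fails)):
            # Advance the window start until the oldest failure fits in the window.
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            if end - start + 1 >= threshold:
                users = {e["user"] for e in fails}
                flagged[src] = {
                    "failures": len(fails),
                    "services": sorted({e["svc"] for e in fails}),
                    "default_account_attempts": sorted(users & DEFAULT_ACCOUNTS),
                }
                break  # one hit is enough to flag the source
    return flagged


if __name__ == "__main__":
    for src, info in find_bruteforce_sources(parse(SAMPLE_LOG)).items():
        print(src, info)
```

Only the noisy scanner is flagged: the legitimate user's single mistake and the slow source with two failures 25 minutes apart both stay below the threshold. Tuning `threshold` and `window` lower catches slower scanners at the cost of more false positives, which is the usual trade-off for this kind of rate-based rule; combining it with the default-account signal keeps the alert meaningful either way.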

F5 Labs research shows that attackers are targeting IoT devices around the world. While data from some 2016 incidents shows that each compromised IoT device contributed only 0.1 percent of the total attack, the sheer number of devices harnessed by these botnets gives attackers unprecedented potential to damage websites, organizations, and reputations.[3] Analysis also shows that their attack mechanisms are evolving from brute-force logins to exploiting device APIs.

What do we do now?

The threat of DDoS attacks from compromised IoT devices is a complex problem for which there’s no easy solution. These devices will continue to be exploited and used as weapons to attack individuals and businesses until they are properly protected by their manufacturers. Consumer devices are already regulated for safety and efficiency; it’s time they’re also evaluated for Internet security. However, regulation has limited financial benefits for manufacturers, so an effective system of regulatory security standards for connected devices isn’t even on the horizon. And regulations in a single country won’t really help, since Internet attackers are actually protected by borders.

In the meantime, we need to protect ourselves the only way we know how: by putting in place the most comprehensive strategy for mitigating DDoS attacks, such as a mix of both on-premises defenses and cloud-based scrubbing services. In this new world of vulnerability where DDoS attacks are easier, cheaper, and more damaging than ever before, focusing on preemptive protection can help you stay ahead of the threat. That way, the ideal vision of a fully connected world doesn’t become a dystopia of overwhelming attacks launched by armies of infected devices.

[1] F5 Labs, DDoS's Newest Minions: IoT Devices (Volume 1), October 2016.
[2] Ibid.
[3] Ibid.