IoT DDoS Security Concept

Zombie Computers (Image from Kaspersky daily article “Zombie computers and how to avoid them.”)
Zombie Computers (Image from Kaspersky daily article “Zombie computers and how to avoid them.”)

Remember when the internet didn’t exist? When people turned to schools and libraries for answers to all of their questions? When the only way to navigate around your local area was by memorizing street names and relying on physical maps so you wouldn’t get lost? Maybe someone would want to listen to music, so they pull out their cd player and listen to their favorite album? Well whether or not you were around long enough to relate to these examples, the world has been blessed with the advancements in technology and the internet to make everyone’s lives easier. The creation of internet computers and smartphones offers people the ability to look up anything they may choose to discover. As years passed, more inventions are being upgraded to implement the internet into their basic uses to provide improved functionality for its users. The Internet of Things (IoT) is this advancement in everyday-devices, utilizing the power of the internet to create a more interactive approach for consumers and organizations to enhance their experiences with their products. But implementing the internet into these products can also lead to malicious intent from those who have the ability to hack into the IoT devices for their own benefit as well. In order to understand why this problem is relevant, we first need to know what the original goal IoT is striving for.

What is the Internet of Things?

Diagram of the Internet of Things. (Image from Sciforce article)
Diagram of the Internet of Things. (Image from Sciforce article)
Diagram of the Internet of Things. (Image from Sciforce article)

The concept of the IoT refers to the billions of physical devices that are connected to the internet from around the world. All of these devices are collecting and sharing data, whether its for the consumer’s luxury, or for the means of the provider gathering relevant information on the specific product. According to a British technology pioneer, Kevin Ashton, who co founded the Auto-ID Center at the Massachusetts Institute of Technology (MIT), “The IoT integrates the interconnectedness of human culture — our ‘things’ — with the interconnectedness of our digital information system — ‘the internet’” (Ranger).

Interconnected Devices throughout a city. (Image from ZDNet article)
Interconnected Devices throughout a city. (Image from ZDNet article)
Interconnected Devices throughout a city. (Image from ZDNet article)

The Auto-ID Center created a global standard system of RFID (Radio-frequency identification) tags, or RFID chips, which are radio waves that “transmit data from the tag to a reader, which then transmits the information to an RFID computer program” (Pontius). RFID tags are most commonly used to keep track of merchandise which are bought by consumers. This is what coined the term “the Internet of Things,” describing the system in which the internet is interconnecting with the physical world. Ever since then, new innovations have expanded from the original idea of IoT such as:

-Smart homes (smart thermostats, security, lights)

-Smart offices

-Smart speakers (Amazon Echo, Google Home)

-Smart Cars (Self-driving cars)

-Smart wearables (apple watch)

-Anything that is now implementing internet functionality…

Although the potential for these inventions to improve the everyday-lives of the consumers are incredible, these innovations also act as a double edged sword. A majority, if not all of the products that acquire the power of the internet, such as “ thermostats, cameras, and cookers could all be used either to spy on citizens of another country, or to cause havoc if they were hacked.” In addition, national critical infrastructure relevant to the IoT, including “dams, bridges, and elements of the electricity grid” creates an even more serious push to maintain security for all devices (Ranger).

Risk of DDoS attacks on IoT devices

IoT devices draw attention for DDoS attacks because they are increasing rapidly in numbers, with some estimates predicting that today there are about “21 billion IoT devices [being used] around the world.” A number of these IoT devices are speculated to have a lack in security features with courtesy to the consumers and organizations holding a lenient practice for security in their IoT devices. A cyber-attack on the DNS provider is an example of “how vulnerable the internet is and how determined some bad actors are to bring it down” (Ibm). Dyn is a remote access solution which allows users to pick a unique hostname and link it to any of their IoT devices to ensure they remain consistently connected, safe, and efficient (“What Is the Internet of Things.”) On 21 October 2016, Dyn experienced a massive DDoS attack which was claimed to be caused by “tens of millions of IP addresses around the world,” but later was estimated to actually be around 100,000 instead. The attack caused certain users to run into issues when they tried to “reach popular websites such as Twitter, Amazon, Tumblr, Reddit, Spotify and Netflix throughout the day” (“Major DDoS Attacks Involving IoT Devices.”). A part of the attack involved the use of the Mirai botnet, which is a form of a DDoS attack that compromised IoT devices, such as home PCs, that had a number of vulnerabilities.

Botnet illustration (Image from Doug Olenick’s DDoS article)
Botnet illustration (Image from Doug Olenick’s DDoS article)
Botnet illustration (Image from Doug Olenick’s DDoS article)

The botnet could capture devices “either through unprotected network ports or via trojans or other malware” which is usually spread by spam, opening backdoors for attackers to access. Once the IoT device is compromised, “the controller — known as a bot herder — issues commands commands via [Internet Relay Chats] or other tools.” IRC provides a way of communicating in real time with devices from all around the world (Rouse). Commands can sometimes also be sent out from a central server, but these days “botnets have a distributed architecture that makes their controllers harder to track down” (Fruhlinger). The diagram below illustrates how a DDoS attack utilizes compromised computers in order to bring down DNS servers at an exponential rate, infecting multiple IoT devices which are used to attack the target server.

Message distribution using IRC (Image from Simon Heron’s botnet article)
Message distribution using IRC (Image from Simon Heron’s botnet article)
Message distribution using IRC (Image from Simon Heron’s botnet article)
DDoS Concept Diagram. (Image from Keycdn website)
DDoS Concept Diagram. (Image from Keycdn website)
DDoS Concept Diagram. (Image from Keycdn website)

After several hours and waves of attacks executed by the Mirai botnet, Dyn was able to resolve the DDoS attack, but they were left with the reminder that more security issues will arise if security practices aren’t tightened to prevent future attacks. The Dyn DDoS attack is but only one recorded incident of cyber-attacks involving the security vulnerabilities within IoT devices, implying that there is always the chance of new and stronger attacks to rise in the future. But when organizations do choose to reform and upgrade the security in their devices, there are always new approaches for malicious hackers to find new ways of bypassing the security with alternative tactics.

The Slowloris DDoS attack

IoT DDoS attacks doesn’t have to always involve the procedure of infecting other IoT devices in order to deal the damage. A unique DDoS attack called the Slowloris, named after the south and southeastern asian primates, involves executing a similar goal of a botnet DDoS attack. But the difference in the concept is that the hacker who is running this procedure only needs one computer to attack its target, instead of the need to infect other compromised devices to do the deed for them. The images below is an example of how the Slowloris code would be written in order to successfully attack a specified target, which is all run from a single computer.

Slowloris DDoS code explanation. (Image from gkbrk’s Github repo)
Slowloris DDoS code explanation. (Image from gkbrk’s Github repo)

This DDoS tool is “designed to allow a single machine to take down a server without using a lot of bandwidth.” It uses a low amount of bandwidth and “instead aims to use up server resources with requests that seem slower than normal but otherwise mimic regular” traffic, which lives in the category of attacks “known as ‘low-and-slow’ attacks.” During these Slowloris attacks, the targeted servers have limited amounts threads to handle multiple concurrent connection requests. Each thread existing in the server will attempt to wait for extremely slow requests that are being sent. And once the servers max limit of threads have been taken up due to the overload of slow requests, “each additional connection will not be answered and denial-of-service will occur” (“Slowloris DDoS Attack”). The image below goes over the steps that are taken for a Slowloris DDoS attack procedure to successfully take down a server that is being targeted.

4 steps of a Slowloris attack (Image from CloudFlare Slowloris DDoS website)
4 steps of a Slowloris attack (Image from CloudFlare Slowloris DDoS website)

Conclusion

Without a doubt, the world has excelled thanks to technological advancements. The concept of IoT seemed to be a fantasy years before the internet finally came to existence. Whether we look at the small things such as refrigerators being able to send data to its manufacturers in order to keep track of its different usages, or something as big as an airplane giving its pilot the crucial information for whether or not it is safe to take flight with hundreds of vulnerable passengers, the IoT applications have surely benefit organizations and consumers around the world. But there are dangers that can arise from these new technological advancements, utilizing the internet, which are forever prone to new methods for malicious hackers to bypass security vulnerabilities not yet taken into consideration. It is of best practice to stay on high alert for any security breaches, such as DDoS attacks, and adapt to these breaches in order to prevent them from happening again.

Botnet image (Image from Trend Micro article)

Works Cited

Fruhlinger, Josh. “The Mirai Botnet Explained: How IoT Devices Almost Brought down the Internet.” CSO Online, CSO, 9 Mar. 2018, www.csoonline.com/article/3258748/the-mirai-botnet-explained-how-teen-scammers-and-cctv-cameras-almost-brought-down-the-internet.html.

Ibm. “DDos Attacks, IoT, and the Future of IT Security.” Medium, IBM Journal, 8 Nov. 2016, medium.com/ibm-journal/ddos-attacks-iot-and-the-future-of-it-security-b57975dd1b74.

“Major DDoS Attacks Involving IoT Devices.” ENISA, 13 Dec. 2017, www.enisa.europa.eu/publications/info-notes/major-ddos-attacks-involving-iot-devices.

Pontius, Nicole. “What Are RFID Tags? Learn How RFID Tags Work, What They’re Used for, and Some of the Disadvantages of RFID Technology.” Camcode, 18 Jan. 2020, www.camcode.com/asset-tags/what-are-rfid-tags/.

Ranger, Steve. “What Is the IoT? Everything You Need to Know about the Internet of Things Right Now.” ZDNet, ZDNet, 6 Feb. 2020, www.zdnet.com/article/what-is-the-internet-of-things-everything-you-need-to-know-about-the-iot-right-now/.

Rouse, Margaret. “What Is Internet Relay Chat (IRC)? — Definition from WhatIs.com.” WhatIs.com, TechTarget, 28 Dec. 2005, whatis.techtarget.com/definition/Internet-Relay-Chat-IRC.

“Slowloris DDoS Attack.” CloudFlare.com, CloudFlare, Inc, https://www.cloudflare.com/learning/ddos/ddos-attack-tools/slowloris/

“What Is the Internet of Things.” Dyn, dyn.com/internet-of-things/.

Attending Make School Product College located in San Francisco, training to be a Backend Engineer.