|
Chapter 15 – The Day of Reckoning
First it was the fridge—it didn’t feel as cold. Then the oven was taking a long time to heat up. Then the air conditioning, the washer, the dryer… even the microwave—they all seemed a little off. Not much—but a proud and dedicated homeowner like myself could definitely feel it. Then my phone rang. It was John, my neighbor.
“Hey what’s up?” I was talking to John but really staring at the holiday-themed, half-heated up microwave dinner box.
“Need a favor, neighbor. Our dryer is acting up. Can we come over and use yours…” John was still talking when the news alert popped up on the screen of my cell: WORLD’S LARGEST ECOMMERCE SITE GRINDS TO A HALT ON THE BUSIEST DAY OF ONLINE SHOPPING…
* * *
In my last blog post I shared some of the general security challenges that come with the Internet of Things (IoT). In this post, I will focus on one particular security risk: distributed denial of service (DDoS) attacks.
Even before the age of IoT, DDoS attacks have been turning multitudes of computers into botnets, attacking a single target and causing denial of services for the target’s users. By “multitudes” we can be talking about thousands or even millions of victim devices. Now add IoT into the equation and we could be looking at billions of devices pressed into attack! The scale and the damage would be unprecedented and massive. Such attacks could bring some of the largest systems down (in my little piece of fiction above, an Amazon-like company). If it sounds like science fiction, it won’t be for long. What will it take for DDoS attacks that use IoT devices to cross that line from fiction to reality and how we can prevent such disaster from happening?
DDoS Attacks – Growing and Evolving with IoT
DDoS attacks are getting worse: as reported by Akamai1, the number of DDoS attacks in Q1 2015 have more than doubled the same period last year. That’s hardly a surprise as the most common software architecture, and its vulnerability, has remained unchanged for many years: the client-server model. Connected on the same network, clients (such as company computers) initiate a service request and servers (the company servers) provide the service. A company computer may request data or a software update, and the company’s servers will provide the requested resource or service in response. If malware takes over, for instance, the compromised machines become a “zombie army.” Since many company computers are always connected to the company’s network, they can turn against the company’s servers and initiate a DDoS attack.
The Akamai report calls out one important IoT-related issue: Simple Service Discovery Protocol (SSDP) attacks. SSDP are network protocols that bypass server-based configuration mechanisms and enable devices on the same network to discover and communicate with one another. They are intended for use with simple devices at home or in smaller offices—an important enabler scaling and making IoT readily available to the masses. SSDP attacks in Q1 2015 made up more than 20% of the attack vectors—something that wasn’t even tracked a year ago. So that little wireless activities tracker you wear on your wrist (Fitbit, Apple Watch, and many others) which you love as it syncs up your health data on your cell phone and your company tablet? With a little bit of malware, it can turn into the zombie device that you fear: it can attack any server without your noticing until it’s too late!
While the SSDP attacks reported have not turned fridges, coffee machines, microwaves, or dryers in our homes into zombie armies yet, their growth provides a great opportunity for abuse.
What You Can Do To Put off the day of reckoning
Let’s face it: DDoS attacks will only get worse with IoT opening up even more opportunities for attacks. Without any breakthrough in security measures, players in the IoT ecosystem have to consciously and meticulously put some hard work (in fact a LOT of it!) into fighting this DDoS war.
1. Network engineers and administrators of large networks: Redefine your security strategy.
2. Software designers: Put security in the forefront of your design process
My Sci-Fi story is still being written, as is the story of IoT. Let’s work together and give it a happy ending.
1 Akamai State of the Internet [Security] Report, May 2015
Sponsored byVerisign
Sponsored byWhoisXML API
Sponsored byIPv4.Global
Sponsored byVerisign
Sponsored byRadix
Sponsored byDNIB.com
Sponsored byCSC