There’s a flood of connected devices making their way into our homes and businesses. From mobile, wearables and car technology to advancements in smart homes, TVs and cameras, the tech world is awash with internet-connected devices. By 2020, it’s estimated that there will be more than 30 billion connected devices in the world – more than four times the earth’s population.
Hackers are Watching
Tech-hungry consumers keep their eyes peeled for major device announcements. Also watching are distributed denial of service (DDoS) attackers who have made the Internet of Things (IoT) their weapon of choice. These nefarious actors exploit millions of vulnerable IoT devices to create sophisticated malware-based DDoS botnets they then use to initiate devastating attacks. IoT vulnerabilities give these hackers the ability to scale their attacks across tens of millions of devices and unique IP addresses.
These new device announcements add more weapons to an already stocked arsenal of connected gadgets hackers have at their disposal that they can weaponize and leverage to launch DDoS attacks.
If we’ve learned anything from the Mirai botnet’s path of destruction in late 2016, during which attackers hijacked more than 500,000 webcams to launch a DDoS attack topping 1 Tbps, and last year’s WireX and Reaper threats, it’s that bad actors will latch onto unsecured devices and use them to do their bidding.
“Millions of unsecure, internet-enabled devices provide new threat vectors. Given the rapid proliferation of Internet of Things devices in advance of IoT-oriented security standards and configuration practices, expect these devices to be increasingly used as weapons for DDoS and other attacks,” said Adam Isles, principal at The Chertoff Group, a global advisory firm that provides security risk management, business strategy and merchant banking advisory services.
According to a recent AT&T Cybersecurity Insights report, nearly a third (32 percent) of surveyed organizations said IoT-based DDoS attacks are their biggest future cybersecurity concern. AT&T found that more than a third (35 percent) of all its survey respondents say IoT devices were the primary source of a data breach experienced over the prior year. And the outlook for future IoT attacks remains bleak, with 68 percent of survey respondents saying they expect IoT threats to increase in the coming year.
That said, AT&T found that 90 percent of organizations have conducted enterprise-wide cyber risk assessments in the past year, but only half (50 percent) have conducted risk assessments specific to IoT threats.
Meanwhile, according to our A10 Application Intelligence Report (AIR), distributed denial of service (DDoS) attacks took the top spot among cyberthreats against businesses, with more than one third (38 percent) of IT decision makers saying their company has suffered an attack at least once over the past 12 months, with another 9 percent noting they’re not aware whether they’ve been attacked or not. Frighteningly, that means that nearly half of IT professionals say their company has either been a victim of a DDoS attack or they don’t know if they’ve been a victim.
A10 AIR respondents, however, don’t fear IoT as much as they probably should. For example, AIR respondents rank laptops as the most vulnerable type of device, more so than smartphones and even more so than IoT devices, a misperception that, if exploited, could give hackers an inroad into corporate networks.
This rash of IoT-based DDoS attacks when paired with lack of awareness and the growing roster of IoT devices hitting the market creates a potentially catastrophic cocktail of opportunity for savvy cyberattackers.
The consensus: IoT-based DDoS attacks will grow in both bot size and traffic volumes mostly due to their use of vulnerable, poorly-secured IoT devices. Contributing to those millions of vulnerable IoT devices will be this year’s crop of marquee CES announcements and the myriad gadgets found under the Christmas tree.
Protection from IoT DDoS Attacks
The rise of IoT DDoS attacks makes it imperative to rethink DDoS defenses to thwart these sophisticated and often devastating threats. Here are key things to look for in an effective DDoS defense solution to ensure that IoT DDoS attacks can’t take you down:
- DDoS defense solutions should be capable of detecting, mitigating and reporting on multi-vector DDoS attacks at the network edge and in centralized scrubbing centers to scale to defend against colossal IoT-fueled attacks
- DDoS defense solutions must differentiate botnet traffic from legitimate traffic and users, so services stay available when battling an attack
- DDoS defense solutions should include intelligence into known botnets and agents to defend networks against known threats
- DDoS defense solutions must scale yet maintain cost-efficiency