How to Battle IoT Devices Infected with DDoS Malware
Akamai's Michael Smith Discusses Quarantines, Firmware Updates, Feedback Loops
Legions of internet-connected devices are being compromised by attackers and turned into bots for remotely launching distributed denial-of-service attacks.
When it comes to thwarting these attacks, organizations can look to the lessons learned from the Operation Ababil attacks against U.S. banks that began in 2012, says Michael Smith, the security CTO for DDoS defense firm Akamai Technologies in Asia Pacific. Those attacks were launched primarily from PHP servers running outdated content management system software. Attackers exploited the software to compromise the device, installed an attack toolkit - often Brobot - then began feeding it attack scripts.
IoT malware such as Bashlite, Lightaidra and, more recently, Mirai likewise involves compromising internet-connected devices, installing an attack toolkit and then telling it what to target.
For DDoS attack victims and their defenders, "you want to create a feedback loop when you receive an attack ... to generate a list of the sources, along with the date-time stamp they were seen, to get that into a mitigation workflow, to get the service provider responsible for that IP address to clean it up," Smith says in an interview with Information Security Media Group.
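The feedback loop Smith describes, as an added Python example that is not Akamai's tooling or code from the interview: raw attack observations (constructed sample lines) are aggregated per source IP with first-seen and last-seen timestamps and hit counts, then grouped by the provider responsible for the address so each list can go into a mitigation workflow. The prefix-to-contact table is a hypothetical stand-in for a WHOIS/ASN lookup, and the addresses are documentation ranges.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample: attack source observations as a defender might export them
# from mitigation logs (timestamp, source IP, attack vector). Not real traffic.
OBSERVATIONS = """\
2016-10-21T11:02:17Z 203.0.113.14 syn-flood
2016-10-21T11:02:19Z 203.0.113.14 syn-flood
2016-10-21T11:05:40Z 198.51.100.7 http-get-flood
2016-10-21T11:06:02Z 203.0.113.77 syn-flood
2016-10-21T11:09:55Z 198.51.100.7 http-get-flood
"""

# Hypothetical prefix-to-abuse-contact table standing in for a WHOIS/ASN lookup.
PROVIDERS = {
    "203.0.113.0/24": "abuse@isp-a.example",
    "198.51.100.0/24": "abuse@isp-b.example",
}

def provider_for(ip):
    """Return the abuse contact whose prefix contains ip, or None if unknown."""
    addr = ipaddress.ip_address(ip)
    for prefix, contact in PROVIDERS.items():
        if addr in ipaddress.ip_network(prefix):
            return contact
    return None

def build_feedback(observations):
    """Aggregate observations into per-provider source lists with first/last seen."""
    per_source = {}
    for line in observations.splitlines():
        ts, ip, vector = line.split()
        seen = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        rec = per_source.setdefault(ip, {
            "first_seen": seen, "last_seen": seen, "hits": 0, "vectors": set()
        })
        rec["first_seen"] = min(rec["first_seen"], seen)
        rec["last_seen"] = max(rec["last_seen"], seen)
        rec["hits"] += 1
        rec["vectors"].add(vector)
    report = defaultdict(list)  # key None collects sources with no known provider
    for ip, rec in per_source.items():
        report[provider_for(ip)].append({"ip": ip, **rec})
    return dict(report)
```

Each provider's entry is the list to hand to that ISP's abuse desk; sources under the None key need a manual lookup before they can be routed.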
But while malware such as Brobot ran on servers - and cleaning it up often required interfacing with virtual private server operators to ensure that machines got patched - most IoT malware attacks are being launched by consumer devices for which no patch might be available.
"Now, from the defender's side, you have to ... assume that the attackers have an unlimited supply of machines that they can compromise," Smith says.
IoT Challenge: Remediation at Scale
As a result, ISPs should consider segregating subscribers whose machines are being used to launch attacks into automated quarantines and spelling out to them which devices they need to update, replace or retire, he says. And device manufacturers must up their game by ensuring that devices can be updated and patched without user intervention using well-known patch management and network management processes.
"Understand that success in this world is very not sexy," Smith says.
In this interview, he also discusses:
- How to battle IoT-based botnets;
- The need to decommission devices - especially routers - at the end of their lifespan;
- The challenge of feeding attack information back to ISPs.
Singapore-based Smith is Akamai's security CTO for Asia Pacific and Japan. He previously led Akamai's computer security incident response team. He was also an information assurance instructor for Potomac Forum as well as a manager at Deloitte, among other roles. And he served as an infantry squad leader in the Army National Guard as well as a linguist in the U.S. Army.