Virtualization Technology News and Information
Kentik 2017 Predictions: When Things Attack - The IoT DDoS Threat

VMblog Predictions 2017

Virtualization and Cloud executives share their predictions for 2017.  Read them in this 9th annual series exclusive.

Contributed by Avi Freedman, CEO of Kentik

When Things Attack: The IoT DDoS Threat

Network managers should get ready, because 2017 is looking like it will deliver a large crop of threats from distributed denial of service (DDoS) attacks. The reason is that the millions of IoT devices sown into fertile soil of our digital economy have turned out to be demon seeds.  Developed with bad DNA--gaping security holes that make them perfectly suited to be colonized into botnets, IoT devices are being harvested into botnets by the hundreds of thousands, if not millions. If your organization relies on internet traffic for any critical aspect of its business, it's time to improve your defenses.

A major DDoS attack illustrated the scale of the threat on Oct. 21, when a botnet assembled by Mirai malware downed brand name websites like Amazon and the New York Times. More specifically, the botnet launched multiple attacks with up to several hundred Gigabits per seconds of traffic on Dyn, a provider of managed domain name service (DNS) for major web enterprises. DNS translates human-readable URLs like and to machine-readable numeric internet addresses. So when Dyn's servers got slammed, the ripple effect made many sites essentially unavailable, and caused hundreds of millions in lost e-commerce and payment processing. 

Cyber-security and networking experts have been warning for a number of years about the problem posed by millions of new IoT devices being shipped to market with ridiculously lax security settings. Essentially, most IoT devices are ready-made to be exploited by botnet malware. For ease of use reasons, these devices come pre-configured for open and unfettered access from the internet, with easily guessed default administrative usernames and passwords.  Most consumers and small businesses don't change these settings, and in some cases, these security vulnerabilities can't be changed by users at all. All botnet malware like Mirai has to do is scan IP addresses to identify vulnerable types of devices, then login to these devices using "dictionaries" filled with common default credentials. 

The number of unprotected IoT nodes numbers well into the millions and botnets have been growing like weeds. Further, robust botnet growth is expected in the years ahead as more light bulbs, refrigerators, scales, thermostats and other devices become internet-enabled.

The Right Way to Defend Against DDoS

As in most things in life, there is not one solitary way to defend against DDoS. However, there are appropriate and inappropriate tools. In the inappropriate category are traditional security tools like firewalls and IPS, which are actually vulnerable to denial of service attacks because they statefully track IP communication sessions in detail, so the flood of artificial sessions often seen in DDoS attacks can actually overwhelm their memory. 

What are appropriate tools?

If the main or only thing you need to protect is your front-end website access, then you may be able to rely on a content delivery network to provide needed protection. On the other hand, CDNs are less effective when attacks target APIs or your corporate network address space and bandwidth. 

In cases where companies have outsourced network operations to a managed services provider, "clean pipe" services may be included in the overall price tag. However, if that's not already the case for you, it's helpful to understand that such premium protections involve scanning every packet of network traffic, which in turn comes at a premium price. On-demand pricing can start anywhere from $5,000 to $15,000 monthly, while always-on pricing can be $25,000 or more per month.

E-commerce, service provider, web enterprise and financial firms will most often need to  pursue a layered, hybrid cloud approach. An advanced edge detection capability plus hybrid mitigation appliance and burstable cloud-based mitigation is needed. Detection must work hand in hand with deep analytics so that you always have situational visibility.

DDoS is Cloud-Scaling. So Should Defense

DDoS attacks are using cloud-scale concepts (distributed components on horizontally scalable internet-connected computing). Unfortunately, DDoS defenses have long been bound by the limits of scale-up, appliance-only architectures. However, that is changing.

Now it's possible to utilize the power of cloud and big data to get DDoS detection that is far more accurate than appliance-based solutions, plus get deep analytics and automation of hybrid cloud mitigation options. Hybrid cloud mitigation combines on-premises mitigation with bursting to cloud-based services when that's not enough.

Big data, cloud-scale systems are more accurate because they are both more comprehensive and more algorithmically sophisticated than was ever possible with a single appliance's computing power. Assembling that kind of computational power would be prohibitively expensive using appliances, but the economics of multi-tenant SaaS makes super-powerful DDoS detection and network analytics far more affordable.

The reality is that IoT botnets are a large threat. Network managers should realistically assess business risk and vulnerability to DDoS, and invest in the right level of protection. Thankfully, the continued evolution of cloud-based detection and hybrid mitigation offers IT leaders more powerful and cost-efficient options to ensure the most effective defense.


About the Author

Avi has decades of experience as a leading technologist and executive in networking. He was with Akamai for over a decade, as VP Network Infrastructure and then Chief Network Scientist. Prior to that, Avi started Philadelphia's first ISP (netaxs) in 1992, later running the network at AboveNet and serving as CTO for ServerCentral.

avi freedman kentik 

Published Thursday, November 17, 2016 7:01 AM by David Marshall
There are no comments for this post.
To post a comment, you must be a registered user. Registration is free and easy! Sign up now!
<November 2016>