Using DNS to Defend Against IoT Botnets

Sometimes cyberattacks come from a direction you weren’t really expecting. We all know about threats from ransomware, nation-state actors, industrial espionage, or hacker collectives looking for personally-identifiable information (particularly for credit cards). But we probably weren’t expecting our sites and services to be collateral damage in a small but nasty war in the world of Minecraft gaming server providers.

That’s what seems to be the reason for the rise of the Mirai botnet, and its attacks on the Dyn cloud DNS provider and the French hosting service OVH in October 2016, according to a report by security journalist Brian Krebs. Perhaps best thought of as a digital version of the classic organized crime protection racket, botnets were being used to encourage Minecraft server owners to sign up to the botnet owners’ DDoS protection services.

Using the Mirai botnet- which took advantage of unprotected firmware in certain IoT devices-attackers were able to quickly flood DNS servers, making it impossible for users to contact the services they wanted to use (most of which weren’t Minecraft servers!). The botnet used in the attack on OVH involved over 170,000 compromised devices, from all over the world.

What was different about these attacks was their scale, and their use of unprotected IoT devices, rather than compromised PCs. So how can we defend our networks and our users against attacks that take advantage of consumer hardware?

What can be done?

The first option is protecting your DNS services by implementing the approach we talked about in a previous blog. It’s a good idea not to rely on a single host for your DNS, and where possible to use advanced DNS hardware that can handle very high traffic, as well as identifying and blocking attacks.

While defending your own systems is important, is there anything else that can be done to stop the problem at its source?

DNS as an active botnet defense

There’s a big problem facing anyone trying to defend against IoT botnets like Mirai: consumer internet services are hard to protect. They’re intended to be open by design, and most users don’t consider the hardware they’re using, or use a security model beyond a basic NAT firewall built into a router.

That means we can’t expect users to keep their networks secure, or their IoT hardware up to date. The latter is made harder by vendors who may not provide appropriate patches in a timely fashion. When it can take 20 minutes or more to update a lightbulb’s firmware, there’s an underlying disincentive to keeping home IoT hardware up to date. It all adds up to an environment that’s increasingly hostile, and hard to manage.

How do we protect the wider internet from this risk? One option is for ISP’s to take a stronger stance on securing their networks, with stricter controls for customer premises equipment (CPE) and for user networks. Hardware in their networks can be used to detect common attack patterns, especially from known botnets like Mirai.

Once compromised networks have been identified, DNS security tools can use technologies like IPAM to switch the customer’s CPE from an open network to one that’s more restricted and able to both filter botnet command and control packets. It can also provide users with quick access to tools and techniques to help remediate their network; assisting them in identifying and updating compromised hardware, while disrupting the botnet structure.

There is a risk associated with this approach, as it changes the relationship between the ISP and the customer, and could be seen as undue interference. If it’s to be used, it will need to be handled in conjunction with other ISPs at a regional level, and will need to become part of the contract between user and service provider.

Services and ISPs working together to defend the Internet

If we can bring service and ISP solutions like these together, along with an industry-wide approach to IoT updates and servicing, we might just have a solution.

The key elements of a solution are:

1. Advanced DNS services that can handle DDoS traffic
2. Using multiple DNS services for key services to ensure their continuity
3. Use a DNS security layer for CPE, linked to attack pattern detection
4. Consumer ISP quarantine services linked to easy update services for IoT hardware

Preventing massive-scale botnet DNS DDoS attacks like those delivered by Mirai can’t be solved by just one action. They’re an internet-scale threat that require service providers, consumers, hardware vendors, and ISPs to collaborate in order to deliver a multi-faceted solution.