Learning from Dyn and Mirai: defeating IoT botnets

We usually don’t expect our websites and services to become collateral damage thanks to a popular gaming server.

By James Nunns

In this day and age, cyberattacks can come from directions you would never expect. We are all aware of threats from ransomware, nation-state actors, industrial espionage, or hacker collectives looking for personal information (credit card details in particular). However, we usually don’t expect our websites and services to become collateral damage thanks to a popular gaming server. 

Enter the rise of the Mirai botnet, its hostile shutdown of Minecraft gaming servers, and its subsequent attacks on the cloud DNS provider Dyn in October 2016. According to a report by security journalist Brian Krebs, versions of Mirai were being launched against Minecraft servers by competing Minecraft security organisations in order to woo customers from one another. Mirai takes advantage of unprotected Internet of Things devices such as CCTV cameras, routers, DVRs, or even baby monitors. The botnet is able to rapidly overwhelm DNS servers with requests, cutting users off from the services they want to use, which is the definition of a distributed denial of service (DDoS) attack.

The Dyn attack, carried out in one day, utilised more than 500,000 devices and pushed many popular services offline for hours; Twitter, Reddit and the BBC, to name a few. The difference between this attack and prior botnets was its scale, as well as the hijacking of unsecured IoT devices (versus the more ‘typical’ compromised PCs). Dyn will not be a lone case; it is merely the most recent and high-profile public example of a major attack, given the services that were affected. So, what can be done to defend networks and users from future attacks utilising consumer hardware?

First steps for protection: a hybrid approach

Protecting DNS services starts with adhering to the old adage of “Don’t put all your eggs in one basket”. It’s best not to rely on a single DNS host, and to use advanced DNS hardware to handle traffic and to identify and block attacks. This lends itself to a hybrid approach, where the DNS architecture is spread across multiple DNS servers. While this may require some effort to keep the servers in sync, it gives you the option of a continually running service for your users in the event that one of your DNS servers becomes inaccessible. (Note that some DNS servers handle updating the other DNS servers automatically, reducing the time needed to manage your DNS assets.)

In a hybrid DNS architecture, DNS servers are constantly active. If one server is affected or goes down, the service will automatically switch to another server. In the event of a DNS DDoS attack, users utilise the unaffected server – giving them uninterrupted access, while preventing automatic retries that multiply the effects of the initial attack.
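Keeping a zone in sync across several independent providers is the part of the hybrid approach that is easiest to get wrong. As an added illustration (not code from the article), the check below compares the RRsets served by each provider and counts how many distinct provider domains stand behind the apex NS records; the provider names, hostnames and records are constructed, and the per-provider record lists are assumed to have already been fetched (for example via zone transfer or per-name queries).

```python
from collections import defaultdict

# Constructed sample: one zone as served by two independent providers.
# provider-b is missing the MX record and serves a stale A record for www.
ZONE_VIEWS = {
    "provider-a": [
        ("example.test.", "NS", 3600, "ns1.provider-a.test."),
        ("example.test.", "NS", 3600, "ns1.provider-b.test."),
        ("www.example.test.", "A", 300, "192.0.2.10"),
        ("example.test.", "MX", 3600, "10 mail.example.test."),
    ],
    "provider-b": [
        ("example.test.", "NS", 3600, "ns1.provider-a.test."),
        ("example.test.", "NS", 3600, "ns1.provider-b.test."),
        ("www.example.test.", "A", 300, "192.0.2.99"),
    ],
}

def rrsets(records):
    """Group (name, type, ttl, rdata) tuples into RRsets keyed by (owner, type)."""
    sets = defaultdict(lambda: {"ttl": None, "rdata": set()})
    for name, rtype, ttl, rdata in records:
        key = (name.lower(), rtype.upper())
        sets[key]["ttl"] = ttl
        sets[key]["rdata"].add(rdata.lower())
    return sets

def zone_drift(views):
    """Return {(owner, type): {provider: issue}} for every RRset that is not
    identical across all providers; issue is 'missing', 'rdata differs' or 'ttl differs'."""
    parsed = {p: rrsets(r) for p, r in views.items()}
    keys = set().union(*(s.keys() for s in parsed.values()))
    drift = {}
    for key in keys:
        rdata_variants = {frozenset(s[key]["rdata"]) for s in parsed.values() if key in s}
        ttl_variants = {s[key]["ttl"] for s in parsed.values() if key in s}
        for p, s in parsed.items():
            if key not in s:
                drift.setdefault(key, {})[p] = "missing"
            elif len(rdata_variants) > 1:
                drift.setdefault(key, {})[p] = "rdata differs"
            elif len(ttl_variants) > 1:
                drift.setdefault(key, {})[p] = "ttl differs"
    return drift

def ns_providers(records):
    """Distinct registered domains behind the NS records: one means a single
    point of failure, two or more means the multi-provider layout described above."""
    hosts = {r.lower().rstrip(".") for _, t, _, r in records if t.upper() == "NS"}
    return {".".join(h.split(".")[-2:]) for h in hosts}
```

Run the drift check from a scheduled job after every zone change, and treat any non-empty result, or an NS set that resolves to a single provider, as an alert rather than a warning.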

Using the DNS protocol as a defence

The problem facing any organisation trying to defend against IoT botnets like Mirai is that consumer internet services are difficult to protect. They’re open by design, and most active users are not considering the hardware they’re using, nor are they employing a security model beyond a basic firewall built into a router. Individuals can’t be expected or relied upon to keep their networks secure or IoT hardware up to date. Vendors may also not provide patches and bug fixes in a timely fashion, making matters worse. This all equates to an environment that’s become increasingly hard to manage.

So how can the internet be shielded from this growing risk? ISPs can adopt a stronger stance on network security, with more stringent controls on user networks and customer premises equipment (CPE). Their network hardware can also be leveraged to detect common attack patterns.


DNS security tools can go to work once compromised networks are identified. Using technologies like IPAM, they switch a customer’s CPE from an open network to one more restricted, with the ability to filter botnet command and control packets. They can also arm users with access to tools to help rectify their network, while helping to identify and update compromised hardware, in turn disrupting the structure of the botnet itself.

This approach is not without risk, as it inherently changes the relationship between the ISP and its customer, and can be seen as inserting undue interference. For it to work, it should be handled at a regional level in cooperation with other ISPs, and would become part of the contract agreement between user and service provider.

Collaborative defence efforts by Services and ISPs

If services and ISP solutions like these are brought together, along with an industry-wide commitment on an approach to IoT updating and servicing, we may have a valid solution. Key elements would include:

  • Advanced DNS services for absorbing DDoS traffic
  • Using multiple DNS services to ensure key service continuity
  • Using a DNS security layer for CPE, which is linked to detect attack patterns
  • Consumer ISP quarantine services that are linked to simple IoT hardware update services

Massive DNS DDoS attacks like those on Dyn can’t be prevented with a singular action. They’re far too large a threat in scale, and will require service providers, consumers, hardware vendors, and ISPs to join forces in order to deliver a functional solution.
