United States: Six Proposals To Stop IoT-Based DDoS Attacks

Last Updated: November 16 2016
Article by Randal L. Gainer

On Oct. 21, 2016, an extremely large distributed denial-of-service (DDoS) attack on Dyn prevented many internet users on the East Coast of the U.S. from accessing websites such as Netflix, PayPal, Spotify and Twitter for several hours. Dyn provides domain name system (DNS) services to other businesses. DNS services resolve web addresses into IP addresses, which is necessary for users' web browsers to connect with web providers' servers. The DDoS attack on Dyn was reportedly similar to the 620 gigabits of traffic per second that targeted Brian Krebs' website, KrebsOnSecurity, on Sept. 20, 2016. Later in September 2016, a DDoS attack against webhost provider OVH broke the record for largest recorded DDoS attack, with attack rates of at least 1.1 terabits per second.

These historically large DDoS attacks were made possible when attackers used the "Mirai" malware to capture internet of things (IoT) devices and herd them into botnet armies that attackers used to send massive amounts of traffic to targeted servers. The IoT devices used in the attacks were primarily internet-connected cameras but also included internet routers, digital video recorders and internet-connected printers. The attackers' tasks were made easier, as Brian Krebs reported, because the devices were deployed with standard default user names and passwords, which users had not changed. Even if users deployed the IoT device behind routers, which should have made them unreachable from the internet, the devices use technology known as universal plug and play (UPnP), which automatically opens ports to enable reaching the devices from the internet. If users had changed the default user names and passwords on the devices' web interfaces, that may not have changed the default user names and passwords for telnet or SSH access to the devices, which the Mirai malware uses to communicate with the devices.

The threat that additional DDoS attacks will be launched using Mirai malware and vulnerable IoT devices increased substantially when the source code for the Mirai malware was posted online at the end of September 2016.

According to Krebs, a Chinese company, XiongMai Technologies, admitted that it had sold networked cameras until September 2015 that were accessible by attackers using Mirai malware. XiongMai said that it planned to recall the vulnerable products.

Even if XiongMai recalls and replaces its pre-2015 devices with devices that cannot be compromised by Mirai or similar malware, billions of other vulnerable IoT devices will remain. U.S. Senator Mark Warner, in a letter to Federal Communications Commission (FCC) Chairman Tom Wheeler, quoted a Juniper Networks estimate that by the end of 2020 there will be 13.4 to 38.5 billion IoT devices. Roland Dobbins, a principal engineer at Arbor Networks, is quoted in Wired as stating, "I'm not worried about the future, I'm worried about the past, because there are all these zillions of devices out there that are ripe for exploitation."

Given that currently deployed IoT devices can serve as a platform for DDoS attacks that can take down large internet companies, the internet itself is at risk. As Senator Warner stated in his letter to Chairman Wheeler, "[w]hile the internet was not designed with security in mind, its resiliency – which serves as its animating principle – is now being undermined." Security expert Bruce Schneier was more blunt about the IoT DDoS threat: "We simply have to fix this. ... This problem is only going to get worse, and more expensive."

Senator Warner, Bruce Schneier and other experts have proposed several ways to address the IoT DDoS threat. Six proposed fixes, including their strengths and weaknesses, are discussed below.

  1. Senator Warner asked FCC Chairman Wheeler if the FCC could require ISPs to designate vulnerable IoT devices as "insecure" and deny them connections to the ISPs' networks. This potential fix could be implemented relatively quickly. The FCC may be able to issue such an order pursuant to the FCC's authority to regulate broadband access ISPs as entities providing telecommunications services. See In the matter of Protecting and Promoting the Open Internet, FCC GN Docket No. 12-28 ("Open Internet Order"), ¶¶ 47, 51 (2015). Even if a "no connection" order is possible, it would be only a partial solution. As Bruce Schneier points out, "attackers can just as easily build a botnet out of IoT devices from Asia as from the United States." Still, a relatively quick and partially effective approach could buy time for other proposed actions to gain ground. If the FCC responds positively to Senator Warner's suggestion, this approach could deny attackers the use of IoT devices in the U.S.
  2. Similarly, as Viktor Vitkowsky noted, the Federal Trade Commission (FTC) could find that manufacturers of insecure IoT devices have violated Section 5 of the FTC Act. In its January 2015 FTC Staff Report, at pages 11-12, the FTC recognized that IoT devices with security vulnerabilities "could be used to launch a denial of service attack." The successful prosecution of a Section 5 complaint by the FTC against an IoT manufacturer for inadequate security could cause other IoT manufacturers to recall and fix their devices. This approach would be limited to manufacturers over which the FTC has jurisdiction, just as the FCC's reach regarding "no connection" orders would be limited to ISPs within the FCC's jurisdiction. An enforcement effort by the FTC could, however, be implemented relatively quickly, could reduce the battalions of IoT devices in the attackers' botnet armies and could incentivize other IoT manufacturers to deploy secure devices.
  3. IoT owners could disable the features exploited by the attackers. Theoretically, owners of vulnerable IoT-connected cameras and other devices could learn to disconnect their devices from the internet, reboot the devices, and change the user names and passwords in the web interfaces of the devices. Because Mirai resides only in the devices' volatile memory, rebooting the devices clears the malware. Users may also learn that they need to disable the UPnP feature of the devices to prevent attackers from reinfecting the devices by accessing them through telnet and SSH after the web application user names and passwords have been changed. Some users may also block ports 23 (telnet), 2323 (telnet for some IoT devices) and 103 (used by Mirai as a backdoor). It seems unlikely, however, that most IoT users worldwide will take these steps. If some users do make these changes, it will decrease the number of devices available for DDoS attacks, but there is no historical precedent that should make anyone optimistic about users of IoT devices correcting the security flaws in the devices through self-help.
  4. Some commenters have proposed that businesses damaged by IoT-based DDoS attacks could bring civil claims, including product liability claims, in U.S. courts. An early case that included similar claims, Cahen v. Toyota Motor Corp., 147 F. Supp. 3d 955 (N.D. Cal. 2015), app. filed, No. 16-15496 (9th Cir. Mar. 23, 2016), did not fare well. The consumer car-buyer plaintiffs in Cahen alleged, among other things, that Toyota and GM violated California law by selling cars that were susceptible to hacking. The trial court dismissed the plaintiffs' claims for lack of standing and for failure to state a claim. Businesses damaged by DDoS attacks would presumably be able to establish standing and the damages component of their claims. It could be difficult, however, for such businesses to establish that a manufacturer of an IoT device is liable for such damages when the device user failed to take steps to secure the device and a criminal attacker exploited the security vulnerabilities. Further, even if a business were to succeed in obtaining a judgment against an IoT device manufacturer and succeed in defending the judgment on appeal, the case would take years to litigate. Although civil litigation could eventually establish precedents that would add additional incentives for IoT manufacturers to address security issues, as a remedy for the current, substantial DDoS threat, civil damages claims offer relief that would be too little and too late. If a business were to seek injunctive relief to try to stop an ongoing DDoS attack, it is unclear what companies would be proper defendants – all vulnerable IoT component suppliers, all device manufacturers and all ISPs? It also would appear challenging for a business damaged by an IoT-based DDoS attack to persuade a judge that the balance of equities favors forcing ISPs to identify and disconnect IoT devices.
  5. Criminal actions could be brought against the IoT-based DDoS attackers, either in U.S. courts or where the attackers reside. Criminal prosecution of DDoS attackers can be effective in eliminating the defendants as threats and in encouraging similar attackers to pursue other opportunities. That was demonstrated when two Israeli DDoS "booter" providers were arrested after Krebs disclosed their identities. (Booter providers use servers, not IoT devices, to launch DDoS attacks.) A few days later, one of the largest forums selling DDoS booter services, Hackforums.net, announced it was getting out of the DDoS business. The FBI and other law enforcement agencies are undoubtedly seeking to identify the individuals responsible for the recent, massive IoT-based DDoS attacks. It is notoriously difficult, however, to identify such individuals. The release of the Mirai source code makes the malware available to a large number of potential attackers who now do not need to write their own code to perform IoT-based DDoS attacks. Even if such attackers are identified, if they reside in Russia, the Russian government currently refuses to extradite cyber criminals. Criminal prosecution of DDoS attackers should be pursued, but there's little evidence it will stop IoT-based DDoS attacks.
  6. Senator Warner asked FCC Chairman Wheeler if IoT manufacturers should be required to abide by minimum technical security standards and if such standards should be set by the U.S. National Institute of Standards and Technology. Another commenter asked if such manufacturers should be required to obtain certification from an "internal organization validated by public authorities" to establish that their products do not have security flaws that would make them vulnerable to being used for DDoS attacks. As with several of the other proposed solutions, these proposals would take time to implement and would not address the billions of IoT devices with exploitable vulnerabilities that have already been deployed. As with other such remedies, they should be pursued, but the need for a more immediate solution to the risk cannot be ignored.
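Item 3 above is in effect a checklist a device owner can run against their own network. The script below is an added example, not the author's code: it checks hosts on a LAN you administer for the three ports item 3 names (TCP 23, 2323 and 103) and prints the owner steps for any host that answers. The CIDR argument, the thread count and the wording of the steps are assumptions.

```python
"""Audit hosts on a network you own for the exposure described in item 3:
telnet on TCP 23 or 2323, and TCP 103, the port the article names as Mirai's
backdoor. Hosts that accept connections on any of them are the ones to
disconnect, reboot (clearing the memory-resident malware), reconfigure and
firewall. Example code added to this article; not from the author.
"""
import ipaddress
import socket
import sys
from concurrent.futures import ThreadPoolExecutor

# Ports and their roles as given in item 3 of the article.
MIRAI_PORTS = {23: "telnet", 2323: "telnet (alternate)", 103: "Mirai backdoor"}


def port_accepts_connection(host, port, timeout=1.0):
    """True if host:port completes a TCP handshake within timeout seconds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, unreachable or timed out: not exposed
        return False


def audit_host(host, ports=MIRAI_PORTS, timeout=1.0):
    """Return the sorted list of ports (from `ports`) that accept connections."""
    return sorted(p for p in ports if port_accepts_connection(host, p, timeout))


def audit_network(hosts, ports=MIRAI_PORTS, timeout=1.0, workers=64):
    """Audit hosts concurrently; returns {host: [ports]} only for hosts with findings."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = pool.map(lambda h: (h, audit_host(h, ports, timeout)), hosts)
    return {host: exposed for host, exposed in results if exposed}


def owner_steps(exposed):
    """Map findings to the remediation steps listed in item 3 (wording assumed)."""
    steps = ["disconnect the device from the network, then reboot it to clear Mirai from memory",
             "change the default user name and password in the device's web interface"]
    if 23 in exposed or 2323 in exposed:
        steps.append("disable UPnP so the router stops forwarding telnet/SSH to the device")
        steps.append("block inbound TCP 23 and 2323 at the router")
    if 103 in exposed:
        steps.append("block inbound TCP 103 (Mirai backdoor) at the router")
    return steps


def main(argv):
    if len(argv) != 2:
        print(f"usage: {argv[0]} <CIDR of a LAN you own, e.g. 192.168.1.0/24>")
        return 2
    hosts = [str(ip) for ip in ipaddress.ip_network(argv[1], strict=False).hosts()]
    findings = audit_network(hosts)
    for host, exposed in sorted(findings.items()):
        roles = ", ".join(f"{p}/{MIRAI_PORTS[p]}" for p in exposed)
        print(f"{host}: accepting connections on {roles}")
        for step in owner_steps(exposed):
            print(f"    - {step}")
    print(f"{len(findings)} of {len(hosts)} hosts exposed")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A non-zero exit status when any host is exposed makes the script usable from a scheduled job that re-checks the network after the owner has applied the steps.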

In short, it appears that only action by the FCC or FTC can timely address the risk that attackers will continue to take down internet businesses by launching massive IoT-based DDoS attacks. Encouraging device owners to correct security flaws will probably do very little to reduce the risks of such attacks. Criminal prosecutions of the attackers are likely to remain infrequent and will therefore provide little deterrent effect. Civil claims by affected businesses and imposing security standards on IoT manufacturers could help reduce the risk over several years, but will not address the current threat. The magnitude of the IoT-based DDoS threat should cause the FCC and FTC to strongly consider taking action.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
