Vulnerable Wireless Device Detection for DDoS BOTNETs
Don’t let your enterprise infrastructure participate in the next wave of massive DDoS attacks.
News stories in recent weeks have brought attention to massive DDoS (distributed denial of service) attacks aimed at infrastructure and media sites: the security blog KrebsOnSecurity, the French hosting company OVH and the DNS provider Dyn. Attacks in excess of 700 Gbps have been recorded, roughly ten times the size of a typical 'large' DDoS attack and twice the size of the largest denial of service attack seen before them.
What changed? Behind these attacks are Internet-connected IoT devices: IP cameras, security DVRs (digital video recorders), network video recorders (NVRs) and network-attached storage (NAS). While many such devices sit in homes, it has been reported that over 70% of the attack traffic came from devices inside enterprise networks. That comes as no surprise to the security practitioners who have followed the evolution of DDoS attacks over the last decade.
Time and again the source of DDoS traffic has shifted from the consumer home to the enterprise. Attackers know that enterprises have high-bandwidth pipes that can deliver far more attack traffic to a victim. Enterprise and consumer IoT devices, wireless webcams and security DVRs included, share the same weakness: factory-default usernames and passwords, often more than one set per device. Once compromised, enterprise equipment becomes an unwitting participant in a large-scale attack on the Internet, damaging the reputation and credibility of the company the traffic came from.
It is imperative that enterprises, especially the Fortune 2000, know what wireless devices are operating in their airspace and whether those devices could be conscripted into the inevitable next wave of DDoS attacks.
In the Dyn attack, much of the traffic was generated by compromised IP cameras and security DVRs. Some of those cameras had been left with their default usernames and passwords. Other, more diligent owners had changed the username and password through the camera's web interface. But in addition to web access, many of these cameras and DVRs also accept Telnet and SSH logins, and changing the web password does not change the credentials those services accept. Owners never changed them because they didn't know the services were there.
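The Telnet-login gap just described, as an added example (this is not code from the original article and not any vendor's tool): a Python checker that drives a Telnet login the way an attacker's scanner would, run offline against a constructed in-memory model of a DVR whose web password was changed but whose Telnet service still honours a factory default. The device model, its prompts, the device names and the DEFAULT_CREDS list are all assumptions made for illustration; SocketTelnetConn provides the same recv/send interface over a real TCP socket for equipment you are authorised to test.

```python
"""Telnet default-credential check, added as an example to this article.

Not the article's own code and not a vendor tool. It models the failure the
text describes: a camera/DVR whose web password was rotated while its Telnet
service still accepts a factory default. The device model, the prompts and
the credential list are constructed for illustration.
"""
import re
import socket

# Constructed sample of factory defaults (hypothetical; not a real vendor list).
DEFAULT_CREDS = [("admin", "admin"), ("root", "root"), ("admin", "1234")]

SHELL_PROMPT = re.compile(r"[#$] ?$")  # banner ending in a shell prompt
FAIL_MARKERS = ("incorrect", "invalid", "failed", "denied")


class FakeTelnetDevice:
    """In-memory stand-in for the Telnet login of an embedded DVR/camera.

    `accepted` holds the (user, password) pairs the firmware honours on port
    23. The web-UI password plays no part here, which is the article's point.
    """

    def __init__(self, accepted):
        self.accepted = set(accepted)
        self.state = "user"  # user -> pass -> shell
        self.user = None
        self.banner = "login: "

    def recv(self):
        return self.banner

    def send(self, line):
        line = line.strip()
        if self.state == "user":
            self.user, self.state, self.banner = line, "pass", "Password: "
        elif self.state == "pass":
            if (self.user, line) in self.accepted:
                self.state, self.banner = "shell", "BusyBox built-in shell (ash)\n# "
            else:
                self.state, self.banner = "user", "Login incorrect\nlogin: "


class SocketTelnetConn:
    """Same recv/send interface over a real TCP connection to port 23.

    Only for hosts you are authorised to test. Strips the common Telnet
    option-negotiation triplets (IAC WILL/WONT/DO/DONT <opt>) so prompts match.
    """
    IAC_TRIPLET = re.compile(rb"\xff[\xfb-\xfe].", re.DOTALL)

    def __init__(self, host, port=23, timeout=5.0):
        self.sock = socket.create_connection((host, port), timeout=timeout)

    def recv(self):
        try:
            data = self.sock.recv(4096)
        except socket.timeout:
            data = b""
        return self.IAC_TRIPLET.sub(b"", data).decode("latin-1")

    def send(self, line):
        self.sock.sendall(line.encode("latin-1"))


def try_login(conn, user, password):
    """Drive one Telnet login; return True only if a shell prompt comes back."""
    prompt = conn.recv().lower()
    if "login" not in prompt and "username" not in prompt:
        return False
    conn.send(user + "\r\n")
    if "password" not in conn.recv().lower():
        return False
    conn.send(password + "\r\n")
    reply = conn.recv()
    return bool(SHELL_PROMPT.search(reply)) and not any(
        m in reply.lower() for m in FAIL_MARKERS)


def find_default_creds(conn, creds=DEFAULT_CREDS):
    """Return the first default (user, password) pair that yields a shell, else None."""
    for user, password in creds:
        if try_login(conn, user, password):
            return (user, password)
    return None


def run_sample_assessment():
    """Two constructed devices: one still on a Telnet default, one rotated."""
    fleet = {
        "cam-lobby-01": FakeTelnetDevice([("admin", "admin")]),
        "dvr-loading-dock": FakeTelnetDevice([("root", "S7rong!Pass")]),
    }
    return {name: find_default_creds(dev) for name, dev in fleet.items()}


if __name__ == "__main__":
    for name, hit in run_sample_assessment().items():
        status = f"DEFAULT TELNET LOGIN {hit}" if hit else "no default accepted"
        print(f"{name:18s} {status}")
```

The check deliberately judges success by the appearance of a shell prompt rather than by the absence of an error string, because embedded logins vary in their failure wording. Run it against a FakeTelnetDevice to see the logic; to run it against your own camera or DVR, pass `SocketTelnetConn(host)` in place of the fake. SSH deserves the same treatment with the same credential list.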
How did enterprise teams miss the vulnerability?
First, you cannot inventory or manage what you cannot see. IoT devices enter the enterprise not only through the IT and security teams but through contractors and employees, and they are installed in out-of-the-way locations as well as prominent ones.
Second, when a new piece of equipment comes with an Ethernet console, the enterprise team typically changes its username and password right away. But the same equipment may also carry a ZigBee radio console that the enterprise doesn't even know about. That console is still running with its factory-default username and password, and because radio does not stop at the wall, an attacker with a ZigBee control console can take control of the equipment from outside the building.
So how can you know what wireless devices have been installed within your enterprise by current or former employees, partners, vendors, contractors, visitors or customers?