Vulnerable Wireless Device Detection for DDoS BOTNETs

Don’t let your enterprise infrastructure participate in the next wave of massive DDoS attacks.

News stories in recent weeks have brought attention to massive DDoS (distributed denial of service) attacks leveled at infrastructure and media sites like the security blog KrebsonSecurity as well as the French hosting company OVH and the DNS company DYN. Attacks in excess of 700Gbps have been recorded, ten times the size of typical ‘large’ DDoS attacks and twice the size of the previously seen largest denial of service attack.

Excerpts from "You May Have Helped Crash the Internet. But How Would You Know?" by Bernadette Tansey, October 31st, 2016

Risley, the CEO of security company Bastille, is one of the cyber defense experts who have been analyzing an attack on Manchester, NH-based Internet performance management company Dyn, which was the target of a denial-of-service attack Oct. 21 that blocked Web traffic to its customers, such as Twitter.

“It took little sophistication to find devices like yours or your neighbor’s that could be made to fire a fusillade of messages to disable Dyn,” Risley says, “because most owners leave their devices so vulnerable.”

“Some devices were merely plugged in by users and allowed to keep their default username and password,” Risley says. A sample default setting might be “admin” and “password” for user name and password, he says. “The attackers merely had their computers try the default credentials on every device they discovered.”

Chris Risley, CEO of Bastille, interviewed by Xconomy on the recent DNS DDoS attack.

What changed? Behind these massive attacks are connected IoT devices such as cameras, security DVRs (Digital Video Recorders), Network Video Recorders (NVRs) and Network Attached Storage (NAS). Although many of these devices sit in homes, it has been reported that over 70% of the attack traffic came from devices located inside enterprises. This comes as no surprise to the security experts who have followed the evolution of DDoS attacks over the last decade.

Time and again we have seen the source of DDoS attacks migrate from the consumer home space to the enterprise. Attackers know that enterprises have high-bandwidth ‘pipes’ which can deliver far more DDoS traffic to the victim. Enterprise and consumer IoT devices, including wireless webcams and security DVRs, share similar vulnerabilities, with multiple default usernames and passwords. Once compromised, enterprise equipment can be used as an unknowing participant in a large-scale attack on the Internet, damaging the unwitting source company’s reputation and credibility.

It is imperative that enterprises, especially the Fortune 2000, understand what wireless devices are operating in their airspace and whether these devices could be used in the inevitable next wave of DDoS attacks.

In the case of the DDoS attack on Dyn, the attacker generated much of the attack traffic from compromised IP cameras and Security Digital Recorders. Some of those IP cameras had been left with their default usernames and passwords. Other, more responsible, owners had taken the trouble to change their username and password using the camera’s web application. However, in addition to web access, many of these cameras and security DVRs also allowed Telnet and SSH access. Users didn’t change those passwords because they didn’t know that those access protocols were present.
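The pattern described above, an attacker trying factory-default usernames against the Telnet and SSH consoles of every device it can find, is something an enterprise can watch for in its own authentication telemetry. The following is an added example, not code from the original article or from Bastille: it assumes a constructed log format (one line per login attempt with src, dst, port, user and result fields), constructed sample lines, and an illustrative list of default usernames, and it flags any source that hits the Telnet/SSH consoles of several distinct devices with default usernames inside a short window, listing which devices accepted the login.

```python
import re
from collections import defaultdict
from datetime import datetime
# Constructed sample log (not from the original page): a sensor recording login
# attempts against IoT management ports inside the enterprise. Assumed format:
# "<ISO time> src=<ip> dst=<ip> port=<n> user=<name> result=<ok|fail>"
SAMPLE_LOG = """\
2016-10-21T11:00:01 src=203.0.113.7 dst=10.0.5.11 port=23 user=admin result=fail
2016-10-21T11:00:02 src=203.0.113.7 dst=10.0.5.12 port=23 user=root result=fail
2016-10-21T11:00:03 src=203.0.113.7 dst=10.0.5.13 port=23 user=admin result=ok
2016-10-21T11:00:04 src=203.0.113.7 dst=10.0.5.14 port=22 user=admin result=fail
2016-10-21T11:05:00 src=10.0.1.20 dst=10.0.5.11 port=22 user=jsmith result=ok
2016-10-21T11:06:00 src=10.0.1.21 dst=10.0.5.12 port=80 user=admin result=fail
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) port=(?P<port>\d+) "
                     r"user=(?P<user>\S+) result=(?P<result>ok|fail)$")
# Illustrative factory-default usernames seen on cameras and DVRs (assumed list).
DEFAULT_USERS = {"admin", "root", "user", "guest", "support"}
# Telnet and SSH: the consoles the article says owners forget to re-password.
CONSOLE_PORTS = {22, 23}

def parse(log_text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["port"] = int(ev["port"])
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            yield ev

def find_credential_sweeps(log_text, min_devices=3, window_s=300):
    """Flag sources trying default usernames on Telnet/SSH against at least min_devices
    distinct devices within window_s seconds. Returns {src: {"devices": n, "succeeded": [dst]}}."""
    by_src = defaultdict(list)
    for ev in parse(log_text):
        if ev["port"] in CONSOLE_PORTS and ev["user"] in DEFAULT_USERS:
            by_src[ev["src"]].append(ev)
    alerts = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):  # slide a window starting at each event
            window = [e for e in evs[i:] if (e["ts"] - first["ts"]).total_seconds() <= window_s]
            targets = {e["dst"] for e in window}
            if len(targets) >= min_devices:
                alerts[src] = {"devices": len(targets),
                               "succeeded": sorted(e["dst"] for e in window if e["result"] == "ok")}
                break
    return alerts
```

Devices listed under "succeeded" are the ones whose console still accepts a default login and need their Telnet/SSH credentials changed, not just the web password.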

How did Enterprise teams miss the vulnerability?

First, it is hard to inventory and manage what you can’t see. IoT devices are brought into the Enterprise environment not just by the current IT and security teams, but by contractors and employees, and installed in remote as well as prominent locations.

Second, when a new piece of equipment comes with an Ethernet console, the Enterprise team typically immediately changes the username and password. However, that same equipment may also have a ZigBee radio console, which the Enterprise doesn’t even know about. That console is operating with the default username and password and is vulnerable to attack. Attackers using ZigBee Control Consoles can take control of the equipment from outside the building!

So how can you know what wireless devices have been installed within your Enterprise by your current or previous employees, partners, vendors, contractors, visitors or customers?