Partners Warn Against Application Layer DDoS Attacks Targeting IoT Devices

The channel plays a critical role in educating customers of the security risks inherent in deploying Internet of Things devices, especially as distributed denial-of-service (DDoS) attacks continually evolve, solution providers told CRN.

"We're seeing devices on the market that are perfectly tailored for DDoS," said Doug Grosfield, CEO of Five Nines IT Solutions, a Kitchener, Ontario strategic service provider. "The IT providers hold the responsibility to secure the network with overarching security procedures. From a partner's perspective, we're always the ones that need to be the voice of reason there. Education is the key part of this."

Distributed denial of service attacks, launched through IoT devices, are continually evolving. While the attacks have targeted the network layer, they are more commonly attacking the application layer, possibly because it costs less for attackers to execute and requires fewer botnet resources.

[Related: Massive DDoS Attack On U.S. College Throws IoT Security Into The Spotlight -- Again]

While network layer attacks rapidly flood a network or server with data packets and other traffic, consuming all of its available resources, application layer attacks tend to exhaust computing resources, such as CPUs, so that servers stop answering new requests. Application layer attacks are not volumetric. They're slow and stealthy, exhausting resources and eventually crashing application services.

Application layer DDoS attacks are becoming more common, as attacks on vulnerable IoT devices are continually evolve, according security firm Burlington, Mass.-based Arbor Networks.

"For [customer] best practices, you need to pick partners that are doing their research, pay attention to what's going on in the attack landscape, so you're not taken by surprise tomorrow," said Tom Beinkowski, director of DDoS product marketing at Arbor Networks.

Most recently, a DDoS attack on an unnamed U.S. college in February, which was recently made public by web application security company Incapsula, affected the college's network for "54 hours straight" – indicating that the offenders are becoming more adept at launching application-layer assaults on vulnerable IoT devices.

Redwood Shores, Calif. Incapsula said the DDoS bots used in the attack were hiding behind different user agents than the five hard-coded in the default Mirai version. The attack may have exploited open telnet ports and TR-069 ports on the vulnerable IoT devices. The DDoS attack on the U.S. college could indicate that IoT attacks are being modified to launch more elaborate – and larger – application-layer attacks, according to Incapsula.

As attackers continue to evolve and change their methods, partners play a critical role in raising awareness about Internet of Things security risks for customers, such as the cost of downtime.

"We need to protect and educate our clients as best we can," said Marc Harrison, president of Silicon East, a Manalapan, N.J.-based solution provider. "Once the attack is underway, from the receiving side there's nothing they can do. Their ISP can cover off the traffic if it is coming from specific internet addresses. But if it's distributed attacks coming from millions of devices, it's too late."