It's been an interesting few days. Brian Krebs had his website taken down by the largest Distributed Denial of Service (DDoS) attack ever seen. It massed some 665 Gbps of traffic that assaulted Akamai like a storm that couldn't be stopped. Researchers have been working to find out how this attack was pulled off, especially considering that it was nearly twice the size of the largest DDoS attack Akamai had ever seen. A news article late Friday said that the attack likely came from IoT devices repurposed for packet flooding.
Most of the recent DDoS attacks have come from booter/stresser services or from reflection and amplification abuse of UDP-based services like DNS or NTP. For the attack vector to shift to IoT means that nefarious groups have realized the potential of these devices. They sit in the network, communicating with cloud servers to relay data to apps on smartphones or tablets. These thermostats, clocks, cameras, and other assorted gadgets don't consume much bandwidth in normal operation. But just like any other device, they are capable of flooding the network under the right conditions, and a compromised device can be told to send as fast as its uplink allows. Multiply that by the number of smart devices being deployed today and you can see the potential for destruction.
What can IT professionals do? How do these devices, often consumer-focused, fit into your plans? How can you keep them from destroying your network, or worse yet, destroying someone else's in an unwitting attack?
Thankfully, tools already exist to help you out. Rather than hoping that device manufacturers are going to wake up and give you extra controls for the enterprise, you can proactively start monitoring those devices today. These IoT things still need IP addresses to communicate with the world. By setting your monitoring systems to sweep periodically for them (and by checking DHCP lease logs and ARP tables, which catch devices that don't answer a ping), you can find them as they are brought onto the network. With tools like those at SolarWinds, you can also trend those devices to learn what their normal traffic load is and see when it bursts well beyond what they should be sending. The baseline has to be per device, not per network: a camera streaming a few megabits is normal, while a thermostat doing the same is not. By knowing what things should be doing, you can be alerted immediately when something isn't normal.
These tools can also help you plan your network so that you can take devices offline or rate limit them to prevent huge traffic spikes from ever becoming an issue. You can then wait for the manufacturer to patch them, or create policies for their use that prevent them from causing harm. Evidence from a series of traces of misbehaving devices on your network can be a great way to convince management that you need to change the way things work with regard to IoT devices, or to ensure that you have an IoT policy in place to begin with.
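Here is what the discovery, baselining and quarantine steps in the two paragraphs above look like when reduced to code. This is an added example written for this post, not SolarWinds code and not something the original author published; the sweep results, device names, addresses and per-minute byte counts are all constructed sample data, and the threshold constants (k, min_ratio, floor_bytes) are tuning assumptions you would adjust for your own segments.

```python
"""Added example (not from the original post): find newly attached devices from
periodic sweeps and flag hosts whose traffic bursts far beyond their own baseline.
All device names, addresses and byte counts below are constructed sample data."""
from statistics import median
from typing import Dict, List, Set, Tuple

Host = Tuple[str, str]  # (ip, mac) as a discovery sweep would report it

# Two constructed sweeps of the same /24. A camera appears between them.
SWEEP_T0: Set[Host] = {
    ("10.0.20.11", "00:11:22:33:44:01"),
    ("10.0.20.12", "00:11:22:33:44:02"),
}
SWEEP_T1: Set[Host] = SWEEP_T0 | {("10.0.20.37", "00:11:22:33:44:37")}

# Constructed outbound bytes per minute, twelve one-minute samples per device.
# The camera's last sample is a flood (roughly 64 Mbps sustained for the minute).
TRAFFIC: Dict[str, List[int]] = {
    "thermostat-10.0.20.11": [52_000, 48_000, 51_000, 55_000, 49_000, 50_000,
                              53_000, 47_000, 52_000, 50_000, 51_000, 49_000],
    "camera-10.0.20.37": [1_900_000, 2_100_000, 2_000_000, 1_950_000, 2_050_000,
                          2_000_000, 1_980_000, 2_020_000, 2_000_000, 1_990_000,
                          2_010_000, 480_000_000],
}


def new_devices(previous: Set[Host], current: Set[Host]) -> Set[Host]:
    """Hosts seen in the current sweep that were absent from the previous one."""
    return current - previous


def baseline(samples: List[int]) -> Tuple[float, float]:
    """Median and median absolute deviation (MAD) of a device's own history.

    Robust statistics are used on purpose: a mean/stddev baseline is pulled up
    by the very burst we are trying to detect, so the attack would hide itself."""
    med = median(samples)
    mad = median(abs(s - med) for s in samples)
    return med, mad


def burst_threshold(samples: List[int], k: float = 10.0,
                    min_ratio: float = 5.0, floor_bytes: int = 1_000_000) -> float:
    """Bytes per minute above which a sample counts as a burst for this device.

    Three guards are combined (constants are tuning assumptions):
      - median + k * MAD    : statistical outlier for this device's own history
      - min_ratio * median  : avoids alerting on devices whose MAD is near zero
      - floor_bytes         : ignores tiny absolute jumps (a clock going from
                              5 KB to 50 KB per minute is not a DDoS)
    """
    med, mad = baseline(samples)
    return max(med + k * mad, min_ratio * med, float(floor_bytes))


def detect_bursts(traffic: Dict[str, List[int]]) -> Dict[str, List[int]]:
    """Map each bursting device to the indices of its bursting samples."""
    findings: Dict[str, List[int]] = {}
    for device, samples in traffic.items():
        limit = burst_threshold(samples)
        hits = [i for i, s in enumerate(samples) if s > limit]
        if hits:
            findings[device] = hits
    return findings


def quarantine_candidates(traffic: Dict[str, List[int]]) -> List[str]:
    """Devices to rate limit or take offline: the input to the policy step."""
    return sorted(detect_bursts(traffic))


if __name__ == "__main__":
    for ip, mac in sorted(new_devices(SWEEP_T0, SWEEP_T1)):
        print(f"new device: {ip} ({mac})")
    for device, idx in detect_bursts(TRAFFIC).items():
        med, _ = baseline(TRAFFIC[device])
        print(f"burst on {device}: samples {idx}, baseline {med:,.0f} B/min")
    print("quarantine:", quarantine_candidates(TRAFFIC))
```

Run against the constructed data, the script reports the camera as a new device, flags only its final sample as a burst (its baseline is 2 MB/min, the threshold works out to 10 MB/min), and leaves the thermostat alone. The absolute floor is the caveat to watch: it stops a tiny device's noise from paging you, but it also means a 10x jump on a very low-bandwidth device is ignored, so set it per segment rather than globally.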
All that's required for the bad guys to use your network for their evil schemes is for networking professionals to do nothing. Make sure you know what's going on in your network so that complacency doesn't leave you surprised.