IoT and Ransom Denial of Service Attacks
I was doing some research on IoT and DDoS attacks. As part of that research, I conducted an email interview with Carl Herberger, VP of Security Solutions at Radware. Rather than talk about DDoS attacks, Herberger told me about ransom denial of service (RDoS) attacks, a term I was unfamiliar with. He explained:
In an RDoS attack, the perpetrators send a letter threatening to attack an organization — rendering its business, operations or capability unavailable — unless a ransom is paid by the deadline. These attacks have grown in number every year since 2010 and typically come in the form of a volumetric distributed denial-of-service (DDoS) attack. However, it is increasingly in vogue to find techniques that are more piercing and more efficient without generating large volumes. The most advanced attacks combine both volume and non-volume cyberattack techniques.
It’s a type of attack that IT professionals are concerned about, according to a study released this summer by Corero Network Security. As the Tripwire State of Security blog reported, 80 percent of respondents worry that their company will be the target of an RDoS attack within the year, and 43 percent of those expect to pay the ransom.
This fits in with what Herberger told me, that RDoS attacks, as well as the more commonly known ransomware attacks, are happening every day. As he said to me, while other types of attacks tend to take a long time to detect and defend, ransomware and RDoS threats shout, “I’m an attack and I’m right here!” You have no choice but to drop everything and address it immediately.
I asked Herberger what types of IoT devices are most commonly hit with the malware that causes these attacks. After all, when the Mirai malware took down Dyn, it was reported that cameras were the IoT devices targeted to be turned into botnets. Herberger said the type of devices that can be vulnerable is not as relevant as the type of code the devices are running:
Many of today’s IoT devices use standard operating systems or protocols such as Linux and Remote Code Execution (RCE) capabilities. Darknet marketplaces often offer a number of exploit codes for sale, which range from a local privilege escalation on Windows 8.1 to a single-message DoS exploit on Telegram. Attackers can also find exploits, such as an RCE that allows upload of a bot to a large quantity of vulnerable routers.
When I wanted to know how companies can best defend themselves from this type of attack, Herberger emphatically fell into the “don’t pay the ransom” camp, stating that paying the ransom often leads to prolonged or repeated attacks. Instead, he advised adopting a strong security posture and becoming less of a target by using the following tips:
Protect Against Availability Attacks. Given the clear and significant correlation between downtime and loss of revenue, avoiding outage resulting from availability attacks should be at the top of the list for any business. With a wealth of sensitive data, it’s not uncommon to be overly focused on data confidentiality and integrity. But with the growth in frequency and severity of DDoS and RDoS attacks, proactive protection is a must.
Prepare for Encrypted Attacks. Attacks leveraging encrypted traffic as an attack vector are on the rise. Small businesses should ensure they can address the needs of high-capacity mitigation, support all common versions of SSL and TLS, and isolate suspicious encrypted traffic using behavioral analysis to limit legitimate user impact.
Implement IP-Agnostic Protection. Malicious actors have turned IP address spoofing into an art form with the goal of masquerading as seemingly legitimate users based on geo-location or positive reputational information about IP addresses they are able to compromise. Businesses should look for solutions that use device fingerprinting technology to gather IP-agnostic information about the source.