
Do IoT botnets provide a more cost-effective option for attackers who offer DDoS attacks as a service?

Abstract:
In the ever-changing world, change is the only constant. Cybercriminals are the best example of this phrase, continuously finding new techniques and exploiting the vulnerabilities of systems. The use of IoT botnets in the latest DDoS attacks is one of the prime examples of how attackers update their methods and techniques to accomplish their task.

The number of IoT devices has exploded in recent years, and they are very much favored by attackers for the creation of botnet armies. The vulnerabilities in IoT devices make them very attractive, but for a profitable business they should also be a very cost-effective solution. In this research paper we have tried to find out whether this is true or not.

Introduction:
In the history of cyber-attacks, DDoS attacks have been the most pertinacious and detrimental since their inception. The first DDoS attack, which occurred in 1974, was courtesy of a 13-year-old student named David Dennis at University High School, who was curious to see what it would look like to log off all the users present in a room at once [1].


That curiosity led to the first DDoS attack, but further down the road the motivation for attacking targets has changed. With the introduction of IRC channels, the fight for gaining super-user privileges led to attacks. The motivations have changed from curiosity to monetary gain and from personal to political gains. The latest report from Akamai states that there is a 28% increase in DDoS attacks in Q2 2017 as compared to Q1 2017 [2], and we may observe a growing trend in attacks in the future. The form of the hackers has also changed over this period, going from geeks or nerds to businessmen, by turning DDoS attacks into a service which can be hired by anyone.

With DDoS as a service, an attacker doesn't need technical knowledge or a background in computers to orchestrate the attacks. This opens many possibilities for how a DDoS attack can be used: a person may leverage it for personal or business profit against a competitor, a political party may hire it to influence the campaigns of other candidates, etc. Imagine a successful company "A" with its cash-cow product wants to launch a new scheme that could boost its online sales to new heights. The company decides on Thanksgiving week for the launch and is trying everything to make it successful, so that the customers have a wonderful, seamless experience. On the other hand, the business competitor "B" has also planned a similar campaign for their product and wants to maximize its profit as well.

They can't directly compete on the scale that their competitor "A" has planned, so they try to affect A's online sales for their own benefit. They hire a DDoS attack service at a cheap cost for a week, which impacts the sales of company "A" as it can't serve the requests of its customers. This helps company "B", as the frustrated customers from company A's website turn to theirs. Without any computer or technical knowledge, company B was able to execute the attack and take advantage of the timing of the sale. This DDoS attack not only cost company A its targeted sales goal but also placed a bad mark on the company's reputation. The company also had to bear the losses due to lost productivity, downtime and mitigation costs.

Company B, on the other hand, enjoyed the DDoS attack service at a very low price, with complete anonymity and a guarantee. This helped them boost their sales and profits and generated more sales revenue. The above-mentioned scenario is not hypothetical anymore and is happening on a day-to-day basis. There was a 10% increase in DDoS attacks in the year 2017 as compared to 2016 [3].

The report estimated the loss in revenue at over $2.5 million on average across organizations. DDoS attacks have not only turned out to be a profitable business but also a weapon that can be wielded by anyone with a motive to employ it. The report from Corero suggests that monthly attack attempts have increased by 91% as compared to Q1 2017 [4]. The transformation of the DDoS business model into a service, with cheaper cost and multiple options, provides a genuine reason for the high frequency of attacks being observed. With the increasing number of IoT devices, the reports have also suggested an increase in the number and frequency of DDoS attacks. From the figure below, the percentage of repeated DDoS attacks on the same company has increased to 73% in 2017 as compared to 60% in the year 2016.

Figure 1.

DDoS:
We have been discussing DDoS attacks in the previous section; here we look in more detail at what they are and how they function. A distributed denial of service attack, or DDoS, is an attack in which many compromised computer systems attack a targeted system. The target system can be a website, a server or a network resource. The compromised systems in a DDoS attack are labeled zombies or bots; they are under the control of the attackers and get activated only when the attacker needs them to.

The bots or zombies attack the target with forged requests which overwhelm the target system. The target system cannot service all the requests, or it services the bogus requests generated by the bots. In this scenario the genuine requests from customers are not serviced, and the customers face service disruptions. The attackers exploit the vulnerabilities in one system and make it a DDoS master. Once the master is formed, it continuously looks for other such vulnerable systems. When it encounters such a system, it converts the new system into its slave by infecting it, either by planting malware or by gaining control of the system through weak authentication controls (i.e. default passwords etc.).

The same process is repeated, and a network of devices is formed which are under the control of the intruder. The compromised systems are called bots, and the network of such devices is called a botnet. Complex DDoS attacks can also have multiple layers and hierarchies; in such a scenario there can be multiple masters, which in turn control a specific set of bots, as shown in figure 2. The botnets overload the target with bogus requests so that the requests from genuine users are not served.

This either leads to prolonged delays in processing requests or to crashing of the server, which in both cases causes loss to the business and creates a bad reputation as well.

Figure 2. Source: AWS Best Practices for DDoS Resiliency

DDoS as Service:
DDoS attacks as a service are now being offered on the darknet or clearnet, where anyone who has a motive for performing a DDoS attack can hire a botnet, instead of creating one from scratch, and execute the attack using it.

The user doesn't need a technical background or expertise in this field. The service providers have different plans and service offerings for their products due to the competition. Some of the price listings for the services offered by hackers on the darknet can be seen in Figure 3 [5]. The hackers have matured in the art of selling, or they may have hired marketing services from others. They provide guarantees and testing of the services too, and an option to pay for the services after usage and satisfaction of the customer. To overcome the competition, service providers have used different techniques such as kinky taglines on their websites stating "quick solutions to all your problems with the competitors and enemies" etc.

Figure 3.

As DDoS attack as a service is growing, the providers have come up with different service options; among them, 24/7 customer support, a standard component of the service industry, is now being introduced [6]. Figure 4 provides a statistic from a DDoS attack service provider, who has added statistics about his product which customers may find interesting.

Figure 4.

From the SecureWorks report we can observe a trend of increasing prices for DDoS attacks as compared to the years 2013 and 2014 in the image below. The prices mentioned below are from before the Mirai botnet attack. During this time, the DDoS mitigation services provided by different companies seem to have had this effect. It may also be possible that the attackers were planning something new and big related to DDoS attacks during this time. Post-Mirai, this trend seems to slide down for DDoS with the introduction of IoT devices. IoT devices may provide cheap options for the service providers to create, maintain and rent botnets at a profitable margin.

Figure 5.

Internet of Things:
IoT stands for Internet of Things, which is used to describe the new generation of devices which are interconnected using a local or internet connection. These devices may be smartphones, CCTV, fridges, coffee makers, lawn mowers etc. The Internet of Things (IoT) has become reality in a short span of time, and the number of devices has increased at a very rapid pace. By the year 2020 there will be 24 billion devices in the IoT ecosystem, and approximately $6 trillion would be spent on IoT solutions in the next 5 years [7].

The IoT boom has been due to rapid acceptance by the market, owing to the usability and size of the devices. The report from HIS forecast more than 6 billion more devices to be connected in 2020 [8]. The average cost of sensors, which are major components of IoT devices, has been falling. This is also one of the main reasons why manufacturing such devices has become more profitable. From figure 6 below, we can see the average cost of a sensor in 2016 was $0.50 as compared to $1.30 in 2004 [9]. The reduction in the cost and size of the sensors has contributed a lot to this explosion. IoT devices provide a very cost-effective solution for remote monitoring, automation and data gathering for analytics purposes. The interconnected devices make their own network, and the inter-communication among them helps in creating better lives for humans.

Figure 6.

IoT devices in the smart home have taken a great leap in making life easier for human beings: getting a cup of coffee ready while you wake and brush your teeth without pushing a button on the coffee maker, or even before getting out of bed, or setting the right temperature on the home thermostat while leaving the office, so that the house is warm and cozy once you enter. Such conveniences have made them favorable among customers.

The new generation of IoT gardening tools helps in removing weeds, cutting the grass, watering the plants or adding fertilizer while you are away on vacation or sipping coffee. The application of IoT not only in smart homes but in offices has also helped in making cost-effective decisions for allocating resources where they are needed the most. IoT has shown immense potential for how it can be used to change human life for the better.

IoT is at the same stage where personal computers once were. Hence, in this scenario too, the security and privacy components for the data and the devices have not been considered. The vulnerabilities in the systems and the threats originating from them are not being considered to their full potential, due to the race to launch products and come up with new innovative solutions.

The interconnectivity between the devices forms the backbone, but if security is not considered in the design process, it generates an elevated risk. For example, a smart thermostat and a home security system can be interconnected, and one can lead to a significant vulnerability in the other. The smart thermostat can read the temperature of the home and ask the security system to open the windows if the temperature rises above a certain threshold. In this scenario, the thermostat may get hacked or misused by a person to elevate the temperature. Once the temperature rises over the threshold, it would trigger the security system to open the windows, hence leading to a physical security breach.

IoT Botnets:
IoT devices are no different than a traditional server or personal computer in terms of hacking.

These devices can also be hacked and misused for personal or professional advantage. The automated garden system, DVRs, smart TVs, fridges: all these devices which are connected to the internet carry a risk of being compromised. The methods for hacking such devices may differ, but the potential risks remain the same. IoT devices can also be hacked and used in the same way for causing DDoS attacks as traditional personal computers or servers, and these devices are referred to as IoT botnets. As the number of IoT devices increases, so does the number of IoT botnets.

The structure of attacks on IoT devices is explained in detail in the later section about how the Mirai IoT botnet was created and launched a record-breaking 620 Gbps attack on the Dyn and Krebs websites [10][11].

Components of the botnet:
The botnet mostly consists of bots, which are the infected systems. But creating the bots and controlling them, so that they can be used for DDoS attacks when needed, requires some more components. These components are required for the creation and maintenance of the bots or botnet. A hierarchical structure is formed which has the botmaster as the top authority.

The botmaster can decide to use the botnet himself, based on his motivation, or can make his botnet available to others as a DDoS service. The botnet components can be described as below:

1. Botmaster: the person who either creates or rents out the botnets. He uses the command and control server for maintaining the botnet.
2. Malware: a program which is developed or used by the botmaster for infecting the devices.
3. Bots: the systems which are vulnerable, are exploited by the malware, and are under the control of the botmaster.
4. Command and Control servers: used to control the bots. They send information to and receive information from the bots.

The botnets have evolved over the period, and more components have been added along the way for maintenance and control of the bots. The new botnet anatomies that have been found include scanner and reporting servers in the structure as well.

Evolution of IoT Malware:
IoT malware has existed for a long time, but its real power was revealed by Mirai.

As per the report from Kaspersky (figure 7), the earliest malware for IoT was detected in 2008, named Hydra, and has evolved into a more devastating malware known as Mirai in 2016 [12]. Below is the list of the malware with a small description of each.

Hydra: It is one of the earliest known malware used for targeting IoT devices, mainly routers [13].
Psybot: It was also developed to gain access to home routers and modems, and was believed to be of Australian origin. It was loaded with common usernames and passwords that were used to gain access to the device [14].
Tsunami: This malware was designed to attack not only Linux-based devices but Mac OS as well [15].
Lizkebab/BASHLITE/Torlus/Gafgyt: These malwares belong to the same family and targeted IP cameras, DVRs and smart TVs [16].
Linux.PNScan: This is also a Linux-based malware, which had a capability of peer-to-peer connectivity [17].

Mirai: It is the malware which brought the internet to its knees. After the release of the Mirai code on the internet, the malware has evolved a lot, and many new variants of Mirai can be found on the darknet. One of the variants of Mirai improved it with an advanced algorithm and removed most of the hard-coded code from it [18].

Mirai and Baidu DDoS attack:
To know more about how DDoS attacks work, we will study two recent attacks: Mirai, which was done using IoT botnets, and the Baidu attack, which hijacked a server and caused the attack [19][20]. The Mirai botnet was used to perform a DDoS attack against the DNS service provider Dyn, which not only affected Dyn but also the other biggest internet websites such as Twitter, Spotify etc. Mirai was also used against the Krebs website, which was held to ransom for stopping the attack before Google's Project Shield intervened to help the blogger. Mirai was also used in the attack on the French hosting company OVH as well.

The bots used in Mirai were internet cameras, routers, DVRs and any other smart device which was connected to the internet [21]. On the other hand, Baidu, a Chinese web search engine, was hijacked to inject malicious JavaScript code which helped in performing a massive attack that crippled GitHub. The hackers got control over the website and injected the malicious code, which redirected the users to the GitHub page. In this scenario, millions of innocent users of the search engine unknowingly became the soldiers causing a massive DDoS attack against GitHub.

Mirai:
Mirai is one of the most devastating malwares developed and is capable of self-replication.

Mirai means "the future" in Japanese, and it has the capability of infecting around 4000 IoT devices per hour. At the time of the attack it consisted of around 150,000 IoT devices as bots. To create a bot, it searches for a vulnerable device and uses a dictionary attack to gain access. Once the infected device is under the control of the botmaster, it waits for commands to initiate the attacks. Its working is that of typical malware used for creating botnets.

In Mirai there exists no separate scanner component; instead, the bots themselves perform the function of scanning for vulnerable IoT devices and carry out DDoS attacks on the target. In a general scenario, C2s communicate regularly with the bots, the foot soldiers in the botnet. Most botnets implement a standard client/server architecture where the bots get their commands from the C2s or controllers. The botnet malware spreads to new IoT devices by continuously scanning the internet for vulnerable IoT devices, either from the bots or from an external scanner (in some cases, the C2s perform the scan directly). Potential victim devices can be found using special search engines such as Shodan (www.shodan.io) and Censys (www.censys.io). The reporting server receives one-way traffic with information about the IP addresses and credentials of the vulnerable IoT devices from scanners (as in BASHLITE) or from the bots (as in Mirai malware).
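As an added example (not part of the original paper), the following Python script shows the defender's side of the dictionary-attack step described above: it reads constructed telnet login records of the kind a router or IoT device might log, and flags a source that cycles through many usernames within a short window, noting whether a successful login followed the burst. The log format, field names and thresholds are assumptions.

```python
"""Detector for Mirai-style credential dictionary attacks in IoT telnet login logs."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not captured from any real device); the record
# format "telnetd: login ok|failed user=... src=..." is an assumption.
SAMPLE_LOG = """\
2024-03-01T10:00:01 telnetd: login failed user=root src=203.0.113.7
2024-03-01T10:00:02 telnetd: login failed user=admin src=203.0.113.7
2024-03-01T10:00:03 telnetd: login failed user=root src=203.0.113.7
2024-03-01T10:00:04 telnetd: login failed user=support src=203.0.113.7
2024-03-01T10:00:05 telnetd: login failed user=user src=203.0.113.7
2024-03-01T10:00:06 telnetd: login ok user=admin src=203.0.113.7
2024-03-01T10:05:00 telnetd: login failed user=alice src=192.0.2.20
2024-03-01T10:30:00 telnetd: login ok user=alice src=192.0.2.20
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) telnetd: login (?P<result>ok|failed) "
                     r"user=(?P<user>\S+) src=(?P<src>\S+)$")


def parse_log(text):
    """Yield (timestamp, result, user, src) for each line matching LINE_RE."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"]


def detect_dictionary_attacks(text, window=timedelta(minutes=1),
                              min_failures=4, min_users=3):
    """Return {src: finding} for sources that fail logins against several
    usernames inside one window (the credential-cycling pattern of a Mirai-style
    bot), recording whether a successful login followed the burst."""
    by_src = defaultdict(list)
    for ts, result, user, src in parse_log(text):
        by_src[src].append((ts, result, user))
    findings = {}
    for src, events in by_src.items():
        events.sort()
        for i, (start, _, _) in enumerate(events):
            burst = [e for e in events[i:] if e[0] - start <= window]
            failures = [e for e in burst if e[1] == "failed"]
            users = sorted({e[2] for e in failures})
            if len(failures) >= min_failures and len(users) >= min_users:
                last_fail = failures[-1][0]
                findings[src] = {
                    "failures": len(failures),
                    "users": users,
                    # A success after the burst suggests the device was taken over.
                    "success_after_burst": any(
                        e[1] == "ok" and e[0] >= last_fail for e in burst),
                }
                break  # one finding per source is enough
    return findings
```

A source flagged with success_after_burst is the case worth acting on first: the device has most likely accepted one of the default credentials the bot cycled through and should be reset and re-credentialed before it joins the botnet.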
