Internet of DDoS: IoT Botnets Lend Urgency to Anti-DDoS Measures

The past few days have once again pushed that cybersecurity staple the DDoS attack (yawn) into the spotlight. First Brian Krebs suffered what was widely trailed as the ‘biggest attack ever’, topping out around 620Gbps, and then a French hoster claimed it was submerged by an attack topping 1Tbps. The interesting point of the second attack is that it’s said to have been carried out by an IoT botnet.

What does this mean for organisations across the globe? You’d better start budgeting for extra spending on DDoS mitigation services. I spoke to Arbor Networks principal engineer, Roland Dobbins, to find out more.

IoT botnets are nothing new, he claimed. In fact, they’ve been used for several years not only to launch DDoS attacks but also to send spam, launch MitM attacks and more. Even as recently as August, experts reported an IoT botnet used to try to take organisations affiliated with the Rio Olympics offline prior to the Summer Games. Other examples include cyber extortionists trying to take gaming networks offline.

So exactly why are these embedded computing devices so attractive to cybercriminals?

“Because so many of these devices are shipped with insecure defaults, including default administrative credentials, open access to management systems via the internet-facing interfaces on these devices, and shipping with insecure, remotely exploitable code,” Dobbins told me by email.

“A large proportion of embedded systems are rarely if ever updated in order to patch against security vulnerabilities – indeed, many vendors of such devices do not provide security updates at all.”

Another problem is that IoT devices – which can range from webcams and DVRs to set-top boxes – aren’t typically things a user spends much time in front of, so it might not be obvious they’re being exploited, he said.

“There are tens of millions of vulnerable IoT devices, and their numbers are growing daily; they’re generally always turned on; they reside on networks which aren’t monitored for either incoming or outgoing attack traffic; and their networks where they’re deployed often are high-speed connections, which allows for a relatively high amount of DDoS attack traffic volume per compromised device,” explained Dobbins.

Fighting back

So what can be done to mitigate the risk to businesses?

Best practice includes hardening network infrastructure, improving visibility into traffic and having adequate DDoS mitigation capabilities – none of which is going to be cheap, unless you’re lucky like Krebs and get protected by Google’s Project Shield.

“In particular, ISP and MSSP network operators should ensure that they participate in the global operational community, so that they can both render assistance when other network operators come under high-volume DDoS attacks, as well as request assistance as circumstances warrant,” Dobbins told me.

It’s also important for operators to measure DDoS attack volumes against their baseline for normal traffic so as not to over- or underestimate attacks.

“This is vital when determining which DDoS defence mechanisms and methodologies to employ during a given attack, as well as in providing accurate information to other network operators in the global operational community,” he concluded.
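The baseline comparison described above, as an added example that is not from the original article or from Arbor Networks: the link readings, the per-hour median/MAD baseline and the 6.0 threshold are all constructed assumptions.

```python
from statistics import median

# Constructed sample data: (hour_of_day, Gbps) readings taken from one edge
# link on previous days. These are illustrative values, not real measurements.
HISTORY = [
    (3, 1.8), (3, 2.1), (3, 2.0), (3, 1.9), (3, 2.2),
    (20, 33.0), (20, 35.5), (20, 34.0), (20, 36.0), (20, 34.5),
]

def baseline(history, hour):
    """Return (median, MAD) of normal traffic for one hour of the day."""
    samples = [gbps for h, gbps in history if h == hour]
    if len(samples) < 3:
        raise ValueError(f"not enough baseline samples for hour {hour}")
    med = median(samples)
    mad = median(abs(s - med) for s in samples)
    return med, mad

def assess(history, hour, observed_gbps, threshold=6.0):
    """Express an observed reading as excess over that hour's baseline.

    threshold is an assumed cut-off on the robust z-score; tune it per link.
    """
    med, mad = baseline(history, hour)
    # 1.4826 * MAD is comparable to a standard deviation for normal data.
    # Assumption: if history shows no variation, use 1% of the median instead.
    spread = 1.4826 * mad if mad > 0 else 0.01 * med
    score = (observed_gbps - med) / spread
    return {
        "baseline_gbps": med,
        "excess_gbps": round(max(0.0, observed_gbps - med), 2),
        "score": round(score, 1),
        "anomalous": score >= threshold,
    }

if __name__ == "__main__":
    # The same 40 Gbps reading means very different things at 03:00 and 20:00.
    for hour in (3, 20):
        print(hour, assess(HISTORY, hour, 40.0))
```

Reporting the excess over baseline, rather than the raw interface reading, is what keeps the evening peak from being counted as attack traffic and the quiet-hours flood from being understated.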

Stopping the attacks as they are fired out is all very well, but how about trying to shore up those pesky IoT devices which have become such a boon to cybercriminals? A new architectural approach has been proposed by a non-profit group known as the prpl Foundation. It suggests that a hardware-led approach is key to securing embedded computing devices. Its guidance document is a must-read for anyone interested in IoT security.

It sets out four key elements that are needed to improve IoT security:

Open source software which will improve the quality of code and increase the likelihood of timely security updates.

Interoperable standards to help to drive up the quality of engineering, especially in the connectivity layer which has frequently been exposed by researchers such as Miller and Valasek.

Secure boot based on a root of trust anchored in the silicon to prevent hackers from reflashing the firmware. This could have helped prevent the Ukrainian power outages of 2015 and potentially also SYNful Knock.

SoC virtualisation to containerise each software element running on the chip, keeping critical components safe, secure and isolated from the rest.

The prpl Foundation has already released its own hypervisor and other elements to make its Security Framework proposal a reality. But will the industry go for it?

Up until now the common perception has been that users prioritise usability and low cost over security. But according to a new report on the smart home by prpl, this isn’t the case. It polled 1,200 consumers across the globe and found that 60% thought the user should take control of securing the smart home. What’s more, a plurality (42%) claimed they would pay a premium for more secure devices.

So there it is, IoT industry. Over to you.


OpenStack: the open source cloud project taking Asia by storm

Can you guess which city has more OpenStack contributors in it than any other on the planet? Well, it’s Beijing.

That may come as something of a surprise given the heritage of the open source cloud computing project – NASA and US hosting/cloud giant Rackspace.

However, it’s certainly not a one-off, with several other cities in the PRC also boasting significant numbers of acolytes, including Shanghai which also ranks in the global top ten.

I learnt this and rather a lot more about the project at the OpenStack Summit in Hong Kong this week. It was a conference heavy in symbolism for the OpenStack Foundation – its first ever outside the US and the first since the release of Havana – its eighth major release for building public, private and hybrid clouds.

Having slogged my way around IT conferences for more years than is healthy for a person of my age, the summit was a first for me in many ways.

First up the new announcements from vendors were kept very much in the background – barely mentioned at all in the keynotes and not publicised heavily elsewhere at the event.

Now that could be the fault of the event PR team but I’d like to think it’s because the Foundation are trying to send a message of inclusivity to the community – that no one vendor should be allowed to use the platform to market its wares so blatantly to a captive audience of over 3,000 enthusiasts.

That’s not to say there was no news, of course, or that the major vendors weren’t using the show to meet customers, get their message out, etc, but it was certainly toned down from the all-guns-blazing razzmatazz of some industry events I’ve been to.

Part of that no doubt lies in the fact OpenStack Summit is really about bringing the community together to share ideas and best practices on implementations and, quite literally, to sit down and draw up a roadmap for where it is headed next.

It is still very early days for OpenStack versus, say, Amazon Web Services, and there is a certain amount of tension still in the community about whether it should be seeking to emulate the cloud leader or take a separate path of innovation – “letting a thousand flowers bloom”, according to Canonical founder Mark Shuttleworth.

The Rackspace private cloud VP Jim Curry and CTO John Engates I chatted to admitted feature parity isn’t at the same level as AWS yet, but also claimed that itself is a bit of a red herring as few people use all the features in Amazon anyway.

In the end one of the more eloquent and passionate speeches on the open source project came from Red Hat consulting engineer Mark McLoughlin – one of the top OpenStack contributors in the world if rumours are to be believed.

“Does anyone think we’re just going to add a handful of new projects in 2014 and then stop? I really don’t think that’s realistic,” he said. “I think it’s going to continue to expand and become a broad umbrella of projects. We need to embrace the collaboration that’s happening under this OpenStack umbrella.”


Rackspace goes East with first Asian public cloud launch

OpenStack cloud vendor and Amazon–agitator Rackspace Hosting is launching its first public cloud offering for Asia in Hong Kong today, so I caught up with APAC MD Ajit Melarkode to talk all things Hong Kong, cloud and Rackspace.

I covered the news over at The Reg. Given that not many businesses rely solely on the public cloud, the announcement can be seen more in context of Rackspace’s Hybrid Cloud offering – which allows users to mix and match between public and private cloud and dedicated server hosting.

As such, I’m sure IT managers in the region will be keen to have another option for their cloudy needs.

They should also be assured that Rackspace is certainly investing significantly in the region, and Hong Kong, Melarkode told me. “We’ve sent a lot of Rackers out to set up here,” he said. “We’re not treating it as a satellite office – Hong Kong has really come into its own this year.”

Testament to this is Melarkode himself, who has experience of running operations on the ground in the region, and the fact that the firm is setting up dedicated finance, HR and marketing departments, as well as hiring a regional CTO, lead engineers, SMB and enterprise support staff, and ensuring that there is a good spread of local language speakers.

So who is Rackspace hoping to target with its new offering? Well, according to Melarkode, the growth of the Hong Kong office and APAC hub can be seen in parallel with the expansion of Rackspace customers into Asia: “as our customers expand we expand with them – we’re driven in a major part by client requirements”.

Another market he mentioned was that of the smaller innovative local companies in industries like retail and technology which are unencumbered by legacy infrastructure and are “leapfrogging onto new technologies like mobile and cloud”.

Melarkode was unsurprisingly quick to leap to the defence of Asian firms, which are often branded as copy cats and accused of lacking the ability to truly innovate.

He argued that creating services on top of “building blocks” already developed in the West does not necessarily amount to copying – and pointed out that firms from the region are contributing code to OpenStack, which he claimed is certainly not the behaviour of a technology laggard.

The region in general, while perhaps slightly behind the West, is certainly catching up in terms of the maturity of its IT services industry.

“I’ve seen how the region has developed right from the time Indian outsourcing started blooming in 1993, to the more hardware and infrastructure focus in China and the BPO success taking hold in the Philippines,” he explained.

“What I see is lagging behind here but the pace is still fantastic. Look at how it’s catching up. Lots of clients used cloud just for back-up and storage but now they’re starting to use it for app testing and development. The catch-up rate is astonishing.”

Rackspace will certainly need that maturity to expand beyond the handful of early movers in APAC if it’s to recoup some of its growing investment here.

Things are moving pretty fast, though, with the firm doubling headcount and its datacentre space in Hong Kong to meet expected demand and with plans to do so again in the coming year, Melarkode said.


How cloud computing will let loose the Asian dragon

Asia’s unique combination of large numbers of entrepreneurs and software developers offers tremendous opportunities for dynamic cloud growth, while European and Australian companies continue to lag in the shadow of the US.

That’s the view of Nigel Beighton, VP of technology and product for managed hosting-cum-open cloud company Rackspace, who was in Hong Kong this week to discuss how the “sleeping software giant” of Asia will soon awake.

He argued that European and Australian firms are 18 months to 2 years behind their US rivals and suffer from the same issues around legacy infrastructure.

“Asia is fascinating because it doesn’t track what happens in the US. It has its own culture and personality and if you think about software development in Asia it’s different. Even the code they write looks different. The way people think about mathematics and structure and architecture is different,” he said.

“Cloud enables business to be agile and Asia is very good at that – at being entrepreneurial. At the same time it’s cool to be a software developer here and cloud is enabling software developers to do what they want to do immediately.”

The US market, while it still has a “degree of creativity”, is very much in a phase of consolidation at the moment, dealing with legacy infrastructure and looking at changing business models, Beighton argued.

To an extent, European and Australian firms are in a similar boat – held back by a large legacy application estate going back 10-15 years which makes it difficult to scale vertically in the cloud, he added.

However, there aren’t many examples of cutting edge cloud innovation in the region – he gave China’s indigenous search engine companies led by Baidu as one – because it’s still early days. As a result, education remains an important part of the cloud provider’s role.

It’s worth bearing in mind here that even though it now has a successful enterprise business, Rackspace began life serving entrepreneurial SMB-type companies, which is why the firm is always keen to enthuse about this end of the market. It’s also part of the reason why it located a regional datacentre in Hong Kong rather than rival IT hub of Singapore which is geared more towards servicing larger financial organisations, according to Beighton.

“For us the entrepreneurial aspect of Hong Kong was really interesting, and how that would work in conjunction with China,” he said, adding that public cloud capabilities from the datacentre would be available in Q4 this year.

Rackspace is not the only cloud provider waxing lyrical about the huge potential in the Asia region. EMC Greater China president Denis Yip argued at a conference in Hong Kong last summer that China is actually trumping the US and the rest of the world at the cutting edge of cloud computing deployments.

However, despite huge building projects by local government in China, there is a real risk datacentre capacity will lie idle because not enough thought has gone into working out what to use it all for and how to generate profits once the infrastructure is completed.