Existing Home Routers Could Be Used to Stop DDoS Botnet Attacks


Much has been written about how Friday’s DDoS botnet attack was made possible by a security hole present in various Internet of Things (IoT) devices. The lingering question is: how do we prevent this from happening again?

This is tough to answer. First, I have no idea whether my webcam participated in this attack. Chances are you don’t know whether yours did, either.

Second, there’s no reasonable way for me to go in and secure my webcam so that it can’t participate in this type of attack in the future. The security hole the exploit used is baked into the core functionality of the embedded operating system that my webcam’s manufacturer sourced from China. There’s a good chance that even the company that made my webcam was completely unaware the hole existed.

We Can’t Rely On Users … or HomeKit

Even if we could fix this one security hole on every affected device – and it’s important to note that we cannot – what about the similar holes in your printer, DVR, doorbell or thermostat? The reality is that exploitable devices like these will sit in the homes of enough general consumers that we need to assume everyone’s house is compromised and will remain that way for a good, long time. Apple’s HomeKit protocol makes it extremely difficult to tamper with HomeKit data, but it doesn’t stop the same device from being exploitable through whatever else it runs.

The best way to combat this is to limit the effect that any one exploit can have. Speed limit signs don’t often stop people from driving too fast, but speed bumps certainly do. What if we could put a speed bump in place that limited the ability of these DDoS botnet attacks to have any meaningful impact?

Every Router, a Speed Bump for DDoS Botnet Attacks

For this, I look to router manufacturers. The problem with a DDoS attack is that it’s really difficult for the servers being attacked to separate good traffic from bad: by the time the requests arrive, they look like ordinary requests from thousands of ordinary addresses. The home router, however, knows a lot more about the device that initiated each request, including what kind of device it is and what it normally talks to.

Any decent home router these days uses Quality of Service (QoS) algorithms to manage traffic (ahem, Apple, you need to catch up here). That means your router is (or should be) examining every packet coming in and out of your home and prioritizing the important ones so that you get a smooth internet experience.

Router manufacturers could extend their QoS algorithms to notice when a device like a webcam starts making requests that are atypical for that type of device: destinations it has never talked to, ports a camera has no business using, or a connection rate far beyond what a camera needs. For most routers this truly could be a simple firmware update. Today’s routers (including Apple’s) have CPUs fast enough to do this kind of analysis on the fly if the right firmware is installed.

Additionally, router manufacturers like NETGEAR, eero and others maintain QoS and parental-control databases that auto-update to account for new devices and services. Those updates could also carry the addresses of servers currently under attack. As soon as Dyn saw it was being targeted, it could have asked router manufacturers to add its addresses to the database and push out an update, so that every participating router would rate-limit bursts of traffic from home devices toward those addresses (rate-limit, not block: legitimate clients still need to reach them).

Just Slow Them Down Until It’s Not Fun Anymore

The point isn’t to completely stop these types of attacks – that would be nice, but it’s practically impossible – rather to limit the impact of any such attack. If a large enough percentage of consumers used routers that automatically limited this kind of activity, much of the benefit to attackers would be lost.

Yes, there’s definitely a cat-and-mouse game here, where attackers will work to circumvent these in-router limits, but I think it would be a very good start. Right now the mouse is blind and immobile, and the cat is having a field day.

Router manufacturers, the ball is in your court, but we’re all here to support the process.

Comments
Rico Trevisan

“the issue with a DDoS is the first D — distributed”

Indeed. The beauty of the Internet is – unsurprisingly – its Achilles heel. Daren Kitchen suggested an interesting idea (Daily Tech News Show, ep 2884): distributed DNS. Something using the blockchain and bittorrent tech.

But I guess that requires “redoing” basic piping of the Internet which cannot be easy. What do you guys think about that?

txaggie90

I don’t pretend to be a security expert, but here is a simplified version of how this might work. When the device connects to the router, the router determines it is an XYZ Inc device (via MAC address, etc.) and therefore could know which IP addresses to whitelist for devices by that manufacturer. Any traffic sent to a non-whitelisted address would be considered suspect.

I know there are nuances to this, but I’m thumb typing and don’t want to make this too long.

Alphaman

Dave, the trick with a DDoS is to leverage a small amount of data into a huge amount of replies. Or, to paraphrase Patton, “No zombie ever won a war by dying for his cause, but by making the server die for his.” A zombie sends a tiny little request, perhaps as small as a single packet, but for a LARGE amount of data. The zombie can send thousands of such requests and barely move the bandwidth needle. The server, OTOH, tries to reply with potentially hundreds of Kbytes or even megabytes of data in response to that one packet…

Doug Petrosky

Are you sure? You stated that you were unsure of the requirements of HomeKit approval but then state that it WILL NOT keep you safe! “Might not keep you safe,” or “will not ensure your total safety,” might be better ways to put it, but I’m willing to bet that as part of HomeKit certification, Apple requires certain privileges be locked down which would have stopped this attack. I understand that NOTHING is unhackable, but with so much low-hanging fruit I would go out on a limb and say that HomeKit devices are far more hardened for security, and until you get confirmation…

Alphaman

Interesting idea, but the issue with a DDoS is the first D — distributed. Any one device doesn’t have to contribute much to the deluge for it to become part of the flood, and throttling it using QoS won’t really accomplish much different than what the attacked site can already handle. The real thing that a home router can do, and that it’s already doing, is prevent the backdoors in these devices from talking to the Internet. When a compromised device is placed directly on the Internet, it puts us all at risk. But, if the ports that make up the…