Much has been written about how Friday’s DDoS botnet attack was made possible by a security hole present in a wide range of Internet of Things (IoT) devices. The lingering question is: how do we prevent this from happening again?
This is tough to answer. First, I don’t have any idea whether or not my webcam participated in this attack. Chances are you don’t know if yours did, either.
Second, there’s no reasonable way for me to go in and secure my webcam so that it can’t be recruited into this type of attack in the future. The security hole used by the exploit is baked into the core functionality of the embedded operating system that my webcam’s manufacturer sourced from a supplier in China. There’s a good chance that even the company whose name is on my webcam was completely unaware that this security hole existed.
We Can’t Rely On Users … or HomeKit
Even if we could fix this one security hole on every affected device (and it’s important to note that we cannot), what about the similar holes that exist in your printer, DVR, doorbell or thermostat? The reality is that these exploitable devices are going to exist in the homes of enough general consumers that we need to assume everyone’s house is compromised and will remain that way for a good, long time. Apple’s HomeKit protocol is very secure and makes it extremely difficult to tamper with HomeKit data, but it protects only the HomeKit channel between accessory and controller; it doesn’t stop these devices from being exploitable through whatever else they expose on the network.
The best way to combat this is to limit the effect that any one exploit can have. Speed limit signs don’t often stop people from driving their cars too fast, but speed bumps certainly do. What if we could put a speed bump in place that limited the ability for these types of DDoS botnet attacks to have any meaningful impact?
Every Router, a Speed Bump for DDoS Botnet Attacks
For this, I look to router manufacturers. The problem with a DDoS attack is that it’s really difficult for the servers being attacked to separate good traffic from bad: every request looks like a request. Routers, however, have a lot more information about the device initiating the request, including which device on the home network it is, what kind of device it is, and what that device normally does.
Any decent home router these days uses Quality of Service (QoS) algorithms to manage traffic (ahem, Apple, you need to catch up here). That means your router is (or should be) examining every single packet coming in and out of your home, making sure it properly prioritizes the important ones to ensure a smooth internet experience for you.
Router manufacturers could enhance their QoS algorithms to look for devices like webcams that start making requests atypical for that type of device, and throttle them. A webcam that normally talks to one cloud relay and suddenly opens hundreds of connections to a host it has never contacted is easy to spot from the router’s vantage point, even though the target sees only one more request. For most routers this truly could be a simple firmware update. Today’s routers (including Apple’s) have CPUs that are fast enough to process this type of on-the-fly analysis if the right firmware is installed.
Additionally, router manufacturers like NETGEAR, eero and others have QoS and parental control databases that auto-update to account for new devices and services. Those database updates could also include the addresses of servers being attacked. As soon as Dyn saw they were being targeted, they could have asked router manufacturers to add their addresses to the database and push out an update. One caveat: the update should rate-limit traffic to those addresses, not block it outright. Dyn is a DNS provider, so a router that simply dropped every packet headed its way would have cut off name resolution for all of the sites hosted there, which is exactly the outcome the attackers wanted.
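The two mechanisms described above, a per-device behavioural baseline and a pushed rate-limit list for targets under attack, as an added example that is not code from the original post or from any router vendor. It runs a small egress policy over constructed flow records: a laptop doing steady DNS lookups against a provider that is under attack, and a webcam that does three normal cloud check-ins and then floods the same provider. The device-type profiles, thresholds, MAC addresses, IP addresses (RFC 5737 documentation ranges) and the rate/burst values are all assumptions chosen for illustration.

```python
"""Router-side 'speed bump' for outbound traffic: a per-device behavioural
baseline plus a pushed rate-limit list of targets under attack.

Added example, not code from the original post or from any router vendor.
Profiles, thresholds, MAC and IP addresses are assumptions for illustration.
"""
from collections import Counter, defaultdict, deque
from dataclasses import dataclass

WINDOW_MS = 60_000  # sliding window for the behavioural baseline

# Assumed per-device-type baselines: distinct destinations and new outbound
# flows per minute a device of that type plausibly needs. A webcam talks to
# its cloud relay and maybe an NTP server; it never needs hundreds of flows.
PROFILES = {
    "webcam": {"max_dests": 5, "max_flows": 30},
    "laptop": {"max_dests": 200, "max_flows": 2000},
}

# Assumed MAC -> device type map (a real router would use an OUI lookup or
# the auto-updating device database the post mentions).
DEVICE_TYPES = {
    "aa:bb:cc:00:00:01": "webcam",
    "aa:bb:cc:00:00:02": "laptop",
}


@dataclass
class Flow:
    ts_ms: int       # router clock, milliseconds
    src_mac: str
    dst_ip: str
    dst_port: int


class TokenBucket:
    """Integer token bucket: `rate` tokens/second, at most `burst` stored.
    Tokens are kept in thousandths so the arithmetic stays exact."""

    def __init__(self, rate: int, burst: int, now_ms: int):
        self.rate, self.cap = rate, burst * 1000
        self.tokens, self.last = self.cap, now_ms

    def take(self, now_ms: int) -> bool:
        self.tokens = min(self.cap, self.tokens + (now_ms - self.last) * self.rate)
        self.last = now_ms
        if self.tokens >= 1000:
            self.tokens -= 1000
            return True
        return False


class EgressPolicy:
    def __init__(self, under_attack: dict[str, tuple[int, int]]):
        self.under_attack = under_attack   # dst_ip -> (rate/s, burst), pushed by vendor
        self.window = defaultdict(deque)   # src_mac -> deque[(ts_ms, dst_ip)]
        self.buckets = {}                  # (src_mac, dst_ip) -> TokenBucket

    def decide(self, f: Flow) -> str:
        """Classify one new outbound flow as 'allow', 'throttle' or 'drop'."""
        # 1. Behavioural baseline: drop new flows from a device that exceeds its
        #    profile over the last minute. Every attempt counts, so a device that
        #    keeps flooding stays limited until it calms down.
        w = self.window[f.src_mac]
        w.append((f.ts_ms, f.dst_ip))
        while w and f.ts_ms - w[0][0] > WINDOW_MS:
            w.popleft()
        prof = PROFILES.get(DEVICE_TYPES.get(f.src_mac, "unknown"))
        if prof and (len(w) > prof["max_flows"]
                     or len({d for _, d in w}) > prof["max_dests"]):
            return "drop"
        # 2. Target under attack: rate-limit per (device, target) rather than
        #    block, so the laptop's legitimate DNS lookups still get through.
        if f.dst_ip in self.under_attack:
            key = (f.src_mac, f.dst_ip)
            if key not in self.buckets:
                rate, burst = self.under_attack[f.dst_ip]
                self.buckets[key] = TokenBucket(rate, burst, f.ts_ms)
            if not self.buckets[key].take(f.ts_ms):
                return "throttle"
        return "allow"


def constructed_flows() -> list[Flow]:
    """Constructed sample traffic (not captured data)."""
    cam, laptop = "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"
    relay, target = "203.0.113.10", "192.0.2.53"
    flows = [Flow(i * 1000, laptop, target, 53) for i in range(20)]        # 1 lookup/s
    flows += [Flow(i * 1000, cam, relay, 443) for i in range(3)]           # normal check-ins
    flows += [Flow(10_000 + i * 100, cam, target, 53) for i in range(60)]  # 60 flows in 6 s
    return sorted(flows, key=lambda f: f.ts_ms)


def summarize(flows: list[Flow], under_attack: dict[str, tuple[int, int]]) -> dict[str, Counter]:
    """Run the policy over flows and count decisions per source device."""
    policy = EgressPolicy(under_attack)
    out = defaultdict(Counter)
    for f in flows:
        out[f.src_mac][policy.decide(f)] += 1
    return dict(out)


if __name__ == "__main__":
    # Pushed list: 192.0.2.53 is under attack; each device gets 1 flow/s, burst 5.
    for mac, counts in summarize(constructed_flows(), {"192.0.2.53": (1, 5)}).items():
        print(DEVICE_TYPES.get(mac, "unknown"), mac, dict(counts))
```

The laptop’s twenty one-per-second lookups all pass, because its bucket refills as fast as it drains. The webcam’s three check-ins pass, its first few flood flows are absorbed by the burst allowance, the rest are throttled, and once it has opened more new flows in a minute than a webcam ever should, the behavioural check drops everything further regardless of destination. The limiter is keyed per device and target so one misbehaving device cannot exhaust another’s allowance.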
Just Slow Them Down Until It’s Not Fun Anymore
The point isn’t to completely stop these types of attacks (that would be nice, but it isn’t realistic) but rather to limit the impact of any such attack. If a large enough percentage of consumers were using routers that automatically limited this type of activity, much of the payoff for attackers would be lost.
Yes, there’s definitely a cat-and-mouse scenario here in which attackers will work to circumvent these in-router limits, for instance by keeping each device’s traffic under its threshold, but I think it would be a very good start. Right now the mouse is blind and immobile and the cat is having a field day.
Router manufacturers, the ball is in your court, but we’re all here to support the process.