The internet of things (IoT) is shaping up to be a more significant threat to the Domain Name System (DNS) through larger IoT botnets, unintentional adverse effects of IoT software updates and the continuing development of bot-herding software.

The Internet Corporation for Assigned Names and Numbers (ICANN) and IBM’s X-Force security researchers have recently issued reports outlining the interplay between DNS and IoT, including warnings about the pressure IoT botnets will put on the availability of DNS systems.

ICANN’s Security and Stability Advisory Committee (SSAC) wrote in a report that “a significant number of IoT devices will likely be IP enabled and will use the DNS to locate the remote services they require to perform their functions. As a result, the DNS will continue to play the same crucial role for the IoT that it has for traditional applications that enable human users to interact with services and content,” ICANN stated. “The role of the DNS might become even more crucial from a security and stability perspective with IoT devices interacting with people’s physical environment.”

IoT represents both an opportunity and a risk to the DNS, ICANN stated. “It is an opportunity because the DNS provides functions and data that can help make the IoT more secure, stable, and transparent, which is critical given the IoT's interaction with the physical world. It is a risk because various measurement studies suggest that IoT devices may stress the DNS, for instance, because of complex DDoS attacks carried out by botnets that grow to hundreds of thousands or in the future millions of infected IoT devices within hours,” ICANN stated.

Unintentional DDoS attacks

One risk is that the IoT could place new burdens on the DNS. “For example, a software update for a popular IP-enabled IoT device that causes the device to use the DNS more frequently (e.g., regularly look up random domain names to check for network availability) could stress the DNS in individual networks when millions of devices automatically install the update at the same time,” ICANN stated.

While this is a programming error from the perspective of individual devices, it amounts to a significant attack vector from the perspective of DNS infrastructure operators. Incidents like this have already occurred on a small scale, but they may occur more frequently in the future due to the growth of heterogeneous IoT devices from manufacturers that equip their devices with controllers that use the DNS, ICANN stated.

Massively larger botnets, threat to clouds

The report also suggested that the scale of IoT botnets could grow from hundreds of thousands of devices to millions. The best-known IoT botnet is Mirai, responsible for DDoS attacks involving 400,000 to 600,000 devices. The Hajime botnet hovers around 400K infected IoT devices but has not launched any DDoS attacks yet. As the IoT grows, so will the botnets, and with them the size of DDoS attacks.

Cloud-connected IoT devices could endanger cloud resources. “IoT devices connected to cloud architecture could allow Mirai adversaries to gain access to cloud servers. They could infect a server with additional malware dropped by Mirai or expose all IoT devices connected to the server to further compromise,” wrote Charles DeBeck, a senior cyber threat intelligence strategic analyst with IBM X-Force Incident Response, in a recent report. “As organizations increasingly adopt cloud architecture to scale efficiency and productivity, disruption to a cloud environment could be catastrophic.”

For enterprises that are rapidly adopting both IoT technology and cloud architecture, insufficient security controls could expose the organization to elevated risk, calling for the security committee to conduct an up-to-date risk assessment, DeBeck stated.

Attackers continue malware development

“Since this activity is highly automated, there remains a strong possibility of large-scale infection of IoT devices in the future,” DeBeck stated. “Additionally, threat actors are continuing to expand their targets to include new types of IoT devices and may start looking at industrial IoT devices or connected wearables to increase their footprint and profits.”

Botnet operators are also developing new Mirai variants and IoT botnet malware outside of the Mirai family to target IoT devices, DeBeck stated.

“A threat actor group called Shaolin, for example, has been primarily targeting consumer brand routers, specifically Netgear and D-Link routers. Samples for Shaolin reach back to December 2018 and appear to be cobbled together from the code of multiple botnet variants, including Mirai,” DeBeck stated. Some researchers have suggested that it is part of a larger group of bots called Cayosin. An Instagram user with the alias “unholdable” was spotted selling access to the Cayosin malware in early 2019, posting videos of how to purchase and use its botnet services, DeBeck stated.

“Another IoT-targeting malware family, Gafgyt, represented 27 percent of all observed instances of IoT targeting so far in 2019,” according to X-Force data. “Gafgyt is a relative newcomer to the IoT botnet marketplace, having emerged in late 2017, and was created in part from the released Mirai source code. It uses password brute-forcing with a pre-generated list of passwords to infect devices. Gafgyt historically targeted Linux-based devices, unlike Mirai, which targets a broader set of devices.”

Botnets aren’t the only IoT challenge facing DNS systems. ICANN says another problem is what it calls “unfriendly DNS programming” and cited an example where, after an update to Apple’s iOS 6.0 in November 2012, the TuneIn music app started transmitting one DNS query per second for domains of the form www..com, perhaps to regularly check for network connectivity.

“The mobile network operator who observed the event reported around 1,000 of these queries per second from around 700 iPhones. The result was that the operator’s DNS resolver's cache grew to about 5 million entries (normally around 400K) and its memory consumption increased to around 10 GB (normally around 4 GB), leading the operator to classify the event as a DDoS attack on its resolver. The network operator was unable to block the traffic because the devices were also making normal queries and instead had to wait until the new version of the app came out, which was about three weeks later,” ICANN wrote.

ICANN wrote that incidents like the TuneIn app can have DNS-wide effects on resolvers.

“For example, a certain type of IoT device with a large installed base across many different networks and resolvers exhibiting TuneIn-like behavior may cause stress on the local DNS resolvers in those networks because they fill up their caches and run out of memory, resulting in packet drops or increased response latency,” ICANN wrote. “A similar event would be a large number of IoT devices coming back online after a power outage and all trying to locate their remote services almost simultaneously.”

A possible root cause of DNS-unfriendly programming is that IoT device engineers rely on open source stacks (Linux variants) that hide the details of networking functions from them. As a result, they are less familiar with how the DNS works and with the Internet-scale effects of their programming.

Another risk IoT presents to DNS is the number of open resolvers on the Internet.

“Open resolvers have been misconfigured to accept DNS queries from any client on the Internet, rather than restricting access to clients within the domain that they are intended to serve (e.g., an ISP network or a home network),” ICANN stated. “Attackers can take advantage of such misconfigurations by sending many DNS requests to an open resolver with the query’s source IP addresses set to spoof a victim’s IP address. As a result, the resolver will send any responses to the victim instead of to the attacker, adding an amplification factor because DNS responses are usually larger than DNS requests.”

The number of open resolvers on the Internet is on the order of millions, with some estimating 23 million to 25 million open resolvers in 2014 and Shadowserver reporting over 3 million open resolvers based on their active scanning system in December 2018, ICANN stated.

“While open resolvers are a longtime problem, they represent an additional risk to the IoT. This is because Mirai has demonstrated that a botnet of several 100K bots can launch direct DDoS attacks on DNS operators that can lead to large-scale service outages, which would potentially be tens of times higher if they were amplified through a set of open resolvers. There is anecdotal evidence that there are IoT botnets, such as the Reaper botnet, that are capable of exploiting open resolvers.”

5 Ways to improve IoT-DNS security

ICANN identified five key opportunities to improve overall IoT-DNS security:

Developing a DNS library for IoT devices that makes DNS security functions (such as DNSSEC validation) available for device-control applications and that uses DNS query data to make IoT deployments more transparent for users.

Training IoT and DNS professionals to help DNS players such as registrars and registrants understand the implications of providing services for domain names that act as a backend for IoT devices rather than as a means for making content available to humans, and to help IoT device manufacturers understand how to use the DNS and how to configure resolvers.

Developing a shared system that lets DNS operators automatically and continually share information on IoT botnets.

Developing systems that let DNS operators share DDoS-handling capacity and that stop attacks at an early stage in edge networks so DNS operators can better handle very large IoT-powered DDoS attacks.

Developing a system that lets DNS operators measure how the IoT uses the DNS to better understand how IoT risks evolve, for instance, to develop new domain-name policy or for incident response purposes.

IBM’s X-Force meanwhile recommends mitigation strategies to protect IoT and DNS systems:

Inventory all IoT assets on a regular basis and ensure that they are serving a legitimate business purpose.

For organizations with a significant IoT footprint, engage in regular penetration testing to confirm the presence of IoT devices and that they meet security standards.

Change all default passwords on IoT devices. If passwords cannot be changed, segregate the IoT network and place mitigating controls around these device networks.

Restrict public internet access to IoT devices by placing them behind firewalls and other network defenses.

Monitor for unexpected outbound Wget or PowerShell requests that may be attempting to pull malicious payloads onto IoT devices.

Secure IoT applications in all interactions, from the back-end servers processing device operations to communications with front-end user devices.

Ensure IoT device interactions are encrypted and authenticated across the board.

Use threat intelligence to monitor current threat trends for the latest tactics, techniques and procedures threat actors are using to compromise IoT devices.

Restrict outbound activity for IoT devices that do not require external access.
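Two of the resolver-side risks described above, TuneIn-style streams of throwaway names from a single client and recursion being served to clients outside the networks a resolver is meant to serve, can both be spotted in a resolver's query log. The script below is an added example, not code from ICANN, IBM or any resolver vendor: the log format, the addresses, the 10.0.0.0/8 served prefix and the thresholds are all constructed for the illustration.

```python
"""Resolver query-log triage for two risks discussed on this page:
DNS-unfriendly device behaviour (many never-before-seen names per second
from one client, which fills the cache) and open-resolver exposure
(recursive queries answered for sources outside the served networks).
Added example; log format, addresses and thresholds are constructed."""
import ipaddress
from collections import defaultdict

# Constructed log format, one query per line:
# <epoch-seconds> <client-ip> <qname> <qtype> <rd:0|1> <request-bytes> <response-bytes>
SAMPLE_LOG = """\
1700000000 10.1.1.20 www.k3j9x.com A 1 45 122
1700000000 10.1.1.20 www.p0q2r.com A 1 45 122
1700000000 10.1.1.20 www.zz81m.com A 1 45 122
1700000000 10.1.1.20 www.a7c4d.com A 1 45 122
1700000000 10.1.1.20 www.h5n6v.com A 1 45 122
1700000000 10.1.1.30 api.example.com A 1 44 76
1700000000 203.0.113.7 example.com TXT 1 64 3072
1700000001 10.1.1.20 www.q1w2e.com A 1 45 122
1700000001 10.1.1.20 www.r3t4y.com A 1 45 122
1700000001 10.1.1.20 www.u5i6o.com A 1 45 122
1700000001 10.1.1.20 www.g7h8j.com A 1 45 122
1700000001 10.1.1.30 api.example.com AAAA 1 44 88
1700000001 203.0.113.7 example.com TXT 1 64 3072
1700000001 198.51.100.9 example.com A 0 40 60
"""

SERVED_PREFIXES = ["10.0.0.0/8"]  # constructed: networks this resolver is meant to serve


def parse_log(text):
    """Turn the constructed log format into a list of dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, qtype, rd, req, resp = line.split()
        records.append({"ts": int(ts), "client": client, "qname": qname.lower(),
                        "qtype": qtype, "rd": rd == "1",
                        "req": int(req), "resp": int(resp)})
    return records


def chatty_clients(records, max_qps=3, min_unique_ratio=0.8):
    """Clients that send more than max_qps queries in some one-second bucket,
    mostly for distinct names (each one a new cache entry).
    Returns {client: peak queries per second}."""
    buckets = defaultdict(list)
    for r in records:
        buckets[(r["client"], r["ts"])].append(r["qname"])
    peaks = {}
    for (client, _), names in buckets.items():
        qps = len(names)
        unique_ratio = len(set(names)) / len(names)
        if qps > max_qps and unique_ratio >= min_unique_ratio:
            peaks[client] = max(peaks.get(client, 0), qps)
    return peaks


def open_resolver_clients(records, served_prefixes):
    """Recursive (RD=1) queries answered for sources outside served_prefixes,
    with the response/request byte ratio each such source obtained."""
    nets = [ipaddress.ip_network(p) for p in served_prefixes]
    stats = defaultdict(lambda: {"queries": 0, "req": 0, "resp": 0})
    for r in records:
        if not r["rd"] or any(ipaddress.ip_address(r["client"]) in n for n in nets):
            continue
        s = stats[r["client"]]
        s["queries"] += 1
        s["req"] += r["req"]
        s["resp"] += r["resp"]
    for s in stats.values():
        s["amplification"] = round(s["resp"] / s["req"], 1)
    return dict(stats)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("cache-filling clients:", chatty_clients(recs))
    print("outside sources served recursion:", open_resolver_clients(recs, SERVED_PREFIXES))
```

On the constructed log, 10.1.1.20 is reported at a peak of 5 distinct names per second while 10.1.1.30, which repeats one name, is not; 203.0.113.7 shows up as an outside source that received recursion with a 48:1 byte ratio, while 198.51.100.9 is ignored because its query did not ask for recursion. The fix for the second finding is the one the report implies: restrict recursion to the served prefixes. For the first, the TuneIn incident shows that blocking the client is often not an option, so the useful output is an early alert and the client population to take to the device vendor.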
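Several of the X-Force mitigations above (keep an inventory of IoT assets, restrict outbound activity for devices that do not need it, and watch for unexpected outbound Wget or PowerShell fetches) combine naturally into one egress review of the IoT segment. The script below is an added example, not X-Force's or IBM's code: the inventory, the 10.20.0.0/24 segment, the hostnames (under the reserved .invalid and a made-up .internal zone) and the flow-log format are constructed.

```python
"""Egress review for an IoT network segment against a device inventory.
Flags traffic from addresses missing from the inventory, connections to
destinations a device is not allowed to reach, and HTTP fetches whose
user agent is Wget or PowerShell. Added example; all data is constructed."""
import ipaddress

# Constructed inventory: device IP -> (label, set of "host:port" it legitimately needs)
INVENTORY = {
    "10.20.0.11": ("lobby-camera-01", {"cloud.example-cam.invalid:443",
                                       "ntp.corp.internal:123"}),
    "10.20.0.12": ("hvac-ctrl-02", {"bms.corp.internal:8883"}),
}
IOT_SEGMENT = ipaddress.ip_network("10.20.0.0/24")  # constructed segment
SUSPECT_AGENTS = ("wget", "powershell")               # the two named in the mitigation list

# Constructed egress log, one flow per line:
# <src-ip> <dst-host-or-ip> <dst-port> <proto> <user-agent or '-'>
SAMPLE_FLOWS = """\
10.20.0.11 cloud.example-cam.invalid 443 tcp -
10.20.0.11 198.51.100.44 80 tcp Wget/1.20
10.20.0.12 bms.corp.internal 8883 tcp -
10.20.0.12 203.0.113.9 23 tcp -
10.20.0.57 cloud.example-cam.invalid 443 tcp -
10.30.0.5 intranet.corp.internal 443 tcp Mozilla/5.0
"""


def parse_flows(text):
    """Turn the constructed flow format into a list of dicts."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, dport, proto, ua = line.split(maxsplit=4)
        flows.append({"src": src, "dst": dst, "dport": int(dport),
                      "proto": proto, "ua": ua})
    return flows


def review_egress(flows, inventory, segment):
    """Return (who, finding, detail) tuples for flows originating in the
    IoT segment. Flows from other segments are out of scope here."""
    findings = []
    for f in flows:
        if ipaddress.ip_address(f["src"]) not in segment:
            continue
        dest = f"{f['dst']}:{f['dport']}"
        if f["src"] not in inventory:
            # A talking device nobody inventoried: first item on the mitigation list.
            findings.append((f["src"], "unknown-asset", dest))
            continue
        label, allowed = inventory[f["src"]]
        if dest not in allowed:
            findings.append((label, "outside-allowlist", dest))
        if f["ua"].lower().startswith(SUSPECT_AGENTS):
            findings.append((label, "suspect-download-agent", f["ua"]))
    return findings


if __name__ == "__main__":
    for who, finding, detail in review_egress(parse_flows(SAMPLE_FLOWS), INVENTORY, IOT_SEGMENT):
        print(f"{who:18} {finding:24} {detail}")
```

On the constructed log the camera is reported twice for the same flow (a destination outside its allowlist and a Wget user agent), the HVAC controller for an outbound telnet connection it has no business making, and 10.20.0.57 as a device on the IoT segment that the inventory does not know about. The workstation on 10.30.0.5 is skipped because it is outside the segment. The allowlist per device is also the input you would need to turn "restrict outbound activity" into default-deny egress rules on the segment's firewall.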