Reports: As the IoT grows, so do its threats to DNS

News Analysis
Jul 24, 2019

ICANN and IBM's security researchers separately spell out how the growth of the internet of things will increase opportunities for malicious actors to attack the Domain Name System with hyperscale botnets and worm their malware into the cloud.


The internet of things (IoT) is shaping up to be a more significant threat to the Domain Name System (DNS) through larger IoT botnets, unintentional adverse effects of IoT-software updates and the continuing development of bot-herding software.

The Internet Corporation for Assigned Names and Numbers (ICANN) and IBM’s X-Force security researchers have recently issued reports outlining the interplay between DNS and IoT that includes warnings about the pressure IoT botnets will put on the availability of DNS systems.

ICANN’s Security and Stability Advisory Committee (SSAC) wrote in a report that “a significant number of IoT devices will likely be IP enabled and will use the DNS to locate the remote services they require to perform their functions. As a result, the DNS will continue to play the same crucial role for the IoT that it has for traditional applications that enable human users to interact with services and content. The role of the DNS might become even more crucial from a security and stability perspective with IoT devices interacting with people’s physical environment.”

IoT represents both an opportunity and a risk to the DNS, ICANN stated. “It is an opportunity because the DNS provides functions and data that can help make the IoT more secure, stable, and transparent, which is critical given the IoT’s interaction with the physical world. It is a risk because various measurement studies suggest that IoT devices may stress the DNS, for instance, because of complex DDoS attacks carried out by botnets that grow to hundreds of thousands or in the future millions of infected IoT devices within hours,” ICANN stated.

Unintentional DDoS attacks

One risk is that the IoT could place new burdens on the DNS. “For example, a software update for a popular IP-enabled IoT device that causes the device to use the DNS more frequently (e.g., regularly lookup random domain names to check for network availability) could stress the DNS in individual networks when millions of devices automatically install the update at the same time,” ICANN stated.

While this is a programming error from the perspective of individual devices, it could result in a significant attack vector from the perspective of DNS infrastructure operators. Incidents like this have already occurred on a small scale, but they may occur more frequently in the future due to the growth of heterogeneous IoT devices from manufacturers that equip their IoT devices with controllers that use the DNS, ICANN stated.

Massively larger botnets, threat to clouds

The report also suggested that the scale of IoT botnets could grow from hundreds of thousands of devices to millions. The best-known IoT botnet is Mirai, responsible for DDoS attacks involving 400,000 to 600,000 devices. The Hajime botnet hovers around 400K infected IoT devices but has not launched any DDoS attacks yet. As the IoT grows, so will the botnets, and with them the size of the DDoS attacks they can launch.

Cloud-connected IoT devices could endanger cloud resources. “IoT devices connected to cloud architecture could allow Mirai adversaries to gain access to cloud servers. They could infect a server with additional malware dropped by Mirai or expose all IoT devices connected to the server to further compromise,” wrote Charles DeBeck, a senior cyber threat intelligence strategic analyst with IBM X-Force Incident Response, in a recent report. “As organizations increasingly adopt cloud architecture to scale efficiency and productivity, disruption to a cloud environment could be catastrophic.”

For enterprises that are rapidly adopting both IoT technology and cloud architecture, insufficient security controls could expose the organization to elevated risk, calling for the security committee to conduct an up-to-date risk assessment, DeBeck stated.

Attackers continue malware development

“Since this activity is highly automated, there remains a strong possibility of large-scale infection of IoT devices in the future,” DeBeck stated. “Additionally, threat actors are continuing to expand their targets to include new types of IoT devices and may start looking at industrial IoT devices or connected wearables to increase their footprint and profits.”

Botnet bad guys are also developing new Mirai variants and IoT botnet malware outside of the Mirai family to target IoT devices, DeBeck stated.

“A threat actor group called Shaolin, for example, has been primarily targeting consumer brand routers, specifically Netgear and D-Link routers. Samples for Shaolin reach back to December 2018 and appear to be cobbled together from the code of multiple botnet variants, including Mirai,” DeBeck stated. Some researchers have suggested that it is part of a larger group of bots called Cayosin. An Instagram user with the alias “unholdable” was spotted selling access to the Cayosin malware in early 2019, posting videos of how to purchase and use its botnet services, DeBeck stated.

“Another IoT-targeting malware family, Gafgyt, represented 27 percent of all observed instances of IoT targeting so far in 2019,” according to X-Force data. “Gafgyt is a relative newcomer to the IoT botnet marketplace, having emerged in late 2017, and was created in part from the released Mirai source code. It uses password brute-forcing with a pre-generated list of passwords to infect devices. Gafgyt historically targeted Linux-based devices, unlike Mirai, which targets a broader set of devices.”

Botnets aren’t the only IoT challenge facing DNS systems. ICANN says another problem is what it calls “unfriendly DNS programming” and cited an example where, after an update to Apple’s iOS 6.0 in November 2012, the TuneIn music app started transmitting one DNS query per second for domains of the form, perhaps to regularly check for network connectivity.

“The mobile network operator who observed the event reported around 1,000 of these queries per second from around 700 iPhones. The result was that the operator’s DNS resolver’s cache grew to about 5 million entries (normally around 400K) and its memory consumption increased to around 10 GB (normally around 4 GB), leading the operator to classify the event as a DDoS attack on its resolver. The network operator was unable to block the traffic because the devices were also making normal queries and instead had to wait until the new version of the app came out, which was about three weeks later,” ICANN wrote.

ICANN wrote that incidents like the TuneIn one can have DNS-wide effects on resolvers.

“For example, a certain type of IoT device with a large installed base across many different networks and resolvers exhibiting TuneIn-like behavior may cause stress on the local DNS resolvers in those networks because they fill up their caches and run out of memory, resulting in packet drops or increased response latency,” ICANN wrote. “A similar event would be a large number of IoT devices coming back online after a power outage and all trying to locate their remote services almost simultaneously.”

A possible root cause of DNS-unfriendly programming is that IoT device engineers rely on open source stacks (Linux variants) that hide the details of networking functions from them. As a result, they are less familiar with how the DNS works and the Internet-scale effects of their programming.
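The update-burst risk and the TuneIn incident above share one signature on a resolver: a client that queries at a steady rate for names it has never asked for before, so every answer becomes a new cache entry. The following is an added example, not code from ICANN's report or from the article, showing how a resolver operator could spot such clients in a query log. It assumes a simplified BIND-style log format and constructed sample lines; the thresholds are illustrative.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed, simplified BIND-style query-log lines (not real data). Client 10.0.0.5
# mimics TuneIn-like behaviour (one query/s, each for a new name); 10.0.0.7 is normal.
SAMPLE_LOG = """\
24-Jul-2019 08:00:00.000 client 10.0.0.5#40001: query: q8f3k1.example.net IN A
24-Jul-2019 08:00:01.000 client 10.0.0.5#40002: query: z2m9p4.example.net IN A
24-Jul-2019 08:00:01.500 client 10.0.0.7#51000: query: www.example.com IN A
24-Jul-2019 08:00:02.000 client 10.0.0.5#40003: query: b7c1x0.example.net IN A
24-Jul-2019 08:00:03.000 client 10.0.0.5#40004: query: k4n6v2.example.net IN A
24-Jul-2019 08:00:04.000 client 10.0.0.7#51001: query: www.example.com IN AAAA
24-Jul-2019 08:00:04.000 client 10.0.0.5#40005: query: t1r5w8.example.net IN A
24-Jul-2019 08:00:05.000 client 10.0.0.5#40006: query: h9d2s3.example.net IN A
24-Jul-2019 08:00:06.000 client 10.0.0.5#40007: query: m3y7e5.example.net IN A
24-Jul-2019 08:00:06.500 client 10.0.0.7#51002: query: www.example.com IN A
"""

LINE_RE = re.compile(r"^(\S+ \S+) client ([\d.:a-fA-F]+)#\d+: query: (\S+) IN (\S+)")

def parse_log(text):
    """Yield (timestamp, client_ip, qname) for every well-formed query-log line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # tolerate unrelated log lines instead of failing on them
        ts = datetime.strptime(m.group(1), "%d-%b-%Y %H:%M:%S.%f")
        yield ts, m.group(2), m.group(3).lower()

def client_stats(text):
    """Per-client query count, rate (queries/s) and share of distinct names queried."""
    times, names = defaultdict(list), defaultdict(set)
    for ts, ip, qname in parse_log(text):
        times[ip].append(ts)
        names[ip].add(qname)
    stats = {}
    for ip, ts_list in times.items():
        span = max((max(ts_list) - min(ts_list)).total_seconds(), 1.0)  # guard 1-query clients
        stats[ip] = {"count": len(ts_list), "qps": len(ts_list) / span,
                     "unique_ratio": len(names[ip]) / len(ts_list)}
    return stats

def flag_unfriendly_clients(text, min_qps=0.5, min_unique_ratio=0.8):
    """Clients that both query quickly AND mostly ask for new names bloat the cache."""
    return sorted(ip for ip, s in client_stats(text).items()
                  if s["qps"] >= min_qps and s["unique_ratio"] >= min_unique_ratio)

if __name__ == "__main__":
    print(flag_unfriendly_clients(SAMPLE_LOG))
```

A high query rate alone is not the problem (10.0.0.7 polls one cached name and costs the resolver nothing); the combination of rate and ever-new names is what fills the cache, so the check requires both.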

Another risk IoT presents to DNS is the number of open resolvers on the Internet. 

“Open resolvers have been misconfigured to accept DNS queries from any client on the Internet, rather than restricting access to clients within the domain that they are intended to serve (e.g., an ISP network or a home network),” ICANN stated. “Attackers can take advantage of such misconfigurations by sending many DNS requests to an open resolver with the query’s source IP addresses set to spoof a victim’s IP address. As a result, the resolver will send any responses to the victim instead of to the attacker, adding an amplification factor because DNS responses are usually larger than DNS requests.”

The number of open resolvers on the Internet is on the order of millions, with some estimating 23 million to 25 million open resolvers in 2014 and Shadowserver reporting over 3 million open resolvers based on its active scanning system in December 2018, ICANN stated.

“While open resolvers are a longtime problem, they represent an additional risk to the IoT. This is because Mirai has demonstrated that a botnet of several 100K bots can launch direct DDoS attacks on DNS operators that can lead to large-scale service outages, which would potentially be tens of times higher if they were amplified through a set of open resolvers. There is anecdotal evidence that there are IoT botnets, such as the Reaper botnet, that are capable of exploiting open resolvers.”

5 Ways to improve IoT-DNS security

ICANN identified five key opportunities to improve overall IoT–DNS security:

  • Developing a DNS library for IoT devices that makes DNS security functions (such as DNSSEC validation) available for device-control applications and that uses DNS query data to make IoT deployments more transparent for users.
  • Training IoT and DNS professionals to help DNS players such as registrars and registrants understand the implications of providing services for domain names that act as a backend for IoT devices rather than as a means for making content available to humans and to help IoT device manufacturers understand how to use the DNS and how to configure resolvers.
  • Developing a shared system that lets DNS operators automatically and continually share information on IoT botnets.
  • Developing systems that let DNS operators share DDoS-handling capacity and that stop attacks in an early stage in edge networks so DNS operators can better handle very large IoT-powered DDoS attacks.
  • Developing a system that lets DNS operators measure how the IoT uses the DNS to better understand how IoT risks evolve, for instance, to develop new domain-name policy or for incident response purposes.

IBM’s X-Force meanwhile recommends mitigation strategies to protect IoT and DNS systems:

  • Inventory all IoT assets on a regular basis and ensure that they are serving a legitimate business purpose.
  • For organizations with a significant IoT footprint, engage in regular penetration testing to confirm the presence of IoT devices and that they meet security standards.
  • Change all default passwords on IoT devices. If passwords cannot be changed, segregate the IoT network and place mitigating controls around these device networks.
  • Restrict public internet access to IoT devices by placing them behind firewalls and other network defenses.
  • Monitor for unexpected outbound Wget or PowerShell requests that may be attempting to pull malicious payloads onto IoT devices.
  • Secure IoT applications in all interactions, from the back-end servers processing device operations to communications with front-end user devices.
  • Ensure IoT device interactions are encrypted and authenticated across the board.
  • Use threat intelligence to monitor current threat trends for the latest tactics, techniques and procedures threat actors are using to compromise IoT devices.
  • Restrict outbound activity for IoT devices that do not require external access.