Level 3's Drew Sees Liability Issues in IoT Botnets
NEW YORK -- Service Provider & Enterprise Security Strategies -- The recent massive DDoS attacks using Internet of Things devices are rallying the cybersecurity industry to the cause, prompting greater information sharing and discussion of how to proactively stop such attacks, Level 3 Communications' Dale Drew said here yesterday. But there is still a serious hurdle that network operators face in trying to detect and shut down IoT-based botnet attacks, without also impacting other traffic.
One primary issue is liability -- or rather lack of liability, noted Drew, who is chief security officer at Level 3 Communications Inc. (NYSE: LVLT). The record distributed denial of service (DDoS) attacks launched using the Mirai IoT-based botnet in October in the US and more recently in Germany used consumer IoT devices like DVRs and webcams, but it's not a consumer liability issue, nor are the manufacturers of those devices likely to be held responsible or even motivated to start securing them going forward, given how cheaply they are made.
"It gets down to who is liable -- that's the problem we have to solve," Drew commented. Internet service providers are motivated to do something because they could face liability for services that fail or businesses that lose connectivity leading to financial losses. That's why backbone operators such as Level 3 continue to pursue proactive means of identifying massive DDoS attacks or other hacks, with the hopes to warding them off or at minimum, enabling a fast response, said Drew, who was one of the first to sound the alarm on IoT as a source of DDoS threats. (See Will ISPs Step Up to the IoT Challenge?)
Another issue, however, is how to accurately filter bad traffic once it's identified, since in the case of IoT botnets, that can mean blocking a consumer device from reaching the Internet which can have unintended consequences, he added.
Network providers are capable of alerting consumers to the fact their devices have been corrupted -- Level 3 did, in fact, notify 1.7 million consumers that their devices had been compromised after the October attack on DNS provider Dyn, and it notified their service providers as well, based on tracking the affected IP addresses.
"We are upsetting everyone" in the process, Drew admitted. Consumers remain unconcerned, and their service providers are unhappy: "We don't own that service so we are notifying somebody else's customers and the providers do not like that."
Even worse is the response from enterprise security personnel. "With business customers, if you notify the security part of the business, you get zero traction," he said. "If you notify the network or IT side of the business -- what happens is, we get a call back from security person saying, 'Thanks for letting me know about this and don't ever call me again.' We get more CYA from security side of the house."
Four of the six vendors of the end devices Level 3 contacted after the October Mirai attack took in the information Level 3 provided, although it's uncertain the extent to which they will respond going forward, since the companies essentially integrate pieces of hardware purchased from other vendors with their applications.
One vendor "told us to pound sand and threatened to sue," Drew recalled. "And we had one who said you make good points, but we don't see any point in changing," since the vendor bore no legal responsibility and would be cutting into its profit margins to add costs to its products by making them more secure.
Even when network operators can identify botnet activity and have the ability to block the traffic at its source face an ethical dilemma in doing so, the Level 3 executive said, because it's virtually impossible to know the function of the specific device that has been compromised, given that most home networks today are consuming multiple IP addresses.
"When a consumer of yours plugs into your network and you can tell they have a device that is compromised and causing harm to the Internet, there is some [thinking] that says you have an obligation to filter that, to prevent it from reaching the Internet and causing harm, and I don't disagree with that," Drew said. The problem is that even home users have multiple IP addresses in play and without know what function a specific IP address is supporting, there is a risk in filtering or blocking that traffic.
"As a provider, you don't know what unintentional damage you can cause by filtering that device -- it could be a VoIP line for calling 911 or a health monitoring device," he said. "So while there is capability in that part of the ecosystem it should not be the only ecosystem piece we should be focusing on. We need to focus on the entire spectrum, everything from standards all the way to consumer responsibility, manufacturing responsibility, ISP responsibility and so on to make sure we address issue fairly holistically."
One thing Level 3 can and is doing is sharing IP reputation data to enable reputation-based routing, using an IETF standard called UTRS or unwanted traffic removal service. As Drew explained it, that's a BGP feed network operators can generate on their own or get from other providers that rates IP traffic, based on an extensive set of metadata. Then an ISP can choose to filter their traffic below a set reputation rating.
"The problem still is, how do we tell unintended consequences of that -- how do you make sure you are filtering bad guy traffic and not the good guy traffic?" he asked. "Every bad guy on the network that you filter is also a good guy with a machine that has been compromised."
There does need to be some proactive means of addressing the issue, he said, because reactive measures to botnets causing DDoS attacks break down when botnet armies reach the size of those in the recent IoT-based attacks.
Drew said Level 3 is prepared to filter traffic from botnets in the tens of thousands but the IoT-based attacks are in the hundreds of thousands, and the real danger is they will be getting much bigger much faster.
"With concern about IoT botnets, the game changes -- the amount of infrastructure that is at the disposal of the bad guys and the amount of capacity and capability in hands of bad guys means the escalation of attacks evolves much faster than before," he said.
— Carol Wilson, Editor-at-Large, Light Reading