How Does It Work?
A DDoS attack needs a network of Internet-connected systems that can bombard a target with a continuous stream of requests. To build such a network, attackers compromise computers and IoT devices with malware that gives them control of each device.
Once a sufficient number of devices are under its control, the attacker can “order” the machines around by sending them instructions over a remote command channel. After the target has been chosen, its IP address is passed to all the controlled systems, and each of them then directs requests to the target. When the target’s processing capacity or bandwidth is exhausted, the targeted network or server is no longer able to serve its routine traffic. Because each of the controlled systems is a genuine device in its own right, it is not easy to separate its traffic from the “normal” traffic.
Two common forms of DDoS attack against IoT systems, both based on amplification, are:
1. NTP amplification attack.
2. DNS amplification attack.
A DDoS attack can be represented as a traffic jam which congests the road and stops other routine traffic from reaching its desired destination.
[Figure: Malicious Traffic from the Attacker Computer and Clean Traffic from Real Users both cross the Internet to the Target Server (WWW); the server runs Out of Resources and the Service goes Offline.]
Chapter 11 Security Challenges for IoT 287
NTP Amplification Attack
An NTP amplification attack is a type of DDoS attack in which attackers abuse publicly reachable NTP (Network Time Protocol) servers, a service that also runs on many IoT devices, so that the victim’s server or network is overwhelmed by an amplified volume of UDP traffic. This leaves regular traffic unable to reach the victim and its supporting infrastructure.
Amplification attacks rely on a disparity in bandwidth cost between the attacker and the victim’s web resource: a small query costs the attacker little to send, but provokes a much larger response that the victim has to absorb. Repeated many times, this disparity produces a large influx of traffic that threatens the availability of the victim’s networking ecosystem. In other words, small queries are sent in order to generate bigger responses, and that difference is the attacker’s advantage. If a botnet of compromised IoT devices sends the queries, the magnification is multiplied by the number of bots, each generating such requests; and because the responses come from the reflecting servers rather than from the bots, the attacker not only exploits the new traffic but also stays hidden behind it.
It is important to understand that these amplification attacks differ from DNS flood attacks. Unlike a flood, an amplification attack reflects and amplifies traffic off unprotected (open) DNS servers, which helps to conceal the attack’s origin and boosts its potency. Usually, the attacker uses devices with low-bandwidth connections to send many small requests to open DNS resolvers, each asking for an extremely large DNS record, and spoofs the source address of every request so that it appears to come from the victim. The amplified responses are then delivered to the victim, so the attacker can target big IoT systems even without substantial resources of their own.
To understand NTP amplification, consider the simple analogy of a coffee shop. A man calls the shop and asks it to prepare an order containing everything on the menu, then to call him back and read out the complete order. When the shop asks for a number to call back, the man gives the victim’s number instead of his own. The victim then keeps receiving calls full of unneeded and irrelevant information that they never asked for.
If you do not know what NTP does, keep in mind that it is the protocol that lets the internal clocks of IoT devices (and servers generally) synchronise, so it holds a crucial place in the Internet architecture. When attackers can reach an NTP server that honours the monlist command, they can multiply their initial request traffic, because the server answers with a very large response. On older ntpd versions (before 4.2.7p26) the monlist command is enabled by default, and it returns a reply listing the last 600 client IP addresses that have contacted the NTP server.
It is important to note here that the reply to a single monlist request, listing 600 addresses stored in the server’s memory, can be more than 200 times larger than the request. Hence, if an attacker can generate 1 GB of request traffic, they have the potential to direct an attack of more than 200 GB at the victim. A standard NTP amplification attack works in a few steps:
1. The attacker uses a botnet to send UDP packets with spoofed source IP addresses to NTP servers on which the monlist command is enabled. The spoofed source address of every packet is the victim’s real IP address.
2. Each NTP server treats every UDP packet as a legitimate monlist request and generates a huge response.
3. The server sends that data-filled response to the spoofed source address, that is, to the victim.
4. The victim’s IP address receives all of the responses, and the supporting network ecosystem is rendered ineffective as the high volume of traffic overwhelms it, culminating in denial of service.
The attack makes the traffic look legitimate, as if it originates from authentic servers. As a consequence, mitigating such traffic is troublesome unless the actual
288 Internet of Things