The Best Defense Against IoT DDoS Attacks

Posted in Best Practices

Many organizations felt the impact of Friday's massive internet disruption, when a DDoS attack was launched against the DNS provider Dyn. The attack appears to have been carried out by the Mirai botnet, which recruits IoT devices, a class of hardware often known for favoring ease of use over security.

The attack leveraged webcams exposed on the public internet with their default administrative passwords still in place, and it has been so impactful that at least one webcam manufacturer has recalled its cameras. It affected multiple countries and companies and, by some estimates, up to 40% of all web traffic.

This isn't a vulnerability that can be "patched" in software, because it is a vulnerability in the meatspace of setting up devices. Leaving default passwords on anything that can reach the internet all but guarantees it will be absorbed into one or more botnets and used for attacks like these. One caveat: some of the recruited devices exposed Telnet with credentials baked into the firmware that the web interface could not change, and for those the only fixes are to keep the management ports off the public internet or to replace the device. For everything else, the solution is actually quite simple:

Make better passwords: use passphrases

Don't install a device on your network, or any network, with the default password left in place. And don't reuse the same password across the board. At a minimum, while you work on better password habits, cluster your passwords into categories such as banking, medical, kids and so on, so that you can change a whole category together when you hear about a breach. I can preach on the importance of unique, complex passwords for every single login, as many do, but security and privacy have to be consumable, and a fad password overhaul is about as effective as a fad diet.

As password requirements get longer (at least 8 characters, include a number, contain one lowercase letter, contain one uppercase letter, contain a special symbol, contain an emotion, taste savory), an easy way to meet them is to adopt the idea of a passphrase. Many attacks are dictionary attacks rather than true brute force: the attacker tries lists of known words and previously leaked passwords, plus simple variations of them, not every possible string. Combining multiple words, and making up words that appear in no list, massively increases your defense against this type of attack. For a full brute-force search, the number of possible strings depends on the alphabet size and the length (the figures below are the total search space for exactly 8 characters):
  • An 8-character password using only lowercase letters: 26^8, about 209 billion possibilities
  • Allow uppercase as well (52 symbols): 52^8, about 53.5 trillion
  • Add numbers (62 symbols): 62^8, about 218 trillion
  • Use every printable character (95 symbols): 95^8, about 6.6 quadrillion; and every character added to the length multiplies the space by 95 again, which is why longer phrases mixing capitals, symbols and non-English words quickly reach the quadrillions and beyond
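The following is an added example, not code from the original post: it derives the search-space figures in the list above and sizes the same lyric two ways, as a string of letters and as a sequence of dictionary words, because an attacker who models a passphrase word by word searches a far smaller space. The guess rate, the 20,000-word vocabulary and the Diceware list size are assumptions chosen for illustration.

```python
# Added example, not from the original post: how the keyspace figures above
# are derived, and why a passphrase should be sized in words, not characters.
# Guess rate and dictionary sizes below are assumptions chosen for illustration.
import math

# Alphabet sizes used in the bullet list above.
LOWER = 26            # a-z
MIXED_CASE = 52       # a-z, A-Z
ALNUM = 62            # a-z, A-Z, 0-9
PRINTABLE = 95        # every printable ASCII character, space included

DICEWARE_WORDS = 7776       # size of the Diceware list (6^5 entries)
ENGLISH_VOCAB = 20_000      # assumption: a modest English word list an attacker would try


def keyspace(alphabet_size: int, length: int) -> int:
    """Count of distinct strings of exactly `length` symbols from the alphabet."""
    return alphabet_size ** length


def entropy_bits(space: int) -> float:
    """Bits of entropy if every string in `space` is equally likely."""
    return math.log2(space)


def expected_crack_seconds(space: int, guesses_per_second: float) -> float:
    """Average time for an exhaustive search: half the space is tried on average."""
    return space / 2 / guesses_per_second


def word_keyspace(dictionary_size: int, words: int) -> int:
    """Passphrase assembled from dictionary words: the attacker guesses words, not letters."""
    return dictionary_size ** words


def describe(label: str, space: int, rate: float = 1e10) -> str:
    """One report line; `rate` (guesses/second) is an assumed offline cracking speed."""
    return (f"{label:<34} {space:>24,}  {entropy_bits(space):5.1f} bits "
            f"{expected_crack_seconds(space, rate):12.3g} s")


if __name__ == "__main__":
    for label, alphabet in (("8 chars, lowercase", LOWER),
                            ("8 chars, mixed case", MIXED_CASE),
                            ("8 chars, alphanumeric", ALNUM),
                            ("8 chars, printable ASCII", PRINTABLE)):
        print(describe(label, keyspace(alphabet, 8)))
    # The lyric used later in the post has 5 words. Modelled as 21 lowercase
    # letters it looks enormous; modelled as 5 dictionary words it is far smaller.
    print(describe("21 lowercase chars (naive view)", keyspace(LOWER, 21)))
    print(describe("5 words from 20k vocabulary", word_keyspace(ENGLISH_VOCAB, 5)))
    print(describe("5 random Diceware words", word_keyspace(DICEWARE_WORDS, 5)))
```

The last three lines of the report are the point: the same 21-letter lyric is worth about 99 bits if the attacker must try letters, but only about 71 bits if the attacker tries common English words, and a phrase of five random Diceware words (about 65 bits) is in the same range while being far easier to remember than 8 random printable characters.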
A simple passphrase might be a song lyric you like. “A country boy can survive” is a lyric from a country song I am fond of.

acountryboycansurvive

Incorporating a second language and changing boy to nino makes the phrase harder to guess from an English word list, which is what most dictionary attacks use. An attacker who also loads a Spanish list will still find it, so an invented word is better still.

acountryninocansurvive

Adding capital letters and replacing letters with numbers and symbols (L33T) improves your passphrase a little further. Be aware that password-cracking tools apply exactly these substitutions as rules to every word they try, so this step adds much less than it appears to; the length of the phrase and the word no list contains do most of the work.

@c0untryN1N0canSurv1v3

Now add your cluster flag to help create granularity for your passphrases.

@c0untryN1N0canSurv1v3Drs

@c0untryN1N0canSurv1v3Bills

@c0untryN1N0canSurv1v3Banks
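The following is an added example, not code from the original post or the author: it looks at the passphrases built above the way a cracking rig would. Crackers undo leetspeak and case with rules and then match against word lists, so the code normalizes each candidate, splits it into dictionary words, and sizes the search an attacker would actually run; it also shows how little is left to guess once one member of a cluster has leaked. The vocabulary (constructed for these examples), the 100,000-entry word-list size and the substitution table are assumptions.

```python
# Added example, not from the original post: an "attacker's eye" view of the
# passphrases above. The vocabulary, word-list size and substitution table are
# assumptions; a real rig uses far larger lists.
import os

# Constructed vocabulary, just enough to cover the phrases on this page.
VOCAB = {"a", "country", "boy", "can", "survive", "count", "try",
         "drs", "bills", "banks"}
WORDLIST_SIZE = 100_000   # assumption: size of the attacker's English word list

# Common leetspeak substitutions, in the direction an attacker reverses them.
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t", "+": "t"})


def unleet(candidate: str) -> str:
    """Undo leetspeak and case: a rule set does this for free on every list entry."""
    return candidate.translate(LEET).lower()


def segment(text: str, vocab=VOCAB) -> list[tuple[str, bool]]:
    """Split lowercase text into the fewest tokens, each a vocabulary word
    or a run of characters no word covers. Returns (token, in_vocab) pairs."""
    n = len(text)
    best = [None] * (n + 1)          # best[i] = (token count, tokens) for text[:i]
    best[0] = (0, [])
    for i in range(1, n + 1):
        # Fallback: the character at i-1 is unknown and costs one token by itself.
        cost, toks = best[i - 1]
        best[i] = (cost + 1, toks + [(text[i - 1], False)])
        # Better: some vocabulary word ends at i. "<=" lets one-letter words win ties.
        for j in range(i):
            word = text[j:i]
            if word in vocab and best[j][0] + 1 <= best[i][0]:
                best[i] = (best[j][0] + 1, best[j][1] + [(word, True)])
    merged = []                      # join adjacent unknown characters into one run
    for tok, known in best[n][1]:
        if not known and merged and not merged[-1][1]:
            merged[-1] = (merged[-1][0] + tok, False)
        else:
            merged.append((tok, known))
    return merged


def attacker_space(candidate: str, wordlist_size: int = WORDLIST_SIZE) -> int:
    """Guesses needed if the attacker tries word-list entries for each known word
    and brute-forces only the runs no word covers (26 choices per letter).
    Substitution rules multiply this by a small constant, ignored here."""
    space = 1
    for tok, known in segment(unleet(candidate)):
        space *= wordlist_size if known else 26 ** len(tok)
    return space


def remaining_space_after_leak(candidate: str, leaked: str,
                               wordlist_size: int = WORDLIST_SIZE) -> int:
    """Once one password sharing the same base has leaked, only the part that
    differs is left to guess."""
    shared = os.path.commonprefix([candidate, leaked])
    return attacker_space(candidate[len(shared):], wordlist_size)


if __name__ == "__main__":
    for pw in ("acountryboycansurvive", "acountryninocansurvive",
               "@c0untryN1N0canSurv1v3", "@c0untryN1N0canSurv1v3Drs"):
        toks = " ".join(t if k else f"[{t}]" for t, k in segment(unleet(pw)))
        print(f"{pw:<30} -> {toks:<40} {attacker_space(pw):.2e} guesses")
    print("after the Drs password leaks, Bills needs",
          remaining_space_after_leak("@c0untryN1N0canSurv1v3Bills",
                                     "@c0untryN1N0canSurv1v3Drs"), "guesses")
```

Under these assumptions the leetspeak version costs the attacker no more than the plain lowercase one, the unlisted word nino is worth roughly one extra dictionary word, and once the Drs password is in a breach dump the Bills and Banks variants are a single word-list pass away.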

Are these the best possible passwords? No. Long, complex passwords unique to every single login is the best process, and a password manager is the practical way to get there. Keep in mind that passphrases sharing a base and differing only in a suffix are only as separate as that suffix: if one of them turns up in a breach, the others are easy to guess, so treat a leak of any one as a reason to change the whole cluster. Still, this is an easy way for the everyday person to establish better password security while they work on building up to that best practice.

Now go change your passwords! “Petsname123” isn’t good enough.