How to Detect and Mitigate Low & Slow Cyberattacks in IoT

Malicious actors are always looking to find new ways to gain unauthorized access to systems, networks, and data. As a company’s IT environment changes and adopts new technologies, attackers will look for low-effort, high-outcome ways to compromise these new technologies. 

For example, in 2016, the Mirai malware targeted Internet of Things (IoT) devices so that the malicious actors could use vulnerable devices as part of a botnet for large-scale network attacks. Since then, researchers have continued to look for risk mitigation solutions to these challenges, like working on detection schemes to capture low and slow distributed denial of service (DDoS) attacks using IoT devices.

With insight into what a low and slow cyberattack is, organizations can implement security controls that mitigate business and service interruption risks. 

What is a Low and Slow DDoS Attack?

A low and slow DDoS attack mimics legitimate application traffic or common HTTP requests with a slow, deliberate, low rate of requests. While traditional DDoS attacks send high volumes of requests to overload the target resource, the low and slow attack sends the server an incomplete request, and the server leaves the connection open waiting for the rest of the message. 

Low and slow attacks lead to service outages and degrade performance by depleting application and server resources. Since the traffic falls below DDoS attack thresholds, traditional tools may fail to detect the low and slow attack.

Attackers often utilize tools like: 

  • Slowloris: sends partial HTTP requests and never completes them, tying up server connection slots and resources 
  • Sockstress: sends a flood of TCP SYN requests so that the server holds connections open indefinitely
  • R.U.D.Y (R-U-DEAD-YET?): sends HTTP POST requests for filling out forms while the server keeps the connections open waiting for the form data 

How Does a Low Volume Attack Work?

Low volume attacks focus on sending minimal, carefully crafted slow requests that can exhaust server resources. Every connection between an end user and a service follows a similar set of steps, even if the specifics vary:

  • User sends a request to the web server.
  • Web server reviews the request. 
  • Web server looks through its resources, like database or cache, to find the answer. 
  • Web server sends the answer back to the user. 

The low and slow attack focuses on the web server’s request review, especially thread-based web servers that can only manage a limited number of incoming requests. When the information in the request is incomplete or open ended, the web server keeps the connection open waiting for the rest of the request. 

By keeping connections open for extended periods, attackers can make it challenging for the server to process legitimate traffic, leading to delays or complete service unavailability.

How is a low volume DDoS attack different when compared to a traditional application DDoS attack?

A low-volume DDoS attack, such as a Slowloris attack, differs significantly from traditional application DDoS attacks in both the volume and nature of requests sent by attackers.

Traditional DDoS attacks often leverage extensive botnets to generate a high volume of requests that overwhelm server bandwidth and resources, such as creating a botnet from infected IoT devices. Using Web Application Firewalls (WAFs) or intrusion prevention systems can mitigate traditional DDoS attack risk because they identify abrupt spikes in traffic and filter out malicious requests, but the low and slow attacks often fall below these thresholds.

What Are the Signs of a Low and Slow Cyber Attack?

Network behavioral analysis plays a crucial role in identifying abnormalities during normal operations and suspected attack periods. By monitoring typical network traffic patterns, administrators can spot irregularities that indicate potential threats, including:

  • Transaction delays: query and response activities take longer than normal
  • Increased connections: web server connecting to more locations or abnormal locations
  • Resource use: web server using more CPU, memory, or connections than usual

Why is it hard to detect a Slowloris DDoS attack?

Detecting a Slowloris DDoS attack is challenging due to how it exploits the web server's request and response processes. 

When a user sends a complete HTTP request, it typically includes all the information the server needs at once, meaning a GET request header includes:

  • Host: defining which server is being contacted
  • User-Agent: defining the software making the request
  • Connection: telling the server to close the connection once it has responded to the request

In a Slowloris attack:

  • The GET request never tells the server to close the connection.
  • The information for the host and user-agent might be sent separately.

The malicious request therefore:

  • Tells the server to keep waiting for more information
  • Sends the pieces of information individually 
  • Tells the server to keep the connection open while waiting

This means that the server never knows when to stop waiting for more information. Since the traffic looks like a normal request, the server keeps waiting and using up resources. 

Best Practices for Monitoring IoT Devices

Mitigating low and slow attack risks requires understanding different types of IoT traffic patterns. Some IoT devices, like sensors, send small amounts of traffic to the network and their connected user-interface application. As organizations seek to understand their IoT device connectivity and communications, they need passive scanning technologies that enable them to create baselines for activity and collect the appropriate data.

Identify and Inventory IoT Devices

To create the appropriate protections, you should have a comprehensive IoT identification, inventory, and management program that allows you to detect and collect information about your deployment, including:

  • Hardware: manufacturer, model, serial number
  • Software: operating system, version, firmware revisions
  • Device type and function
  • Security assessment: vulnerabilities and risks

Implement Targeted Segmentation

While many organizations implement macro- and micro-segmentation, targeted segmentation focuses on isolating devices that share similar exploit vectors, which lets you focus security risk profiles across IoT-specific mitigation strategies like:

  • Security governance 
  • Patching 
  • Device configuration management 
  • Upgrading or replacing insecure devices

For example, devices that send low request volumes to servers and networks, like sensors, may pose a higher low and slow attack risk, while other IoT devices would be better suited for a volumetric DDoS attack. By separating these IoT devices based on the risks they pose, you can implement more robust monitoring for difficult-to-detect attack types. 

Create Baselines and Monitor For Anomalous Activity

You should be able to create a baseline definition of “normal” activity and communications for your IoT devices. A passive scanning solution can collect technical forensic data without taking IoT devices offline. With insight into normal device activity and transactions, you can set baselines for transaction times that help identify a potential low and slow attack. 

With a solution that captures network packet data, you can collect forensic information like:

  • Traffic information from networked devices
  • Data transferred to an FTP server
  • Potential traffic to adversary’s command and control servers
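
The baseline approach above, and the incomplete-header behaviour described in the Slowloris section, can be turned into a simple detector. The following is an added example (not Asimily's code) that checks whether each open connection's request header has been terminated by the blank line a complete HTTP/1.x header ends with, derives a threshold from header-completion times measured during a normal period, and flags clients holding several stalled connections past that threshold; the connection snapshots, addresses and timings are constructed sample data.

```python
"""Flag Slowloris-style connections: request headers still incomplete long after
the time a normal client needs to finish sending them."""
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass

HEADER_END = b"\r\n\r\n"  # a complete HTTP/1.x request header ends with a blank line


@dataclass
class ConnSnapshot:
    client: str          # peer address
    seconds_open: float  # how long the connection has been open
    received: bytes      # request bytes the server has seen so far


def request_complete(received: bytes) -> bool:
    """True once the full header block (terminated by CRLF CRLF) has arrived."""
    return HEADER_END in received


def baseline_seconds(normal_durations: list[float], pct: float = 0.95,
                     factor: float = 3.0) -> float:
    """Threshold = factor x the pct-th percentile of header-completion times
    observed during a quiet period; anything slower is treated as anomalous."""
    ordered = sorted(normal_durations)
    idx = min(len(ordered) - 1, int(round(pct * (len(ordered) - 1))))
    return ordered[idx] * factor


def flag_slow_clients(snapshots: list[ConnSnapshot], threshold_secs: float,
                      min_conns: int = 3) -> dict[str, int]:
    """Return {client: count} for clients holding at least min_conns connections
    whose headers are still incomplete after threshold_secs."""
    stalled: dict[str, int] = defaultdict(int)
    for s in snapshots:
        if not request_complete(s.received) and s.seconds_open > threshold_secs:
            stalled[s.client] += 1
    return {c: n for c, n in stalled.items() if n >= min_conns}


# Constructed baseline: seconds normal clients took to finish a header in a quiet hour
NORMAL_HEADER_TIMES = [0.02, 0.05, 0.08, 0.1, 0.3, 0.6, 1.2, 2.0]
PARTIAL = b"GET / HTTP/1.1\r\nHost: iot-portal.example\r\nX-a: b\r\n"  # no blank line yet
FULL = b"GET / HTTP/1.1\r\nHost: iot-portal.example\r\nConnection: close\r\n\r\n"
SAMPLE = [  # constructed snapshots of currently open connections
    ConnSnapshot("198.51.100.7", 95.0, PARTIAL),
    ConnSnapshot("198.51.100.7", 140.0, PARTIAL),
    ConnSnapshot("198.51.100.7", 210.0, PARTIAL),
    ConnSnapshot("203.0.113.9", 0.4, FULL),      # ordinary, completed request
    ConnSnapshot("203.0.113.10", 9.0, PARTIAL),  # one slow link; below min_conns
]

if __name__ == "__main__":
    thr = baseline_seconds(NORMAL_HEADER_TIMES)
    print(f"threshold={thr:.1f}s flagged={flag_slow_clients(SAMPLE, thr)}")
```

The per-connection snapshots would in practice come from a server status page or passive packet capture; the point is that the alert keys on stalled, unterminated headers per client, not on request volume.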

How Asimily Helps Defend IoT Deployments Against Low and Slow Cyberattacks

The Asimily platform is designed expressly with IoT devices in mind. It’s built to monitor traffic to and from IoT sensors and other connected devices in addition to surfacing anomalous behavior that might indicate an attack in progress. 

Asimily provides vulnerability information on high-risk security issues with our proprietary algorithm that digests huge datasets from EPSS (Exploit Prediction Scoring System), Software Bills of Materials (SBOMs), and Common Vulnerabilities and Exposures (CVE) lists using the MITRE ATT&CK Framework. This analysis often results in fast solutions for recent vulnerabilities, enabling customers to deploy new mitigations quickly to reduce risk. 

To learn more about Asimily, download our IoT Device Security in 2024: The High Cost of Doing Nothing whitepaper or contact us today.