Worried about IoT DDoS? Think Unikernels

Idit Levine edited this page Jan 5, 2017 · 16 revisions

On Friday (October 21st 2016) the world became aware of the Internet’s vulnerability, as millions of users found themselves disconnected from their favorite websites, and could not even tweet about it. This massive attack, aimed at the DNS provider Dyn, was famously launched with the help of hacked “Internet of Things” (IoT) devices, such as CCTV video cameras and digital video recorders.


Mirai outbreak: 196,000 infected devices were seen online on Oct. 24. Source: MalwareTech.

While Distributed Denial of Service (DDoS) attacks are nothing new, and companies like Dyn are prepared to handle them, Friday’s attack was unusually powerful. In the past, hackers would typically hijack old Windows PCs and order them to direct traffic to the target’s website in an attempt to knock it offline. This time, the botnet was made up of a particularly large number of IoT gadgets. Such devices are abundant and their security is particularly weak. Users often do not think of these gadgets as computers, and do not bother to take even the simplest security measures, such as changing the default password. Moreover, since these devices are often small and simple, the perception is that they cannot cause more than limited damage anyway. That may be true, until someone harnesses many of them to work together.

The brain behind Friday’s attack was a piece of malware known as Mirai. The Command and Control (C&C) code of Mirai was coded in Go, and its bots in C. Like most DDoS malware, Mirai has two core purposes: to locate and compromise IoT devices to further grow the botnet, and to launch DDoS attacks based on instructions received from a remote C&C.

To fulfill its recruitment function, Mirai performs wide-ranging scans of IP addresses. The purpose of these scans is to locate under-secured IoT devices that can be remotely accessed. Access is gained simply by guessing the login credentials, mostly by trying known factory default usernames and passwords (such as username: admin, password: password).

The bleak news is that more of these giant hacks could be coming in the near future. At the end of September the hacker responsible for creating the Mirai malware released its source code, effectively letting anyone build their own attack army using Mirai. It is likely that Friday’s attack was launched by some of these users, and that others will soon follow.


The Hackforums post that includes links to the Mirai source code.

While DDoS attacks from Mirai botnets can be mitigated, there’s no way to avoid being targeted. Mirai targets devices held by unsuspecting users, who could avoid being part of someone’s next attack by taking simple measures, such as changing the password on all their gadgets and disabling their remote (WAN) access. As IoT devices become more abundant, one can hope that basic security practices like these will become the new norm. However, with billions of users around the world, there will always be enough users who either don’t know how to do this, are not aware of the need to do it, or simply don’t care.

Could such attacks be prevented if IoT devices were running bare metal unikernels?

Unikernels are lightweight, immutable operating systems compiled specifically to run a single application. Unikernel attributes (airtight security, immutable infrastructure, high performance and light footprint) make them the ideal solution for deploying software on embedded devices.

Here at project UniK we strongly believe that the future of IoT lies in unikernels. One of the reasons for this is that we believe that unikernels would make IoT devices significantly more secure against malware like Mirai.

Insecure configuration and services, like telnet or ssh, allow attackers remote access simply by guessing the password. But unikernels do not contain such irrelevant services, and usually expose custom configuration services as web services. Even if those services have default credentials, they are not a shell that can be used to run malware.

A “Directory Traversal” attack involves malicious input which results in placing a file outside the application’s intended directory, usually in a strategic location that will cause arbitrary code to run. But unikernels typically do not even have a file system when one is not needed. Even in cases when a file system does exist, unikernels are a single binary that cannot be forked, and no complex operating system is available to execute planted files.
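On a conventional OS, where a file system does exist, the application itself has to keep client-supplied names inside its directory. The following is an added example, not code from UniK or from the original page; the base directory and sample names are constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrEscapes is returned when a name would resolve outside the base directory.
var ErrEscapes = errors.New("path escapes base directory")

// resolveInside maps a client-supplied name to a path under base. The check
// is lexical only; a base containing symlinks also needs filepath.EvalSymlinks.
func resolveInside(base, name string) (string, error) {
	if filepath.IsAbs(name) {
		return "", ErrEscapes
	}
	target := filepath.Join(base, name) // Join cleans "." and ".." segments
	rel, err := filepath.Rel(base, target)
	if err != nil || rel == ".." ||
		strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrEscapes
	}
	return target, nil
}

func main() {
	base := "/srv/device/uploads" // hypothetical upload directory
	// Constructed sample names: three that stay inside, three that do not.
	for _, name := range []string{
		"snap/001.jpg", "a/../b.jpg", "..hidden",
		"../../etc/passwd", "a/../../x", "/etc/passwd",
	} {
		p, err := resolveInside(base, name)
		fmt.Printf("%-20q -> %q %v\n", name, p, err)
	}
}
```

Note that a name such as `..hidden` is accepted: only a `..` path segment escapes the directory, not a file name that merely starts with two dots.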

Another attack vector, known as “Shell Injection”, occurs when the application runs shell commands that originated from malicious user input. The input can insert the shell’s command separator to execute arbitrary code. This is simply impossible to do in unikernels, which do not even have shells.
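The difference between handing input to a shell and starting a program without one can be seen on a conventional OS. This is an added example, not code from UniK or from the original page; the host parameter, the sample input and the use of `echo` as a stand-in command are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"os/exec"
	"regexp"
)

// crafted is a constructed input: a host name followed by the shell's
// command separator and a harmless second command.
const crafted = "cam1.example; echo INJECTED"

// hostRe is an allowlist for the hypothetical host parameter.
var hostRe = regexp.MustCompile(`^[A-Za-z0-9.-]{1,253}$`)

// viaShell concatenates input into a command line and hands it to sh,
// which parses the separator and runs whatever follows it.
func viaShell(host string) (string, error) {
	out, err := exec.Command("sh", "-c", "echo checking "+host).Output()
	return string(out), err
}

// viaArgv starts the program directly with an argument vector. No shell
// parses the input, so the separator stays inside one argument.
func viaArgv(host string) (string, error) {
	out, err := exec.Command("echo", "checking", host).Output()
	return string(out), err
}

// checkHost adds allowlist validation in front of the argv call, so
// malformed input is rejected before any process is started.
func checkHost(host string) (string, error) {
	if !hostRe.MatchString(host) {
		return "", fmt.Errorf("rejected host %q", host)
	}
	return viaArgv(host)
}

func main() {
	a, _ := viaShell(crafted)
	b, _ := viaArgv(crafted)
	_, err := checkHost(crafted)
	fmt.Printf("shell: %q\nargv:  %q\ncheck: %v\n", a, b, err)
}
```

With the shell in the path, the single input produces two commands; with an argument vector it remains one string, and the allowlist rejects it outright.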

Finally, a buffer overflow attack happens when a bug in software allows user input to overwrite program memory. This can happen in unikernels. But unikernels only contain the code needed for one program, and not a multitude of unnecessary drivers and software. Thus, a buffer overflow attack is less likely on a unikernel, simply because less code means fewer bugs.

Bottom line:

The minimalistic interface of a unikernel will make things harder for attackers. Running unikernels on IoT devices will make them much more secure, and reduce the risk of them becoming part of a botnet.

Friday’s attack is a wake-up call for the IoT industry. Clearly, one needs to pay attention to the security of any gadget, no matter how small. We strongly believe that running IoT devices with unikernels (and managing them with UniK) is a practical, effective, and scalable approach.

By Idit Levine (@Idit_Levine) & Yuval Kohavi (@KohaviYuval)