Nearly all large organizations have some kind of production-level IoT device, whether it be connected light bulbs, temperature sensors, or load sensors. These devices can easily be compromised by an attacker, who can then use them to launch a DDoS attack against a target in the organization. We have seen an increase in the number of DDoS attacks against the web properties of large organizations, with some of the largest attacks leading to hundreds of terabits of traffic per second. It is important to note that many of these attacks are not launched by individuals with a personal grudge against the organization. Rather, the attackers are most often using hacked IoT devices to launch DDoS attacks against the organization’s website. Therefore, it is almost guaranteed that any organization with a large number of IoT devices will be vulnerable to this form of DDoS attack. What can an organization do to protect itself from this form of DDoS attack? One simple and effective step is to enable the EAC on all of the organization’s production-level IoT devices. An organization can ensure the EAC is enabled on its devices by looking for the presence of the appropriate Access Control List (ACL).
What is the Edge-to-Edge (E2E) Access Control List?
The Edge-to-Edge (E2E) Access Control List is a mechanism for restricting access to sensitive information within an organization.
It is a series of rules that are applied to inbound packets from the network edge to the enterprise edge firewall. It allows administrators to define what traffic can and cannot pass through a given edge device, without the need for packet filtering at any point in the network. By using this mechanism, organizations can significantly reduce DDoS vulnerability by preventing attackers from gaining access to production IoT devices and using them for DDoS attacks.
Requesting the EAC via API
An organization can enable the EAC from the command-line interface (CLI) or via the API. The CLI is used to manage settings on a device and is also used for setting up and configuring devices. The requests for enabling the EAC will look something like this:
> enable_eac --url https://example.com/eac
> enable_eac --url https://example2.com/eac
The requested URL will be used in place of the actual target URL, which is required when using the API. Lastly, if an organization has more than one production-level IoT device, they should individually set up each of their devices with the same settings using their own URLs.
What is the EAC?
The EAC is an access control system used to authorize devices to communicate with each other. Each device within the network has a unique identifier, which is used by the EAC to address devices and determine who can talk to whom. When the EAC is enabled on a device, it creates an ACL that identifies any devices that are allowed to communicate with that device. The ACL allows only those devices specified in the ACL to communicate with the designated device, which prevents unauthorized devices from talking to your production-level IoT devices and launching DDoS attacks against your website.
What is an Access Control List (ACL)?
An Access Control List (ACL) is a list of rules that determine who has access to a resource or set of resources. An organization can use the ACL on an IoT device to control what each particular device can do, such as whether it should be allowed to send traffic and how much traffic it can send. The ACL is effectively a way for an organization to monitor and protect its production-level IoT devices from being compromised by an attacker and used in a DDoS attack.
Conduct a Network Inventory
First, collect a list of all the production-level IoT devices in your organization. Ideally, this list should include IP addresses and MAC addresses for all of the devices. Next, submit a request to the device manufacturers to obtain an ACL for each device. This request is typically answered by an email containing the ACL and an associated password, which can then be used to enable the EAC on each device. The next step is to check that any production-level IoT devices that were not considered during network inventory are now accessible via the EAC. If necessary, reconfigure the access controls on these new devices so they are also protected by the EAC.
If you have any questions about this process or would like help conducting a network inventory at your organization, please contact your Cisco representative or one of our engineers by submitting a service request at https://www.cisco.com/go/servicerequest