These days there are a great many Internet of Things (IoT) devices.
But most of these IoT devices are exposed to network attacks such as DDoS.
Accordingly, many IoT experts warn us about the security problems of IoT, as in the link below.
Now I will suggest one method to make a secure IoT device and show you why it will be an "unattackable" IoT device against this kind of network attack.
One day I read the article below, which gave me the idea.
Benefits of TCP offload
Traditionally TCP/IP is implemented in software and executed on a processor. With the advent of higher bandwidth networks this has become a major bottleneck in data transfer as the processor must spend more of its time handling incoming frames rather than running user algorithms. This performance degradation negatively impacts network efficiency and is inconsistent with real-time applications. Moreover as ever more powerful processors are used to improve performance, BOM costs increase as does the physical size of the host card or module.
To solve this bottleneck, more functions are now being offloaded into dedicated hardware. For example, most network cards will perform checksum offload (a task that the processor is particularly unsuitable for). By selectively offloading parts of the TCP/IP stack to hardware, vast improvements in transmission bandwidth can be achieved.
By offloading these parts of the TCP stack into dedicated hardware, such as TCP/IP Off-Load Engine (TOE), it is possible to saturate the bandwidth and minimize the delay, or latency, between the receipt and acknowledgement of data.
This article is about the network performance of a software TCP/IP stack versus a hardware TCP/IP stack.
But I adapted its idea to securing an IoT device.
I thought that a hardware TCP/IP stack could make a device "unattackable" by a DDoS network attack.
So I ran several tests with an Arduino and two types of Ethernet shield: a hardware type and a software type.
Let's start by finding out why the hardware TCP/IP stack can be a secure solution against network attack.
First we have to know how to measure Arduino network performance.
If you want to know the method of measuring network performance with an Arduino & Ethernet shield, refer to the link below, which I posted before.
Step 1: Materials to Test the Network Performance of an Arduino IoT Device
1. Arduino & Ethernet shields
* Arduino Uno
* Hardware TCP/IP Ethernet module - WIZ550io (available directly from WIZnet)
* Software TCP/IP Ethernet module - ENC28J60 (available from eBay)
These will be the Iperf server.
2. PC
* My PC (running any version of Windows)
It will be the Iperf client and will measure the network performance.
It will also generate the DDoS attack against the server.
3. Network switch
* 3Com Gigabit Switch
It connects the computer and the Arduino together on one network.
* DDoS attack tool: LOIC (freeware)
* Network measuring tool: Iperf
Please refer to the pictures, which show the materials for the DDoS network attack test.
Step 2: Test Environment & Test Plan
Refer to the picture, which shows how the devices are connected for the network performance tests under DDoS attack.
1. The Arduino & Ethernet module shield will be the Iperf server.
2. The PC will be the Iperf client. The PC will also launch the DDoS attack against the server.
3. The Iperf server & Iperf client will be connected together through the network switch.
To show how to make an IoT device unattackable under DDoS network attack, I will present the network performance measured with the Iperf program both with and without a DDoS attack in progress.
(The DDoS attack will be generated by the LOIC program as a network stress test.)
I will run the test with both the hardware TCP/IP Ethernet module (WIZ550io) and the software TCP/IP Ethernet module (ENC28J60).
So there will be four test results:
1. Hardware TCP/IP Ethernet module / no DDoS network attack
2. Hardware TCP/IP Ethernet module / DDoS network attack
3. Software TCP/IP Ethernet module / no DDoS network attack
4. Software TCP/IP Ethernet module / DDoS network attack
Step 3: Install the Arduino Libraries for WIZ550io and ENC28J60
First of all, we have to install the Arduino libraries needed to use the WIZ550io (hardware TCP/IP) and the ENC28J60 (software TCP/IP).
Please refer to the link below to install the WIZ550io library.
First, install the ENC28J60 library:
1. Download the ENC28J60 library (ETHER_28J60.zip file).
2. Unzip the file and copy it into the \arduino-1.0.6\libraries folder, as shown in the picture.
Second, download the sketch that turns the Arduino into an Iperf server (IperfServer_ENC.ino).
This sketch is adapted from the example code of the ENC28J60 library. It simply reads each packet and sends an ack.
Step 4: DDoS Attack Software
LOIC is freeware and a network stress-testing program. It can act as a DDoS network attack program.
Please refer to the picture, which shows the usage of LOIC.
1. Don't use this program for any other purpose. It is very dangerous!!!
2. You may need to disable your anti-virus program before executing LOIC.
Step 5: Run the Network Performance Test With a DDoS Attack
There are four videos.
They are demo videos of the four cases I tested, following the test plan above.
These videos show the network performance test for each case.
Video 1: Arduino & software TCP/IP Ethernet (ENC28J60), no DDoS attack
Video 2: Arduino & software TCP/IP Ethernet (ENC28J60), DDoS attack
Video 3: Arduino & hardware TCP/IP Ethernet (WIZ550io), no DDoS attack
Video 4: Arduino & hardware TCP/IP Ethernet (WIZ550io), DDoS attack
There are two scenarios for measuring the network performance:
1. Test with no DDoS attack
Measure network performance for 30 seconds with no DDoS attack.
2. Test with DDoS attack
Measure network performance for the first 10 seconds with no DDoS attack and for the last 20 seconds under DDoS attack.
Step 6: Result & Analysis
The picture (result table) shows the results of the network performance tests from the demo videos of the last step.
When we use a hardware TCP/IP stack, the DDoS network attack has no effect on the Arduino device.
But when we use a software TCP/IP stack, the Arduino device stops working under the DDoS network attack.
From the result table we can see that a hardware TCP/IP Ethernet module (like the WIZ550io) makes an IoT device unattackable by a DDoS network attack.
We can say that an IoT device is unattackable in this sense if it includes a hardware TCP/IP stack.
1. Absolute network performance is not the point of this test. The throughput could be improved if I updated the sketch code. I only want to know how the network performance varies between the DDoS attack environment and the no-attack environment.
2. The variation in the hardware TCP/IP network performance is just measurement error. The DDoS network attack has no effect on it.
3. We can see that there is no throughput at all after I click the DDoS attack button when testing the software TCP/IP stack (second video). So I entered 0 bps in the corresponding cell of the result table.
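The two scenarios in Step 5 and the three analysis notes above come down to one comparison: mean Iperf throughput in the clean window (first 10 seconds) against the attack window (last 20 seconds), with a change the size of measurement error treated as "no effect" and a drop to 0 bps treated as the device stalling. The following Python script is an added example, not code from the original page; it parses iperf2-style interval report lines (the "[ ID] Interval Transfer Bandwidth" layout), splits them at the attack start time, and returns a verdict. The two input reports are constructed inline to mirror the two outcomes described in the notes (small jitter for the hardware stack, 0 bps after the flood starts for the software stack); the 10 % tolerance and the verdict names are this example's own choices.

```python
import re
from statistics import mean

# Matches one iperf2 interval report line, e.g.
#   "[  4]  0.0- 1.0 sec   131 KBytes  1.05 Mbits/sec"
INTERVAL_RE = re.compile(
    r"\[\s*\d+\]\s+(?P<start>\d+\.\d+)-\s*(?P<end>\d+\.\d+)\s+sec\s+"
    r"\S+\s+[KMG]?Bytes\s+(?P<rate>\d+(?:\.\d+)?)\s+(?P<unit>[KMG]?)bits/sec"
)
UNIT_SCALE = {"": 1, "K": 1_000, "M": 1_000_000, "G": 1_000_000_000}


def parse_iperf_intervals(text, report_interval_s=1.0):
    """Return (start_s, end_s, bits_per_sec) for every per-interval line.

    The final summary line covers the whole run; it is skipped because its
    duration is far longer than the reporting interval.
    """
    intervals = []
    for line in text.splitlines():
        m = INTERVAL_RE.search(line)
        if not m:
            continue
        start, end = float(m["start"]), float(m["end"])
        if end - start > 1.5 * report_interval_s:
            continue  # whole-run summary, not a one-second sample
        bps = float(m["rate"]) * UNIT_SCALE[m["unit"]]
        intervals.append((start, end, bps))
    return intervals


def analyze_run(intervals, attack_start_s, tolerance=0.10):
    """Compare mean throughput before and after the attack starts.

    verdict: "resilient" if throughput under attack stays within `tolerance`
    of the baseline (a measurement-error-sized change), "collapsed" if it
    drops to 0 bps, otherwise "degraded".
    """
    baseline = [bps for s, e, bps in intervals if e <= attack_start_s]
    under_attack = [bps for s, e, bps in intervals if s >= attack_start_s]
    if not baseline or not under_attack:
        raise ValueError("need samples both before and after attack_start_s")
    baseline_bps = mean(baseline)
    attack_bps = mean(under_attack)
    ratio = attack_bps / baseline_bps if baseline_bps else 0.0
    if attack_bps == 0.0:
        verdict = "collapsed"
    elif abs(1.0 - ratio) <= tolerance:
        verdict = "resilient"
    else:
        verdict = "degraded"
    return {"baseline_bps": baseline_bps, "attack_bps": attack_bps,
            "ratio": ratio, "verdict": verdict}


def make_iperf_report(rates_mbps):
    """Build a constructed iperf2-style report, one interval line per second."""
    lines = ["[ ID] Interval       Transfer     Bandwidth"]
    for sec, mbps in enumerate(rates_mbps):
        kbytes = mbps * 125  # 1 Mbit/s sustained for 1 s is 125 KBytes
        unit = "Mbits" if mbps > 0 else "bits"
        lines.append(f"[  4] {sec:4.1f}-{sec + 1:4.1f} sec  {kbytes:4.0f} KBytes  {mbps:.2f} {unit}/sec")
    total = len(rates_mbps)
    lines.append(f"[  4]  0.0-{total:.1f} sec  {sum(rates_mbps) * 125:.0f} KBytes  {mean(rates_mbps):.2f} Mbits/sec")
    return "\n".join(lines)


# Constructed samples modelled on the two outcomes in the result notes:
# hardware stack shows only jitter, software stack drops to 0 bps at 10 s.
HARDWARE_RATES_MBPS = [1.05, 1.04, 1.06, 1.05, 1.05, 1.04, 1.06, 1.05, 1.05, 1.05,
                       1.04, 1.05, 1.06, 1.05, 1.03, 1.06, 1.05, 1.04, 1.05, 1.05,
                       1.06, 1.04, 1.05, 1.05, 1.04, 1.06, 1.05, 1.05, 1.04, 1.05]
SOFTWARE_RATES_MBPS = [1.02] * 10 + [0.0] * 20
ATTACK_START_S = 10.0  # first 10 s clean, last 20 s under load, as in the test plan

if __name__ == "__main__":
    for name, rates in (("hardware", HARDWARE_RATES_MBPS), ("software", SOFTWARE_RATES_MBPS)):
        result = analyze_run(parse_iperf_intervals(make_iperf_report(rates)), ATTACK_START_S)
        print(f"{name}: {result}")
```

To use it on a real run, save the Iperf client's console output to a file, call parse_iperf_intervals on its contents, and pass the second at which the load was started as attack_start_s; the "degraded" verdict covers the case the page did not observe, where throughput falls without reaching zero.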