Mitigating IoT-Based DDoS

Download the Practice Guide

The NCCoE has released the preliminary draft version of NIST Cybersecurity Practice Guide SP 1800-15, Securing Small-Business and Home Internet of Things (IoT) Devices: Mitigating Network-Based Attacks Using Manufacturer Usage Description (MUD). Use the buttons below to view this publication in its entirety or scroll down for links to a specific section.

Download PDF » Open Web Version »

Current Status

The National Cybersecurity Center of Excellence (NCCoE) has released a preliminary draft of National Institute of Standards and Technology (NIST) Cybersecurity Practice Guide Special Publication (SP) 1800-15, Securing Small-Business and Home Internet of Things (IoT) Devices: Mitigating Network-Based Attacks Using Manufacturer Usage Description (MUD) for public comment. This practice guide is intended for IoT product developers and implementors. However, the guide also demonstrates to IoT device users the crucial role MUD can play in network security.

Following an experimental agile process for continuous delivery of special publications, the preliminary draft was released for public comment ths spring. Thanks to everyone who shared their feedback with us. We will use this input to shape the next version of the document which is scheduled for release in the fall of 2019. The guide is available in three volumes:

  • SP 1800-15A: Executive Summary (pdf) (web page)
  • SP 1800-15B: Approach, Architecture, and Security Characteristics (pdf) (web page)
  • SP 1800-15C: How-To Guides (pdf) (web page)

Review the guide online or download the complete guide.

See the Mitigating IoT-Based DDoS project two-page fact sheet for an overview of this project.

If you have questions or suggestions, please email us at To receive announcements about additional milestones, or join our Community of Interest to receive email alerts.


Gartner predicts there will be 20.4 billion connected IoT devices by 2020. With so many IoT devices operating in homes and businesses, security concerns are also increasing. Unlike full-featured devices such as personal or business computers or mobile devices, IoT products are designed to perform a single function and often lack state-of-the-art security software. This helps keep costs down, but there are consequences. In typical networking environments, malicious actors can detect and attack an IoT device within minutes of it being connected and then launch an attack on that same device from any system on the internet, unbeknownst to the user. They can also commandeer a group of compromised devices, called botnets, to launch large-scale distributed denial-of-service (DDoS) and other attacks.

The Internet Engineering Task Force’s manufacturer usage description (MUD) architecture is designed to constrain IoT devices so they behave only as intended by the device manufacturers. This is done by providing a standard way for manufacturers to indicate the network communications that each device requires to perform its intended function. When MUD is used, the network will automatically permit the IoT device to send and receive only this required traffic. Even if an IoT device is compromised, MUD prevents it from being used in any attack that would require the device to communicate with an unauthorized destination.

The NCCoE aims to improve the resiliency of IoT devices against distributed attacks and improve the service availability characteristics of the internet by mitigating the propagation of attacks across the network. This project also supports the Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure (EO 13800). In collaboration with stakeholders in the IoT community, the NCCoE published this practice guide, which demonstrates an approach using MUD to significantly strengthen security while deploying IoT devices in home and small-business networks.

This project can help different stakeholder groups, including:

  • IoT device manufacturers that implement support for MUD understand the relatively small steps that are required of them to design and enable their devices to take advantage of MUD
  • Gateway manufacturers that implement support for MUD will benefit from increased trust, confidence, and loyalty that they can build among their customers by demonstrating a commitment to protecting users’ security.
  • Communications service providers and businesses that rely on the internet understand how wide deployment of MUD can effectively combat DDoS attacks. 
  • Users of IoT devices better understand that MUD is a crucial component of overall network security and that they should deploy the infrastructure required to support MUD and use IoT devices that can take advantage of MUD.

Questions? Comments? Reach us at

MUD Related Resources

Find resources to MUD-related information, including standards, tools, implementations, research papers, articles, and conferences here.

IETF Hackathon – IoT MUD Implementations

Members of the Mitigating IoT-Based DDoS project team participated in the Internet Engineering Task Force’s (IETF) Hackathon in Montreal, Canada on July 20-21, 2019. IETF hackathons aim to advance the pace and relevance of new and evolving internet standards. In Montreal, the Mitigating IoT-Based DDoS project team shared practical implementations of the MUD technology and collaborated with the IETF participants on a number of activities leveraging the MUD components as described in RFC 8520, Manufacturer Usage Description Specification. See the presentation.

IoT MUD Industry Day  

Members of the Mitigating IoT-Based DDoS project team held an Industry Event on April 10, 2019 at the NCCoE. Thanks to everyone who joined to learn firsthand about the important work the team is doing to strengthen the security of IoT. See the presentations here.

Collaborating Vendors

Organizations participating in this project submitted their capabilities in response to an open call in the Federal Register for all sources of relevant security capabilities from academia and industry (vendors and integrators). The following respondents with relevant capabilities or product components (identified as “Technology Partners/Collaborators” herein) signed a Cooperative Research and Development Agreement to collaborate with NIST in a consortium to build this example solution.

arm logo
CableLabs logo
ctia logo
ForeScout logo
Global Cyber Alliance logo
MasterPeace Solutions logo
Patton Electronics logo
Symantec logo