Record IoT DDoS attacks raise bar for defenders

Here’s why to expect more gigantic DDoS attacks

Now that its source code has been released you can expect more attacks from Mirai, the malware behind the largest DDoS attack on record, which was powered by hijacked IoT devices.

Since release of that code last week it has been responsible for smaller attacks that look like newcomers experimenting with the malware in preparation for bigger things, say security researchers at Incapsula. “Likely, these are signs of things to come and we expect to deal with Mirai-powered attacks in the near future,” they say in their blog post.

That concern is echoed by researchers at F5, who say, “we can definitely expect the IoT DDoSing trend to rise massively in the global threat landscape.”

The historic attacks over the past two weeks that took down the popular KrebsOnSecurity site and challenged the resources of French hosting provider OVH mark the latest spikes in DDoS volume, which means mitigation infrastructure has to be prepared for attacks that are three to five times as large, according to Josh Shaul, vice president of web security for Akamai.

He says that despite the power of the attacks – up to 1 Tbps – there’s nothing special about Mirai, which is named for the anime character Mirai Suenaga. “Usually the cool stuff is the exploits or the ability of the malware to hide or be persistent. Mirai can persist through a reboot of the infected device, but it’s not super sophisticated.”

It gets onto systems by being installed after attackers log in with default passwords. Mirai connects to an IRC-type service where it waits for commands. It doesn’t try to hide from forensic analysis, probably because the type of device it’s on won’t have an owner who is skilled enough to look for it. “It’s no Stuxnet,” he says.

The malware finds vulnerable machines by scanning a broad range of IP addresses until it finds IoT devices with easily guessable passwords, Incapsula says. It’s got a number of DDoS attack methods in its playbook, including GRE, SYN, ACK, DNS, UDP and Simple Text Oriented Message Protocol (STOMP) floods.

The DNS attacks include the uncommon DNS Water Torture attack, which overloads the DNS servers used to resolve queries about the actual target, F5 says. When one server gets overloaded, the queries are retransmitted to another DNS server of the target, and so on, until legitimate traffic can’t be directed to the target.
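The water-torture pattern described above can be spotted on a recursive resolver because the flood consists of many never-repeating random labels under one victim zone. The following detector is an added example, not code from the article or from F5; the log line format, the entropy threshold and the sample log are all assumptions constructed for illustration.

```python
"""Detect a DNS "water torture" pattern in recursive-resolver query logs.

Added example, not code from the article or any vendor it quotes. The
log format and thresholds are assumptions; adapt them to your resolver.
Fingerprint: many distinct random labels under one zone, none cacheable,
so every query is forwarded to that zone's authoritative servers.
"""
from collections import defaultdict
import math

def label_entropy(label):
    """Shannon entropy (bits per character) of one DNS label."""
    if not label:
        return 0.0
    freq = defaultdict(int)
    for ch in label.lower():
        freq[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in freq.values())

def parse_line(line):
    """Assumed format: '<epoch> <client_ip> <qname> <qtype>'."""
    ts, client, qname, qtype = line.split()
    labels = qname.rstrip(".").split(".")
    zone = ".".join(labels[-2:])  # registrable domain, assumed to be 2 labels
    return float(ts), client, qname, zone, labels[0]

def find_water_torture(lines, min_distinct=5, min_entropy=2.5):
    """Return {zone: count} for zones seeing >= min_distinct random labels."""
    seen = defaultdict(set)
    for line in lines:
        if not line.strip():
            continue
        _, _, qname, zone, first = parse_line(line)
        # Real hostnames (www, mail) have low entropy; random labels do not.
        if first != zone.split(".")[0] and label_entropy(first) >= min_entropy:
            seen[zone].add(qname)
    return {z: len(q) for z, q in seen.items() if len(q) >= min_distinct}

# Constructed sample: ordinary lookups plus a flood of random labels.
SAMPLE_LOG = """
1475000001 203.0.113.10 www.example.net. A
1475000002 203.0.113.11 mail.example.net. A
1475000003 198.51.100.5 x7kq2pd9.victim-target.example. A
1475000003 198.51.100.6 b3mz0wf1.victim-target.example. A
1475000004 198.51.100.7 q9tl4ax2.victim-target.example. A
1475000004 198.51.100.8 h2vc8nk6.victim-target.example. A
1475000005 198.51.100.9 r5pd1ym3.victim-target.example. A
1475000005 198.51.100.10 www.victim-target.example. A
"""
```

Counting distinct labels per zone rather than raw query rate keeps a busy but legitimate zone from tripping the alert, while mitigation (rate-limiting or temporarily refusing queries for the flooded zone) protects the authoritative servers behind the resolver.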

Akamai’s Shaul says attackers are using smaller packets in their attacks, which stresses the networking equipment near the targeted servers as well as the servers themselves. Routers have to spend processing power for each packet regardless of length, so boosting the sheer number of packets can cause network bottlenecks.

He says Akamai has observed this effect. “With less traffic but more packets, you can break the network gear in the middle,” he says. “We saw both sides of that equation in those attacks last week.”

Who’s behind it?

“One of the most interesting things revealed by the code was a hardcoded list of IPs Mirai bots are programmed to avoid when performing their IP scans,” Incapsula says. Those include the U.S. Department of Defense, the U.S. Post Office, HP, GE and the Internet Assigned Numbers Authority.

That leads the Incapsula researchers to speculate that the creators of the malware are naïvely trying to avoid attention by eliminating those IP ranges, then following up by using it to launch one of the most scrutinized attacks ever. “Together these paint a picture of a skilled, yet not particularly experienced, coder who might be a bit over his head,” they write, but not a veteran cyber criminal.

The code uses English for its command and control interface but also contains strings in Russian. “This opens the door for speculation about the code’s origin, serving as a clue that Mirai was developed by Russian hackers or—at least—a group of hackers, some of whom were of Russian origin,” they write.

Whoever is behind Mirai might have launched the big attacks as a demonstration of its capabilities so the threat of a similar attack could be used to extort cash from potential victims in order to avoid the DDoS attack, Shaul says.

Those who download the software are more likely to be operators who have already assembled a general-purpose botnet and want to weaponize it as a DDoS army that could be used, say, in a DDoS-for-hire business. “I’d be surprised if we don’t see that happen,” he says. “The person who’s got the skills to do botfarming may not have the skills to do DDoS.”

Individuals probably won’t download Mirai to carry out a spiteful DDoS attack because it’s much more efficient to hire a service, he says.

Recruiting IoT botnets has a lot of advantages over trying to compromise PCs and servers, experts say:

  • Many IoT devices have publicly exposed administrative ports protected only by default passwords.
  • The devices lack security software such as anti-virus.
  • Residential customers and small businesses that lack security sophistication are in charge of protecting the devices.
  • Typically IoT gear is connected to the internet all the time.
  • Attackers don’t have to deal with social engineering, email poisoning or expensive zero day attacks.

Akamai came across what came to be known as Mirai via a honeypot it set up last summer that drew attempts to log into the box. Most of the attempts came from China, Shaul says, and most were trying to log in as root. Many of the passwords being tried against the honeypot were unique default passwords for IoT devices – closed-circuit cameras and DVRs.

Sometimes on login prompts the attacks would use shell commands, indicating that the malware had a bug that made it blind to the fact that its login attempt had failed so it ran commands as if it had logged in successfully. The commands were attempts to download the Mirai malware.
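The two behaviours Akamai observed on its honeypot, mass login attempts against root and commands issued after a login had already failed, are both easy to pull out of a session log. This triage script is an added example, not Akamai's code; the log line format and the sample session lines are assumptions constructed for illustration.

```python
"""Triage telnet-honeypot session logs for the two behaviours the
article describes: mass root-login attempts, and scanners that keep
sending shell commands after their login has already failed.

Added example, not Akamai's code. The line format is an assumption;
adapt parse_event() to your honeypot's output.
"""
import re
from collections import Counter, defaultdict

# Assumed format: '<iso-time> <src_ip> LOGIN user=<u> result=<OK|FAIL>'
#              or '<iso-time> <src_ip> CMD "<command text>"'
LOGIN_RE = re.compile(r"^(\S+) (\S+) LOGIN user=(\S+) result=(OK|FAIL)$")
CMD_RE = re.compile(r'^(\S+) (\S+) CMD "(.*)"$')

def parse_event(line):
    m = LOGIN_RE.match(line)
    if m:
        return {"ts": m[1], "src": m[2], "kind": "login",
                "user": m[3], "ok": m[4] == "OK"}
    m = CMD_RE.match(line)
    if m:
        return {"ts": m[1], "src": m[2], "kind": "cmd", "cmd": m[3]}
    return None

def triage(lines):
    """Per source: root-login attempts, and commands sent while not logged in."""
    root_attempts = Counter()
    blind_cmds = defaultdict(list)  # commands issued after a FAILed login
    logged_in = {}                  # src -> True once a login succeeded
    for line in lines:
        ev = parse_event(line.strip())
        if ev is None:
            continue
        if ev["kind"] == "login":
            if ev["user"] == "root":
                root_attempts[ev["src"]] += 1
            logged_in[ev["src"]] = ev["ok"]
        elif not logged_in.get(ev["src"], False):
            # Scanner did not notice its login failed: the bug the article notes.
            blind_cmds[ev["src"]].append(ev["cmd"])
    return root_attempts, dict(blind_cmds)

# Constructed sample session log (addresses from documentation ranges).
SAMPLE_LOG = """
2016-09-20T10:00:01Z 198.51.100.7 LOGIN user=root result=FAIL
2016-09-20T10:00:02Z 198.51.100.7 LOGIN user=root result=FAIL
2016-09-20T10:00:03Z 198.51.100.7 CMD "cd /tmp; sh ./stage2"
2016-09-20T10:00:04Z 203.0.113.9 LOGIN user=admin result=FAIL
2016-09-20T10:00:05Z 203.0.113.9 LOGIN user=root result=OK
2016-09-20T10:00:06Z 203.0.113.9 CMD "uname -a"
""".splitlines()
```

Sources that appear in the blind-command list are automated scanners by construction, which makes them a cleaner signal than raw failed-login counts for comparing against live attack traffic.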

That gave Akamai researchers something to compare actual attack traffic to.

Akamai tracked down some of the hosts in the botnet and found they were closed-circuit cameras and DVR systems. So the packets being sent were similar to what Mirai sends, and the types of devices in the attacks were the types Mirai preys upon.
