Mirai Botnet vs Dyn – The Attack that Brought Down Half of US Internet
One of the fastest growing segments in the IT world is definitely the DDoS sector. As we mentioned in a recent article (The DDoS of The Year!), in 2016 we witnessed a huge rise in the number of infected devices as well as in the sheer amount of traffic they generate as a botnet. And numbers don’t lie – DDoS is an increasingly serious threat with a rapid growth pattern.
Recent events confirm it: the massive DDoS attack that brought down Netflix, GitHub, Reddit, Twitter, Airbnb, Amazon and many other online giants for hours has taken the media spotlight. One of the largest and most powerful DDoS attacks in recent history was conducted against Dyn, one of the largest DNS providers in the world. More precisely, it targeted Dyn’s managed DNS infrastructure this past Friday (October 21) and affected many of its downstream clients. Although the hackers’ identities and motivations are still obscure, security experts say it may have been an extortion attempt or just a publicity gimmick. Cybersecurity firm Flashpoint has traced Friday’s widespread internet outage to IoT devices recruited into botnets, which were then used to launch the massive DDoS attack. The IoT recruitment was carried out by botnet malware known as Mirai, whose code was recently released within the hacking community.
IoT device users tend to keep the generic passwords, which are usually the same for entire classes of devices. The rush to connect everything and launch smart products has led people to almost completely neglect the security aspects of all those smart things. That is where malware like Mirai enters the scene: it scans for IoT devices and takes control of them, exploiting the security void for its cybercrime agenda.
Below, we will cover the specifics about Mirai, the way the attack was conducted as well as the repercussions that follow.
Mirai: Hijacking IoT Devices
Mirai is one of at least two malware families that are currently being used to quickly assemble very large IoT-based DDoS armies. The other dominant strain of IoT malware, dubbed Bashlight, functions similarly to Mirai as it also infects systems via default usernames and passwords.
Malware like Mirai operates as a “parasite”: it uses hosts to launch its attacks. The botnet, armed with specific lists of usernames and passwords, scans the Internet for IoT systems protected by factory default or hard-coded usernames and passwords (e.g. admin, 1111). It then attempts to brute-force its way into the devices and gain control over them. Mirai can break into a wide range of IoT devices, from CCTV cameras to DVRs to home networking equipment, turning them into bots.
That’s how developers of DDoS toolkits can potentially build up an IoT botnet army comprising a number of infected devices that dwarfs anything possible with traditional PC-based botnets. Although the malware is easily eliminated by rebooting the device, devices whose owners don’t take measures to protect them risk being infected again in a matter of minutes.
As for Mirai, about a month ago we mentioned it in an article dedicated to IoT based DDoS attacks. At that point it was just a “newly discovered piece of Linux malware”, a direct descendant of an older Trojan known as Gafgyt. Since then it has been used to launch one of the largest DDoS attacks in history (620 Gbps) against KrebsOnSecurity, a security expert’s blog, on September 20, followed by the Dyn attack last week.
The malware has since alerted the internet security community, which is investing serious effort in finding a solution to the proliferation of high-profile IoT based DDoS attacks. Incapsula’s analysis of the Mirai source code found some interesting facts:
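The dictionary-style login attempts described above leave a recognisable trace on the receiving side: one source failing against several factory-default account names in quick succession. The following is an added example, not code from the original article or from Mirai; the log format, the account list and the thresholds are assumptions chosen for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed auth log from a hypothetical IoT gateway (format is an assumption).
SAMPLE_LOG = """\
2016-10-21T11:10:01Z auth result=fail src=203.0.113.7 user=admin
2016-10-21T11:10:02Z auth result=fail src=203.0.113.7 user=root
2016-10-21T11:10:03Z auth result=fail src=198.51.100.20 user=admin
2016-10-21T11:10:04Z auth result=fail src=203.0.113.7 user=guest
2016-10-21T11:10:05Z auth result=fail src=203.0.113.7 user=support
2016-10-21T11:10:06Z auth result=fail src=203.0.113.7 user=admin
2016-10-21T11:10:09Z auth result=ok src=203.0.113.7 user=root
2016-10-21T11:10:40Z auth result=ok src=198.51.100.20 user=admin
2016-10-21T11:12:00Z auth result=fail src=192.0.2.50 user=root
2016-10-21T11:20:00Z auth result=fail src=192.0.2.50 user=admin
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth result=(?P<result>fail|ok) src=(?P<src>\S+) user=(?P<user>\S+)$")

# Illustrative set of factory-default account names (an assumption, not Mirai's list).
DEFAULT_ACCOUNTS = {"admin", "root", "guest", "support", "user"}

def detect(log_text, window=timedelta(seconds=60), min_failures=5, min_accounts=3):
    """Return {source: verdict} for sources cycling through default accounts."""
    recent = defaultdict(deque)   # src -> (timestamp, user) of recent failures
    findings = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue              # ignore lines in any other format
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        src, user, q = m["src"], m["user"], recent[m["src"]]
        while q and ts - q[0][0] > window:
            q.popleft()           # drop failures older than the sliding window
        if m["result"] == "fail":
            if user in DEFAULT_ACCOUNTS:
                q.append((ts, user))
            if len(q) >= min_failures and len({u for _, u in q}) >= min_accounts:
                findings.setdefault(src, "dictionary_attempt")
        elif src in findings:
            # A success from a source already flagged deserves immediate review.
            findings[src] = "login_after_dictionary_attempt"
    return findings

if __name__ == "__main__":
    for src, verdict in detect(SAMPLE_LOG).items():
        print(src, verdict)
```

A single mistyped password (198.51.100.20) and slow, sparse failures (192.0.2.50) stay below the thresholds, so tune the window and counts to the device's normal login pattern.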
- Infected IP addresses spotted in 164 countries
- Brute force technique for guessing passwords (dictionary attacks)
- Enables a range of flood attacks (HTTP, GRE IP, GRE ETH, SYN, ACK, STOMP, DNS and UDP)
- Bypass capabilities (to avoid security solutions)
- Hardcoded list of IPs to avoid when performing IP scans (the “Don’t Mess With” list)
- Killer scripts for eliminating other worms and trojans (memory scraping)
- Traces of Russian-language code strings
Earlier this month, the source code for Mirai was publicly released within hacking communities by its creator, who goes by the pseudonym “Anna-senpai”, resulting in a spike in infected devices, whose number doubled in just a few weeks. The hacker stated that the release was meant to cover his tracks because of increasing interest in the matter from law enforcement and cyber security firms.
Overview Of The Attack
According to Brian Krebs, the security expert whose site was DDoS-ed a month earlier, the attacks against Dyn may have been planned. Unspecified sources claimed that they had detected “some chatter in the cybercrime underground” just a day before the attacks, “discussing a plan to attack Dyn.”
On 21 October, starting at 11:10 am UTC, Dyn began monitoring and mitigating a DDoS attack against their Managed DNS infrastructure. At roughly 15:50 a second DDoS attack began against the DNS platform. The second attack was distributed in a more global fashion. Dyn stated: “Affected customers may have seen intermittent resolution issues as well as increased global latency. At approximately 17:00 UTC, our engineers were again able to mitigate the attack and service was restored.” A third attack was also reported but was quickly mitigated.
Various reports have confirmed it was a sophisticated, highly distributed attack involving tens of millions of IP addresses, and that the malware used to launch the attack was indeed Mirai. It is not yet clear whether other botnets were used as well.
The actual motivation behind the attack is still unclear, with some experts suggesting it was extortion oriented or a smokescreen for other criminal activities, while others claim it was just a publicity stunt. Some theories go as far as linking the attack with WikiLeaks related hacktivism, as a protest against Julian Assange’s internet access recently being cut off by Ecuador. However, there is no indication yet of the attacks on Dyn having any connection to WikiLeaks or Assange.
Until recently CDNs could absorb large scale DDoS attacks without giving it too much thought, but now the tables are turning as a whole new market of infectable devices has risen within the Internet-of-Things universe, threatening to overrun mitigation capabilities. Richard Meeus, vice president of technology at security firm NSFOCUS, also believes that DNS has “often been neglected” when it comes to cybersecurity. “This attack highlights how critical DNS is to maintaining a stable and secure internet presence,” Meeus suggested.
Just to put things in context:
Dyn has likely invested millions of dollars in high-end hardware and top of the line WAFs, and they still suffered the attack. On the other end, there’s likely a hacker whose only cost to launch an attack was typing a few lines of code into the command line to take over vulnerable devices and launch the attack. Dyn stated that there have been reports of a magnitude in the 1.2 Tbps range but was unable to confirm those claims at the moment.
Also, KrebsOnSecurity.com was supported pro bono by Akamai but the company decided it could no longer afford to keep protecting his site from large-scale attacks such as the Mirai one (620 Gbps). According to Krebs, the sort of protection Akamai provided would cost them $150,000 to $200,000 per year. (Luckily, Google got him covered.)
It means that a group of unsecured IoT devices can end up causing huge online repercussions resulting in system outages and heavy subsequent losses.
The Dyn attack has sparked an important conversation about internet security and volatility, once again highlighting vulnerabilities in the security of IoT devices that need to be addressed. Some suggest the “Golden Networks” paradigm approach, where the basic concept is that a set of networks can be whitelisted (Google, Microsoft, Alibaba, Yandex … etc.) in response to internet turbulence. A more feasible step in this direction is reputation based peering, which would use observations of abuse or neglect over time to rate/rank members of the networking community.
However it turns out, as the Internet grows to support more people and societal functions, its criticality constantly increases. As its core architecture remains designed for openness and not security, we are yet to see how the matter will be tackled in the future. If you feel your company is at risk or you need help choosing the best security solutions, you can contact our experts to boost your site’s security and performance.