A Post-Mortem on the Mirai Botnet Part 1: Defining the Attack
Defining the Mirai Botnet Attack - What exactly was attacked?
On Friday, October 21, Dyn, a managed DNS provider for large companies with points of presence on the Internet including Twitter, Reddit, Paypal, Spotify, and even Netflix, experienced a wave of multiple and massive distributed denial of service (DDoS) attacks. Two hours later, a second attack struck, and this time users had difficulties accessing the websites of Dyn customers. A third wave was detected, but was quickly extinguished due to mitigation procedures initiated by Dyn. Significantly, this particular attack was foreshadowed a month earlier when the France-based hosting company OVH was the target of a 1 Tbps DDoS attack that hit its servers. As described by the company’s CTO, Octave Klaba, OVH’s servers were hit by “multiple attacks exceeding 100 Gbps simultaneously concurring with a 1 Tbps DDoS attack,” the most egregious of these reaching 93 MMps and 799 Gbps respectively. Klaba further went on to explain the attackers used an IoT botnet composed mostly of “compromised CCTV cameras.”
How widespread was the attack?
According to reports, CDN provider Akamai and Internet intelligence company Flashpoint have independently confirmed that the attacks, which leveraged Mirai botnets determined that there were “tens of millions of IPs involved in the incident.” As far as how extensive this attack actually was, a report by Level 3 Communications identified nearly half a million infected IoT devices that made up multiple Mirai botnets.
What caused this to happen?
In the company’s statement posted to its website, and in a follow up business feature article, Dyn executives identified Mirai as the “primary source of malicious attack traffic.” The Mirai botnet, which is associated with IoT botnets is linked to several DDoS attacks that leverage consumer devices such as cameras, DVRs, smart appliances, and even home routers and turns them into remotely controlled bots that can be used in large-scale network attacks. Based on DYN’s own research, Hilton estimates that up to 100,000 malicious endpoints originated from Mirai-based botnets.” By taking control of these hundreds of thousands of malicious endpoints, the attackers using the botnet army fired 1.2 terabytes on Dyn, the largest DDoS attack ever measured.
What, specifically, is the Mirai botnet?
Unlike most botnets, which ostensibly “enslave” other computers, the Mirai botnet is largely comprised of otherwise mundane Internet of Things (IoT) devices such as the aforementioned digital cameras, DVR players, and so on. Discovered for sale by an RSA researcher on the Alpha Bay marketplace on the Tor-based Dark Web, Mirai’s price tag was reportedly $7,500, payable in bitcoin, along with the anonymous vendor’s claim that it “could generate a massive 1 terabit per second of internet traffic.” While the sale of botnets is nothing new (e.g. vendors offering “hacking-as-a-service” capabilities), the rise of Mirai suggests a more troubling and even ominous shift as vendors will now have the ability to “supercharge” all of their offerings, opening up new pathways to make a quick profit by selling these more “destructive DDoS cannons.” Get enough of this malware to gang up on a server in coordinated attack fashion and they will presumptively bombard a server with traffic until it collapses under the strain, which of course is what happened to OVH, Dyn, the website of journalist Brian Krebs and, according to some reports, the West African nation of Liberia.
Who was behind the attack?
In a report published shortly after the original DDoS attack against Dyn, Flashpoint determined that the attack was the work of “script kiddies” (amateurs) that mingle on so-called Hack Forums, rather than a nation state actor. In fact, according to its further investigation, it is alleged that a member of one of these Hack Forums actually developed and later released the Mirai source code which, coincidentally, also targeted a high profile video game company.
Am I or my business at risk and what can I do about it?
As we described in our recent post “Tracking the IoT botnet army”, the only way to prevent bad actors from enlisting your coffeemaker, printer or your employees’ iPhones in the botnet army is to see the “troops” coming. However, since many devices that were (or can be) swept up into the botnet army have hard-coded or default passwords on devices that were never changed, anyone with the right skills can create their own botnet for free with the leaked Mirai source code.
In Part 2 of our series we’ll drill down into these recent and altogether unprecedented IoT attacks to further explain how the code works, how they were carried out and what you can do to prevent them.