Mirai is the Japanese word for “The Future”. The Mirai Botnet Attack of October 2016 used known security weaknesses in tens of millions of Internet of Things (IoT) devices to launch massive Distributed Denial of Service attacks against Dyn, a major DNS service provider. The result was a notable performance degradation for tens of thousands of businesses that rely heavily on the Internet, and for the millions of users who used these services. A short time before the attack, the Mirai Botnet code was shared on the Internet when it was placed into open source.

  • With the exponential rise of the population of IoT devices, what does the Mirai Botnet attack mean for the future of Internet Security?

Internet Of Things

The Internet has been business critical since 1997. The Internet, the World Wide Web, web applications, and the data and resources they represent are considered by many to be critical infrastructure. Any outage can cost money, lost customers, and even brand damage. Everyone who uses the Internet in a business capacity should be aware of the DDoS threat that the Mirai Botnet and similar programs represent. The Internet of Things, which plays a major role in this saga, continues to grow exponentially in popularity and in capability.

What is a Botnet?

Botnet = Robot + Network. The term is usually used with a negative or malicious connotation. Botnets have been around since 2004. A botnet is a number of Internet-connected devices used by a botnet owner to perform various tasks. Botnets can be used to:

  • perform Distributed Denial of Service attacks
  • steal data
  • send spam
  • allow the attacker access to the device and its connection

Attacker machines are usually running the Linux operating system.

DoS Attack

A Denial-of-Service (DoS) attack is an attempt by an attacker to prevent legitimate users from using resources. Denial-of-Service denies a victim (host, router, or entire network) from providing or receiving normal services.

  • Exploit system design weaknesses
    • Ping of death
    • Teardrop
  • System patches issued after discovering such attacks
    • Computationally intensive tasks
    • Encryption and decryption computation
  • DDoS attack (flooding-based)
    • Exploit the computing power of thousands of vulnerable, unpatched machines to overwhelm a target or a victim
    • CPU, memory, bandwidth exhaustion

Distributed Denial of Service (DDoS) Attacks

DDoS attacks do not depend on system or protocol weaknesses. They introduce the “many to one” dimension: a large number of compromised hosts are gathered to send useless service requests and packets at the same time. The burst of traffic generated crashes the victim or disables it.

  • Victim (Target): receives the brunt of the attack
  • Attack Daemon Agents: agent programs that actually carry out the attack on the victim. The attacker gains access to and infiltrates host computers to deploy them. The daemons affect both the target and the host computers.
  • Master Program/Agent: coordinates the attack through the attack daemons
  • Attacker/Attacking Hosts: mastermind behind the attack. Using the master, it stays behind the scenes during the real attack.

Little-Known Roots of the Mirai Botnet

The 2012 Carna Botnet Census exploited over 420,000 public-facing IPv4 devices that had no passwords or weak passwords. Of the 4.3 billion possible IPv4 addresses, Carna Botnet found a total of 1.3 billion addresses in use, including 141 million that were behind a firewall and 729 million that returned reverse domain name system records. The remaining 2.3 billion IPv4 addresses are probably not used. [Wikipedia] The paper at http://internetcensus2012.github.io/InternetCensus2012/paper.html describes the methods used and the data collected. The author admitted in his paper that he enjoyed the “feeling of power” of being able to simultaneously control over 400,000 devices from a single desktop. Over 4 TB of device data and IP addresses were collected. This data remains a standard for “check up” to ensure that administrators have no public-facing insecure devices. The author, whose identity remains a secret, could face prosecution in every country that has applicable network intrusion laws.

Pre-Attack Events

  • August 2016 - Bruce Schneier predicts, based on his research and observations, that a DDoS attack or series of attacks would take down the Internet
  • September 2016 - Brian Krebs’ website and his provider were hit with DDoS attacks at about 665 Gbps
  • October 2016 - Mirai Source Code placed in Open Source

Someone Is Learning How to Take Down the Internet - by Bruce Schneier

Excerpt: “What can we do about this? Nothing, really. We don’t know where the attacks come from. The data I see suggests China, an assessment shared by the people I spoke with. On the other hand, it’s possible to disguise the country of origin for these sorts of attacks. The NSA, which has more surveillance in the Internet backbone than everyone else combined, probably has a better idea, but unless the US decides to make an international incident over this, we won’t see any attribution. But this is happening. And people should know.”

DDoS Attack on Brian Krebs’ Website:

  • KrebsOnSecurity Hit With Record DDoS - https://krebsonsecurity.com/2016/09/krebsonsecurity-hit-with-record-ddos/
  • DDoS attack takes down Brian Krebs’ site - www.krebsonsecurity.com. At 665 Gbps of traffic it was the largest DDoS Attack in Internet History - Attack was so powerful that Akamai threw up its hands - http://www.csoonline.com/article/3123785/security/largest-ddos-attack-ever-delivered-by-botnet-of-hijacked-iot-devices.html
  • Will IoT folks learn from DDoS attack on Krebs’ Web site? - http://www.csoonline.com/article/3124436/security/will-iot-folks-learn-from-ddos-attack-on-krebs-web-site.html

Someone, whom he subsequently spent months working to track down, had seized control of hundreds of thousands of internet-connected devices, including home routers, video cameras, DVRs, and printers, to create a botnet, a sort of digital zombie army.

What Did the Mirai Botnet Do in October 2016?

The Internet didn’t “break” on October 21, 2016, but the attackers who launched the DDoS attacks against Dyn exploited a known DNS Weakness that negatively impacted MANY Internet-related businesses and millions of users.

How Did Mirai Work? DDoS Attacks of October 21, 2016

Infected IoT Devices:

  • Launch DDoS Attacks
  • Report data to C2 Servers
  • Infect other IoT Devices

The Mirai Internet of Things (IoT) botnet has been using STOMP (Simple Text Oriented Messaging Protocol) floods to hit targets, a protocol that isn’t normally associated with distributed denial of service (DDoS) attacks.

Mirai has been responsible for taking major websites offline for many users by targeting the Dyn DNS service, in addition to hosting firm OVH in attacks that surpassed 1.2 Tbps (terabits per second). Mirai was also used in an attack against Brian Krebs’ blog in a 665 Gbps+ (gigabits per second) assault. The botnet uses various attack vectors to power these massive attacks, including STOMP floods.
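An infected device that tries to infect other IoT devices shows up on its own network as a host opening Telnet connections to many outside addresses. The following is an added example, not code from the original article or from Mirai: it flags such hosts in flow records, using the TCP/23 and TCP/2323 ports this article names in its protection advice. The log format, the IoT subnet, the threshold and all addresses are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

TELNET_PORTS = {23, 2323}                          # ports named in the article
IOT_NET = ipaddress.ip_network("192.168.50.0/24")  # assumed IoT segment
MIN_TARGETS = 4   # assumed threshold: distinct hosts probed per window

# Constructed flow records: "epoch_seconds src dst dst_port tcp_flags"
SAMPLE_FLOWS = """\
1000 192.168.50.23 198.51.100.7 23 S
1001 192.168.50.23 198.51.100.8 23 S
1002 192.168.50.23 203.0.113.40 2323 S
1003 192.168.50.23 203.0.113.41 23 S
1000 192.168.50.40 198.51.100.7 23 S
1200 192.168.50.40 198.51.100.8 23 S
1400 192.168.50.40 198.51.100.9 23 S
1600 192.168.50.40 203.0.113.40 23 S
1010 192.168.50.10 203.0.113.5 443 S
truncated-line 192.168.50.23
"""

def parse_flow(line):
    """Return (ts, src, dst, dport, flags), or None for a malformed line."""
    try:
        ts, src, dst, dport, flags = line.split()
        return (int(ts), ipaddress.ip_address(src),
                ipaddress.ip_address(dst), int(dport), flags)
    except ValueError:
        return None

def find_telnet_scanners(log_text, window=60):
    """Map each IoT host to its peak count of distinct outside Telnet targets."""
    flows = filter(None, map(parse_flow, log_text.splitlines()))
    hits = defaultdict(list)                       # src -> [(ts, dst)]
    for ts, src, dst, dport, flags in flows:
        if (src in IOT_NET and dst not in IOT_NET
                and dport in TELNET_PORTS and flags == "S"):
            hits[src].append((ts, dst))
    alerts = {}
    for src, seen in hits.items():
        seen.sort(key=lambda h: h[0])
        start = peak = 0
        for end in range(len(seen)):               # sliding time window
            while seen[end][0] - seen[start][0] > window:
                start += 1
            peak = max(peak, len({d for _, d in seen[start:end + 1]}))
        if peak >= MIN_TARGETS:
            alerts[str(src)] = peak
    return alerts
```

With the default 60-second window only the host that probes four outside addresses in quick succession is reported; widening the window also catches the host that spreads the same number of probes over ten minutes.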

Mirai Source Code Analysis

A clear analysis of the Mirai source code is available at https://medium.com/@cjbarker/mirai-ddos-source-code-review-57269c4a68f

Post-Attack Events

  • October 2016 - Twitter Account to Monitor Mirai in Real-Time
  • November 2016 - Chinese claim Mirai Botnet attack hit Chinese-made IoT Devices, especially CCTVs
  • November 2016 - DHS published guideline documents for implementing Secure IoT devices
  • Windows Mirai botnet variant identified in 2017

The Windows variant of the infamous Mirai Linux botnet is the offspring of a more experienced bot herder, possibly of Chinese origin, Kaspersky Lab security researchers warn. Recently detailed by Doctor Web, its main functionality is to spread the Mirai botnet to embedded Linux-based devices. The malware also abuses Windows Management Instrumentation (WMI) to execute commands on remote hosts, and targets Microsoft SQL Server and MySQL servers to create admin accounts and abuse their privileges.

How to Protect our IoT Devices Against Mirai and Other Botnet Attacks

  • Change Your Password: This is not only good advice for those of us who shop online or who have been notified that the e-commerce site we recently shopped on has been breached, but likewise for IoT devices. In fact, according to this report, these better credentials can be used to provide a bulwark against botnet attacks like Mirai by substituting the hard-coded username and password with ones that are unique to your organization and not, of course, easily guessed.
  • Turn them off: For currently deployed IoT devices, turn them off when not in use. If the Mirai botnet does infect a device, the password must be reset and the system rebooted to get rid of it.
  • Disable all remote access to them: To protect devices from Mirai and other botnets, users should not only shield TCP/23 and TCP/2323 access to those devices, but also disable all remote (WAN) access to them.
  • Research Your Purchase: Before you even buy a product, research what you are buying and make sure that you know how to update any software associated with the device. Look for devices, systems, and services that make it easy to update the device and inform the end user when updates are available.
  • Use It or Lose It: Once the product is in your office, turn off the functions you are not using. Enabled functionality usually comes with increased security risks. Again, make sure you review that before you even bring the product into the workplace. If it’s already there, don’t be shy about calling customer service and walking through the steps needed to shut down any unused functions.

How Can an Organization Protect Against Mirai and Other Botnet Attacks?

The IoT threat is a serious one but one that can be simply resolved. While it’s almost impossible to educate everyone on how to change their user names and passwords on these devices, it is possible for manufacturers to incorporate security features into the design and production of these devices, in particular securing Telnet communication and its associated ports. Default passwords must be random, and users should be given simple instructions on how to change them.

  • Stay current – Update firmware and software regularly
  • Authentication – Use unique credentials for each device
  • Configuration – Close unnecessary ports and disable unnecessary services
  • Segment – Create separate network zones for your IoT systems

  • Actively design, engineer, and implement security, from the beginning, not after the fact.
  • Set or Change the default passwords on IoT
  • Have an alternate DNS provider
  • Add DDoS attack scenarios into your Incident Management and Response Plans
  • Use DDoS scenarios in your Exercises
  • Simulate DDoS attacks on your digital infrastructure to stress-test
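The four checks listed above (stay current, authentication, configuration, segment) can be run against a device inventory. This is an added example, not part of the original article: the inventory rows, field layout, credential identifiers and IoT zone are constructed assumptions, and the Telnet ports are the TCP/23 and TCP/2323 named earlier.

```python
import ipaddress
from collections import defaultdict

TELNET_PORTS = {23, 2323}                        # ports named in the article
IOT_ZONE = ipaddress.ip_network("10.20.0.0/24")  # assumed dedicated IoT zone

# Constructed inventory rows: (name, ip, is_iot, credential_id, open_ports,
# installed_firmware, latest_firmware). credential_id is an assumed
# fingerprint from a password vault, so no secret is stored here.
INVENTORY = [
    ("cam-lobby", "10.20.0.11", True, "cred-A", {23, 80}, "1.0.2", "1.4.0"),
    ("cam-dock", "10.20.0.12", True, "cred-A", {80}, "1.4.0", "1.4.0"),
    ("dvr-office", "10.10.0.50", True, "cred-B", {443, 2323}, "2.1.0", "2.1.0"),
    ("printer-2f", "10.20.0.30", True, "cred-C", {443}, "3.3.1", "3.3.1"),
    ("hr-laptop", "10.20.0.77", False, "cred-D", set(), "-", "-"),
]

def audit(inventory, iot_zone=IOT_ZONE):
    """Return {device_name: [findings]} for the four checks."""
    by_cred = defaultdict(list)                  # credential -> IoT devices
    for name, _ip, is_iot, cred, *_rest in inventory:
        if is_iot:
            by_cred[cred].append(name)
    findings = defaultdict(list)
    for name, ip, is_iot, cred, ports, installed, latest in inventory:
        in_zone = ipaddress.ip_address(ip) in iot_zone
        if not is_iot:
            if in_zone:                          # Segment
                findings[name].append("non-IoT host inside IoT zone")
            continue
        if installed != latest:                  # Stay current
            findings[name].append(f"firmware {installed} behind {latest}")
        others = [n for n in by_cred[cred] if n != name]
        if others:                               # Authentication
            findings[name].append("credential shared with " + ", ".join(others))
        exposed = sorted(TELNET_PORTS & ports)
        if exposed:                              # Configuration
            findings[name].append(f"Telnet port open: {exposed}")
        if not in_zone:                          # Segment
            findings[name].append("IoT device outside IoT zone")
    return dict(findings)
```

Devices that pass every check are absent from the result, so an empty dictionary means the inventory is clean under these four rules.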

The Mirai Botnet Five Takeaways

  1. Not just one attack
  2. The attack was sophisticated
  3. IoT is to blame
  4. This isn’t the end
  5. The IoT industry needs stricter standards