
The secret behind the success of Mirai IoT botnets

Tim Greene | Oct. 28, 2016
Public posting of the source code makes it script-kiddie simple

There’s no magic behind the success of Mirai DDoS botnets that are made up of IoT devices: the software enabling them is publicly available, which makes it easy for relatively inexperienced actors to create them and turn them loose on anyone.

Flashpoint speculates that the Dyn DDoS, which had an enormous impact on major Web sites, was the work of low-skilled script kiddies – a frightening prospect that contributes to Trend Micro’s assessment that “the Internet of Things ecosystem is completely, and utterly, broken.”

To amass an IoT botnet, Mirai bot herders scan a broad range of IP addresses, trying to log in to devices using a list of 62 default usernames and passwords that are baked into the Mirai code, according to US-CERT.

Mirai connects hijacked devices to an IRC-type service where it waits for commands. Often one of the first things a bot does is scan the internet for more vulnerable devices to infect. These devices are largely security cameras, DVRs and home routers. Brian Krebs, whose site was one of the first hit by a massive Mirai-based DDoS attack, lists some of the specific devices here.
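As an added illustration of the scanning behaviour described above (example code written for this page, not taken from the article or from Mirai itself): a defender-side detector that reads constructed telnet authentication log lines in a hypothetical format, flags any source that cycles through many distinct usernames within a short window, and notes whether a login from that source later succeeded, which is the point at which a device should be treated as compromised.

```python
"""Flag Mirai-style default-credential scanning in telnet auth logs."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a hypothetical "ts daemon src= user= result=" format.
SAMPLE_LOG = """\
2016-10-21T13:00:01 telnetd src=203.0.113.10 user=root result=fail
2016-10-21T13:00:02 telnetd src=203.0.113.10 user=admin result=fail
2016-10-21T13:00:02 telnetd src=203.0.113.10 user=support result=fail
2016-10-21T13:00:03 telnetd src=203.0.113.10 user=user result=fail
2016-10-21T13:00:04 telnetd src=203.0.113.10 user=guest result=fail
2016-10-21T13:00:05 telnetd src=203.0.113.10 user=service result=fail
2016-10-21T13:00:06 telnetd src=203.0.113.10 user=root result=success
2016-10-21T13:05:00 telnetd src=198.51.100.7 user=admin result=fail
2016-10-21T13:09:00 telnetd src=198.51.100.7 user=admin result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) telnetd src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\w+)$"
)

def parse(log_text):
    """Parse lines of the constructed format into (timestamp, src, user, result)."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that do not fit the format
        events.append((datetime.fromisoformat(m["ts"]), m["src"], m["user"], m["result"]))
    return events

def detect_credential_scans(log_text, window_seconds=60, min_distinct_users=5):
    """Return {src: {"distinct_users": n, "later_success": bool}} for every source
    that failed with at least min_distinct_users different usernames inside any
    window_seconds span (the signature of a bot working through a credential list)."""
    by_src = defaultdict(list)
    for ts, src, user, result in parse(log_text):
        by_src[src].append((ts, user, result))
    alerts, window = {}, timedelta(seconds=window_seconds)
    for src, evts in by_src.items():
        evts.sort()
        fails = [(ts, user) for ts, user, result in evts if result == "fail"]
        best, start = 0, 0
        for end in range(len(fails)):  # sliding window over failed attempts
            while fails[end][0] - fails[start][0] > window:
                start += 1
            best = max(best, len({u for _, u in fails[start:end + 1]}))
        if best >= min_distinct_users:
            last_fail = max(ts for ts, _ in fails)
            later_success = any(r == "success" and ts >= last_fail for ts, _, r in evts)
            alerts[src] = {"distinct_users": best, "later_success": later_success}
    return alerts
```

Tune `window_seconds` and `min_distinct_users` to the device population; a legitimate administrator rarely tries five or more different usernames within a minute, whereas a bot with a built-in list does so in seconds.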

When Mirai botnets are called upon to carry out DDoS attacks, they can draw on a range of tools including ACK, DNS, GRE, SYN, UDP and Simple Text Oriented Message Protocol (STOMP) floods, says Josh Shaul, vice president of web security for Akamai.

Mirai doesn’t try to hide from forensic analysis, probably because the type of device it’s on won’t have an owner who is skilled enough to look for it.

Like any botnet, Mirai directs its zombie machines via command and control (C2) servers, which are mostly compromised machines in the networks of small and mid-sized businesses, says Dale Drew, CSO of Level 3. To avoid detection, these change location about three times as often as those of other IoT botnets change – roughly every day or so, he says.

These IoT botnets carry out volumetric attacks that try to throw as much traffic at their targets as possible to overwhelm them and make it impossible for legitimate traffic to reach them. Some estimate they have generated attacks greater than 1 Tbps.

There are millions of IoT devices deployed, making it possible to assemble larger than usual botnets more quickly. US-CERT says the purported author of Mirai says 380,000 IoT devices are under its control.

Since so many devices are enlisted and attack directly, it’s difficult for defenders to readily identify significant numbers of malicious IP addresses and block them quickly. With reflection attacks, there is another layer of attack devices that can be identified and blocked, effectively nullifying many individual bots.
