Joel Pacheco Gonçalves
‘Mirai’ means ‘future’ in Japanese
Mirai is not the only botnet malware out there, nor will it be the last. What this attack did was make the fragility of the Internet mainstream news and spark a more serious debate about the risks of IoT, and for good reason: this is just the beginning, and more attacks are expected.
What Mirai does is quite simple: it takes control of Internet-of-Things devices and turns them into “bots” (or “zombies”, to use the older term). Devices ranging from CCTV cameras and DVRs to home networking equipment have been infected worldwide and are being directed to launch DDoS attacks against Internet services.
Mirai accomplishes this by doing two things:
1. Locating vulnerable Internet-of-Things (IoT) devices to compromise them and grow the botnet
2. Launching DDoS attacks guided by a remote Command and Control (C&C) unit
Once an IoT device has been found with a telnet service reachable from the Internet, Mirai connects to it and tries to guess its login credentials to gain control. The malware uses a dictionary attack, a brute-force technique restricted to a short list of known username/password pairs (the leaked Mirai source carries a table of a few dozen of them). This attack is widely successful because factory-default combinations such as admin/admin or root/123456 are still in use on a large share of these devices.
If you are curious about how many devices are infected with Mirai globally, take a look at this map.
The DDoS target: the Managed DNS infrastructure of Dyn
This time the target of the Distributed Denial of Service (DDoS) was the Managed DNS infrastructure of Dyn, which described the attack on its website as “a complex and sophisticated attack, using maliciously targeted, masked TCP and UDP traffic over port 53”.
In a DDoS attack the goal is to make a service or system unresponsive by flooding its network with more traffic than it can absorb. Naturally, the scale of such attacks is measured in traffic directed at the target per second. The largest attack on record at the time happened this September 21st, measuring at least 600Gbps, against a single website, krebsonsecurity.com; before that, the largest one measured was in the 300 to 400Gbps range.
What happened to Dyn was a different story. Early observations of the attack volume indicate packet flows up to 50 times higher than normal, according to Dyn’s statement. There are reports of a magnitude in the 1.2Tbps range; Dyn has not verified that figure yet, but if it holds, what we witnessed this past Friday was the largest DDoS attack on record, roughly twice the previous one.
Dyn’s customers and users around the globe experienced outages of major Internet services such as Twitter, Amazon, Spotify and PayPal, to name a few. The company confirmed that a significant volume of the malicious traffic originated from Mirai-based botnets.
More security concerns around the Internet of Things (IoT)
Mirai’s favorite targets are Internet-of-Things devices because of their lackluster security measures and scarce firmware updates, which make them easy prey. So the more routers, coffee makers, thermostats, refrigerators, Alexa devices (and so on) we connect, the more vulnerable the Internet gets.
The escalation of DDoS attacks, both in size and frequency, suggests that the botnet (the network of bots or ‘zombies’ under the attacker’s control) is growing rapidly and becoming a real threat to the Internet’s stability.
There is not much an individual can do to stop a DDoS attack once it is under way, but you can keep the botnet from growing with three easy steps:
- After setting up your device, change the default login credentials, following best practices for choosing a username and password
- Disable all remote (WAN) access to your device, telnet in particular
- Keep your device’s software or firmware up to date, where the vendor provides updates
Don’t contribute your own ‘zombies’ to the botnet, and stay alert. More attacks are expected to come.
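To check that the first two steps actually took effect on a device you own, here is an added example (not from the original post, and not Mirai's own code) that mimics the first half of Mirai's behaviour described above: it connects to telnet on ports 23 and 2323 and tries a short dictionary of factory defaults, one fresh connection per attempt. The credential list is a subset of the table in Mirai's leaked source, reconstructed from memory, and should be treated as illustrative; `FakeDevice` is a constructed stand-in so the logic runs offline; the prompt markers assume a BusyBox-style telnetd. Run it only against devices you are authorised to test.

```python
"""Default-credential audit for an IoT device you own, over telnet.
Added example, not the original post's or Mirai's code."""
import socket
import sys

# Subset of the credential table in Mirai's leaked source (from memory,
# illustrative); the full table has a few dozen entries. Extend as needed.
MIRAI_DEFAULTS = [
    ("root", "xc3511"), ("root", "vizxv"), ("root", "admin"),
    ("admin", "admin"), ("root", "888888"), ("root", "xmhdipc"),
    ("root", "default"), ("root", "123456"), ("root", "54321"),
    ("support", "support"), ("root", "root"), ("root", "12345"),
    ("user", "user"), ("admin", "password"), ("root", "password"),
]
TELNET_PORTS = (23, 2323)                   # the two ports Mirai's scanner probes
FAILURE_MARKERS = (b"incorrect", b"failed", b"denied")
SUCCESS_MARKERS = (b"# ", b"$ ", b"> ")    # typical BusyBox / vendor shell prompts


def strip_iac(data: bytes) -> bytes:
    """Drop 3-byte telnet option negotiations (IAC DO/DONT/WILL/WONT opt).
    Subnegotiation and sequences split across reads are not handled; this is
    enough for BusyBox-style telnetd prompts."""
    out, i = bytearray(), 0
    while i < len(data):
        if data[i] == 0xFF and i + 2 < len(data) and data[i + 1] in (0xFB, 0xFC, 0xFD, 0xFE):
            i += 3
        else:
            out.append(data[i])
            i += 1
    return bytes(out)


class TelnetConn:
    """Minimal telnet client on a raw socket (telnetlib was removed in Python 3.13)."""

    def __init__(self, host: str, port: int, timeout: float = 4.0):
        self.sock = socket.create_connection((host, port), timeout=timeout)

    def read_until(self, markers, max_bytes: int = 4096) -> bytes:
        buf = b""
        while len(buf) < max_bytes and not any(m in buf for m in markers):
            try:
                chunk = self.sock.recv(512)
            except socket.timeout:
                break
            if not chunk:
                break
            buf += strip_iac(chunk)
        return buf

    def write(self, data: bytes) -> None:
        self.sock.sendall(data)

    def close(self) -> None:
        self.sock.close()


class FakeDevice:
    """Constructed stand-in for a device that still accepts root/123456,
    so the audit logic can be exercised without a network."""

    def __init__(self, accepted=("root", "123456")):
        self.accepted, self.user, self.pending = accepted, None, b"login: "

    def read_until(self, markers, max_bytes: int = 4096) -> bytes:
        data, self.pending = self.pending, b""
        return data

    def write(self, data: bytes) -> None:
        text = data.decode().strip()
        if self.user is None:                       # username stage
            self.user, self.pending = text, b"Password: "
        elif (self.user, text) == self.accepted:    # password stage, success
            self.pending = b"\r\nBusyBox v1.22.1 built-in shell (ash)\r\n# "
        else:                                       # password stage, failure
            self.user, self.pending = None, b"\r\nLogin incorrect\r\nlogin: "

    def close(self) -> None:
        pass


def try_login(conn, user: str, password: str) -> bool:
    """One login attempt on an open connection; True if a shell prompt comes back."""
    conn.read_until((b"login:", b"sername:"))
    conn.write(user.encode() + b"\r\n")
    conn.read_until((b"assword:",))
    conn.write(password.encode() + b"\r\n")
    reply = conn.read_until(SUCCESS_MARKERS + FAILURE_MARKERS + (b"login:",)).lower()
    if any(m in reply for m in FAILURE_MARKERS):
        return False
    return any(m in reply for m in SUCCESS_MARKERS)


def audit_device(open_conn, creds=MIRAI_DEFAULTS):
    """Try every pair on a fresh connection (many devices drop the session
    after a failure) and return the pairs the device accepted."""
    accepted = []
    for user, password in creds:
        conn = open_conn()
        try:
            if try_login(conn, user, password):
                accepted.append((user, password))
        finally:
            conn.close()
    return accepted


def exposed_telnet_ports(host: str, ports=TELNET_PORTS, timeout: float = 2.0):
    """Which telnet ports answer at all (step 2 above: ideally none from the WAN)."""
    open_ports = []
    for port in ports:
        try:
            socket.create_connection((host, port), timeout=timeout).close()
            open_ports.append(port)
        except OSError:
            pass
    return open_ports


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    if target is None:
        print("offline demo:", audit_device(FakeDevice))
    else:
        ports = exposed_telnet_ports(target)
        print(f"{target}: telnet reachable on ports {ports or 'none'}")
        for port in ports:
            hits = audit_device(lambda p=port: TelnetConn(target, p))
            print(f"  port {port}: accepted defaults {hits or 'none'}")
```

Usage: `python audit.py 192.168.1.50` (hypothetical LAN address) lists which telnet ports answer and which default pairs still work; with no argument it runs the offline demo against `FakeDevice`. Run it from outside your network against your public address and any port it reports open is exactly what Mirai's scanner would find.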