Mirai Botnet Linked to Massive DDoS Attacks on Dyn DNS

The DDoS attack on Dyn DNS was carried out using the Mirai malware botnet — Mirai is a DDoS nightmare turning the Internet of Things (IoT) into a botnet of things.

Yesterday’s DDoS attack on Dyn’s DNS was like an earthquake that was felt worldwide when the top and most visited sites on the Internet went offline for hours. Although it is unclear who was behind this attack, security researchers are linking the Mirai DDoS botnet malware to it.

If you don’t know what Mirai is, then let us tell you. It is the same botnet that was behind the DDoS attacks on the Krebs on Security blog and the OVH hosting website a couple of weeks back. The attack on Krebs’s website peaked at 665 Gbps, whilst OVH suffered the Internet’s largest-ever DDoS attack at 1 Tbps, in which 145,000 hacked webcams were used.

Mirai uses Internet of Things (IoT) devices like routers, digital video recorders (DVRs), and webcams/security cameras, enslaving vast numbers of these devices into a botnet, which is then used to conduct DDoS attacks.

You may be wondering why Mirai is such a badass botnet. It may have something to do with the fact that “Anna_Senpai” shared their code in public. Yes, the owner of this botnet recently published its source code online, and since then the use of Mirai has been steadily increasing – wreaking havoc globally. Researchers at Flashpoint have revealed that they discovered similar patterns, tactics, techniques, and procedures (TTPs) in yesterday’s DDoS attack.

Using IoT devices? Change their default login credentials to something strong.

Chris Sullivan, General Manager of Intelligence/Analytics at Core Security Inc, told HackRead that IoT devices are cheap and don’t have the necessary memory and processing power to be secured properly. This is the main reason that they are easy to hack and use for malicious purposes.

According to Chris:

“This outage appears to have resulted from a new breed of very high volume DDoS, or denial-of-service attacks, that will be difficult to handle with the defenses that most enterprises have in place today. The really frightening part of this is not that we will be struggling with these new attacks for some time, but that the underlying weakness which makes them successful can and will be used to unleash more serious attacks that steal credit cards and weapons designs, manipulate processes like the SWIFT global funds transfers, and even destroy physical things, like the 30,000 PCs at Saudi Aramco.

IoT devices are the very cheap computers that we use to control the heat, lights and baby monitor in your home or tell UPS when a truck needs service – some cost less than $1. Unlike your PC or your phone, IoT devices don’t have the memory and processing to be secured properly, so they are easily compromised by adversaries and it’s very difficult to detect when that happens.

This is what’s driving the new ultra-high volume DDoS attacks like we saw today. Ultra-large IoT botnets are instructed to make so many superfluous requests of the target that legitimate requests cannot get through. No real damage is done but service is denied for legitimate users. Maybe you can’t get to Twitter for an hour. But these same devices also have access to what we think are highly secured corporate, nation-state and defense networks. They can be used to launch attacks on those networks from the inside where all of the next-generation firewalls, intrusion prevention and user-based analytics tools won’t even see them.

Companies should move immediately to get control of this situation both to protect themselves and because, in the wake of these new high-profile events, it’s likely to be mandated by new law. What is required now is the deployment of systems that don’t try to control the IoT devices but rather watch and learn how they behave so that we can identify malicious activity and isolate them when necessary.”
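Chris’s recommendation above (watch how IoT devices normally behave, then isolate the ones that deviate) in working form. This is an added example, not code from the article, HackRead or Core Security; the flow-log format, the device addresses (RFC 5737 documentation ranges) and the mean-plus-three-sigma threshold are all assumptions made for the illustration.

```python
"""Behavioural baselining for IoT devices (added example, not the article's code).

Learn each device's normal outbound connection rate from a quiet period, then
flag devices whose rate later explodes, the pattern of a device that has been
drafted into a DDoS botnet. Log format and records are constructed.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow-log lines: "<minute> <device_ip> <dst_ip> <dst_port> <connections>"
LEARNING_LOG = """\
1 10.0.0.21 198.51.100.10 443 3
2 10.0.0.21 198.51.100.10 443 2
3 10.0.0.21 198.51.100.10 443 4
1 10.0.0.22 192.0.2.53 53 5
2 10.0.0.22 192.0.2.53 53 6
3 10.0.0.22 192.0.2.53 53 4
"""
# Minute 4: the camera at 10.0.0.22 suddenly hammers two DNS servers
LIVE_LOG = """\
4 10.0.0.21 198.51.100.10 443 3
4 10.0.0.22 203.0.113.1 53 5000
4 10.0.0.22 203.0.113.2 53 4800
"""

def parse(log):
    """Yield (minute, device, dst, port, connections) tuples from log text."""
    for line in log.splitlines():
        minute, dev, dst, port, n = line.split()
        yield int(minute), dev, dst, int(port), int(n)

def per_minute_rates(log):
    """Total outbound connections per device per minute."""
    rates = defaultdict(lambda: defaultdict(int))
    for minute, dev, _dst, _port, n in parse(log):
        rates[dev][minute] += n
    return rates

def learn_baseline(log):
    """Per-device threshold: mean + 3*stddev over the learning period, floor of 10."""
    baseline = {}
    for dev, by_minute in per_minute_rates(log).items():
        samples = list(by_minute.values())
        baseline[dev] = max(10, mean(samples) + 3 * pstdev(samples))
    return baseline

def flag_devices(baseline, live_log):
    """Return {device: peak_rate} for devices exceeding their learned threshold."""
    flagged = {}
    for dev, by_minute in per_minute_rates(live_log).items():
        peak = max(by_minute.values())
        # A device never seen during learning gets the floor, not a free pass
        if peak > baseline.get(dev, 10):
            flagged[dev] = peak
    return flagged
```

A flagged device is a candidate for network isolation rather than proof of compromise; a firmware update or a legitimate burst can also trip the threshold, so the alert should be reviewed.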

It is unclear who was behind these large-scale attacks or if these attacks are connected with what we saw a couple of weeks ago directed at the OVH and Krebs’ websites. One thing is quite obvious, though. Someone was trying to take the Internet down – and they almost succeeded. Let’s all just wait for the next barrage and ponder if the Internet of Things is actually turning into the Botnet of Things.

[Image: How a DDoS attack looks]
[Image: A list of usernames and passwords included in the Mirai source code.]

Let’s see what’s next and how the Internet of Things is turning into the Botnet of Things. At the time of publishing this article, the DDoS attacks on Dyn’s servers had stopped and all our sites and services were back online.
