IoT security: 8 lessons learned from the Mirai botnet

Botnets are a major threat, and defending against their massive traffic volumes takes more than one method. Experts recommend a combination of steps to guard against attacks.

You've probably seen your fill of Mirai-inspired headlines, but keep reading. You'll learn something essential to maintaining your overall IT security posture. 

To recap: In late 2016, unknown hackers launched a set of attacks by building an automated collection of Internet-connected webcams and digital video recorders. The botnet, subsequently labeled “Mirai,” has been the source of distributed denial-of-service (DDoS) attacks on numerous websites, including a site operated by security journalist Brian Krebs, a German Internet service provider, and the Dyn.com domain name services (DNS) used by many large companies.

Until Mirai came along, the majority of DDoS attacks were accomplished using malware-infected Windows PCs, commandeered by criminals who harnessed the collected computing power of these PCs and controlled it remotely. Mirai changed the game by the sheer number of devices involved and the magnitude of damages inflicted, making it a potent criminal force.

Mirai's operation has grown more sophisticated over time, and there is much to learn from how it was built and how it uses Internet of Things (IoT) embedded devices. First, a timeline of events to set the stage.

Mirai botnet timeline

Mirai was in the news for a number of events. The following timeline shows how it became increasingly potent and dangerous over time.

September 20, 2016: Investigative journalist Brian Krebs targeted 

Krebs is one of the top investigative InfoSec journalists, and his Krebs on Security is a must-read blog. However, sometimes he becomes the story when unhappy hackers turn on him. His web servers became the target of one of the largest DDoS attacks ever recorded—between 600 billion and 700 billion bits per second. To put that into perspective, this level of traffic is almost half a percent of the Internet’s entire capacity. What makes it even more impressive is that the data rates were sustained for hours at a time against Krebs’ websites. 

DDoS attacks are brute force: A collection of computers sends streams of automated TCP/IP traffic directed at a specific web destination. When the traffic reaches a certain volume, it can overwhelm and shut down the targeted server. An enterprise must filter out the malicious traffic or otherwise divert it away from its network to bring its servers back online.

This wasn’t Krebs’ first DDoS attack. He has experienced hundreds of them over the past several years. But it was the biggest. According to Akamai, the Krebs attacks were launched by 24,000 systems infected with Mirai. During September, five attacks hit Krebs, ranging from 123 to 623 Gbps.  

To better defend his sites, Krebs had been using Akamai's content delivery network (CDN) to filter out the attacks. For the most part, Akamai was able to repel the earlier DDoS efforts. But the attacks on September 20 contained so much traffic that after several days Akamai had to throw in the virtual towel. This meant that Krebs’ sites were offline for a few days, until he could move his protection to Google’s Project Shield. This is a free, invitation-only program designed to help independent news sites stay up and running. With help from Project Shield, Krebs' site has stayed up until today.

October 1, 2016: Mirai source code released on GitHub 

The attack on Krebs was a great proof of concept, but the folks behind Mirai took things a step further. A hacker known as “Anna-Senpai” posted the code for Mirai online, where it has been downloaded thousands of times from various sources, including GitHub. As a result, the botnet infection spread as more criminals began using the tool to assemble their own botnet armies. Update: On January 18, 2017, Krebs described how he uncovered Anna-Senpai's true identity.

October 21, 2016: Dyn.com attacked

In late October, another huge attack was launched on Dyn, a DNS provider for a number of large-scale customers, including GitHub, Twitter, Netflix, Airbnb, and hundreds of other companies. These services are akin to an Internet phone book: When you request a particular website, such as Google.com, it routes your request to a particular TCP/IP address for Google’s web servers to respond. Without these naming services, your request goes nowhere. This Mirai attack used 100,000 unique IP addresses, a big step up from the earlier one on Krebs. Dyn maintains multiple data centers around the world, which suffered three attempted attacks over the course of the day. The first two brought part of its operations down, meaning that Internet users couldn’t access the websites of certain Dyn customers. The third attack was thwarted by Dyn’s IT staff. Security research company Flashpoint provides more detail on the attack. 

November 1: Liberia’s Internet connection disrupted

According to one security researcher, the Mirai botnet briefly brought down parts of Liberia's Internet connection in late October and early November. The attack was targeted at the two fiber companies that own the country’s Internet connections. These companies manage Liberia's link to a massive undersea cable that runs around the African continent, connecting other countries. Liberia may have been targeted because of its single fiber cable connection, and the fact that the Mirai botnet can overwhelm the connection with a 500 Gbps traffic flood. 

November 30: Deutsche Telekom customers taken offline

In late November, more than 900,000 customers of German ISP Deutsche Telekom (DT) were knocked offline after their Internet routers were infected by a new variant of Mirai. The Mirai code seen in this attack was modified with two important features. First, it exploited a security flaw in specific routers made by Zyxel and Speedport to allow remote code execution. These routers have been sold to numerous German customers, which is why DT was affected so severely. Second, this new strain of Mirai now scans the entire Internet looking for all potential devices that could be compromised. 

Those are just the most noteworthy attacks to date. Mirai continues to be deployed, and security researchers at MalwareTech.com have set up a Twitter account to track daily attacks in near real time.

How was Mirai first detected?

In September 2016, a series of IoT-based botnets were detected by a number of security researchers, most notably Sucuri and Flashpoint. Sucuri published several posts describing its investigations of several botnets that had amassed more than 45,000 individual IP addresses. (This is about twice the number of origins first experienced by Krebs.) The botnets attacked a Sucuri customer, reaching 120,000 requests per second. The customer couldn’t defend itself, even using Amazon and Google clouds to spin up larger virtual machines. Krebs attempted the same tactic using Akamai’s defenses.

Sucuri found three types of endpoints that made up the attack: webcams, home routers, and compromised enterprise web servers. Eight major home router brands were part of the botnet, with the majority of the total IP addresses coming from Huawei brands. Many of these routers were located in Spanish-speaking countries, but there were plenty of compromised routers located all around the world. This geographic diversity is one of the reasons why Mirai was both so powerful and so hard to defend. 

Flashpoint found subsequent compromised devices by scanning Internet traffic on TCP port 7547. According to its researchers, there are several million other vulnerable devices in other countries, including Brazil and the U.K. The latest Mirai variant is likely an attempt by one of the existing Mirai botmasters to expand the number of infected devices under their control. According to InfoSec journalism site BadCyber.com, part of the problem is that DT, initially targeted in November, does not appear to have followed the best practice of blocking the rest of the world from remotely managing these devices. 

Preventing DDoS attacks: Lessons for IT leaders

The Mirai botnet is a major threat, and requires a combination of methods to defend against massive traffic volumes that can overwhelm even the most capable web servers. Experts recommend a combination of the following actions: 

  1. Create a DDoS strategy now. Forget the security-by-obscurity plan and come up with something more definitive. Anyone can become a target, and now is the time to plan appropriate measures. Flashpoint's recommended DDoS attack mitigation strategies are worth reading.
  2. Examine how your company obtains its DNS services. Dyn customers didn’t use a secondary DNS provider, or configure DNS servers to use more than one of Dyn’s data centers. Server reconfiguration took time, creating more attack opportunities. Some large online companies now use both Dyn and other DNS providers, such as OpenDNS or EasyDNS, for redundant operations. This is a good strategy in the event of future DNS-based attacks. 
  3. Use an anycast DNS provider for your company. Anycast is communication between a single sender and the nearest of several receivers in a group. This recommendation comes from Flashpoint, and it has two benefits. First, anycast DNS can spread the attacking botnet requests across a distributed network, lessening the burden on individual servers. Second, it can speed up DNS responses, making pages load faster. A short list of managed DNS providers offering anycast can be found here.
  4. Check routers for unauthorized DNS changes (also called DNS hijacking). Cybersecurity company F-Secure has a simple and free tool that can determine in just a few seconds whether a router's DNS settings have been tampered with. Checking every router could be tedious, so home routers accessing a corporate network should be prioritized.
  5. Reboot routers. Mirai is memory-resident, and rebooting removes the infection. However, it isn’t a good long-term solution because criminals have perfected scanning techniques to re-infect routers using default passwords. The next step is to change the defaults, and reboot again. 
  6. Change factory default passwords on all network equipment. Unchanged default passwords allowed Mirai to collect multiple endpoint IoT webcams and routers. The F-Secure tool can help with home routers, but a more complete program must be put in place to ensure all critical network infrastructure has appropriately complex and unique passwords.
  7. Get network forensics in order. Companies should be able to capture attack traffic in order to analyze what happened and who is targeting their network. Mirai used an exploit on TCP port 7547 to connect to home routers. Companies should add a detection rule to monitor that port. The rule should not count or log legitimate traffic, which makes it important for IT to understand normal traffic baselines.
  8. Consider a CDN provider to handle peak traffic loads. Historic traffic patterns help determine if web servers are stretched too thin or if additional load balancing or CDNs could improve performance.
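
The detection rule from item 7, sketched in Python as an added example (not from the original article): it watches inbound TCP port 7547, leaves allowlisted management traffic uncounted, and separates single probes from sweeps across many devices. The flow-record format, the allowlisted range and the threshold are assumptions, and the sample records are constructed.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flow records: "time src dst dst_port proto"
SAMPLE_FLOWS = """\
2024-01-01T14:00:01Z 198.51.100.23 10.0.5.1 7547 tcp
2024-01-01T14:00:02Z 198.51.100.23 10.0.5.2 7547 tcp
2024-01-01T14:00:02Z 198.51.100.23 10.0.5.3 7547 tcp
2024-01-01T14:00:03Z 203.0.113.10 10.0.5.1 7547 tcp
2024-01-01T14:00:04Z 192.0.2.77 10.0.5.9 443 tcp
2024-01-01T14:00:05Z 198.51.100.23 10.0.5.4 7547 udp
2024-01-01T14:00:06Z 192.0.2.200 10.0.5.7 7547 tcp
garbage line
"""

# Assumption: the only hosts expected to reach port 7547 (hypothetical range).
MGMT_ALLOWLIST = [ipaddress.ip_network("203.0.113.0/28")]
WATCH_PORT = 7547
SWEEP_THRESHOLD = 3  # assumed: distinct targets from one source that count as a sweep

def parse_flow(line):
    """Return (src, dst, dport, proto), or None for a malformed record."""
    parts = line.split()
    if len(parts) != 5:
        return None
    _, src, dst, dport, proto = parts
    try:
        return (ipaddress.ip_address(src), ipaddress.ip_address(dst),
                int(dport), proto.lower())
    except ValueError:
        return None

def detect(flow_text, allowlist=MGMT_ALLOWLIST, threshold=SWEEP_THRESHOLD):
    """Map each non-allowlisted source to ("probe" | "sweep", sorted targets)."""
    targets = defaultdict(set)
    for line in flow_text.splitlines():
        rec = parse_flow(line)
        if rec is None:
            continue
        src, dst, dport, proto = rec
        if proto != "tcp" or dport != WATCH_PORT:
            continue
        if any(src in net for net in allowlist):
            continue  # legitimate management traffic is not counted
        targets[str(src)].add(str(dst))
    return {s: ("sweep" if len(d) >= threshold else "probe", sorted(d))
            for s, d in targets.items()}

if __name__ == "__main__":
    for source, (kind, hit) in detect(SAMPLE_FLOWS).items():
        print(source, kind, hit)
```

Tune the threshold and allowlist against your own traffic baseline before alerting on the output.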