Now that its source code has been released you can expect more attacks from Mirai, the malware behind the largest DDoS attack on record, which was powered by hijacked IoT devices.
Since the release of that code last week it has been responsible for smaller attacks that look like newcomers experimenting with the malware in preparation for bigger things, say security researchers at Imperva. “Likely, these are signs of things to come and we expect to deal with Mirai-powered attacks in the near future,” they say in their blog post.
That concern is echoed by researchers at F5, who say, “we can definitely expect the IoT DDoSing trend to rise massively in the global threat landscape.”
The historic attacks over the past two weeks that took down the popular KrebsOnSecurity site and challenged the resources of French hosting provider OVH mark the latest spikes in DDoS volume, which means mitigation infrastructure has to be prepared for attacks that are three to five times as large, according to Josh Shaul, vice president of web security for Akamai.
He says that despite the power of the attacks – up to 1Tbps – there’s nothing special about Mirai, which is named for the anime character Mirai Suenaga. “Usually the cool stuff is the exploits or the ability of the malware to hide or be persistent. Mirai can persist through a reboot of the infected device, but it’s not super sophisticated.”
It gets on systems by being installed after attackers log in with default passwords. Mirai connects to an IRC-type service where it waits for commands. It doesn’t try to hide from forensic analysis, probably because the type of device it’s on won’t have an owner who is skilled enough to look for it. “It’s no Stuxnet,” he says.
The malware finds vulnerable machines by scanning a broad range of IP addresses until it finds IoT devices with easily guessable passwords, Imperva says. It’s got a number of DDoS attack methods in its playbook, including GRE, SYN, ACK, DNS, UDP and Simple Text Oriented Message Protocol (STOMP) floods.
The DNS attacks include the relatively uncommon DNS Water Torture attack, which overloads the DNS servers that resolve queries for the actual target, F5 says. Each query asks for a random, nonexistent subdomain of the target, so recursive resolvers cannot answer from cache and must pass every request on to the target’s authoritative servers. When one server becomes overloaded, the queries are retransmitted to another of the target’s DNS servers, and so on, until legitimate traffic can no longer be directed to the target.
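The distinguishing trait of a water-torture flood is visible in a resolver’s query log: almost every query for the victim zone carries a never-before-seen, random-looking prefix, whereas legitimate zones repeat a handful of names. The following detector is an added example written for this article; it is not code from F5, Imperva or Mirai. The log lines are constructed, the simplified BIND-style line format, the two-label zone heuristic and the thresholds (minimum query count, unique-prefix ratio, mean label entropy) are all assumptions a deployment would tune to its own zones and traffic.

```python
"""Flag DNS water-torture (random-subdomain) query patterns in a resolver query log.

Added example for illustration: the log lines are constructed, and the line format,
zone heuristic and thresholds are assumptions, not any vendor's detection logic.
"""
import math
import re
from collections import Counter, defaultdict

# Constructed sample log (simplified BIND-style "query:" records). Three sources hammer
# victim.example with unique random prefixes; example.org sees ordinary repeated names.
SAMPLE_LOG = """
05-Oct-2016 10:12:01 client 203.0.113.10#5353: query: k3j8x0qz4m1p.victim.example IN A
05-Oct-2016 10:12:01 client 203.0.113.10#5353: query: a9f2h7lw5n6e.victim.example IN A
05-Oct-2016 10:12:01 client 203.0.113.11#4421: query: r4t1y8u3i0o2.victim.example IN A
05-Oct-2016 10:12:02 client 203.0.113.11#4421: query: b7v5c3x9z1q6.victim.example IN A
05-Oct-2016 10:12:02 client 203.0.113.12#60001: query: m2n8p4l0k6j1.victim.example IN A
05-Oct-2016 10:12:02 client 203.0.113.12#60001: query: g5h9d3s7a1f0.victim.example IN A
05-Oct-2016 10:12:03 client 203.0.113.10#5353: query: w1e4r7t2y5u8.victim.example IN A
05-Oct-2016 10:12:03 client 203.0.113.12#60001: query: z0x3c6v9b2n5.victim.example IN A
05-Oct-2016 10:12:01 client 198.51.100.7#33201: query: www.example.org IN A
05-Oct-2016 10:12:01 client 198.51.100.8#33202: query: www.example.org IN AAAA
05-Oct-2016 10:12:02 client 198.51.100.9#33203: query: mail.example.org IN MX
05-Oct-2016 10:12:02 client 198.51.100.7#33204: query: www.example.org IN A
05-Oct-2016 10:12:03 client 198.51.100.8#33205: query: mail.example.org IN A
05-Oct-2016 10:12:03 client 198.51.100.9#33206: query: www.example.org IN A
this line is not a query record and is skipped
"""

# Assumed record shape: "client <ip>#<port>: query: <qname> IN <qtype>"
LINE_RE = re.compile(r"client (?P<src>[\d.]+)#\d+.*?query: (?P<qname>\S+) IN (?P<qtype>\S+)")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; a random label scores near log2(distinct chars)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def split_zone(qname: str, zone_labels: int = 2):
    """Return (prefix, zone). Assumes the zone is the last two labels; a real deployment
    would use the public suffix list or the zones it is actually authoritative for."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= zone_labels:
        return None, ".".join(labels)
    return ".".join(labels[:-zone_labels]), ".".join(labels[-zone_labels:])


def analyze(lines, min_queries=5, min_unique_ratio=0.8, min_entropy=3.0):
    """Flag zones whose query prefixes are almost all unique and look random.

    Legitimate zones repeat a few names (www, mail), so the cache absorbs them. A
    water-torture flood sends a fresh random prefix per query, so every one misses the
    cache and is forwarded to the victim's authoritative servers."""
    stats = defaultdict(lambda: {"queries": 0, "prefixes": set(), "sources": set()})
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # not a query record
        prefix, zone = split_zone(m["qname"])
        if prefix is None:
            continue  # query for the zone apex carries no prefix to judge
        st = stats[zone]
        st["queries"] += 1
        st["prefixes"].add(prefix)
        st["sources"].add(m["src"])

    flagged = {}
    for zone, st in stats.items():
        if st["queries"] < min_queries:
            continue  # too little traffic to judge
        unique_ratio = len(st["prefixes"]) / st["queries"]
        mean_entropy = sum(shannon_entropy(p) for p in st["prefixes"]) / len(st["prefixes"])
        if unique_ratio >= min_unique_ratio and mean_entropy >= min_entropy:
            flagged[zone] = {
                "queries": st["queries"],
                "unique_ratio": round(unique_ratio, 2),
                "mean_entropy": round(mean_entropy, 2),
                "sources": len(st["sources"]),
            }
    return flagged


if __name__ == "__main__":
    for zone, info in analyze(SAMPLE_LOG.strip().splitlines()).items():
        print(f"possible water-torture flood against {zone}: {info}")
```

On the constructed log this flags victim.example (eight queries, eight distinct prefixes from three sources) and leaves example.org alone, because its two prefixes repeat. The entropy check is what separates a flood from a legitimately busy zone with many real hostnames; a CDN or large mail provider can have a high unique-prefix ratio too, so tune the thresholds against your own baseline before acting on a hit.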
Akamai’s Shaul says attackers are using smaller packets in their attacks, which stresses the networking equipment near the targeted servers as well as the servers themselves. Routers have to spend processing power for each packet regardless of length, so boosting the sheer number of packets can cause network bottlenecks.