Think Mirai DDoS is over? It ain’t!!

Shallow Learning Security
3 min read · Oct 26, 2016


[This is the first of a series of posts on our analyses, reflections, and potential self-healing / mitigation insights on the Oct 21, 2016 Mirai DDoS attack against Dyn. The incident cut off access to a large share of popular web services for hours, and in a way took down the entire Silicon Valley, because Twitter and GitHub are the oxygen here.]

A lot has been written about what happened during the distributed denial of service (DDoS) attack against Dyn, the managed DNS provider, last Friday.

Here we show how we were able to observe the build-out of the attack life cycle before the actual damage was done, and why we expect to see more such attempts from here on.

A typical DDoS attack is preceded by a longer life cycle: the attackers first recruit a large number of bots throughout the world by compromising computers, mobile devices, or IoT devices. In the case of the recent attack on Dyn, it is widely believed that default or weak passwords on many IP cameras and DVRs were the culprits. Mirai does not exploit a software vulnerability at all; it simply logs in over telnet (ports 23 and 2323) with a short built-in dictionary of factory-default credentials, which is why unchanged default passwords, not missing patches, decided who got recruited.

Once an early round of recruiting is done, the recruited bots themselves scan for and infect further devices, so the botnet "snowballs" and its size keeps increasing. The more bots recruited, the more traffic the attackers can aim at a victim and the longer the downtime they can inflict.

Based on the data we had, we were able to watch the Mirai bot population grow steadily before the actual incident happened. We observed roughly 10k new bots a day (a subset of all Mirai bots worldwide, since no single vantage point sees the whole botnet), which is why the curve on the graph looks roughly "linear". What is very telling is that the bot count continues to rise after the attack. So the battle against Mirai ain't over yet at all!
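As an added example (not part of the original post, and not the team's own tooling), here is how the "watch the bots accumulate" view described above can be produced from honeypot login logs: tag telnet login attempts that use a user/password pair from Mirai's built-in dictionary, count distinct source addresses per day, and fit the slope of the cumulative count to estimate new bots per day. The log format and the log lines are constructed for this example; the credential list is a subset of the pairs in the leaked Mirai source, and treating one hit from that list on port 23/2323 as "Mirai-style" is an assumption of the example.

```python
"""Tag Mirai-style telnet credential spraying in honeypot login logs and
track how many distinct sources appear per day. Added example for this post;
the log format and sample lines below are constructed, not real data."""
import re
from collections import defaultdict

# Subset of the default credential pairs hard-coded in Mirai's telnet
# scanner (leaked source, scanner.c). Assumption for this example: one hit
# from this list on port 23/2323 is enough to call an attempt Mirai-style.
MIRAI_CREDS = {
    ("root", "xc3511"), ("root", "vizxv"), ("root", "admin"), ("admin", "admin"),
    ("root", "888888"), ("root", "xmhdipc"), ("root", "default"), ("root", "juantech"),
    ("root", "123456"), ("root", "54321"), ("support", "support"), ("root", ""),
    ("admin", "password"), ("root", "root"), ("user", "user"), ("ubnt", "ubnt"),
    ("root", "7ujMko0vizxv"), ("root", "7ujMko0admin"),
}
TELNET_PORTS = {23, 2323}

# Constructed log format, one login attempt per line:
#   YYYY-MM-DD HH:MM:SS src=<ip> dport=<port> user=<name> pass=<password>
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) \d{2}:\d{2}:\d{2} "
    r"src=(?P<src>[\d.]+) dport=(?P<dport>\d+) user=(?P<user>\S*) pass=(?P<pw>\S*)$"
)

def parse_line(line):
    """Return the fields of a well-formed attempt line, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    fields["dport"] = int(fields["dport"])
    return fields

def is_mirai_style(attempt):
    """Telnet port plus a user/password pair from Mirai's dictionary."""
    return (attempt["dport"] in TELNET_PORTS
            and (attempt["user"], attempt["pw"]) in MIRAI_CREDS)

def daily_sources(lines):
    """date -> set of source IPs that made at least one Mirai-style attempt."""
    per_day = defaultdict(set)
    for line in lines:
        attempt = parse_line(line)
        if attempt and is_mirai_style(attempt):
            per_day[attempt["date"]].add(attempt["src"])
    return dict(per_day)

def cumulative_new_sources(per_day):
    """Sorted (date, running count of never-seen-before sources) pairs."""
    seen, out = set(), []
    for date in sorted(per_day):
        seen |= per_day[date]
        out.append((date, len(seen)))
    return out

def growth_per_day(cumulative):
    """Least-squares slope of the cumulative count against the day index:
    the 'new bots per day' figure behind a linear-looking curve."""
    n = len(cumulative)
    if n < 2:
        return 0.0
    xs = list(range(n))
    ys = [count for _, count in cumulative]
    mx, my = sum(xs) / n, sum(ys) / n
    num = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    den = sum((x - mx) ** 2 for x in xs)
    return num / den

# Constructed sample: RFC 5737 documentation addresses, three days of attempts.
SAMPLE_LOG = """\
2016-10-18 03:12:45 src=198.51.100.7 dport=23 user=root pass=xc3511
2016-10-18 03:12:47 src=198.51.100.7 dport=23 user=root pass=vizxv
2016-10-18 09:30:01 src=203.0.113.40 dport=2323 user=admin pass=admin
2016-10-18 11:05:19 src=192.0.2.9 dport=22 user=root pass=toor
2016-10-19 00:41:02 src=198.51.100.7 dport=23 user=root pass=888888
2016-10-19 04:17:33 src=203.0.113.77 dport=23 user=support pass=support
2016-10-19 15:52:08 src=192.0.2.131 dport=23 user=root pass=
2016-10-20 01:00:00 src=198.51.100.200 dport=23 user=ubnt pass=ubnt
2016-10-20 06:21:44 src=203.0.113.5 dport=80 user=admin pass=admin
2016-10-20 07:33:10 src=192.0.2.77 dport=2323 user=root pass=juantech
2016-10-20 19:45:59 src=198.51.100.64 dport=23 user=root pass=7ujMko0vizxv
this line is malformed and must be skipped
"""

def summarize(log_text):
    """Per-day distinct Mirai-style sources, cumulative curve, and slope."""
    per_day = daily_sources(log_text.splitlines())
    cumulative = cumulative_new_sources(per_day)
    return ({d: len(s) for d, s in per_day.items()}, cumulative,
            growth_per_day(cumulative))

if __name__ == "__main__":
    counts, curve, slope = summarize(SAMPLE_LOG)
    for date, n in sorted(counts.items()):
        print(f"{date}: {n} distinct Mirai-style sources")
    print("cumulative:", curve)
    print(f"estimated new sources/day: {slope:.1f}")
```

Two caveats a practitioner would keep in mind when reading such a curve: a honeypot only sees the bots that happen to scan it, so the count is a sample and a lower bound rather than the size of the botnet; and counting by source IP both merges devices behind one NAT and splits a single re-infected device across DHCP address changes, so the day-to-day slope is a trend indicator, not a census.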

To be clear, the observations above came from plain data analysis; no AI technology was involved just yet. In the coming days we will share further insights based on state-of-the-art technologies in the following areas:

  1. SDN, to capture the data with more granularity and context and to mitigate the attack automatically.
  2. AI with rich features, for early detection, prevention, prediction, and self-healing.

AI with big data is transforming every aspect of our society and the hi-tech industry, and we are certain it will change how we do security and network security too. If you have read this far, you are encouraged to subscribe to learn more about the insights we will share in the coming days.

[Because the unprecedented Oct 21 attack is still under investigation by the US government, we are not releasing the original data or its source publicly, but we welcome interested parties to email us at "deeplearningsec at gmail dot com" to compare notes.]


Shallow Learning Security

Stealth mode team with the passion to redefine security with AI and SDN.