The Mirai botnet: the most powerful to date

Girish Venkatachalam
5 min read, Aug 27, 2023


A lowdown on botnets and how IoT devices are compromised

What is a botnet?

A botnet is a network of bots. What are bots?

Bots are slaves or zombies. They will do your bidding.

But the interesting part is that these fellows are distributed across the Internet, owned by different people, and they all work together to do the attacker's bidding. How can this be?

This is what happens when devices with poor configuration or factory settings are exposed to the big bad world of the Internet, where plenty of threat actors hungry for power and with financial motives take over your camera or baby monitor.

The incentive to properly configure an IoT device and to keep it safe from attacks is very low. In fact, in most cases people don't even realize they are compromised. There are around 8 billion such IoT devices worldwide, and the Mirai botnet employed such devices to launch various types of network attacks.

What is a DDoS attack?

A denial of service attack is really simple. You somehow bring down a network of computers, interfering with its normal functioning. A normally functioning network may need file sharing, web browsing, database access and more.

With denial of service you flood the network with packets that make these services inaccessible. A distributed denial of service happens when an army of bots comes together to attack your network or a single host in it.
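The traffic shape described above, many sources converging on one host at once, is what a defender can look for in flow records. The following is an added example (not code from the original post): it aggregates constructed flow records per destination and flags destinations that receive a high packet rate from many distinct sources with nearly all packets being bare SYNs. The record format, the addresses (documentation ranges) and the thresholds are all assumptions made for this example.

```python
"""Flag a distributed SYN flood in flow records (added example, constructed data)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str      # source address
    dst: str      # destination address
    dport: int    # destination port
    proto: str    # "TCP" or "UDP"
    flags: str    # TCP flags as letters, e.g. "S" for a bare SYN
    packets: int  # packets observed in this flow during the window


# Constructed sample for a 1-second window: two ordinary HTTPS flows plus
# 500 flows of bare SYNs from 254 distinct sources aimed at one web server.
# Addresses are from the RFC 5737 documentation ranges.
SAMPLE_FLOWS = [
    Flow("198.51.100.5", "203.0.113.20", 443, "TCP", "SA", 12),
    Flow("198.51.100.6", "203.0.113.20", 443, "TCP", "PA", 30),
] + [
    Flow(f"192.0.2.{i % 254 + 1}", "203.0.113.10", 80, "TCP", "S", 40)
    for i in range(500)
]


def summarize(flows, window_seconds):
    """Per (dst, dport): packets per second, distinct sources, share of bare SYNs."""
    stats = defaultdict(lambda: {"packets": 0, "sources": set(), "syn_packets": 0})
    for f in flows:
        s = stats[(f.dst, f.dport)]
        s["packets"] += f.packets
        s["sources"].add(f.src)
        if f.proto == "TCP" and f.flags == "S":
            s["syn_packets"] += f.packets
    return {
        key: {
            "pps": s["packets"] / window_seconds,
            "sources": len(s["sources"]),
            "syn_ratio": s["syn_packets"] / s["packets"],
        }
        for key, s in stats.items()
    }


def detect_floods(flows, window_seconds=1.0, pps_threshold=10_000,
                  min_sources=100, min_syn_ratio=0.9):
    """Return sorted (dst, dport) pairs whose traffic looks like a distributed SYN flood.

    All three conditions must hold: high packet rate, many distinct sources
    (the "distributed" part), and almost nothing but connection attempts.
    Thresholds are example values; tune them to the link being monitored.
    """
    alerts = []
    for key, s in summarize(flows, window_seconds).items():
        if (s["pps"] >= pps_threshold
                and s["sources"] >= min_sources
                and s["syn_ratio"] >= min_syn_ratio):
            alerts.append(key)
    return sorted(alerts)


if __name__ == "__main__":
    for dst, port in detect_floods(SAMPLE_FLOWS):
        print(f"possible distributed SYN flood against {dst}:{port}")
```

The legitimate HTTPS traffic in the sample comes from two sources with established-connection flags and is never flagged; only the web server receiving 20,000 SYN packets per second from 254 sources trips all three conditions. Requiring many distinct sources is what separates a botnet flood from one misbehaving client.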

The first attack of this nature was around 1996. Exactly 20 years later, in 2016, the Mirai botnet did this in an unprecedented manner. How can this happen?

The attack itself could be one of:

  • Layer 3 or 4
  • Application attack like HTTP
  • GRE or VPN
  • DNS amplification
  • UDP or SYN flood

There is a wide variety of attacks to bring down your network, hurt your reputation and bleed your finances. Even a slow 2 TB HTTP POST can hurt you.

There are lots of ways in which denial of service attacks can be mounted. It turns out that Mirai, written in the Go language by a teenager named Paras Jha, ended up being a lot better engineered than imagined.

When the entire East Coast of the USA went down and the whole country of Liberia lost Internet access, the FBI imagined it was some well-funded government actor operating from outside the mainland USA.

But it turned out to be a teenage prank; the botnet was written by Josiah White and Paras Jha. They also tried to attack Rutgers University and then tried to monetize this by selling DDoS protection.

To imagine that all this started with a fascination with the Windows game Minecraft... well, well.

Who wrote Mirai?

Paras Jha and Josiah White. Paras wrote the Go code for the command and control (CnC) server, which is at the heart of the botnet. Josiah wrote the C bot code that runs on the compromised IoT devices to launch more scans and communicate with the CnC server.

Why IoT?

IoT devices typically run with factory settings, and you can easily assemble an army of IoT devices that run a modified Linux, mostly on ARC processors. Mirai figured out a way to make them send arbitrary HTTP GET and POST requests, or some other network packets, to a target victim.

IoT devices are really capable citizens of today's Internet, even though, unlike laptops and powerful servers, they do not run into several thousands of dollars. The genius of Mirai lies in the fact that IoT devices compromised through an open and insecure telnet port could be used to send gigabytes of traffic to some other corner of the Internet.

How does it affect you?

If you own some IoT device then you should be concerned. You may not even know that Mirai has already eaten up your device. Once infected, you can reboot and Mirai is gone, but unless you fix the password the device will quickly get infected again. The scans to recruit more bots are ongoing.

Moreover, Mirai is open source and several forks already exist.
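Because recruitment works by guessing the factory username and password over telnet, as the two sections above describe, the visible trace on a device or on a syslog collector is a burst of failed telnet logins from one source, sometimes followed by a success. The following is an added example (not code from the original post) that runs that detection over constructed log lines. The log line format, the host names, the addresses and the 60-second window with a five-failure threshold are assumptions made for this example; real telnetd daemons log in their own formats, so the regular expression would need adapting.

```python
"""Spot telnet credential guessing in device logs (added example, constructed data)."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed log format for this example (not a real telnetd format).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) telnetd\[\d+\]: "
    r"login (?P<result>failed|succeeded) for '(?P<user>[^']*)' "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+)$"
)

# Constructed sample: one source tries several factory-style account names
# in quick succession and finally gets in; two other sources are benign.
SAMPLE_LOG = """\
Aug 27 10:00:01 cam01 telnetd[412]: login failed for 'admin' from 192.0.2.50
Aug 27 10:00:01 cam01 telnetd[412]: login failed for 'root' from 192.0.2.50
Aug 27 10:00:02 cam01 telnetd[412]: login failed for 'root' from 192.0.2.50
Aug 27 10:00:02 cam01 telnetd[412]: login failed for 'admin' from 192.0.2.50
Aug 27 10:00:03 cam01 telnetd[412]: login failed for 'support' from 192.0.2.50
Aug 27 10:00:03 cam01 telnetd[412]: login succeeded for 'admin' from 192.0.2.50
Aug 27 10:05:00 cam01 telnetd[412]: login failed for 'admin' from 198.51.100.7
Aug 27 10:12:00 cam01 telnetd[412]: login succeeded for 'operator' from 10.0.0.5
"""


def parse(log_text, year=2023):
    """Yield (timestamp, host, src, user, succeeded) per well-formed line.

    Syslog timestamps carry no year, so one is assumed (example default).
    """
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated line or a format we do not understand
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["host"], m["src"], m["user"], m["result"] == "succeeded"))
    return events


def detect_credential_guessing(log_text, window_seconds=60, min_failures=5):
    """Return alerts keyed by (host, src).

    An alert is raised when a source accumulates min_failures failed logins
    within a sliding window; if a successful login follows while the window
    is still hot, the alert records the account used, since that is the
    strongest sign that a factory password was guessed.
    """
    recent_failures = defaultdict(list)  # (host, src) -> failure timestamps
    alerts = {}
    # Stable sort on timestamp keeps the original order of same-second lines.
    for ts, host, src, user, succeeded in sorted(parse(log_text), key=lambda e: e[0]):
        key = (host, src)
        recent_failures[key] = [
            t for t in recent_failures[key] if (ts - t).total_seconds() <= window_seconds
        ]
        if not succeeded:
            recent_failures[key].append(ts)
            if len(recent_failures[key]) >= min_failures:
                alerts.setdefault(key, {"failures": 0, "success_after_burst": False, "user": None})
                alerts[key]["failures"] = len(recent_failures[key])
        elif len(recent_failures[key]) >= min_failures:
            alerts[key] = {
                "failures": len(recent_failures[key]),
                "success_after_burst": True,
                "user": user,
            }
    return alerts


if __name__ == "__main__":
    for (host, src), info in detect_credential_guessing(SAMPLE_LOG).items():
        state = "LOGIN SUCCEEDED" if info["success_after_burst"] else "still failing"
        print(f"{host}: {info['failures']} failed telnet logins from {src}, {state}")
```

In the sample, only 192.0.2.50 crosses the threshold, and its final successful login as "admin" shows up in the alert; the single failure from 198.51.100.7 and the clean login from 10.0.0.5 stay quiet. An alert of the "success after burst" kind is the moment to do what the post recommends: change the factory credentials (and, where the device allows it, disable telnet), because a reboot alone lets the device be recruited again.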

Why is it the best bot written so far?

I think the genius of Mirai is in the fact that unlike desktop computers and Linux servers, IoT devices are easy to target and recruit into the bot army. The fact that for a network attack the processing power of the individual bot is of little importance is critical. It is a numbers game and a synchronization game.

If the code can make the bots send packets simultaneously to a single target host or target network, it can cause the sort of damage that alerts the FBI. Though written by young boys, this ended up creating widespread damage, pumping millions of packets per second.

This is like a genie that got out of the bottle, well beyond the wildest expectations of the bot authors.

How can you protect yourself?

There are a handful of companies offering you DDoS protection. They have some mitigation techniques which I don't understand very well. I don't think it is practical to safeguard yourself from a well-engineered DDoS attack.

Mirai first targeted OVH, a French ISP, and then brought down Dyn, a DNS provider, after releasing the source code. Such ego-driven extortion rackets are a lose-lose for everyone. But you are better off ensuring that your IoT devices are not running with the default username and password.

Even if your own IoT devices are secured, other people's devices on the Internet can still be used to hit you.

How does it differ from ransomware?

DDoS and ransomware are two different things. Ransomware is the family of software that encrypts your files and makes you lose your data. Sometimes it locks you out of your computer.

DDoS is a network thing. It does not cause permanent damage like ransomware. It runs for a while, you lose resources or your machines go down, but after the attack passes you are back on your feet. Think of DDoS like a tornado and ransomware like cancer. Both lead to pain and loss of face.

Is cyber security important?

Cyber security is still viewed by many organizations worldwide as a luxury item. People think DDoS attacks and ransomware threats won’t affect them though they read about them in the news.

That is no longer the case. Even powerful government organizations get attacked. It does not take a well-funded group like Lazarus to develop a powerful strain of malware or exploit a Windows bug.

As we see today, a motivated teenage kid can bring down an entire country with DDoS. It is also possible to buy DDoS attacks without any technical knowledge and run them against some target to extort money.

Cyber security is growing in importance, and in addition to being aware of the CVEs that describe vulnerabilities and exploits, you should also protect yourself from DDoS and other threats. It is a never-ending cat and mouse game.


Girish Venkatachalam

Author of Photoveda image editor Chrome plugin, SDK, API. Vim fanatic. Solopreneur for 19 years. Love coding in Python (Jupyter notebook). Linux fanatic.