On Tuesday, September 20th around 8:00PM, KrebsOnSecurity.com was the target of a record-breaking 620Gbps volumetric DDoS attack designed to take the site offline. A few days later, the same type of botnet was used in a 1Tbps attack targeting the French webhoster OVH. What’s interesting about these attacks was that compared to previous record-holding attacks, which were less than half the traffic volume, they were not using amplification or reflection. In the case of KrebsOnSecurity, the biggest chunk of the attack traffic came in the form of GRE, which is very unusual. In the OVH attack, more than 140,000 unique IPs were reported in what seemed to be a SYN and ACK flood attack.
Soon after the attacks, a user called anna-senpai posted the source code and instructions for building the bot and CnC involved in the attacks on hackforums.net and named it Mirai. It would seem that the author of Mirai was also the author of botnet malware Qbot.
The Mirai bots are self-replicating and use a central service to control the loading and prevent multiple bots being loaded on already harvested devices. Every infected device scans for open telnet ports and performs a brute-force login using 60+ factory default credentials of BusyBox -based Internet of Things (IoT) devices. Once the bot finds a new victim, the victim’s IP and credentials are sent to a centralized ScanListen service, which passes this information to the bot-load service that subsequently loads and starts the bot on the new victim. From that point forward, the new victim will help in harvesting new bots. This self-replicating pattern results in an exponentially growing number of bots in the botnet, reportedly up to 500 brute results per second at peak.
Through research we found that the Mirai code appears professional. The loader and bot are coded in C, while the scanListen and CnC service are written in Go, leveraging go-routines and channels in an efficient CSP (Communicating Sequential Processes) design pattern. This distributed micro-service architecture allows for scalable control of bots and executing attacks in very large botnets. It should not be surprising that malware and bots are designed and coded by professionals. The economics of cyber-attacks are well established and covered in a recent blog by Ron Winward.
The most concerning fact, and the genius of Mirai, resides in its simplicity for victimizing IoT devices. Simple use of telnet and a limited list of factory default usernames and passwords result in botnets with sizes that thwart our imagination. This makes Mirai one severe warning for IoT vendors and device makers. It also shows that for security, one should not rely on the average user to protect and harden his devices, especially for IoT and smart devices that are starting to invade everyone’s homes.
This warning might be the most severe in its kind, but it was certainly not the first about the security risks from the IoT. The FBI and Department of Homeland Security have issued public service announcements about the associated security risks as early as September 2015.
These incidents once again demonstrate the need for IoT platforms designed with security in mind from the ground up, not adding security as an afterthought. To date, the number of connected devices is estimated at 6 billion, compared to an estimated internet user count of 3.5 billion. By some sources, the number of connected things will reach 20 billion by the year 2020, of which 13 billion will be in the consumer space.