Defending Against the Mirai Botnet


When attacks from the Mirai botnet hit the network in 2016, we all knew something was different. You could feel it. In a 31-day span, the internet suffered three record-breaking attacks; Brian Krebs’ at 620 Gbps, OVH at 1.2 Tbps, and the widespread outages caused by the attack on Dyn DNS. Also within that window, the source code for Mirai was released to the world.

Mirai no longer holds the record for the largest volumetric attack on the Internet. That honor goes to the Memcached reflection attacks on Github. In fact, once the code was released, the botnets went from a few botnets with several enslaved members, to several botnets with fewer members. More botnets were fighting to enslave a pool of devices.

[You might also like: The Dyn Attack – One Year Later]

Attackers Get Creative

Attackers, as they always do, got creative. By modifying the Mirai code, attackers could discover new devices by leveraging other known exploits. While many attackers were fighting for telnet access to IoT devices with traditional Mirai, new variants were developed to find additional methods of exploitation and infection. Examples include TR-064 exploits that were quickly added to the code (and used to infect the endpoints of service providers), a 0-day exploit on Huawei routers in several botnets, and the Reaper botnet, which includes 10 previously disclosed CVEs.

One thing that has remained the same, however, is the attack vectors that are included in the modern botnets. They’re largely all based on Mirai, and even if their infection methods differ, the attacks don’t change much.

For example, Masuta and DaddysMirai include the original Mirai vectors but removed the HTTP attack. Orion is an exact copy of the original Mirai attack table (and just like Mirai, has abandoned the PROXY attack). Owari added two new vectors, STD and XMAS.

Understanding IoT Attacks

My background in network engineering naturally made me curious about the impact of these attacks on the network. What do they look like in flight? How is each one different? Is one more of a threat than another? I have been studying the attack vectors since they were released in 2016, but with the observation that new variants largely included the same attacks (and some twists), it was clearly worth revisiting.

[You might also like: IoT Threats: Whose problem is it?]

Today we launch a new publication, IoT Attack Handbook – A Field Guide to Understanding IoT Attacks from the Mirai Botnet and its Modern Variants. This is a collection of research on the attack vectors themselves and what they look like on the wire. You will see that they’re not much different from each other, with the only truly interesting change being the introduction of a Christmas Tree attack in Owari. But that too had some interesting challenges. You’ll have to read the guide to find out why.

It’s important to understand the capabilities of Mirai and other IoT botnets so that your organization can truly comprehend the threat. Manually reacting to these attacks is not viable, especially in a prolonged campaign. In many cases, it is possible to block some of these attacks on infrastructure devices such as core routers or upstream transit links, but in many cases, it’s not.

Effectively fighting these attacks requires specialized solutions, including behavioral technologies that can identify the threats posed by Mirai and other IoT botnets. It also requires a true understanding of how to successfully mitigate the largest attacks ever seen. Hopefully, this handbook provides the guidance and insight needed for each vector if your organization ever needs to take emergency measures.

Read the “IoT Attack Handbook – A Field Guide to Understanding IoT Attacks from the Mirai Botnet and its Modern Variants” to learn more.

Download Now

Ron Winward

As a Security Evangelist at Radware, Mr. Winward is responsible for developing, managing, and increasing the company’s security business in North America. Ron’s entire career has been deeply rooted in internet and cybersecurity. For over 20 years, Ron has helped design complex solutions for carriers, enterprises, and cybersecurity providers around the world. Ron is an industry-recognized expert in the Mirai IoT botnet and its modern variants. Ron conducted the industry’s first complete analysis of the Mirai attack vectors, producing forensic examples for public distribution of each attack and the specific impact each attack had on networks. His work on IoT attack analysis has been presented at conferences worldwide and has been referenced by NIST. Prior to joining Radware, Ron was Director of Network Engineering for a global datacenter provider and ISP. In this role, Ron oversaw the growth and development of a global network infrastructure that delivered services to other ISPs, hosting providers, and enterprises around the world. During this time, Ron assisted some of the world’s top businesses in mitigating cyberattacks on their infrastructure, cultivating an extensive knowledge in DDoS attack methodologies. Ron holds a Bachelor of Science degree in Business and has earned many technical certifications throughout his engineering-focused career. Ron acutely understands the impact of technology and security on business and is enthusiastic about their interrelation.

Contact Radware Sales

Our experts will answer your questions, assess your needs, and help you understand which products are best for your business.

Already a Customer?

We’re ready to help, whether you need support, additional services, or answers to your questions about our products and solutions.

Locations
Get Answers Now from KnowledgeBase
Get Free Online Product Training
Engage with Radware Technical Support
Join the Radware Customer Program

CyberPedia

An Online Encyclopedia Of Cyberattack and Cybersecurity Terms

CyberPedia
What is WAF?
What is DDoS?
Bot Detection
ARP Spoofing

Get Social

Connect with experts and join the conversation about Radware technologies.

Blog
Security Research Center