Mirai botnets: the vanishing upper limit of DDoS attacks.

Binary map

Note: I wrote this in October 2016 after the Dyn DDoS attack.

There is a lot of blame to go around in the aftermath of the Dyn DDoS attack on Oct 21st. A good chunk of the bots look like Internet of Things (IoT) devices that were recruited by the Mirai botnet code. Mirai has dropped the traditionally high costs of building a botnet to near zero which means we’re seeing progressively larger and more effective DDoS attacks each week.

Sucuri (the company I work for) discovered the first IoT botnet using CCTV devices in June. It was not long after that we started to see significantly larger DDoSes occurring and breaking all existing records for DDoS volume to date

Why is Mirai such a big deal?

Anonymous mask and globe As I alluded to in the introduction, the cost of building a botnet used to be high. All those spam and phishing emails we’ve become numb to over the years were part of that effort. Hackers had to painstakingly trick each of us to click a malicious link which installed their malware on our (usually Windows) PC. It would take thousands of emails to get one or two suckers to click the link. It often took months to build a really powerful botnet with hundreds or thousands of zombie computers. And once it was built, it had to be carefully guarded to ensure it did not get dismantled by anti-virus software and other measures.

The reason this was so hard is because it was a person-against-person attack. Hacker guy had an agenda to trick you into clicking the link and you had a very good reason to not do that. That is why it took so many attempts to net one or two clicks. These IoT botnets are a different beast altogether. It’s smart humans against painfully dumb machines that have no way to even know what is happening to them, much less any sentient desire to protect themselves. The most significant contributing factor is the sheer number of these devices that are deployed with the factory username and password which means they may as well have no authentication system at all.

Mirai makes composing a botnet of 10s of thousands of devices even easier by automating the process. Mirai will even find the devices out on the Internet. So, now we have a situation where millions of dumb devices can be successfully exploited en masse within a short time frame. It’s the perfect storm.

Why was the Dyn DDoS attack significant?

Botnets are usually directed at a specific target or group of targets. Hacker collectives aim their botnet cannons at whatever site is on their radar at that time. The large DDoS attack targeted at Krebs On Security is a good example. The hapless site crumbles, eventually the attack subsides, and life goes on. The effects are fairly localized at the target site, although there can be some collateral damage.

The Dyn attack was significant because it targeted Dyn’s DNS servers instead of any particular customer, or Dyn itself. Dyn has a large customers base that they provide DNS services for. This means that the DDoS was deliberately indiscriminate and was done to cause a wide spread outage to a large number of sites. The intent was different this time. It wasn’t about attacking a company or a site, it was about causing the largest amount of damage as possible.

Security expert Bruce Schneier postulates that these attacks aimed at core Internet infrastructure such as DNS servers are learning experiences. He figures someone is purposely trying to learn how to take down the Internet and these attacks are their reconnaissance missions probing the defenses. It sounded far-fetched a few months ago, but as time goes on and more of these large attacks happen, it’s becoming much easier to believe that he is probably right.

How many bots participated in the Dyn attack?

Dyn’s response to the attack states that they saw 10s of millions of discrete IPs in the attack. That is a highly distributed attack. Interestingly, Brian Krebs has pointed out that the Mirai botnet code shows that there are only 68 logins. 68 logins that allow access to probably millions of devices.

What can we do?

DNS has always been the weakest link of the Internet. When it has issues, it doesn’t matter a whit what the true state of the website on the other end is. If you can’t get to the site, it is effectively down.

The larger discussion of how to “fix” DNS has been going on for years but this type of general-purpose DDoS against DNS servers is a different thing. This is a DDoS problem, not a DNS problem.

One argument I’ve heard that may have merit is to use longer TTLs on your zone records. The argument is that if your TTL is a few days long, your website visitors won’t be affected by the unavailability of DNS servers because they have your DNS information already and it won’t expire until the attack is over. The flip side of this argument is that long TTLs mean that any changes to your domain’s DNS records under normal circumstances will take much longer. Trading agility for stability may not work for some people. It also does not address the case of a first-time visitor who does not have your DNS information cached yet.

This type of large-scale attack is becoming the new normal. The current defense stance of “have a bigger fire hose than your attacker” is not going to work against botnets of this size.

#infosec #dns #ddos