Mirai: One Year On
By Guest blogger Max Metzger
It’s been a year since the record-breaking DDoS attacks against OVH and Dyn - how has the world responded in the wake of the largest DDoS attacks on record?
2016 was a big year for DDoS. Looking back, it may even mark a turning point for denial of service attacks: a few months of massive floods that took down companies, large parts of the internet and, if some reports are to be believed, the whole country of Liberia.
DDoS records fell in quick succession over only a few short weeks. It started with a September 20th attack on security journalist Brian Krebs's site, KrebsOnSecurity, which topped out at roughly 665 gigabits per second (Gbps). At the time it was called the largest ever seen, a title it would not hold for long.
Within days, the French hosting provider OVH reported floods peaking at around 1 terabit per second (Tbps), a roughly 50 percent jump over the previous record rather than the "orders of magnitude" some reports suggested.
Less than a month later, on October 21st, the DNS provider Dyn was attacked, causing large outages at some of the world's most popular online services, including Spotify, Twitter and Amazon. Early reports put this attack's size at 1.2 Tbps, a figure Dyn itself said it could not verify.
Three of the largest DDoS attacks ever recorded occurred within weeks of each other, all enabled by botnets built from devices infected with a piece of malware called Mirai. This was Mirai's introduction to the world.
Security researchers were quick to pour cold water on the idea that these attacks had been carried out by a sophisticated APT group, pointing instead towards one amateurish and particularly angry gamer.
It’s been a year and the shockwaves can still be felt.
One thing is for sure: when it comes to DDoS, the bar to entry keeps falling. When a Hackforums user going by "Anna-senpai" posted the Mirai source code online in late September 2016, many considered it an earth-shattering development. An early report from the Institute for Critical Infrastructure Technology (ICIT) labelled it "an asymmetric quantum leap in capability", not because it was particularly innovative but because Mirai's source code offered "a powerful development platform that can be optimized and customized" by even an unsophisticated adversary.
Mirai is significant for more than the raw power it could bring to bear. It also exposed a fundamental weakness in an area of technology that is growing at a startling rate: the Internet of Things (IoT). Mirai never had to work very hard to build sprawling botnets out of IP cameras, DVRs and baby monitors. It simply scanned the internet for devices with Telnet exposed (TCP ports 23 and 2323) and tried a small hard-coded dictionary of roughly sixty factory-default username and password pairs until one worked.
It was this weakness, manufacturers shipping cheap devices with shared, unchanged or unchangeable default credentials and customers who never knew to change them, that largely allowed Mirai to power some of the largest attacks ever recorded.
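The detection side of that mechanism, as an added example that is not part of the original post: a Python script that parses Telnet login attempts (the log format and the sample lines below are constructed for illustration; adapt parse_line() to your honeypot or device syslog) and flags any source that cycles through several distinct entries of the published Mirai default-credential dictionary within a short window. Mirai picks a random pair from its list on each attempt, so a single source trying three or more different factory defaults against Telnet in under a minute is the signature; one mistyped password is not. The credential set is a subset of the pairs hard-coded in the released Mirai scanner source, and is_default_cred() doubles as an audit for your own devices. The function names and thresholds are my own choices, not anything from Mirai or the page.

```python
"""Detect Mirai-style default-credential sweeps in Telnet auth logs.

Added example, not code from the original post. The log format is
constructed for illustration; the credential list is a subset of the
username/password pairs hard-coded in the public Mirai scanner source.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Subset of the factory-default pairs Mirai's scanner tries. "" = empty password.
MIRAI_DEFAULT_CREDS = {
    ("root", "xc3511"), ("root", "vizxv"), ("root", "admin"), ("admin", "admin"),
    ("root", "888888"), ("root", "xmhdipc"), ("root", "default"), ("root", "juantech"),
    ("root", "123456"), ("root", "54321"), ("support", "support"), ("root", ""),
    ("admin", "password"), ("root", "root"), ("root", "12345"), ("user", "user"),
    ("admin", ""), ("root", "pass"), ("admin", "admin1234"), ("root", "1111"),
    ("admin", "smcadmin"), ("root", "666666"), ("root", "password"), ("root", "1234"),
    ("ubnt", "ubnt"), ("root", "7ujMko0vizxv"), ("root", "7ujMko0admin"),
    ("root", "system"), ("service", "service"), ("supervisor", "supervisor"),
    ("guest", "guest"), ("guest", "12345"), ("tech", "tech"),
}

# Constructed (hypothetical) log format: one Telnet login attempt per line.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dport=(?P<dport>\d+) "
    r"user=(?P<user>\S*) pass=(?P<pw>\S*) result=(?P<result>\w+)$"
)


def parse_line(line):
    """Return a dict for a well-formed attempt line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
    rec["dport"] = int(rec["dport"])
    return rec


def is_default_cred(user, password):
    """True if the pair is in the Mirai dictionary (also useful to audit your own devices)."""
    return (user, password) in MIRAI_DEFAULT_CREDS


def find_credential_sweeps(lines, min_distinct=3, window=timedelta(seconds=60)):
    """Flag sources that try >= min_distinct distinct default pairs within `window`.

    Only Telnet ports 23 and 2323 are considered, matching what Mirai scanned.
    Returns {src_ip: sorted list of every default pair that source tried}.
    """
    attempts = defaultdict(list)  # src -> [(timestamp, (user, password))]
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["dport"] not in (23, 2323):
            continue
        if is_default_cred(rec["user"], rec["pw"]):
            attempts[rec["src"]].append((rec["ts"], (rec["user"], rec["pw"])))

    flagged = {}
    for src, events in attempts.items():
        events.sort()  # time order, so a sliding window is valid
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = {cred for _, cred in events[start:end + 1]}
            if len(distinct) >= min_distinct:
                flagged[src] = sorted({cred for _, cred in events})
                break
    return flagged


# Constructed sample: 203.0.113.7 sweeps defaults (Mirai-like), 198.51.100.9
# gets one default wrong once, 192.0.2.5 brute-forces non-default passwords.
SAMPLE_LOG = """
2017-10-02T14:03:11Z src=203.0.113.7 dport=23 user=root pass=xc3511 result=fail
2017-10-02T14:03:12Z src=203.0.113.7 dport=23 user=root pass=vizxv result=fail
2017-10-02T14:03:14Z src=198.51.100.9 dport=23 user=admin pass=admin result=fail
2017-10-02T14:03:15Z src=203.0.113.7 dport=2323 user=admin pass=admin result=fail
2017-10-02T14:03:17Z src=192.0.2.5 dport=23 user=root pass=Tr0ub4dor result=fail
2017-10-02T14:03:18Z src=192.0.2.5 dport=23 user=root pass=correcthorse result=fail
2017-10-02T14:03:19Z src=192.0.2.5 dport=23 user=root pass=hunter22 result=fail
2017-10-02T14:03:21Z src=203.0.113.7 dport=23 user=root pass=888888 result=success
this line is garbage and is skipped by the parser
""".strip().splitlines()

if __name__ == "__main__":
    for src, creds in find_credential_sweeps(SAMPLE_LOG).items():
        print(f"{src}: Mirai-style default-credential sweep, tried {creds}")
    print("admin/admin is a Mirai default:", is_default_cred("admin", "admin"))
```

The distinct-credential count is what separates a Mirai sweep from an administrator fat-fingering a password, and the port filter keeps SSH or web brute force out of this particular rule. Lower min_distinct only if your sensor sees low attempt volumes; Mirai's real scanner made ten login attempts per target before moving on.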
The IoT is not slowing down, and nor are the appetites of bot herders. Gartner predicts that by the end of 2017 the world will be using 8.4 billion connected devices. A recent experiment by a SANS Technology Institute researcher found that it took only about two minutes for a device with default credentials to be attacked by Mirai once it was connected to the internet.
An effective DDoS attack is well within the capability of amateurs. IoT botnet source code and modules are readily available on hacking forums, and researchers have noted that most IoT malware families owe much of their capability to code sharing and reuse, with Mirai's own source spawning a long line of variants.
Nor does an attacker need to write or run any code at all. Stresser (or "booter") services sell DDoS capability to anyone with money and a grudge. Though many have been taken down and their often surprisingly young operators arrested, law enforcement has not managed to stop such services proliferating.
Despite all of this, 2017 has been a sparse year for massive DDoS attacks. Akamai's most recent State of the Internet / Security report noted a resurgence after a lull of almost a year: a 28 percent quarter-on-quarter increase in the number of attacks after three consecutive quarters of decline. The report attributed the increase to a return to time-tested tools and techniques, Mirai among them.
The report's other key point is that this was the first quarter in which the company had not seen a single attack over 100 Gbps. Smaller, persistent, multi-vector attacks are becoming the norm instead, aimed at everything from the application layer to a target's suppliers, cloud providers and ISPs, and sometimes intended to distract defenders from a data breach in progress elsewhere.
The picture might look dark, but lessons have certainly been learnt. Police have made a number of high-profile arrests and the DDoS protection market is reportedly growing at double-digit rates. Even more encouraging is that the qualities that made Mirai so effective could be turned against it. In August, an international research team published a paper proposing a Mirai "vaccine": a white worm that uses the same scanning and default-credential technique as a Mirai bot to reach insecure devices, then inserts code to harden them rather than enslave them. The idea remains controversial, however. Whatever the intent, logging into and modifying devices you do not own is unauthorised access in most jurisdictions, and a worm that breaks a device it was trying to protect leaves its owner with no one to call.
Editor's Note: This is a guest blog and the author is responsible for all the opinions expressed and the facts and data presented. If you are interested in submitting a guest blog, please write to us at social [at] infoblox [dot] com.