How Mirai Foreshadows the Dystopian DDoS Future
The Mirai botnet, which has been used to deliver two of the largest DDoS attacks ever seen, is a precursor of things to come in more ways than one.
Yes, it is perhaps the first known botnet made up mostly of embedded devices such as surveillance cameras and DVRs, which is scary enough on its own. But it is also at the leading edge of what may be a huge wave of DDoS attacks that abandon the traditional SYN and ACK floods for HTTP request floods, which arrive over fully established connections, look like ordinary client traffic at the network layer, and so bypass many traditional mitigation technologies.
DDoS attacks are often discussed as if they were all the same. But there are many different types of DDoS attack, and cybercrime groups and script kiddies choose among them depending on their resources, targets, and objectives. SYN floods are probably the best-known variety and have been used to great effect for the better part of two decades. Plenty of other variations have come along, many of them targeting the application layer, and security companies, ISPs, and network security teams have developed defenses and filtering systems to protect against those app-layer attacks.
What Mirai has brought to the forefront – along with the need to get your stupid embedded devices off the Internet – is a shift toward layer 7 attacks that forgo the traditional SYN or ACK floods. Cloudflare, which has a unique position from which to observe the Internet’s comings and goings, has taken a detailed look at two huge DDoS attacks that transited the company’s network, each of which involved enormous numbers of HTTP requests. Both attacks appear to have been run through the Mirai botnet, and one of them involved more than 125,000 unique IP addresses.
“This attack topped out at 360Gbps per second of inbound HTTP traffic. It’s pretty unusual for an HTTP attack to generate a substantial amount of network traffic. It’s the long payload sent after the request headers that allowed the attackers to generate substantial traffic. Since this attack we’ve seen similar events with varying parameters in the request body. Sometimes these attacks came as GET requests, sometimes as POST. Additionally, this particular attack lasted roughly one hour, with 128,833 unique IP addresses,” Marek Majkowski of Cloudflare said in a post on the attacks.
These attacks both involved more than a million HTTP requests per second at their peaks and used compromised devices spread around the world. Normal botnets – meaning those comprising laptops or desktops – are fairly simple to build and can be relatively simple to take apart. Security firms often sinkhole the command-and-control servers used in DDoS campaigns, and network operators and security teams can disinfect the compromised machines on their networks.
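Majkowski's description above (a flood of complete HTTP requests carrying large bodies, spread across 128,833 source addresses) shows why a detector that watches only per-source request rates misses this class of attack: each device sends a modest number of requests, and only the sum across all sources and the shape of the requests stand out. The following is an added example, not code from the article or from Cloudflare, that scores one window of web-server access-log lines both ways. The log format (combined log format with one trailing request-length field), the threshold values, and the sample traffic are all assumptions made for the illustration.

```python
"""Detecting a layer-7 (HTTP request) flood from web-server access logs.

Computes two views of one time window over the same log lines:
  * per-source request rate, the signal that per-IP rate limiting keys on;
  * aggregate request rate and request-size distribution across all sources.
A Mirai-style flood spread over 100,000+ devices keeps every single source
below a per-IP threshold, so only the aggregate view and the oversized
request bodies give it away.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Assumed log format: Apache/nginx combined log with one extra trailing
# field holding the size of the full request (headers + body), i.e. what
# nginx calls $request_length.  Not a format taken from the original article.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ (?P<req_len>\d+)$'
)


@dataclass
class Verdict:
    total_requests: int
    unique_sources: int
    max_requests_per_source: int
    aggregate_rps: float
    median_request_bytes: int
    per_source_alert: bool   # would a classic per-IP rate limit fire?
    aggregate_alert: bool    # does the sum across all sources exceed baseline?
    body_alert: bool         # are most requests carrying oversized payloads?


def parse(lines):
    """Yield (ip, method, request_length) for each parsable line; skip the rest."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m.group("ip"), m.group("method"), int(m.group("req_len"))


def assess(lines, window_seconds: float, *, per_ip_rps_limit: float = 10.0,
           aggregate_rps_limit: float = 20.0, large_request_bytes: int = 8192,
           large_fraction_limit: float = 0.5) -> Verdict:
    """Score one window of log lines. Thresholds are illustrative, not tuned."""
    per_ip: Counter[str] = Counter()
    sizes: list[int] = []
    for ip, _method, req_len in parse(lines):
        per_ip[ip] += 1
        sizes.append(req_len)
    total = len(sizes)
    if total == 0:
        return Verdict(0, 0, 0, 0.0, 0, False, False, False)
    sizes.sort()
    max_per_source = max(per_ip.values())
    aggregate_rps = total / window_seconds
    # Ordinary requests are a few hundred bytes; a request of 8 KiB or more
    # is almost always carrying a body, which is what the flood relies on.
    large_fraction = sum(1 for s in sizes if s >= large_request_bytes) / total
    return Verdict(
        total_requests=total,
        unique_sources=len(per_ip),
        max_requests_per_source=max_per_source,
        aggregate_rps=aggregate_rps,
        median_request_bytes=sizes[total // 2],
        per_source_alert=max_per_source / window_seconds > per_ip_rps_limit,
        aggregate_alert=aggregate_rps > aggregate_rps_limit,
        body_alert=large_fraction > large_fraction_limit,
    )


def constructed_logs(n_bots: int, per_bot: int, bot_request_bytes: int) -> list[str]:
    """Constructed sample (not real traffic): 20 ordinary requests from five
    visitors, then n_bots sources each sending per_bot POSTs with a large body.
    Bot addresses are drawn from 10.0.0.0/16 purely for illustration."""
    ts = "01/Jan/2016:13:00:00 +0000"
    lines = [
        f'203.0.113.{i % 5 + 1} - - [{ts}] "GET /index.html HTTP/1.1" 200 5120 412'
        for i in range(20)
    ]
    for b in range(n_bots):
        ip = f"10.0.{b // 256}.{b % 256}"
        lines += [
            f'{ip} - - [{ts}] "POST /login HTTP/1.1" 200 1024 {bot_request_bytes}'
        ] * per_bot
    return lines


if __name__ == "__main__":
    for label, logs in (("baseline", constructed_logs(0, 0, 0)),
                        ("flood", constructed_logs(500, 2, 100_000))):
        print(label, assess(logs, window_seconds=10))
```

In the constructed flood, 500 sources each send two requests in a ten-second window, so the busiest source sits at 0.4 requests per second and the per-IP check never fires; the aggregate rate (102 requests per second against a baseline of 2) and the request-size distribution are what flag it. In production the baseline thresholds would come from historical traffic for the same site, and the body-size signal would usually be backed by an edge rule that rejects request bodies above a sane maximum for each path.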
But Mirai and the other IoT botnets that are sure to follow it are a different story. Embedded devices are notoriously insecure, and that problem is compounded by the fact that they are often difficult, if not impossible, to update. The firmware on these devices is designed to perform specific tasks and to make it as easy as possible for owners to set them up and then walk away. That usually means default credentials, which makes it quite easy for attackers to identify vulnerable devices and compromise them; Mirai itself needs nothing more sophisticated than scanning for open telnet ports and trying a short list of factory-set usernames and passwords.
Mirai is only the beginning, and as Majkowski points out, the variety of devices being added to these botnets is only going to expand over time.
“Although the most recent attacks have mostly involved Internet-connected cameras, there's no reason to think that they are likely the only source of future DDoS attacks. As more and more devices (fridges, fitness trackers, sleep monitors...) are added to the Internet they'll likely be unwilling participants in future attacks,” Majkowski said.