The Mirai botnet has infected hundreds of thousands of Internet of Things (IoT) devices, mainly security cameras, by logging in over Telnet with vendor default passwords. This IoT botnet landed a Terabit-scale attack on OVH and took down KrebsOnSecurity with an attack that Akamai confirmed at over 620 Gbps. Following the post by Mirai's author, and after dissecting the malware's source code and analyzing its techniques (including rarely seen DDoS attack methods such as DNS Water Torture and GRE floods), we can expect IoT-driven DDoS to grow massively in the global threat landscape.
IoT devices are very attractive to the DDoS business because they require no additional expense: no social engineering, no email infection campaigns, no exploit kits and no fresh zero-days. These devices commonly have poor security standards: their remote administration ports are publicly reachable and susceptible to brute-force and dictionary attacks, those ports are "protected" only by vendor default passwords, and they run no anti-virus solution that could prevent malware infection. Combine these gaping security holes, which make the devices "easy to exploit", with the fact that they are managed by people in their homes without security expertise and are always online, ever ready to serve the botmaster, and you get a very suitable breeding ground for launching ever larger DDoS attacks.
Shifting DDoS Attack Varieties and Trends
While most typical volumetric attacks today rely on ICMP, SYN and a variety of UDP reflection and amplification techniques, the author of Mirai has, interestingly, introduced the less common "DNS Water Torture" and "GRE flood" attacks. Though this DNS technique has been observed in the past, it is rarely seen nowadays.
“DNS Water Torture” Technique
This technique differs from the regular DNS reflection and amplification attack in that the bot needs to send significantly fewer queries: it lets the ISP's recursive DNS server carry out the attack against the target's authoritative DNS server. The bot sends a well-formed DNS query for the target domain name, with a randomly generated prefix prepended to the name so that the resolver cannot answer from cache and must forward every query upstream. The attack becomes effective once the target's authoritative DNS server is overloaded and stops responding. The ISP's recursive servers then automatically retransmit the query to the organization's other authoritative DNS servers, thereby attacking those servers on behalf of the bot.
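The defining signature of the technique just described, from the point of view of a resolver or authoritative-server operator, is a burst of queries whose leftmost label is unique and random-looking while the parent zone stays the same. The following Python script is an added example, not code from the original article or from the Mirai source, that parses a constructed query log in an assumed "timestamp client qname qtype" format and flags zones where nearly every query carries a distinct, high-entropy prefix. The log lines, the zone names and the thresholds are all constructed for illustration.

```python
import math
import re
from collections import defaultdict

# Constructed sample resolver query log (not real traffic, not from the article).
# Assumed line format: "<unix_ts> <client_ip> <qname> <qtype>"
SAMPLE_LOG = """\
1475000001 10.0.0.5 www.example.com A
1475000002 10.0.0.5 mail.example.com MX
1475000003 10.0.0.7 x7k2q9.target.test A
1475000003 10.0.0.8 a1b2c3d4.target.test A
1475000004 10.0.0.9 zz91ff0q.target.test A
1475000004 10.0.0.7 q0pl3m2n.target.test A
1475000005 10.0.0.8 r8t5y6u1.target.test A
1475000005 10.0.0.9 k3j4h5g6.target.test A
1475000006 10.0.0.7 m2n3b4v5.target.test A
1475000006 10.0.0.8 c9x8z7q6.target.test A
1475000007 10.0.0.5 www.example.com A
"""

LOG_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def shannon_entropy(s):
    """Bits of entropy per character; random prefixes score high, words like 'www' score low."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_log(text):
    """Return a list of (timestamp, client, qname, qtype); malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts, client, qname, qtype = m.groups()
        records.append((int(ts), client, qname.lower().rstrip("."), qtype))
    return records


def split_name(qname):
    """Split a query name into (leftmost label, parent zone).
    Names with fewer than three labels have no prefix to strip and return (None, qname)."""
    labels = qname.split(".")
    if len(labels) < 3:
        return None, qname
    return labels[0], ".".join(labels[1:])


def detect_water_torture(records, min_unique=5, min_entropy=2.5, unique_ratio=0.8):
    """Group queries by parent zone and flag zones where most queries carry a
    distinct, high-entropy leftmost label. Thresholds are illustrative defaults."""
    per_zone = defaultdict(list)
    for _, _, qname, _ in records:
        prefix, zone = split_name(qname)
        if prefix is not None:
            per_zone[zone].append(prefix)

    findings = {}
    for zone, prefixes in per_zone.items():
        uniq = set(prefixes)
        if len(uniq) < min_unique:
            continue
        ratio = len(uniq) / len(prefixes)
        avg_entropy = sum(shannon_entropy(p) for p in uniq) / len(uniq)
        if ratio >= unique_ratio and avg_entropy >= min_entropy:
            findings[zone] = {
                "queries": len(prefixes),
                "unique_prefixes": len(uniq),
                "avg_entropy": round(avg_entropy, 2),
            }
    return findings


if __name__ == "__main__":
    for zone, info in detect_water_torture(parse_log(SAMPLE_LOG)).items():
        print(zone, info)
```

In the constructed log, example.com sees repeated, low-entropy labels (www, mail) and is left alone, while target.test sees eight queries with eight different random labels and is flagged. A resolver operator can act on such a finding by rate-limiting queries per zone from the offending clients; the authoritative side sees the same pattern arriving from many recursive resolvers and can apply response rate limiting per source, which is why the detection is keyed on the zone rather than on the client address.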