The Mirai botnet has infected hundreds of thousands of Internet of Things (IoT) devices, specifically security cameras, by using vendor default passwords for Telnet access. This IoT botnet successfully landed a Terabyte attack on OVH1, and took down KrebsOnSecurity2 with an Akamai confirmed 620+ Gpbs attack. Following Mirai's author post, dissecting the malware's source code and analyzing its techniques (including DDoS attack methods that are rarely seen like DNS Water Torture and GRE) we can definitely expect the IoT DDoSing trend to rise massively in the global threat landscape.
IoT devices are very attractive to the DDoS business as they don't require additional expenses, social engineering attacks, email infection campaigns, exploit kits or fresh zero-days. It is common for these devices to have poor security standards such that their remote administration ports are publicly accessible and susceptible to brute force and dictionary attacks, the ports are "protected" with vendor default passwords, and they don’t have an anti-virus solution in place to prevent malware infections. Combine these gaping security holes that make them "easy to exploit", with the device managers being people in their homes without security expertise, as well as these IoT devices being always online, ever-ready to serve the botmaster, and you get a very suitable breeding ground for launching more massive DDoS attacks.
Shifting DDoS Attack Varieties and Trends
As most typical volumetric attacks today rely on ICMP, SYN and a variety of UDP reflection and amplification attacks, the author of Mirai has interestingly introduced less common “DNS Water Torture” and “GRE flood” attacks. Though this DNS technique was already observed in the past, it’s not common to see nowadays.
Figure 1: DDoS Attack Methods
“DNS Water Torture” Technique
This technique is different from the regular DNS reflection and amplification attack as it requires significantly less queries to be sent by the bot, letting the ISP’s recursive DNS server perform the attack on the target authoritative DNS server. In this attack, the bot sends a well formed DNS query containing the target domain name to resolve, while appending a randomly generated prefix to the name. The attack becomes effective when the target DNS server becomes overloaded and fails to respond. The ISP’s DNS servers then automatically retransmits the query to try another authoritative DNS server of the target organization, thus attacking those servers on behalf of the bot.
Figure 2: DNS Water Torture Technique
GRE IP and Ethernet Floods
GRE (Generic Routing Encapsulation) is a tunneling protocol that can encapsulate a wide variety of network layer protocols inside virtual point-to-point links over an IP network, which is also used by DDoS scrubbing providers as part of the mitigation architecture.
Mirai holds two types of GRE attacks – with and without Ethernet encapsulation.
Figures 3 and 4: DNS Water Torture Technique and GRE IP
The encapsulated IP packet header uses the same parameters as the encapsulating IP header. The Transport Layer protocol for the encapsulated IP packet is UDP.
Most public routers will pass along the GRE packet because it’s a widely used protocol for generating VPN connections. We speculate that GRE might be the protocol of choice due to its encapsulation nature, allowing huge payloads to be sent adding processing overhead of IP defragmentation to impact the target.
The Hidden Attack
While there is no record of this attack and no supported command to invoke it, there is an implementation of a so called “cfnull” attack that, which attacks the application layer. It is very similar to the GET/POST flood, but “cfnull” is designed to send a large POST payload of 80 MB of junk – a randomly composed alphabetic string - to the targeted server consuming webserver resources.
Bypassing Mitigation Devices
While analyzing Mirai’s offered attacks, we took the perspective of how to mitigate it.
According to Mirai’s creator, the so called “TCP STOMP” attack is a variation of the simple ACK flood intended to bypass mitigation devices. While analyzing the actual implementation of this attack it seems that the bot opens a full TCP connection and then continues flooding with ACK packets that have legitimate sequence numbers in order to hold the connection alive.
Figure 5: DDoS Scrubbing Services Fingerprinted
Judging by other leaked malware source code examples, such as the Zeus financial Trojan, we expect the underground market to adapt, combine, and improve the code, resulting in newer and enhanced variants.
Also, considering the low cost to maintain an IoT DDoS botnet, and referring to Gartner’s forecast3 stating connected things…will reach 20.8 billion by 2020, we can assume the IoT infection vector to grow. We should anticipate DDoS attacks over 1 Tbps to become more common in the near future, and see more “DNS Water Torture” and “GRE floods.”
It seems that the bot creator named his creation after a Japanese series “Mirai Nikki (The Future Diary)” and uses the nickname of “Anna-senpai” referring to the “Shimoneta” series.
Figure 6: Mirai's Name Inspiration
About F5 Labs
F5 Labs combines the expertise of our security researchers with the threat intelligence data we collect to provide actionable, global intelligence on current cyber threats—and to identify future trends. We look at everything from threat actors, to the nature and source of attacks, to post-attack analysis of significant incidents to create a comprehensive view of the threat landscape. From the newest malware variants to zero-day exploits and attack trends, F5 Labs is where you’ll find the latest insights from F5’s threat intelligence team.