Public posting of the source code makes it script-kiddie simple

There's no magic behind the success of the Mirai DDoS botnets made up of IoT devices: the software that builds them is publicly available, which makes it easy for relatively inexperienced actors to assemble one and turn it loose on anyone. Flashpoint speculates that the Dyn DDoS, which cut off access to major Web sites, was the work of low-skilled script kiddies, a frightening prospect that contributes to Trend Micro's assessment that "the Internet of Things ecosystem is completely, and utterly, broken."

To amass an IoT botnet, Mirai bot herders scan a broad range of IP addresses, trying to log in to devices with a list of 62 default usernames and passwords that are baked into the Mirai code, according to US-CERT. A newly hijacked device connects back to the attacker's command-and-control server and waits for commands, and often one of the first things the bot does is scan the internet for more vulnerable devices to infect. These devices are largely security cameras, DVRs and home routers. Brian Krebs, whose krebsonsecurity.com site was one of the first hit by a massive Mirai-based DDoS attack, has listed some of the specific devices.

When Mirai botnets are called upon to carry out DDoS attacks, they can draw on a range of tools including ACK, DNS, GRE, SYN, UDP and Simple Text Oriented Message Protocol (STOMP) floods, says Josh Shaul, vice president of web security for Akamai. Mirai doesn't try to hide from forensic analysis, probably because the owner of the kind of device it runs on is unlikely to have the skill to look for it.

Like any botnet, Mirai directs its zombie machines via command and control (C2) servers, which are mostly compromised machines in the networks of small and mid-sized businesses, says Dale Drew, CSO of Level 3.
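The default-credential scanning described above leaves a recognisable trace in the login logs of a device or a Telnet honeypot: each scanning source makes a short burst of failed logins and only ever tries usernames from Mirai's hard-coded list. The detector below is an added example written for this article, not code from the article, from US-CERT or from the Mirai source. The login(1)-style syslog lines, the username subset, the burst thresholds and the sample entries are all constructed assumptions; real devices log failed logins in whatever format their firmware chooses, so the regular expression is the part to adapt.

```python
"""Flag Mirai-style default-credential brute forcing in failed-login logs."""
import re
from collections import defaultdict
from datetime import datetime

# Usernames taken from Mirai's hard-coded credential list (root, admin, support,
# ubnt, 888888 ... as in the public scanner source). A subset, by assumption;
# extend it from the full list of 62 pairs.
MIRAI_USERS = {
    "root", "admin", "user", "guest", "support", "service", "supervisor",
    "tech", "mother", "administrator", "Administrator", "888888", "666666", "ubnt",
}

# Constructed sample lines (not from a real incident) in the style of login(1)
# syslog output on a BusyBox camera: "FAILED LOGIN n FROM <ip> FOR <user>".
# Two sources behave like the Mirai scanner; the third is a human mistyping.
SAMPLE_LOG = """\
Oct 21 03:14:07 cam1 login[812]: FAILED LOGIN 1 FROM 203.0.113.7 FOR root, Authentication failure
Oct 21 03:14:08 cam1 login[812]: FAILED LOGIN 2 FROM 203.0.113.7 FOR admin, Authentication failure
Oct 21 03:14:08 cam1 login[812]: FAILED LOGIN 3 FROM 203.0.113.7 FOR support, Authentication failure
Oct 21 03:14:09 cam1 login[812]: FAILED LOGIN 4 FROM 203.0.113.7 FOR 888888, Authentication failure
Oct 21 03:21:40 cam1 login[815]: FAILED LOGIN 1 FROM 198.51.100.23 FOR root, Authentication failure
Oct 21 03:21:41 cam1 login[815]: FAILED LOGIN 2 FROM 198.51.100.23 FOR root, Authentication failure
Oct 21 03:21:41 cam1 login[815]: FAILED LOGIN 3 FROM 198.51.100.23 FOR ubnt, Authentication failure
Oct 21 08:02:11 cam1 login[901]: FAILED LOGIN 1 FROM 192.0.2.44 FOR jsmith, Authentication failure
Oct 21 08:45:30 cam1 login[903]: FAILED LOGIN 1 FROM 192.0.2.44 FOR jsmith, Authentication failure
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ login\[\d+\]: "
    r"FAILED LOGIN \d+ FROM (?P<src>\S+) FOR (?P<user>[^,]+),"
)


def parse_failed_logins(text, year=2016):
    """Yield (timestamp, source_ip, username) for every failed-login line.

    Syslog timestamps carry no year, so one is supplied (assumed here)."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["src"], m["user"]


def profile_sources(events):
    """Group failures per source IP: attempt count, distinct usernames, time span."""
    prof = defaultdict(lambda: {"attempts": 0, "users": set(), "first": None, "last": None})
    for ts, src, user in events:
        p = prof[src]
        p["attempts"] += 1
        p["users"].add(user)
        p["first"] = ts if p["first"] is None else min(p["first"], ts)
        p["last"] = ts if p["last"] is None else max(p["last"], ts)
    return prof


def flag_mirai_like(text, min_attempts=3, max_span_s=60):
    """Return source IPs whose failures look like Mirai's scanner: a fast burst
    of attempts that use nothing but usernames from the hard-coded default list.
    Thresholds are assumptions; Mirai tries about ten pairs per host in seconds."""
    flagged = []
    for src, p in profile_sources(parse_failed_logins(text)).items():
        span = (p["last"] - p["first"]).total_seconds()
        if (p["attempts"] >= min_attempts and span <= max_span_s
                and p["users"] <= MIRAI_USERS):
            flagged.append(src)
    return sorted(flagged)


if __name__ == "__main__":
    for ip in flag_mirai_like(SAMPLE_LOG):
        print("Mirai-like scanner:", ip)
```

The subset test on usernames is what separates the botnet from an ordinary brute-forcer: a human or a wordlist attack quickly strays outside Mirai's short list, while the scanner never does. Because each infected device tries only a handful of pairs before moving on, counting per source and looking for many distinct sources over time says more than a per-IP lockout threshold would.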
To avoid detection, these C2 servers change location about three times as often as those of other IoT botnets do, roughly every day or so, Drew says.

These IoT botnets carry out volumetric attacks that throw as much traffic at their targets as possible to overwhelm them and make it impossible for legitimate traffic to get through. Some estimates put the largest of them at more than 1Tbps. There are millions of IoT devices deployed, which makes it possible to assemble larger-than-usual botnets more quickly; US-CERT says the purported author of Mirai claims 380,000 IoT devices are under its control.

Because so many devices are enlisted and each attacks the target directly, it is difficult for defenders to identify significant numbers of malicious IP addresses and block them quickly. The hijacked devices often sit on dynamically assigned addresses issued by their service providers via DHCP, so the IP address of a zombie can change over time, making it harder still to pin it down as an attacker.

Why IoT devices?

IoT devices are an ideal category of potential bots. There are millions of them, and they share several problems: many have exposed administrative ports protected by weak or default passwords, they lack anti-virus and other security software, and they are powered on and connected to the internet all the time. Their owners are often consumers or small businesses without the training to secure them. Because attackers go directly to the open administrative ports (typically Telnet and SSH), they never have to bother with social engineering, malicious email or zero-day exploits to hijack a device.

Many of the devices used in the Mirai attacks were made by, or included components made by, a single vendor, XiongMai Technologies, which has issued recalls and software updates for some of its products to make them more secure.

Are you infected?

One indicator that an IoT device might be infected with Mirai is that its SSH and Telnet ports (22 and 23) are closed when they used to be open. Mirai shuts down the services listening on those ports so that administrators can't get in and no other attacker can take over the device the same way. Because Mirai runs only in memory and does not persist across a restart, rebooting the device removes it and the ports open again. The reboot should be done with the device disconnected from the internet, and the default password should be changed before it is reconnected to avoid reinfection; in some cases, though, it is not easy or even possible to change the password. Devices sitting behind a firewall that blocks inbound traffic to them should be protected from infection, say researchers at Imperva.

Businesses worried that future attacks on DNS services will take down their Web sites can take steps now. The first is to use more than one DNS provider, so that if one is impaired another can pick up the slack. They should also formulate a plan for what they will do when such an outage hits, with the names and phone numbers of everyone who will be involved. Everyone should know their responsibilities, and the team should practice its response in simulation exercises.
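Checking a fleet of devices for the indicator described under "Are you infected?" can be scripted. The code below is an added example written for this article, not a tool from the article or from any of the researchers quoted in it; the inventory, the baseline port lists, the verdict names and the recorded probe results used for testing are constructed assumptions. It compares each device's currently reachable ports with a known-good baseline and only calls a device suspect when it still answers on some other port while 22 and 23 have gone dark, so a device that is simply unplugged is not mistaken for an infected one.

```python
"""Check IoT devices for the Mirai tell-tale of closed administrative ports."""
import socket

# The ports the article names as Mirai's signature; Mirai kills whatever
# listens on them after infection.
ADMIN_PORTS = (22, 23)


def tcp_port_open(host, port, timeout=2.0):
    """True if a TCP connect to host:port succeeds within timeout seconds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def assess_device(host, baseline_ports, probe=tcp_port_open):
    """Compare a device's currently open ports with its known-good baseline.

    baseline_ports: ports that answered when the device was known to be clean.
    probe: function(host, port) -> bool; injectable so the decision logic can be
           exercised offline against recorded results (an assumption of this
           example, not something the article describes).
    Returns 'unreachable', 'suspect', 'admin-open' or 'ok'.
    """
    now_open = {p for p in baseline_ports if probe(host, p)}
    admin_baseline = set(baseline_ports) & set(ADMIN_PORTS)
    if not now_open:
        # Nothing answers: powered off or firewalled. No verdict either way.
        return "unreachable"
    if admin_baseline and not (now_open & admin_baseline):
        # Still up on other ports, but 22/23 went dark: the indicator the
        # article describes. Reboot offline, then change credentials.
        return "suspect"
    if now_open & admin_baseline:
        # A management port is reachable: confirm it is not on default creds.
        return "admin-open"
    return "ok"


def triage(inventory, probe=tcp_port_open):
    """Run assess_device over {host: baseline_ports}; return {host: verdict}."""
    return {host: assess_device(host, ports, probe) for host, ports in inventory.items()}


if __name__ == "__main__":
    # Constructed inventory; replace with real addresses on your own network.
    inventory = {"192.0.2.10": [22, 23, 80], "192.0.2.11": [23, 80]}
    for host, verdict in triage(inventory).items():
        print(f"{host}: {verdict}")
```

Run it from a host on the same network with a real inventory; the probe argument exists so the verdict logic can be checked against recorded results without touching the network. A "suspect" verdict is a prompt to reboot the device offline and change its credentials, not proof of infection: a firewall change or a firmware update that disabled Telnet produces the same signal, and a device that comes back "admin-open" after the reboot with its default password unchanged is the one most likely to be reinfected.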