Big and bad: how the Mirai botnet pulls off its massive DDoS attacks
There has been much hand wringing, teeth gnashing and, yes, frantic typing over the Mirai botnet. With what it’s managed to pull off in its relatively short life-span, rightfully so. Much of what has been said about this new breed of record-busting botnet has focused on what it’s done, however, rattling off the attacks on security blogger Brian Krebs, French hosting provider OVH and the staggering 1.2 Tbps attack on DNS provider Dyn, which knocked sites like Reddit and Twitter offline for hours.

Perhaps what security experts, website owners and anyone who owns smart devices should be focusing on is the how – how did this botnet get so big, how is it pulling off its devastating DDoS attacks, and most important of all, how can it be stopped from smashing websites straight off the internet?

Anatomy of a beast

A botnet is a network of devices with connectivity that have been infected by malware which allows an attacker to control them remotely. In the case of the Mirai botnet, the affected devices have been infected by Mirai malware. The Mirai botnet, at its last somewhat official count, weighed in at over 400,000 infected devices, with nearly all of them coming from the same place – the Internet of Things (IoT), especially CCTV cameras, routers and DVRs.

Essentially, the smart devices in the average person’s home could very well be involved in this or other IoT botnets, and the owner would be none the wiser. IoT devices have become major malware targets in the last few years for two reasons: how many there are available (billions), and how weak the security is on the vast majority of them. That second reason is exactly how the Mirai botnet has ballooned so big.

How the malware recruitment works

The Mirai malware was built with two main purposes in mind: finding and infecting IoT devices, and launching distributed denial of service (DDoS) attacks.

In order to find devices that could potentially be included in the botnet, Mirai performs wide-ranging IP address scans in search of under-secured devices. When it locates such a device, it uses what is called a brute force technique to guess the login, trying a long list of default username and password combinations until it hits on one that works. Since so many device owners never changed the default login credentials, or even knew they could do such a thing, the malware is often successful.

When the malware has enlisted another device, it sends this information to a centralized reporting server. All of this is accomplished with incredible speed. When the Mirai botnet is actively growing, it does so almost exponentially.

How the attacks happen

The Mirai botnet is controlled by what are called command and control servers, centralized servers that the attacker uses to send attack orders to the devices in the botnet. As mentioned above, the attacks the Mirai botnet is perpetrating are DDoS attacks, a form of attack that uses the considerable resources of the botnet to direct massive amounts of traffic or requests at a target online service or website, overwhelming the server or other network infrastructure to take the target offline.

There are many different kinds of distributed denial of service attacks, but the Mirai botnet specifically perpetrates application layer attacks called HTTP floods, or network layer attacks including SYN, STOMP, UDP, DNS, GRE IP or GRE ETH floods.

Mirai also contains some level of bypass capabilities which allow it to work around certain security solutions.

Protecting against the attacks

Potential targets of the Mirai botnet – or one of the many variants that have popped up since its malware source code was made public – have no way of actually stopping or preventing the botnet from launching an attack. Instead, a target will have to deal with the attack as it is attempted.

There are two main challenges when it comes to mitigating the types of attacks Mirai perpetrates. First, many of the floods it pulls off are made up of requests that seem legitimate, which means many targets won't notice anything amiss until it's too late and the server has been exhausted. Second, the sheer size of the botnet means network layer attacks will eat through bandwidth at unfathomable rates, exceeding the capacity of even some of the best on-premise DDoS mitigation.

The solution is professional DDoS mitigation, specifically cloud-based protection: a managed service that handles these logistics so site owners don't have to. Professional DDoS mitigation employs granular traffic inspection that can spot malicious botnet traffic even in legitimate-seeming requests, diverting attack traffic to scrubbing servers. Further, cloud-based DDoS protection offers excellent scalability, distributing even huge amounts of network-layer attack traffic across a global network of scrubbing servers to be absorbed without affecting the website's performance.
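To make the first challenge concrete, here is an added example (not from the article or any mitigation vendor) of the kind of inspection a defender runs over web-server access logs: it buckets requests by one-second timestamp and flags both a single noisy source and a path that is being flooded by many sources that each look harmless on their own. The log lines, IP addresses and thresholds are all constructed and assumed.

```python
"""Added example (not from the article): a toy detector for the
'legitimate-looking request' problem. Each access-log line is bucketed by
its one-second timestamp; it then flags (a) any source sending more than
PER_SOURCE_LIMIT requests in a second and (b) any path receiving more than
PATH_LIMIT requests in a second even when no single source trips (a),
which is the distributed, Mirai-style pattern. Thresholds are assumed."""
from collections import Counter, defaultdict
import re
# Common Log Format: ip ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')
PER_SOURCE_LIMIT = 20   # requests per source per second (assumed)
PATH_LIMIT = 100        # requests per path per second (assumed)

def parse_line(line):
    """Return (ip, timestamp, path) or None for a malformed line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, _method, path, _status, _size = m.groups()
    return ip, ts, path

def analyze(lines):
    """Return (noisy_sources, flooded_paths); keys are (timestamp, ip|path)."""
    per_source, per_path, sources = Counter(), Counter(), defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip unparseable lines instead of crashing
        ip, ts, path = rec
        per_source[(ts, ip)] += 1
        per_path[(ts, path)] += 1
        sources[(ts, path)].add(ip)
    noisy = {k for k, n in per_source.items() if n > PER_SOURCE_LIMIT}
    flooded = {k: (n, len(sources[k])) for k, n in per_path.items() if n > PATH_LIMIT}
    return noisy, flooded

def constructed_log():
    """Constructed sample: 5 normal clients, one noisy client (25 hits) and
    150 'bots' that each send just 3 GETs to /login in the same second."""
    ts = "21/Oct/2016:12:00:00 +0000"
    fmt = '{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512'
    lines = [fmt.format(ip=f"192.0.2.{i}", ts=ts, path="/index.html") for i in range(1, 6)]
    lines += [fmt.format(ip="10.0.0.9", ts=ts, path="/index.html")] * 25
    for i in range(150):
        lines += [fmt.format(ip=f"10.200.1.{i}", ts=ts, path="/login")] * 3
    return lines

if __name__ == "__main__":
    print(analyze(constructed_log()))
```

Only the /login path is flagged as flooded, even though every bot stays well under the per-source limit, which is exactly why per-source rate limiting alone is not enough against a botnet this size.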

Looking ahead

As bad as Mirai has been, it isn’t going to carry on creating havoc forever. This is because of those command and control servers in charge of sending out attack commands – if the command and control servers can be stopped, the Mirai attacks will be no more.

This is by no means a reason to celebrate, however, because the next IoT botnets grabbing headlines are going to be the ones that aren’t bothering to use command and control servers and are instead using peer to peer communication, passing attack commands from one device to the next. Best to line up professional distributed denial of service protection now before the how questions become why questions, as in – why didn’t we onboard protection before our business was ruined?
