The Mirai botnet first made headlines in the autumn of 2016 with the massive DDoS attacks on KrebsOnSecurity and on Dyn. The Dyn attack used an army of compromised surveillance cameras and DVRs to flood one of the largest managed DNS providers, and took major websites offline for users on the US east coast.
A month later, in November 2016, Europe saw one of its biggest such incidents when German internet provider Deutsche Telekom had nearly a million customers thrown off the internet for almost three days. The exploit code used against their home routers was believed to be a modified version of Mirai. Rather than commandeering surveillance cameras, this variant was used in a botched attempt to hijack home routers: the targeted devices crashed under the exploit attempts rather than being taken over.
While the headline Mirai attacks hit targets in the U.S. and Europe, security researchers found more than half a million IoT devices in 164 countries that were vulnerable to Mirai, so these botnets were never a regional problem. They were a global phenomenon.
During January 2017 we observed Mirai-like DDoS attacks at several Asia-Pacific service providers that run Allot DDoS solutions, among them Vodafone Fiji, all showing similar characteristics.
The Allot ServiceProtector inline DDoS protection system mitigated a series of Mirai-like floods with relatively short hit-and-run cycles but very large spikes at the target. Short, high-volume bursts of this kind are characteristic of the recent Mirai-powered DDoS attacks, and they require mitigation that reacts in real time: a system that averages traffic over minutes sees the burst only after it has ended.
Massive DDoS attack exceeding 2M pps using hit-and-run tactics as seen in Allot ServiceProtector management console
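To make the hit-and-run point concrete, the following added example (not Allot's code) runs a per-second burst detector over a constructed packets-per-second series and compares it with a coarse windowed average. The 2M pps peak is the figure from the console screenshot above; the 50k pps baseline, the 20-second burst length and the threshold multiplier are assumptions chosen for the example.

```python
"""Hit-and-run flood detection over a per-second packets-per-second series.

Added example, not Allot ServiceProtector logic. The traffic timeline is
constructed: baseline, burst length and threshold are assumptions; the
2M pps peak is the value cited in the article.
"""
from dataclasses import dataclass

BASELINE_PPS = 50_000       # assumed normal packet rate toward the target
FLOOD_PPS = 2_000_000       # peak cited in the article's console screenshot


@dataclass
class Burst:
    start: int   # second index at which the spike began
    end: int     # last second index above threshold (inclusive)
    peak: int    # highest pps seen during the burst

    @property
    def duration(self) -> int:
        return self.end - self.start + 1


def constructed_series(seconds: int = 600) -> list:
    """Synthetic pps timeline: steady baseline with three 20-second floods."""
    series = [BASELINE_PPS] * seconds
    for start in (60, 240, 480):
        for t in range(start, start + 20):
            series[t] = FLOOD_PPS
    return series


def detect_bursts(series, baseline_pps, multiplier=10, min_seconds=3):
    """Return runs of at least min_seconds where pps exceeds multiplier x baseline."""
    threshold = baseline_pps * multiplier
    bursts, start, peak = [], None, 0
    for t, pps in enumerate(series):
        if pps > threshold:
            if start is None:
                start, peak = t, pps
            peak = max(peak, pps)
        elif start is not None:
            if t - start >= min_seconds:
                bursts.append(Burst(start, t - 1, peak))
            start = None
    if start is not None and len(series) - start >= min_seconds:
        bursts.append(Burst(start, len(series) - 1, peak))
    return bursts


def window_averages(series, window):
    """Average pps over non-overlapping windows of `window` seconds.

    This is the failure mode: a 20 s burst at 2M pps averaged over 5 minutes
    lands well under a 10x-baseline threshold, so a slow detector never fires.
    """
    return [
        sum(series[i:i + window]) // window
        for i in range(0, len(series) - window + 1, window)
    ]


if __name__ == "__main__":
    s = constructed_series()
    for b in detect_bursts(s, BASELINE_PPS):
        print(f"burst {b.start}-{b.end}s ({b.duration}s) peak {b.peak} pps")
    print("5-minute averages:", window_averages(s, 300))
```

With per-second samples the detector reports all three 20-second bursts; the same series averaged over 300-second windows never exceeds 310k pps, below the 500k pps threshold, which is why short hit-and-run cycles need inline, real-time detection.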
Like some other botnets, Mirai and its variants target devices that expose management services on TCP ports such as 23 and 2323 (telnet), 22 (SSH) and 7547 (TR-064/TR-069), trying a short hard-coded list of factory-default usernames and passwords against each one. Allot ServiceProtector inline sensors detected massive scan activity on all these ports. In addition, packet captures taken from the service providers' networks showed telnet login attempts cycling through credentials from Mirai's list of common passwords.
Packet capture showing login attempts using Mirai password sequence
Once infected, a device becomes a remotely controlled bot that scans for and infects further vulnerable devices and joins a massive DDoS on command. The Deutsche Telekom outage exploited a vulnerability in the TR-064 management interface of the Eir D1000 modem, reachable on TCP port 7547, that lets a remote attacker take control of an affected device. In our investigation, Allot ServiceProtector host behavior anomaly detection (HBAD) identified significant HTTP scans on port 7547 as well as scans on port 23 originating from devices inside the service providers' networks, most probably infected devices attempting to spread the bot to external targets.
Scans identified by Allot Behavior Anomaly Detection taken from Allot ServiceProtector management console
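The two indicators described above, inbound telnet logins drawn from Mirai's credential list and infected customer devices sweeping external hosts on the management ports, can be checked in connection logs. The following is an added example, not Allot's HBAD or ServiceProtector logic: it parses constructed log lines in a format assumed for this example, flags hosts that contact many distinct destinations on the scan ports, and matches login attempts against a subset of the credential pairs hard-coded in the published Mirai source. The addresses, thresholds and log layout are assumptions.

```python
"""Detecting Mirai-style scanning and default-credential logins in connection logs.

Added example, not Allot ServiceProtector/HBAD code. Log format, addresses
and thresholds are assumptions; the credential pairs are a subset of those
hard-coded in the published Mirai scanner source.
"""
import re
from collections import defaultdict

# Management ports Mirai and its variants probe: 23/2323 telnet in the original
# source, 7547 TR-064/TR-069 in the router variant, 22 SSH in copycats.
SCAN_PORTS = {22, 23, 2323, 7547}

# Subset of the factory-default credential pairs from Mirai's scanner.
MIRAI_CREDENTIALS = {
    ("root", "xc3511"), ("root", "vizxv"), ("root", "admin"), ("admin", "admin"),
    ("root", "888888"), ("root", "xmhdipc"), ("root", "default"), ("root", "juantech"),
    ("root", "123456"), ("root", "54321"), ("support", "support"), ("root", "root"),
    ("admin", "password"), ("user", "user"), ("admin", "1234"), ("ubnt", "ubnt"),
    ("root", "7ujMko0admin"), ("admin", "smcadmin"), ("root", "Zte521"), ("guest", "guest"),
}

# Assumed log format: "<ts> <src> -> <dst>:<port> <SYN|LOGIN> [user password]"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>[\d.]+):(?P<port>\d+) (?P<event>SYN|LOGIN)"
    r"(?: (?P<user>\S+) (?P<password>\S+))?$"
)


def parse(lines):
    """Yield a dict per well-formed line; malformed lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["port"] = int(rec["port"])
            yield rec


def outbound_scanners(records, min_targets=8):
    """Hosts that contacted >= min_targets distinct destinations on a scan port.

    Returns {src: {port: distinct_destination_count}} for flagged hosts only.
    """
    targets = defaultdict(lambda: defaultdict(set))
    for r in records:
        if r["event"] == "SYN" and r["port"] in SCAN_PORTS:
            targets[r["src"]][r["port"]].add(r["dst"])
    flagged = {}
    for src, by_port in targets.items():
        hits = {p: len(d) for p, d in by_port.items() if len(d) >= min_targets}
        if hits:
            flagged[src] = hits
    return flagged


def mirai_logins(records):
    """Login attempts whose username/password pair is on Mirai's list."""
    return [
        (r["src"], r["dst"], r["user"], r["password"])
        for r in records
        if r["event"] == "LOGIN" and (r["user"], r["password"]) in MIRAI_CREDENTIALS
    ]


def constructed_log():
    """Synthetic log: one infected customer device sweeping external hosts, one
    benign workstation, and one external bot brute-forcing a customer router."""
    lines = []
    for i in range(12):   # 12 distinct telnet targets
        lines.append(f"2017-01-12T03:14:{i:02d}Z 10.20.30.40 -> 203.0.113.{i + 1}:23 SYN")
    for i in range(8):    # 8 distinct TR-064 targets
        lines.append(f"2017-01-12T03:15:{i:02d}Z 10.20.30.40 -> 198.51.100.{i + 1}:7547 SYN")
    lines.append("2017-01-12T03:16:00Z 10.20.30.41 -> 203.0.113.50:22 SYN")
    lines.append("2017-01-12T03:16:01Z 10.20.30.41 -> 203.0.113.51:443 SYN")
    for user, pw in (("root", "xc3511"), ("admin", "admin"), ("root", "vizxv"), ("root", "hunter2")):
        lines.append(f"2017-01-12T03:17:00Z 203.0.113.9 -> 10.20.30.50:23 LOGIN {user} {pw}")
    lines.append("garbage line that should be ignored")
    return lines


if __name__ == "__main__":
    recs = list(parse(constructed_log()))
    print("outbound scanners:", outbound_scanners(recs))
    print("Mirai credential logins:", mirai_logins(recs))
```

The distinct-destination count per port is what separates an infected device sweeping the internet from an administrator opening a single SSH session; the credential match is a high-confidence indicator even for a single attempt, since pairs like root/xc3511 have no legitimate use.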
Since the original Mirai source code was released on September 30, 2016, it has inspired many actors to exploit the same pools of vulnerable IoT devices and launch massive DDoS attacks. Such attacks have shown that, aimed at the right targets, they can cause wide-scale outages of websites, services, or even internet infrastructure. It is hard to estimate how many devices Mirai and its copycats have infected, or how those devices are distributed worldwide. Our investigation does indicate that the family of Mirai-like botnets has not gone away, and that anomaly-based DDoS protection such as Allot ServiceProtector can block incoming floods of the scale an IoT botnet generates, block the spread of bot infections, and mitigate outbound DDoS attacks originating from infected devices inside the provider's own network.