In 2016, some of the world's most popular websites came to a halt when attackers launched a series of massive DDoS attacks from a botnet of thousands of IoT devices infected with the Mirai malware. The first victim was the French technology company OVH, followed by Brian Krebs's website. Later, the wave of attacks targeted Dyn, a cloud-based internet performance management company, and overwhelmed the sites of its customers, including Amazon, Netflix, PayPal, The New York Times, and Verizon. The Mirai botnet continues to cause damage today.
What is a botnet attack?
A botnet attack happens when attackers remotely control a network of malware-infected devices, known as a botnet, to carry out financial theft, information theft, denial of service, and other scams. Malware is malicious code designed to damage computers or applications by exploiting security vulnerabilities in the operating system. Botnets are made up of personal computers, mobile phones, and internet-connected smart devices that have been infected with malicious applications.
During a DDoS botnet attack, attackers control a large network of hijacked devices and send innumerable requests to overload the victim server, rendering the service inaccessible.
How does the Mirai botnet work?
Mirai is malware, specifically a self-propagating worm. Using a table of more than sixty factory-default login credentials, it scans for IoT devices, logs in, and infects them so that a central set of command and control (C&C) servers can direct them to launch DDoS attacks. Mirai is especially damaging because even if an infected device is rebooted, it will be reinfected within minutes unless the default password is changed immediately.
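As an added example (not code from the original article), the following Python flags the propagation behaviour described above from a defender's side of the perimeter: an internal device opening telnet connections (TCP 23 and 2323, the ports Mirai's scanner targets) to many distinct hosts within a short window. The firewall log format, the sample lines and the thresholds are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed outbound-connection log from a perimeter firewall (sample data, not real).
# Assumed line format: "<HH:MM:SS> src=<ip> dst=<ip> dport=<port> proto=tcp"
SAMPLE_LOG = """\
10:00:01 src=192.168.1.20 dst=203.0.113.5 dport=443 proto=tcp
10:00:02 src=192.168.1.45 dst=198.51.100.7 dport=23 proto=tcp
10:00:02 src=192.168.1.45 dst=198.51.100.8 dport=23 proto=tcp
10:00:02 src=192.168.1.45 dst=198.51.100.9 dport=2323 proto=tcp
10:00:03 src=192.168.1.45 dst=203.0.113.10 dport=23 proto=tcp
10:00:03 src=192.168.1.45 dst=203.0.113.11 dport=23 proto=tcp
10:00:04 src=192.168.1.45 dst=203.0.113.12 dport=23 proto=tcp
10:00:05 src=192.168.1.20 dst=198.51.100.7 dport=23 proto=tcp
10:09:00 src=192.168.1.30 dst=198.51.100.7 dport=23 proto=tcp
10:09:30 src=192.168.1.30 dst=198.51.100.8 dport=23 proto=tcp
10:10:00 src=192.168.1.30 dst=198.51.100.9 dport=23 proto=tcp
10:10:30 src=192.168.1.30 dst=198.51.100.10 dport=23 proto=tcp
10:11:00 src=192.168.1.30 dst=198.51.100.11 dport=23 proto=tcp
"""

LINE_RE = re.compile(r"^(\d\d):(\d\d):(\d\d) src=(\S+) dst=(\S+) dport=(\d+)")
TELNET_PORTS = {23, 2323}  # Mirai spreads by trying default logins on telnet on these ports

def parse(log_text):
    """Yield (seconds_since_midnight, src, dst, dport) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            h, mi, s, src, dst, dport = m.groups()
            yield int(h) * 3600 + int(mi) * 60 + int(s), src, dst, int(dport)

def find_telnet_scanners(log_text, min_targets=5, window=60):
    """Flag internal hosts that open telnet connections to at least `min_targets`
    distinct destinations within any `window`-second span: the outbound signature
    of a Mirai-infected device hunting for its next victims. Returns {src: count}."""
    by_src = defaultdict(list)
    for t, src, dst, dport in parse(log_text):
        if dport in TELNET_PORTS:
            by_src[src].append((t, dst))
    flagged = {}
    for src, events in by_src.items():
        events.sort()  # chronological, so each window starts at a real event
        for i, (t0, _) in enumerate(events):
            seen = {dst for t, dst in events[i:] if t - t0 <= window}
            if len(seen) >= min_targets:
                flagged[src] = len(seen)
                break
    return flagged
```

In the sample, 192.168.1.45 is flagged within seconds while the slower 192.168.1.30 only trips the check if the window is widened, which is the knob a defender tunes against the false-positive rate of legitimate telnet management traffic.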
Who created the Mirai botnet, and why?
In September 2018, an article published by the Department of Justice announced that three defendants, Paras Jha, 22, of Fanwood, New Jersey; Josiah White, 21, of Washington, Pennsylvania; and Dalton Norman, 22, of Metairie, Louisiana, had been sentenced for their roles in creating and operating the Mirai and Clickfraud botnets. The trio used the malware to launch a series of DDoS attacks and rented the botnet out as a service. Paras Jha and Josiah White also co-founded Protraf Solutions, a company that offered DDoS mitigation services to the victims of Mirai botnet attacks. In addition, Brian Krebs, the owner of the KrebsOnSecurity website, has published the full story of his four-month investigation into Mirai and its authors.
Why are Mirai botnet attacks still so intimidating?
According to Brian Krebs's investigation, the authors released the Mirai botnet source code to the public under the pseudonym Anna-Senpai. As a result, attackers modified the code into several other Mirai variants, used them to launch damaging DDoS attacks, and rented them out as DDoS-for-hire services. Such services are auctioned and traded among attackers in online markets; they can be rented for as little as 10 dollars and require minimal skill to launch a DDoS attack.
Manufacturers and users pay too little attention to securing Internet of Things (IoT) devices, which results in ever-growing botnets. A Cisco report states that by 2022, 72.8% of mobile devices will be smart devices and most mobile data traffic (99%) will originate from them. Additionally, a 5G connection will generate 2.6 times more traffic than the average 4G connection.
This means that with new variants and more vulnerable smart devices, the likelihood of highly damaging DDoS attacks increases.
Why is mitigation not enough?
DDoS mitigation solutions are only effective when their configuration maps the protected network exactly. Unfortunately, such mitigation systems do not fine-tune their configuration automatically, so any change in the network leaves the configuration out of date and opens DDoS vulnerabilities that expose the network to attack.
Getting Full DDoS Protection
Companies cannot stop attackers from using DDoS botnets such as Mirai, since attackers continue to create new variants and hijack IoT devices. However, as an effective DDoS protection strategy, companies that detect and remediate DDoS vulnerabilities regularly can successfully block the possibility of DDoS attacks.
Companies can identify open and ongoing network DDoS vulnerabilities by continuously simulating layer 3, 4, and 7 DDoS attacks on live environments. In addition, the simulation approach helps security teams understand DDoS vulnerabilities from an attacker's perspective, and they can fine-tune their deployed mitigation systems to block potential DDoS attacks.
MazeBolt's RADAR™ Technology
Companies can perform automated, non-disruptive, continuous DDoS simulations with MazeBolt's new technology, RADAR™. Working alongside any installed mitigation solution, RADAR™ offers superior DDoS coverage and automated DDoS protection. RADAR™ simulates over 100 attack vectors against all public-facing IPs 24/7, giving real-time visibility into every DDoS vulnerability with zero downtime.
Security officers and mitigation solution vendors get real-time data insights without any disruption to the network. As a result, they can reconfigure the mitigation systems to close newly found vulnerabilities and successfully block a potential DDoS attack.