Friday, October 28, 2016

security: IoT DDoS Attack & Mirai malware

2016 Dyn cyberattack - Wikipedia

"The 2016 Dyn cyberattack took place on October 21, 2016, and involved multiple denial-of-service (DoS) attacks targeting systems operated by Domain Name System (DNS) provider Dyn which made major internet platforms and services unavailable to large swaths of users in Europe and North America. The groups Anonymous and New World Hackers claimed responsibility for the attack.

The activities are believed to involve a botnet coordinated through a large number of internet-connected devices—such as printers, cameras, home routers and baby monitors—that had been infected with the Mirai malware."


"Mirai (Japanese for "the future") is malware that turns computer systems running Linux into remotely controlled "bots", that can be used as part of a botnet in large-scale network attacks."

[Image: Level3 Outage Map (US) - 21 October 2016]


Friday's East Coast Internet Outage Is a Major DDOS Attack | WIRED

"Dyn offers Domain Name System (DNS) services, essentially acting as an address book for the Internet. DNS is a system that resolves the web addresses we see every day, like https://www.WIRED.com, into the IP addresses needed to find and connect with the right servers so browsers can deliver requested content"

An IoT botnet is partly behind Friday's massive DDOS attack | PCWorld

"Some of that traffic has been observed coming from botnets created with the Mirai malware that is estimated to have infected over 500,000 devices"

The Dyn Attack on the Internet and Who to Blame For It @ Fortune

"A list of alleged culprits, compiled by security researcher Brian Krebs, include familiar names like Panasonic, Samsung and Xerox printers. The names also include lesser known makers of routers and cameras, which reportedly made up the bulk of the bot-net army."

Who Makes the IoT Things Under Attack? — Krebs on Security

"The malware, dubbed “Mirai,” spreads to vulnerable devices by continuously scanning the Internet for IoT systems protected by factory default usernames and passwords."


Major DDoS attack on Dyn DNS knocks Spotify, Twitter, Github, PayPal, and more offline | PCWorld

Episode 150 - DDOS Discussion @ The Azure Podcast | Short podcasts on Microsoft Azure by Cale Teeter, Evan Basalik & Sujit D'Mello

Last Week’s DDoS Attack Might Only Be The First Volley | On Point

Everything We Know About the Cyber Attack That Crippled America's Internet

The Dyn DDoS Attack: Two Key Lessons for Cyber Security | Satyamoorthy Kabilan | Pulse | LinkedIn

National Cyber Security Awareness Month | Homeland Security

10 Best Free DNS Hosting Providers

How Domain Name Servers Work | HowStuffWorks

When you enter a URL into your Web browser, your DNS server uses its resources to resolve the name into the IP address for the appropriate Web server.

IoT Device Maker Vows Product Recall, Legal Action Against Western Accusers — Krebs on Security

Microsoft Launches Azure-Based Security Program For Internet Of Things - ARC - ARC


So what actually happened?
Network-connected devices, in this case running a basic Linux, still set to their default passwords get exposed on the Internet (or on a local network with other infected machines). The malware scans networks for such machines and configures them to frequently access selected addresses. When too many infected machines start accessing the selected addresses, server and network capacity becomes too limited to serve normal traffic, in this case DNS name resolution. Mitigating this requires complex rerouting and filtering of network traffic.
Simple solution: change the default passwords on devices, and don't expose them to the Internet (e.g. via NAT port forwarding).
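The symptom described above, a DNS resolver flooded by many infected devices, shows up in the server's own query logs. The following is an added example (not code from the original post or from any vendor) of the two checks a defender would run over such logs: a per-source rate check, which catches a single noisy host, and an aggregate per-window check with a distinct-source count, which is what actually catches a distributed flood where every bot stays below the per-source threshold. The log line format is an assumption loosely modelled on BIND-style query logs, and every sample line is constructed here.

```python
# Added example (not from the page): rate-based detection of a DNS query
# flood from query-log lines. The log format is an assumption loosely
# modelled on BIND-style query logs; all sample lines are constructed.
import re
from collections import defaultdict
from datetime import datetime, timedelta

EPOCH = datetime(1970, 1, 1)

LOG_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"client (?P<src>\d{1,3}(?:\.\d{1,3}){3})#\d+: "
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+)$"
)


def parse_line(line):
    """Parse one query-log line; return None for lines that don't match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S.%f")
    return {"ts": ts, "src": m.group("src"),
            "qname": m.group("qname"), "qtype": m.group("qtype")}


def _window_of(ts, window_seconds):
    """Map a timestamp to the start of its fixed-size window."""
    secs = int((ts - EPOCH).total_seconds())
    return EPOCH + timedelta(seconds=secs - secs % window_seconds)


def detect_noisy_sources(lines, window_seconds=1, threshold=50):
    """Per-source check: {src: peak queries in any window} for sources whose
    rate exceeds threshold. Catches one misbehaving host, but a botnet of
    many devices each below the threshold slips through this check."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        counts[rec["src"]][_window_of(rec["ts"], window_seconds)] += 1
    return {src: max(w.values()) for src, w in counts.items()
            if max(w.values()) > threshold}


def detect_aggregate_flood(lines, window_seconds=1, threshold=500):
    """Aggregate check: one record per window whose total query count
    exceeds threshold, with the number of distinct sources, which is the
    signal that separates a distributed flood from one noisy client."""
    totals = defaultdict(int)
    sources = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        w = _window_of(rec["ts"], window_seconds)
        totals[w] += 1
        sources[w].add(rec["src"])
    return [{"window": w, "queries": n, "sources": len(sources[w])}
            for w, n in sorted(totals.items()) if n > threshold]


def make_sample_lines():
    """Constructed sample log: one ordinary client, one noisy host, and
    200 low-rate 'bot' sources all hitting the same second."""
    fmt = "21-Oct-2016 11:10:00.{ms:03d} client {src}#{port}: query: {qname} IN A"
    lines = []
    for i in range(3):  # normal client: 3 queries
        lines.append(fmt.format(ms=i * 100, src="198.51.100.5", port=40000 + i,
                                qname="www.example.com"))
    for i in range(80):  # single noisy host, over the per-source threshold
        lines.append(fmt.format(ms=i * 10, src="192.0.2.99", port=50000 + i,
                                qname="www.example.com"))
    for b in range(200):  # distributed: 4 queries each from 200 sources
        for i in range(4):
            lines.append(fmt.format(ms=(b * 4 + i) % 1000,
                                    src=f"203.0.113.{b + 1}", port=1024 + b,
                                    qname="www.example.com"))
    lines.append("this line is not a query log entry")  # ignored by the parser
    return lines


SAMPLE_LINES = make_sample_lines()

if __name__ == "__main__":
    print("noisy sources:", detect_noisy_sources(SAMPLE_LINES))
    for rec in detect_aggregate_flood(SAMPLE_LINES):
        print("flood window", rec["window"].isoformat(), rec)
```

On the constructed sample, the per-source check flags only the single noisy host, while the 200 bots each sending four queries stay invisible to it; the aggregate check reports the one-second window with 883 queries from 202 distinct sources, which is the shape of a distributed flood. In practice the thresholds are tuned to the resolver's normal baseline, and a high distinct-source count is what tells an operator that blocking individual addresses will not help and upstream filtering or traffic rerouting is needed.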
