The IoT (Internet of Things) has been a very hot topic in recent times. This has led to electronics invading our daily life on a massive scale. More and more IoT innovations are being made every day. It has also encouraged many startups, and even big players, to jump into this era of creativity and make IoT very flexible for end users. It is good news that most users are adapting to these new products and taking a step into the future.
But the real question is: how secure are these products? How do they make you vulnerable? To what extent is your privacy breached? What did the Mirai bot use? .... and many more such questions.
Understanding Mirai Attack Surface:
As per Arbor Networks, the original Mirai botnet (henceforth referred to as ‘the Mirai botnet’, or ‘Mirai’, unless otherwise indicated) currently consists of a floating population of approximately 500,000 compromised IoT devices worldwide; relatively high concentrations of Mirai nodes have been observed in China, Hong Kong, Macau, Vietnam, Taiwan, South Korea, Thailand, Indonesia, Brazil, and Spain. Additional Mirai concentrations have also been observed in multiple countries located in North America, Europe, and Oceania.
Mirai is capable of launching multiple types of DDoS attacks, including SYN-flooding, UDP flooding, Valve Source Engine (VSE) query-flooding, GRE-flooding, ACK-flooding (including a variant intended to defeat intelligent DDoS mitigation systems, or IDMSes), pseudo-random DNS label-prepending attacks (also known as DNS ‘Water Torture’ attacks), HTTP GET attacks, HTTP POST attacks, and HTTP HEAD attacks. While none of the DDoS attack capabilities of Mirai observed to date are new or unique, it is a flexible DDoS attack generation system and can launch high-volume, non-trivial DDoS attacks when wielded by a capable attacker. Mirai features segmented command-and-control, which allows the botnet to launch simultaneous DDoS attacks against multiple, unrelated targets.
Mitigating Factors: The DDoS attack capabilities of Mirai which have been observed to date are well-known and can be successfully mitigated by implementing industry-standard Best Current Practices (BCPs) and by utilizing intelligent DDoS mitigation systems (IDMSes) such as Arbor SP/TMS and APS to defend the targets of these attacks.
It is possible (and recommended) for network operators to actively scan for both vulnerable and compromised IoT devices on their networks and the networks of their customers, and then take steps to isolate those devices, notify their legitimate owners of the problem, and urge them to take corrective action.
It is possible (and recommended) for network operators to identify likely compromised IoT devices by detecting and classifying outbound/crossbound TCP/23 and/or TCP/2323 activity originating from these devices, and then take steps to isolate those devices, notify their legitimate owners of the problem, and urge them to take corrective action.
In order to inhibit scanning for vulnerable IoT devices, it is possible for broadband access network operators to implement access-control lists (ACLs) at a situationally-appropriate point in the network topology to prohibit high-port TCP traffic destined for TCP/23 and TCP/2323 on their customer access networks. Such policies would typically be implemented as ingress ACLs on the coreward interfaces of broadband customer aggregation gateways. Operators should gauge the benefits of enforcing a network access policy of this nature vs. potential negative effects, if any, and should thoroughly test any proposed anti-scanning ACLs prior to deployment.
Recommended Actions: All relevant network infrastructure, host/application/service, and DNS Best Current Practices (BCPs) should be implemented by network operators with public-facing network infrastructure and/or Internet properties.
Network operators should export flow telemetry (e.g., NetFlow, IPFIX, sFlow, cflowd/jflow, Netstream, et al.) from their peering/transit/customer aggregation edges and Internet data center (IDC) distribution edges to anomaly-detection/traffic visibility systems such as Arbor SP, which provide the ability to detect, classify, and trace back DDoS attack traffic.
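The two recommendations above (classifying outbound TCP/23 and TCP/2323 activity from customer devices, and feeding edge flow telemetry into a detection system) can be illustrated with a small detector. The following is an added example, not code from the original post or from Arbor Networks: it parses constructed flow records in a simplified whitespace format (an assumption; real NetFlow/IPFIX exports carry the same fields but are binary), and flags any host inside a given customer prefix whose outbound Telnet-port flows reach an unusual number of distinct destinations within a short window. The prefix, window and threshold are assumed values that an operator would tune per aggregation edge.

```python
"""Flag likely compromised IoT devices from flow telemetry (added example).

A Mirai-style bot locates new victims by opening many short TCP connections
to ports 23 and 2323 across many destination addresses. A customer host that
originates such flows to dozens of distinct destinations within a minute is a
strong candidate for isolation and owner notification, whereas an admin who
manages two devices over Telnet is not.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

TELNET_PORTS = {23, 2323}


@dataclass(frozen=True)
class Flow:
    ts: int      # flow start, seconds since epoch (constructed sample values)
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    packets: int


def parse_flows(text):
    """Parse constructed flow lines: 'ts src dst proto sport dport pkts'."""
    flows = []
    for line in text.strip().splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, proto, sport, dport, pkts = line.split()
        flows.append(Flow(int(ts), src, dst, proto, int(sport), int(dport), int(pkts)))
    return flows


def find_telnet_scanners(flows, customer_prefix, window=60, threshold=20):
    """Return {src: peak_distinct_destinations} for customer hosts whose
    outbound TCP/23 or TCP/2323 flows reached >= threshold distinct
    destinations inside any `window`-second span."""
    net = ipaddress.ip_network(customer_prefix)
    by_src = defaultdict(list)
    for f in flows:
        if f.proto != "tcp" or f.dport not in TELNET_PORTS:
            continue
        if ipaddress.ip_address(f.src) not in net:
            continue  # inbound scans from outside are a different problem
        by_src[f.src].append((f.ts, f.dst))

    flagged = {}
    for src, events in by_src.items():
        events.sort()
        counts = defaultdict(int)   # destination -> flows inside the window
        left, peak = 0, 0
        for ts, dst in events:
            counts[dst] += 1
            # slide the left edge forward until the window holds only
            # events newer than ts - window
            while events[left][0] < ts - window:
                old = events[left][1]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                left += 1
            peak = max(peak, len(counts))
        if peak >= threshold:
            flagged[src] = peak
    return flagged


# Constructed sample telemetry: one scanning device, one legitimate admin,
# and an inbound scan from outside the customer prefix.
SAMPLE_FLOWS = "\n".join(
    ["# ts src dst proto sport dport pkts"]
    + [f"{1000 + i} 10.0.0.7 198.51.100.{i} tcp {40000 + i} {23 if i % 2 else 2323} 1"
       for i in range(24)]
    + ["1005 10.0.0.9 10.0.0.20 tcp 51000 23 120",
       "1200 10.0.0.9 10.0.0.21 tcp 51001 23 95"]
    + [f"{1300 + i} 203.0.113.5 10.0.0.{i} tcp 45000 23 1" for i in range(30)]
)

if __name__ == "__main__":
    for host, n in find_telnet_scanners(parse_flows(SAMPLE_FLOWS), "10.0.0.0/24").items():
        print(f"{host}: {n} distinct TCP/23|2323 destinations in a 60s window; isolate and notify owner")
```

Only the customer host 10.0.0.7 is reported; the admin host touches two destinations and stays below the threshold, and the external scanner 203.0.113.5 is excluded because the point of this check is to find compromised devices on the operator's own customer network.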
Network operators should make use of DDoS mitigation mechanisms such as source-based remotely-triggered blackholes (S/RTBH), flowspec, and/or intelligent DDoS mitigation systems (IDMSes) such as Arbor TMS and APS in order to mitigate DDoS traffic sourced from Mirai-based botnets.
Also check the URL below for a Mirai bot scanner:
Source Code for Mirai Bot