Internet of Things, Distributed Denial of Service – botnet script kiddies or more sinister players?
I doubt many missed the massive outage a few days ago when Dyn’s DNS service was rendered useless by a massive DDoS attack. What made it worse is that many of the big players (Twitter, PSN, GitHub etc.) had put all their eggs in the same basket and had no alternate DNS, and thus disappeared from the internet.
I for one can’t understand (well, technically I can…) how easy it still is to flood a server/service. This should’ve been addressed so many times since the 90’s, but here we are in 2016 and we are still crippled by a DDoS.
Why Dyn was targeted on the 21st of October is a debate at the moment, but I think one probable scenario is PSN and the Battlefield One release. Historically there’s been a DDoS whenever Battlefield, CoD and similar AAA titles have been released. With Mirai and similar in your toolbox, most script kiddies can cause massive damage with little skill.
Here is a frequency map that shows the botnet activity on the 21st. (credit: Level 3)
Since the first DoS attacks, and more specifically DDoS, the industry has taken quite a few steps in order to make it harder to knock out a server or service, but with enough devices generating traffic there’s nothing (or very little) that can stop this. Eventually you flood the capacity of the network(s) and the outage is a fact. The main ingredient in the DDoS soup is access to bots – a vast number of infected personal computers that are ready to be remote controlled with a few keystrokes.
The anti-virus companies are playing cat & mouse with the creators of the malicious code that turns all these computers into bots, and today it shouldn’t be that easy to hijack someone’s computer, since most anti-virus software is both free and pretty damn good at catching this in real time. This should’ve ended here… or?
The latest couple of DDoS attacks tell a different story: regardless of the precautions, bots are being created 24/7 at an alarming rate, and it makes you wonder how on earth this can happen. Well, it’s easier than you think! IoT devices.
As someone who tinkers with both hardware and software I started to connect my trinkets to the internet a very long time ago, and with dirt-cheap modules like the ESP8266 you can do this at virtually no cost at all! The trinkets have also become really powerful because today we can run a Linux kernel on just about anything. Raspberry Pi is one of many SoC single-board computers that can be a really powerful IoT enabler – but here is the big problem: we spend all our efforts (and money) on securing our personal computers, while IoT devices are being scaled back in order to lower power consumption, and this is often done by using old kernels and a bare minimum of running services. Often there’s little to no security, and features like UPnP are enabled in order to make it easier for those a bit less tech savvy to connect their IoT devices to their home networks – and to other IoT devices. And here we are. A big mess.
The latest wave of DDoS didn’t just utilise a specific brand of routers or similar – it went for the unexpected ones like a whole bunch of IP cameras, routers and even 3D printers! These devices are all connected to the internet but have little security (in some cases) to none whatsoever (3D printers etc.), and adequate scripts and payloads were easily created in order to infect these until-now innocent devices…
Chinese manufacturer Hangzhou Xiongmai Technology is having to recall millions (4.3 million) of IP cameras in order to address a security issue, but this is only the tip of the iceberg imho.
One of the botnet enablers (malware) is Mirai, and it was leaked after the KrebsOnSecurity attack last month. It scans devices for commonly used, and factory preset, passwords and then infects the device and moves on. Another similar malware is Bashlight, and it also works by trying commonly used, and factory preset, passwords. This obviously worked really well…
I had a quick look at the source code for Mirai, and when you see malware, and payloads, written in Golang – which certainly hasn’t been created with tight security in mind but to simplify programming of robotics – then you know you have a shit-storm of infected devices out there ready to execute malicious code at the touch of a button – and this on a massive scale! Mirai isn’t all about Golang – it’s just a tiny part that shows that apart from the usual Linux-based distributions it can also use your 3D printer as a bot. I’m mentioning it here because people aren’t thinking about security when they build a 3D printer or other CNC homebrew devices.
Mirai was leaked by Anna-senpai and here are his opening words from the leak:
[FREE] World’s Largest Net:Mirai Botnet, Client, Echo Loader, CNC source code release – Anna-senpai – 09-30-2016 11:50 AM
Preface
Greetz everybody,
When I first go in DDoS industry, I wasn’t planning on staying in it long. I made my money, there’s lots of eyes looking at IOT now, so it’s time to GTFO. However, I know every skid and their mama, it’s their wet dream to have something besides qbot.
So today, I have an amazing release for you. With Mirai, I usually pull max 380k bots from telnet alone. However, after the Kreb DDoS, ISPs been slowly shutting down and cleaning up their act. Today, max pull is about 300k bots, and dropping.
So, I am your senpai, and I will treat you real nice, my hf-chan.
And to everyone that thought they were doing anything by hitting my CNC, I had good laughs, this bot uses domain for CNC. It takes 60 seconds for all bots to reconnect, lol …<snip>
After the Mirai leak it has probably already been revised a few times, or abandoned for another malware. A lot of people in the industry are looking towards IoT devices right now – which is good, but with so many insecure devices connected to the internet this very moment I think we will see plenty more attacks before we have caught up with the problem of unsecured devices.
So what can we do to prevent this? A lot!
- Does your device really need to be connected to the internet? (just because you can doesn’t mean you should…)
- Change ALL default passwords! If you can’t then don’t connect it!
- Set up a separate home network for your IoT devices. This network can then be configured for the bare minimum, and stricter security.
- Firmware. Always make sure you have the latest.
- Turn off UPnP.
- Make sure your IoT devices are behind a firewall.
- Avoid IoT devices that rely on cloud services. This is because they require internet access 24/7 and are prime targets.
- Don’t trust your devices! What was secure last month might not be secure today, and certainly not tomorrow. Eventually everything’s broken (into).
If you treat every IoT device as you would any computer, you have to ask yourself: “if I didn’t have anti-virus software on my computer, how would I go about my daily business?” Configure the device accordingly and allow/restrict network access based on the above.
I have quite a few IoT-type devices at home and I have them all on a separate network – and I have assigned static routes to all these devices. That way I can limit what ports are being used and what other IP addresses they can talk to, but I’m a minority and not the target. People who buy IoT devices and just plug them in without changing any default settings, on a totally open network – those are the targets. They are in the broad majority…
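Two of the points above lend themselves to a simple check on the gateway of a separate IoT network: Mirai-style bots announce themselves by knocking on telnet (23/2323) across many hosts, and a per-device allow-list of the kind described above turns every other flow into a reportable violation. The script below is an added example, not code from the original post; the iptables-style log lines, addresses and allow-list are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in iptables LOG style (not real captures).
SAMPLE_LOG = """\
Oct 21 11:10:01 gw kernel: IN=br-iot OUT=eth0 SRC=192.168.50.10 DST=198.51.100.7 PROTO=TCP DPT=23
Oct 21 11:10:01 gw kernel: IN=br-iot OUT=eth0 SRC=192.168.50.10 DST=198.51.100.8 PROTO=TCP DPT=23
Oct 21 11:10:02 gw kernel: IN=br-iot OUT=eth0 SRC=192.168.50.10 DST=198.51.100.9 PROTO=TCP DPT=2323
Oct 21 11:10:02 gw kernel: IN=br-iot OUT=eth0 SRC=192.168.50.10 DST=198.51.100.10 PROTO=TCP DPT=23
Oct 21 11:10:03 gw kernel: IN=br-iot OUT=eth0 SRC=192.168.50.10 DST=198.51.100.11 PROTO=TCP DPT=23
Oct 21 11:10:05 gw kernel: IN=br-iot OUT=eth0 SRC=192.168.50.20 DST=203.0.113.50 PROTO=UDP DPT=123
Oct 21 11:10:06 gw kernel: IN=br-iot OUT=eth0 SRC=192.168.50.20 DST=203.0.113.50 PROTO=TCP DPT=443
Oct 21 11:10:07 gw kernel: IN=br-iot OUT=eth0 SRC=192.168.50.30 DST=203.0.113.99 PROTO=TCP DPT=8080
"""

LINE_RE = re.compile(r"SRC=(\S+) DST=(\S+) PROTO=(\S+) DPT=(\d+)")
TELNET_PORTS = {23, 2323}  # ports Mirai-type bots probe for default passwords

def parse(log):
    """Yield (src, dst, proto, dport) for every line the regex matches."""
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group(1), m.group(2), m.group(3), int(m.group(4))

def telnet_scanners(log, threshold=4):
    """Sources that contacted at least `threshold` distinct hosts on telnet ports."""
    targets = defaultdict(set)
    for src, dst, _proto, dport in parse(log):
        if dport in TELNET_PORTS:
            targets[src].add(dst)
    return {src: len(dsts) for src, dsts in targets.items() if len(dsts) >= threshold}

def policy_violations(log, policy):
    """Flows not covered by the per-device allow-list of (dst, proto, dport)."""
    bad = []
    for src, dst, proto, dport in parse(log):
        if (dst, proto, dport) not in policy.get(src, set()):
            bad.append((src, dst, proto, dport))
    return bad

# Constructed allow-list: what each IoT device is permitted to talk to.
# A device missing from the list (here 192.168.50.10) is allowed nothing.
POLICY = {
    "192.168.50.20": {("203.0.113.50", "UDP", 123), ("203.0.113.50", "TCP", 443)},
    "192.168.50.30": {("203.0.113.99", "TCP", 8080)},
}

if __name__ == "__main__":
    print("telnet scanners:", telnet_scanners(SAMPLE_LOG))
    for flow in policy_violations(SAMPLE_LOG, POLICY):
        print("violation:", flow)
```

On the constructed input the camera at 192.168.50.10 is flagged on both counts: it probes five different hosts on telnet and none of its traffic is on the allow-list, which is exactly the behaviour a freshly infected device shows.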
For those of you who want to study Mirai, here is a link to GitHub. I believe the greater good of publishing malicious code in order to secure ourselves is more important than some script kiddie getting hold of it. (A quick Google search will get you the code anyway…)
Stay vigilant and please – secure all of your devices, trinkets, gizmos and IoT’s!!! Just because you can squeeze a 10-year-old kernel into a device doesn’t make it secure by default. Expect the worst and plan accordingly.
p.s. …and no – it’s not “the Russians” that are behind these botnets to “help Wikileaks spread lies about Hillary Clinton” or whatever BS some media publishes… Yes, some Russians are probably involved considering all the Russian text strings in parts of Mirai, but they are not on Putin’s payroll. This is what it is, and it is not organised. It’s various people doing it because they can – and some try to make some money out of it, but these ones are not state controlled!
p.p.s. …but there are attacks that are state initiated; that’s a whole different story though.