Akamai’s verdict on Mirai: People, it’s bad (and it’s gonna get worse)

[Image credit: Vuk Kostic / Shutterstock.com]

The open-source Mirai malware that shocked the technology sector a few weeks ago has been studied by Akamai in its latest State of the Internet report. It’s bad news for the world, as Akamai suggests that adapted versions of Mirai will embrace the more common reflective DDoS attack vectors to cripple web infrastructure.

With the report, Akamai has put numbers on the problem. Somewhat shockingly, just 24,000 IP addresses were used in the monster attack that brought Mirai to the fore – mostly consisting of compromised DVR players and connected IP cameras. This direct DDoS traffic is dangerous enough, but adding the reflective traffic of other botnets would create huge outages.

Akamai concludes that the Mirai DDoS set a new target for malware developers to aim for, and that the IoT-fueled botnets that security professionals have feared “are a real, tangible menace that attackers will likely try to recreate going forward.” The access to the source code is of particular concern, and “until IoT security becomes a primary concern for manufacturers, this type of malware will be increasingly common.”

While the whole report makes for interesting reading, we’ve focused on Mirai and the IoT for this article. In the total DDoS picture, Akamai says that despite a number of highly publicized attacks, the overall number of DDoS attacks fell 8% in Q3 compared to Q2. Some 98% of attacks targeted the internet infrastructure layer, with the remainder going after the application layer.

In the top five DDoS attack vector frequencies for Q3, UDP fragmentation took first place with 24.56% of the total, followed by DNS floods with 18.4%. Combined, these two grew 4.5% in the quarter and accounted for nearly 43% of the total. Third place went to NTP attacks, with UDP in fourth on 10.29%, and CHARGEN rounding out the top five with 8.22%.

Mirai used Generic Routing Encapsulation (GRE) flood attacks, and Akamai notes that while GRE only accounted for 0.02% of the Q3 DDoS traffic, it would not be surprising to see that figure grow. However, Akamai adds that GRE flooding relies heavily on the capacity of the botnet nodes to inflict outages, and is not a reflection-based attack like UDP fragmentation and DNS floods – and so Mirai (in particular) would be effectively countered by securing the end-nodes.

But Mirai was still responsible for the largest DDoS attack in history, at the time. The target was security blogger Brian Krebs, whose personal website was hit. Akamai had been providing DDoS mitigation for Krebs on a pro bono basis, and turned off the mitigation after seeing peaks of 623 Gbps. Notably, a 555-Gbps attack on the website appears not to have stemmed from Mirai:

Much has been written about the attack on September 20th, which is appropriate as it remains the largest DDoS attack seen by Akamai. This 623-Gbps attack consisted of GRE floods, SYN floods, and ACK floods at the network level, and both PUSH and GET floods at the application layer. None of these protocols are difficult to mitigate individually, but the sheer volume of this attack was impressive. GRE traffic is an uncommon attack vector, seen in only a handful of attacks each year, and this was the only attack upon the site using this profile.

Akamai adds that Mirai didn't appear totally out of the blue. It says it had been monitoring the Kaiten variant of the malware since June, and noted that what made Mirai unique was its use of IoT devices, combined with the unusual GRE use and telnet scanning. Ominously, Akamai clarified that Mirai doesn't yet use any of the more common DDoS reflection vectors, hinting that its potential impact could be significantly amplified if it were adapted – and because the source code has been publicly leaked, that seems to be a future we're headed towards.

So while we prepare for the arrival of our new Mirai-based overlords, Akamai points out that networks could go a long way to mitigating its impact (or even existence) if they “practiced basic hygiene.” Blocking insecure protocols by default is the first step, and Akamai points to the 2011 and 2012 Brobot attacks as examples of previous problems with insecure protocols in botnets.
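Two of the distinctions above are worth seeing in code: the difference between Mirai's direct floods (GRE, SYN, ACK, plain UDP, whose volume is bounded by the bots' own uplink capacity) and reflection vectors (DNS, NTP, CHARGEN responses from third-party servers), and the "basic hygiene" point about telnet, Mirai's propagation channel. The following Python script is an added example and not part of the article or Akamai's report: it classifies constructed flow records seen at a victim's network edge into direct versus reflection classes, reports the byte share that reflection contributes, and flags any source that opens telnet (tcp/23) connections to many distinct hosts, the scanning pattern a network would want to block or alert on. The flow format, addresses and byte counts are all constructed for the example.

```python
from collections import Counter, defaultdict
from typing import Dict, Iterable, NamedTuple


class Flow(NamedTuple):
    """One constructed flow record as a monitoring sensor might export it."""
    src: str
    dst: str
    proto: str   # "tcp", "udp" or "gre"
    sport: int   # 0 for GRE, which has no ports
    dport: int
    flags: str   # TCP flag letters ("S", "A", ...); empty for non-TCP
    nbytes: int


# UDP services whose responses are commonly abused as reflection vectors.
# A reflected packet arrives from the server's well-known source port.
REFLECTION_SRC_PORTS = {53: "dns", 123: "ntp", 19: "chargen"}

VICTIM = "203.0.113.10"   # constructed victim address (documentation range)

# Constructed sample traffic: a mix of direct floods, reflected responses,
# a telnet scan across the monitored /24, and one ordinary telnet login.
SAMPLE_FLOWS = [
    Flow("198.51.100.21", VICTIM, "gre", 0, 0, "", 1500),      # direct GRE flood
    Flow("198.51.100.22", VICTIM, "gre", 0, 0, "", 1500),
    Flow("198.51.100.23", VICTIM, "tcp", 40001, 80, "S", 60),  # SYN flood
    Flow("198.51.100.24", VICTIM, "tcp", 40002, 80, "S", 60),
    Flow("198.51.100.25", VICTIM, "tcp", 40003, 80, "A", 60),  # ACK flood
    Flow("192.0.2.53", VICTIM, "udp", 53, 3456, "", 3000),     # reflected DNS
    Flow("192.0.2.123", VICTIM, "udp", 123, 3457, "", 440),    # reflected NTP
    Flow("198.51.100.26", VICTIM, "udp", 50000, 9999, "", 1200),  # plain UDP
    *[Flow("198.51.100.99", f"203.0.113.{i}", "tcp", 41000 + i, 23, "S", 60)
      for i in range(20, 32)],                                 # telnet scan
    Flow("203.0.113.5", "203.0.113.7", "tcp", 52000, 23, "S", 60),  # one admin
]


def classify_flow(flow: Flow) -> str:
    """Label a flow as a direct vector (sent by the bot itself) or a
    reflection vector (a server's response bounced at the victim)."""
    if flow.proto == "gre":
        return "direct-gre"
    if flow.proto == "tcp":
        if flow.flags == "S":
            return "direct-syn"
        if flow.flags == "A":
            return "direct-ack"
        return "tcp-other"
    if flow.proto == "udp":
        service = REFLECTION_SRC_PORTS.get(flow.sport)
        # A response from a well-known service port to a client port that
        # never sent a query is the signature of reflected traffic.
        if service is not None and flow.dport not in REFLECTION_SRC_PORTS:
            return f"reflection-{service}"
        return "direct-udp"
    return "other"


def bytes_by_class(flows: Iterable[Flow], victim: str) -> Dict[str, int]:
    """Sum inbound bytes to the victim per attack class."""
    totals: Counter = Counter()
    for f in flows:
        if f.dst == victim:
            totals[classify_flow(f)] += f.nbytes
    return dict(totals)


def reflection_share(totals: Dict[str, int]) -> float:
    """Fraction of inbound bytes that came via reflection vectors."""
    total = sum(totals.values())
    reflected = sum(v for k, v in totals.items() if k.startswith("reflection-"))
    return reflected / total if total else 0.0


def telnet_scanners(flows: Iterable[Flow], min_targets: int = 10) -> Dict[str, int]:
    """Sources that opened telnet (tcp/23) connections to at least
    min_targets distinct hosts: the propagation pattern to block or alert on."""
    targets = defaultdict(set)
    for f in flows:
        if f.proto == "tcp" and f.dport == 23 and "S" in f.flags:
            targets[f.src].add(f.dst)
    return {src: len(d) for src, d in targets.items() if len(d) >= min_targets}


if __name__ == "__main__":
    totals = bytes_by_class(SAMPLE_FLOWS, VICTIM)
    for cls, n in sorted(totals.items()):
        print(f"{cls:16s} {n:6d} bytes")
    print(f"reflection share: {reflection_share(totals):.1%}")
    print("telnet scanners:", telnet_scanners(SAMPLE_FLOWS))
```

On the sample data the GRE, SYN, ACK and plain UDP classes are the bot-sourced traffic Akamai describes, the DNS and NTP classes are what reflection would add if the malware were adapted, and the single flagged scanner is the host a network would refuse at the edge by default, which is what "blocking insecure protocols" amounts to in practice for tcp/23.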

As for Mirai, it was so lethal because it was capable of a diverse range of attacks. The ten weapons in its toolkit included two types of UDP floods, two GRE floods, two types of ACK floods, a SYN flood, a good old-fashioned DNS flood, a Valve Engine attack, and an HTTP flood.

Written by Alex Davies | First published at ReTHINK IoT
