Mirai Common Attack Methods Remain Consistent, Effective

While relatively unchanged, the notorious IoT botnet still continues to drive DDoS.

The Mirai botnet continues to break records for driving the biggest and most disruptive distributed denial of service (DDoS) attacks ever seen, researchers say.

To help victims of these scenarios, Corero Network Security released a report today analyzing the common attack methods of the notorious botnet, which have changed little in recent years. Still, Mirai has spawned numerous variants that keep its core purpose: exploit vulnerabilities in IoT devices to build an army of bots for mounting DDoS attacks.

"What's interesting about Mirai is that it is still effective without having evolved much at all," Huy Nguyen, cyber security engineer for Corero Network Security, tells Dark Reading.

Though none of its myriad variants veer from Mirai's original attack vectors, it still poses a dangerous threat, one that is bolstered by the growing pool of vulnerable IoT devices being added to networks every day, he wrote in the report.

Indeed, typical Mirai attack vectors are problematic enough to damage even large organizations, Nguyen says. Moreover, threat actors with limited technical skills can build Mirai botnets using resources found on the Internet, thanks in part to the leak of its source code in 2016.

This makes it easy for attackers to abuse myriad devices that are installed across enterprises without being patched, Nguyen says. "Script kiddies can build their own botnet easily with a few commands," he wrote.

And though they need to exploit vulnerable IoT devices with a remote code execution (RCE) bug to drop the malware and launch a DDoS attack, RCE flaws "are not rare," as most people tend not to update home routers, access points, IP cameras, and the like, Nguyen noted.

Common Attack Methods

Mirai has been wreaking havoc since the mid-2010s, and is well known in the cybersecurity realm for having spawned numerous disruptive DDoS attacks against global organizations — including French technology company OVH, the government of Liberia, and DNS provider Dyn in an attack that affected websites such as Twitter, Reddit, GitHub, and CNN.

Mirai's core competency is to turn IoT devices like routers and cameras into zombies that attackers can control and use to deluge targets with massive amounts of traffic, causing a denial of service.

While at times it has appeared to evolve with the addition of new features or targets, or its use of new programming languages, the botnet has kept the same nine key attack vectors for flooding networks with traffic throughout its lifetime, according to Corero.

One is a UDP flood, a type of attack normally aimed at overwhelming the victim's bandwidth. In this attack, the victim can be a single destination IP, a subnet, or multiple subnets.

A second is what's called a Valve Source Engine query flood, which uses the static "TSource Engine Query" string as its payload. If no command parameters are given, this attack sends UDP traffic to destination port 27015.

The third attack method is one dubbed "DNS Water Torture" that does not go after a specific destination IP or subnet, but aims to overwhelm the resources of a DNS server by sending DNS queries to open resolvers, which prevents resolution in the victim's domain.

A fourth Mirai attack method is similar to a UDP flood but with fewer options and optimized for a higher packet rate (PPS), requiring only three arguments to trigger.

The fifth is a SYN flood that carries no payload, randomizes various ports, and is "tricky" for defenders to block. Another attack, an ACK flood, is similar to a SYN flood but carries a random payload whose sole purpose is to make the attack harder to block.

Mirai's seventh attack method is one in which "the botnet tries to not act like a bot," making it challenging for defenders to distinguish between normal and abnormal traffic, according to the report. It uses Simple Text Oriented Messaging Protocol (STOMP), a layer-7 application text-based protocol, but can change it to a different protocol for greater impact.

Another attack is a GRE flood that encapsulates the IP packets inside of GRE packets, randomizing the source IP, destination IP, UDP source port, UDP destination port, and UDP payload of the inner packet. This long-time method can use a "remarkably high BPS volume" and can cause "significant damage" to targeted victims, Nguyen wrote.

The last known Mirai attack method is an advanced and flexible layer 7 HTTP flood attack, which an attacker can customize by setting parameters, he added.

Defending Against Mirai

While its attack methods have remained consistent, the delivery of the Mirai malware may be different across device type, platform, or exploitable bugs, "which makes it rather unique," Nguyen wrote. However, Corero chose to focus its report on revealing the botnet's common attack methods to better prepare defenders to mitigate a DDoS attack that leverages the botnet.

That said, organizations can best defend against botnets like Mirai by implementing specialized solutions to detect network anomalies and mitigate against volumetric attacks, he says.
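As an added illustration of the anomaly detection Nguyen recommends (example code written here, not Corero's or Dark Reading's), the toy classifier below flags four of the vectors described above, the Source Engine query flood, DNS water torture, SYN flood and GRE flood, in constructed packet records. The record format, the thresholds and the digit-based "random label" heuristic are assumptions chosen for the example.

```python
from collections import defaultdict

# Constructed sample packet summaries (not captured traffic), one dict per packet.
SAMPLE_PACKETS = [
    # Source Engine query flood: static "TSource Engine Query" payload to UDP/27015
    {"proto": "udp", "src": "198.51.100.7", "dst": "203.0.113.5", "sport": 40001,
     "dport": 27015, "payload": b"\xff\xff\xff\xffTSource Engine Query\x00"},
    {"proto": "udp", "src": "198.51.100.8", "dst": "203.0.113.5", "sport": 40002,
     "dport": 27015, "payload": b"\xff\xff\xff\xffTSource Engine Query\x00"},
    # DNS water torture: random leading labels under one zone, sent to an open resolver
    *[{"proto": "udp", "src": "198.51.100.9", "dst": "203.0.113.53", "sport": 5000 + i,
       "dport": 53, "qname": f"{label}.example.com"}
      for i, label in enumerate(["a9x2", "kq71", "zz0p", "m3m3"])],
    # SYN flood: SYN only, empty payload, randomized source ports toward one target
    *[{"proto": "tcp", "src": "198.51.100.10", "dst": "203.0.113.80", "sport": 1024 + i,
       "dport": 80, "flags": "S", "payload": b""} for i in range(5)],
    # GRE flood: encapsulated packets with randomized outer source addresses
    {"proto": "gre", "src": "192.0.2.1", "dst": "203.0.113.5"},
    {"proto": "gre", "src": "192.0.2.2", "dst": "203.0.113.5"},
    # Benign traffic for contrast: a normal lookup and an established HTTP request
    {"proto": "udp", "src": "198.51.100.20", "dst": "203.0.113.53", "sport": 6000,
     "dport": 53, "qname": "www.example.com"},
    {"proto": "tcp", "src": "198.51.100.21", "dst": "203.0.113.80", "sport": 7000,
     "dport": 80, "flags": "PA", "payload": b"GET / HTTP/1.1\r\n"},
]

def classify(packets, dns_threshold=3, syn_threshold=4):
    """Return {vector_name: matched_packet_count} for the signatures described above."""
    counts = defaultdict(int)
    labels_per_zone = defaultdict(set)   # zone -> random-looking leading labels seen
    syn_ports_per_dst = defaultdict(set)  # target -> distinct source ports of bare SYNs
    for p in packets:
        if p["proto"] == "udp" and p.get("dport") == 27015 \
                and b"TSource Engine Query" in p.get("payload", b""):
            counts["source_engine_query_flood"] += 1
        elif p["proto"] == "udp" and p.get("dport") == 53 and "qname" in p:
            labels = p["qname"].split(".")
            # Assumed heuristic: a leading label containing digits is treated as random.
            if len(labels) > 2 and any(c.isdigit() for c in labels[0]):
                labels_per_zone[".".join(labels[-2:])].add(labels[0])
        elif p["proto"] == "tcp" and p.get("flags") == "S" and not p.get("payload"):
            syn_ports_per_dst[p["dst"]].add(p["sport"])
        elif p["proto"] == "gre":
            counts["gre_flood"] += 1
    for zone, labels in labels_per_zone.items():
        if len(labels) >= dns_threshold:       # many unique names under one zone
            counts["dns_water_torture"] += len(labels)
    for dst, ports in syn_ports_per_dst.items():
        if len(ports) >= syn_threshold:        # bare SYNs from many randomized ports
            counts["syn_flood"] += len(ports)
    return dict(counts)
```

In a real deployment the thresholds would be set per time window and per target rather than over a whole list, but the signatures themselves map directly onto the vectors Corero describes.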
