From Carna To Mirai: Recovering From A Lost Opportunity

We had four years to prepare for recent DDoS attacks and failed. How can we learn from our mistakes?

Bob Rudis & Deral Heiland, Rapid7 Chief Data Scientist & IoT Research Lead

December 8, 2016


Those not immersed in security and technology are mostly oblivious to one fact: the Internet is a fragile ecosystem. There are many parallels between the Internet and the ecosystems that span our globe. Each has vital resources that need to be protected and utilized for the greater good. When there is an imbalance in an ecosystem, bad things happen.

We saw this twice recently with the Mirai botnet, which co-opted a cadre of devices in the Internet of Things and forced them to issue denial-of-service (DoS) attacks that crippled many sites and services. But we knew this was coming and did virtually nothing to stop it, just like many real-world ecosystem disasters.

Let's look at where we were four years ago, how far we've progressed, and what we could do to stave off an Internet ecosystem disaster.

Back to the Future: The Carna Botnet
The Internet and media were abuzz four years ago when individuals claiming to be researchers — they remain anonymous to this day — released reports from what was described as the most comprehensive scan of the Internet to date. This became known as the 2012 Internet Census, and it provided insight into what was running on the Internet back then. These anonymous researchers hijacked home routers using weak, default credentials and installed software on those devices that let them control the execution of Internet service scans. While they claim to have done this solely to study the Internet, it is not known if they only performed harmless actions or used the devices in more malicious ways.

Reliving the Past until We Get It Right
Let the previous section sink in for a minute: we knew this was possible four years ago, and as each year passed we knew there would be more "things" connected to the Internet, yet we did nothing to prevent these "things" from being deployed insecurely.

We're now at a point in time when it's easy to quickly scan the entire Internet and — if you're performing scans from hacked machines — at virtually no expense or risk.

When these devices are taken over and used maliciously because of vulnerabilities or weak default configurations, there are no consequences for manufacturers of IoT devices, owners of IoT devices, or network providers where these IoT devices originate communications.

Again, we're reliving the pain of decades of PC bots and viruses in the era of IoT with some key differences when it comes to things such as vulnerabilities, rampant adoption, usability, and exposure. There is another problem that comes with millions of IoT bots joining together in massive attacks: we're virtually defenseless, primarily because of how the Internet has been architected.

The distributed DoS mitigation company protecting Brian Krebs had to abandon him as a customer because it couldn't absorb the attack on his site in September. Even if there were a handful of providers that could absorb such attacks, most people and organizations couldn't afford to use them, leaving everyone else at the mercy of the attackers. This is what's at risk if we retain the status quo.

A Secure Path Forward
If we do nothing, the attacks we saw this fall will not only be repeated, they will grow larger, have longer impact, and potentially have more sinister outcomes. What can be done?

For starters, more IoT vendors should follow Hangzhou Xiongmai's lead and recall products that have unfixable or easily exploitable default configurations. Although this step would be the responsible thing to do, it might not have the impact you'd expect. There's no surefire way to notify all individuals with problem equipment, and it only takes a scarily small number of vulnerable systems to cause widespread damage.

Another option is for each of us, in every country, to work with lawmaking bodies and get sane standards and regulations put forth for IoT devices. This won't affect the vast number of devices that are already out there, but most of us will throw these things away as we upgrade devices to take advantage of new features (or they'll just break down, as many aren't made to last). This approach can be time-consuming, and it may take five years to have strong, enforceable standards in place.

A third option is for Apple, Amazon, and Google to co-develop requirements for when manufacturers want to integrate their IoT devices with the ecosystems of those three companies. These three are fast becoming the gatekeepers of IoT, and if they set the bar high enough it would have an immediate downstream effect. My guess is that we'd see more secure versions of products within one product release cycle and discounts for upgrade/trade-in offers.

A fourth option: a "cash for clunkers"-like program. Given the potential impact of these insecure "things," governments around the world — in partnership with nonprofit foundations — could band together and offer cash incentives for bringing in derelict devices. Coordination at this scale would be difficult, but it would be a boost to security and the global economy.

The Internet of Things has the potential to dramatically change our lives for the better and for the worse. We must all work to understand the current, tenuous state our fragile Internet ecosystem is in, then work together to ensure it will be there when we expect it to be.

About the Author(s)

Bob Rudis & Deral Heiland

Rapid7 Chief Data Scientist & IoT Research Lead

Bob Rudis, Chief Data Scientist, Rapid7
Bob Rudis has over 20 years of experience using data to help defend global Fortune 100 companies and is a chief security data scientist at Rapid7. Bob is a serial tweeter (@hrbrmstr), avid blogger, author (Data-Driven Security), speaker, and regular contributor to the open source community. He currently serves on the board of directors for the Society of Information Risk Analysts, is on the editorial board of the SANS Securing The Human program, and was co-chair of the 2014 Metricon security metrics/analytics conference. He holds a bachelor's degree in computer science from the University of Scranton.

Deral Heiland, IoT Research Lead, Rapid7
Deral is responsible for security assessments and consulting for corporations and government agencies. He has over 20 years of experience in the information technology field and has held multiple positions, including senior network analyst, network administrator, database manager, and financial systems manager. Deral is also founder of the Ohio Information Security Forum, a not-for-profit organization that focuses on information security training and education. He has presented at numerous national and international security conferences, including Blackhat, ShmooCon, Defcon, Derbycon, Securitybyte India, and Hackcon in Oslo, Norway, and he has been interviewed and quoted by several media outlets and publications, including Bloomberg UTV, MIT Technical Review, MSNBC, and PCworld.
