First used in 2016, the Mirai botnet is old news. Built by two university students, the IoT-powered botnet was initially used to extort money from game server hosts.
A few months later Mirai was used to launch one of the largest DDoS attacks ever seen, against internet DNS provider Dyn. Using malware-infected IoT devices such as CCTV cameras, the botnet was able to generate tens of millions of malicious requests directed at Dyn’s DNS service. When the service eventually failed, several of the world’s most popular websites were taken offline for approximately two hours.
Why does Mirai still matter?
There are a few reasons why Mirai still matters, even now, nearly six years after the original attack. First, the Mirai botnet is still active, meaning that there are tens of thousands of infected devices out there, primed for use in another DDoS attack. The Wynncraft Minecraft server attack in Q3 2022 proves the danger of Mirai has not gone away.
Second, the Mirai source code was leaked online, providing cybercriminals with a codebase on which to build and refine their own malware. Mirai code and techniques are believed to have inspired more recent botnet variants including Okiru, Satori, Masuta and PureMasuta.
In many ways, Mirai has shown the future of DDoS attacks. Using a decentralized, self-propagating network of zombie devices, cybercriminals are able to generate and direct vast amounts of traffic at their targets. Decentralizing the control process also makes it much harder to stop an attack because there is no longer a single command server for your security team to focus on.
As such, expect to see these kinds of IoT-based DDoS attacks more frequently in the future.
Why do we have to protect our own resources?
Given that Mirai (and similar malware) works by compromising IoT devices, who should take responsibility for preventing future DDoS attacks?
Mirai malware works by exploiting known vulnerabilities in the embedded Linux operating system used by various IoT devices like IP cameras and home routers. By issuing software updates, manufacturers could help to patch these vulnerabilities.
However, many of the compromised devices are from budget manufacturers who provide little or no support. Software updates are rare, or completely non-existent, because these vendors have little or no interest in providing after-sales support or fixes.
IoT device owners?
Often the compromised IoT devices are consumer-grade devices. Even if manufacturers provide firmware updates, many end users lack the knowledge or confidence to update their hardware. Given that the effects of infection are almost negligible (slightly increased bandwidth usage, occasional sluggishness), most users would not bother applying the patches anyway.
ISPs could detect and block malicious traffic if they chose to. However, because DDoS traffic volumes tend to be lower than regular video streaming, most ISPs classify the bandwidth usage as manageable, and therefore not worth worrying about.
As the only party with a vested interest, it is down to your business to protect against malware botnet activity. It is your bandwidth and resources being targeted, so you need to implement the relevant safeguards to identify and mitigate a DDoS attack.
How to protect your network against Mirai
The key to managing a Mirai DDoS attack is preparation, having mitigation safeguards in place before an attack is launched. FastNetMon provides reliable and accurate detection and response automation. Importantly, FastNetMon can respond in as little as two seconds, allowing you to block an attack before your resources are overwhelmed.
FastNetMon has been engineered to protect against the most advanced DDoS attacks, including:
- UDP, TCP, and ICMP flooding attacks.
- TCP protocol attacks such as SYN, SYN-ACK, and FIN floods.
- IP protocol attacks that use fragmented packets.
- Reflection and amplification attacks through NTP, SNMP, SSDP, DNS, GRE, Chargen, etc.
- Multi-vector attacks that employ a combination of techniques to evade mitigations.
But more than simply detecting DDoS attacks, FastNetMon can also automate your response. There are three key tools for mitigating a Mirai botnet attack:
- Blackhole automation – routing traffic to attacked IP addresses to a null0 interface, resulting in the traffic being dropped from the network without returning a response to the sender.
- FlowSpec mitigation – which filters out most volumetric attacks, including TCP floods, DNS amplification and reflection attacks, GRE floods, and SSDP, SNMP, and Memcached amplification attacks. Importantly, FlowSpec mitigation only catches and blocks malicious traffic at the routing stage.
- Block-list based filtering – which blocks traffic originating from specific senders. This approach can also disrupt malware activity by blocking communications with external C2 infrastructure.
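As an added illustration of the attack types and the mitigation tools described above (this is not FastNetMon's code), the following Python runs threshold-based per-host detection over constructed flow samples, labels the vectors it finds, and builds the two routing-level actions: a blackhole /32 announcement and per-vector FlowSpec rules. The threshold, window, addresses and next-hop are assumed values.

```python
from collections import Counter, defaultdict

# Constructed sFlow-style samples for a 2-second window, one entry per
# sampled flow: (dst_ip, protocol, tcp_flags, is_fragment, packets).
SAMPLE_FLOWS = [
    ("203.0.113.10", "tcp", "S", False, 70_000),   # SYN flood on a game server
    ("203.0.113.10", "tcp", "A", False, 3_000),    # legitimate established traffic
    ("203.0.113.10", "udp", "", True, 60_000),     # fragmented UDP, second vector
    ("203.0.113.20", "udp", "", False, 1_500),     # normal host, below threshold
    ("203.0.113.20", "icmp", "", False, 200),
]
THRESHOLD_PPS = 50_000                 # assumed per-host packets-per-second limit
BLACKHOLE_COMMUNITY = "65535:666"      # RFC 7999 well-known BLACKHOLE community

def classify_vectors(flows):
    """Count attack packets per vector: SYN/SYN-ACK/FIN floods, UDP and ICMP
    floods, and fragmented packets. Several vectors means a multi-vector attack."""
    vectors = Counter()
    for _dst, proto, flags, frag, pkts in flows:
        if frag:
            vectors["fragments"] += pkts
        elif proto == "tcp" and flags in ("S", "SA", "F"):
            vectors[f"tcp_{flags.lower()}_flood"] += pkts
        elif proto in ("udp", "icmp"):
            vectors[f"{proto}_flood"] += pkts
    return vectors

def detect(flows, window_seconds, threshold_pps=THRESHOLD_PPS):
    """Return {dst_ip: [vectors]} for hosts whose inbound pps exceeds the threshold;
    a vector is reported when it alone carries more than half the threshold."""
    by_dst = defaultdict(list)
    for f in flows:
        by_dst[f[0]].append(f)
    attacked = {}
    for dst, host_flows in by_dst.items():
        if sum(f[4] for f in host_flows) / window_seconds > threshold_pps:
            vec = classify_vectors(host_flows)
            attacked[dst] = sorted(v for v, p in vec.items()
                                   if p / window_seconds > threshold_pps / 2)
    return attacked

def blackhole_announcement(dst_ip, next_hop="192.0.2.1"):
    """Blackhole action: announce the victim /32 tagged BLACKHOLE so upstream
    routers discard everything for it (the null0 approach described above)."""
    return {"prefix": f"{dst_ip}/32", "next_hop": next_hop, "community": [BLACKHOLE_COMMUNITY]}

def flowspec_rules(dst_ip, vectors):
    """FlowSpec (RFC 8955) action: one match/discard rule per vector, so only
    the attack traffic is dropped and the host itself stays reachable."""
    rules = []
    for v in vectors:
        match = {"destination": f"{dst_ip}/32"}
        if v == "fragments":
            match["fragment"] = ["is-fragment"]
        elif v.startswith("tcp_"):
            match["protocol"], match["tcp-flags"] = "tcp", v.split("_")[1].upper()
        else:
            match["protocol"] = v.split("_")[0]          # "udp" or "icmp"
        rules.append({"match": match, "action": "discard"})
    return rules
```

Running `detect(SAMPLE_FLOWS, 2)` flags only 203.0.113.10, as a multi-vector SYN-plus-fragment attack, and the rule builders turn that into a blackhole route or two FlowSpec discards.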
Ready to learn more?
FastNetMon is future ready, able to protect against DDoS attacks from the Mirai botnet – or any other malware-driven source. To learn more, why not try FastNetMon free for one month?