
Mirai DDoS Botnet Powers Up and is Out of Control

In 2017, DDoS will be the largest cyber threat facing corporate security teams, largely because of two factors. First is the proliferation of the Mirai source code, which has only just begun; we are already seeing signs of its growing popularity. Second is the growth of the Internet of Things (IoT). With Gartner estimating that by 2020, 50 billion connected “things” will be on the internet, the pool of devices available for Mirai operators to infect could grow explosively. Very little protection is standing in the way of this growth.

The Mirai code, which was used against the krebsonsecurity.com website, showed that DDoS attacks will likely outpace what service providers like Akamai can scrub. More recently, the Mirai botnet was used to knock out 900,000 Deutsche Telekom customers. The infection exploited a vulnerability in the TR-069/TR-064 remote management service exposed on port 7547. These services are used to remotely manage the routers found in customer homes. One researcher discovered that there are over 40 million devices on the internet with port 7547 open, making them potentially vulnerable to Mirai infections. If you imagine the staggering amount of work required to continually update these devices, you can begin to understand why it simply isn’t done often enough, or at all. This is why the mere threat of a DDoS attack is enough for some companies to open their wallets to ransom requests.

Smartdust

The IoT growth Gartner estimates isn’t coming only from DVRs, routers, and handheld devices. There is potentially a much more widely deployed vulnerable computer on the horizon called Smartdust. These very small chips carry tiny microelectromechanical systems (MEMS) such as sensors, robots, or other devices that can, for example, transmit temperature, vibration, GPS coordinates, and more. If these IoT devices support IPv6, they could use IPv6 over Low-Power Wireless Personal Area Networks (6LoWPAN) to access the internet. If their onboard batteries are recharged by harvesting energy from radio signals or even the heat of the landfill they are buried in, these little devices could stay on the internet forever. Technologies like LoRa/Sigfox promise to give devices connectivity that costs little or nothing. If the cost of nanoscale sensors drops to a price point that essentially makes them disposable, IoT vendors will likely skimp on security measures on the assumption that the devices will end up as garbage anyway.

For example, projects built on sensor data collected from trillions of devices, such as the Planetary Skin Institute’s project or HP’s Central Nervous System for the Earth (CeNSE), could yield overwhelming numbers of bots if they are compromised. CeNSE proposes to collect, communicate, and analyze data from billions of nanoscale sensors. These sensors would be deployed in a Machine to Machine (M2M) network, but could also use 6LoWPAN to connect to the internet. Forgotten sensors with a long battery life and perpetual connectivity could become a huge problem: if they lack a built-in hardware shutdown function, they could sit in a landfill after their primary use expires and still be used for malicious activity for decades. We can look to Apple HomeKit for inspiration on how to minimize the risk of connected zombie devices. To be part of the ecosystem, third-party vendors have to support strong encryption and device identity in hardware, which would help protect against many of the “low hanging fruit” attacks that plague the devices involved in Mirai. Unfortunately, when scaling devices into the billions, cost to go to market becomes a major obstacle. The only way to convince vendors to do the right thing is to create standards that buyers demand, like the UL or CE marks on electronic devices. This may require government intervention on a world-wide scale. The problem with this is obvious.

Protection Against DDoS

Vendors such as A10, F5, and Radware manufacture scrubbing appliances that separate DDoS traffic from normal traffic streams. The question is whether they can scale while DDoS attacks grow in size by double-digit percentages every year. After speaking with one major United States service provider, we learned that their strategy against DDoS is to simply keep buying more bandwidth, which allows them to carry additional DDoS traffic loads and pushes the problem of stopping DDoS onto the shoulders of the companies being attacked. Victims of DDoS engage companies like Akamai for mitigation services, but, as Brian Krebs found out, their scrubbing capabilities were pushed to capacity.

Unfortunately, expensive traffic scrubbers are today’s best way to mitigate DDoS attacks. There is a lot of discussion on forums like NANOG.org about implementing best practices. For example, BCP38 ingress filtering would drop packets carrying spoofed source addresses, but the big service providers have little motivation to implement it, and source address validation only addresses the part of the problem that relies on spoofing. Ultimately, we need a way to detect, pinpoint, and remove devices that are participating in malicious traffic patterns like DDoS.
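To make the BCP38 point concrete, the following is an added example (not code from the original post or from any vendor) that simulates strict-mode source address validation on a provider access router: a packet arriving on a customer port is accepted only if the router's best route back to its source address points out that same port. The routing table, interface names and sample packets are constructed for illustration; the last sample packet shows the caveat the text raises, since a flood sent from a device's real address passes the check.

```python
import ipaddress

# Constructed routing table for a provider access router: prefix -> egress
# interface. The prefixes and interface names are made-up sample values.
ROUTES = {
    "203.0.113.0/24": "ge-0/0/1",   # customer A's assigned block
    "198.51.100.0/25": "ge-0/0/2",  # customer B's assigned block
    "0.0.0.0/0": "ge-0/0/0",        # default route toward the upstream
}
DEFAULT = ipaddress.ip_network("0.0.0.0/0")


def best_route(addr):
    """Longest-prefix match: return (network, interface) the router would
    use to reach addr, or None if nothing matches."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in ROUTES.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def bcp38_permit(src, ingress_iface):
    """Strict-mode source validation (BCP38 / uRPF strict): accept a packet
    arriving on a customer port only if the return path to its source
    address leaves via that same port. A source covered only by the
    default route is rejected, because a customer port should never
    originate traffic from 'anywhere on the internet'."""
    match = best_route(src)
    if match is None or match[0] == DEFAULT:
        return False
    return match[1] == ingress_iface


def filter_packets(packets):
    """Apply the check to (src, ingress_iface, note) tuples and return
    (src, ingress_iface, decision) tuples."""
    return [(src, iface, "permit" if bcp38_permit(src, iface) else "drop")
            for src, iface, _note in packets]


# Constructed sample packets, all arriving on customer A's port.
SAMPLE_PACKETS = [
    ("203.0.113.10", "ge-0/0/1", "customer A's own address"),
    ("198.51.100.7", "ge-0/0/1", "spoofing customer B's block"),
    ("192.0.2.44", "ge-0/0/1", "spoofing an unrelated address"),
    ("203.0.113.99", "ge-0/0/1", "infected device flooding from its real address"),
]

if __name__ == "__main__":
    for (src, iface, decision), (_, _, note) in zip(filter_packets(SAMPLE_PACKETS), SAMPLE_PACKETS):
        print(f"{src:15} on {iface}: {decision:6} ({note})")
```

The two spoofed packets are dropped and both packets with a genuine customer source are permitted, which is exactly why source address validation helps against reflection and spoofed floods but does nothing about a compromised device attacking under its own address.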

NetFlow and IPFIX collection systems can detect and even pinpoint the device participating in a DDoS attack, but removal is the hard part. Imagine a typical home with lots of appliances and handheld devices sitting behind a firewall performing NAT. Since they all leave the house with the same IP address, how do you know which device(s) in the house are engaged in the malicious activity?
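The following is an added example, not code from the original post, that runs a simple flow-based detection over constructed IPFIX-style records and then shows the NAT attribution problem described above. It assumes two hypothetical exporters, "isp-edge" (which sees only the home's public address after NAT) and "home-lan" (the router's LAN side, which sees private addresses), plus a constructed NAT translation table from the same router; all addresses, ports and counters are made-up sample values.

```python
import csv
import io
from collections import defaultdict

# Constructed IPFIX-style flow records flattened to CSV. "isp-edge" is the
# provider-side exporter, "home-lan" the router's LAN-side exporter.
FLOWS_CSV = """exporter,src_ip,src_port,dst_ip,dst_port,proto,packets,bytes
isp-edge,203.0.113.10,40001,192.0.2.80,80,6,1200,72000
isp-edge,203.0.113.10,40002,192.0.2.80,80,6,1180,70800
isp-edge,203.0.113.10,40003,192.0.2.80,80,6,1210,72600
isp-edge,203.0.113.10,51234,198.51.100.20,443,6,40,30000
isp-edge,203.0.113.77,33000,198.51.100.25,443,6,25,18000
home-lan,192.168.1.23,40001,192.0.2.80,80,6,1200,72000
home-lan,192.168.1.23,40002,192.0.2.80,80,6,1180,70800
home-lan,192.168.1.23,40003,192.0.2.80,80,6,1210,72600
home-lan,192.168.1.5,51234,198.51.100.20,443,6,40,30000
"""

# Constructed NAT translation entries from the home router:
# public source port -> (private_ip, private_port). Assumes the router
# preserves source ports; real CPE rarely exports this table at all.
NAT_TABLE = {
    40001: ("192.168.1.23", 40001),
    40002: ("192.168.1.23", 40002),
    40003: ("192.168.1.23", 40003),
    51234: ("192.168.1.5", 51234),
}


def load_flows(text):
    """Parse the CSV flow export into a list of dicts (one per flow)."""
    return list(csv.DictReader(io.StringIO(text)))


def suspicious_sources(flows, exporter, min_flows=3, min_packets=3000):
    """Aggregate flows per (src, dst) pair for one exporter and flag pairs
    whose flow count and packet volume both exceed the thresholds: many
    flows hammering a single destination is the shape of a participant in
    a volumetric DDoS. Returns sorted (src_ip, dst_ip, total_packets)."""
    agg = defaultdict(lambda: {"flows": 0, "packets": 0})
    for f in flows:
        if f["exporter"] != exporter:
            continue
        key = (f["src_ip"], f["dst_ip"])
        agg[key]["flows"] += 1
        agg[key]["packets"] += int(f["packets"])
    return sorted(
        (src, dst, v["packets"])
        for (src, dst), v in agg.items()
        if v["flows"] >= min_flows and v["packets"] >= min_packets
    )


def attribute_behind_nat(flows, public_ip, dst_ip, nat_table):
    """Map provider-side flows from public_ip to dst_ip back to the internal
    devices using the router's NAT table. Without this table (or LAN-side
    flow export) the provider sees one address for the whole household."""
    devices = set()
    for f in flows:
        if (f["exporter"] == "isp-edge" and f["src_ip"] == public_ip
                and f["dst_ip"] == dst_ip):
            entry = nat_table.get(int(f["src_port"]))
            if entry:
                devices.add(entry[0])
    return sorted(devices)


if __name__ == "__main__":
    flows = load_flows(FLOWS_CSV)
    print("provider view:", suspicious_sources(flows, "isp-edge"))
    print("LAN view:     ", suspicious_sources(flows, "home-lan"))
    print("attributed to:", attribute_behind_nat(flows, "203.0.113.10", "192.0.2.80", NAT_TABLE))
```

The provider-side view flags the household's public address 203.0.113.10 but cannot say more; only the LAN-side flows or the NAT table narrow the culprit to 192.168.1.23 while leaving the laptop at 192.168.1.5 untouched. That is the gap the text describes: detection and pinpointing to a subscriber are feasible from the provider's NetFlow/IPFIX data, but device-level removal needs visibility inside the home.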