Largest DDoS Attack by Packet Volume Unleashed
Cybersecurity software company Imperva recently uncovered the largest distributed denial-of-service (DDoS) attack by packet volume.
According to Imperva, in early January of this year the company’s DDoS protection service mitigated an attack against one of its clients that peaked at more than 500 million packets per second, the highest packet rate ever recorded for a DDoS attack.
What Is Packets Per Second (PPS)?
Packets per second (PPS) measures forwarding rate: the number of network packets that a piece of networking equipment such as a router, firewall or load balancer can process in one second. Forwarding rate is often confused with throughput, also known as bandwidth.
Throughput is the amount of data that can travel through a connection in a given time. Forwarding rate is measured in PPS; throughput is measured in bits per second (bps), or at the scale of modern attacks in gigabits per second (Gbps) and terabits per second (Tbps).
In layman’s terms, throughput is like the weight capacity of an elevator, while forwarding rate is like the maximum number of people permitted inside it. Like people, network packets come in different sizes: a bare TCP SYN can be as small as 40 bytes, while a full-size Ethernet frame carries around 1,500 bytes. So the number of packets that make up a gigabit depends entirely on how large those packets are, and a device rated for a given bandwidth can be overwhelmed by a stream of small packets that uses only a fraction of that bandwidth.
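The relationship between the two measures is simple arithmetic, and it is worth doing with the numbers quoted in this article. The following is an added example written for this page, not code from the article or from Imperva; the 40-byte SYN size and the constructed one-second samples are assumptions, while the 1.35 Tbps / 126.9 Mpps pair is the GitHub figure reported later in the article.

```python
# Added example (not from the article or from Imperva): the arithmetic that
# links forwarding rate (packets per second) to throughput (bits per second).


def bps_from_pps(pps: float, avg_packet_bytes: float) -> float:
    """Throughput in bits per second produced by `pps` packets of a given mean size."""
    return pps * avg_packet_bytes * 8


def pps_from_bps(bps: float, avg_packet_bytes: float) -> float:
    """Packet rate needed to fill `bps` using packets of a given mean size."""
    return bps / (avg_packet_bytes * 8)


def avg_packet_bytes(bps: float, pps: float) -> float:
    """Mean packet size implied by a reported (bps, pps) pair."""
    return bps / 8 / pps


def classify_window(packet_lengths, small_packet_bytes: int = 128):
    """Summarise one second of captured packet lengths (bytes) as
    (pps, bps, label). A small mean packet means the window stresses
    forwarding rate; a large mean packet stresses bandwidth."""
    lengths = list(packet_lengths)
    pps = len(lengths)
    bps = sum(lengths) * 8
    mean = sum(lengths) / pps if pps else 0.0
    label = "packet-rate heavy" if mean < small_packet_bytes else "bandwidth heavy"
    return pps, bps, label


if __name__ == "__main__":
    # GitHub 2018 as quoted in the article: 1.35 Tbps at 126.9 Mpps.
    print(f"GitHub 2018 mean packet: {avg_packet_bytes(1.35e12, 126.9e6):.0f} bytes")
    # 500 Mpps of minimum-size 40-byte TCP SYNs (assumed size) is only 160 Gbps...
    print(f"500 Mpps of 40-byte SYNs: {bps_from_pps(500e6, 40) / 1e9:.0f} Gbps")
    # ...while 1.35 Tbps made of 40-byte packets would be 4.2 billion pps.
    print(f"1.35 Tbps of 40-byte SYNs: {pps_from_bps(1.35e12, 40) / 1e9:.2f} Gpps")
    # Constructed one-second samples: 1,000 small packets versus 100 large ones.
    print(classify_window([40] * 1000))
    print(classify_window([1400] * 100))
```

The GitHub attack averaged about 1,330 bytes per packet, which is why its record bandwidth came with a comparatively modest packet rate; a flood of minimum-size SYNs at 500 Mpps carries only about 160 Gbps yet asks the forwarding path to make three times as many per-packet decisions.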
Protocol DDoS Attacks versus Volumetric DDoS Attacks
For years, DDoS protection service providers and clients have focused on throughput attacks, also known as volumetric DDoS attacks or bandwidth-intensive attacks. Forwarding attacks, also known as protocol DDoS attacks or PPS attacks, meanwhile, are given less attention.
Protocol DDoS Attacks
A protocol DDoS attack goes after the connection state and processing capacity of servers and of the equipment in front of them (firewalls, load balancers, the scrubbing service itself) rather than after raw bandwidth. This type of attack is measured in packets per second (PPS). If the packet rate is high enough, the target exhausts its connection tables or CPU and stops responding.
One of the ways attackers take servers down in a protocol DDoS attack is the SYN flood. In a SYN flood, the attacker abuses the first step of the normal TCP three-way handshake (SYN, SYN-ACK, ACK): it sends a stream of SYN packets and never sends the final ACK, so the targeted server holds a half-open connection for each one until it times out. Once the server’s backlog of half-open connections is full, legitimate clients can no longer connect and the server appears unresponsive.
TCP, the Transmission Control Protocol, defines how computers set up connections and exchange data reliably over the internet. The attacker in a SYN flood sends connection requests faster than the target can process and expire them, exhausting the target’s connection state rather than its bandwidth, which is why a SYN flood can be effective at packet rates that use relatively little throughput.
According to Imperva, the attack its DDoS protection service mitigated in early January of this year was a SYN flood “augmented by a large syn flood (packets of 800-900 bytes)”. Imperva added, “The source ports and addresses of the traffic sent to our customer’s server were highly randomized and probably spoofed.”
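Randomized, spoofed sources change how a SYN flood has to be detected: a per-IP rate limit sees each forged address only once and never fires, while the aggregate ratio of handshakes started to handshakes completed is impossible to hide. The following is an added example written for this page, not code from the article or from Imperva. The one second of traffic it analyses is constructed (200 legitimate clients, 5,000 spoofed SYNs) and the alert thresholds are assumed values.

```python
# Added example (not from the article or Imperva): why a SYN flood from
# randomized, spoofed sources must be detected in aggregate, not per source.
from collections import Counter
import random


def build_sample_second(seed: int = 1):
    """Constructed inbound traffic for one second, as (src_ip, tcp_flags).
    200 legitimate clients each send a SYN and then the ACK that completes
    the handshake; 5,000 SYNs arrive from random (spoofed) sources that never ACK."""
    rng = random.Random(seed)
    packets = []
    for i in range(200):
        ip = f"198.51.100.{i + 1}"
        packets += [(ip, "S"), (ip, "A")]
    for _ in range(5000):
        ip = ".".join(str(rng.randint(1, 254)) for _ in range(4))
        packets.append((ip, "S"))
    rng.shuffle(packets)
    return packets


def syn_flood_indicators(packets, per_source_limit: int = 20, syn_to_ack_limit: float = 3.0):
    """Aggregate SYN-flood indicators for one second of inbound packets.
    per_source_alert: what a classic per-IP rate limiter would see.
    aggregate_alert: handshakes started versus completed across all sources
    (only the handshake-completing ACK is counted in this simplified model)."""
    syn_sources = Counter(ip for ip, flags in packets if flags == "S")
    acks = sum(1 for _, flags in packets if flags == "A")
    syns = sum(syn_sources.values())
    busiest = max(syn_sources.values(), default=0)
    ratio = syns / acks if acks else float("inf")
    return {
        "syn_count": syns,
        "ack_count": acks,
        "distinct_syn_sources": len(syn_sources),
        "busiest_source_syns": busiest,
        "syn_to_ack_ratio": ratio,
        "per_source_alert": busiest > per_source_limit,   # stays False: 1 SYN per spoofed IP
        "aggregate_alert": ratio > syn_to_ack_limit,      # fires: 5,200 SYNs for 200 ACKs
    }


if __name__ == "__main__":
    for key, value in syn_flood_indicators(build_sample_second()).items():
        print(f"{key}: {value}")
```

Because the sources are forged, blocklisting them is pointless; the usual answers are SYN cookies on the server (`net.ipv4.tcp_syncookies=1` on Linux), which let it complete handshakes without storing state, and upstream filtering keyed on the aggregate ratio rather than on individual addresses.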
Volumetric DDoS Attacks
In a volumetric DDoS attack, an attacker sends voluminous traffic to a site to overwhelm its bandwidth. The DDoS attacks launched by Mirai botnets are examples of volumetric DDoS attacks.
Mirai is malicious software (malware) that infects internet of things (IoT) devices such as routers, IP cameras and digital video recorders by logging in with factory default username and password combinations that their owners never changed. The first version of Mirai infected hundreds of thousands of IoT devices this way.
Once infected with Mirai malware, these compromised IoT devices are then turned into a botnet – an army of infected IoT devices controlled by an attacker or attackers to conduct malicious activities such as DDoS attacks. The creator of Mirai made the source code of this malware publicly available, enabling others to use this malware for their own means.
According to the UK National Crime Agency (NCA), Daniel Kaye from Egham, Surrey operated his own Mirai botnet, composed of a network of infected Dahua security cameras, to carry out DDoS attacks on Lonestar, the largest Liberian internet provider. The NCA said that the traffic from Kaye’s Mirai botnet was so high in volume that it disabled internet access all over Liberia in November 2016. A UK court recently sentenced Kaye to 2 years and 8 months in prison for this cybercrime.
Another way attackers launch volumetric DDoS attacks is through memcached, a database caching system used to speed up websites and networks. Memcached isn’t supposed to be exposed to the public internet. Arbor Networks, however, reported on February 27, 2018 that many memcached servers had been deployed worldwide reachable from the internet and with no authentication, leaving them open for attackers to abuse as reflectors.
On February 28, 2018, the popular code repository GitHub reported that its site was unavailable for a few minutes as a result of a memcached-based DDoS attack which peaked at 1.35 Tbps via 126.9 million packets per second.
A memcached attack works by sending small requests over UDP to exposed memcached servers, with the source address forged to be the victim’s. The servers then send their much larger responses to the victim, magnifying the volume of traffic many times over; this is a reflection and amplification attack.
Unlike Mirai, which needs to infect vulnerable devices, DDoS attacks using the memcached approach only need to spoof the IP address of the victim and send small queries to many memcached servers. According to Akamai, memcached can have an amplification factor of over 500,000, which means that a 203 byte request results in a 100 megabyte response.
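The memcached UDP protocol is what makes the amplification possible: each datagram carries an 8-byte header and then the plain-text command, and an exposed server answers a 15-byte "stats" request with hundreds of bytes, or a large cached value with megabytes. The following is an added example written for this page, not code from the article, Akamai, Arbor Networks or the memcached project. The frame layout follows the memcached protocol documentation; the reply payload and the request rates are constructed.

```python
# Added example (not from the article or any vendor's code): the memcached
# UDP frame header and the amplification arithmetic behind the 2018 attacks.
import struct

MEMCACHED_UDP_PORT = 11211
# Header per memcached's protocol.txt: request id, sequence number,
# total datagrams in this message, reserved (must be 0); big-endian 16-bit each.
HEADER = struct.Struct("!HHHH")


def memcached_udp_frame(request_id: int, command: bytes, seq: int = 0, total: int = 1) -> bytes:
    """Build one memcached UDP datagram: 8-byte header followed by the text command."""
    return HEADER.pack(request_id, seq, total, 0) + command


def parse_memcached_udp_frame(datagram: bytes) -> dict:
    """Split a memcached UDP datagram into its header fields and payload."""
    if len(datagram) < HEADER.size:
        raise ValueError("datagram shorter than memcached UDP header")
    request_id, seq, total, reserved = HEADER.unpack_from(datagram)
    return {"request_id": request_id, "seq": seq, "total": total,
            "reserved": reserved, "payload": datagram[HEADER.size:]}


def looks_like_memcached_reply(datagram: bytes) -> bool:
    """True when a datagram parses as a memcached UDP frame carrying a stats or
    value reply, i.e. the host answers memcached over UDP and is usable as a reflector."""
    try:
        frame = parse_memcached_udp_frame(datagram)
    except ValueError:
        return False
    return frame["reserved"] == 0 and frame["payload"].startswith((b"STAT ", b"VALUE "))


def amplification_factor(request_bytes: int, response_bytes: int) -> float:
    """Bytes delivered to the victim per byte the attacker sends."""
    return response_bytes / request_bytes


def reflected_bps(attacker_requests_per_second: float, response_bytes: int) -> float:
    """Traffic arriving at the spoofed victim address, in bits per second."""
    return attacker_requests_per_second * response_bytes * 8


if __name__ == "__main__":
    request = memcached_udp_frame(0x1234, b"stats\r\n")
    # Constructed reply: a short stats answer (real ones run to a few kilobytes).
    reply = memcached_udp_frame(0x1234, b"STAT pid 1\r\nSTAT uptime 7\r\nEND\r\n")
    print(f"{len(request)} byte request -> {len(reply)} byte reply, "
          f"factor {amplification_factor(len(request), len(reply)):.1f}")
    # Akamai's figure quoted in the article: a 203-byte request returning 100 MB.
    print(f"203 B -> 100 MiB: factor {amplification_factor(203, 100 * 1024 * 1024):,.0f}")
    # Assumed rate: 10,000 spoofed requests per second reflected as 100 MiB replies.
    print(f"reflected: {reflected_bps(1e4, 100 * 1024 * 1024) / 1e12:.1f} Tbps")
```

Two things follow from the arithmetic. On the server side, memcached 1.5.6 and later ship with UDP disabled; older builds need `-U 0` and, in any case, port 11211 should never be reachable from the internet. On the network side, the attack only works because the attacker can forge the victim’s source address, so providers that apply ingress filtering (BCP 38) cannot be used to launch it.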
How to Prevent DDoS Attacks
While both PPS and bandwidth-intensive DDoS attacks can be highly damaging to victims, they differ in how they are mitigated.
In the case of the GitHub DDoS attack, which was considered the largest DDoS attack ever at the time, the bandwidth peaked at 1.35 Tbps, but the packet rate was only 126.9 million packets per second, roughly a quarter of the packet rate of the recent attack mitigated by Imperva.
“For a DDoS protection or mitigation service, mitigating a high PPS attack can be its Achilles heel, while a bandwidth-intensive attack can be much easier to handle, even with hundreds of gigabits per second, if it is composed of a smaller number of large-sized packets,” Imperva said.
The Driz Group is Imperva’s partner and can help your organization mitigate DDoS attacks in a matter of minutes. Contact us today and protect your infrastructure and sensitive information.
Mirai Botnet Operator Responsible for Cutting Off Internet Access of an Entire Country Jailed
A UK court recently sentenced 30-year-old Daniel Kaye to 2 years and 8 months in prison for operating a Mirai botnet whose attacks cut off internet access for the entire country of Liberia.
Kaye pleaded guilty to carrying out intermittent distributed denial of service (DDoS) attacks on the Liberian telecommunications provider Lonestar MTN. According to Kaye, he was hired by a rival Liberian network provider and paid a monthly retainer to conduct the attacks.
According to the UK National Crime Agency (NCA), from September 2016 Kaye operated his own Mirai botnet, composed of a network of infected Dahua security cameras, to carry out intermittent DDoS attacks on Lonestar. In November 2016, the NCA said, the traffic from Kaye’s Mirai botnet was so high in volume that it disabled internet access all over Liberia.
The intermittent DDoS attacks on Lonestar, the NCA added, resulted in revenue losses of tens of millions of US dollars as customers left the network, and cost the company approximately 600,000 USD in remediation to prevent the attacks from happening again.
What Is a Mirai Botnet?
Mirai is a malicious software (malware) that infects Internet of Things (IoT) devices, such as video cameras, and turns these infected IoT devices into a botnet – referring to a group of infected computers that’s operated under the control of a cybercriminal to conduct malicious activities such as DDoS attacks.
Mirai first came to public attention on September 20, 2016, when it attacked Brian Krebs’ security blog. The DDoS attack on Krebs’ security blog was considered one of the largest on record at the time. By the end of September 2016, just days after the DDoS attack on Krebs’ security blog, the author of Mirai, using the name “Anna Senpai”, released the source code of Mirai on an online hacking forum. Anna Senpai claimed that 380,000 IoT devices had been infected by the Mirai malware and formed part of the botnet that took down Krebs’ website.
The Mirai source code reveals that this malware continuously scans the internet for IoT devices that accept any of 61 factory default username and password combinations. While 62 combinations are listed in the Mirai source code, one is a duplicate, leaving 61 unique combinations.
Given that many owners of IoT devices didn’t bother to change factory default usernames and passwords, the Mirai malware easily infected hundreds of thousands of IoT devices and turned them into a botnet for DDoS attacks.
The publication of the Mirai source code on an online forum encouraged other cybercriminals to copy the code and operate their respective Mirai botnets. Following the publication of the Mirai source code, a series of high-profile DDoS attacks were attributed to Mirai botnets.
On October 21, 2016, Mirai brought down a big chunk of the internet on the U.S. east coast. Dyn, an internet infrastructure company, was the subject of a DDoS attack that rendered popular websites inaccessible to the public. Dyn, in a statement, said that a significant volume of the attack traffic originated from Mirai botnets. To date, the perpetrator of the Dyn DDoS attack remains unknown and no case has been filed against anyone in relation to this attack.
In addition to Lonestar DDoS attacks, Kaye also admitted to launching DDoS attacks using his own Mirai botnet on Deutsche Telekom that affected 1 million customers in November 2016. Kaye was extradited to Germany for this crime but only received a suspended sentence.
In late 2017, three college-age friends, Paras Jha, Josiah White and Dalton Norman, pleaded guilty before a U.S. court to creating the Mirai malware. Jha, in particular, pleaded guilty to launching multiple DDoS attacks using Mirai on the Rutgers University computer system, resulting in the shutdown of a university server used for all communications among faculty, staff and students.
Jha, White and Norman dodged jail. Jha, in particular, was ordered by a New Jersey court to pay $8.6 million in restitution and serve 6 months of home incarceration for launching DDoS attacks on the Rutgers University computer network.
The U.S. Department of Justice, in a statement, said that Jha, White and Norman’s involvement with the Mirai ended when Jha posted the Mirai source code on an online forum. “Since then, other criminal actors have used Mirai variants in a variety of other attacks,” the U.S. Department of Justice said.
The publication of a source code of a malware has two sides. First, it encourages script kiddies – those who attempt to launch cyberattacks using scripts or codes written by others, such as in the case of Mirai. Many script kiddies, using the original Mirai source code, have been able to build their own DDoS botnets and offer the service called “DDoS-for-hire”.
Second, the flipside of making a malware source code public is that this enables the cybersecurity community to study the code and develop tools and advisories that could render this malware inoperable or useless.
There are currently available security tools that block DDoS attacks coming from Mirai botnets. Also, a simple change of factory default username and password combinations can prevent IoT devices from being infected by the Mirai malware and, in effect, could prevent DDoS attacks.
Cybercriminals are, however, relentless in their campaigns. Since the publication of the Mirai source code, cybercriminals have tweaked it to infect not just IoT devices but enterprise servers as well. Attackers also no longer rely only on factory default login details to infect devices; they exploit known security vulnerabilities too.
New Mirai Variant Hijacks Enterprise Linux Servers for DDoS Attacks
Researchers at Netscout have discovered a new variant of Mirai – a malicious software (malware) once known for hijacking hundreds of thousands of Internet of Things (IoT) devices, including wireless cameras, routers and digital video recorders, to conduct powerful distributed denial-of-service (DDoS) attacks.
Instead of infecting IoT devices, researchers at Netscout said, the new Mirai variant infects non-IoT devices, in particular enterprise Linux servers running Apache Hadoop YARN, to serve as DDoS bots.
The original Mirai malware, at its peak, infected hundreds of thousands of IoT devices, controlling these infected IoT devices as botnet to conduct high-impact DDoS attacks. Botnet refers to a group of computers controlled by attackers without the knowledge and consent of the owners to conduct malicious activities, including DDoS attacks. In a DDoS attack, the botnet or controlled computers act in unison, flooding the internet connection of a target, for instance, a particular website.
The original Mirai first came to public attention when it launched a DDoS attack against the website of journalist Brian Krebs on September 20, 2016. A few days later, on September 30, the source code of Mirai was publicly released on the English-language hacking community Hackforums by a user using the screen name “Anna-senpai”.
Paras Jha, 22, the person behind Anna-senpai, pleaded guilty to co-creating Mirai. According to the U.S. Department of Justice, Jha, along with his two college-age friends Josiah White and Dalton Norman, admitted that from December 2016 to February 2017 they successfully infected more than 100,000 IoT devices, such as home internet routers, with Mirai malware and used the hijacked IoT devices to form a powerful DDoS botnet.
Since the public release of the source code of Mirai, a number of Mirai variants have been created and released into the wild. According to Netscout researchers, this latest Mirai variant “is the first time we’ve seen non-IoT Mirai in the wild”.
How the Latest Mirai Variant Works
To deliver the latest Mirai variant, attackers exploit a security weakness in Apache Hadoop YARN: in its default configuration, YARN’s ResourceManager accepts job submissions over its REST API without any authentication, so anyone who can reach that interface can run commands on the cluster.
Apache Hadoop is an open source software framework that enables a cluster or group of computers to communicate and work together to store and process large amounts of data in a highly distributed manner. Meanwhile, YARN, which stands for Yet Another Resource Negotiator, is a key feature of Hadoop that helps in job scheduling of various applications and resource management in the cluster.
According to Netscout researchers, the latest Mirai variant targets unpatched Linux servers running Apache Hadoop YARN and will also attempt to brute-force the Hadoop YARN server’s factory default username and password; a brute-force attack systematically tries username and password combinations until one works.
DemonBot Vs. Latest Mirai Variant
Researchers at Radware detected last month another malware called “DemonBot” that infects Hadoop clusters by leveraging YARN’s unauthenticated remote command execution.
The main similarity between DemonBot and the latest Mirai variant is that both malware exploit the Hadoop YARN security vulnerability in order to infect computers. Both malware programs also turn infected computers as botnet for the purpose of launching DDoS attacks.
Enterprise Linux servers running Apache Hadoop YARN infected by DemonBot and the latest Mirai variant are dangerous as these servers account for large volumes of DDoS traffic.
The main difference between DemonBot and the latest Mirai variant is that DemonBot spreads only via central servers and doesn’t exhibit the worm-like behavior of Mirai variants. Mirai’s worm-like behavior, its ability to spread itself across networks without user interaction, makes it a more dangerous malware than DemonBot.
According to Radware researchers, as of late October of this year, attackers were attempting to exploit the Hadoop YARN vulnerability to deliver DemonBot at an aggregated rate of over 1 million attempts per day.
Original Mirai Vs. Latest Mirai Variant
According to Netscout researchers, the latest Mirai variant behaves much like the original Mirai. This means that both have worm-like behavior and enslave infected computers for the purpose of launching DDoS attacks.
The main difference between the original Mirai and the latest Mirai variant is that while the original Mirai runs on IoT devices, the latest Mirai variant runs on Linux servers, in particular, those running Apache Hadoop YARN.
“Linux servers in datacenters have access to more bandwidth than IoT devices on residential networks, making them much more efficient DDoS bots,” researchers at Netscout said. “A handful of well-resourced Linux servers can generate attacks that compete with a much larger IoT botnet.”
According to Netscout researchers, there are tens of thousands of attempts per day to exploit the Hadoop YARN vulnerability to deliver the latest Mirai variant.
The risk of further cyberattacks is high for machines infected by malware like Mirai. To prevent attackers from hijacking your organization’s Linux servers running Apache Hadoop YARN for DDoS attacks, keep the ResourceManager off the public internet (restrict its web and REST ports, 8088 by default, to trusted networks), enable Hadoop’s Kerberos authentication and YARN access control lists so that the REST API no longer accepts anonymous job submissions, and use strong, unique credentials wherever a username and password is involved.
Also, keep all your organization’s software up to date and slow down brute-force attacks with an account lockout or rate-limiting policy on any password-protected login: for instance, after a certain number of failed login attempts, the account is locked until an administrator unlocks it. Note that a lockout policy only helps where a password is actually checked; it does nothing for a YARN interface that accepts jobs without one.
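As an added example for the hardening advice above (written for this page; not code from the article, Netscout or the Hadoop project), the following script audits a cluster’s core-site.xml and yarn-site.xml for the settings that decide whether the ResourceManager accepts job submissions from anyone who can reach it. The property names and their shipped defaults are real Hadoop settings; the two sample configuration pairs, the host names and the addresses are constructed.

```python
# Added example (not from the article, Netscout or the Hadoop project): an
# offline audit of core-site.xml / yarn-site.xml for the settings that let
# anyone who can reach the ResourceManager submit jobs without credentials.
import xml.etree.ElementTree as ET

# Constructed sample configs (not from a real cluster). The insecure pair leaves
# every security property at its shipped default and binds the web UI everywhere.
INSECURE_CORE_SITE = """<?xml version="1.0"?>
<configuration>
  <property><name>fs.defaultFS</name><value>hdfs://namenode:8020</value></property>
</configuration>"""
INSECURE_YARN_SITE = """<?xml version="1.0"?>
<configuration>
  <property><name>yarn.resourcemanager.webapp.address</name><value>0.0.0.0:8088</value></property>
</configuration>"""
HARDENED_CORE_SITE = """<?xml version="1.0"?>
<configuration>
  <property><name>fs.defaultFS</name><value>hdfs://namenode:8020</value></property>
  <property><name>hadoop.security.authentication</name><value>kerberos</value></property>
  <property><name>hadoop.security.authorization</name><value>true</value></property>
  <property><name>hadoop.http.authentication.type</name><value>kerberos</value></property>
</configuration>"""
HARDENED_YARN_SITE = """<?xml version="1.0"?>
<configuration>
  <property><name>yarn.acl.enable</name><value>true</value></property>
  <property><name>yarn.admin.acl</name><value>yarn</value></property>
  <property><name>yarn.resourcemanager.webapp.address</name><value>10.10.0.5:8088</value></property>
</configuration>"""

# Shipped Hadoop defaults for the properties checked below: an absent property
# means the insecure value is in force.
DEFAULTS = {
    "hadoop.security.authentication": "simple",
    "hadoop.security.authorization": "false",
    "hadoop.http.authentication.type": "simple",
    "yarn.acl.enable": "false",
    "yarn.admin.acl": "*",
    "yarn.resourcemanager.webapp.address": "0.0.0.0:8088",
}


def load_props(xml_text: str) -> dict:
    """Parse a Hadoop *-site.xml into a {name: value} dict."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name, value = prop.findtext("name"), prop.findtext("value")
        if name:
            props[name.strip()] = (value or "").strip()
    return props


def audit_yarn_exposure(core_site_xml: str, yarn_site_xml: str) -> list:
    """Return one finding string per setting that leaves the ResourceManager
    open to unauthenticated job submission; an empty list means all checks pass."""
    cfg = dict(DEFAULTS)
    cfg.update(load_props(core_site_xml))
    cfg.update(load_props(yarn_site_xml))
    findings = []
    if cfg["hadoop.security.authentication"].lower() != "kerberos":
        findings.append("hadoop.security.authentication=%s: callers are trusted by the name they "
                        "supply, so REST job submissions need no credentials" % cfg["hadoop.security.authentication"])
    if cfg["hadoop.security.authorization"].lower() != "true":
        findings.append("hadoop.security.authorization is off: service-level ACLs are not enforced")
    if cfg["hadoop.http.authentication.type"].lower() == "simple":
        findings.append("hadoop.http.authentication.type=simple: the web UI and REST API are anonymous")
    if cfg["yarn.acl.enable"].lower() != "true":
        findings.append("yarn.acl.enable is off: queue and application ACLs are ignored")
    if cfg["yarn.admin.acl"] == "*":
        findings.append("yarn.admin.acl=*: every user is a YARN administrator")
    host = cfg["yarn.resourcemanager.webapp.address"].split(":")[0]
    if host in ("", "0.0.0.0"):
        findings.append("ResourceManager web/REST port bound on all interfaces; restrict it to a management address")
    return findings


if __name__ == "__main__":
    for label, core, yarn in (("insecure", INSECURE_CORE_SITE, INSECURE_YARN_SITE),
                              ("hardened", HARDENED_CORE_SITE, HARDENED_YARN_SITE)):
        print(label, "->", audit_yarn_exposure(core, yarn) or ["no findings"])
```

Passing this audit is necessary, not sufficient: Kerberos has to be actually deployed (principals and keytabs on every node) for the setting to mean anything, and a ResourceManager that is reachable from the internet should still be firewalled regardless of what the XML says.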
By leveraging this weakness in enterprise Linux servers running Apache Hadoop YARN, attackers can generate much more powerful DDoS attacks. Protect your organization’s online resources, such as websites, from DDoS attacks by using an easy-to-use, cost-effective and comprehensive DDoS protection service.
Contact us today if you need assistance in protecting your organization’s network from malware like Mirai and protecting your organization’s online resources from DDoS attacks.
New Botnet Launches DDoS Attacks from Linux Computers
Researchers at SophosLabs have discovered a new botnet that launches distributed denial-of-service (DDoS) attacks from compromised Linux servers and IoT devices.
What is a DDoS Botnet?
A botnet is a collection of computers compromised by a malicious software (malware) and controlled as a group without the owners' knowledge to conduct illegal activities, including DDoS attacks.
In a DDoS attack, hijacked or compromised computers are controlled as a group to attack a particular target, for instance, to overwhelm a particular website with traffic to render the site inaccessible to legitimate users. By leveraging the use of a botnet, attackers can carry out large-scale DDoS attacks.
DDoS attacks don’t just target websites. They also target servers (web, email, DNS, file), web apps, banking, trading and e-commerce platforms, and VoIP systems.
Latest DDoS Botnet
SophosLabs researchers called the latest DDoS botnet that they’ve discovered “Chalubo”. The researchers said they first observed Chalubo in the wild in late August this year. On the 6th of September 2018, SophosLabs researchers said they first recorded how Chalubo works via a honeypot, a decoy computer system used in tracking new hacking methods.
According to the researchers, Chalubo attacks SSH servers, the service used for remote command-line access to Linux systems. There are currently a variety of Chalubo versions for different processor architectures, including both 32- and 64-bit ARM, x86, x86_64, MIPS, MIPSEL and PowerPC.
Chalubo’s operators gain access to a computer by logging in over SSH with publicly known default and common username and password combinations. Once in, they issue commands that retrieve Elknot, also known as Linux/BillGates, a notorious DDoS botnet family that runs on both Linux and Windows. Elknot, in turn, delivers the rest of the Chalubo package.
This recently reported DDoS botnet incorporates the code of two other notorious DDoS botnets, the Mirai botnet and Xor.DDoS botnet.
In December last year, three college-age friends pleaded guilty to creating the Mirai botnet. According to the U.S. Department of Justice, the Mirai botnet, at its peak, consisted of hundreds of thousands of compromised IoT devices used to launch DDoS attacks.
Xor.DDoS botnet, meanwhile, was first observed in the wild in 2015. This botnet hijacks Linux computers for DDoS attacks. While Mirai uses 62 default username and password combinations to gain access to a computer or device, Xor.DDoS uses common or weak username and password combinations.
Chalubo, in particular, uses some of Mirai’s randomizing functions and what appears to be an extended form of the util_local_addr function. It also uses Xor.DDoS’ DelService and AddService functions, and Chalubo’s script is dropped in exactly the same manner as Xor.DDoS’. While Chalubo copies a few code snippets from Mirai and Xor.DDoS, taken as a whole it is a different botnet, researchers at SophosLabs said.
“The majority of functional code in this bot is entirely new, with a focus on their own Lua handling for, primarily, performing DoS attacks with DNS, UDP, and SYN flavours,” SophosLabs researchers said. “The Lua script built into the bot is a basic control script for calling home to a C2 [command-and-control] server to inform the C2 about details of the infected machine.”
Chalubo’s Lua script communicates with the command-and-control server – a computer that’s controlled by attackers – to receive further instructions. The purpose of the script is to download, decrypt and then execute whatever the script finds.
Chalubo's main components, dropper (the Elknot), main bot and Lua script, are encrypted using the ChaCha stream cipher in an effort to prevent detection. SophosLabs researchers observed that Chalubo triggered the infected computer to conduct a DDoS attack against a single Chinese IP address over port 10100, without masking the local source IP.
According to SophosLabs researchers, the creator or creators of Chalubo botnet may be at the end of testing their botnet and we may see an increase in activity from this new botnet.
Being part of a DDoS botnet harms the hijacked computers themselves, and the attacks they launch harm the targets.
Here are a few signs that the computer in your organization may be a part of a botnet:
-Computer fan kicks into overdrive even when it’s idle
-It takes a long time to shut down the computer or it won’t shut down properly
-Computer programs and internet access are slow
Here are some security measures to prevent attackers from turning the computers in your organization as part of the Chalubo, Mirai or Xor.DDoS botnets:
-Change default and common username and password combinations as these botnets hunt computers using default and common or weak username and password combinations
-In the case of the Chalubo botnet, use SSH keys instead of passwords for logins
-Keep all your software up-to-date
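The password guessing that precedes a Chalubo or Xor.DDoS infection leaves a clear trail in sshd’s log, and unlike the spoofed SYN flood earlier on this page it can be attributed per source, because an SSH login only happens after a completed TCP handshake. The following is an added example written for this page, not code from the article or from SophosLabs. The log lines are constructed in sshd’s usual syslog format (not from a real host) and the thresholds are assumed values.

```python
# Added example (not from the article or SophosLabs): spotting the SSH password
# guessing that precedes a Chalubo/Xor.DDoS-style compromise, from sshd logs.
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd log lines (not from a real host). One source guesses default
# accounts and finally succeeds; one legitimate user mistypes once, then uses a key.
SAMPLE_AUTH_LOG = """\
Sep  6 03:14:01 gw sshd[2210]: Failed password for root from 203.0.113.7 port 40112 ssh2
Sep  6 03:14:02 gw sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 40113 ssh2
Sep  6 03:14:03 gw sshd[2212]: Failed password for invalid user support from 203.0.113.7 port 40114 ssh2
Sep  6 03:14:04 gw sshd[2213]: Failed password for root from 203.0.113.7 port 40115 ssh2
Sep  6 03:14:05 gw sshd[2214]: Failed password for invalid user ubnt from 203.0.113.7 port 40116 ssh2
Sep  6 03:14:06 gw sshd[2215]: Accepted password for pi from 203.0.113.7 port 40117 ssh2
Sep  6 03:15:30 gw sshd[2290]: Failed password for alice from 198.51.100.4 port 50990 ssh2
Sep  6 03:15:41 gw sshd[2291]: Accepted publickey for alice from 198.51.100.4 port 51000 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[0-9.]+) port \d+"
)


def parse_auth_log(text: str):
    """Yield (timestamp, ip, result, method, user) for each sshd auth line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")  # year-less syslog stamp
            yield ts, m.group("ip"), m.group("result"), m.group("method"), m.group("user")


def find_bruteforce(text: str, threshold: int = 5, window_seconds: int = 60) -> dict:
    """Per source IP: flag `threshold` or more failed logins inside `window_seconds`
    and record whether a login from that IP was accepted after the guessing began
    (the pattern of a default credential that worked)."""
    by_ip = defaultdict(list)
    for event in parse_auth_log(text):
        by_ip[event[1]].append(event)
    findings = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e[0])
        failures = [e for e in events if e[2] == "Failed"]
        burst_start = None
        for i in range(len(failures) - threshold + 1):  # sliding window over failures
            if (failures[i + threshold - 1][0] - failures[i][0]).total_seconds() <= window_seconds:
                burst_start = failures[i][0]
                break
        if burst_start is None:
            continue
        findings[ip] = {
            "failures": len(failures),
            "users_tried": sorted({e[4] for e in failures}),
            "success_after_failures": any(e[2] == "Accepted" and e[0] > burst_start for e in events),
        }
    return findings


if __name__ == "__main__":
    for ip, info in find_bruteforce(SAMPLE_AUTH_LOG).items():
        print(ip, info)
```

A source that fails repeatedly and then gets an "Accepted password" line is the one to treat as a compromise, not just as noise to block. Setting PasswordAuthentication to "no" in sshd_config, as the list above recommends, turns every one of these guesses into a failure regardless of what the default credentials were.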
On the part of the DDoS botnet target, a successful DDoS attack against a website, server, e-commerce platform or VoIP system negatively impacts the target’s reputation and damages existing client relationships.
The damage DDoS botnets can do to online resources can be reduced by regularly monitoring traffic and by conducting DDoS testing: simulated attacks against your own infrastructure, a form of penetration (pen) testing, arranged in advance with your hosting and DDoS protection providers.
By monitoring the traffic of your organization’s online resources, abnormal and suspicious traffic can be flagged early on. In DDoS testing, simulated DDoS attacks are conducted against the online resources of your organization to check if they can withstand real DDoS attacks.
Contact us today if you need assistance in preventing attackers from hijacking your organization’s computers as part of a DDoS botnet or if you want assistance in protecting your organization’s online resources from DDoS attacks.
Most Universities at Risk of DDoS Attacks
The recent distributed denial of service (DDoS) attack on the online services of the Scotland-based University of Edinburgh adds to the growing list of universities hit by DDoS attacks.
On September 10th, the University of Edinburgh’s online services, including wireless services, websites and many online student services, were disrupted for several hours as a result of a DDoS attack. The attack took place during the busy “Welcome Week” period of the university.
“I apologise for the disruption to this service, particularly during the busy Welcome Week period,” Gavin Ian McLachlan, Chief Information Officer at the University of Edinburgh, said in a statement. “I realise how frustrating this must have been.”
DDoS Attacks on Colleges and Universities: Who, When and Why
A recent study conducted by Jisc provides a picture of who may be launching these DDoS attacks, in particular on the UK’s colleges and universities, based on the times at which the attacks were carried out.
Jisc is a UK not-for-profit company that provides internet service via the Janet Network to the UK research and education community, including the University of Edinburgh.
Jisc said, “there is evidence both circumstantial and from the justice system to suggest that students and staff may well be responsible for many of the DDoS attacks we see on the Janet Network.”
The Jisc study found that DDoS attacks on colleges and universities were usually carried out during term time and dramatically decreased during holidays such as summer breaks, Christmas, Easter and May half-term breaks.
“This pattern could indicate that attackers are students or staff, or others familiar with the academic cycle,” Jisc said. “Or perhaps the bad guys simply take holidays at the same time as the education sector. Whichever the case, there’s no point sending a DDoS attack to an organization if there’s no one there to suffer the consequences.”
Several students have been prosecuted in the past for attacking their own colleges or universities. Adam Mudd, a student at West Herts College, pleaded guilty to launching DDoS attacks against his college; Paras Jha, a student at Rutgers University, pleaded guilty to launching DDoS attacks against his university.
These college and university students don’t just target their own schools. In April 2017, Adam Mudd received a 2-year jail sentence for running “Titanium Stresser”, a DDoS-for-hire service that launched 1.7 million DDoS attacks against victims worldwide.
In December 2017, Jha and two college-age friends pleaded guilty to creating the Mirai botnet: hundreds of thousands of IoT devices compromised by Jha’s group using 62 common default login details and used as a botnet, or zombie army, to conduct a number of powerful DDoS attacks.
According to the U.S. Department of Justice, Jha’s involvement with the Mirai botnet ended when he posted the source code for Mirai on a criminal forum in the fall of 2016. In October 2016, internet infrastructure company Dyn became a target of DDoS attacks, which resulted in bringing down a big chunk of the internet on the U.S. east coast. The DDoS attacks against Dyn temporarily took offline major websites, such as Amazon, Twitter and Netflix. “We are able to confirm that a significant volume of attack traffic originated from Mirai-based botnets,” Dyn said in a statement.
The Jisc study also showed a significant decrease of DDoS attacks on the Janet Network starting in April 2018. Jisc theorized that this reduction of DDoS attacks could be a result of the Operation Power Off, a coordinated operation conducted by the Dutch Police and the UK’s National Crime Agency with the support of Europol and a dozen law enforcement agencies from around the world.
Operation Power Off took down the DDoS marketplace webstresser.org and resulted in the arrests of the site’s administrators located in the UK, Croatia, Serbia and Canada.
According to the European Union Agency for Law Enforcement Cooperation (Europol), webstresser.org was the world’s biggest marketplace to hire DDoS services, with 4 million recorded attacks as of April 2018.
For as little as EUR 15 a month, individuals with little to no technical knowledge launched crippling DDoS attacks via webstresser.org, Europol reported.
Jisc said that beyond disgruntled college and university students and staff, there are far more serious criminal players at work that these institutions ignore at their peril.
Jisc added that some of these more sophisticated DDoS attacks are designed not just to take an online service offline but also to steal intellectual property, targeting the valuable and sensitive information held at these educational institutions.
Preparing for DDoS Attacks
Here are some security measures that can fortify your organization’s IT defenses in case a disgruntled student, a staff or other criminal elements decide to launch a DDoS attack against your organization:
Look for abnormal incoming traffic, including sudden traffic rise and visits from suspicious IP addresses and geolocations. These could all be indicators that criminal elements are testing your organization’s IT defenses prior to conducting a crippling DDoS attack or attacks.
Consider conducting your very own DDoS attack against your organization’s IT infrastructure. This simulated attack, a form of what the cybersecurity community calls penetration (pen) testing, should be scheduled and agreed with your hosting and DDoS protection providers in advance, and can prepare your organization for when real DDoS attacks happen.
Contact us today if you need assistance in protecting your organization against DDoS attacks.
Mirai Is Evolving as a DDoS Attack Tool
Mirai, the malware that nearly brought down the internet, is evolving and being refined by cybercriminals as a distributed denial of service (DDoS) attack tool.
Symantec's Principal Threat Analysis Engineer Dinesh Venkatesan recently disclosed that he uncovered multiple Mirai variants hosted on a single live remote server.
Each of these Mirai variants is compiled for a particular platform, making Mirai portable across different platforms.
According to Venkatesan, one of the major obstacles encountered by script-kiddies, also known as copy/paste malware authors, is portability – the ability of a malware to run on different platforms “in a self-contained capsule without any runtime surprises or misconfiguration”.
The newly uncovered Mirai variants solve the portability problem by leveraging the open source tool “Aboriginal Linux”. According to its author, Aboriginal Linux is a tool that can "automatically create cross compilers and bootable system images for various targets, such as arm, mips, powerpc, and x86".
Using Aboriginal Linux, the author or authors of the newly uncovered Mirai variants were able to build versions of the malware tailored for each targeted platform, from routers and IP cameras to Android devices.
Symantec's Venkatesan said that the newly uncovered Mirai variants spread by scanning devices with default factory login details or known security vulnerabilities.
Original Mirai Botnet
In December last year, 21-year-old Paras Jha, along with his two college-age friends Josiah White and Dalton Norman, pleaded guilty to creating the Mirai botnet.
According to the U.S. Department of Justice, in the summer and fall of 2016, Jha, White and Norman created and launched the Mirai botnet – referring to computers infected by the Mirai malware and controlled by Jha’s group without the knowledge or permission of the owners of the computers.
The U.S. Department of Justice said the trio used the Mirai botnet, which at its peak consisted of hundreds of thousands of compromised IoT devices, to launch DDoS attacks.
DDoS attacks refer to cyberattacks which use multiple computers (like the Mirai botnet), controlling these computers without the computers’ owners knowledge for the purpose of making an online service unavailable by overwhelming it with traffic.
"The defendants [Jha, White and Norman] used the botnet to conduct a number of powerful distributed denial-of-service, or ‘DDOS’ attacks, which occur when multiple computers, acting in unison, flood the Internet connection of a targeted computer or computers,” the U.S. Department of Justice said.
While the latest Mirai variants infect Android devices as well as IoT devices, the original Mirai malware was limited to IoT devices, including routers, wireless cameras and digital video recorders.
According to the U.S. Department of Justice, the trio’s involvement with the original Mirai ended when Jha posted the source code of Mirai on an online forum in September 2016. “Since then, other criminal actors have used Mirai variants in a variety of other attacks,” the U.S. Department of Justice said.
Jha’s group infected hundreds of thousands of IoT devices and turned them into a botnet, or zombie army, for DDoS attacks using a short list of 62 common default username and password pairs.
In October 2016, the DDoS attack against the internet infrastructure company Dyn brought down a big part of the internet on the U.S. east coast. The attack made some of the world’s top websites, such as Amazon, Twitter and Netflix, temporarily inaccessible. “We are able to confirm that a significant volume of attack traffic originated from Mirai-based botnets,” Dyn said in a statement.
Other Mirai Variants
Early variants of Mirai include Satori, which itself morphed into several versions. One version of Satori targets the Huawei HG532 home router. Satori was first observed in the wild by Check Point researchers in November 2017. Like the original Mirai, Satori has DDoS capabilities and has been reported to launch several DDoS attacks.
According to Check Point, Huawei was informed prior to the public disclosure of Satori and patched the vulnerability before the disclosure was made.
In May 2018, researchers at FortiGuard Labs uncovered another Mirai variant called “Wicked”, which particularly infects Netgear routers and CCTV-DVR devices.
According to FortiGuard Labs, Wicked infects these devices using known, publicly available exploits, many of them old. Like the original Mirai and other variants, Wicked can also be used for DDoS attacks.
Here are some measures to prevent attackers from turning your organization’s IoT devices into zombie soldiers for DDoS attacks:
-Change default login credentials to something strong and unique for each device
-Install firmware updates in a timely manner
-When setting up Wi-Fi network access, use a strong encryption method
-Use wired connections instead of wireless connections where possible
-Disable the following:
If your organization has an online presence, it's imperative that it is equipped to stop DDoS attacks.
A successful DDoS attack against your organization’s online service damages its reputation and can cause loss of customer trust and financial losses. Prolonged, unmitigated DDoS attacks can even result in permanent business closure.
Contact us today if you need assistance in securing your organization’s online services from DDoS attacks and if your organization needs assistance in securing IoT devices from being turned into zombie devices for DDoS attacks.
DDoS Attacks: Protecting Your Business from Critical Disruption
In March 2018, the developer platform GitHub was struck by what was, at the time, the most powerful DDoS (distributed denial-of-service) attack ever recorded.
How big? Traffic peaked at 1.35 terabits per second hitting GitHub.
Still, GitHub was not without its defenses.
Within 10 minutes of the attack starting, GitHub’s DDoS mitigation service stepped in to combat it. All incoming and outgoing traffic was routed through the provider's scrubbing infrastructure, which dropped the malicious packets and passed on the rest.
Such decisive action paid off. The attack ended eight minutes after the service took over, and GitHub was back on track after just five minutes of downtime.
If GitHub had been without such a fast, effective response, the outcome of the attack might have been much worse.
A DDoS attack is a blunt attempt to disrupt the normal operation of a server, service or network by bombarding it with excessive traffic.
It uses a number of compromised computer systems to mount the attack, overwhelming the target and crowding out genuine traffic.
GitHub had been targeted before, with an attack lasting for six days in 2015.
A company or organization’s website can be severely affected by a DDoS attack, potentially costing it a great deal of money in lost business. In fact, the average cost of a DDoS attack for businesses rose to more than $2.5 million in 2017.
Research highlights just how common DDoS disruptions are for many companies. A staggering 849 of 1,010 enterprises questioned had been hit by a DDoS attack. DDoS disruption was estimated to cost target businesses as much as $100,000 per hour.
These figures make for disturbing reading, especially for smaller companies on a much tighter budget than their larger competitors. Still, even for global corporations, the risk of a DDoS attack can be incredibly troubling: after all, they may have more to lose.
Effective cybersecurity and preparation have never been more vital, and budget spent on reinforcing your business against these threats is well spent.
Still, this is easier said than done: cybercrime and security can be daunting. To help you understand how best to defend yourself against DDoS attacks, we have explored some of the most effective options below:
Get to know the symptoms
Recognizing the signs of an incoming DDoS attack can make a significant difference to how you handle it.
There is usually no warning before a DDoS attack. While some attackers issue threats first, in most cases the first sign is the assault itself.
As you might not browse your own website much day to day, it may not be until customers begin complaining about its performance that the warning bells start to sound.
However, certain other clues will tip you off:
The earlier you’re able to spot the warning signs, the sooner you can start to act.
Have a plan
Every business should have a plan in place for a potential DDoS attack. Once you confirm that your system has been targeted, you can jump to your plan and follow it. Being prepared helps to reduce the likelihood of panic or making mistakes that exacerbate the disruption.
Make sure all key players from each department are alerted to the situation and understand how best to handle it at their end. If everyone can work together and focus on damage limitation, you’re more likely to come out of the DDoS attack with minimal impact.
Companies that have no preparations for dealing with such a situation could waste valuable time trying to make sense of it.
Know how to prioritize
Your system will have only limited capacity during a DDoS attack. Focus on keeping the highest-value services and applications running to preserve as much ‘normal’ function as possible.
Again, this comes down to planning. You should have an immediate idea which areas can be let go and which must be the priority.
Pay attention to your network security
Conducting security audits on your network on a regular basis is an effective way to keep your system protected.
Take a close look at the strength of passwords (particularly on the most exposed systems), review which employees have access to key data, and run comprehensive checks on software: are you running the latest versions, and have any known vulnerabilities been disclosed for the applications you use?
A network security audit may not be enough in itself to defend your business against a DDoS attack, but it can play a large part in the process. Incorporate this into ongoing workplace routines: make sure it becomes a habit and is never overlooked.
Letting your system go without the proper audits and preparations can leave it vulnerable to attack. Being complacent and assuming your business will escape the attention of cybercriminals is never a smart move.
Turn to the professionals
Your system security is paramount to keeping your business up and running. Not only does your entire flow of service depend on effective protection, so too does your customers’ experience.
Lengthy downtime can leave buyers with little choice but to start looking elsewhere if you cannot meet their needs. On top of this, they may wonder how safe their personal and financial data are within your company.
Hiring a professional cybersecurity firm to defend your system against DDoS attacks can help to take the strain. You will be free to focus on other areas of running your business while the experts handle the heavy lifting.
Are you concerned about your company’s vulnerability to DDoS attacks? What steps have you taken to safeguard your system? Share your thoughts and ideas below and contact us today to protect your organization.
DDoS Attacks: Dangers and Ways to Protect your Network
DDoS (Distributed Denial of Service) attacks continue to make headlines. In the past week, one such attack caused severe traffic issues during a key political debate in Mexico, affecting a website critical of presidential candidate Andres Manuel Lopez Obrador.
Elections are set to take place on 1 July, and the target domain has been openly critical of his policies. During the attack, 185,000 visits arrived in just 15 minutes, the majority originating in China and Russia.
It was a blatant attempt to crash the site, and the culprits have yet to be identified. Attribution is difficult because the traffic comes from compromised systems whose owners have no idea they are taking part.
This isn’t the first time DDoS attacks have disrupted political websites, and countries are taking action to defend themselves. The US Election Assistance Commission has dedicated over $380m in funding for cybersecurity.
DDoS attacks defined
As discussed above, a DDoS attack floods the target with traffic from numerous origin points, possibly thousands of them. Stopping it in its tracks is therefore very hard: there is no single IP address to block, and blocking all traffic also locks out legitimate visitors.
They differ from DoS attacks, in which a single computer and IP address floods a vulnerable system.
There are a few common types of DDoS attack, including traffic attacks, which swamp the target with a high rate of packets.
Bandwidth attacks are another danger: they overload the connection with huge volumes of ‘junk’ data, consuming the available network bandwidth and potentially causing a total denial of service.
Application layer attacks use requests that look legitimate to exhaust the application’s resources, such as CPU and memory, until it can no longer serve real users.
When a website is unable to provide its customers or members with the services they expect, it can damage their reputation and disrupt their revenue. There’s a risk to security too, with consumers left wondering how safe their personal data may be.
This is a major concern for today’s more tech-savvy users, who are much more aware of the dangers lax security measures and cyber-attacks pose.
Taking action against DDoS attacks
How can you protect your network against DDoS attacks and ensure your business or organization is prepared to handle one if the worst happens?
Minimize the potential
Minimizing the attack surface is key, as it reduces the number of options available to would-be attackers.
To do this, consider putting resources behind load balancers or content delivery networks, and restrict which traffic can reach vital parts of your system, such as database servers, so that they are never directly exposed to the internet.
Create a plan of action
You need a plan for every major cybersecurity risk threatening your business and customers. With a DDoS plan, the key aspect is determining how you will keep delivering services if an attack manages to disrupt your system.
You should make sure everyone within your company is made aware of what a DDoS attack is, how it may manifest, and how their work would be affected.
The aim is to make sure your company as a whole would essentially be able to roll with the proverbial punches, to minimize the disruption and get back on track as soon as possible.
Get to know the signs
It’s best to learn the warning signs of an impending DDoS attack. High-volume attacks are common and damaging, but low-volume ones may be sent first as a test of your network’s capabilities; these probes let attackers identify holes in your defenses.
Pay attention to your normal traffic patterns. A baseline lets you spot significant changes in volume or in the geographic sources of traffic, so you can act before the attack is fully underway.
Capture the packets
When you notice a DDoS attack is under way, try to identify its key characteristics so you can act against it. DDoS attacks rely on traffic volumes your system cannot handle, and while it may be impossible to separate ‘good’ traffic from ‘bad’ perfectly, you can usually identify telltale similarities between the attacking sources.
Run a quick packet capture during the attack: since most of the traffic hitting your site will be part of it, common features should stand out. Giveaways often show up in the user agent or the requested URI; once you have a pattern, you can block the matching sources with a router ACL or firewall rule.
Routers and firewalls can stop specific IP addresses and filter unnecessary protocols, but they’re not a complete defense against high-volume attacks. Firewalls in particular should not be depended on to keep your entire network safe.
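To make the two steps above concrete (comparing live traffic against a baseline, then fingerprinting the flood from a capture), the following is an added example and not code from the original post. It runs over a constructed access log in the common combined format; the log lines, IP addresses, user agents and thresholds (a surge is five times the quiet-minute median, and a fingerprint must cover at least half of the surge traffic) are assumptions for illustration. The geographic lookup mentioned above is omitted because it needs an external IP-to-country database.

```python
"""Spotting an HTTP flood in a captured request log and turning its
fingerprint into firewall rules.  Added example; the log lines, addresses
and user agents below are constructed, not a real capture."""
import re
from collections import Counter

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["minute"] = rec["ts"][:17]   # "21/Oct/2016:13:05:17 +0000" -> "21/Oct/2016:13:05"
    return rec


def requests_per_minute(records):
    return Counter(r["minute"] for r in records)


def baseline_rpm(rpm, quiet_minutes):
    """Median requests per minute over minutes known to be attack-free: the
    'normal traffic pattern' the surge is compared against."""
    vals = sorted(rpm.get(m, 0) for m in quiet_minutes)
    return vals[len(vals) // 2]


def surge_minutes(rpm, baseline, factor=5.0):
    """Minutes whose request count exceeds `factor` times the baseline (assumed threshold)."""
    return sorted(m for m, n in rpm.items() if n > factor * baseline)


def fingerprint(records, minutes, min_share=0.5):
    """Most common (user agent, URI) pair during the surge, if it accounts for at
    least `min_share` of surge traffic, together with the sources that sent it.
    In a flood most traffic is attack traffic, so the pair stands out."""
    surge = [r for r in records if r["minute"] in minutes]
    if not surge:
        return None
    pairs = Counter((r["ua"], r["uri"]) for r in surge)
    (ua, uri), n = pairs.most_common(1)[0]
    share = n / len(surge)
    if share < min_share:
        return None
    ips = sorted({r["ip"] for r in surge if (r["ua"], r["uri"]) == (ua, uri)})
    return {"ua": ua, "uri": uri, "share": round(share, 2), "ips": ips}


def block_rules(ips):
    """Router ACLs and iptables match on addresses, not on User-Agent, so the
    fingerprint is used to choose WHICH sources to drop."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in ips]


def analyse(lines, quiet_minutes):
    records = [r for r in map(parse_line, lines) if r]
    rpm = requests_per_minute(records)
    base = baseline_rpm(rpm, quiet_minutes)
    surge = surge_minutes(rpm, base)
    fp = fingerprint(records, set(surge))
    return {"baseline": base, "surge": surge, "fingerprint": fp,
            "rules": block_rules(fp["ips"]) if fp else []}


def build_sample_log():
    """Constructed capture: three quiet minutes of ordinary browsing, then one
    minute in which four sources hammer /search with one identical user agent."""
    fmt = '{ip} - - [21/Oct/2016:13:0{m}:{s:02d} +0000] "GET {uri} HTTP/1.1" 200 512 "-" "{ua}"'
    legit_ua = "Mozilla/5.0 (X11; Linux x86_64) Firefox/49.0"
    flood_ua = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    lines = [fmt.format(ip=f"203.0.113.{s + 1}", m=m, s=s, uri="/index.html", ua=legit_ua)
             for m in range(3) for s in range(0, 60, 15)]
    lines += [fmt.format(ip=f"198.51.100.{s % 4 + 1}", m=3, s=s, uri="/search?q=zzzz", ua=flood_ua)
              for s in range(60)]
    lines.append(fmt.format(ip="203.0.113.9", m=3, s=30, uri="/index.html", ua=legit_ua))
    return lines


QUIET = ["21/Oct/2016:13:00", "21/Oct/2016:13:01", "21/Oct/2016:13:02"]

if __name__ == "__main__":
    for key, value in analyse(build_sample_log(), QUIET).items():
        print(f"{key}: {value}")
```

Because routers and firewalls match on addresses rather than on HTTP headers, the script uses the user agent and URI only to decide which sources to drop; the generated iptables lines are a starting point for a router ACL, and when the attacking sources are too numerous to list, the same fingerprint belongs in a web server rule or WAF signature instead.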
Again, having a plan in place and being prepared to shift gears is critical to minimize the disruption as much as possible.
DDoS attacks are, sadly, not going to go away any time soon. Your business or organization has to take steps necessary to stay as protected as possible and put a contingency plan in place to stop your infrastructure collapsing if an attack takes place.
Working with cybersecurity specialists and running a vulnerability assessment of your network can help you prepare. Want to know more about the options available to you?
Give our expert team a call!
Huawei IoT Exploit Code Meant for DDoS Attack Released to the Public
Another piece of malware code meant to cause distributed denial of service (DDoS) has recently been made public on Pastebin.
The publication of DDoS malware code can’t be taken lightly. Whenever new exploits become publicly available, cybercriminals quickly add them to their attack arsenal.
When the Mirai code, another DDoS threat, was made public, it unleashed unprecedented DDoS attacks.
The newly published code is a Mirai variant that specifically targets a vulnerability in the Huawei HG532 home router. According to security researchers at NewSky Security, the code has already been used in attacks, including those of the Satori botnet.
With the release of the full working code of this Mirai variant, NewSky Security’s researchers said that “we expect its usage in more cases by script kiddies and copy-paste botnet masters.”
Considering that Huawei retains a significant share of the router market, exploitation of these IoT devices can have a significant effect. According to IDC, Huawei's total router market share increased from 18.9% in the 2nd quarter of 2016 to 25.2% in the 2nd quarter of 2017.
What is Satori?
Satori is an updated variant of the Mirai malware. It exploits a vulnerability in the Huawei HG532 home router that allows remote code execution, enabling attackers to take control of and reconfigure affected routers around the world.
Unlike the original Mirai, which relies on default usernames and passwords to infect IoT devices, Satori does not need credentials at all. Security researchers at Qihoo 360 Netlab said, “The bot [Satori] itself now does NOT rely on loader/scanner mechanism to perform remote planting, instead, bot itself performs the scan activity. This worm like behavior is quite significant.”
According to the security researchers at Qihoo 360 Netlab, in December 2017, the Satori malware was able to infect over 280,000 Huawei routers in just 12 hours.
In November 2017, security researchers at Check Point reported hundreds of thousands of attempts to exploit the HG532 vulnerability in the wild. Check Point discreetly informed Huawei, and the company soon issued a security update.
“An authenticated attacker could send malicious packets to port 37215 to launch attacks,” Huawei said in acknowledging the Satori exploit. “Successful exploit could lead to the remote execution of arbitrary code.”
What is Mirai?
Satori’s code is based on Mirai malware code. In late September 2016, the hacker simply known as “Anna-senpai” made public the Mirai code.
The original Mirai scanned the internet for IoT devices (including wireless cameras and routers) with weak security, particularly those using default usernames and passwords, took control of them and used them to attack targets such as other computers and websites. According to Anna-senpai, 380,000 IoT devices infected with Mirai were used to stage a DDoS attack against the Krebs on Security website.
Barely a month after the Mirai code was published, the DDoS attacks against Dyn took place. Dyn is a domain name system (DNS) provider that many websites rely on, and the attacks temporarily took down popular sites such as Amazon, Twitter and Netflix.
“We are able to confirm that a significant volume of attack traffic originated from Mirai-based botnets,” Dyn said in a statement. According to the company, 100,000 IoT devices were infected with the Mirai malware to attack its infrastructure.
In early December last year, three men, Paras Jha, Josiah White and Dalton Norman, pleaded guilty to creating and operating the Mirai malware in violation of the US Computer Fraud and Abuse Act.
“In the summer and fall of 2016, White, Jha, and Norman created a powerful botnet – a collection of computers infected with malicious software and controlled as a group without the knowledge or permission of the computers’ owners,” the US Department of Justice said in a statement.
The US Department of Justice added, “The defendants used the botnet to conduct a number of powerful distributed denial-of-service, or ‘DDOS’ attacks, which occur when multiple computers, acting in unison, flood the Internet connection of a targeted computer or computers.”
Jha also pleaded guilty to conducting a series of DDoS attacks against the networks of Rutgers University between November 2014 and September 2016. According to the Department of Justice, the attacks temporarily shut down the university’s central authentication server, which maintained the gateway portal through which students, faculty and staff delivered assignments and assessments.
According to the US Department of Justice, White, Jha and Norman’s involvement with the original Mirai ended in the fall of 2016, when Jha publicly released the source code of Mirai. The Justice Department said, “Since then, other criminal actors have used Mirai variants in a variety of other attacks.”
US Acting Assistant Attorney General John Cronan said that Mirai is a powerful reminder that “as we continue on a path of a more interconnected world, we must guard against the threats posed by cybercriminals that can quickly weaponize technological developments to cause vast and varied types of harm.”
Since the release of the Mirai code, there has also been a noticeable increase in DDoS-for-hire: services run by cybercriminals that let paying customers launch distributed denial of service (DDoS) attacks anonymously against any internet-connected target.
Imperva Incapsula reported that in the third quarter of 2017, the majority (90.2%) of network layer DDoS attacks were under 10 Mpps and were predominantly the result of DDoS-for-hire activity.
DDoS attacks are costly. They can make your organization’s website slow or inaccessible. They can disrupt business activities, prevent customers from accessing online accounts and bring about significant costs in remedying the DDoS effects.
Huawei recommends the following measures to prevent your Huawei routers from being infected by the Satori malware:
Contact us at The Driz Group if you want more information on how to protect your business from DDoS attacks in under an hour, with no hardware to buy and no resources or ongoing maintenance required.
DDoS Threat Landscape in 3rd Quarter of 2017
They're getting more powerful and persistent. This is how Imperva Incapsula described the global distributed denial-of-service (DDoS) threat landscape in the 3rd quarter of 2017.
In its Global DDoS Threat Landscape Q3 2017 report, Imperva Incapsula defines a DDoS attack as a “persistent, distributed denial of service event” against the same target, such as an IP address or domain. An event counts as a single attack when it is preceded by an attack-free period of at least 60 minutes and followed by another attack-free period of the same duration or longer.
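As an added illustration of that counting rule (not part of the Imperva report or any code of theirs), the following applies it to a constructed per-minute timeline of attack-flagged samples for two targets, and derives the kind of per-target figures the report gives. The targets, the minute numbers and the use of a 60-minute quiet gap are assumptions taken from the definition above.

```python
"""Counting distinct DDoS attacks on a target from a timeline of attack-flagged
minutes, using the quiet-period rule described above.  Added example; the
targets and timelines below are constructed."""

QUIET_MINUTES = 60  # attack-free gap that must separate two distinct attacks


def segment_attacks(flagged_minutes, quiet=QUIET_MINUTES):
    """Group attack-flagged minute buckets (integers) into attacks.

    A flagged minute joins the current attack unless at least `quiet`
    attack-free minutes lie between it and the previous flagged minute;
    the quiet minutes between buckets a and b number b - a - 1.
    Returns a list of (first_minute, last_minute) pairs."""
    attacks = []
    for m in sorted(set(flagged_minutes)):
        if attacks and (m - attacks[-1][1] - 1) < quiet:
            attacks[-1][1] = m          # still the same attack
        else:
            attacks.append([m, m])      # new attack after a long enough gap
    return [tuple(a) for a in attacks]


def attack_stats(flagged_by_target, quiet=QUIET_MINUTES):
    """Per-target attack counts plus the summary figures a landscape report
    gives: average attacks per target, most attacked target, longest attack."""
    per_target = {t: segment_attacks(ms, quiet) for t, ms in flagged_by_target.items()}
    counts = {t: len(a) for t, a in per_target.items()}
    return {
        "attacks_per_target": counts,
        "average_per_target": round(sum(counts.values()) / len(counts), 1),
        "most_attacked": max(counts, key=counts.get),
        "longest_minutes": max(e - s + 1 for a in per_target.values() for s, e in a),
    }


# Constructed timelines: minute numbers since the start of an observation window.
SAMPLE_TIMELINES = {
    # A 30-minute burst, a 15-minute lull, 5 more minutes: one attack, not two.
    # Then a separate 60-minute attack 150 quiet minutes later.
    "203.0.113.10": list(range(0, 30)) + list(range(45, 50)) + list(range(200, 260)),
    # Three short bursts each separated by hours: three attacks.
    "example.org": list(range(100, 110)) + list(range(400, 410)) + list(range(800, 805)),
}

if __name__ == "__main__":
    for target, minutes in SAMPLE_TIMELINES.items():
        print(target, segment_attacks(minutes))
    print(attack_stats(SAMPLE_TIMELINES))
```

The gap test matters for the headline numbers: a target probed again after a 15-minute lull has suffered one attack under this rule, not two, so "17.7 attacks per target" is a count of separated campaigns rather than of bursts.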
“In a distributed denial-of-service (DDoS) attack, an attacker may use your computer to attack another computer,” the United States Computer Emergency Readiness Team (US-CERT) defines DDoS attack. “By taking advantage of security vulnerabilities or weaknesses, an attacker could take control of your computer. He or she could then force your computer to send huge amounts of data to a website or send spam to particular email addresses. The attack is ‘distributed’ because the attacker is using multiple computers, including yours, to launch the denial-of-service attack.”
Imperva Incapsula identifies two types of DDoS attacks: network layer attack and application layer attack.
A network layer attack is one that saturates the network by consuming much of the available bandwidth. Attacks of this type are measured in gigabits per second (Gbps), the bandwidth they consume, and in millions of packets per second (Mpps), the rate at which packets arrive.
An application layer attack, meanwhile, aims to bring down a server by exhausting its processing resources (CPU or RAM) with a high number of requests. Attacks of this type are measured in requests per second (RPS), the number of processing tasks initiated per second.
Network Layer DDoS Attacks
In terms of network layer attacks, 90.2% were under 10 Mpps, 4.8% between 10-50 Mpps, 2.1% between 50-100 Mpps and 2.9% above 100 Mpps. The largest network layer attack recorded last quarter reached 299 Gbps.
According to Imperva Incapsula, attacks under 10 Mpps were mostly the result of DDoS-for-hire activities.
On average, each network layer attack target suffered 17.7 attacks over the quarter, while the most repeatedly attacked victim endured 714 attacks.
Top Attacked Industries
The Imperva Incapsula report showed that online gambling is the number one industry targeted by network layer DDoS attackers (34.5%), followed by gaming (14.4%), internet services (10.8%), financials (10.1%), retail (5.8%), IT and software (5.8%), media and publishing (5.8%), cryptocurrency or bitcoin platforms (3.6%), transportation (2.2%) and telecom (1.4%).
The following reasons were put forward why over a third of the network layer DDoS attacks were targeted on gambling sites and related services:
The report also found that three out of four bitcoin sites in its sample were attacked during the quarter. The relatively high number of DDoS attacks on cryptocurrency exchanges and services was attributed to the staggering spike in the price of bitcoin, which more than doubled over the quarter.
Top Attacked Countries
Hong Kong was the most targeted with 31% of the total global network layer DDoS attack, followed by the US (19%), Germany (12.8%), Philippines (7.6%), China (7.2%), Taiwan (7.1%), Singapore (4.4%), Malaysia (3.9%), Japan (0.8%) and Canada (0.8%).
Almost a third of the network layer DDoS attacks last quarter went to Hong Kong as a result of a large-scale campaign against a Hong Kong-based hosting service provider. Taiwan and the Philippines also made it to the top 10 list as a result of large campaigns targeting gambling websites in these countries.
Application Layer DDoS Attacks
In terms of application layer DDoS attacks, on average, each victim suffered 17.7 attacks in the span of the quarter, while the most repeatedly attacked victim encountered 714 attacks in the span of the quarter.
The US ranked as the most targeted country in terms of application layer DDoS attack (53.3%), followed by Netherlands (8.8%), Singapore (6.3%), Belgium (5%), Italy (4.4%), Germany (3.9%), Russia (3.1%), Japan (3.1%), Hong Kong (1.8%) and Australia (1.5%).
Imperva Incapsula’s global DDoS threat report for the 3rd quarter of 2017 showed that attackers use botnets, groups of malware-infected IoT devices, to carry out DDoS attacks. The devices are remotely controlled by the attackers, and their owners have no idea they are being used.
In terms of attack requests, 16.9% came from China, 7.6% from Vietnam, 7.2% from Turkey, 5.7% from the US and 4% from India. Meanwhile, in terms of the number of attacking devices, 42.5% came from China, 11.1% from the US, 5.4% from Vietnam, 2.9% from India and 2.2% from Turkey.
DDoS Mitigating Measures
The main distinction between network layer and application layer DDoS attacks is that they target different resources: a network layer attack tries to clog the network, for instance by consuming much of the available bandwidth, while an application layer attack attempts to drain resources such as CPU and memory.
Because the two types target different resources and are executed differently, mitigating each requires a substantially different set of security measures.
It’s also important to take into consideration the difference between Gbps and Mpps for mitigation purposes.
Gbps measures the total load placed on a network, also known as throughput, while Mpps measures the rate at which packets are delivered, also known as the forwarding rate.
For instance, if your organization’s DDoS mitigation solution can absorb 100 Gbps but process packets at only 20 Mpps, a 50 Gbps attack arriving at 40 Mpps can still bring down your network: the bandwidth figure is well within capacity, but the packet rate is double what the equipment can forward.
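The following added example (not from the Imperva report) works that comparison through in code: it converts a line rate into a packet rate for a given frame size, shows what average packet size a 50 Gbps / 40 Mpps attack implies, and checks an attack against a mitigation capacity on both axes. The 20-byte on-the-wire overhead (Ethernet preamble, start-of-frame delimiter and inter-frame gap) and the frame sizes are assumptions for illustration; the capacity and attack figures are the ones in the paragraph above.

```python
"""Checking DDoS mitigation capacity on both axes: bandwidth (Gbps) and
forwarding rate (Mpps).  Added example; the 100 Gbps / 20 Mpps capacity and
the 50 Gbps / 40 Mpps attack are the page's worked case, the frame sizes
are constructed."""

# Bytes that occupy the wire per Ethernet frame but are not part of the frame
# itself: 7-byte preamble, 1-byte start-of-frame delimiter, 12-byte inter-frame
# gap.  Assumed here so that a line rate converts to an on-the-wire packet rate.
ETH_WIRE_OVERHEAD_BYTES = 20


def packets_per_second(gbps: float, frame_bytes: int) -> float:
    """Packet rate that a line rate of `gbps` implies if every frame is
    `frame_bytes` long (including the 14-byte Ethernet header and 4-byte FCS)."""
    bits_per_frame = (frame_bytes + ETH_WIRE_OVERHEAD_BYTES) * 8
    return gbps * 1e9 / bits_per_frame


def mpps(gbps: float, frame_bytes: int) -> float:
    """Same as packets_per_second, expressed in millions of packets per second."""
    return packets_per_second(gbps, frame_bytes) / 1e6


def implied_frame_bytes(gbps: float, attack_mpps: float) -> float:
    """Average frame size an attack must be using to deliver `attack_mpps`
    packets per second inside `gbps` of bandwidth."""
    bits_per_packet = gbps * 1e9 / (attack_mpps * 1e6)
    return bits_per_packet / 8 - ETH_WIRE_OVERHEAD_BYTES


def mitigation_holds(capacity_gbps, capacity_mpps, attack_gbps, attack_mpps):
    """A mitigation appliance or service holds only if the attack stays under
    BOTH its bandwidth limit and its forwarding-rate limit.  Returns
    (holds, reasons), where `reasons` names every limit that was exceeded."""
    reasons = []
    if attack_gbps > capacity_gbps:
        reasons.append(f"bandwidth {attack_gbps:.1f} Gbps > {capacity_gbps} Gbps")
    if attack_mpps > capacity_mpps:
        reasons.append(f"forwarding {attack_mpps:.1f} Mpps > {capacity_mpps} Mpps")
    return (not reasons, reasons)


if __name__ == "__main__":
    # The page's case: plenty of bandwidth headroom, but twice the packet rate.
    print(mitigation_holds(100, 20, 50, 40))
    # The same 50 Gbps made of minimum-size (64-byte) frames is ~74 Mpps;
    # made of 1500-byte frames it is only ~4 Mpps.
    for size in (64, 512, 1500):
        print(f"50 Gbps at {size:4d}-byte frames = {mpps(50, size):5.1f} Mpps")
    print(f"50 Gbps at 40 Mpps implies ~{implied_frame_bytes(50, 40):.0f}-byte frames")
```

The point the numbers make is that the same bandwidth figure can mean an eighteen-fold difference in packet rate depending on packet size, which is why a mitigation service should be sized (and its contract read) in Mpps as well as Gbps.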
Adding guaranteed DDoS mitigation to your application or network does not have to be complicated and does not require an upfront investment. Connect with us today to better understand all available options and secure your web applications and networks.
Steve E. Driz