How to avoid being a part of a Mirai attack


Mirai (Japanese for "the future") is malware that turns networked devices into remotely controlled "bots" that can be used as part of a botnet in large-scale network attacks. It primarily targets IoT devices such as IP cameras and home routers.

Devices infected by Mirai continuously scan the internet for the IP addresses of other Internet of Things (IoT) devices. Mirai then identifies vulnerable IoT devices using a table of more than 60 common factory default usernames and passwords, logs into them, and infects them with the Mirai malware.
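The scanning behaviour described above is the most visible symptom of an infected device from the defender's side: a camera or router that suddenly opens connections to large numbers of unrelated addresses on the telnet ports Mirai probes (TCP 23 and 2323). The following shell script is an added example, not code from the article or from Imperva; it runs awk over a constructed flow log (the `<time> <src_ip> <dst_ip> <dst_port> <proto>` format and all addresses are assumptions) and reports internal hosts that reached at least a threshold number of distinct telnet destinations.

```shell
#!/bin/sh
# Added example (not from the article): flag internal hosts whose outbound
# connection pattern matches a Mirai-infected device sweeping for telnet.
# Assumes flow records in the form: "<time> <src_ip> <dst_ip> <dst_port> <proto>".
set -eu

# Constructed sample flow log (not real data): 10.0.0.7 behaves like an
# infected camera sweeping public addresses on 23/2323; 10.0.0.5 and
# 10.0.0.9 are ordinary traffic.
FLOWS=$(mktemp)
trap 'rm -f "$FLOWS"' EXIT
cat >"$FLOWS" <<'EOF'
1700000000 10.0.0.5 203.0.113.10 443 tcp
1700000001 10.0.0.5 203.0.113.11 443 tcp
1700000002 10.0.0.7 198.51.100.1 23 tcp
1700000002 10.0.0.7 198.51.100.2 23 tcp
1700000003 10.0.0.7 198.51.100.3 2323 tcp
1700000003 10.0.0.7 198.51.100.4 23 tcp
1700000004 10.0.0.7 198.51.100.5 23 tcp
1700000004 10.0.0.7 198.51.100.5 23 tcp
1700000005 10.0.0.9 198.51.100.9 23 tcp
EOF

# Print "src_ip distinct_targets" for every source that contacted at least
# $2 distinct destination IPs on TCP 23 or 2323 (the ports Mirai scans).
# Repeated connections to the same destination count once, so a host that
# legitimately talks to one telnet server is not flagged.
find_telnet_scanners() {
    awk -v min="$2" '
        $5 == "tcp" && ($4 == 23 || $4 == 2323) {
            key = $2 SUBSEP $3
            if (!(key in seen)) { seen[key] = 1; count[$2]++ }
        }
        END { for (ip in count) if (count[ip] >= min) print ip, count[ip] }
    ' "$1" | sort
}

# With a threshold of 5 distinct targets only 10.0.0.7 is reported.
find_telnet_scanners "$FLOWS" 5
```

In production the threshold should be tuned to a window (for example, distinct targets per minute), and a flagged source is a candidate for isolation and a factory reset with a changed password, since Mirai does not survive a reboot but re-infects within minutes if the default credentials remain.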

Mirai came onto the scene in late 2016 as the malware supporting very large DDoS attacks, including a 650 Mbps attack on the Krebs on Security site. It’s also purported to have been the basis of the attack in October 2016 that brought down sites including Twitter, Netflix, Airbnb and many others.

Since then, Mirai has morphed into the most aggressive and effective botnet tool we’ve seen to date. When our research team reviewed the Incapsula logs after the Krebs attacks last fall, they found that indeed the Mirai botnet had been active well before the September attack. Imperva discovered a botnet of 49,657 Mirai-infected devices spread over 164 countries with the top infected countries Vietnam, Brazil and the United States.

But even before Mirai became public, the team identified vulnerable IoT devices as an increasing source of DDoS botnets and saw a problem in the making.

Back in 2014, we started seeing a massive increase in the number of weekly unique DDoS bot sessions and identified CCTV surveillance devices as a contributing factor, most of which were open to abuse through easily guessable default passwords. In 2015, Imperva discovered a botnet executing HTTP GET flood DDoS attacks that peaked around 20,000 requests per second (RPS) from 900 CCTV cameras throughout the globe.

The cameras were all running BusyBox — a package of stripped-down Unix utilities for systems with limited resources. The research foreshadowed the targeting of IoT devices as the next-generation source of botnets.

But it wasn’t until Mirai was publicly announced on Hack Forums in October that this IoT prediction gained energy. Mirai’s focus on effectiveness at aggressively recruiting some of the most vulnerable IoT devices has made it a popular choice for hackers that want to create very large botnets.

Only weeks after the release of the original Mirai source code, Imperva documented a new variant that was found to be responsible for exploiting a newly discovered TR-069 vulnerability on wireless routers. With the exploit code added, the new variant was able to knock more than 900,000 Deutsche Telekom customers offline.

In March, Incapsula mitigated a Mirai-based attack that indicated the malware had mutated yet again. Before this attack, it appeared as though the Mirai botnet DDoS attacks focused on launching network layer DDoS attacks — attacks that try to flood the network pipes forcing traffic to slow to a crawl. This new attack saw a Mirai botnet launch an application layer attack on a U.S. college website that lasted over 54 hours. The average traffic flow came in at over 30,000 RPS and peaked at around 37,000 RPS — the most Imperva has seen out of any Mirai botnet. In total, the attack generated over 2.8 billion requests.

What’s interesting about Mirai’s ability to launch application layer attacks is that it takes far fewer bots to bring a website down through an application attack. In this case, it took fewer than 10,000 infected IP cameras, DVRs and routers to launch a sizable attack.

Additional measures to ensure IoT devices do not become unwitting members of a Mirai botnet include blocking internet access to admin ports and disabling Universal Plug and Play (UPnP) on the router or firewall. Also, consider isolating IoT devices on your network using segmentation or firewall policies, and let IoT devices communicate only with approved IP addresses. Finally, scan your network with our Mirai vulnerability scanner to see if it hosts a device vulnerable to Mirai injection attacks.
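The segmentation and admin-port measures above translate directly into a firewall policy. The script below is an added example, not configuration from the article or from Imperva: it generates an nftables ruleset that drops Internet-sourced connections to the router's admin ports, refuses inbound connections to the IoT VLAN (so nothing reaches the devices even if UPnP were left on), and lets the IoT VLAN initiate traffic only to an explicit list of approved addresses. The interface names (`eth0` for the WAN, `eth1.50` for the IoT VLAN), the subnet and the admin ports are assumptions to adapt to your own network.

```shell
#!/bin/sh
# Added example, not from the article: build an nftables ruleset that
# (1) blocks WAN access to the router's admin ports (assumed 22/80/443),
# (2) confines an IoT VLAN so its devices may reach only approved addresses,
# (3) drops all inbound connections from the Internet to the IoT VLAN.
# Assumed interfaces: eth0 = WAN, eth1.50 = IoT VLAN.
set -eu

# Emit a ruleset. $1 = IoT subnet, remaining arguments = approved destination IPs.
gen_iot_ruleset() {
    iot_net=$1; shift
    approved=$(printf '%s, ' "$@" | sed 's/, $//')
    cat <<EOF
table inet iot_guard {
    set approved_dst {
        type ipv4_addr
        elements = { $approved }
    }
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif lo accept
        # admin ports are reachable from inside only, never from the WAN side
        iifname "eth0" tcp dport { 22, 80, 443 } drop
        iifname != "eth0" tcp dport { 22, 80, 443 } accept
        # IoT devices only need DHCP and DNS from the router itself
        iifname "eth1.50" udp dport { 53, 67 } accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        # IoT VLAN may open connections only to approved destinations; log the rest
        ip saddr $iot_net ip daddr @approved_dst accept
        ip saddr $iot_net log prefix "iot-blocked " drop
        # no inbound connections from the Internet to IoT devices (no port forwards)
        iifname "eth0" ip daddr $iot_net drop
        # the rest of the LAN reaches the Internet normally; management access
        # from the LAN into the IoT VLAN needs its own explicit accept rule
        iifname != "eth0" oifname "eth0" accept
    }
}
EOF
}

# Constructed example: IoT VLAN 192.168.50.0/24, two approved cloud endpoints.
gen_iot_ruleset 192.168.50.0/24 203.0.113.20 203.0.113.21
```

Write the output to a file and check it with `nft -c -f <file>` before loading it with `nft -f <file>`; the `iot-blocked` log prefix gives you a running record of every destination an IoT device tried to reach outside the approved set, which is also where a Mirai-style telnet sweep from a compromised device would show up first.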

For more information, please contact me at jon.burton@imperva.com.


About the author:


As the Director of Sales Engineering at Imperva, Jon Burton's role is to assist you in protecting what matters most: "data", and tightening security at your network's edge. As a member of the Information Systems Security Association and a Global SaaS and Software Sales Engineering leader with over 20 years of industry experience, Jon believes in delivering business value and creating lasting relationships through trust, candor and true business acumen. He has expertise in Cybersecurity, Cloud Security, Cloud Sales, Hardware Development and Product Life Cycle Development and is a thought leader in overall Organizational Data Security.
