The Persistent Prowess of Mirai: Unchanging yet Successful Attack Methods

The Mirai Botnet: A Persistent Threat With Limited Evolution

The Mirai botnet, one of the most notorious distributed denial of service (DDoS) botnets, continues to break records by driving the biggest and most disruptive attacks ever seen. Researchers warn that while Mirai‘s attack methods have changed little in recent years, its numerous variants and the increasing pool of vulnerable Internet of Things (IoT) devices pose a dangerous and growing threat. This report aims to analyze the common attack methods of the Mirai botnet and provide advice on how organizations can defend against this persistent threat.

Mirai‘s Dangerous Prowess

Mirai, which has been wreaking havoc since the mid-2010s, is known for spawning numerous disruptive DDoS attacks against global organizations. It has targeted companies like French technology firm OVH, the government of Liberia, and DNS provider Dyn, resulting in widespread outages of popular websites such as Twitter, Reddit, GitHub, and CNN. Mirai‘s core competency lies in its ability to turn IoT devices like routers and cameras into zombies, giving attackers control over them to launch massive DDoS attacks.

What makes Mirai particularly dangerous is its ability to remain effective without significant evolution. Even though its variants continue to leverage the original attack vectors, Mirai capitalizes on the growing number of vulnerable IoT devices being connected to networks. According to Huy Nguyen, a cyber security engineer for Corero Network Security, the leak of Mirai‘s source code in 2016 has made it easy for threat actors, including those with limited technical skills, to build their own botnets by exploiting unpatched IoT devices that are prevalent in enterprises.

The Common Attack Methods of Mirai

Although Mirai‘s attack methods have remained consistent, the botnet has spawned numerous variants that utilize different programming languages and target specific weaknesses in device types and platforms. Corero Network Security’s report identifies nine key attack vectors that Mirai has employed throughout its lifetime:

1. UDP Flood: This attack floods the victim’s bandwidth by overwhelming it with UDP traffic. The victim can be a destination IP, subnet, or multiple subnets.
2. Vale Source Engine Query Flood: This attack sends UDP traffic to port 27015 and leverages the static TSource Engine Query as its payloads.
3. DNS Water Torture: This attack aims to overwhelm a DNS server by sending DNS queries to open resolvers, preventing resolution in the victim’s domain.
4. Simplified UDP Flood: This attack is similar to a UDP flood but optimized for higher packets per second (PPS) and requires only three arguments to trigger.
5. SYN Flood: This attack randomizes various ports and is difficult to block as it does not carry a payload.
6. ACK Flood: This attack is similar to a SYN flood but carries a random payload, making it harder to block.
7. Protocol-Morphing Attacks: Mirai can change its protocol, such as using the Simple Text Oriented Messaging Protocol (STOMP), making it challenging for defenders to distinguish between normal and abnormal traffic.
8. GRE Flood: This attack encapsulates IP packets inside GRE packets, randomizing source IP, destination IP, UDP source port, UDP destination port, and UDP payload. It can cause significant damage to targeted victims.
9. Layer 7 HTTP Flood: This advanced attack allows attackers to customize parameters for a highly effective flood attack.

Defending Against Mirai

As organizations face the ongoing threat of Mirai and its variants, it is crucial to implement specialized solutions to detect network anomalies and mitigate against volumetric attacks. Organizations can take proactive measures to defend against Mirai and similar botnets:

• Invest in Network Anomaly Detection: Deploying network anomaly detection systems can help organizations identify and respond to unusual traffic patterns associated with botnet activity.
• Mitigate Volumetric Attacks: Organizations should consider implementing techniques such as traffic filtering, rate limiting, and redirection to protect their networks from the massive traffic generated by Mirai botnets.
• Regularly Patch IoT Devices: To prevent Mirai from exploiting vulnerable IoT devices, organizations should maintain a robust patch management strategy and ensure that router, access point, IP camera, and other IoT device firmware is regularly updated.
• Educate Users: Promote awareness among users about the importance of updating home routers and other IoT devices to safeguard against potential vulnerabilities.

Conclusion

The Mirai botnet continues to pose a significant threat due to its ability to exploit vulnerable IoT devices and launch devastating DDoS attacks. Despite limited evolution in its attack methods, Mirai‘s numerous variants maintain their effectiveness in targeting enterprises. Defending against Mirai requires a multi-faceted approach, including network anomaly detection, mitigation strategies against volumetric attacks, regular patching of IoT devices, and user education. As the pool of vulnerable IoT devices grows, organizations must prioritize the security of their networks and remain vigilant in the face of evolving cyber threats.