Attack of the machines: Internet’s biggest meltdown caused by Mirai botnet

22 Oct 2016

The rise of botnets like Mirai shows how vulnerable machines can be compromised and used to attack human infrastructure. Image: Willyam Bradberry/Shutterstock

The latest attack using the Mirai botnet shows just how vulnerable we humans are in the IoT world.

Millions of US internet users lost access to popular online sites like Twitter, Spotify, Reddit and CNN because of the Mirai botnet, which recruited unsecured IoT devices and marshalled them into a massive DDoS attack.

Across much of the US, from LA to New York, the internet on Friday was just not working. While users could not understand why their favourite websites were inaccessible, the security world has quickly come to the conclusion that the attack was the work of a new class of botnet.

This botnet – known as Mirai, in this case – effectively targets vulnerable internet-connected devices from CCTV cameras to internet of things (IoT) devices in the home, to unleash havoc on businesses anywhere in the world.

Effectively, there is no website on the planet that can withstand a targeted DDoS attack where millions of devices are – often unknown to their owners – crowding the front door of websites, rendering them inaccessible.

Tens of millions of IoT devices used in attack on Dyn


Depiction of effects of attack on Dyn by Mirai botnet. Image: Level3 Communications

In this case, the DDoS attack targeted a New Hampshire-based internet company called Dyn, which provides domain name system (DNS) services to some of the world’s most trafficked websites.

According to the chief strategy officer of Dyn, Kyle York, the DDoS attack marshalled “tens of millions” of malware-infected devices connected to the internet.

After battling three or more waves of attacks, Dyn managed to get its systems operational by the end of the day on Friday.

The FBI is currently investigating what happened and how.

The attack is believed to be the handiwork of the Mirai botnet that was released into the wild by a hacker known as Anna-senpai.

Mirai effectively spreads to vulnerable IoT devices by continually scanning the internet for IoT systems protected by factory default or hard-coded usernames and passwords.

This was the botnet that silenced US infosec journalist Brian Krebs, of Krebs on Security, in a 620Gbps DDoS attack in recent weeks.

The same botnet took French hosting provider OVH offline after enlisting some 145,000 IoT devices and hacked CCTV cameras to mount an attack.

In this way, hackers can simply knock websites offline at a whim.

Cheap components at the heart of war of the machines

According to Krebs, citing researchers at security firm Flashpoint, the latest attack used hacked IoT devices – mainly DVRs and IP cameras made by Chinese company XiongMai Technologies – to attack Dyn.

XiongMai’s components are often sold downstream to other tech manufacturers.

Krebs warns that because of this selling policy, many mass-produced IoT devices are essentially unfixable and will remain a danger to others unless they are completely unplugged from the internet.

“That’s because while many of these devices allow users to change the default usernames and passwords on a web-based administration panel that ships with the products, those machines can still be reached via more obscure, less user-friendly communications services called ‘Telnet’ and ‘SSH.’

“Telnet and SSH are command-line, text-based interfaces that are typically accessed via a command prompt (eg, in Microsoft Windows, a user could click Start, and in the search box type ‘cmd.exe’ to launch a command prompt, and then type ‘telnet’ to reach a username and password prompt at the target host).”
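The propagation behaviour described above, a bot continually scanning the internet for devices answering on Telnet, leaves a recognisable footprint in a network’s own flow or firewall logs. The script below is an added illustration and is not code from the article, Dyn, Flashpoint or Krebs; it assumes a constructed, simplified log line format and flags any internal host that opens Telnet connections to many distinct destinations inside a short window.

```python
"""Flag hosts showing Mirai-style Telnet fan-out in firewall/flow logs.

Assumed (constructed) log format, one connection attempt per line:
    <ISO timestamp> <src_ip> -> <dst_ip>:<dst_port> <proto>
A device that has been recruited keeps scanning for other Telnet hosts,
so one source reaching TCP/23 on many distinct destinations is the signal.
"""
import re
from collections import defaultdict
from datetime import datetime

LINE_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+) (\w+)$")
TELNET_PORTS = {23}

# Constructed sample: 10.0.0.7 fans out to Telnet on six hosts in six seconds,
# 10.0.0.12 is ordinary traffic plus a single admin Telnet session.
SAMPLE_LOG = """\
2016-10-21T07:10:00 10.0.0.7 -> 203.0.113.5:23 TCP
2016-10-21T07:10:01 10.0.0.7 -> 203.0.113.9:23 TCP
2016-10-21T07:10:01 10.0.0.7 -> 198.51.100.2:23 TCP
2016-10-21T07:10:02 10.0.0.7 -> 198.51.100.40:23 TCP
2016-10-21T07:10:03 10.0.0.7 -> 192.0.2.17:23 TCP
2016-10-21T07:10:04 10.0.0.12 -> 192.0.2.80:443 TCP
2016-10-21T07:10:05 10.0.0.12 -> 10.0.0.7:23 TCP
2016-10-21T07:10:06 10.0.0.7 -> 192.0.2.77:23 TCP
this line is malformed and must be skipped, not crash the parser
"""

def parse(line):
    """Return (timestamp, src, dst, port, proto) or None for unparseable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, src, dst, port, proto = m.groups()
    return datetime.fromisoformat(ts), src, dst, int(port), proto

def find_scanners(log_text, min_targets=5, window_seconds=60):
    """Map src_ip -> distinct Telnet destinations for every source that reaches
    at least min_targets distinct hosts within any window_seconds span."""
    events = defaultdict(list)          # src -> [(timestamp, dst), ...]
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ts, src, dst, port, proto = rec
        if proto == "TCP" and port in TELNET_PORTS:
            events[src].append((ts, dst))
    flagged = {}
    for src, evs in events.items():
        evs.sort()
        for i, (t0, _) in enumerate(evs):   # slide the window start over each event
            targets = {d for t, d in evs[i:] if (t - t0).total_seconds() <= window_seconds}
            if len(targets) >= min_targets:
                flagged[src] = len(targets)
                break
    return flagged
```

Thresholds are deliberately low for the sample; on a real export tune min_targets and window_seconds to the site’s baseline, and review flagged hosts for the factory-default credentials the article describes.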

Timeline of the attack

Dyn reported the outages at 7.10am EST.

Services were restored two hours later.

Sites were affected not only in the US, but as far away as Australia, and a second wave of attacks began at 1am in Sydney, lasting five hours.

At the peak of the attack, the average DNS connect time for 2,000 websites went from the normal 500 milliseconds to 16 seconds.

Dyn has produced a full timeline of the attack here.

The future of the internet as we know it is at stake

As Krebs pointed out, the IoT revolution means that the world is flooded with all manner of vulnerable devices, using components that are easy for manufacturers to source.

The existence of Mirai and similar botnets suggests that hackers now have an on-off switch for the internet as we know it.

What is particularly frightening is that the attacks are being augmented and customised by copycat hackers.

According to security firm Flashpoint: “While Flashpoint has confirmed that Mirai botnets were used in the 21 October 2016 attack against Dyn, they were separate and distinct botnets from those used to execute the DDoS attacks against Krebs on Security and OVH. Earlier this month, Anna_senpai, the hacker operating the large Mirai botnet used in the Krebs DDoS, released Mirai’s source code online. Since this release, copycat hackers have used the malware to create botnets of their own in order to launch DDoS attacks.”

The only way nations can prevent such crippling attacks in the future will be to establish clear rules about device security and, of course, the security of components within devices.

The European Commission is currently drafting new cybersecurity requirements to beef up security around IoT devices like cameras and DVRs.

This top-down approach may be the only way to prevent online businesses, and ultimately consumers in their own homes, from falling victim to the whims of mischievous hackers.

John Kennedy is a journalist who served as editor of Silicon Republic for 17 years
