Mirai’s Common Attack Methods Remain Consistent and Effective

The Mirai botnet continues to make headlines as it unleashes the largest and most disruptive distributed denial of service (DDoS) attacks ever seen, according to researchers. To assist the victims of these attacks, Corero Network Security has released a report that examines the common attack methods employed by this notorious botnet, which have remained largely unchanged in recent years. Despite its lack of evolution, Mirai has given rise to numerous variants that exploit vulnerabilities in IoT devices to build a network of botnets for launching DDoS attacks.

Huy Nguyen, a cyber security engineer for Corero Network Security, commented on Mirai’s effectiveness despite its minimal evolution, stating: “What’s interesting about Mirai is that it is still effective without having evolved much at all.” According to the report, the growing number of vulnerable IoT devices being connected to networks every day adds to the threat posed by Mirai. Even the conventional attack vectors used by Mirai can inflict severe damage on large organizations, warns Nguyen. Additionally, the leak of Mirai’s source code in 2016 has made it easier for threat actors with limited technical skills to build their own botnets using readily available resources on the internet.

Exploiting vulnerable IoT devices with a remote code execution (RCE) bug is a crucial step for launching a Mirai attack. However, RCE flaws are not uncommon since many users neglect to update their home routers, access points, IP cameras, and other similar devices, as pointed out by Nguyen. This negligence makes it easy for attackers to abuse the vast number of unpatched devices installed across various enterprises. The report highlights how script kiddies, even with minimal expertise, can create their own botnets using just a few commands.

With its enduring legacy, Mirai has wreaked havoc since the mid-2010s and gained notoriety for launching numerous disruptive DDoS attacks against global organizations. Some examples of such attacks include those targeting French technology company OVH, the Liberian government, and DNS provider Dyn, which affected websites like Twitter, Reddit, GitHub, and CNN. Mirai’s main objective is to convert IoT devices, such as routers and cameras, into zombies that attackers can control and use to flood targets with massive amounts of traffic, ultimately causing a DDoS.

Although Mirai has appeared to evolve at times, incorporating new features, targeting new devices, or employing new programming languages, the botnet has consistently maintained nine key attack vectors for executing DDoS attacks throughout its lifespan. One such attack vector is a UDP flood, which overwhelms the bandwidth of the victim. Another attack method, called the Valve Source Engine (VSE) query flood, replays the static "TSource Engine Query" payload over UDP. Mirai also employs a DNS Water Torture attack that aims to overwhelm DNS servers by sending queries to open resolvers.

The remaining attack methods include variations of floods, such as UDP floods optimized for higher packets per second (PPS), SYN floods that randomize various ports, and ACK floods that make blocking the attack more challenging by carrying random payloads. The botnet can also employ protocols like Simple Text Oriented Messaging Protocol (STOMP) to make traffic appear normal, and it can use GRE packets to encapsulate IP packets and cause significant damage to targeted victims. Lastly, Mirai is capable of executing advanced HTTP flood attacks with customizable parameters.
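Two of the vectors listed above leave a distinctive footprint that a defender can look for in flow or packet summaries: the VSE flood replays one fixed payload, and DNS Water Torture produces a stream of never-repeated subdomain labels under a single zone. The following is an added example written for this page, not code from Corero's report; the packet and DNS records are constructed, and the detection thresholds are illustrative assumptions.

```python
from collections import defaultdict

# Fixed A2S_INFO probe payload; the "VSE" flood replays this static string.
VSE_QUERY = b"\xff\xff\xff\xffTSource Engine Query\x00"

# Constructed sample packets (src_ip, dst_ip, dst_port, udp_payload); not real capture data.
SAMPLE_PACKETS = [
    ("10.0.0.5", "192.0.2.10", 27015, VSE_QUERY),
    ("10.0.0.5", "192.0.2.10", 27015, VSE_QUERY),
    ("10.0.0.5", "192.0.2.10", 27015, VSE_QUERY),
    ("10.0.0.5", "192.0.2.10", 27015, VSE_QUERY),
    ("10.0.0.9", "192.0.2.10", 27015, VSE_QUERY),  # a single legitimate server-browser query
    ("10.0.0.7", "192.0.2.10", 53, b"\x12\x34\x01\x00"),
]

# Constructed sample DNS query names as seen at a resolver; not real data.
SAMPLE_QUERIES = [
    "www.example.org", "mail.example.org", "www.example.org",
    "k3j9x.victim.example", "a0f7q.victim.example", "zz81m.victim.example",
    "p4r2c.victim.example", "w9n1e.victim.example", "hh6t0.victim.example",
]

def is_vse_query(payload: bytes) -> bool:
    """True if a UDP payload is the fixed Source Engine query the VSE flood replays."""
    return payload.startswith(VSE_QUERY)

def vse_flood_sources(packets, threshold=3):
    """Sources that sent at least `threshold` VSE queries to one destination
    (assumed threshold; real deployments would rate this per time window)."""
    counts = defaultdict(int)
    for src, dst, _dport, payload in packets:
        if is_vse_query(payload):
            counts[(src, dst)] += 1
    return {src for (src, _dst), n in counts.items() if n >= threshold}

def water_torture_zones(names, min_distinct=5):
    """Zones (last two labels) receiving many distinct leftmost labels: the
    footprint of a DNS Water Torture run through open resolvers."""
    labels = defaultdict(set)
    for name in names:
        parts = name.lower().rstrip(".").split(".")
        if len(parts) < 3:
            continue
        labels[".".join(parts[-2:])].add(parts[0])
    return {zone for zone, seen in labels.items() if len(seen) >= min_distinct}

if __name__ == "__main__":
    print("VSE flood sources:", vse_flood_sources(SAMPLE_PACKETS))
    print("Water torture zones:", water_torture_zones(SAMPLE_QUERIES))
```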

Corero suggests that organizations can best defend against botnets like Mirai by implementing specialized solutions that can detect network anomalies and mitigate volumetric attacks. Although the delivery of the Mirai malware may differ across device types, platforms, or exploitable bugs, the focus of the report is to shed light on the botnet’s common attack methods, thereby enabling defenders to better prepare themselves to mitigate DDoS attacks launched by the botnet.

In conclusion, the Mirai botnet continues to pose a significant threat with its ability to orchestrate massive and disruptive DDoS attacks. Despite its minimal evolution, the botnet remains highly effective and capable of exploiting the growing number of vulnerable IoT devices. By understanding the botnet’s common attack methods and implementing appropriate defense measures, organizations can better protect themselves against the destructive force of Mirai.
