Mirai Writes New Chapter in the History of DDoS Attacks
The Mirai malware is seen as a milestone in the threat landscape, showing that IoT botnets can be used in distributed denial-of-service (DDoS) attacks and can deal significant blows. It entered the spotlight in autumn last year, and its damage is likely to be felt for some time to come.
Here’s a timeline of the most important events in the life of the Mirai malware:
– Early August 2016: Independent security researchers start analyzing Mirai, which had gone almost unnoticed because samples were difficult to retrieve from infected IoT devices (mostly routers, DVRs and IP cameras)
– September 20, 2016: Mirai botnet of 145,607 devices (IP cams and DVRs) hits a few Minecraft servers hosted by French provider OVH. Two consecutive assaults added up to almost 1Tbps and the botnet continued to add infected IoT devices by the thousands
– September 20, 2016: Mirai DDoS botnet targets the website of security journalist Brian Krebs with a sustained attack of more than 600Gbps. The journalist was forced to take down the website for three days until he could find better protection from the assaults.
– Around October 1, 2016: Mirai source code becomes available on public forums, allowing hackers to create their own botnets, add new features to the malware and create variants that would evade detection
– October 21, 2016: Mirai operators shake the Internet as they fire at Dyn, a major DNS service provider. The shock hits high-profile websites like Twitter, Github, Reddit, Netflix, Airbnb, PayPal, Amazon, Spotify, with some of them becoming temporarily unavailable to users.
– November 4, 2016: Liberia is hit with a DDoS attack from a botnet based on Mirai malware code, knocking offline websites hosted in the country. Security researcher Kevin Beaumont says the blow packed more than 500Gbps of meaningless traffic.
– November 27, 2016: The variant of Mirai that knocked Deutsche Telekom routers offline also impacts the routers of UK Internet Service Providers TalkTalk, UK Post Office and Kcom, affecting more than 100,000 customers.
Since the Mirai source code was released, hackers can create new variants of the malware and carry out DDoS attacks. Until now, security researchers have detected more than 430 Mirai-based botnets hitting targets across the globe. Although most act for just a few seconds, there are records of assaults lasting for an hour.
Mirai, though, was not the first botnet to recruit hundreds of thousands of connected devices. In 2013, an anonymous security researcher created an army of about 420,000 embedded systems in an experiment that ran from March through December. Hijacking this many devices was possible because they were exposed on the web and ran with the default password, or no password at all.
Regardless of the malware family used in DD0S attacks, one thing is certain: botnet masters have found a powerful, easy-to-use weapon.
Photo credit: Jack Moreh for Freerange StockDDoS Mirai smart home vulnerability