On October 21, 2016, a DDoS attack hit the DNS service provider Dyn. The company is a major DNS provider for many companies in the United States.
In the morning of the attack, Dyn confirmed that its DNS infrastructure located in the East Coast had suffered DDoS attacks from all over the world. The attacks severely affected the business of Dyn's DNS customers, and even worse, websites of customers became inaccessible. These attacks lasted until 13:45 PM ET. Dyn said on its official website that it would track down this issue and release the incident report.
Services affected by this attack included Twitter, Etsy, Github, Soundcloud, Spotify, Heroku, PagerDuty, Shopify, and Intercom. Access to popular websites like PayPal, BBC, Wall Street Journal, Xbox, CNN, HBO Now, Starbucks, New York Times, The Verge, and Financial Times was also affected.
In response, the Computer Emergency Response Team (CERT) initiated an advanced analysis process to follow up and analyze the DDoS attack. According to the CERT analysis, this incident involved multiple factors particularly IoT device security vulnerabilities. In addition to the DDoS attack and DNS security on the surface, there were still many other issues that are worth greater attention and further research.
Dyn said that this DDoS attack involved tens of millions IP addresses, most of which were IoT and smart devices. Dyn believed that the attack came from a malicious code named "Mirai." Hacker organizations NewWorldHackers and Anonymous claimed responsibility for the attack .
The scale of botnets that rely on IoT devices is continuously increasing. Typical IoT DDoS botnet families include the CCTV series that appeared in 2013, ChiekenMM series (including 10771, 10991, 25000, and 36000), and Linux-based cross-platform DDoS botnet families (such as BillGates, Mayday, PNScan, and Gafgyt). CERT has named these Trojans as follows:
| Family | Variant quantity | Sample HASH quantity |
| Trojan[DDoS]/Linux.Mirai | 2 | Greater than100 |
| Trojan[DDoS]/Linux.Xarcen | 5 | Greater than1000 |
| Trojan[DDoS]/Linux.Znaich | 3 | Greater than500 |
| Trojan/Linux.PNScan | 2 | Greater than50 |
| Trojan[Backdoor]/Linux.Mayday | 11 | Greater than1000 |
| Trojan[DDoS]/Linux.DnsAmp | 5 | Greater than500 |
| Trojan[Backdoor]/Linux.Ganiw | 5 | Greater than3000 |
| Trojan[Backdoor]/Linux.Dofloo | 5 | Greater than2000 |
| Trojan[Backdoor]/Linux.Gafgyt | 28 | Greater than8000 |
| Trojan[Backdoor]/Linux.Tsunami | 71 | Greater than1000 |
| Worm/Linux.Moose | 1 | Greater than10 |
| Worm[Net]/Linux.Darlloz | 3 | Greater than10 |
In this incident, the primary victims infected with Mirai were IoT devices, including routers, network cameras, and DVRs. As early as 2013, organizations engaged in DDoS cyber crimes started to shift targets for capturing botnet hosts from Windows to Linux, and from x86 Linux servers to IoT devices with the embedded Linux operating system. Mirai means "future" in Japanese. R&D staff names the new variant "Hajime," which means "beginning" in Japanese.
CERT has captured and analyzed a large number of malicious samples related to smart devices and routers, and worked with related authorities to collect field evidence from some devices. These devices mainly use the MIPS and ARM architectures in which attackers have implanted Trojans due to the existence of such factors as default passwords, weak passwords, serious vulnerabilities that do not get fixed in time. Due to mass production and deployment of IoT devices and insufficient competence of integrators and O&M staff in many application scenarios, a significant proportion of devices use default passwords and vulnerabilities cannot get fixed in time.
Domain Name System (DNS) is a server that converts between domain names and corresponding IP addresses. DNS stores a domain name and IP address mapping table to resolve domain names in messages. Target websites get visits according to the resolution results. If DNS receives a DDoS attack, it cannot resolve domain names properly, and therefore users cannot visit the related target websites.
In DDoS attacks (including Mirai) targeted at IoT devices, attackers perform brute-force cracking on popular password files through the Telnet port, or log on using the default password. If attackers successfully log on through Telnet, they attempt to use the necessary embedded tools like BusyBox and wget to download the bot of the DDoS function, modify executable attributes, and run and control IoT devices. Due to the difference of the CPU command architectures, after determining the system architecture, some botnets can select samples of the MIPS, arm, or x86 architectures for downloading. After running these samples, botnets receive related attacks commands to initiate attacks.
The following weak password can exist in a Mirai sample:
In previous tracking and analysis of IoT botnets, CERT found that many popular devices including DVR, network camera, and smart router brands had the default password problem.
The related source code of the Mirai botnet was released on the Hackerforums by a user "Anna-senpai" on September 30, 2016. The user claimed that the code was released to encourage users to pay more attention to the security industry. After the code was released, the related technology got immediately applied to other malicious software projects. On October 4, 2016, this code was uploaded to GitHub and soon forked for more than 1000 times.
CERT analyzed the Mirai source code uploaded to GitHub on October 4, 2016, and sorted out its code structure:
The leaked Mirai source code mainly consists of two parts:
The following modules are available at the bot end:
| Module file name | Module function |
| attack.c | Used for attacks. The called attack sub-module gets defined in other attack_xxx.c files. |
| checksum.c | Calculates the checksum. |
| killer.c | Ends a process. |
| main.c | Main module calls other sub-modules. |
| rand.c | Generates random numbers. |
| resolve.c | Resolves domain names. |
| scanner.c | It can scan devices that can be attacked, for example, by using weak passwords, on the network. |
| table.c | Stores encrypted domain name data. |
| util.c | Provides some practical tool. |
Similar "open source" behaviors provide extreme bad demonstration effects, and will further reduce the costs for other attackers to attack IoT devices. Therefore, this article does not intend to interpret this code.
The situation awareness and monitoring system of CERT can continuously monitor sample transmission, online control, and attack commands of botnets. In addition to Mirai-related incidents, we also find attacks initiated by IoT botnets against other targets.
| Attack start time and end time | Sample family (named by the original factory) | Attack target | Attack type |
| 2016-10-22 9:36:48 | Family Mayday | 203.195..:15000 Guangzhou Tencent | tcp flood |
| 2016-10-20 8:12:57 | Family DDoS | www.52*.com XXX | |
| 2016-10-20 1:36:20 | Family DDoS | www.ssh*.com/user.php Shenzhen XXX company | |
| 2016-10-9 18:52:35 | Family Billgates | 121.199.. Hangzhou XX cloud | |
| 2016-9-5 10:57:00 | Family Billgates | 59.151.. Beijing XX |
Before 2014, weak passwords were often scanned to implant malicious codes on IoT devices using the Linux system. Since the appearance of the Shell Shock (CVE-2014-6271), this vulnerability was commonly used on the Internet to scan and implant malicious codes. According to the information captured by the CERT Beeswarm system, the number of Linux host intrusion incidents increased significantly since the appearance of the Shell Shock.
The first Shell Shock infection incident detected by CERT occurred in September 2014. Later, CERT published multiple malicious code analysis reports related to IoT devices, such as the Analysis of DYREZA Family Variants Spread Using Routers and Hackers Using HFS to Build Servers and Spread Malicious Codes. Another report, Trojan [DDOS]/Linux. Znaich Analysis Report was not published at that time and now appends to this report. Attackers also used a few other vulnerabilities that can obtain host permissions.
The CERT analysis team believes that IoT botnets spread quickly due to a combination of the following factors:
CERT expounded the view that threats will be spread and generalized in an in-depth manner with the development of Internet Plus, and used the word "Malware/Other" to explain that security threats evolve towards the new fields such as smart devices. As what we are worried about, security threats are now everywhere from smart cars, smart homes, smart wearable devices, to smart cities.
Therefore, in this large-scale DDoS incident targeted Dyn's DNS, CERT attaches more importance to IoT security problems exposed. Although the DNS often gets regarded as the Achilles' heel of the Internet, we should not forget that interworking on the Internet relies on IP addresses, and domain names are generated merely to facilitate memory of users. For most users of the large industries in North America, VPNs and IP addresses get widely used for the connection, and the primary system operation does not rely on the DNS service. Therefore, even though such a heavy-traffic DDoS attack brings inconvenience to netizens when they access websites for a period, it cannot shake the North America social operation and Internet foundation.
Undoubtedly, the DNS is an information infrastructure, but the IoT botnet is not merely a tool for initiating this attack. IoT is an Internet of Things, and also an essential supporting node in the future information society. IoT is a network extended and expanded based on the Internet. It is not merely a network. IoT can use the embedded sensors, devices, and systems that adopt the awareness and information sensing technologies to build complex applications that involve the physical, social space.
Many devices where these applications are placed are necessary infrastructure devices on the critical nodes that maintain the livelihood of the people, or even basic sensors of critical industrial control facilities. Intruding these devices provides more in-depth resource values, and is more dangerous than using these devices to initiate DDoS attacks. The existence of vulnerabilities in a large area on the IoT brings more concealed and dangerous social security risks and national security risks, except that it is difficult to perceive these type of threats.
It is natural to use the public influence as the significant indicator for evaluating the impact of cybersecurity incidents. When security threats gradually become directional and more concealed, we should not restrict our focus only on risks that are easy to identify. In this way, more dangerous threats will be let off. Even though the Dyn DDoS attack only affected access to websites, the underlying concept behind the attack can be easily extended to other applications.
CERT has been strengthening security protection of IoT devices, increasing costs for attacking or intruding IoT devices, and enhancing security threat monitoring and alarm of IoT devices. It is similar to what we've done in the last decade to enable the CERT AVL SDK engine to run on tens of thousands of firewalls and billions of mobile phones.
In this article, we discussed the CERT's perspective of how IoT devices are the major targets of security threats concerning the Dyn attack in 2016. The more we are dependent on IoT technology, more important is the security of IoT devices.
With the advances in technology, IoT is in the process of becoming more secure with latest monitoring and intruder prevention systems. CERT is working to win this battle soon and is hoping to secure this revolutionary technology completely.
To learn more about IoT and security, visit www.alibabacloud.com/blog.
Alibaba Cloud Launches HiTSDB to Accelerate Migration of IoT Devices to the Cloud
2,599 posts | 762 followers
FollowAlibaba Clouder - June 11, 2019
Alibaba Clouder - June 11, 2019
Alibaba Clouder - June 11, 2019
Alibaba Clouder - June 11, 2019
Alibaba Cloud Security - January 13, 2019
Alibaba Clouder - May 31, 2017
2,599 posts | 762 followers
Follow
Anti-DDoS
A comprehensive DDoS protection for enterprise to intelligently defend sophisticated DDoS attacks, reduce business loss risks, and mitigate potential security threats.
Learn More
ECS(Elastic Compute Service)
Elastic and secure virtual cloud servers to cater all your cloud hosting needs.
Learn More
WAF(Web Application Firewall)
A cloud firewall service utilizing big data capabilities to protect against web-based attacks
Learn MoreMore Posts by Alibaba Clouder
