Tuesday, January 3, 2017

Distributed Denial of Service (DDoS) Attacks from non-traditional Sources


Description
A Distributed Denial of Service (DDoS) attack is an attempt to make an online service unavailable by overwhelming it with traffic from multiple sources. These attacks target a wide variety of important resources, such as banks, eCommerce websites and Internet Service Providers (ISPs), and present a major challenge to people who publish and access important information.

Attackers launch DDoS attacks from a wide variety of Internet-connected sources, such as compromised web servers, botnets (malware-infected hosts) and vulnerable or misconfigured UDP-based services (open DNS resolvers, NTP, SSDP, SNMP, Chargen). Attackers change their tactics and chosen attack vectors from time to time.

Nowadays, attackers are exploiting unsecured Internet-connected embedded IoT (Internet of Things) devices to launch DDoS attacks against their targets.

There are many reasons for choosing Internet of Things (IoT) devices as DDoS attack vectors. IoT devices can often be accessed remotely using easily guessable login credentials, usually the factory default usernames and passwords, and because of the limitations of their operating systems and processing power they may not include any advanced security features.

Embedded devices are often designed to be plugged in and forgotten after a very basic setup process. Many never receive firmware updates, or their owners fail to apply them, and the devices tend to be replaced only when they reach the end of their lifecycle. As a result, any compromise or infection of such devices may go unnoticed by the owner, which makes them a uniquely attractive target for remote attackers.

Most embedded IoT devices are shipped with a Linux operating system (built for various CPU architectures) and with SSH and Telnet services enabled.

Examples of embedded Internet of Things (IoT) devices:
• Digital video recorders (DVRs)
• CCTV video cameras
• Smart TVs
• Printers
• Webcams
• Surveillance (IP) cameras
• Home routers
• Cable television set-top boxes
• Satellite set-top boxes

IoT Botnet (Malware)

Recently, IoT devices have been used to create large-scale botnets (networks of devices infected with self-propagating malware) that can execute crippling distributed denial-of-service (DDoS) attacks.

About Mirai Malware

Mirai is a piece of malware that infects IoT devices and is used as a launch platform for DDoS attacks.

Mirai is built for two core purposes:
• Locate and compromise IoT devices to further grow the botnet.
• Launch DDoS attacks based on instructions received from a remote C&C.

Tactics used by Mirai Malware

Mirai performs wide-ranging scans of IP addresses. The purpose of these scans is to locate under-secured IoT devices (insecure routers, IP cameras, digital video recorders and other easily hackable devices). The Mirai bot uses a short list of common default usernames and passwords to identify vulnerable devices.

Mirai uses brute-force password guessing (dictionary attacks) against the SSH (TCP port 22) and Telnet (TCP ports 23 and 2323) services enabled on IoT devices.

Mirai's attack function enables it to launch HTTP floods and various network-layer (OSI layers 3-4) DDoS attacks. When launching HTTP floods, Mirai bots hide behind predefined and customised default user-agents. Mirai is also capable of launching GRE IP and GRE ETH floods, as well as SYN and ACK floods, STOMP (Simple Text Oriented Message Protocol) floods, DNS floods and UDP flood attacks.

Botnets powered by Mirai malware are capable of generating huge amounts of traffic (e.g. more than 600 Gbps) against any chosen target.

Preventive Countermeasures
• Ensure all default passwords are changed to strong passwords. Default usernames and passwords for most devices can easily be found on the Internet, making devices with default passwords extremely vulnerable.
• Update IoT devices with security patches as soon as patches become available.
• Disable Universal Plug and Play (UPnP) on routers unless absolutely necessary.
• Consumers should be aware of the capabilities of the devices and appliances installed in their homes and businesses. If a device comes with a default password or an open Wi-Fi connection, consumers should change the password and only allow it to operate on a home network with a secured Wi-Fi router.
• Understand the capabilities of any IoT device intended for at-home use. If the device transmits data or can be operated remotely, it has the potential to be infected.
• Monitor TCP ports 2323, 22 and 23 for attempts to gain unauthorized control over IoT devices using the network terminal (Telnet) protocol.
• Look for suspicious traffic on port 48101. Infected devices often attempt to spread malware by using port 48101 to send results to the threat actor.
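The last two countermeasures can be turned into a simple log check. The script below is an added example, not part of the CERT-In advisory: it reads constructed firewall-style connection log lines, flags any source that probes several hosts on the Telnet/SSH ports Mirai targets (22, 23, 2323), and reports any connection to port 48101 from inside the network. The log format and the scan threshold are assumptions for the example.

```python
"""Added detection example (not part of the advisory): flag Mirai-style
Telnet/SSH scanning and port-48101 report-back traffic in connection logs."""
from collections import defaultdict

# Ports named in the advisory: Telnet 23/2323, SSH 22, and 48101, which
# infected devices use to send scan results back to the threat actor.
LOGIN_PORTS = {22, 23, 2323}
REPORT_PORT = 48101

# Constructed sample log lines, assumed format:
# "<time> <src_ip> -> <dst_ip>:<dst_port> <tcp_flag>"
SAMPLE_LOG = """\
10:00:01 198.51.100.7 -> 192.0.2.10:23 SYN
10:00:01 198.51.100.7 -> 192.0.2.11:23 SYN
10:00:02 198.51.100.7 -> 192.0.2.12:2323 SYN
10:00:02 198.51.100.7 -> 192.0.2.13:23 SYN
10:00:03 198.51.100.7 -> 192.0.2.14:22 SYN
10:00:04 203.0.113.5 -> 192.0.2.10:443 SYN
10:00:05 192.0.2.20 -> 203.0.113.99:48101 SYN
"""


def parse_line(line):
    """Return (src_ip, dst_ip, dst_port) for one log line in the assumed format."""
    _time, src, _arrow, dst_and_port, _flag = line.split()
    dst, port = dst_and_port.rsplit(":", 1)
    return src, dst, int(port)


def analyse(log_text, scan_threshold=3):
    """Return suspected scanners and report-back connections.

    A source that contacts at least scan_threshold distinct hosts on
    Telnet/SSH ports looks like Mirai's default-credential scanning; any
    connection to port 48101 matches the advisory's report-back pattern.
    """
    hosts_per_source = defaultdict(set)
    report_back = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        src, dst, port = parse_line(line)
        if port in LOGIN_PORTS:
            hosts_per_source[src].add(dst)
        elif port == REPORT_PORT:
            report_back.append((src, dst))
    scanners = {src: len(hosts) for src, hosts in hosts_per_source.items()
                if len(hosts) >= scan_threshold}
    return {"scanners": scanners, "report_back": report_back}


if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```

On the sample data the single external source probing five internal hosts on ports 23/2323/22 is reported as a scanner, and the internal host talking to port 48101 is reported as a possible infected device phoning home.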

Note: Please do not reply to this e-mail. For further queries contact
CERT-In Information Desk. Email: info@cert-in.org.in