Tuesday, October 4, 2016

Why the Mirai IoT Botnet Changed the DDoS Game

Over the weekend the Mirai code for the IoT botnet was released on the internet. Essentially, this allows copy cats and borderline script kiddies to adjust the code as needed for their own misguided use. The Mirai botnet was the botnet that took down both Krebs and OVH last week and there’s been debate as to the number of hosts commanded by it. Either way, it ended up throwing two of the largest DDoS attacks ever seen. The OVH attack tipped the scales at around 1 tbps, which is like wielding your own personal Death Star across the internet. 

This being said, I think we’ll see the Mirai botnet start declining, but that they’ll be an uptick in IoT related DDoS attacks. This was only one botnet, made mostly from small cameras attached to the internet, but what happens when someone goes out and starts creating a botnet from multiple IoT related devices? What if they slowly harvest vulnerabilities within the plethora of insecure IoT devices? An attacker could slowly command an army of soda machines, thermostats, cars, DVRs, etc that when combined will be larger than anything we’ve ever seen before. This like a botnet-of-botnets (BoB) making one mega-botnet to rule them all (okay, now there’s LOTR references in here too, sorry).

Either way, the Mirai IoT botnet has shown that DDoS is about to turn it up to 11 real soon and hopefully the Akamai’s, Cloudflares, Google, etc are going to be ready for it. These providers are always looking to have N-size the amount of bandwidth from the largest known DDoS attack on record, so this might leave have them scrambling to determine bandwidth sizes for the future. I also think the ISPs need to start playing a bigger role here when it comes to botnets of this size, but regulation and corporation from other countries would also need to be involved and this has always historically been difficult.

So this is why Mirai changed the game. It almost completely brought down a DDoS mitigation network, which means if there were two botnets of equal size it would be difficult to maintain. This also means if they can’t support multiple attacks of this size their other customers will be left unprotected and vulnerable to attack, or even leaving their “always on” customers with a potential internet outage.  Lastly, this starts the herding of an untapped market of IoT devices ripe for the picking and I think we’ll see copy cats using similar code on different IoT devices real soon. Things are about to get interesting.

No comments:

Post a Comment