Mirai Common Attack Methods Remain Consistent, Effective

Published: 23/11/2024   Category: security


While relatively unchanged, the notorious IoT botnet still continues to drive DDoS.



The Mirai botnet continues to break records for driving the biggest and most disruptive distributed denial of service (DDoS) attacks ever seen, researchers say. To help victims of these scenarios, Corero Network Security released a report today analyzing the common attack methods of the notorious botnet, which have changed little in recent years. Still, Mirai has spawned numerous variants to maintain its core purpose: exploit vulnerabilities in IoT devices to create an army of bots to mount DDoS attacks.

"What's interesting about Mirai is that it is still effective without having evolved much at all," Huy Nguyen, cyber security engineer for Corero Network Security, tells Dark Reading.

"Though none of its myriad variants veer from Mirai's original attack vectors, it still poses a dangerous threat, one that is bolstered by the growing pool of vulnerable IoT devices being added to networks every day," he wrote in the report.

Indeed, typical Mirai attack vectors are problematic enough to damage even large organizations, Nguyen says. Moreover, threat actors with limited technical skills can build Mirai botnets using resources found on the Internet, thanks in part to the leak of its source code in 2016.

This makes it easy for attackers to abuse myriad devices that are installed across enterprises without being patched, Nguyen says. "Script kiddies can build their own botnet easily with a few commands," he wrote.

And though they need to exploit vulnerable IoT devices with a remote code execution (RCE) bug to drop the malware and launch a DDoS attack, RCE flaws are not rare, as most people tend not to update home routers, access points, IP cameras, and the like, Nguyen noted.

Mirai has been wreaking havoc since the mid-2010s, and is well known in the cybersecurity realm for having spawned numerous disruptive DDoS attacks against global organizations — including French technology company OVH, the government of Liberia, and DNS provider Dyn in an attack that affected websites such as Twitter, Reddit, GitHub, and CNN.

Mirai's core competency is to turn IoT devices like routers and cameras into zombies that attackers can control and use to deluge targets with massive amounts of traffic, forcing DDoS.

While at times it has appeared to evolve with the addition of new features or targets, or its use of new programming languages, the botnet has maintained the same nine key attack vectors for flooding networks with traffic over its lifetime until now, according to Corero.
One is a UDP flood, a type of attack normally aimed at overwhelming the bandwidth of the victim. In this attack, the victim could be a destination IP, a subnet, or multiple subnets.

A second is what's called a Valve Source Engine query flood, which uses the static "TSource Engine Query" as its payload. If no command parameters are given, this attack sends UDP traffic to destination port 27015.

The third attack method, dubbed DNS Water Torture, does not go after a specific destination IP or subnet but aims to overwhelm the resources of a DNS server by sending DNS queries to open resolvers, which prevents resolution in the victim's domain.

A fourth Mirai attack method is similar to a UDP flood but has fewer options and is optimized for a higher packet rate (PPS), requiring only three arguments to trigger.

The fifth is a SYN flood, which carries no payload, randomizes various ports, and is tricky for defenders to block. The sixth, an ACK flood, is similar to a SYN flood but carries a random payload aimed solely at making the attack harder to block.

Mirai's seventh attack method is one in which the botnet tries not to act like a bot, making it challenging for defenders to distinguish between normal and abnormal traffic, according to the report. It uses Simple Text Oriented Messaging Protocol (STOMP), a layer-7 text-based application protocol, but can switch to a different protocol for greater impact.

Another attack is a GRE flood that encapsulates IP packets inside GRE packets, randomizing the source IP, destination IP, UDP source port, UDP destination port, and UDP payload of the inner packet. This long-standing method can reach a remarkably high bit rate (BPS) and can cause significant damage to targeted victims, Nguyen wrote.

The last known Mirai attack method is an advanced and flexible layer-7 HTTP flood, which an attacker can customize with setting parameters, he added.
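A defender reading the vector descriptions above will want to know what they look like in flow data. The following is an added example, not code from the Corero report, that classifies constructed flow records into four of the vectors named here (Source Engine query flood on UDP/27015, DNS Water Torture, payload-less SYN flood, GRE flood with randomized inner sources). The record layout, the `threshold` value and the exact byte framing of the A2S_INFO probe are assumptions for illustration.

```python
from collections import defaultdict

# The static A2S_INFO probe ("TSource Engine Query") that the article says the
# Source Engine flood replays toward UDP/27015; framing bytes assumed from the protocol.
SOURCE_ENGINE_QUERY = b"\xff\xff\xff\xffTSource Engine Query\x00"

def flow(**kw):
    """Constructed flow record; unspecified fields get neutral defaults."""
    rec = {"proto": "udp", "src": "", "dst": "", "dport": 0, "flags": "",
           "payload": b"", "qname": "", "inner_src": ""}
    rec.update(kw)
    return rec

def random_label_ratio(qnames):
    """Share of distinct leftmost labels among queries for one zone; water
    torture asks for never-repeating names, so this tends toward 1.0."""
    labels = [q.split(".")[0] for q in qnames]
    return len(set(labels)) / len(labels) if labels else 0.0

def classify(flows, threshold=3):
    """Map vectors named in the article to the targets they were seen against.
    `threshold` (an illustrative assumption) is the minimum number of distinct
    sources or queries before a pattern is reported, so one legitimate Steam
    server-browser query or DNS lookup does not trip it."""
    engine, zones = defaultdict(set), defaultdict(list)
    syn, gre = defaultdict(set), defaultdict(set)
    for f in flows:
        if f["proto"] == "udp" and f["dport"] == 27015 and f["payload"] == SOURCE_ENGINE_QUERY:
            engine[f["dst"]].add(f["src"])                 # replayed A2S_INFO probe
        elif f["proto"] == "udp" and f["dport"] == 53 and "." in f["qname"]:
            zones[f["qname"].split(".", 1)[1]].append(f["qname"])  # zone -> names
        elif f["proto"] == "tcp" and f["flags"] == "S" and not f["payload"]:
            syn[f["dst"]].add(f["src"])                    # bare SYN, no payload
        elif f["proto"] == "gre" and f["inner_src"]:
            gre[f["dst"]].add(f["inner_src"])              # randomized inner source
    hits = defaultdict(set)
    for name, table in (("source_engine_query_flood", engine), ("syn_flood", syn), ("gre_flood", gre)):
        hits[name].update(d for d, srcs in table.items() if len(srcs) >= threshold)
    for zone, names in zones.items():
        if len(names) >= threshold and random_label_ratio(names) > 0.9:
            hits["dns_water_torture"].add(zone)
    return {k: v for k, v in hits.items() if v}

# Constructed sample traffic: three bots replaying the probe at a game server, three
# random-label lookups in one zone, two bare SYNs (below threshold), three GRE packets.
SAMPLE = [flow(src=f"203.0.113.{i}", dst="198.51.100.7", dport=27015, payload=SOURCE_ENGINE_QUERY) for i in (1, 2, 3)]
SAMPLE += [flow(src="203.0.113.9", dst="198.51.100.53", dport=53, qname=f"{n}.example.net") for n in ("x7kq1", "p0zz9", "m3jd4")]
SAMPLE += [flow(proto="tcp", src=f"203.0.113.{i}", dst="198.51.100.80", dport=80, flags="S") for i in (4, 5)]
SAMPLE += [flow(proto="gre", src="203.0.113.6", dst="198.51.100.1", inner_src=f"192.0.2.{i}") for i in (10, 20, 30)]
```

Lowering `threshold` to 2 makes the two-source SYN sample trip the `syn_flood` rule, which illustrates why the cutoff should be tuned to a network's normal per-destination source counts.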
While its attack methods have remained consistent, the delivery of the Mirai malware may differ across device type, platform, or exploitable bug, which makes it rather unique, Nguyen wrote. However, Corero chose to focus its report on revealing the botnet's common attack methods to better prepare defenders to mitigate a DDoS attack that leverages the botnet.

That said, organizations can best defend against botnets like Mirai by implementing specialized solutions that detect network anomalies and mitigate volumetric attacks, he says.
