2. Why this paper?
Not a theoretical paper
Demonstrates real world consequences
Billions of IOT devices are expected to come online
3. The Dark Arts are many, varied, ever-changing, and eternal.
Fighting them is like fighting a many-headed monster, which,
each time a neck is severed, sprouts a head even fiercer and
cleverer than before. You are fighting that which is unfixed,
mutating, indestructible.
- Severus Snape
4. How do botnets propagate?
Scan for reachable targets
Leverage known exploits (Mirai itself simply brute-forced Telnet with a short list of factory-default credentials)
Install the bot software and report the host to the loader
Rinse and repeat from the newly infected device
5. Fighting back
We must identify these devices and get them cleaned up or taken offline
But there are so many devices
And we have limited resources
And most owners do not know their device is infected
6. Network Telescope
Watch unused (unallocated or unrouted) address space: nothing legitimate
should arrive there, so traffic to it is scanning or misconfiguration
Fingerprint the probes to pick out the botnet's scanner specifically
116 billion probes observed
55 million distinct probing IPs
7. Identifying infections
Detect a scan from the infected device hitting the telescope
Actively banner-grab the scanning host on its open services to learn what device it is
Only tag a device if the banner grab happens within 20 minutes of its scan, so the
result describes the host that scanned and not a later holder of a churned IP
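Slides 6 and 7 together describe one detection pipeline: spot Mirai probes in telescope traffic, then schedule an active banner grab only while the 20-minute window is still open. The following is an added example (not code from the deck or from the paper's authors) of that logic in Python. The fingerprint it uses comes from the Mirai paper rather than the slides: Mirai's scanner sets the TCP initial sequence number equal to the destination IPv4 address and targets Telnet on ports 23 and 2323. The probe records are constructed sample data in an assumed (timestamp, src, dst, dport, seq) shape; a real sensor would feed it from pcap or flow logs.

```python
"""Flag Mirai-style SYN probes in telescope logs and pick hosts to verify.

Added example; the ISN-equals-destination-IP fingerprint is the one
documented in the Mirai paper, the record format is an assumption.
"""
import ipaddress
from datetime import datetime, timedelta

MIRAI_PORTS = {23, 2323}            # Telnet plus the alternate port Mirai probed
VERIFY_WINDOW = timedelta(minutes=20)  # banner grab must happen within this


def seq_for(dst_ip: str) -> int:
    """Mirai's scanner stuffs the destination IPv4 address into the TCP ISN."""
    return int(ipaddress.IPv4Address(dst_ip))


def is_mirai_probe(dst_ip: str, dst_port: int, tcp_seq: int) -> bool:
    """True when a SYN carries the Mirai fingerprint on a Mirai port."""
    return dst_port in MIRAI_PORTS and tcp_seq == seq_for(dst_ip)


# Constructed sample records: (time, src_ip, dst_ip, dst_port, tcp_seq).
T0 = datetime(2016, 10, 1, 12, 0, 0)
SAMPLE_PROBES = [
    # A Mirai bot sweeping two telescope addresses
    (T0, "198.51.100.7", "203.0.113.5", 23, seq_for("203.0.113.5")),
    (T0 + timedelta(seconds=3), "198.51.100.7", "203.0.113.9", 2323,
     seq_for("203.0.113.9")),
    # Some other scanner on port 23 with an unrelated ISN
    (T0 + timedelta(minutes=1), "192.0.2.44", "203.0.113.5", 23, 0x1A2B3C4D),
    # Right ISN pattern but HTTP, so not the Telnet scanner we are after
    (T0 + timedelta(minutes=2), "192.0.2.80", "203.0.113.12", 80,
     seq_for("203.0.113.12")),
]


def mirai_scanners(probes):
    """Map each source showing the fingerprint to its most recent matching probe."""
    last_seen = {}
    for ts, src, dst, dport, seq in probes:
        if is_mirai_probe(dst, dport, seq):
            last_seen[src] = max(ts, last_seen.get(src, ts))
    return last_seen


def due_for_active_scan(last_seen, now):
    """Sources still inside the 20-minute window, so a banner grab is meaningful.

    Anything older is dropped: the IP may already belong to a different host.
    """
    return sorted(src for src, ts in last_seen.items() if now - ts <= VERIFY_WINDOW)


if __name__ == "__main__":
    seen = mirai_scanners(SAMPLE_PROBES)
    print("fingerprinted scanners:", seen)
    print("verify now:", due_for_active_scan(seen, T0 + timedelta(minutes=15)))
    print("verify too late:", due_for_active_scan(seen, T0 + timedelta(minutes=30)))
```

The port check matters as much as the ISN check: a coincidental match on a non-Telnet port, like the last sample record, is not evidence of a Mirai bot, and a 20-minute cutoff keeps the banner grab from being attributed to whoever holds the address later.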
8. Honeypots
Invaluable for capturing live malware samples
Attacker sophistication and behavior can be gauged by reverse engineering what is captured
The full infection process can be dissected step by step
9. Got Milk?
Milkers are the C2-side counterpart of honeypots: they impersonate a bot and connect to a C2 server
Record every command the C2 server sends
Identify additional C2 servers from what is learned
15,194 attack commands recorded this way
10. Mirai protected itself better than the IOT
devices it infected
Mirai kills the common services on an infected device (Telnet, SSH, HTTP), locking out rivals and reinfection
So the usual banner grabbing on those ports cannot fingerprint the device
Lesser-known services are often still listening and can still be banner grabbed
11. Your tired, your poor, your low bandwidth
DVRs, routers, and cameras are all fair game
Unusually, the population was mostly devices outside the US
More like shambling zombies than a pack of cheetahs
(per-bot bandwidth limits matter)
12. Not your average botnet
Mirai's operators did not bother with persistence: the bot lives only in memory and deletes its own binary
Highly unusual, but it leaves nothing on disk to detect or analyze
A rebooted device is clean, but is simply re-infected again soon after
13. Evolution
Why log in when you can steal a device's soul? (RCE variants)
Tacking new infection methods onto the scanner is easy
We will continue to see Mirai variants for some time
14. But wait! There’s more!
Abuse DNS and residual trust
Make reversing harder by using complex packers
Add support infrastructure, command relays
15. Attackers suffer from the same pains as
regular IOT users
Slow initial growth, because infected devices have little CPU and bandwidth to scan with
Managing half a million bots requires real infrastructure
On the order of 1,000 bots per C2 server
18. Notable achievements
Attacked Lonestar Cell MTN, a major Liberian telecom (widely reported as knocking Liberia offline)
Forced Akamai to drop its pro bono protection of Brian Krebs's site
Harassed DDoS mitigation companies directly
Knocked Minecraft servers and other gaming services offline
19. Script kiddies do not an Advanced
Persistent Threat make
Mostly petty attacks on people the operators disliked
Minimal, if any, lasting damage
We were very lucky that no critical services were targeted
We could have done better at protecting against Mirai
20. Not the sharpest tools in the shed
When I first go in DDoS industry, I wasn't planning on staying in it
long. I made my money, there's lots of eyes looking at IOT now, so it's
time to GTFO. However, I know every skid and their mama, it's their
wet dream to have something besides qbot.
So today, I have an amazing release for you. With Mirai, I usually pull
max 380k bots from telnet alone. However, after the Kreb DDoS, ISPs
been slowly shutting down and cleaning up their act. Today, max pull
is about 300k bots, and dropping.
- "Anna-senpai", one of the Mirai authors, in the Hackforums post releasing the source code
21. It will probably get worse
Attacks keep getting more sophisticated
New attack classes appear out of nowhere (ransomware did)
Mirai peaked at roughly 600k devices (imagine a billion)
We don't know how the next attack will leverage IOT
22. Heterogeneity makes for a juicy attack
surface
Vendors that skimp on security are easy targets
Startup vendors have fewer resources and less experience to run a patching program
Time spent developing an exploit for a single device model can net
thousands of infected hosts
But the same heterogeneity makes it harder to compromise the entire market at once
23. How do we fix this?
Basic platform hardening (ASLR, privilege separation, etc.)
Teach users about patching, and make it easier
Find a reliable way to take unsupported devices offline
Identifying vulnerable devices at scale raises privacy questions
25. It could get better
Vendors are slowly replacing hardcoded passwords with per-device
generated ones
Society is coming to terms with managing vulnerable devices in a
digital age
We can educate consumers about how to care for their devices
better