Miraiand IoT Botnet Analysis - WordPress.com · 2017-03-16 · The Dyn attack How to protect...

SESSION ID:SESSION ID:

Robert Graham

Mirai and IoT Botnet Analysis

HTA-W10

http://blog.erratasec.com@ErrataRob

Robert Graham

What this talk will cover?

Brief overview of Mirai

The cameras themselves

Step by step from infection to attacks

The Dyn attack

How to protect yourself

How tech details fit into government policy debate

Robert Graham

Mirai botnet

Terabit scale attacks end of 2016~600mbps against Brian Krebs~1 terabit against OVH~1.2 terabit against DYn

Infects camerasMost camerasAlso printers, routers

Hundreds of thousands of devices

Robert Graham

Where the botnet resides

https://www.incapsula.com/blog/malware-analysis-mirai-ddos-botnet.html

Robert Graham

CnC servers192.227.222.73192.227.222.74192.227.222.75192.227.222.76188.166.65.12188.166.189.189185.25.51.115185.144.29.7118.89.41.12593.158.216.17054.187.144.22752.163.49.5946.166.185.3446.183.223.22945.119.127.19035.162.249.355.249.154.190

Robert Graham

Ordering camera

Robert Graham

JideTech

from Jose Pagliary at CNN

Robert Graham

Packaging from Shenzhen

Robert Graham

What do the cameras look like?

Robert Graham

HiSilicon HI3518 CPU

Robert Graham

#RSACWhich ports are listening

Robert Graham

What does the camera look like?

23: Telnet

80: HTTP

554: RTSP

9527: some weird shell with no auth

8899: some other web interface

Robert Graham

#RSAC0f539bd5d3ab8a

Robert Graham

0f539bd5d3ab8a

Robert Graham

0f539bd5d3ab8a

Robert Graham

0f539bd5d3ab8a

Robert Graham

Camera/Phone firewalled

54.163.237.146ec2-54-163-237-146.compute-1.amazonaws.com

Robert Graham

Configure firewall

Use RaspberryPi-class device as NAT/firewall to create an isolated subnet

http://blog.erratasec.com/2016/10/configuring-raspberry-pi-as-router.html

Robert Graham

98 seconds to infection!

Robert Graham

Infection process

Robert Graham

The ECHI trick

Generates error message

It’s how the bot recognizes that the output is done

Different devices have different command-prompts, so it’s harder parsing output for a command prompt

Robert Graham

What is busybox?

Most common shell on IoTdevices

Robert Graham

#RSACFind out CPU:x86, ARM, MIPS, PowerPC

Robert Graham

Download bot

Robert Graham

#RSACDownload bot

Robert Graham

Now run the bot

Robert Graham

Kills Telnet

/bin/busybox telnetd –p 2323

Robert Graham

Kills rival bots

Robert Graham

Connect to command/control

Robert Graham

List of possible attacks

Robert Graham

Attack on Google Project Shield

130 million SYN per second

450 million HTTP queries per secondFrom 175,000 IP addresses

4 million ACK flood

GRE floods

UDP floods

https://arstechnica.com/security/2017/02/how-google-fought-back-against-a-crippling-iot-powered-botnet-and-won/

Robert Graham

DYN DDoS

Classic “hit the root name servers”…except one layer down

Port 53 UDP flood~600gpbs to ~1.2tbps

Amplified by failed DNS lookupsNo cached failed response

Robert Graham

Dyn uses ‘anycast’

http://dyn.com/dns/network-map/

Robert Graham

Atlanta -> North Virginia

Robert Graham

Add own second DNS

Robert Graham

Add Amazon DNS

Robert Graham

Drop DYN

Robert Graham

All eggs in one basket

Robert Graham

BGP changes

https://stat.ripe.net/widget/bgplay#w.resource=208.78.70.16

Robert Graham

Increase TTLs

Robert Graham

Resolver caching

Resolvers cache responses

Drops records after TTL secondsAnd get a new one

Change: if you can’t get a new one, don’t drop record

Robert Graham

Everybody’s doing it

No persistence in botnet

Many fight to take control of the devices

Many splintered botnets rather than one large botnet

Robert Graham

Conclusion

The same attack won’t work again

Robert Graham

https://krebsonsecurity.com/2017/01/who-is-anna-senpai-the-mirai-worm-author/

Robert Graham

Complicated

Paras Jha, 20 year old student

Minecraft server maintainer, then anti-DDoS company

Way to drive customers from other anti-DDoS companies

Complicated interactions with the underground

Robert Graham

Source code

Amateurish, like that of 20 year old students

Doesn’t mean “stupid”, just not features of professional coders.

Multiple coders

https://github.com/jgamblin/Mirai-Source-Code

Robert Graham

Apply: How to protect yourself?

You probably don’t have camerasVuln scanning for it on your network is probably pointless

You need a DNS strategy

You need a DDoS strategy

You need a UPnP strategy

Robert Graham

DNS server strategy

Use redundant servers

One should be a server than can handle DDoS

Set longer TTLs

Robert Graham

DNS client strategy

Setup your own resolver

Disable discarding stale records after TTL if no response

Make sure services can keep running if DNS failsThe DNS supply chain

Robert Graham

Apply: Policy question

For government policy makers crafting laws/regulations

What can government do to ward off IoT botnets.

Robert Graham

It’s a complicated answer

Only 10.9% are in the United States

Unbranded grey market, where they ignore regulation anyway

IoT is behind firewall, cameras are exposed.This was not an IoT botnet

Cameras need remote reset (aka. Backdoor)

Dyn fixed itself, without government help

Robert Graham

An IoT threat model, part 1

No user interactionClicking on links/emails is how you infect your desktop/laptopBut not iPhones, mostlyNot IoT

No exposed portsAt least, as the normSo no direct vulnerable services, OWASP, etc.

Robert Graham

Cross Site Request ForgeryClicking on links/emails

Cloud servicePhishing of username/passwordCloud provider gets owned— IoT autoupdate considered harmful

Local WiFi

UPnP etc. for inbound

Robert Graham

Vendors demand inbound connectionOld IoT like medical devices, HVAC, etc.

IoT on non-private networksHospitals, bars, universities, etc.

IPv4 vs IPv6IPv4 for IoT increasingly costly, moving to IPv6

Robert Graham

Summary

Details on how Mirai worksMeans knowing how cameras work

How to protect yourself from MiraiNo Mirai itself, but the attacks it doesFix your DNS

What is the future?What’s the threat model?How can regulations help?

Miraiand IoT Botnet Analysis - WordPress.com · 2017-03-16 · The Dyn attack How to protect...

Documents

Transcript of Miraiand IoT Botnet Analysis - WordPress.com · 2017-03-16 · The Dyn attack How to protect...

· 2019-12-03 · 지난 2016년 9월 20일 미라이 봇넷(Mirai Botnet)에 의해 초당 665Gbps 트래픽의 DDoS 공격이 발생하였다. 이어 9월

Threat Advisory: Mirai Botnet | Akamai · AKAMAI THREAT ADVISORY Threat Advisory: Mirai Botnet Risk Factor: Medium TLP: Green Author: Chad Seaman

Profiling IoT-based Botnet Traffic using DNS › id › eprint › 135834 › 1 › ... · of the Mirai malware that was firstly observed through the Mirai botnet in October 2016

Deliverable 3: Internet of Things Risk Analysis and Assessment · the German Telekom AG into the Mirai botnet, by exploiting vulnerabilities in widely distributed IoT devices within

MIRAI DTL632V200 - T3214G-22 Mirai Service Manual

Botnet Dection system. Introduction Botnet problem Challenges for botnet detection.

Radiological Safety Analysis Computer (RSAC) Program ... Shared Documents/RSAC-7.pdf · The Radiological Safety Analysis Computer (RSAC) Program Version 7.2 (RSAC-7) is the newest

State of the Internet Security –Q2 2017 - RONOGronog4.ronog.ro/presentations/Akamai-Mihnea-Grigore-State-of-the-Internet-Security...Mirai Botnet Targeting Behavior This cloud of

Your Botnet is My Botnet : Analysis of a Botnet Takeover

Firmitas Cyber Solutions - Inforgraphic - Mirai Botnet - A few basic facts on a world-wide epidemic

Mirai botnet的演进 - eol.cn

KURZPORTRÄT IOT- SECURITY...2019/05/04 · – Anatomie eines Angriffs – Mirai-Botnet Verschmelzung von IT, OT und CT Nationaler Akademietag 2019 in Hamburg 12 Chapter 1: allgemeine

The Risks & Rewards of Connecting Commercial Kitchens · Mirai Botnet Attack – October 2016 St. Jude Cardiac Devices – 2015 Owlet Wi-Fi Baby Monitor – 2015 TRENDnet Webcam Hacks

counter botnet RFC@ntia.doc · 2016 Mirai botnet attack targeted many older devices that do not use modern, standard industry best practices for cybersecurity. As products constantly

Miraiand IoT Botnet Analysis - RSA Conference · SESSION ID: #RSAC Robert Graham. Miraiand IoT Botnet Analysis. HTA-W10. @ErrataRob

Mirai - NANOG Archive › sites › default › files › 1_W... · Mirai – Inside of an IoT Botnet Ron Winward Security Evangelist, Americas February 7, 2017

Your Botnet is My Botnet: Analysis of a Botnet Takeoverchris/research/doc/ccs09... · 2020-06-06 · Your Botnet is My Botnet: Analysis of a Botnet Takeover Brett Stone-Gross, Marco

Botnet Mirai IoT - York University · 2017-04-04 · Mirai IoT Botnet "the future", 未来 ... Mirai can now forces device to report to a central control server. Mirai usage in DDoS

1. Infrastructure Security Mirai Botnet Detection and ... · The attacks had not subsided by October, and the number of participants in the attack campaign is thought to be increasing,

April 25, 2018 - CERT.br€¦ · Compliance to standards (ISO, COBIT, ITIL, etc)? Do you have policies? Do you have X or Y ... CERT.br Passive Metrics of Internet Health: Mirai botnet