A Sign of DDoS to Come

By Charles Parker, II; InfoSec Architect

Attackers are always looking for new and novel methods of attack. These can initially be difficult to defend against, precisely because they are new to the environment.

Of the recent attacks, Mirai has been a major contributor to the malware business.
This has created quite a stir in the market. Mirai was coded to target embedded systems and IoT devices, using them both to spread the malware and as attack tools. This malware sample is notable in that it produced the largest DDoS attacks recorded to date.

This has proven to be a significant issue for those affected, even where DDoS protection from a third-party vendor was in place.

The Mirai attack does not have a specific set of targets in mind. The bot army is aimed at whichever target its renter chooses, for any number of reasons, against a person or an entity. Each time the bots are rented, a specific target is chosen.

The prior publicized targets have been Krebs on Security (620 Gbps), Deutsche Telekom, KCOM, the Irish telco Eir, the French internet provider OVH (1.1 Tbps), Dyn, and others.

Method of Attack
The attack has evolved over time. Initially, Mirai made use of routers manufactured by the Taiwanese company ZyXEL.

The vulnerability in this router was on port 7547, a remote maintenance interface using the TR-064 and TR-069 protocols.

Once exploited, the unauthorized third party may access and alter the router’s LAN configuration, and the router becomes part of the bot army.

The botnet originally began with 200K bots. Now there are over 400K bots to carry out the attacks, and as many as 5M routers could be vulnerable to this exploit. These bots have a minimum rental period of two weeks.

For the person renting the destructive bots, the number of bots and the duration drive the cost. The attack may also be extended, as the malware has been coded to spoof each individual bot’s IP address.

This makes a bot appear to be a new node that has not yet been blacklisted.

This has been a significant issue and an alarming trend. This attack alone has garnered a mass amount of attention and press, cost the targets large amounts of money, and in some cases cost them their DDoS defense vendor.

As this issue brings much attention to the weak link, the equipment manufacturers have started to review it. As an example, ZyXEL began to investigate this issue.

The vulnerability was reported to arise from one of the chipset providers (Econet), specifically the RT63365 and MT7505 chipsets. As of December 2016, ZyXEL was working on a patch.
Another option is to place the equipment behind a firewall or NAT with no ports exposed. This is important, as the device is vulnerable for as long as the port is exposed. A short-term yet effective remediation for this issue is to reboot the equipment.

This clears the memory, removing the infection. Although effective, this is problematic, as the device may be reinfected with little effort. As an additional step, the default password should be changed.
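As an added example (not from the article, and not ZyXEL's or any vendor's code), the following Python script turns the points above into two checks a defender can run: an audit of a router's configuration against the mitigations just listed (no management ports exposed to the WAN, the default password changed, the vendor patch applied), and a pass over firewall log lines that counts inbound probes of TCP port 7547, the TR-064/TR-069 maintenance port named earlier. The configuration dictionary and its keys, the syslog-style log format, and the list of management ports other than 7547 are assumptions; the sample configuration and log lines are constructed.

```python
"""Added example: router exposure audit plus port-7547 probe counting.
Config keys, log format and the extra management ports are assumptions."""
from collections import defaultdict
import re

# 7547 is the port the article names; the others are common management
# ports, included as an assumption so the audit is broader than one port.
MANAGEMENT_PORTS = {
    7547: "TR-064/TR-069 maintenance",
    23: "telnet",
    22: "ssh",
    80: "http admin",
    443: "https admin",
}


def audit_router_config(config):
    """Return findings for a router config dict (assumed keys:
    'wan_open_ports' = TCP ports reachable from the WAN side,
    'admin_password_is_default' = bool, 'firmware_patched' = bool)."""
    findings = []
    for port in sorted(config.get("wan_open_ports", [])):
        label = MANAGEMENT_PORTS.get(port)
        if label:
            findings.append(f"WAN-exposed management port {port} ({label})")
    # Treat an unknown password state as "still default": the safe assumption.
    if config.get("admin_password_is_default", True):
        findings.append("default administrative password still in use")
    if not config.get("firmware_patched", False):
        findings.append("vendor patch not applied")
    return findings


# Assumed netfilter-style drop/accept log line: "... SRC=a.b.c.d ... DPT=n".
LOG_RE = re.compile(r"SRC=(?P<src>[\d.]+) .*? DPT=(?P<dpt>\d+)")


def count_port_probes(lines, port=7547):
    """Map source IP -> number of inbound packets aimed at `port`."""
    counts = defaultdict(int)
    for line in lines:
        m = LOG_RE.search(line)
        if m and int(m.group("dpt")) == port:
            counts[m.group("src")] += 1
    return dict(counts)


def probe_summary(lines, port=7547, min_sources=3):
    """Flag scanning-style activity: many distinct sources hitting one
    maintenance port is the footprint of a worm hunting for exposed
    routers, unlike the single ISP management server a router expects."""
    counts = count_port_probes(lines, port)
    return {
        "port": port,
        "distinct_sources": len(counts),
        "total": sum(counts.values()),
        "alert": len(counts) >= min_sources,
    }


# Constructed sample data (RFC 5737 documentation addresses).
SAMPLE_CONFIG = {
    "wan_open_ports": [7547, 443, 8080],
    "admin_password_is_default": True,
    "firmware_patched": False,
}
SAMPLE_LOG = [
    "Dec  1 10:00:01 gw kernel: DROP IN=eth0 SRC=203.0.113.10 DST=198.51.100.5 PROTO=TCP SPT=40211 DPT=7547",
    "Dec  1 10:00:03 gw kernel: DROP IN=eth0 SRC=203.0.113.22 DST=198.51.100.5 PROTO=TCP SPT=51902 DPT=7547",
    "Dec  1 10:00:07 gw kernel: DROP IN=eth0 SRC=203.0.113.10 DST=198.51.100.5 PROTO=TCP SPT=40212 DPT=7547",
    "Dec  1 10:00:09 gw kernel: DROP IN=eth0 SRC=192.0.2.77 DST=198.51.100.5 PROTO=TCP SPT=33001 DPT=7547",
    "Dec  1 10:00:11 gw kernel: ACCEPT IN=eth0 SRC=198.51.100.40 DST=198.51.100.5 PROTO=TCP SPT=44010 DPT=443",
    "Dec  1 10:00:12 gw dhcpd: DHCPACK on 192.168.1.20 to aa:bb:cc:dd:ee:ff",
]

if __name__ == "__main__":
    for finding in audit_router_config(SAMPLE_CONFIG):
        print("FINDING:", finding)
    print("probe summary:", probe_summary(SAMPLE_LOG))
```

Run against the constructed data, the audit reports the two exposed management ports (443 and 7547), the default password and the missing patch, and the log pass sees three distinct sources probing port 7547 and raises the alert; the same lines checked for port 443 show a single source and no alert. Rebooting, as the article notes, clears an infection but not the findings above, which is why the audit is worth re-running after the reboot.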

Vendors & IoT
There has been a continuing issue where vendors and IoT security meet. These devices have had security overlooked for years, through the use of insecure protocols, failure to secure the device’s communication, and other factors.

The persons devising attacks clearly have taken notice of this and are exploiting the IoT devices left and right.

There have been only a few mass attacks on this level and with such immediate devastation. A business could be attacked for no reason and suffer the detrimental effects.

About The Author
Charles Parker, II began coding in the 1980s. Presently CP is an Information Security Architect at a Tier One supplier to the automobile industry. CP is presently completing a Ph.D. (Information Assurance and Security) and is finishing the dissertation. CP’s interests include cryptography, SCADA, and securing communication channels.
He has presented at regional InfoSec conferences. Charles Parker, II can be reached online at charlesparkerii@gmail.com and InfoSecPirate (Twitter).