10/22/2016 Mirai-Fueled IoT Botnet Behind DDoS Attacks on DNS Providers | Threatpost | The first stop for security news
Mirai-Fueled IoT Botnet Behind DDoS Attacks on DNS Providers
by Michael Mimoso October 22, 2016 , 6:00 am
A botnet of connected things strung together by the Mirai malware is responsible for Friday’s distributed denial-of-service attacks against DNS provider Dyn. The DDoS attacks impacted Internet service on the East Coast of the United States, and were responsible for keeping Dyn and a number of its high-profile customers offline at different times during the day.
Level 3 Communications, a large service provider located in Colorado, said that it was monitoring the attacks and that it believed 10 percent of the IP-enabled cameras, DVRs, home networking gear and other connected devices compromised by Mirai were involved in Friday’s attacks.
Mirai continuously scans the public Internet for IoT devices and tries to access them using known default or weak credentials, then exploits the devices and forces them to join botnets used in DDoS attacks. The danger posed by Mirai was exacerbated when the hacker allegedly responsible for a 620 Gbps DDoS attack against Krebs on Security and French webhost OVH released the source code for the malware to the public.
Level 3 and security company Flashpoint confirmed on Friday that Mirai was behind Friday’s attacks, which were still ongoing as of last night. Flashpoint said it is working with law enforcement and other resources to track the source of the attacks.
Dyn, a New Hampshire-based DNS provider, said the attacks began shortly after 7 a.m. Eastern time and the first wave ended at 9:36 a.m., before ramping up again at 11:52 a.m. when a second attack targeted its managed DNS platform.
“This attack was distributed in a more global fashion,” Dyn said in a status update Friday afternoon.
The New York Times said Friday that the FBI and the Department of Homeland Security were investigating the attacks and were not ruling out either criminals or nation state actors as responsible parties.
Dale Drew, CISO of Level 3 Communications, said this afternoon on Periscope that the Mirai botnet was at about 550,000 nodes, and that approximately 10 percent were involved in the attack on Dyn (Level 3’s outage map is below). Earlier this week, Level 3 identified much of the command and control infrastructure used to communicate with bots, and said the number of bots had more than doubled since the source code was released.
“We are seeing others involved as well,” Drew said. “Mirai is a DDoS-for-rent environment. People buying time on that botnet could be buying time on other botnets as well. They are hitting a number of other DNS sites as well.” Drew did not identify those sites.
DNS providers translate domain names into IP addresses. In Friday’s attacks, someone used compromised connected devices to send an overwhelming number of queries to Dyn and other providers, so many that the providers were unable to keep up and answer legitimate queries.
On Friday, prominent services such as Twitter, Github, Spotify, Reddit, SoundCloud and others were inaccessible for periods of time.
“When the directory service is down, DNS cannot provide an IP address and you cannot get to the host,” Drew said. “It looks like the host is down when, in fact, it is the directory service that is down.”
Earlier this week, Level 3 said that a number of attackers were taking advantage of the publicly available source code to hack into IoT devices; it said, for example, that 24 percent of the bots in the Mirai botnet overlapped with another IoT botnet uncovered this summer called Bashlite.
The major source of bots used in the Krebs and OVH attacks is connected DVRs manufactured by XiongMai Technologies of China. The DVRs used in the attack share the same username-password combination, root:xc3511, making it child’s play for the attackers to telnet into the devices and recruit them into botnets, Flashpoint said.
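A defender-side illustration of the scanning behaviour described above, added here and not taken from the article, Level 3 or Flashpoint: it flags internal devices that open telnet connections to many distinct outside hosts within a short window. The flow-record format, the LAN range, the threshold and every sample record are constructed assumptions.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

LAN = ipaddress.ip_network("192.168.1.0/24")  # assumed internal range
TELNET_PORT = 23              # telnet, the login path the article describes
WINDOW = timedelta(seconds=60)
MIN_TARGETS = 5               # assumed alert threshold; tune per network

# Constructed flow records, "time src dst dst_port" (the format is an assumption).
SAMPLE_FLOWS = "\n".join(
    # A device sweeping six different external hosts on telnet within six seconds.
    [f"2016-10-21T11:00:0{i} 192.168.1.50 203.0.113.{i} 23" for i in range(1, 7)]
    + [
        "2016-10-21T11:00:07 192.168.1.20 198.51.100.7 443",  # normal HTTPS
        "2016-10-21T11:00:09 192.168.1.20 198.51.100.7 23",   # one-off telnet session
        "2016-10-21T11:05:00 192.168.1.60 198.51.100.8 23",   # slow, sparse telnet use
        "2016-10-21T11:20:00 192.168.1.60 198.51.100.9 23",
    ]
)

def find_telnet_scanners(text, min_targets=MIN_TARGETS, window=WINDOW):
    """Return {internal_ip: peak count of distinct external telnet targets per window}."""
    hits = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        # Keep only LAN hosts opening telnet connections to hosts outside the LAN.
        if int(port) == TELNET_PORT and src_ip in LAN and dst_ip not in LAN:
            hits[src].append((datetime.fromisoformat(ts), dst))

    flagged = {}
    for src, events in hits.items():
        events.sort()
        peak, start = 0, 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            peak = max(peak, len({d for _, d in events[start:end + 1]}))
        if peak >= min_targets:
            flagged[src] = peak
    return flagged

if __name__ == "__main__":
    print(find_telnet_scanners(SAMPLE_FLOWS))
```

A device that appears in the result is worth isolating and checking for factory-default credentials such as the one the article cites.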
“Unlike your PC or your phone, IoT devices don’t have the memory and processing to be secured properly, so they are easily compromised by adversaries and it’s very difficult to detect when that happens,” said Core Security’s Chris Sullivan. “This is what’s driving the new ultra-high volume DDoS attacks like we saw today. Ultra-large IoT botnets are instructed to make so many superfluous requests of the target that legitimate requests cannot get through. No real damage is done but service is denied for legitimate users.”
Categories: Critical Infrastructure, IoT
https://threatpost.com/mirai-fueled-iot-botnet-behind-ddos-attacks-on-dns-providers/121475/