Rise of the Machines: the Dyn Attack Was Just a Practice Run December 2016

Authors: James Scott, Sr. Fellow, ICIT; Drew Spaniel, Research, ICIT
Copyright © 2016 Institute for Critical Infrastructure Technology – All Rights Reserved
Upcoming Event: Learn more about the concepts discussed in this publication at the 2017 ICIT Winter Summit. Registration is now open – www.ICITWinterSummit.org

Contents

  • Introduction
  • A Simplification of the Internet
  • Protocols
    • ISO OSI
    • TCP/IP
    • Anatomy of a Distributed Denial of Service Attack
      • Constructing a Botnet
        • Conventional Botnets
        • IoT Botnets
      • Launching a DDoS Attack
        • DDoS-as-a-Service
  • Mirai Incidents
    • KrebsonSecurity
    • OVH ISP
    • Dyn
    • Liberia
    • Lappeenranta, Finland
    • Trump/Clinton Campaigns
    • WikiLeaks
    • Russian Banks
  • Evolution of IoT Malware
    • Linux.Darlloz
    • Aidra
    • Qbot/Qakbot
    • BASHLITE/Lizkebab/Torlus/gafgyt
    • Mirai
      • Mirai Attack Chain
      • Source Code Analysis
      • Building a Botnet
      • Attribution
      • Remediation
    • Linux/IRCTelnet
  • Evolution of Mirai
  • Sectors at Greatest Risk
    • The Financial Sector
    • The Healthcare Sector
    • The Energy Sector
  • Recommendations and Remediation
    • This Is a Marathon, Not a Sprint
    • Develop Actionable Incident Response Plans
    • Regulate Responsibly
    • Backdoors for the “Good Guys” Means Backdoors for the “Bad Guys”
    • Develop Penetration-Tested IoT Software and Hardware Featuring Security-by-Design
    • Improving Security Controls at the Organization Level
    • Hold Manufacturers Accountable
    • Reduce the Dependence on Foreign IoT Devices
    • Prevent DDoS Amplification and Redirection Attacks by Mandating BCP38
    • Fund and Promote Independent Cybersecurity Test-bed Initiatives
  • Conclusion
  • Contact Information
  • Websites & Social Media
  • Sources

“Security-by-design is an indispensable prerequisite to the establishment of vital critical infrastructure resiliency. Each device vulnerable to adversarial compromise inflates and bolsters the exploitable cyber-attack surface that can be leveraged against targets, and every enslaved device grants adversaries carte blanche access that can be utilized to parasitically entwine malware into organizational networks and IoT microcosms, and that can be leveraged to amplify the impact and harm inflicted on targeted end-users, organizations, and government entities.”
- James Scott, Sr. Fellow, ICIT

Introduction

A perfect storm is brewing that will pummel our Nation’s public and private critical infrastructure with wave upon wave of devastating cyberattacks. The Mirai malware offers malicious cyber actors an asymmetric leap in capability: not because of sophisticated or innovative DDoS code, but because it provides a development platform that even an unsophisticated adversary can optimize and customize to the desired outcome of a layered attack. Right now, script kiddies and cyber-criminal gangs are already drastically expanding their control over vulnerable IoT devices, which are enslaved for malicious purposes and can be contracted in DDoS-for-Hire

Details

  • File Type: pdf
  • Content Language: English
  • File Pages: 62
