Academy Students Learn from the Mirai Botnet

November 1, 2016

On October 21, 2016, the internet experienced one of the largest DDoS attacks in history. It was hard to miss an attack that took out sites as big and widespread as Twitter and Shopify.

SecureSet Academy students were given the learning opportunity to reverse-engineer the “Internet of Things” code that enabled the attack. SecureSet Academy Director of Education John Black, our resident expert, led the students through the exercise. You can read John’s comments on the attack in the Denver Post (copied below).

Internet of Things Security Holes Partly to Blame for Massive Internet Outage
This article originally appeared in the Denver Post and was written by .

The cyberattack that took out many of the internet’s most popular websites Friday is bound to happen again, local security experts say.

Friday’s distributed denial of service (DDoS) attack targeted the New Hampshire-based domain name server provider Dyn Inc. Security researchers say it was enabled by insecure Internet of Things devices whose owners failed to change a default password. Infected with the malware Mirai, hundreds of thousands — and potentially millions — of insecure devices ultimately could join this botnet army to create future havoc on the Web.

“For Internet of Things, there’s been an explosion in this sector. Your connected refrigerator, your door alarm, your webcams, there’s a proliferation of devices. They’re in people’s homes. They’re secured by ordinary people who don’t know much about security and don’t change the credentials,” said John Black, a professor at the University of Colorado and the director of education for SecureSet Academy in Denver. “Somebody somewhere has figured this out and probed the internet to find these devices. And they’ve found thousands and thousands of them.”

Mirai was released publicly on the dark Web this month, according to Brian Krebs, a cybersecurity journalist whose own site was knocked offline by the malware in September, before the public release.

This week, security researchers at Level 3 Communications in Broomfield estimated that the Mirai army had doubled in size to 493,000 IoT bots since Oct. 1. On Friday, Level 3’s chief security officer, Dale Drew, said about 10 percent of the bots were involved in Friday’s attack.

“Mirai is a DDoS-for-rent environment. The person buying time on that botnet could be buying time on others as well,” Drew said during a Periscope interview explaining the cyberattack.

Friday’s attack on Dyn left many users thinking their internet service was down. But really, Dyn was unable to keep up with the numerous requests to translate common names, like, into the proper numerical address. Users couldn’t reach Spotify, Reddit or the New York Times. But if users knew the numerical IP address, they could still get to the site.

In the past, denial of service attacks were done by a zombie computer network of either malware-infected computers or sympathetic supporters, said Black. But with access to the massive IoT device community, the potential for major interruptions in the future is unprecedented.

“It’s very useful (for hackers) if you can take a service offline for a couple of hours,” Black said. “The new IoT-based technique is generating so much traffic at a level that we’re not able to deal with yet, which is really going to suck because we’ve grown used to working on the internet.”

Level 3’s vast internet network, which literally connects countries via undersea communications cables, was operating normally on Friday, Drew said. While outage sites like pointed to Level 3 being down, he said that happens when people are trying to get to, for example, Amazon, but can’t because of the DNS attack.

“It looks like you can’t get there because of the network so people are blaming the network for that particular issue when it’s really directory assistance that won’t give you the IP address,” Drew said. “If you knew the IP address, you could get there.”

If a denial of service appears to be happening to your site, Drew recommends businesses call their internet service provider for guidance. They can also change their DNS source by switching to a different provider.

For consumers, Black recommends making sure all your computer devices — from Nest thermostats to Hue lightbulbs — are protected with unique passwords.

“The problem is that you’re an unwitting accessory to this problem but you’re probably not affected by it much. Someone loses Twitter for a couple hours, and they don’t care very much,” Black said. “Getting people motivated to lock their device is hard.”