As any CISO will know, botnets are not a new phenomenon on the security landscape, far from it. Many of us recall the early botnets Sub7 and Pretty Park (both Trojan/backdoor-style remote control channels), which surfaced more than 15 years ago. Bots are nothing more than automated software that performs tasks. Depending on the type of bot, its complexity and its use, it can operate with varying degrees of sophistication and autonomy. Consider, for instance, that bots are used by search engines to crawl data and for myriad other very productive things. But they can also be used for harm, most commonly in the form of networks of bots (botnets) that enslave computers (called zombies) to do their dirty work. In the age of IoT, we have seen a massive spike in the use of malware to infect internet-connected devices and turn them into botnet zombies.
But the big threat of botnets moving into 2017 and well beyond is their ability to be used in massive DDoS attacks that prey on vulnerable IoT devices, most notably in the Mirai attacks that sparked global attention in late 2016. But what makes botnets and IoT such a potent combination for launching large DDoS strikes? And how did Mirai grow so quickly into such a potent threat?
On the surface, assembling a botnet is not necessarily an easy exercise. The internet is not particularly “homogeneous”; on it are lots of different computers and devices with different OS versions, connectivity, and patch levels. Not only do they all differ in their makeup, they each have different vulnerabilities.
But the home routers, TV-tuner boxes, and thermostats that we see so commonly make up the Internet of Things. They are typically very homogeneous, are extremely hard to upgrade or patch, and are therefore especially vulnerable to being compromised by botnets. What is more, some shipped with a default password; this has been discussed at length in other readings, and it is arguably one of the most direct fixes that will help to slow down this method of infiltration. Additionally, we have seen that the devices used in the major Mirai attacks were all installed on Fairpoint, Comcast and AT&T home networks, so they are easy for hackers to scan for and target.
As the world gains IoT devices at an alarming pace, the threat of large-scale DDoS attacks like Mirai and other potentially more damaging botnets will only increase. In fact, reports from Deloitte and others predict that Mirai attacks will see a pronounced increase in frequency and size in 2017 and beyond, a trend most likely fed by the release of the Mirai source code that Brian Krebs surfaced late last year. With new strains of botnets able to enslave a million or more connected devices, Mirai will be a fixture on the CISO’s radar for years to come.
There is no way to prevent DDoS attacks, and certainly no way to prevent a Mirai attack pushing the limits of 1 Tbps or more, but there are very real measures that organizations can take to plan for disruptions and mitigate these threats. It is not just IoT devices that are vulnerable to being enslaved into a zombie botnet; laptops, desktops, servers, and even printers are common targets. Organizations, and even ISPs, have a responsibility to keep botnet zombies to a minimum to help prevent the next massive-scale attack from hitting the Internet. And there are tangible steps you can take to hunt zombies.
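As an added example of one such tangible step (this code is not from the original article), here is a Python pass over constructed NetFlow-style records that flags internal hosts whose outbound traffic looks like a zombie's: probing many external hosts on a single port (Mirai's spreader did this against telnet), or flooding one target with traffic. The record layout, the thresholds and the sample flows are assumptions chosen for illustration.

```python
from collections import defaultdict

# Constructed flow records (src, dst, dst_port, packets) standing in for
# NetFlow/IPFIX exports from an edge router. Illustrative only, not real captures.
FLOWS = [
    ("10.0.0.5", "203.0.113.1", 80, 120),      # ordinary web browsing
    ("10.0.0.5", "203.0.113.2", 443, 60),
    # 10.0.0.9 touches 40 different hosts on port 23 with one-packet flows:
    # the fan-out pattern of a spreader looking for more devices to enslave.
    *[("10.0.0.9", f"198.51.100.{i}", 23, 1) for i in range(1, 41)],
    # 10.0.0.12 sends a huge packet volume to a single destination:
    # the pattern of a zombie taking part in a DDoS.
    *[("10.0.0.12", "192.0.2.7", 53, 5000) for _ in range(30)],
]


def find_zombie_candidates(flows, scan_fanout=20, flood_packets=50_000):
    """Return {src: [reasons]} for sources whose outbound behaviour matches a
    zombie profile. Thresholds are assumptions; tune them to the network's
    normal baseline before alerting on them."""
    port_targets = defaultdict(lambda: defaultdict(set))  # src -> port -> {dst}
    dst_packets = defaultdict(lambda: defaultdict(int))   # src -> dst -> packets
    for src, dst, port, pkts in flows:
        port_targets[src][port].add(dst)
        dst_packets[src][dst] += pkts

    findings = defaultdict(list)
    # Scan-like: one source, one destination port, many distinct destinations.
    for src, ports in port_targets.items():
        for port, dsts in ports.items():
            if len(dsts) >= scan_fanout:
                findings[src].append(
                    f"scan-like fan-out: {len(dsts)} hosts on port {port}")
    # Flood-like: one source pushing an abnormal packet volume to one destination.
    for src, dsts in dst_packets.items():
        for dst, pkts in dsts.items():
            if pkts >= flood_packets:
                findings[src].append(f"flood-like volume: {pkts} packets to {dst}")
    return dict(findings)


if __name__ == "__main__":
    for host, reasons in find_zombie_candidates(FLOWS).items():
        print(host, "->", "; ".join(reasons))
```

Flagged hosts are candidates for isolation and a credential/firmware check, not proof of infection; a backup job or a vulnerability scanner can trip the same heuristics.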