Last week, we wrote about a DDoS attack on well-known investigative cybercrime journalist Brian Krebs.
A DDoS attack is an aggressive sort of DoS attack, where DoS is short for denial of service.
A DoS is a bit like getting into the queue at the station to buy a ticket for the next train, only to have a time-waster squeeze in front of you and slow you down.
By the time the miscreant has asked, innocently enough, about the different sorts of ticket available, and whether it costs extra to take a bicycle, and how much longer it would take if he were to change trains in Manchester, only to walk off without buying a ticket at all…
…you’ve watched your train arrive, load up with passengers, and depart without you.
A DDoS attack is worse: it’s short for distributed denial of service attack, and it’s much the same thing as a DoS, except that the trouble-stirrer doesn’t show up on his own.
Instead, he brings along a big posse of innocent-looking accomplices to flood the whole station with time-wasters.
Genuine customers who are mixed in with the trouble-makers end up waiting far longer than usual – a problem that usually gets more and more frustrating as the backlog grows.
In the attack on Krebs’s site the crooks were able to generate an astonishing combined total of over 600 gigabits per second of time-wasting network traffic.
That’s equivalent to about 60,000 fast home networks all turning their entire bandwidth onto Krebs at the same time, or a whopping 600,000 regular ADSL connections at once (assuming a one megabit per second upload speed).
If we assume that even a voracious reader of Krebs’s articles would use at most 10% of a home ADSL connection’s bandwidth when browsing the site, then the cost of neutralising this level of attack is the same as supporting at least six million concurrent legitimate users.
The perpetrators in the mega-DDoS haven’t been identified, but the attack happened not long after Krebs outed a DDoS-for-hire service called vDOS, leading to the arrest of two young hackers in Israel.
(Sophos experts Chester Wisniewski and John Shier discuss this attack, and the story behind it, in this week’s Chet Chat security podcast. [Starts at 1’08”.])
The reason we mentioned home networks above, by the way, is that’s exactly where this attack seems to have originated.
Not from malicious bot or zombie software on regular computers, as might have been the case a few years ago, but from so-called Internet of Things (IoT) devices such as routers, web cameras and perhaps even printers.
If you’re surprised to hear that, don’t be.
Although a typical router or webcam has just a fraction of the computing power of your laptop, it’s more than capable of filling a typical home network with outbound traffic.
(After all, your powerful new laptop relies on your router to handle all that outbound traffic, so if your laptop can fill up the network connection, that’s only possible because the router can fill it on your laptop’s behalf.)
Sadly, in the aftermath of the assault on Krebs, the source code of the malware used in the attack was openly published.
It’s been removed from the hacking forum on which it was originally outed, but it’s still widely available “for research purposes” to anyone willing to look.
Mirai, as the malware is known, is badly programmed and unfinished, but that doesn’t matter.
It works, and it’s effective primarily because of bad programming in the very IoT devices it uses to do its dirty work.
The Mirai malware package
The Mirai bot, called simply bot in the source code, is written in C, and has three main components:
A call-home system that connects to a command-and-control server (which could be another insecure IoT device) to download details of whom to attack, and how.
A set of attack routines that can generate a range of legitimate-looking but purposeless streams of network traffic to eat away at the victim’s network capacity.
A network scanner that searches randomly across the internet and tries to log in by various means, to build and report a list of insecure IoT devices for the next wave of attacks.