
IoDDoS: The Internet of Distributed Denial of Service Attacks. A Case Study of the Mirai Malware and IoT-Based Botnets (PowerPoint Presentation)



  1. SPAWAR SYSTEMS CENTER PACIFIC
  IoDDoS – The Internet of Distributed Denial of Service Attacks: A Case Study of the Mirai Malware and IoT-Based Botnets
  Presented at the 2nd International Conference on Internet of Things, Big Data and Security (IoTBDS 2017) in Porto, Portugal, 24-26 April, 2017
  Presented by Roger Hallman, Cybersecurity Research Scientist, Cybersecurity Science & Technology Branch
  Email: roger.hallman@navy.mil
  DISTRIBUTION STATEMENT A: Distribution Unlimited

  2. SPAWAR Systems Center Pacific
   Point Loma, San Diego, California, USA
   The Department of the Navy’s premier laboratory for Command, Control, Communication, Cyber, Intelligence, Surveillance, and Reconnaissance (C4ISR)
    – 4,840 Personnel | 2,254 Scientists and Engineers | 187 PhDs | 1,322 Masters
    – ~3.2% Hire Rate in 2016
      • ~2,700 Applicants for 86 Positions
   SPAWAR has a rich technical history
    – ARPAnet node 3
    – Supported DARPA’s ‘Personalized Assistant that Learns’ (PAL) Program that developed many of the AI technologies that are on mobile phones and tablets
    – A top generator of patents and license agreements
      • 131 Invention Disclosures and 62 Patents Issued in 2016
    – Prolific Publishers
      • 176 Journal Articles and 232 Conference Papers in 2016

  3. Record Breaking DDoS Attacks in 2016
   18 September – OVH | French Webhost
    – Spikes of 1.1 TBps
   20 September – Krebs on Security | Cybersecurity Blog
    – 620 GBps
   21 October – Dyn | Domain Name System (DNS) Provider
    – 1.2 TBps
   2 November – Liberian Internet Infrastructure
    – 500 GBps

  4. The Internet of Things (IoT) Ecosystem
   Internet of Things (IoT) is a platform and a phenomenon that allows everything to process information, communicate data, and analyze context collaboratively in the service of individuals, other organizations, or businesses:
    – Sensors embedded in Internet-connected ‘things’ (physical or virtual) distributed throughout an environment that provide real-world data for processing.
   Environments:
    – The Smart Home
    – Industrial Internet
   Explosive Growth:
    – >40 Billion IoT Devices in use by 2019.
    – Rush to Market to Satisfy Demand Leads to Security Concerns.

  5. IoT Vulnerabilities and Attack Vectors
   Insecure Interfaces
    – Attack vectors: Weak credentials, capture of plain-text credentials, insecure password recovery systems, enumerated accounts, and lack of transport encryption may be used to access data or controls.
   Insufficient Authentication and Authorization
    – Attack vectors: Weak passwords, insecure password recovery mechanisms, poorly protected credentials, and lack of granular access control may enable an attacker to access a particular interface.
   Insecure Network Services
    – Attack vectors: Vulnerable network services may be used to attack a device or bounce an attack off of a device.
   Lack of Transport Encryption / Integrity Verification
    – Attack vectors: The lack of transport encryption allows an attacker to view data being passed over the network.
   Privacy Concerns
    – Attack vectors: Insecure interfaces, insufficient authentication, lack of transport encryption, and insecure network services all allow an attacker to access data which is improperly protected and may have been collected unnecessarily.
   Insufficient Security Configurability
    – Attack vectors: A lack of granular permissions, lack of encryption, or lack of password options may allow an attacker to access device data and controls. An attack (malicious, or inadvertent but benign) could come from any device in an IoT system.
   Insecure Software/Firmware
    – Attack vectors: Update files captured through unencrypted connections may be corrupted, or an attacker may distribute a malicious update by hijacking a DNS server.
   Poor Physical Security
    – Attack vectors: USB ports, SD cards, and other storage means allow attackers access to device data and operating systems.

  6. Botnets
   An organized collection of malware-infected ‘zombie machines’ used for:
    – distributed computing (e.g., mining bitcoins)
    – spam and malware distribution
    – cyber warfare
    – click-fraud scams
    – stealing private information
    – DDoS attacks & DDoS-for-hire
   Typically target Information Technology (IT), but more are targeting Operational Technology (OT)

  7. Distributed Denial of Service (DDoS) Attacks

  8. DDoS Attack Taxonomy
   Bandwidth Depletion Attacks
    – Flood the victim network with IP traffic to saturate it
      • Seeks to exhaust resources
    – Flood Attacks
      • UDP Flood
      • Ping-of-Death Attacks
    – Amplification Attacks
      • Smurf Attacks
      • Fraggle Attacks
   Resource Depletion Attacks
    – Use network resources so that none are left for legitimate use
      • Seeks to deny critical services
      • Can cause excess energy use, thus affecting physical IoT components
    – Protocol Exploit/Misuse Attacks
      • TCP SYN Flood
      • PUSH + ACK Attacks
    – Malformed Packet Attacks
      • IP Address Attacks
      • IP Packet Options Attacks
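A defender-side illustration of the two taxonomy classes on this slide, added here and not part of the presentation: it aggregates constructed per-packet summaries (the field layout is an assumption, not any sensor's real export format) and labels a destination as a TCP SYN Flood (Resource Depletion) when half-open SYNs vastly outnumber completed handshakes, or as a UDP Flood (Bandwidth Depletion) when raw UDP volume exceeds a link-rate threshold.

```python
from collections import defaultdict

# Constructed sample packet summaries: (dst_ip, proto, tcp_flags, bytes).
# The tuple layout is an assumption, not any particular sensor's format.
SAMPLE_PACKETS = (
    [("10.0.0.5", "tcp", "S", 60)] * 500     # 500 bare SYNs toward one host...
    + [("10.0.0.5", "tcp", "SA", 60)] * 3    # ...but only 3 handshakes progress
    + [("10.0.0.9", "udp", "", 1400)] * 800  # 800 near-MTU UDP datagrams in 1 s
    + [("10.0.0.7", "tcp", "S", 60)] * 20    # normal host: every SYN is matched
    + [("10.0.0.7", "tcp", "A", 60)] * 20    # by a later ACK-bearing segment
)

def classify_floods(packets, window_s=1.0, syn_ratio=10.0, link_bps=5_000_000):
    """Map each flooded destination to (attack name, taxonomy class)."""
    syn, ack, udp_bytes = defaultdict(int), defaultdict(int), defaultdict(int)
    for dst, proto, flags, size in packets:
        if proto == "tcp":
            if flags == "S":          # connection request with no ACK set
                syn[dst] += 1
            elif "A" in flags:        # any ACK-bearing segment: handshake progressed
                ack[dst] += 1
        elif proto == "udp":
            udp_bytes[dst] += size
    findings = {}
    for dst in set(syn) | set(udp_bytes):
        # Resource depletion: half-open SYNs pile up in the listen backlog far
        # faster than handshakes complete, starving legitimate clients.
        if syn[dst] >= 100 and syn[dst] / max(ack[dst], 1) >= syn_ratio:
            findings[dst] = ("TCP SYN Flood", "Resource Depletion")
        # Bandwidth depletion: UDP volume alone saturates the link, whether or
        # not any service on the host is listening.
        elif udp_bytes[dst] * 8 / window_s >= link_bps:
            findings[dst] = ("UDP Flood", "Bandwidth Depletion")
    return findings
```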

  9. Botnets Used in Larger Attacks
   BlackEnergy
    – First described in 2007
      • Main victims were distributed systems
      • Used for DDoS attacks
    – Allegedly used during the 2008 Russia-Georgia Conflict
    – NATO Headquarters was the victim of a BlackEnergy attack in 2013
    – Integral to the 2015 attack on Ukraine’s power grid
      • New BlackEnergy variant used to illegally enter IT and OT systems
      • KillDisk function – erased processes and corrupted master boot records
      • Not used for DDoS attack
    – Demonstrates the dangers of botnet malware used in a coordinated attack

  10. IoT-Based Botnets
   At least eight families of IoT botnet malware in 2015:
    – Zollard Worm – exploits a previously ‘patched’ vulnerability
    – Linux.Aidra – exploits weak username/password combinations
    – XOR.DDoS – opens a back door and uses XOR encryption in both code and C&C communication
    – Bashlite – bruteforces routers with common username/password combinations, steals private information
    – LizardStresser – scans public IP addresses for Telnet port 23 and exploits common username/password combinations
    – AES.DDoS – uses AES for C&C communication, steals private information
    – PNScan – scans networks for open port 22 and exploits common username/password combinations, downloads other malware
    – Tsunami Trojan – modifies files so that it gets run each time a device boots up, can download other files, kill processes, and spoof IP addresses

  11. The Mirai Malware Family
   First discovered in May 2016.
   Mirai Family Tree: Two ancestor variants
    – Linux.DDoS.87
      • First discovered in May 2016
      • uClibc C Library for Embedded Systems
      • Territorial behavior – runkiller function
        – runkiller terminates processes with different PIDs
      • Maximum uptime of one week
      • Capable of launching: HTTP Flood, UDP Flood, TCP Flood, DNS Flood, TSource Flood
    – Linux.DDoS.89
      • Discovered in early August, 2016
      • Connects to the Internet via a Google DNS server
      • Scanner similar to Linux.BackDoor.Fgt Trojan
      • Capable of launching: UDP Flood, TSource Flood, DNS Flood, TCP Flood, UDP over GRE, TEB over GRE

  12. An Overview of the Mirai Malware
   Used to launch high profile DDoS attacks in September and October 2016
   Wide-ranging scans of IP addresses
   62 common username/password combinations
   >500,000 devices infected worldwide
   C&C module coded in Go, bots coded in C
    – C&C module has 8 program files
    – Bot code: 13 .c files, 10 .h files
   Ranges of IP addresses whitelisted:
    – US Department of Defense
   Specifically hunts for Anime malware
   Capable of the following attacks:
    – GRE IP Flood
    – GRE ETH Flood
    – SYN Flood
    – ACK Flood
    – STOMP Flood
    – DNS Flood
    – UDP Flood
    – HTTP Flood
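Slides 10 and 12 both describe the same propagation pattern: an infected device sprays connection attempts at Telnet (port 23) or SSH (port 22) across many addresses and tries common credentials. The following detection logic, added here and written for this page rather than taken from the presentation or from Mirai's own code, parses constructed iptables-style LOG lines (the line format is an assumption) and reports internal hosts that sent SYNs to an unusual number of distinct destinations on those ports within a sliding window, which is how a compromised IoT device on one's own network tends to reveal itself.

```python
import re
from collections import defaultdict

# Constructed sample log lines in an assumed iptables LOG-style format; the
# leading field is a Unix timestamp in seconds.
SAMPLE_LOG = "\n".join(
    [f"1700000{i:03d} kernel: SRC=192.168.1.50 DST=203.0.113.{i} PROTO=TCP DPT=23 SYN"
     for i in range(1, 41)]                       # one host hits 40 Telnet targets in 40 s
    + [f"1700000{i:03d} kernel: SRC=192.168.1.60 DST=198.51.100.{i} PROTO=TCP DPT=22 SYN"
       for i in range(1, 6)]                      # an admin box touching 5 SSH targets
    + ["1700000050 kernel: SRC=192.168.1.60 DST=198.51.100.9 PROTO=TCP DPT=443 SYN"]
)

LINE_RE = re.compile(
    r"^(?P<ts>\d+) .*SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=TCP DPT=(?P<dpt>\d+) SYN"
)

def find_scanners(log_text, ports=(22, 23), window_s=60, min_targets=20):
    """Return {src_ip: peak distinct targets} for sources that look like scanners.

    A source is flagged when, inside any window_s-second window, it sent SYNs to
    at least min_targets distinct destinations on one of the watched ports.
    Thresholds are illustrative and should be tuned to the local baseline.
    """
    events = defaultdict(list)                    # src -> [(ts, dst), ...]
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and int(m["dpt"]) in ports:
            events[m["src"]].append((int(m["ts"]), m["dst"]))
    scanners = {}
    for src, hits in events.items():
        hits.sort()
        peak = 0
        # Sliding window anchored at each SYN: count distinct destinations that
        # follow it within window_s seconds (quadratic, fine for a log excerpt).
        for i, (t0, _) in enumerate(hits):
            targets = {dst for ts, dst in hits[i:] if ts - t0 <= window_s}
            peak = max(peak, len(targets))
        if peak >= min_targets:
            scanners[src] = peak
    return scanners
```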

  13. Mirai’s Workflow

  14. Mirai Command & Control (C&C)
   Opens listening ports
    – port 23 – telnet
    – port 101 – remote API calls on IPv4 addresses
   Creates a lightweight thread for API connections on port 101
   Infinite loop waiting for telnet connections
   Botmaster alerted if C&C server fails
   Some interesting Mirai C&C functions and files:
    – apiHandler (main.go)
      • Check user keys
      • Create and queue attacks
    – newAttack (attack.go)
      • Set attack type, duration, and target
    – admin.go
      • Manages authentication
      • Welcomes the user to the administrative console
      • Russian strings within management interface

  15. Mirai C&C Administration Console
   admin.go: Russian Strings for Authentication, Error Alerts, Commands and Translations
    – prompt.txt, Line 1: я люблю куриные наггетсы – “I love chicken nuggets”
    – admin.go, Line 38: пользователь – “user”
    – admin.go, Line 46: пароль – “password”
    – admin.go, Line 56: проверив счета – “checking account”
    – admin.go, Line 63: произошла неизвестная ошибка – “An unknown error occurred”
    – admin.go, Line 64: “Press any key to exit.” – нажмите любую клавишу для выхода
