Naked Security

The Mirai DDoS botnet: Brian Krebs claims to know who wrote it

How do you trace the source of an attack that came from network devices located all around the globe? Krebs thinks he's done it...

Late last year, we wrote about a DDoS attack on well-known investigative cybercrime journalist Brian Krebs.

DDoS, sadly, has become a well-known word in its own right these days (in case you are wondering, it’s pronounced “dee-doss”), a short way of saying distributed denial of service.

That’s where thousands of computers, or perhaps even millions of them, gang up on an online service they don’t like and all deliberately start using it at the same time.

A DDoS is, by definition, a cyberattack, even if the network traffic it creates would be unexceptionable in everyday life, such as simply browsing to the main page on someone’s website.

Krebs’s website was DDoSed (yes, it’s a verb as well as a noun and an adjective) with more than 600 Gbit/sec of time-wasting traffic produced by a botnet, or zombie network, of computers infected with malware called Mirai.

The Mirai botnet isn’t made up of infected laptops, desktops and servers, but of a vast array of low-powered internet devices – the “things” that make up the Internet of Things (IoT) – such as home routers and webcams.

Unfortunately, when it comes to generating bogus network traffic, a $10 router or a $15 webcam is more than powerful enough to fill up the average home network all by itself, where there’s typically anywhere from 1 Mbit/sec to 10 Mbit/sec of upstream bandwidth available.

Even more unfortunately, many IoT devices are designed, built and delivered with scant regard for security, and are installed without much care, often with well-known default passwords unchanged, and with access left open to anyone who cares to come knocking.

Crassly put, IoT devices that cost 5% as much as your laptop tend to get 5% as much security love-and-care, or even less, although they can do 100% as much damage in a DDoS attack.

(If you think it through, the traffic generated by your laptop goes through your router anyway, so your laptop can’t fill your network connection any fuller than your router can.)

Insecure IoT devices are therefore widely abused by cybercriminals who make a living out of taking them over and charging other crooks to use them to knock people offline.

Why DDoS?

There are many reasons for mounting a DDoS attack, from knocking a competitor offline to harm their business, through extorting money not to repeat the process, to retribution and payback, which seems to be what motivated the attack on Krebs.

But who was behind the Krebs attack?

How do you trace the source of an attack that came from network devices located all around the globe?

Well, who better to try to find out than Brian Krebs himself…

…and that’s exactly what he thinks he’s done, in what he describes like this:

[E]asily the longest story I’ve ever written on [my] blog. It’s lengthy because I wanted to walk readers through my process of discovery, which has taken months to unravel. The details help in understanding the financial motivations behind Mirai and the botnet wars that preceded it.

We enjoyed reading it for the very reasons Krebs gives above, but also because it’s a reminder of the tough job that law enforcement faces, and of why we should congratulate cybercrime investigators when they achieve real results:

If you’ve ever wondered why it seems that so few Internet criminals are brought to justice, I can tell you that the sheer amount of persistence and investigative resources required to piece together who’s done what to whom (and why) in the online era is tremendous.

In the words of the selfsame online era, “True dat.”


4 Comments

Security Theatre ™

As a “Security Professional” myself, it’s long past time we stopped engaging in forensic fantasies and admit that, absent a complete rethink of programming itself, “security” is modern snake oil.


Krebs’s account on his site is fascinating, a veritable set of nested dolls of intrigue. What I found most interesting was the number of youthful players who portray themselves as security experts while perpetrating their attacks, somewhat like protection rackets. Their exchanges with Krebs et al. are also quite fascinating. The average internet user is clueless about this subculture. Krebs’s investigative skills are without equal, in my opinion. I can’t even imagine spending the amount of time he and the others spent crawling through the internet underground. I have enough to do running a network and trying to teach people about the basics of internet security, and working on the family farm.


If I may repeat what I said in the article, “True dat.”

We can all do our own little bit to help, at least in respect of attacks of this sort that rely on sloppily used IoT devices:

Change those default passwords. (Otherwise everyone and anyone knows what they need to log in.)

Avoid listening for logins on the WAN interface unless you absolutely need to. (Otherwise everyone and anyone can try to log in.)

Look out for firmware updates. (Set a date – for example, twice a year when the clocks change if you have daylight savings – to see if your device vendors have put out any updates that you missed.)

Vote with your chequebook/credit card/PayPal account. (Don’t just buy on marketing bumf or funkiness alone – favour vendors with a visibly positive attitude to security.)

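The hygiene checklist in the comment above (default passwords, logins exposed on the WAN side, stale firmware) can be turned into a repeatable audit of a device's configuration. The script below is an added example, not code from the article, from Krebs, or from any device vendor: the `key = value` configuration format, the `listen.<service>` field names, the sample credential list and the sample webcam settings are all constructed for illustration and do not describe a real product. It reports each finding rather than changing anything, so it can be run against an exported configuration before and after hardening.

```python
"""Audit a constructed home router / IoT device configuration for the
problems named in the comment above: default credentials, management
logins reachable from the WAN, and firmware that has not been checked
for a long time.

Added example; the config format, field names and sample values are
constructed and do not correspond to any real device or vendor.
"""
from datetime import date

# Constructed factory-default credential pairs. A real audit would load
# these from the vendor documentation for the specific device.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "password"), ("root", "")}

# Services that provide a login and so should never listen on the WAN side.
MANAGEMENT_SERVICES = {"telnet", "ssh", "http", "https"}

# The comment suggests checking for updates twice a year, so anything
# older than roughly six months gets flagged.
MAX_FIRMWARE_AGE_DAYS = 183


def parse_config(text):
    """Parse the constructed 'key = value' format into a dict.

    Lines of the form 'listen.<service> = <interface>' are collected under
    cfg["listen"]; everything after '#' on a line is a comment."""
    cfg = {"listen": {}}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key.startswith("listen."):
            cfg["listen"][key[len("listen."):]] = value
        else:
            cfg[key] = value
    return cfg


def audit(cfg, today):
    """Return a list of human-readable findings for the parsed config."""
    findings = []

    # 1. Default passwords: the pair must not be a known factory default.
    creds = (cfg.get("admin.user", ""), cfg.get("admin.password", ""))
    if creds in DEFAULT_CREDENTIALS:
        findings.append("default credentials still in use for user %r" % creds[0])

    # 2. WAN exposure: a login service bound to 'wan' or 'all' is reachable
    #    by anyone on the internet, not just the home LAN.
    for service, iface in sorted(cfg["listen"].items()):
        if service in MANAGEMENT_SERVICES and iface in ("wan", "all"):
            findings.append("%s login reachable from the WAN interface" % service)

    # 3. Firmware age: flag devices whose firmware build date is stale.
    fw_date = date.fromisoformat(cfg.get("firmware.date", "1970-01-01"))
    if (today - fw_date).days > MAX_FIRMWARE_AGE_DAYS:
        findings.append("firmware dated %s is older than %d days; check the vendor for updates"
                        % (fw_date.isoformat(), MAX_FIRMWARE_AGE_DAYS))
    return findings


def audit_text(text, today_iso):
    """Convenience wrapper: parse raw config text and audit it as of a date."""
    return audit(parse_config(text), date.fromisoformat(today_iso))


# Constructed sample: a webcam configured as it came out of the box.
SAMPLE_CONFIG = """
admin.user = admin
admin.password = admin
listen.http = all        # web UI bound to every interface
listen.telnet = wan      # "remote support" left open
listen.ssh = lan         # LAN-only is acceptable
firmware.date = 2016-03-01
"""

if __name__ == "__main__":
    for finding in audit_text(SAMPLE_CONFIG, "2017-01-20"):
        print("-", finding)
```

Against the constructed sample the audit reports four findings (default credentials, HTTP and Telnet logins on the WAN, and stale firmware); changing the password, binding the web UI to the LAN, disabling Telnet and applying a recent firmware build brings it to zero.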

Read his post yesterday and found it quite funny that it all started with a kid throwing a tantrum over Minecraft, growing into a pathetic tantrum-throwing adult villain.
