Akamai Diversity

The Akamai Blog

Protecting against Mirai with DNS Security

One of the biggest cyberthreats making the rounds on the internet is the Mirai botnet. Mirai targets connected Internet of Things (IoT) devices, using each infected device to launch DDoS attacks and cause website outages around the globe by flooding them with queries. Examples of recent Mirai-generated web outages are the Dyn attack which took down or significantly slowed sites like Airbnb, Twitter, the New York Times, CNN, Fox News, Netflix and many other popular domains in late October of this year, as well as the attack that temporarily took down security expert Brian Krebs' KrebsOnSecurity website in September.

Mirai has evolved and expanded since the October attacks when the source code was released. The most recent development in Mirai v2 attacks occurred on December 6, 2016 when it began using Domain Generation Algorithms (DGAs) rather than hardcoded DNS as it had before, to make it harder for the security community to block the botnet's access to its command and control (C&C) centers. The Mirai v2 attack volume can be extremely strong, and the high volume of activity can easily exhaust end-user bandwidth. Remediation is also difficult and time-consuming, and once a device is rebooted it is vulnerable to being re-infected within minutes, due to its continual rescanning of the internet. The devices most vulnerable to Mirai are home routers, DVRs and internet-connected remote cameras, largely because these devices typically don't have the appropriate security software installed to protect them from the malicious botnet, and usually have external access enabled that is exploited by Mirai. Additionally, consumers often use the factory-default security passwords, which are easy for hackers to break through.

Consumers rarely know that one of their devices has been infected as performance continues as normal for the most part. The impact on communications service providers (CSPs), however, can be detrimental if adequate protections aren't in place. The flood of queries may significantly slow the CSP's network--or make it completely inoperable--which leads to a high volume of customer support calls; or worse, subscribers cancelling service.

So, what can security professionals do to stop this costly and insidious attack from infecting devices on corporate and telecom networks? The truth is there is no way to completely eliminate or block Mirai today. Because the Mirai code is open source, the botnet has gained widespread momentum that security teams are finding hard to combat. However, because Mirai uses DNS to communicate to its C&C servers and launch DNS-based DDoS attacks, DNS data--when backed by data science, machine learning, and other algorithmic methods--can be used to significantly reduce the damage this botnet can inflict. Nominum, now part of Akamai, ThreatAvert is used to protect networks from these attacks and preserve network integrity. The solution has warded off many Mirai-induced attacks thus far, keeping CSP networks protected and maintaining a good online experience for subscribers. ThreatAvert is especially effective against Pseudo Random Subdomain (PRSD) attacks, one of the attack vectors used by Mirai.

DNS provides an added layer of security
Nominum, now part of Akamai, ThreatAvert provides a layer of defense against Mirai, mitigating the potential damage of the botnet by disrupting command and control queries issued by recent attack variants. While this is not on its own enough to completely stop Mirai, ThreatAvert helps CSPs buy more time as they address Mirai in a more systematic way, such as remotely updating infected devices or replacing outdated routers connected to their network. Through the combination of Nominum, now part of Akamai, Data Science and the insights gained by other security researchers (specifically 360), ThreatAvert is continually updated with the latest C&C domains and knows to block those queries when they occur. It also identifies the DGAs used by Mirai to communicate with the C&C services, and mitigates them as well.

Because it already exists in CSP networks, using a DNS-based security solution is relatively low-cost yet yields very high processing power using Nominum's DNS servers. It offers a layer of protection that is convenient and fairly easy to deploy.

The image below shows where the highest concentrations of Mirai-infected devices are located, city-by-city around the globe. The pie charts represent the relative size of the infection of each city by CSP. Currently South America and parts of Asia are the most impacted, yet as the image illustrates, Mirai is causing damage on a global scale.

Miria botnet around the world

If there were a silver bullet against Mirai it would be much stronger protections that are built into the IoT devices themselves--but those protections don't currently exist, nor might they ever. The biggest challenge with Mirai is that it changes quickly and constantly, so any knowledge the industry attains can become obsolete in a matter of hours, as its behavior morphs and new variants appear. With so many vulnerabilities to keep up with, device manufacturers simply don't have the ability or expertise to address all of them--which is why DNS data is such a powerful tool when it comes to understanding the constantly changing nature of this damaging threat. ThreatAvert, which takes this continually updated data to keep ahead of Mirai and other cyberthreats, can be one of the best defenses for keeping a CSP's network performance at optimal levels.