Brian Krebs's KrebsOnSecurity site went offline for several days last week under a sustained DDoS attack of approximately 620 gigabits per second, which is, on Akamai's measurement (Akamai DDoS state of the internet, Q3 2016), the largest DDoS attack publicly documented to that point. Akamai, which had been providing pro bono protection for the site for some years, withdrew the service when the attack volume passed a level at which providing it free was no longer commercially defensible. Google's Project Shield took the site over and absorbed the continuing attack (Krebs's own account, krebsonsecurity.com).
The attack composition is the part that needs documenting. The traffic is generated, predominantly, by compromised Internet-of-Things devices: consumer-grade cameras, DVRs, home routers, and similar small-form-factor network appliances running embedded Linux on commodity SoCs. The compromise vector is, in the great majority of cases, default-credential login over telnet on port 23 or SSH on port 22. The botnet, which is being analysed under the name Mirai by several research groups, scans aggressively for devices on those ports, attempts a small dictionary of default username-password pairs (root/xc3511, root/vizxv, root/admin, etc — the dictionary is short), gains shell on devices that respond, downloads a binary appropriate to the device's CPU architecture, and adds the device to the botnet. The botnet's infection rate has been remarkable; estimates run from several hundred thousand to over a million devices in active control as of this morning.
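The scanning behaviour described above is the most visible symptom an infected device shows from inside a network: a camera or DVR that suddenly contacts dozens of distinct hosts on ports 23 and 22. The following is an added example, not code from the original note or from any Mirai analysis, that flags that fan-out pattern in firewall logs. The log format, the threshold and window values, and the sample traffic are all constructed assumptions.

```python
from collections import defaultdict

# Telnet and SSH: the two ports the text names as Mirai's compromise vector.
SCAN_PORTS = {22, 23}
FANOUT_THRESHOLD = 20   # distinct destinations per window; assumed tuning value
WINDOW_SECONDS = 60

def parse_line(line):
    """Constructed log format: '<epoch> <src_ip> <dst_ip> <dst_port> <action>'."""
    ts, src, dst, port, action = line.split()
    return int(ts), src, dst, int(port), action

def find_scanners(lines, threshold=FANOUT_THRESHOLD, window=WINDOW_SECONDS):
    """Map each source that contacts more than `threshold` distinct hosts on
    SCAN_PORTS within any `window`-second span to its peak fan-out."""
    events = defaultdict(list)          # src -> [(ts, dst)]
    for line in lines:
        ts, src, dst, port, _ = parse_line(line)
        if port in SCAN_PORTS:
            events[src].append((ts, dst))
    scanners = {}
    for src, hits in events.items():
        hits.sort()
        seen = defaultdict(int)         # dst -> hit count inside current window
        left = 0
        for ts, dst in hits:
            seen[dst] += 1
            while ts - hits[left][0] > window:   # slide the window forward
                old = hits[left][1]
                seen[old] -= 1
                if seen[old] == 0:
                    del seen[old]
                left += 1
            if len(seen) > threshold:
                scanners[src] = max(scanners.get(src, 0), len(seen))
    return scanners

# Constructed sample: an IP camera fanning out on telnet, a workstation with
# three SSH sessions, and a printer doing HTTP. Only the camera should fire.
SAMPLE_LOG = (
    [f"{1474900000 + i} 10.0.5.17 203.0.113.{i} 23 deny" for i in range(25)]
    + [f"{1474900000 + i * 10} 10.0.1.8 10.0.2.{i} 22 allow" for i in range(3)]
    + [f"{1474900000 + i} 10.0.3.4 10.0.9.1 80 allow" for i in range(30)]
)

if __name__ == "__main__":
    for src, fanout in find_scanners(SAMPLE_LOG).items():
        print(f"{src}: {fanout} distinct telnet/SSH targets within {WINDOW_SECONDS}s")
```

Denied outbound connections count as well as allowed ones, since an egress filter that blocks port 23 stops the propagation but not the signal that a device is already infected.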
The technical sophistication of Mirai is, by 2016 standards, modest. The credential dictionary is short. The exploits are not novel. The C2 infrastructure is centralised and traceable. The DDoS techniques used (UDP flood, SYN flood, GRE flood, the standard volumetric battery) are well-understood. What is unusual is not the malware. It is the population of vulnerable devices the malware reaches. Fifteen years of consumer IoT product development with default credentials, no patch infrastructure, and no operational ownership has produced an internet-attached device population in which a substantial fraction will respond to root/xc3511. The bill for that fifteen years of indifference has, this month, started to arrive.
The defensive question is structurally different from previous DDoS waves. The Spamhaus 2013 attack was DNS reflection — a configuration weakness in DNS resolvers that operators could fix. Mirai is not a configuration weakness. The compromised devices are working as designed, in the sense that "designed" means "shipped with the credentials the manufacturer set, exposed to the internet by default, never updated". The remediation requires either replacement of the devices (which their owners have no commercial incentive to do, because the devices continue to work for their primary purpose), or active intervention by access ISPs (which involves customer-facing work that ISPs are reluctant to take on), or aggressive scanning and remote remediation by the security community (which is legally fraught and operationally awkward), or regulatory action against device manufacturers (which is in early stages of conversation, with the BSI in Germany and the FTC in the US doing the most public work). None of these are quick.
For our customer estates, the immediate operational concern is around the IoT footprint inside the corporate perimeter. Several customer organisations have substantial deployments of IP cameras, environmental sensors, building-management systems, and similar that are within the scope of the same architectural pattern as Mirai's targets. The devices are often procured outside IT, deployed without inventory in the CMDB, and rarely included in the patching and credential-rotation cadence that covers the rest of the estate. The audit work this autumn, on the back of the Mirai disclosure, is to find every IoT device on customer networks, identify the credential and patch posture for each, and bring them into the standard hardening cadence. The Browne Jacobson estate has approximately three hundred such devices on the inventory we did last year; the spot check this week found around forty more that the inventory had missed. The manufacturing client's estate is larger and the surprise factor will be greater. We are starting that work next month.
For the wider conversation about DDoS resilience, the Mirai-class attacks have changed the planning numbers. The 620 Gbps against Krebs is, on current evidence, neither the largest the botnet can produce nor the largest we will see this year. The infrastructure population that can withstand an attack of that scale is small — the major content delivery networks, a handful of hyperscale providers, and a few specialised DDoS protection services. Self-hosting on a single colocation pipe is no longer a viable posture for any internet service that might attract attacker attention. The vCISO conversation about hosting strategy is going to need to factor that change in. Most customers are already on CDN-fronted architectures; the few that are not will be moving in the next six months.
The thing I keep coming back to is the responsibility question. Mirai's compromised devices belong to consumers who are unaware they are infected. The traffic is sourced from those consumers' connections, the impact is felt by the targets of the attack, and neither the consumers nor the device manufacturers — who in many cases no longer support the product or in some cases no longer exist — bear any direct cost. The structural problem is the misalignment of incentives along the chain from manufacturer to consumer to ISP to victim. The IoT regulatory conversation that is starting in several jurisdictions is, at base, an attempt to move some cost onto the manufacturers — through liability rules, mandatory patch-support periods, certification requirements — and that conversation is going to dominate device-security policy for the next several years. The first proper attempt is the EU Cybersecurity Package the Commission is consulting on this autumn (European Commission Cybersecurity Strategy 2016 communication). Whether it produces meaningful change before the next Mirai-class attack is the question.