This paper is included in the Proceedings of the 26th usenix security Symposium August 16–18, 2017 • Vancouver, bc, Canada
Yüklə 382,3 Kb. Pdf görüntüsü
|
Target Attacks
Cluster Notes
Lonestar Cell 616
2 Liberian telecom targeted by 102 reflection attacks. Sky Network 318
15, 26, 6 Brazilian Minecraft servers hosted in Psychz Networks data centers. 1.1.1.1 236
1,6,7,11,15,27,28,30 Test endpoint. Subject to all attack types. 104.85.165.1 192
1,2,6,8,11,15,21,23,26,27,28,30 Unknown router in Akamai’s AS. feseli.com 157
7 Russian cooking blog. minomortaruolo.it 157
7 Italian politician site. Voxility hosted C2 106
1,2,6,7,15,26,27,28,30 C2 domain from DNS expansion. Exists in cluster 2 seen in Table 8. Tuidang websites 100
— HTTP attacks on two Chinese political dissidence sites. execrypt.com 96 — Binary obfuscation service. auktionshilfe.info 85 2,13
Russian auction site. houtai.longqikeji.com 85 25
Runescape 73 — World 26 of a popular online game. 184.84.240.54 72 1,10,11,15,27,28,30 Unknown target hosted at Akamai. antiddos.solutions 71 —
Table 10: Mirai DDoS Targets — The top 14 victims most frequently targeted by Mirai run a variety of services. Online games, a Liberian cell provider, DDoS protection services, political sites, and other arbitrary sites match the victim heterogeneity of booter services. Many clusters targeted the same victims, suggesting a common operator. Attack Target Date Sample Size Intersection Akamai
† 09/21/2016 12,847 96.4%
Google Shield † 09/25/2016 158,839 96.4%
Dyn 10/21/2016 107,464 70.8%
Table 11: Mirai Attack IPs — Client IPs from attacks on Krebs on Security (denoted † ) and Dyn (denoted ) intersected signifi- cantly with Mirai-fingerprinted scanning our network telescope, confirming that both attacks were Mirai-based, but the lower Dyn intersection hints that other hosts may have been involved. targeted least once. This direct adversarial behavior reaf- firms the notion of multiple, competitive botnet operators. 6.3
High Profile Attacks Several high profile DDoS attacks brought Mirai into the limelight beginning in September 2016. We analyze the following three Mirai victims as case studies: Krebs on Security, Dyn, and the Liberian telecom provider Lones- tar.
Krebs on Security The popular Krebs on Security blog has had a long history of being targeted by DDoS attacks (Figure 10), and on September 21, 2016 was subject to an unprecedented 623 Gbps DDoS attack — with Mirai as the prime suspect. Placing this attack in context, it was significantly larger than the previously reported largest publicly-disclosed DDoS attack victim (i.e., Spamhaus at 300+ Gbps [77]), but we note that attacks to non-disclosed targets of 500 Gbps and 800 Gbps were reported in 2015 and 2016 respectively [7]. To confirm the origin of the attack, we intersected a list of 12,847 attack IPs observed by Akamai with the Mirai IPs we saw actively scanning during that period. We found a 96.4% overlap in hosts. Google Shield, who later took over DDoS protection of Figure 10: Historical DDoS Attacks Targeting Krebs on Se- curity — Brian Krebs’ blog was the victim of 269 DDoS attacks from 7/24/2012–9/22/2016. The 623 Gbps Mirai attack on 9/21/2016 was 35 times larger than the average attack, and the largest ever recorded for the site. the site, separately maintained a larger sample of 158,839 attack IPs for an HTTP attack on September 25, 2016. When given the Mirai scanning IPs from that day, they found 96% of their attack IPs overlapped. Our results illustrate the potency of the Mirai botnet, despite its com- position of low-end devices concentrated in Southeast Asia and South America. We also identified which C2 clusters were responsible for some of the largest attacks by correlating attack commands with naming infrastruc- ture, and we note that cluster 1 (Figure 7) was responsible for this attack. Dyn
On October 21, 2016, Dyn, a popular DNS provider suffered a series of DDoS attacks that disrupted name resolution for their clients, including high-traffic sites such as Amazon, Github, Netflix, PayPal, Reddit, and Twitter [71]. Consistent with Dyn’s postmortem re- port [36], we observed 23 attack commands that targeted Dyn infrastructure, from 11:07–16:55 UTC. The first 21 attacks were primarily short-lived (i.e., 25 second) USENIX Association 26th USENIX Security Symposium 1105 SYN floods on DNS port 53, along with a few ACK and GRE IP attacks, and followed by sustained 1 hour and 5 hour SYN attacks on TCP/53. We note a 71% intersec- tion between the 107K IPs that attacked Dyn and Mirai scanning in our network telescope. This indicates that, while the attack clearly involved Mirai, there may have been other hosts involved as well. Although the first several attacks in this period solely targeted Dyn’s DNS infrastructure, later attack commands simultaneously targeted Dyn and PlayStation infrastruc- ture, potentially providing clues towards attacker mo- tivation. Interestingly, the targeted Dyn and PlaySta- tion IPs are all linked to PlayStation name servers — the domain names ns<00–03>.playstation.net re- solve to IPs with reverse DNS records pointing to ns<1-4>.p05.dynect.net, and the domain names ns<05–06>.playstation.net resolve to the targeted PlayStation infrastructure IPs. The attacks on Dyn were interspersed amongst other attacks targeting Xbox Live, Microsoft DNS infrastruc- ture, PlayStation, Nuclear Fallout game hosting servers, and other cloud servers. These non-Dyn attacks are either ACK/GRE IP floods, or VSE, which suggests that the targets were Valve Steam servers. At 22:17 UTC, the botnet issued a final 10 hour-long attack on a set of Dyn and PlayStation infrastructure. This pattern of behavior suggests that the Dyn attack on October 21, 2016 was not solely aimed at Dyn. The attacker was likely targeting gaming infrastructure that incidentally disrupted service to Dyn’s broader customer base. The attack was carried out by Cluster 6. Lonestar Cell Attacks on Lonestar Cell, a large tele- com operator in Liberia and the most targeted victim of Mirai (by attack account), have received significant attention due to speculation that Mirai substantially de- teriorated Liberia’s overall Internet connectivity [14, 42]. Others have questioned these claims [45]. We cannot pro- vide insight into Liberia’s network availability; instead, we analyze attack commands we observed. Beginning at 10:45 UTC on October 31, 2016 until December 13, 2016, a single botnet C2 cluster (id 2) issues a series of 341 attacks against hosts in the Lonestar AS. 87% of the attacks are SYN or ACK floods and targeted both full sub- nets and addresses within 168.253.25.0/24, 41.57.81.0/24, and 41.57.85.0/24, all of which belong to Lonestar Cell or its parent company, MTN Group. In addition to IP targets, we observe an NXDO- MAIN attack issued on November 8, 2016 that targeted simregistration.lonestarcell.com. A single C2 IP never seen previously or subsequently issued a single attack on December 14. Attacks on Lonestar infrastruc- ture continued again at 09:24 UTC on January 16, 2017 and persisted until February 8, 2017, issuing 273 attacks from a single C2 IP address. In total there were 616 at- tacks, 102 of which used reflect traffic against Voxility, Google, Facebook, and Amazon servers towards Lonestar networks. The attack was carried out by C2 cluster 2 and used the C2 domains: “mufoscam.org”, “securityup- dates.us”, “jgop.org”, and “zugzwang.me”. As we have seen, Mirai primarily used direct, non- reflective attacks on a wide range of protocols including the less common GRE and VSE protocols. Even without relying on amplification attacks, Mirai was still able to in- flict serious damage as evidenced by high-profile attacks against Krebs on Security, Dyn, and Lonestar Cell. Fur- thermore, the juxtaposition of attacker geography (largely Southeast Asia and South America) and victim geography (majority in the U.S.) places a spotlight on the importance of global solutions, both technical and non-technical, to prevent the rise of similar botnets. Otherwise, adversaries will continue to abuse the most fragile hosts to disrupt the overall Internet ecosystem. 7 Discussion Mirai has brought into focus the technical and regulatory challenges of securing a menagerie of consumer-managed, interfaceless IoT devices. Attackers are taking advantage of a reversal in the last two decades of security trends especially prevalent in IoT devices. In contrast to desktop and mobile systems, where a small number of security- conscious vendors control the most sensitive parts of the software stack (e.g. Windows, iOS, Android) — IoT de- vices are much more heterogeneous and, from a secu- rity perspective, mostly neglected. In seeking appropri- ate technical and policy-based defenses for today’s IoT ecosystem, we draw on the experience of dealing with desktop worms from the 2000s. Security hardening The Mirai botnet demonstrated that even an unsophisticated dictionary attack could com- promise hundreds of thousands of Internet-connected de- vices. While randomized default passwords would be a first step, it is likely that attacks of the future will evolve to target software vulnerabilities in IoT devices much like the early Code Red and Confickr worms [8, 70]. To miti- gate this threat before it starts, IoT security must evolve away from default-open ports to default-closed and adopt security hardening best practices. Devices should con- sider default networking configurations that limit remote address access to those devices to local networks or spe- cific providers. Apart from network security, IoT de- velopers need to apply ASLR, isolation boundaries, and principles of least privilege into their designs. From a compliance perspective, certifications might help guide consumers to more secure choices as well as pressure manufacturers to produce more secure products. 1106 26th USENIX Security Symposium USENIX Association Yüklə 382,3 Kb. Dostları ilə paylaş:
|