Slashdot Mirror


Mirai and Bashlight Join Forces Against DNS Provider Dyn (arstechnica.com)

A second wave of attacks has hit dynamic domain name service provider Dyn, affecting a larger number of providers. As researchers and government officials race to figure out what is causing the outages, new details are emerging. Dale Drew, chief security officer at Level 3 Communications, says the attack is at least in part being mounted from a "botnet" of Internet-of-Things (IoT) devices. "We're seeing attacks coming from a number of different locations," Drew said. "An Internet of Things botnet called Mirai that we identified is also involved in the attack." Ars Technica reports: The botnet, made up of devices like home WiFi routers and internet protocol video cameras, is sending massive numbers of requests to Dyn's DNS service. Those requests look legitimate, so it's difficult for Dyn's systems to screen them out from normal domain name lookup requests. Earlier this month, the code for the Mirai botnet was released publicly. It may have been used in the massive DDoS attack against security reporter Brian Krebs. Mirai and another IoT botnet called Bashlight exploit a common vulnerability in BusyBox, a pared-down version of the Linux operating system used in embedded devices. Mirai and Bashlight have recently been responsible for attacks of massive scale, including the attacks on Krebs, which at one point reached a traffic volume of 620 gigabits per second. Matthew Prince, co-founder and CEO of the content delivery and DDoS protection service provider CloudFlare, said that the attack being used against Dyn is an increasingly common one. The attacks append random strings of text to the front of domain names, making them appear like new, legitimate requests for the addresses of systems with a domain. Caching the results to speed up responses is impossible. Prince told Ars: "They're tough attacks to stop because they often get channeled through recursive providers. They're not cacheable because of the random prefix. We started seeing random prefix attacks like these three years ago, and they remain a very common attack. If IoT devices are being used, that would explain the size and scale [and how the attack] would affect someone the size of Dyn."

56 comments

  1. Mirai? Marai? by Anonymous Coward · · Score: 1

    So which is it?

    1. Re:Mirai? Marai? by Anonymous Coward · · Score: 1, Insightful

      Mirai, editors can eat shit

    2. Re:Mirai? Marai? by Anonymous Coward · · Score: 0

      Mirai, Mirai, I just meet a Botnet Named Mirai..

  2. It's Mirai by Wizy · · Score: 4, Informative

    The name of the bot is Mirai.

    Here is the source: https://github.com/jgamblin/Mirai-Source-Code

  3. This has been on the news all day. by Anonymous Coward · · Score: 0

    Reddit, Airbnb, and some other shit sites were affected.

    No harm was done.

    1. Re: This has been on the news all day. by dfeifer · · Score: 2

A lot more than that... there are also a few hundred thousand Shopify stores that were affected as well, including my company's store. Generally, directly interfering with commerce is a big no-no as well.

    2. Re:This has been on the news all day. by erice · · Score: 1

      Reddit, Airbnb, and some other shit sites were affected.

      No harm was done.

      Indeed was affected. So, not just people messing around, but people looking for work.

    3. Re: This has been on the news all day. by Anonymous Coward · · Score: 0

      Indeed and every other commercial online job search is worthless and filled with phoney job postings.

    4. Re: This has been on the news all day. by Anonymous Coward · · Score: 0

      I don't know man I got my job from Indeed.

  4. extrajudicial by PopeRatzo · · Score: 1

    If you take down critical infrastructure, you should expect law enforcement to shoot to kill.

    --
    You are welcome on my lawn.
    1. Re:extrajudicial by Anonymous Coward · · Score: 0

      something about color of skin

    2. Re:extrajudicial by JustAnotherOldGuy · · Score: 1

      If you take down critical infrastructure, you should expect law enforcement to shoot to kill.

      This works for me. Or can we get a Kickstarter going to fund some hunter-killer teams?

      --
      Just cruising through this digital world at 33 1/3 rpm...
    3. Re: extrajudicial by cthulhu11 · · Score: 1

      Yet Chris Christie remains alive :-/

  5. dns spammers by Anonymous Coward · · Score: 0

Spammers would prepend characters on email address domain names. Sounds familiar. It was difficult to filter out. Was able to get around it with SpamAssassin but risked false positives.

    Maybe DNS needs something similar.

  6. We need to decentralize and distribute the system by Anonymous Coward · · Score: 0

There is no good reason that we should be dependent on this system of domains. Centralized control is dangerous and enables censorship and attacks like this one. Whether it is a criminal, rogue agent, or government, we shouldn't be dependent on centralized infrastructure. Obviously it's a lot harder to decentralize than this, but it's a great area for Computer Science research. We need more of it. We need more focus on distributed anonymous decentralized systems of all kinds.

  7. Re:Suck It Obozo Regime by Anonymous Coward · · Score: 0

Forcing Ecuador to cut off Assange's Internet access didn't work out like you petty thug wannabes planned, did it?

    It wasn't Assange, it was the republic of purple unicorns. Why are you stealing their thunder?

  8. Re:Hillary is behind Dyn by Anonymous Coward · · Score: 1

    Thank you, we appreciate the perspective from the Loony Party.

  9. Random prefix workaround by Angst+Badger · · Score: 4, Interesting

    There may very well be something I'm missing here, but I have a suggestion for how to deal with the random prefix attack.

    Keep a running count of the number of requests for non-existent subdomains. Once they exceed a certain number in a short period of time, cease to respond to requests for subdomains that aren't already cached as valid.

    Example: foo.com, www.foo.com, and mail.foo.com are cached. A flood of requests for (random chars).foo.com starts up. Once this exceeds 100 requests in a minute, all requests for foo.com subdomains are ignored except for foo.com, www.foo.com, and mail.foo.com.

    This would still cut off access to infrequently-accessed subdomains, but subdomains with enough traffic to be in the cache would remain reachable.

    --
    Proud member of the Weirdo-American community.
    1. Re:Random prefix workaround by Zaiff+Urgulbunger · · Score: 1

Problem is the same system could be used to mount a.... [D]DoS attack on services that depend on sub-domains. E.g. if "example.com" has a business where each customer has their own sub-domain, then all a hacker needs to do to deny service to example.com is make multiple failed DNS requests.

      Not that your idea is a bad one, though... it *may* help Dyn themselves mitigate the attack somewhat by giving dodgy-looking requests a lower priority. But it doesn't really solve it.

      My best idea is actively hunting vulnerable devices and bricking them... but I'm guessing this might not be a popular option!

    2. Re:Random prefix workaround by davecb · · Score: 1

Also apply negative caching, with a timeout so that when I register OrvilleTorpid.org it eventually propagates.

      --
      davecb@spamcop.net
    3. Re:Random prefix workaround by Anonymous Coward · · Score: 0

      "My best idea is actively hunting vulnerable devices and bricking them... but I'm guessing this might not be a popular option!"
      This is already in the works, using the same Mirai Software. Or so I've heard...

    4. Re:Random prefix workaround by Anonymous Coward · · Score: 0

      This is a decent idea. Combined with existing Response Rate Limits which refuse to answer a client that's flooding the server and it could be very effective.
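The thread above sketches two complementary resolver-side measures: Angst+Badger's per-zone NXDOMAIN counter that keeps answering names already known to be valid, and davecb's negative caching. The block below is an added example (not from the article, Slashdot or any commenter) that models both on a toy recursive cache and runs a constructed random-prefix flood through it. The zone, its records, the flood rate and the "zone is the last two labels" rule are assumptions for the demo. It also reproduces Zaiff Urgulbunger's objection: once a zone is locked down, a legitimate but not-yet-cached customer subdomain is refused along with the junk.

```python
"""
Resolver-side model of the "random prefix workaround" from the thread:
serve names already known valid, count NXDOMAINs per zone, and stop
forwarding unknown names for that zone once the count trips a threshold.
A negative cache (RFC 2308 style) stops repeated junk names going upstream.
Added example; the zone data below is constructed.
"""
import random
from collections import Counter, defaultdict, deque


class PrefixFloodResolver:
    def __init__(self, upstream, nx_threshold=100, window_s=60.0, neg_ttl=60.0):
        self.upstream = upstream            # callable(qname) -> ip or None; stands in for the authoritative
        self.nx_threshold = nx_threshold
        self.window = window_s
        self.neg_ttl = neg_ttl
        self.positive = {}                  # qname -> ip (positive cache; TTL expiry omitted for brevity)
        self.negative = {}                  # qname -> expiry timestamp (negative cache)
        self.nx_times = defaultdict(deque)  # zone -> timestamps of recent NXDOMAIN answers
        self.upstream_queries = 0

    @staticmethod
    def zone_of(qname):
        # Assumption for the demo: the zone is the last two labels. Real code would use
        # the actual delegation point (or the public suffix list), not this rule.
        return ".".join(qname.split(".")[-2:])

    def locked_down(self, zone, now):
        """True once this zone produced >= nx_threshold NXDOMAINs inside the sliding window."""
        recent = self.nx_times[zone]
        while recent and now - recent[0] > self.window:
            recent.popleft()
        return len(recent) >= self.nx_threshold

    def resolve(self, qname, now):
        if qname in self.positive:                 # names known valid are always served
            return "NOERROR", self.positive[qname]
        expiry = self.negative.get(qname)
        if expiry is not None and expiry > now:    # junk seen before: answer from the negative cache
            return "NXDOMAIN", None
        zone = self.zone_of(qname)
        if self.locked_down(zone, now):            # flood detected: stop forwarding unknown names
            return "REFUSED", None
        self.upstream_queries += 1
        ip = self.upstream(qname)
        if ip is None:
            self.negative[qname] = now + self.neg_ttl
            self.nx_times[zone].append(now)
            return "NXDOMAIN", None
        self.positive[qname] = ip
        return "NOERROR", ip


def simulate(nx_threshold=100, flood_size=500):
    # Constructed zone: three busy names plus one rarely used customer subdomain.
    records = {
        "example.com": "192.0.2.10",
        "www.example.com": "192.0.2.10",
        "mail.example.com": "192.0.2.20",
        "shop-4711.example.com": "192.0.2.30",
    }
    resolver = PrefixFloodResolver(records.get, nx_threshold=nx_threshold)
    warm_names = ("example.com", "www.example.com", "mail.example.com")
    for name in warm_names:
        resolver.resolve(name, 0.0)                # warm the positive cache with the busy names

    rng = random.Random(1)
    junk_names = [f"{rng.getrandbits(48):012x}.example.com" for _ in range(flood_size)]
    flood = Counter()
    for i, junk in enumerate(junk_names):          # flood: unique random prefixes at 50 queries/s
        rc, _ = resolver.resolve(junk, i * 0.02)
        flood[rc] += 1
    forwarded = resolver.upstream_queries - len(warm_names)

    after = 11.0                                   # just after the flood, still inside the window
    return {
        "flood": dict(flood),
        "forwarded_during_flood": forwarded,
        "cached_name": resolver.resolve("www.example.com", after)[0],
        "uncached_legit_name": resolver.resolve("shop-4711.example.com", after)[0],
        "repeat_junk": resolver.resolve(junk_names[0], after)[0],
    }


if __name__ == "__main__":
    print("with defence:   ", simulate())
    print("without defence:", simulate(nx_threshold=10**9))
```

With the defence on, 100 of the 500 junk queries reach the authoritative and the remaining 400 are refused locally; with it off, all 500 go upstream, which is the load Dyn had to absorb from every recursive resolver at once. The collateral damage is the `REFUSED` returned for `shop-4711.example.com`, a real name that simply was not cached when the flood started. Response Rate Limiting, mentioned in the reply above, works on the authoritative side and on a per-client basis instead of per zone, so the two are complementary rather than alternatives.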

  10. Consumer protection by Anonymous Coward · · Score: 0

    Could there be no way for consumers of IoT to secure their own devices- a centralized 'app' to check that their IoT are not sending unexpected traffic over the network?

    The widespread growth of IoT connected consumer devices with default and often outdated settings is staggering.

    1. Re:Consumer protection by skids · · Score: 2

      Could there be no way for consumers of IoT to secure their own devices

If they cannot be arsed to change the default passwords, thinking they'd bother with running such an app is fantasy. And that's how these botnets spread.

      Many of these articles seem to implicate a "bug in busybox" or "bug in telnet", but they do not describe any activity consistent with exploiting CVE-2011-2716. At most the articles might suggest elevation of privileges after getting in via a default password, perhaps via CVE-2013-1813, but probably just due to busybox not originally having been intended as a multiuser runmode so such holes are more likely to be present there.

      The "bug" seems to be just journalists not understanding that a default password is not the same thing as a software bug, nor is the language or platform/OS on which malware is targeted at fault for running a program written for it.

      Anyway, since vendors seem to only find it economically viable to make these should-be-local devices totally reliant on overcomplicated cloud services, or even just like to leave hardcoded test accounts on them, and many of the devices contain closed SoC/peripherals so there's no equivalent of OpenWRT for them, even enthusiasts cannot really secure them easily enough to maintain any enthusiasm for the product. They'll end up cutting the feet of some shoeless child in a 3rd world landfill as soon as their manufacturer goes bankrupt or abandons the product line.

Incidentally, if you have an old busybox and you can alter the udhcpc default script and prevent the use of DHCP-acquired hostname/domainname etc., that might be worth the effort if you cannot just reasonably upgrade it.

    2. Re:Consumer protection by AHuxley · · Score: 1

      Designing in an extra chip or getting a more expensive chip?
      Printing unique passwords on stickers in the packaging?
      Having users search forums to find they lost their special password with the packaging? Then login to blame the brand for the unexpected result?
Do that over too many generations of products and it's less profit for a nice jet or yacht.

      --
      Domestic spying is now "Benign Information Gathering"
    3. Re:Consumer protection by Anonymous Coward · · Score: 0

      Printing unique passwords on stickers in the packaging?
      Having users search forums to find they lost their special password with the packaging? Then login to blame the brand for the unexpected result?

      user\backdoor: admin
      password: [whatever documented standard (ie 'admin')] + [last8 of MAC\EUI]
      [enforce a default more than 6 bad attempts per minute triggers 5 minute lockout]
That MAC is 99% of the time not only on the packaging already but on relatively unlikely-to-fall-off stickers on the product itself somewhere, and failing that you could still recover it just from plugging in and sniffing locally if both are lost. Does it solve all the problems? Nope, not even close, but it addresses one of them, or at least complicates things enough that simple default-login attacks from remote networks aren't going to work efficiently on the scale they do now on the types of devices we're talking about.

    4. Re: Consumer protection by cthulhu11 · · Score: 1

      I would think that most home devices like IP cams are unreachable behind NAT so I'm curious about the details.

  11. Why does everyone use such small TTLs now? by chipperdog · · Score: 1

    Why does everyone use such small DNS TTLs? Checking some of the domains (including twitter) that went down, their TTLs are all less than 200...are their networks so dynamic that 1800, 3600, 7200 wouldn't work? Would really minimize the effect of DNS outages...

    1. Re:Why does everyone use such small TTLs now? by Anonymous Coward · · Score: 0

      Because they are using dns changes to load balancing & geo-ip stuff.

    2. Re:Why does everyone use such small TTLs now? by Zaiff+Urgulbunger · · Score: 1

      Why does everyone use such small DNS TTLs? Checking some of the domains (including twitter) that went down, their TTLs are all less than 200...are their networks so dynamic that 1800, 3600, 7200 wouldn't work? Would really minimize the effect of DNS outages...

      Perhaps so they can better deal with DoS attacks on their services; if their web server is under DoS attack, they can simply switch to another IP, but with a high TTL, it would take longer for the new IP to take effect.

    3. Re: Why does everyone use such small TTLs now? by cthulhu11 · · Score: 1

      There's also being able to update the records and have clients use the new values sooner vs later, e.g. when infrastructure fails or to dynamically load balance. I suspect also that in 2016 we still have broken client libraries and caches that violate policies to save a few bytes. Both used to be troublesome.

  12. Re:Hillary is behind Dyn by Darinbob · · Score: 1

    I'd probably vote for him over Trump.

  13. List of Vulnerable IoT devices? by Anonymous Coward · · Score: 0

    Is there a reputable and updated list posted anywhere? I'd like to know if I happen to own something that has a decent chance of being taken over. I'd probably replace it, assuming I could not simply update the firmware.

    Right now the only IoT type devices I have connected are a Buffalo router (DD-WRT out of the box) and a Ooma telephone box. Of course there is also the cable modem, but that is leased.

    Perhaps we could add features to DD-WRT and similar that look at our usage patterns, and notify us when it sees a usage pattern that just seems odd.

    1. Re:List of Vulnerable IoT devices? by skids · · Score: 1

      Is there a reputable and updated list posted anywhere?

      Not that I have found. That would be too much work for not enough online ad exposures.

      Right now the only IoT type devices I have connected are a Buffalo router (DD-WRT out of the box)

      Not sure if Buffalo is good about not putting in backdoors. Check that busybox is over v1.20.0. If not see if you can upgrade (maybe to OpenWRT), or set "domain" and "hostname" to hardcoded values before they get used in udhcpc/default.script or whatever script udhcpc first runs... though that may be a bit paranoid if your ISP is good about not letting users see each other's DHCP traffic. (There are a couple other options also affected, but they are likely not used by DD-WRT)

      No clue on the Ooma.

      Perhaps we could add features to DD-WRT and similar that look at our usage patterns, and notify us when it sees a usage pattern that just seems odd.

      That's harder than it sounds... usage patterns depend a lot on server side code that can change anytime the vendor pleases, and cloud services are always moving around these days.

  14. Re:Hillary is behind Dyn by Anonymous Coward · · Score: 0

    That site is awesome! If just one of these conspiracy nuts learned about Wordpress and slapped together a reasonably presentable webpage they'd probably end up destroying whatever target they thought implanted chips in their brain or whatever.

    http://homepages.ihug.co.nz/~income/contents.html

    Here's another hilarious example of the kind of page I'm talking aboot:

    http://www.overunitybuilder.com/

  15. Gee, who could have seen this coming? by JustAnotherOldGuy · · Score: 2

    "Dan Drew, chief security officer at Level 3 Communications, says the attack is at least in part being mounted from a "botnet" of Internet-of-Things (IoT) devices."

    Gee, who could have seen this coming? Oh, that's right, lots of people, including me.

    The IoT (Internet of Terrors) is upon us. Buckle up, baby. It's going to be a bumpy ride and it's going to get worse before it gets better...if it ever does, that is.

    Personally I'm not holding out much hope- the damage is done. Millions and millions of craptastic insecure IoT gadgets are out there right now, happily botting away.

    Even if starting tomorrow every single new gadget sold was 100% secure, it's too late- the world's infrastructure is already infected with mountains of this consumer-grade garbage that will be around for a long, long time.

    --
    Just cruising through this digital world at 33 1/3 rpm...
    1. Re:Gee, who could have seen this coming? by Anonymous Coward · · Score: 0

      Don't worry, it'll get better: exactly once.

      When the majority of the Internet switches over to being IPv6 only, a lot of these IoT things are going to be left off the new IPv6 Internet because they don't support anything but IPv4. (And, no, IoT thing isn't a redundant acronym: read the parent comment.)

      It's that point when things will get better.

      Briefly.

      Until the next generation of IPv6 IoT devices become common and are never updated.

  16. DNS sucks by backslashdot · · Score: 0

    Why are we still using DNS? It's stupid. It's not secure. It's ugly. Quit bickering and settle on a secure alternative.

  17. Not that it matter, but . . . by Anonymous Coward · · Score: 0

    The Level 3 CSO is Dale, not Dan.

  18. Busybox by The+Cisco+Kid · · Score: 1

    is not "a pared-down version of the Linux operating system"

    It is often USED as PART of a pared-down Linux install, but is not itself a version of Linux.

    https://www.busybox.net/about....

    BusyBox combines tiny versions of many common UNIX utilities into a single small executable. It provides replacements for most of the utilities you usually find in GNU fileutils, shellutils, etc.

    1. Re:Busybox by gweihir · · Score: 1

      There is also the thing that it is entirely possible and easy to configure a Linux installation insecurely. You just have to be incompetent and ignore all advice. Many IoT profiteers apparently fit that description.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  19. Turtles all the way down by Hognoxious · · Score: 1

    Is your job to invent phony job postings?

    --
    Confucius say, "Find worm in apple - bad. Find half a worm - worse."
    1. Re:Turtles all the way down by Cederic · · Score: 1

      I found my current job via Indeed. They linked me through to the corporate recruitment site, I applied on there and the idiots actually employed me.

  20. Technically speaking by campuscodi · · Score: 1

Technically speaking, Mirai and Bashlight are the most widespread. So it's like launching an attribution dart at a board as large as a two-storey building.

  21. This is ridiculous. by pjv936 · · Score: 0

Implement a solution for the DDoS attacks that can filter out the requests as near to the device as possible. And figure out a way to disable or fix the device. And find a permanent solution to the problem, like banning devices from the internet if their software is not up to date.

  22. How would I know if my home router is infected? by goombah99 · · Score: 2

I have two routers. One's a Zyxel provided by the phone company and then I also have one of the russian make one (TP / Archer).

    How would I know if they are part of the botnet?

    --
    Some drink at the fountain of knowledge. Others just gargle.
    1. Re:How would I know if my home router is infected? by Anonymous Coward · · Score: 0

      Would it block government science sites? I was following attempts to contact and revive one of the STEREO spacecraft which went into a spin and lost contact during setup as it went behind the sun over a year ago. The images from the still functional twin spacecraft are on the same site.
PINGs show 100% packet loss. Unable to get through for about a week... Other NASA sites are working although some had nasty iPerceptions stalking code which gives a black page when JS is disabled.

      https://stereodata.nascom.nasa...

    2. Re:How would I know if my home router is infected? by doccus · · Score: 2

I have two routers. One's a Zyxel provided by the phone company and then I also have one of the russian make one (TP / Archer).

      How would I know if they are part of the botnet?

Pretty simple. If they still have their default passwords they're almost surely part of it. Just change the password to a good strong one, and you should instantly be off the botnet. At least that seems to me the right approach.
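A router-side answer to goombah99's question, added here as an example (not from the article, Slashdot or the Mirai source): Mirai's published scanner spreads over telnet, sending SYNs to TCP/23 with every tenth probe to TCP/2323, so a LAN host that opens connections to many distinct hosts on those ports within a minute is a strong infection signal regardless of what the device is. The code parses netfilter LOG lines (the shape an iptables `LOG` rule writes to the kernel log on DD-WRT, OpenWrt and similar firmware) and flags hosts that exceed a distinct-destination threshold in a sliding window. The log lines are constructed for the demo; addresses, timestamps and the rule prefix `FW-OUT` are made up.

```python
"""
Flag LAN hosts that behave like a Mirai telnet scanner, from netfilter LOG lines.
Signal: many SYNs to TCP/23 or TCP/2323 against distinct destinations in a short window.
Added example; the log lines are constructed, not captured from a real router.
"""
import re
from collections import defaultdict

SCAN_PORTS = {23, 2323}   # telnet ports the published Mirai scanner targets

LOG_RE = re.compile(
    r"^\w{3}\s+\d+\s+(?P<hms>\d\d:\d\d:\d\d)\s+\S+\s+kernel:.*?"
    r"SRC=(?P<src>\S+)\s+DST=(?P<dst>\S+)\s+.*?"
    r"PROTO=(?P<proto>\S+)\s+SPT=\d+\s+DPT=(?P<dpt>\d+)"
)


def parse_line(line):
    """Return the fields the detector needs, or None if this is not a netfilter LOG line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    h, mi, s = (int(x) for x in m["hms"].split(":"))
    return {
        "t": h * 3600 + mi * 60 + s,   # seconds since midnight; the sample stays within one day
        "src": m["src"],
        "dst": m["dst"],
        "proto": m["proto"],
        "dpt": int(m["dpt"]),
        "syn": re.search(r"\bSYN\b", line) is not None,   # a connection attempt, not an established flow
    }


def find_telnet_scanners(lines, threshold=20, window_s=60):
    """Map LAN source -> most distinct telnet targets it hit inside any window_s-second window."""
    attempts = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if not ev or ev["proto"] != "TCP" or ev["dpt"] not in SCAN_PORTS or not ev["syn"]:
            continue
        attempts[ev["src"]].append((ev["t"], ev["dst"]))
    flagged = {}
    for src, events in attempts.items():
        events.sort()
        lo = 0
        for hi in range(len(events)):
            while events[hi][0] - events[lo][0] > window_s:   # slide the window's left edge
                lo += 1
            distinct = len({dst for _, dst in events[lo:hi + 1]})
            if distinct >= threshold:
                flagged[src] = max(flagged.get(src, 0), distinct)
    return flagged


def netfilter_line(hms, src, dst, dpt, flags="SYN"):
    # Field layout follows the netfilter LOG target; every value here is made up.
    return (f"Oct 21 {hms} router kernel: [  842.112233] FW-OUT: IN=br0 OUT=eth0 "
            f"SRC={src} DST={dst} LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF "
            f"PROTO=TCP SPT=51000 DPT={dpt} WINDOW=29200 RES=0x00 {flags} URGP=0")


def sample_log():
    lines = []
    # Laptop: one telnet session to a NAS on the LAN (SYN, then an ACK-only packet) and some HTTPS.
    lines.append(netfilter_line("14:02:01", "192.168.1.10", "192.168.1.50", 23))
    lines.append(netfilter_line("14:02:03", "192.168.1.10", "192.168.1.50", 23, "ACK"))
    for i in range(5):
        lines.append(netfilter_line(f"14:02:{10 + i:02d}", "192.168.1.10", f"198.51.100.{i}", 443))
    # IP camera sweeping the internet: SYNs to 23 (every tenth to 2323) against 30 hosts in 30 s.
    for i in range(30):
        lines.append(netfilter_line(f"14:05:{i:02d}", "192.168.1.23", f"203.0.113.{i + 1}",
                                    2323 if i % 10 == 0 else 23))
    lines.append("Oct 21 14:05:31 router dnsmasq[412]: query[A] www.example.com from 192.168.1.10")
    return lines


if __name__ == "__main__":
    for host, hits in find_telnet_scanners(sample_log()).items():
        print(f"{host}: {hits} distinct telnet targets in under a minute -> likely scanning")
```

The laptop's single telnet session never comes close to the threshold, while the camera is flagged with 30 distinct targets. The check only sees the propagation phase; the DNS flood itself would show up as a burst of outbound UDP/53 from the same host, and skids's caveat above still applies to any attempt to baseline the device's normal cloud traffic.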

  23. Who uses DYN for their DNS? by goombah99 · · Score: 1

What I don't understand is how this is affecting things. Most people and small businesses just use the DNS that their service provider offers. I.e. Comcast. Another tranche of people change it to something like Google's 8.8.8.8. Large businesses may implement their own DNS.

    So how is it DYN matters? Who uses it?

    --
    Some drink at the fountain of knowledge. Others just gargle.
    1. Re:Who uses DYN for their DNS? by ShaunC · · Score: 2

      Dyn comes in on the other side of the equation. You use your ISP DNS server (or Google's 8.8.8.8, etc.) to look up addresses. But the people running the servers have to publish those addresses somewhere in the first place, and to do so, some of them use a service like Dyn.

      To use a simplified phone analogy, Dyn publishes a phone book and your DNS server is 411. If you call 411 and the operator can't find the right phone book, they can't give you the number you want.

      --
      Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
    2. Re:Who uses DYN for their DNS? by goombah99 · · Score: 1

      thanks

      --
      Some drink at the fountain of knowledge. Others just gargle.
  24. This is where we *really* need the 'grayhats' by Anonymous Coward · · Score: 0

There have been many debates on slashdot over the years about whether it's a good thing for 'grayhats' to take over and patch/disable compromised PCs which are part of a botnet. Generally the consensus seemed to be it was probably not a good idea. But with the IoT botnets, we're in a whole different situation. It's quite likely that nearly all of them will be not only unpatched but will never even be patchable, and their sheer numbers are getting overwhelming. If they're starting to effectively bring down large sections of the internet and there's no other realistic solution, it's really time for a 'search and destroy/disable' action against them.

  25. Your ISP queries the Dyn by raymorris · · Score: 3, Informative

    Your ISP's name servers don't have the records for each name. Instead, it goes like this:

    Your computer asks your ISP for the IP of mail.yahoo.com
    Your ISP asks the root servers "which DNS servers know about .com names?" The root server says "ask dns.root.com, aka 1.2.3.4." The ISP asks dns.root.com "which DNS servers know about yahoo.com?" Foo.root.com replies "four.dyndns.org knows about yahoo.com names."
    The ISP asks four.dyndns.org "what's the IP for mail.yahoo.com?"
    four.dyndns.org has the record for mail.yahoo.com and sends it back to your ISP.
    The ISP sends it to you.
    The ISP caches the answer for a few minutes, in case your neighbor wants to access mail.yahoo.com too.
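raymorris's walk above and chipperdog's TTL question (comment 11) are modelled together in this added example, which is not from the article or any commenter: a toy recursive resolver iterates root -> .com -> the zone's DNS provider (the Dyn role) and caches the answer for its TTL; the provider is then taken offline at t=600 s so the cache can be probed over time. Server names, the record and the timings are constructed; glue records, NS record sets and TTLs on the referrals themselves are left out. The `serve_stale` switch is an extra what-if (the behaviour later standardised in RFC 8767), included to show the resolver-side alternative to long TTLs.

```python
"""
Iterative resolution chain (root -> TLD -> zone's authoritative) with a TTL cache,
then an outage of the authoritative to show what TTL buys you. Added example;
every server and record here is constructed.
"""


class Nameserver:
    """Toy authoritative server: answers its own records, refers anything it delegates."""

    def __init__(self, name, records=None, delegations=None):
        self.name = name
        self.records = records or {}           # qname -> (ip, ttl_seconds)
        self.delegations = delegations or {}   # zone -> Nameserver that serves it
        self.up = True

    def query(self, qname):
        if not self.up:
            raise TimeoutError(f"{self.name} unreachable")
        if qname in self.records:
            return "ANSWER", self.records[qname]
        for zone, child in self.delegations.items():
            if qname == zone or qname.endswith("." + zone):
                return "REFERRAL", child
        return "NXDOMAIN", None


class RecursiveResolver:
    """What the ISP (or 8.8.8.8) runs: iterates from the root and caches answers by TTL."""

    def __init__(self, root, serve_stale=False):
        self.root = root
        self.cache = {}                 # qname -> (ip, expires_at)
        self.serve_stale = serve_stale  # hand out an expired record if the authoritative is unreachable
        self.last_path = []             # servers consulted on the last cache miss

    def resolve(self, qname, now):
        hit = self.cache.get(qname)
        if hit and hit[1] > now:
            return "CACHE", hit[0]
        self.last_path = []
        server = self.root
        try:
            while True:
                self.last_path.append(server.name)
                kind, payload = server.query(qname)
                if kind == "REFERRAL":
                    server = payload              # follow the delegation one level down
                elif kind == "ANSWER":
                    ip, ttl = payload
                    self.cache[qname] = (ip, now + ttl)
                    return "FRESH", ip
                else:
                    return "NXDOMAIN", None
        except TimeoutError:
            if self.serve_stale and hit:
                return "STALE", hit[0]
            return "SERVFAIL", None


def build_tree(ttl):
    # Constructed stand-ins for the root, a .com server and the zone's DNS provider.
    authoritative = Nameserver("ns1.dns-provider.example",
                               records={"mail.example.com": ("192.0.2.25", ttl)})
    tld = Nameserver("a.gtld-servers.example", delegations={"example.com": authoritative})
    root = Nameserver("root", delegations={"com": tld})
    return root, tld, authoritative


def outage_timeline(ttl, outage_start=600, probes=(0, 300, 900, 1800, 3900), serve_stale=False):
    """Resolve mail.example.com at each probe time; the authoritative goes dark at outage_start."""
    root, _, authoritative = build_tree(ttl)
    resolver = RecursiveResolver(root, serve_stale=serve_stale)
    timeline = []
    for t in probes:
        authoritative.up = t < outage_start
        kind, _ = resolver.resolve("mail.example.com", t)
        timeline.append((t, kind))
    return timeline


if __name__ == "__main__":
    for ttl in (60, 3600):
        print(f"TTL {ttl:>4}:", outage_timeline(ttl))
    print("TTL 60, serve-stale:", outage_timeline(60, serve_stale=True))
```

With a 60-second TTL the resolver is back at the provider within a minute of the outage starting and every later lookup fails; with 3600 seconds the cached answer carries users through the first hour, after which the result is the same. That is the trade-off the replies describe: short TTLs make failover and DNS-based load balancing fast, long TTLs make a provider outage invisible for longer. Serving stale records covers the gap without giving up short TTLs, but only for names some client asked about before the outage.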

  26. Ps many DNS lookups for ads, script slow loading by raymorris · · Score: 2

    If this seems convoluted and slow, it is. In fact, doing DNS lookups for all the ads, javascript, and crap on a web page is a major proportion of the total load time. It's not that loading of the ad banner itself is slow, it's doing the (very indirect) DNS lookups for the domain that counts ad impressions, another domain with Javascript that loads the ad, another domain where the actual ad image is, etc. Plus the site logo is on a CDN domain, the html on the home domain, some other part of the page on images.foo.com, etc. Your browser can easily look up 20 or 30 different names to load just one page.