Mirai and Bashlight Join Forces Against DNS Provider Dyn

A second wave of attacks has hit dynamic domain name service provider Dyn, affecting a larger number of providers. As researchers and government officials race to figure out what is causing the outages, new details are emerging. Dan Drew, chief security officer at Level 3 Communications, says the attack is at least in part being mounted from a "botnet" of Internet-of-Things (IoT) devices. "We're seeing attacks coming from a number of different locations," Drew said. "An Internet of Things botnet called Mirai that we identified is also involved in the attack." Ars Technica reports: The botnet, made up of devices like home WiFi routers and internet protocol video cameras, is sending massive numbers of requests to Dyn's DNS service. Those requests look legitimate, so it's difficult for Dyn's systems to screen them out from normal domain name lookup requests. Earlier this month, the code for the Mirai botnet was released publicly. It may have been used in the massive DDoS attack against security reporter Brian Krebs. Mirai and another IoT botnet called Bashlight exploit a common vulnerability in BusyBox, a pared-down version of the Linux operating system used in embedded devices. Mirai and Bashlight have recently been responsible for attacks of massive scale, including the attacks on Krebs, which at one point reached a traffic volume of 620 gigabits per second. Matthew Prince, co-founder and CEO of the content delivery and DDoS protection service provider CloudFlare, said that the attack being used against Dyn is an increasingly common one. The attacks append random strings of text to the front of domain names, making them appear like new, legitimate requests for the addresses of systems with a domain. Caching the results to speed up responses is impossible. Prince told Ars: "They're tough attacks to stop because they often get channeled through recursive providers. They're not cacheable because of the random prefix. We started seeing random prefix attacks like these three years ago, and they remain a very common attack. If IoT devices are being used, that would explain the size and scale [and how the attack] would affect: someone the size of Dyn."

It's Mirai

[Wizy]

The name of the bot is Mirai.

Here is the source: https://github.com/jgamblin/Mirai-Source-Code

Random prefix workaround

[Angst+Badger]

There may very well be something I'm missing here, but I have a suggestion for how to deal with the random prefix attack.

Keep a running count of the number of requests for non-existent subdomains. Once they exceed a certain number in a short period of time, cease to respond to requests for subdomains that aren't already cached as valid.

Example: foo.com, www.foo.com, and mail.foo.com are cached. A flood of requests for (random chars).foo.com starts up. Once this exceeds 100 requests in a minute, all requests for foo.com subdomains are ignored except for foo.com, www.foo.com, and mail.foo.com.

This would still cut off access to infrequently-accessed subdomains, but subdomains with enough traffic to be in the cache would remain reachable.