All the companies and the personnel that work in the field of DDoS protection services are well versed with the Mirai Malware. Mirai is a malware that attacks the IOT(Internet of Things) devices such as printers, cameras etc. and uses them as bots for a large scale DDoS attack.
How is Mirai DDoS attack different?
There are about 7-9 billion IoT devices in the world. These devices can be infested with the Mirai malware and converted into Mirai botnets. Mirai IOT botnets attack the targeted host at a much larger scale. The originator of these attacks uses a two-step process for instilling the software in IoT devices and them using them for a concentrated attack.
Firstly, the attackers scan for the devices that can be used as a bot in the event of an attack. In the earliest stages, the attacker scanned for Linux devices with default administrative password. But it is believed that now the Windows devices can be used as bots as well. Once the devices are identified, the attacker loads the Mirai malware into these devices.
In the event of an attack, the attacker sends the command from their source server. This command is relayed to the thousands of bots created earlier. All these bots attack simultaneously on a single target rendering it helpless.
Mirai targeted Devices
The Mirai DDoS bots are installed on the Internet Of Things devices. The devices such as printers, DVR, scanners etc. that can be connected to a network are converted into bots and used to launch an attack. This is the main reason why the Mirai DDoS attacks are launched on a large scale. In the past, these DDoS attacks went up to a scale of 600k.
Mirai Targeted Locations
The Mirai attackers targeted devices in the Asia Pacific region. Another prominent region that the attackers chose to stretch their range was South America. These regions constituted 50 percent of the devices infected by Mirai.
History of Mirai
The Mirai virus came into limelight in October of 2016 with its first massive scale attack. It targeted high profile websites such as Netflix, PayPal and GitHub. The Mirai attack started by scanning the devices with telnet ports and a default administrative password. The attackers could easily identify these devices and convert them into bots. Gradually, the attackers expanded their range by scanning new ports. They also started identifying new protocols to expand the range of devices they could infect.
In a month, the Mirai DDoS attacks reached a peak of whooping 600k. however, its stable state was between 200-300k.
The popular attack on KerbsON security was at a rate of 600 Gbps. Another massive attack on DYN was very popular as it took down sites such as Spotify, PayPal and GitHub.
In the Future
As per speculation, the Mirai attackers are planning a concentrated attack of over 100k bots by infecting new IoT devices. About One and a half years ago, the source code of the Mirai was made available so that even the most layman of computer programmers could launch an attack on their own. This has made most of the IoT devices across the world susceptible to Mirai malware.
In the earlier cases, it was observed that the attackers scanned for devices particularly with default administrative passwords such as routers and printers. However, it is suspected that the new source code for Mirai will contain a combination of more than 60k usernames and password in the future. The new Mirai malware contains a few minor alterations such that the attacks could be carried out more effectively.
However, the numbers are just an estimate of what could possibly the largest concentrated DDoS attack ever. The thing to worry is that the target of these attacks can never be predicted unless the attackers ask for a ransom.
Hence, if you are into DDoS security and hosting services, it would be wise to be careful and keep an effective monitoring of your servers.