At the end of October, the Mirai botnet was used to launch a massive DDoS attack against managed DNS infrastructure provider Dyn in the United States.
The attack resulted in multiple large websites going down in the States and South Africa, including Twitter, PayPal, and the Sony PlayStation Network.
Kyle York, Dyn’s Chief Strategy Officer, confirmed that the “sophisticated attacks” were across multiple attack vectors and Internet locations.
One source of the attack traffic was devices infected by the Mirai botnet.
“We observed tens of millions of discrete IP addresses associated with the Mirai botnet that were part of the attack,” said York.
The Mirai botnet
The Mirai botnet is essentially made up of tens of millions of unsecured Internet of Things devices, such as cameras, printers, and routers.
The Mirai malware is used to scan the Internet for IoT systems protected by factory default usernames and passwords – which can then be exploited and made part of the botnet.
The devices are then used to attack a target.
An attack on Liberia
Following the attack on Dyn, ZDNet reported that a large DDoS attack through a Mirai botnet – known as Botnet 14 – was used to attack telecommunications providers in Liberia.
Multiple reports stated that the attack was an attempt to take the entire country offline, with some stating that the move was successful.
Security experts have subsequently stated the attack did not take Liberia offline, despite exceeding 500Gbps, but that Internet traffic was affected.
Krebs on Security said that although the country was not knocked offline, the Mirai botnet posed a threat to an entire country’s Internet connectivity.
The attack which would take down South Africa
Vernon Fryer, group chief technology security officer at Vodacom, previously stated that a DDoS attack of 200Gbps to 300Gbps aimed at certain targets in South Africa would be enough to wipe the country off the Internet.
Mirai-based attacks in recent weeks have been recorded at well over 600Gbps, while there have been reports that the attacks against Dyn were close to the 1Tbps mark.
MyBroadband spoke to Neotel, which is a key player in South Africa’s Internet landscape, and NAPAfrica, which hosts layer 2 Internet exchange points within Teraco’s local data centres, about a possible Mirai attack.
There is a risk
Moya Rapholo, Information Security Product Management at Neotel, said there is always a risk a country could come under attack from botnets like Mirai.
“South Africa is a developing country, so the bandwidth pipe sizes that we use relative to ‘world’ or ‘developed’ countries are much smaller and cyber criminals can take advantage of these limitations,” said Rapholo.
He said users still believed that “traditional” security controls such as firewalls were enough to stop DDoS attacks – but this was not the case.
“We are moving towards more proactive measures such as Security Operation Centre and Security Information and Event Management which can significantly minimise the risks.”
Rapholo said companies must not view information security as an afterthought and Internet services should be bundled with some form of security.
Andrew Owens, Product Development Manager at Teraco, said from a NAPAfrica perspective, the primary risk would be if the exchange fabric were to be targeted.
“The peering ranges we use are not supposed to be exported to the global table, and even if someone were to accidentally leak the prefixes, any attack would affect that particular member’s network only,” said Owens.
“As an IX, our primary function is switching packets. We do use a system that will alert members of security risks, but we cannot scrub the traffic. That is a service that our members and clients offer.”
“The other consideration would be if the source and destination of the attack were both peered at the exchange.”
“Technically, it may be possible to cause congestion on member ports at the exchange, but the initiator of the attack would have to make sure that infected PCs are all on networks that are peered at the exchange. Currently, NAPAfrica has ‘connected’ capacity of 1.6Tbps.”
Owens said it is difficult to determine a number, in terms of size, which would take the country offline – given that “an attacker would need to find a target that would affect all of the capacity on all of the cables coming into the country”.
The best defence against a distributed attack is a distributed defence, he said.
Dominic White, CTO at SensePost, said for an attack to take down the entire country, three resilient aspects of South Africa’s Internet landscape would need to be overwhelmed.
“We have multiple connections coming into the country. Taking all of them down would be hard,” he said, referencing the ACE, SAT3, WACS, SEACOM, and EASSy cables, along with wireless links.
He added that many of the big operators have “smart people and DoS contingency plans and can move quickly to mitigate a possible attack”.
“Additionally, many South African companies have the same and can continue to operate.”
White also said many “South African” Internet properties aren’t hosted in South Africa, but are hosted in international data centres.
“That said, with enough devices, some careful planning, and quick reactions to changes defenders put in place, a DDoS can always take down something.”