How Do You Solve a Problem Like Mirai?

In a previous post I talked about the motivations for DDoS: political acts, extortion, revenge, all the typical ones.

That doesn’t really account for the Mirai DDoS attacks. The first, on September 19, 2016, was motivated by gaming: the attacker went after OVH, a hosting company whose customers included a DDoS-protection service for Minecraft servers. Then there was an even bigger one on October 21, 2016, against the DNS provider Dyn. According to the FBI, that one was also motivated by Minecraft.

Let’s take a step back and look at the Mirai botnet itself. It was built from IoT devices, the first widely reported large-scale attack launched from them. The botnet was assembled by taking advantage of default passwords, telnet, and other vulnerabilities, but I’m going to concentrate on the first two.

I’m concentrating on those two factors because they are issues we have known about for years. There are 147 CVEs that mention default passwords, going back to 1999, and only that far because 1999 is when CVE records begin. Telnet has had a secure replacement, SSH, since 1995, so we shouldn’t still be relying on it.

And yet IoT devices still use both of these insecure methods, which allowed Mirai to cause havoc at least twice. We learned to use SSH and other secure access methods on computers attached to the Internet, but it appears we didn’t learn the same lesson with IoT.
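As an added example (not part of the original post), here is a small detector for the recruitment behaviour described above. Mirai’s scanner probes TCP/23 and TCP/2323 on random addresses and then tries a short hardcoded list of default credentials, so a host that opens telnet connections to many distinct destinations within a short window is a strong signal that a device on your network has been recruited. The log format, addresses, timestamps and thresholds below are constructed for the example, not taken from any real capture.

```python
"""Flag Mirai-style telnet scanners in a simple connection log.

Each log line is "timestamp src dst dport proto" (a constructed format for
this example). A source is flagged when it reaches at least `min_targets`
distinct destinations on TCP/23 or TCP/2323 inside any `window_seconds`
window, which is what an infected device doing Mirai's scanning looks like
from the inside of a network.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import NamedTuple, Optional

TELNET_PORTS = {23, 2323}  # the two ports Mirai's scanner probes


class Conn(NamedTuple):
    ts: datetime
    src: str
    dst: str
    dport: int


# Constructed sample log (not real traffic). 192.0.2.10 sweeps six hosts on
# telnet ports in 12 seconds; .20 makes two telnet connections; .30 talks
# to many hosts but on 443; .40 touches six telnet hosts but two minutes apart.
SAMPLE_LOG = """\
2016-09-19T10:00:00 192.0.2.10 198.51.100.1 23 tcp
2016-09-19T10:00:02 192.0.2.10 198.51.100.2 23 tcp
2016-09-19T10:00:04 192.0.2.10 198.51.100.3 2323 tcp
2016-09-19T10:00:06 192.0.2.10 198.51.100.4 23 tcp
2016-09-19T10:00:08 192.0.2.10 198.51.100.5 23 tcp
2016-09-19T10:00:10 192.0.2.10 198.51.100.6 23 tcp
2016-09-19T10:00:12 192.0.2.10 198.51.100.1 23 tcp
2016-09-19T10:00:30 192.0.2.20 198.51.100.7 23 tcp
2016-09-19T10:00:31 192.0.2.20 198.51.100.8 23 tcp
2016-09-19T10:00:40 192.0.2.30 203.0.113.1 443 tcp
2016-09-19T10:00:41 192.0.2.30 203.0.113.2 443 tcp
2016-09-19T10:00:42 192.0.2.30 203.0.113.3 443 tcp
2016-09-19T10:00:43 192.0.2.30 203.0.113.4 443 tcp
2016-09-19T10:00:44 192.0.2.30 203.0.113.5 443 tcp
2016-09-19T10:00:45 192.0.2.30 203.0.113.6 443 tcp
2016-09-19T10:00:00 192.0.2.40 198.51.100.20 23 tcp
2016-09-19T10:02:00 192.0.2.40 198.51.100.21 23 tcp
2016-09-19T10:04:00 192.0.2.40 198.51.100.22 23 tcp
2016-09-19T10:06:00 192.0.2.40 198.51.100.23 23 tcp
2016-09-19T10:08:00 192.0.2.40 198.51.100.24 23 tcp
2016-09-19T10:10:00 192.0.2.40 198.51.100.25 23 tcp
this line is garbage and must be skipped
"""


def parse_line(line: str) -> Optional[Conn]:
    """Parse one log line; return None for malformed or non-TCP records."""
    parts = line.split()
    if len(parts) != 5 or parts[4] != "tcp":
        return None
    try:
        return Conn(datetime.fromisoformat(parts[0]), parts[1], parts[2], int(parts[3]))
    except ValueError:
        return None


def find_telnet_scanners(log_text: str, window_seconds: int = 60,
                         min_targets: int = 5) -> dict:
    """Return {src: peak distinct telnet targets} for sources over the threshold."""
    per_src = defaultdict(list)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec.dport not in TELNET_PORTS:
            continue
        per_src[rec.src].append((rec.ts, rec.dst))

    window = timedelta(seconds=window_seconds)
    flagged = {}
    for src, events in per_src.items():
        events.sort()
        in_window = Counter()  # dst -> connections currently inside the window
        start, peak = 0, 0
        for ts, dst in events:
            in_window[dst] += 1
            # Slide the window forward, dropping events older than `window`.
            while ts - events[start][0] > window:
                old_dst = events[start][1]
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
                start += 1
            peak = max(peak, len(in_window))
        if peak >= min_targets:
            flagged[src] = peak
    return flagged


if __name__ == "__main__":
    for src, n in find_telnet_scanners(SAMPLE_LOG).items():
        print(f"{src}: {n} distinct telnet targets within one window")
```

The sliding window matters: a device that legitimately administers a handful of telnet hosts over a day never accumulates many distinct targets in one minute, whereas Mirai’s scanner does so continuously. In practice you would feed this from NetFlow or firewall logs and pair a hit with a block on outbound 23/2323 and a check of the device’s credentials against the published Mirai list.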

This is a case where we really could have benefited from hindsight.

After the DDoS attacks, we fixed everything that caused them and now everything is fine, right?

Well, no, not so much. Mirai is still out there. Its variants have been updated to look for new vulnerabilities, and they still use default passwords and telnet. We still haven’t learned, and it’s still possible for IoT devices to be easily added to a botnet.

Studying the causes of this problem, as well as proposing potential solutions, would be a good topic for a Field Note in DTRAP. If this is in your field of expertise, or you’d like to propose a solution, write one.
