Mirai and Bashlight Join Forces Against DNS Provider Dyn (arstechnica.com)

A second wave of attacks has hit DNS provider Dyn, affecting a larger number of providers. As researchers and government officials race to figure out what is causing the outages, new details are emerging. Dan Drew, chief security officer at Level 3 Communications, says the attack is at least in part being mounted from a "botnet" of Internet-of-Things (IoT) devices. "We're seeing attacks coming from a number of different locations," Drew said. "An Internet of Things botnet called Mirai that we identified is also involved in the attack." Ars Technica reports: The botnet, made up of devices like home WiFi routers and internet protocol video cameras, is sending massive numbers of requests to Dyn's DNS service. Those requests look legitimate, so it's difficult for Dyn's systems to screen them out from normal domain name lookup requests. Earlier this month, the code for the Mirai botnet was released publicly. It may have been used in the massive DDoS attack against security reporter Brian Krebs. Mirai and another IoT botnet called Bashlight (also known as Bashlite) prey on the same weakness in embedded devices that ship BusyBox, a single small executable bundling stripped-down versions of common Unix utilities that is widely used in embedded Linux firmware (it is not itself a version of Linux): default or hard-coded Telnet logins, which the bots guess from a short built-in list. Mirai and Bashlight have recently been responsible for attacks of massive scale, including the attacks on Krebs, which at one point reached a traffic volume of 620 gigabits per second. Matthew Prince, co-founder and CEO of the content delivery and DDoS protection service provider CloudFlare, said that the attack being used against Dyn is an increasingly common one. The attacks prepend a random string to the target's domain name on every query, so each query looks like a new, legitimate request for a name in that domain. Because no two query names match, recursive resolvers cannot answer from cache, and every query is forwarded to Dyn's authoritative servers. Prince told Ars: "They're tough attacks to stop because they often get channeled through recursive providers. They're not cacheable because of the random prefix. We started seeing random prefix attacks like these three years ago, and they remain a very common attack. If IoT devices are being used, that would explain the size and scale [and how the attack] would affect someone the size of Dyn."
  • by Anonymous Coward

    So which is it?

    • Re: (Score:1, Insightful)

      by Anonymous Coward

      Mirai, editors can eat shit

  • It's Mirai (Score:5, Informative)

    by Wizy ( 38347 ) <greggatghc&gmail,com> on Friday October 21, 2016 @07:28PM (#53127129) Journal

    The name of the bot is Mirai.

    Here is the source: https://github.com/jgamblin/Mirai-Source-Code [github.com]

    • I have two routers. One's a Zytel provided by the phone company, and then I also have one of the Russian-make ones (TP / Archer).

      How would I know if they are part of the botnet?

      • by doccus ( 2020662 )

        I have two routers. One's a Zytel provided by the phone company, and then I also have one of the Russian-make ones (TP / Archer).

        How would I know if they are part of the botnet?

        Pretty simple. If they still have their default passwords they're almost surely part of it. Just change the password to a good strong one, and you should instantly be off the botnet. At least that seems to me the right approach.

    • What I don't understand is how this is affecting things. Most people and small businesses just use the DNS that their service provider offers, i.e. Comcast. Another tranche of people change it to something like Google's 8.8.8.8. Large businesses may implement their own DNS.

      So how is it DYN matters? Who uses it?

      • by raymorris ( 2726007 ) on Saturday October 22, 2016 @11:57AM (#53130325) Journal

        Your ISP's name servers don't have the records for each name. Instead, it goes like this:

        Your computer asks your ISP for the IP of mail.yahoo.com
        Your ISP asks the root servers "which DNS servers know about .com names?" The root server says "ask dns.root.com, aka 1.2.3.4." The ISP asks dns.root.com "which DNS servers know about yahoo.com?" Foo.root.com replies "four.dyndns.org knows about yahoo.com names."
        The ISP asks four.dyndns.org "what's the IP for mail.yahoo.com?"
        four.dyndns.org has the record for mail.yahoo.com and sends it back to your ISP.
        The ISP sends it to you.
        The ISP caches the answer for a few minutes, in case your neighbor wants to access mail.yahoo.com too.

        • If this seems convoluted and slow, it is. In fact, doing DNS lookups for all the ads, javascript, and crap on a web page is a major proportion of the total load time. It's not that loading of the ad banner itself is slow, it's doing the (very indirect) DNS lookups for the domain that counts ad impressions, another domain with Javascript that loads the ad, another domain where the actual ad image is, etc. Plus the site logo is on a CDN domain, the html on the home domain, some other part of the page on ima

      • by ShaunC ( 203807 )

        Dyn comes in on the other side of the equation. You use your ISP DNS server (or Google's 8.8.8.8, etc.) to look up addresses. But the people running the servers have to publish those addresses somewhere in the first place, and to do so, some of them use a service like Dyn.

        To use a simplified phone analogy, Dyn publishes a phone book and your DNS server is 411. If you call 411 and the operator can't find the right phone book, they can't give you the number you want.

  • If you take down critical infrastructure, you should expect law enforcement to shoot to kill.

  • by Angst Badger ( 8636 ) on Friday October 21, 2016 @08:34PM (#53127451)

    There may very well be something I'm missing here, but I have a suggestion for how to deal with the random prefix attack.

    Keep a running count of the number of requests for non-existent subdomains. Once they exceed a certain number in a short period of time, cease to respond to requests for subdomains that aren't already cached as valid.

    Example: foo.com, www.foo.com, and mail.foo.com are cached. A flood of requests for (random chars).foo.com starts up. Once this exceeds 100 requests in a minute, all requests for foo.com subdomains are ignored except for foo.com, www.foo.com, and mail.foo.com.

    This would still cut off access to infrequently-accessed subdomains, but subdomains with enough traffic to be in the cache would remain reachable.

    • Problem is the same system could be use to mount a.... [D]DoS attack on services that depend on sub-domains. E.g. if "example.com" has a business where each customer has their own sub-domain, then all a hacker needs to do to deny-service to example.com is make multiple failed DNS requests.

      Not that your idea isn't a bad one though... it *may* help Dyn themselves mitigate the attack somewhat by giving dodgy-looking requests a lower priority. But it doesn't really solve it.

      My best idea is actively hunting v
    • by davecb ( 6526 )
      Also apply negative caching, with a timeout so that when I register OrvilleTorpid.org it eventually propagates.
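
The NXDOMAIN threshold proposed above, the collateral-damage objection to it, and negative caching with a timeout, worked through as an added example (editor's illustration, not Dyn's code or any commenter's): a toy per-zone guard in front of authoritative data. The zone `foo.com`, its records, the 100-per-minute threshold and the 60-second negative TTL are assumptions chosen to match the numbers used in the thread; the "new registration" name is adapted from the comment above.

```python
"""Toy per-zone NXDOMAIN guard with negative caching.

Added example of the two mitigations proposed in the thread (rate-limiting lookups
of unknown subdomains, and negative caching with a timeout); it is not Dyn's code.
Zone contents, the 100-per-minute threshold and the 60 s negative TTL are assumptions.
"""
from collections import deque

NX_LIMIT = 100      # NXDOMAIN answers per zone per WINDOW before the guard trips (assumed)
WINDOW = 60         # seconds (assumed)
NEG_TTL = 60        # how long an NXDOMAIN is remembered, seconds (assumed)


class GuardedZone:
    """Authoritative front end for one zone. Names already answered successfully are
    always served; once too many NXDOMAINs pile up within WINDOW, lookups of any other
    name are dropped; NXDOMAINs are negative-cached for NEG_TTL."""

    def __init__(self, zone, records):
        self.zone = zone
        self.records = dict(records)   # name -> address (the authoritative data)
        self.hot = set()               # names answered OK recently ("cached as valid")
        self.nx_times = deque()        # timestamps of recent NXDOMAIN answers
        self.neg_cache = {}            # name -> expiry of a remembered NXDOMAIN
        self.now = 0                   # simulated clock, seconds
        self.stats = {"NOERROR": 0, "NXDOMAIN": 0, "DROPPED": 0, "NEGCACHE": 0}

    def tick(self, seconds):
        self.now += seconds

    def add_record(self, name, address):
        """Register a new name. A negative-cache entry made earlier still hides it
        until that entry times out, which is why the negative TTL must be bounded."""
        self.records[name] = address

    def _flooded(self):
        while self.nx_times and self.nx_times[0] <= self.now - WINDOW:
            self.nx_times.popleft()        # forget NXDOMAINs older than WINDOW
        return len(self.nx_times) >= NX_LIMIT

    def query(self, name):
        if name in self.hot:                                # known-good: always answer
            self.stats["NOERROR"] += 1
            return "NOERROR", self.records[name]
        expiry = self.neg_cache.get(name)
        if expiry is not None and expiry > self.now:        # remembered NXDOMAIN
            self.stats["NEGCACHE"] += 1
            return "NXDOMAIN", None
        if self._flooded():                                 # guard tripped: drop cold names
            self.stats["DROPPED"] += 1
            return "DROPPED", None
        address = self.records.get(name)
        if address is not None:
            self.hot.add(name)
            self.stats["NOERROR"] += 1
            return "NOERROR", address
        self.nx_times.append(self.now)                      # count the miss
        self.neg_cache[name] = self.now + NEG_TTL
        self.stats["NXDOMAIN"] += 1
        return "NXDOMAIN", None


def run_scenario():
    """Walk through the thread's example: foo.com with three hot names, a random-prefix
    flood, a legitimate but cold customer subdomain, and a newly registered name."""
    z = GuardedZone("foo.com", {
        "foo.com": "192.0.2.1", "www.foo.com": "192.0.2.2",
        "mail.foo.com": "192.0.2.3", "customer42.foo.com": "192.0.2.42",
    })
    out = {}
    for name in ("foo.com", "www.foo.com", "mail.foo.com"):
        z.query(name)                                       # these become hot
    for i in range(150):                                    # flood within one minute
        z.query(f"rnd{i:04d}.foo.com")                      # stands in for random labels
    out["dropped_during_flood"] = z.stats["DROPPED"]        # first 100 got NXDOMAIN, rest dropped
    out["www_during_flood"] = z.query("www.foo.com")[0]     # hot name still served
    out["customer_during_flood"] = z.query("customer42.foo.com")[0]  # real but cold: collateral damage
    z.tick(WINDOW + 1)                                      # flood window expires
    out["customer_after_window"] = z.query("customer42.foo.com")[0]
    out["new_name_before_register"] = z.query("orvilletorpid.foo.com")[0]
    z.add_record("orvilletorpid.foo.com", "192.0.2.99")     # registered after the miss
    out["new_name_just_after_register"] = z.query("orvilletorpid.foo.com")[0]  # negative cache still answers
    z.tick(NEG_TTL + 1)                                     # negative entry times out
    out["new_name_after_neg_ttl"] = z.query("orvilletorpid.foo.com")[0]
    out["negative_cache_hits"] = z.stats["NEGCACHE"]
    return out


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key:32} {value}")
```

The scenario shows both halves of the argument: the hot names stay reachable through the flood, but `customer42.foo.com`, a perfectly valid name that simply had not been asked for recently, is dropped until the window clears, which is exactly the per-customer-subdomain objection raised above. The negative cache makes repeat misses cheap, and the bounded TTL is what lets a name registered after a miss start resolving once the entry expires.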
  • Why does everyone use such small DNS TTLs? Checking some of the domains (including twitter) that went down, their TTLs are all less than 200...are their networks so dynamic that 1800, 3600, 7200 wouldn't work? Would really minimize the effect of DNS outages...
    • Why does everyone use such small DNS TTLs? Checking some of the domains (including twitter) that went down, their TTLs are all less than 200...are their networks so dynamic that 1800, 3600, 7200 wouldn't work? Would really minimize the effect of DNS outages...

      Perhaps so they can better deal with DoS attacks on their services; if their web server is under DoS attack, they can simply switch to another IP, but with a high TTL, it would take longer for the new IP to take effect.

      • There's also being able to update the records and have clients use the new values sooner vs later, e.g. when infrastructure fails or to dynamically load balance. I suspect also that in 2016 we still have broken client libraries and caches that violate policies to save a few bytes. Both used to be troublesome.
  • by JustAnotherOldGuy ( 4145623 ) on Friday October 21, 2016 @10:20PM (#53128023)

    "Dan Drew, chief security officer at Level 3 Communications, says the attack is at least in part being mounted from a "botnet" of Internet-of-Things (IoT) devices."

    Gee, who could have seen this coming? Oh, that's right, lots of people, including me.

    The IoT (Internet of Terrors) is upon us. Buckle up, baby. It's going to be a bumpy ride and it's going to get worse before it gets better...if it ever does, that is.

    Personally I'm not holding out much hope- the damage is done. Millions and millions of craptastic insecure IoT gadgets are out there right now, happily botting away.

    Even if starting tomorrow every single new gadget sold was 100% secure, it's too late- the world's infrastructure is already infected with mountains of this consumer-grade garbage that will be around for a long, long time.

  • Why are we still using DNS? It's stupid. It's not secure. It's ugly. Quit bickering and settle on a secure alternative.

  • BusyBox is not "a pared-down version of the Linux operating system"

    It is often USED as PART of a pared-down Linux install, but is not itself a version of Linux.

    https://www.busybox.net/about.... [busybox.net]

    BusyBox combines tiny versions of many common UNIX utilities into a single small executable. It provides replacements for most of the utilities you usually find in GNU fileutils, shellutils, etc.

    • by gweihir ( 88907 )

      There is also the thing that it is entirely possible and easy to configure a Linux installation insecurely. You just have to be incompetent and ignore all advice. Many IoT profiteers apparently fit that description.

  • Technically speaking, Mirai and Bashlight are the most widespread. So it's like launching an attribution dart at a board large as a two-storey building
