Industry Trends
As further details become available for the massive distributed denial of service attack against Dyn on Oct 21 2016, here are some things FortiDDoS customers can do to protect themselves from a potential Internet of Things (IoT) botnet-based DDoS attack like Mirai.
Mirai spreads by compromising vulnerable IoT devices such as DVRs. Many IoT manufacturers failed to secure these devices properly, and they don't include the memory and processing necessary to be updated. They are also usually not in control of the destination of their outbound traffic, so if that information is changed or compromised there is nothing they can do. As a result, the attack cannot be stopped at the egress point on the devices themselves. Instead, network segmentation is absolutely critical for protection against outbound attacks. The responsibility for protection from IoT-based DDoS attacks, however, lies at the ingress point of the attack.
(Read my other blog entry: https://blog.fortinet.com/2015/07/20/iot-and-cyberwars)
The Mirai malware responsible for this latest attack scans for telnet services reachable from the Internet and tries several sets of default credentials (factory-default username and password pairs). The most common targets were IP CCTV cameras, as many ship with known default credentials.
FortiDDoS is designed to identify and mitigate attacks like the one caused by the Mirai malware. To protect your organization from such inbound DDoS attacks, here is a list of mitigation techniques you can use with FortiDDoS:
| Attack Type | Attack Name | Attack Description | Mitigation |
| --- | --- | --- | --- |
| 0. | Straight up UDP flood | UDP flood | |
| | Valve Source Engine query flood | The Valve Source Engine flood is a UDP (amplification) attack used to consume the available resources of a server. The attack floods a gaming server with so many TSource Engine Query requests that it cannot process all of them, creating a denial of service against the gaming service. This type of attack is aimed specifically at the gaming market. It is a reflection attack in which the responses are larger than the requests. | |
| | DNS Water Torture | Queries for made-up subdomains of the target domain. Also known as a Slow Drip DNS attack. | |
| | SYN flood with options | | |
| | ACK flood | | |
| | ACK flood to bypass mitigation devices | | |
| | GRE IP flood | | |
| | GRE Ethernet flood | | |
| | Proxy knockback connection | Disabled in code | |
| | Plain UDP flood optimized for speed | Random UDP flood | |
| | HTTP layer 7 flood | HTTP floods | |
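The DNS Water Torture row above is the one attack in the table whose behavior is easy to spot in resolver logs: many queries for distinct, random-looking subdomains of one zone, nearly all answered NXDOMAIN. The following added example (not code from the post or from FortiDDoS) scores each zone on those three signals over a small constructed log; the log format, the "last two labels" zone heuristic and the thresholds are assumptions for the demonstration.

```python
import math
from collections import defaultdict

# Constructed sample resolver log, one query per line: "<client_ip> <qname> <rcode>".
# These lines are made up for the example; they are not real traffic.
SAMPLE_LOG = """\
10.0.0.5 www.example.com NOERROR
10.0.0.7 mail.example.com NOERROR
10.0.0.5 www.example.com NOERROR
198.51.100.2 x7qk2zm9.victim.example NXDOMAIN
198.51.100.9 b3mwq0tr.victim.example NXDOMAIN
198.51.100.4 pl8v2hx1.victim.example NXDOMAIN
203.0.113.6 q0d9ra5c.victim.example NXDOMAIN
203.0.113.8 zt4nk7yw.victim.example NXDOMAIN
198.51.100.2 e6hs1jbo.victim.example NXDOMAIN
"""

def zone_of(qname):
    # Assumption: the attacked zone is the last two labels (good enough for the demo;
    # a real deployment would use a public-suffix list).
    return ".".join(qname.lower().rstrip(".").split(".")[-2:])

def label_entropy(label):
    # Shannon entropy in bits per character: random labels score high, real hostnames low.
    n = len(label)
    if n == 0:
        return 0.0
    counts = {ch: label.count(ch) for ch in label}
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def water_torture_stats(log_text):
    # Per-zone counters: total queries, distinct leftmost labels, NXDOMAIN answers,
    # summed label entropy and the set of querying clients.
    stats = defaultdict(lambda: {"queries": 0, "labels": set(), "nxdomain": 0,
                                 "entropy": 0.0, "clients": set()})
    for line in log_text.splitlines():
        client, qname, rcode = line.split()
        z = stats[zone_of(qname)]
        first = qname.split(".")[0]
        z["queries"] += 1
        z["labels"].add(first)
        z["clients"].add(client)
        z["nxdomain"] += int(rcode == "NXDOMAIN")
        z["entropy"] += label_entropy(first)
    return stats

def flag_zones(log_text, min_queries=5, unique_ratio=0.8, nx_ratio=0.8, min_entropy=2.5):
    # A zone is flagged when almost every query uses a new, high-entropy label and fails.
    flagged = []
    for zone, z in water_torture_stats(log_text).items():
        if z["queries"] < min_queries:
            continue
        if (len(z["labels"]) / z["queries"] >= unique_ratio
                and z["nxdomain"] / z["queries"] >= nx_ratio
                and z["entropy"] / z["queries"] >= min_entropy):
            flagged.append(zone)
    return sorted(flagged)
```

On the sample log only `victim.example` is flagged; `example.com` has repeated, low-entropy names and too few queries to cross the threshold.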
While the above solutions are based on the information and sources available for the Mirai botnet, no one can prevent a hacker from modifying existing attack processes. The advantage provided by FortiDDoS is that it looks for behavioral anomalies and responds accordingly. You can therefore be confident that the mitigations outlined above will work regardless of the changes hackers make to these attacks.