Botnets are often used for DDoS attacks, which can disable the network services of victim system by consuming its bandwidth by (Jing, 2009). According to (Kaspersky Lab, 2017) report, Distributed Denial of Service attacks are on the rise, with over a third (33%) of organizations facing a DDoS attack in 2017, compared to just 17 percent in 2016. In fact, all the organization are at risk of experiencing DDoS attack because of the rapid growth in the cyber threat. Besides, the DDoS attack will more powerful if more connected devices in the botnets. Almost hundreds of millions or maybe there will be billions of Internet-connected devices in future can be perform in such attack. Not all of devices are protected good enough, so the devices are likely to be a part of some IoT botnets. This is more complicated because it firstly requires access to a large number of compromised systems, a botnet, which can be used as distributed sources, all controlled from one master attack workstation. The figure below describes DDoS model by Robert and Eric, 2017.
Figure 2.4 DDoS Model (Robert and Eric, 2017)
Cybercriminals are increasingly using DDoS attacks as a way to gain access to valuable and lucrative corporate data, and not just to cripple a victim’s services. According to Alenezi (2016), criminals used a DDoS attack to disrupt the work of more than 80 major Internet services, including Twitter, Amazon, PayPal, and Netflix. (Based on Kaspersky Lab, 2015) report, the cost of such an incident is between $52,000 and $444,000, as a result of the inability to carry out core business, loss of contracts and opportunities, credit rating impact, and insurance premium increases.
Figure 2.5 Largest DDoS attacks for each year (Alenezi, 2016)
Based on (Kaspersky Lab, 2017) report, the share of SYN DDoS attacks decreased (from 60.43% to 55.63%) due to less activity by the Linux-based Xor DDoS botnet. These attacks still rank first, however the percentage of ICMP attacks (3.37%), still the least common, also fell. The relative frequency of other types of attacks increased, but whereas in the previous quarter TCP attacks ranked second after SYN, UDP overshadowed both these types, rising from second-to-last to second-from-top (in Q4 UDP DDoS accounted for 15.24% of all attacks). Botnets are capable of launching a number of attacks, like Distributed Denial of Service attacks (DDoS), Keylogging, Phishing and Spamming, Identity theft and even other Bot proliferation.
Figure 2.6 DDoS attacks by type in year 2017 (Kaspersky Lab, 2017)
Based on trusted website (Riorey, 2006), DDoS attacks can be distinguished in Network Layer and Application Layer. In Network layer attacks which is layer 3 are almost always DDoS assaults set up to clog the “pipelines” connecting the network, while in Application layer attacks which is layer 7 can be either DoS or DDoS threats that seek to overload a server by sending a large number of requests requiring resource-intensive handling and processing. This includes all approaches that target vulnerabilities or weaknesses in the network and transport layer of the OSI model. The protocols most often attacked are TCP, UDP or ICMP, as they support the Internet. This category is normally used in DDoS attacks because it can be directed against systems connected to the Internet. The examples of TCP attacks are SYN Flood, SYN-ACK Flood, Fragmented ACK, RST or FIN Flood, Synonymous IP, Fake Session, Session Attack and also Misused Application. Next, the TCP Http attack types are Http Fragmentation, Excessive VERB, Excessive VERB Single Session, Multiple VERB Single Request, Recursive GET, Random Recursive GET and Faulty Application. Moreover, the UDP attack types are UDP Flood, Fragmentation, DNS Flood, VoIP Flood, Media Data Flood and Non-Spoofed UDP Flood. The example of ICMP attack types are ICMP Flood, Fragmentation and also Ping Flood.
Figure 2.7 Classification in Network Layer (Riorey, 2006)
(iii) Characteristics of Botnets to Arrange DDoS Attacks
According to Kishore (2017), there are a few characteristics of IoT botnets used to arrange the DDoS attacks. Firstly, most of the IoT malwares are Linux based malwares. The majority of the IoT malware has limited or no side- effects on performance of the host. They become active and perform DDoS on certain command from its botnet sources. Next, many IoT malware reside on IoT devices’ temporary memory (RAM). Besides, most IoT malwares does not use reflection techniques to launch an attack, so it is much difficult to recognize and mitigate the attack using the conventional methods. The volume of traffic floods generated by IoT botnets are very high, in the orders of 100 Gbps or higher, in comparison to conventional PC botnets. Moreover, the location of the infected IoT devices are distributed all around the world. Lastly, apart from generating commonly used traffic floods, namely, HTTP, TCP, UDP traffic, some IoT botnets generates unconventional traffic like GRE traffic and use uncommon “DNS water torture” technique during DDoS attacks.
(iv) IoT Botnets: Mirai Attacks
Based on the statistics from the Malaysia Computer Emergency Response Team (MyCERT), the timeline below illustrates the emergence of Mirai from late 2016 to early 2017. Giaretta et.al (2017) also stated that the Mirai infected hundreds of thousands of connected devices all over the world in year 2016. Beginning in September 2016, a DDoS attack temporarily crippled Krebs on Security, OVH and Dyn. The initial attack on OVH using the Mirai botnet exceeded 1 Tbps in volume among the largest on record. MyCERT observed a large number of IP addresses from Malaysia infected with the Mirai botnet that were recruited to launch the DDoS attack. The Mirai infection in Malaysia is visualized beginning in October 2016, which was the first month, until September 2017. The graph is categorized into state, port number and variant.
Figure 2.8 Mirai Infections in Malaysia 2016 – 2017 (Sharifah, 2017)
The most predominant malware of the last years is Mirai attacks on IoT devices by Nicola et.al (2017). Mirai is a worm-like family of malware that infected IoT devices and corralled them into a DDoS botnet by (Sharifah and Sahrom 2017). Once exploited, the devices are reported to a control server in order to be used as part of a large-scale botnet. Hence, the botnet can be used to perpetrate several types of DDoS attacks exploiting a wide range of protocols.
Figure 2.9 IoT Malwares with DDoS Capabilities (Nicola, 2017)
Mirai botnet is perhaps the most famous of all IoT malware that took down a significant portion of the Internet. Mirai uses the default password for the telnet or SSH accounts to gain shell access. Once it is able to get access to this account, it installs malware on the system. This malware creates delayed processes and then deletes files that might alert antivirus software to its presence. It is difficult to identify an infected system without doing a memory analysis. Mirai opens ports and creates a connection with botmasters and then starts looking for other devices it can infect. After that, it waits for more instructions. Since it has no activity while it waits and no files left on the system, it is difficult to detect.
The Mirai botnet’s source code was released to the public which provided intrusion analysts insight into the attack and associated intrusion detection by (Anna, 2016). The DDoS traffic was produced by a variety of IoT devices. Once it identifies an insecure device, the malware tries to log in with a series of common default passwords used by manufacturers. If those passwords do not work, then Mirai uses brute force attacks to guess the password. Once a device is compromised, it connects to C;C infrastructure and can divert varying amounts of traffic toward a DDoS target.
According to Kambourakis et.al (2017), the bot part (coded in C) is responsible for unleashing one of several DDoS attacks and for exploring the IP space for new victims. In fact, Mirai botnets mostly targets Linux-based IoT devices. The Mirai’s infrastructure shown below is composed of a C&C module that provides the multiple attacks with a management console, a “report” or “collector” server that gathers and maintains information about the active bots in the botnet, as well as “loader” devices that facilitate the propagation of the malware to newly-discovered victims.
Figure 2.10 Overview of Mirai Communication and Basic Components (Kambourakis, 2017)
(v) IoT Botnets: Hajime Attacks
Over the past few months, Hajime has been spreading quickly over worldwide. According to (Martin, 2017), Hajime meaning ‘beginning’ in Japanese, showed its first signs of activity in October 2016. Hajime was first discovered by researchers in October of last year and, just like Mirai (Linux.Gafgyt), it spreads via unsecured devices that have open Telnet ports and use default passwords. In fact, Hajime uses the exact same username and password combinations that Mirai is programmed to use, plus two more. Hajime is a worm according to sources which have placed research on the subject by (Edwards, 2016).
Based on Kaspersky Lab report (2017) in figure 2.11, the malware is building a huge peer-to-peer botnet, a decentralized group of compromised machines discreetly performing spam or DDoS attacks. The very first big difference is that Hajime is built on a peer-to-peer network, whereas Mirai uses hardcoded addresses for the C&C server. Instead of a C&C server address, Hajime pushes command modules to the peer-to-peer network. Based on the hardcoded credentials included in the worm’s source code, Hajime targets routers, DVRs, and CCTV systems, just like Mirai by (Edwards, 2016).
Figure 2.11 Distribution of Hajime infectors by country (Kaspersky Lab, 2017)
According to Kaspersky Lab report (2017) in figure 2.12, there is no attacking code or capability in Hajime, only a propagation module. Hajime also an advanced and stealthy family, uses different techniques, which is mainly brute-force attacks on device passwords to infect devices and then takes a number of steps to conceal itself from the compromised victim. Thus, the device becomes part of the botnet. Once on an infected device, it takes multiple steps to conceal its running processes and hide its files on the file system. According to Kaspersky Lab report, Hajime infections had primarily come from Vietnam (over 20%), Taiwan (almost 13%) and Brazil (around 9%) at the time of research. Most of the compromised devices are located in Iran, Vietnam and Brazil. Overall, throughout the research period, Kaspersky Lab revealed at least 297,499 unique devices sharing the Hajime configuration.
Figure 2.12 Distribution of infected devices by country (Kaspersky Lab, 2017)
(vi) Comparison between IoT Botnets Mirai and Hajime
Hajime botnet was first discovered by researchers in October of last year just like Mirai botnet, it spreads via unsecured devices that have open Telnet ports and use default passwords. In fact, Hajime uses the exact same username and password combinations that Mirai is programmed to use. Unlike Mirai, which uses hardcoded addresses for its command and control (C;C) server, Hajime is built on a peer-to-peer network. There is not a single C;C server address, instead the controller pushes command modules to the peer network and the message propagates to all the peers over time. This is typically considered a more robust design as it makes take downs more difficult. Hajime is also stealthier and more advanced in comparison to Mirai. Once on an infected device, it takes multiple steps to conceal its running processes and hide its files on the file system. The author can open a shell script to any infected machine in the network at any time, and the code is modular, so new capabilities can be added on the fly. It is apparent from the code that a fair amount of development time went into designing this worm.