Security

How the Mirai botnet almost took down an entire country, and what your business can learn

Security researcher Kevin Beaumont recently discovered a botnet attack that almost took down all internet service in Liberia. Here's what you need to know.

africamap.jpg
Image: iStockphoto/mega73

A recent DDoS attack from a Mirai botnet nearly killed internet access across the entire country of Liberia in Africa. The botnet, dubbed Mirai botnet 14, was tracked by security researcher Kevin Beaumont, who wrote about the attack on Medium.

Mirai is the open source, denial of service toolkit that was behind the historic DDoS attack on Dyn that took many major web properties, such as Twitter and Netflix, offline in late October. In the wake of that attack, Beaumont monitored botnet attacks through a website called MalwareTech.com.

While most of the tracked attacks were fairly elementary, there was one that stuck out. Mirai botnet 14 seemed to be going after larger targets, and had a high rate of success, Beaumont discovered.

SEE: Security awareness and training policy template (Tech Pro Research)

"Transit providers confirm over 500gbit/sec of traffic is output during attacks," Beaumont wrote in his Medium post. "Attacks last a short period. It is the largest of the Mirai botnets and the domain controlling it pre-dates the attacks on Dyn. The capacity makes it one of the biggest DDoS botnets ever seen. Given the volume of traffic, it appears to be the owned by the actor which attacked Dyn."

The problem is further complicated when Liberia's infrastructure is taken into account. In Liberia, a single internet cable provides all of the nation's (population 4.5 million, as per the World Bank) internet access, which also provides, as Beaumont noted, a "single point of failure."

While the attacks were taking place, Beaumont wrote, websites hosted in Liberia were being taken offline and some citizens experienced "intermittent internet connectivity, at times which directly match the attack." This is troublesome, because it shows that the Mirai toolkit, which is open and available to anyone who wants it, could potentially be used to take an entire country offline.

Additionally, while Beaumont was tweeting about the attack, the botnet itself began sending messages via a Twitter account. One read: "kevin.lies.in.fear."

Bob Gourley, co-founder of the cyber security consultancy Cognitio and former CTO of the Defense Intelligence Agency, said that Cognitio has also been tracking massive botnets and their ability to perpetrate these kinds of DDoS attacks that could take countries offline. They call it a "nation-blanking attack." Although Liberia is a smaller target, Gourley said, these attacks prove that it could happen to a larger country.

"The ability to conduct these attacks is growing," Gourley said. "Imagine what size attacks will be possible in just 30 days. Imagine Venezuela, Colombia and Ecuador all being taken offline at the same time. Or you pick the other countries that get hit. How will that mess with your business supply chain?"

Also, with the holidays coming up, another example would be of a similar DDoS attack taking a website like eBay or Amazon offline during peak shopping times, Gourley said. Or, imagine the US Post Office, FedEx, or UPS experiencing an attack during their busiest shipping times.

SEE: Dyn DDoS attack: 5 takeaways on what we know and why it matters

However, it isn't just major retailers that are at risk. The rise of these botnets, and the DDoS attacks they power, should be addressed by every company.

"With the availability of cheap and easy-to-build Botnets using Internet of Things devices, DDoS attacks will increase and have significant impacts on networks all over the globe," said John Pironti, president of IP Architects, LLC.

The release of the code for botnets like Mirai and Bashlight has lowered the barrier of entry for an attacker to enter the space. It's not only made it less expensive to commit such an attack, but it's made it easier to accomplish with less technology as well, Pironti said.

"The Genie is out of the bottle," Pironti said. "The public release of the Mirai and Bashlight attack code have created brand new opportunities for advisories to carry out highly effective attacks with minimal cost and effort."

Because many of these attacks are perpetuated through IoT devices, companies of all sizes should take steps to secure and manage all of the endpoints on their network. Start by identifying the devices, isolating them, and limiting their internet access.

Organizations should also train employees to recognize the signs of a potential DDoS and report it to IT, so that mitigation efforts can be enacted to limit outage.

The 3 big takeaways for TechRepublic readers

  1. Mirai botnet 14 was used to attack the African country of Liberia, taking nearly the entire country offline intermittently.
  2. The botnet was based on the same Mirai code used in the botnet attack on Dyn, and appears to have been conducted by the same actor, said security researcher Kevin Beaumont.
  3. The Mirai botnet 14 attack on Liberia further highlights the need for improved security around enterprise IoT and better education for employees on recognizing attacks.

Also see

About Conner Forrest

Conner Forrest is a Senior Editor for TechRepublic. He covers enterprise technology and is interested in the convergence of tech and culture.

Editor's Picks

Free Newsletters, In your Inbox