Hackers use Mirai code, blended tactics to launch DDoS attack in 2016
Hackers use Mirai code, blended tactics to launch DDoS attack in 2016

The release of the Mirai botnet source code late last summer set the stage for the series of massive DDoS attacks that took place during the closing months of 2016 and has possibly positioned this type of cyberattack to dominate the headlines in 2017.

Nexusguard's Q4 Distributed Denial of Service (DDoS) Threat Report noted that the release of the Mirai botnet source code in August led to the number of IoT devices infected with Mirai to more than double in just two months from 213,000 to 493,000. This gave the bad guys the ability to launch series of 200 gigabyte per second DDoS attacks culminating in the massive attack on DynDNS in October.

“The popularity of the Mirai botnet and similar IoT vulnerabilities gave hackers ample ammo to overwhelm security and operations in Q4. Malicious actors will continue to invent new attacks and blend them with multiple factors for maximum impact, forcing companies to rely on big data and intelligence-driven mitigation and develop strategic response teams that can quickly handle new threats,” Reggie Yam, Nexusguard's chief innovation and strategy officer told SC Media.

This also allowed those launching the attacks to increase the pressure by enabling more 200GBps attacks and a 152 percent in attack frequency and duration.

As usual, Yam said, most DDoS attacks during the year originated from the United States, 31.6 percent, followed by China, 19.8 percent, and Japan, 13.6 percent. However, China led the world in having the most vulnerable devices, 116,065, followed by the U.S., Brazil, Italy and Croatia.

“The U.S. is always either the first or second source of the most of the DDoS attacks.The widespread internet service and indispensable use of internet in daily life induce the U.S. to be the cyberattackers' target,” he said.

The end of 2016 also saw a shift in the attack methods being used, particularly for Mirai. For the vast majority of the year Network Time Protocol (NTP) attacks dominated being associated with 97.5 of all attacks 771,031,567 attacks of Mirai botnet infections Nexusguard recorded, but in December a sudden and sharp uptick in those using DNS too place. By the end of the month 17,973,585, or about 2.3 percent of the total, of the attacks could be attributed to DNS.

Another change was an increase in the level of attack complexity. “Attackers launched blended attacks to overload targeted monitoring, detection, and logging systems. Overloaded systems impeded the identification of hacking activities, resulting in the failure to take immediate action to stop attacks,” the report stated.

Yam explained that countering this new attack strategy requires infosec pros to take a more pragmatic and comprehensive approach when designing their network's defenses.

“One should accept that in terms of cybersecurity - no one vendor, product or service can fully protect any environment indefinitely. Therefore, security professionals should evaluate and implement multiple overlapping technologies that complement one another, or defense-in-breadth. Most importantly, one must not misunderstand that such strategy should just cover the technology aspect, but to make sure strategies extend to cover people and processes as well,” he said.

The combination of new attack methods, growing numbers of infected IoT devices likely means continued problems this year.

“IoT devices were proven powerful enough to generate complex attacks that pose substantial threats to cybersecurity now and in the future. The sheer volume of IoT devices provides a large quantity of actual IP addresses available for generating advanced attacks such as application attacks and slow flooding, to name just a few. IoT botnets will continue to pose a major cybersecurity challenge in 2017,” the report concluded.