Liberia Latest Target for Mirai BotnetAre Attacks a Test Run for a Larger One to Come?
The small west African country of Liberia recently became an unlikely target for the Mirai botnet, the vast army of poorly secured internet-connected devices that security experts worry may continue to cause distributed denial-of-service attack problems for service providers.
The DDoS attacks against targets in Liberia went on for at least a week, says Kevin Beaumont, a security architect based in Liverpool, England. By late Nov. 3, the attacks stopped. But at one point, they reached 500 gigabits per second, an intensity unheard of until recently.
The country apparently was struck by the same botnet that last month hit networking company Dyn, which supplies DNS services to Twitter and Spotify and many other popular websites, Beaumont says. The attack on Dyn underscored how a focused electronic assault on just one company could be amplified for maximum effect (see Botnet Army of 'Up to 100,000' IoT Devices Disrupted Dyn).
DDoS attacks blast streams of unwanted data traffic to websites, online gaming companies, ISPs and other entities, aiming to make their services unresponsive. Organizations hit with DDoS attacks can't actually stop them but rather have to put in place expensive mitigations that filter the attack traffic.
The strikes have reached a new level of intensity since mid-September. Security experts say hackers have taken control of millions of internet of things devices, such as CCTV cameras, digital video recorders and baby monitors, and infected them with DDoS attack code.
The targeting of Liberia, which has a population of 4.2 million and experienced a bloody 14-year civil war that ended in 2003, is puzzling.
"I suspect they were using Liberia for testing because nobody would notice," Beaumont tells Information Security Media Group.
Evolution of DDoS Attacks
Experts are closely watching the evolution of the attacks. That's done, in part, by setting up "honeypots," or traps consisting of IoT devices that researchers know will become immediately infected by DDoS malware. Studying the honeypots gives insight into targets as well as the command-and-control servers used to send attack instructions to the bots.
The researchers known as @MalwareTechBlog and @2sec4u have set up an automated Twitter feed, @miraiattacks, that provides real-time information on IP addresses that Mirai is targeting and the type of DDoS attacks conducted. Since the Twitter feed was launched on Oct. 23, it has posted updates on 28 Mirai botnets. Each number represents a different command-and-control server.
Mirai botnet #14 is the dry name given to the group of devices that attacked Liberia. "The botnet is huge," Beaumont says. The attacks against Liberian operators were short but made up of large bursts of traffic, he adds.
The attacks in Liberia likely would not have drawn much attention if it weren't for Beaumont, who began investigating where Mirai traffic was aimed. He wrote a blog post on Nov. 3, which subsequently drew media attention.
Liberia's internet connectivity is served, in part, by a submarine fiber optic cable activated in December 2012. The Africa Coast to Europe cable winds from Europe to the southern part of the continent along the west coast. Its total capacity is 12.8 Tbps, according to operator Orange.
The landing point in the country is managed by the Cable Consortium of Liberia, which involves the country's Telecommunication Authority and private operators. Efforts to reach operators weren't immediately successful.
Although DDoS attacks have been a nuisance for more than two decades, the intensity of the latest IoT attacks has been surprising. DDoS attacks are typically between 1 Gbps and 15 Gbps, but at least two over the last two months have reached between 500 Gbps and 1 Tbps.
In September, computer security journalist Brian Krebs saw his website hit with a 665 Gbps attack, and French hosting provider OVH saw Mirai-powered attack traffic peak at 800 Gbps.
Those attacks received attention in computer security circles, but it was the later Dyn attack, which hampered access to Amazon, PayPal, Spotify, Twitter and many other popular websites, that brought the problems around hacked internet-connected devices to mainstream attention.
Large DDoS attacks are noisy and tend to draw attention. Shortly after the Dyn attacks, the White House said the Department of Homeland Security was investigating. But those behind the attacks remain unknown.