Mirai and IoT Botnet Analysis - WordPress.com · 2017-03-16
SESSION ID: HTA-W10
#RSAC
Robert Graham
http://blog.erratasec.com
@ErrataRob
What this talk will cover?
Brief overview of Mirai
The cameras themselves
Step by step from infection to attacks
The Dyn attack
How to protect yourself
How tech details fit into government policy debate
Mirai botnet
Terabit scale attacks end of 2016
  ~600mbps against Brian Krebs
  ~1 terabit against OVH
  ~1.2 terabit against Dyn
Infects cameras
  Most cameras
  Also printers, routers
Hundreds of thousands of devices
Where the botnet resides
https://www.incapsula.com/blog/malware-analysis-mirai-ddos-botnet.html
CnC servers
Ordering camera
JideTech
From Jose Pagliery at CNN
Packaging from Shenzhen
What do the cameras look like?
HiSilicon HI3518 CPU
Which ports are listening
What does the camera look like?
23: Telnet
80: HTTP
554: RTSP
9527: some weird shell with no auth
8899: some other web interface
0f539bd5d3ab8a
Camera/Phone firewalled
AWS
12:38
54.163.237.146
ec2-54-163-237-146.compute-1.amazonaws.com
Configure firewall
Use RaspberryPi-class device as NAT/firewall to create an isolated subnet
http://blog.erratasec.com/2016/10/configuring-raspberry-pi-as-router.html
98 seconds to infection!
Infection process
The ECHI trick
Generates error message
It’s how the bot recognizes that the output is done
Different devices have different command-prompts, so it’s harder parsing output for a command prompt
What is busybox?
Most common shell on IoT devices
Find out CPU: x86, ARM, MIPS, PowerPC
Download bot
Now run the bot
Kills Telnet
/bin/busybox telnetd -p 2323
Kills rival bots
Connect to command/control
List of possible attacks
Attack on Google Project Shield
130 million SYN per second
450 million HTTP queries per second
  From 175,000 IP addresses
4 million ACK flood
GRE floods
UDP floods
https://arstechnica.com/security/2017/02/how-google-fought-back-against-a-crippling-iot-powered-botnet-and-won/
DYN DDoS
Classic “hit the root name servers”…except one layer down
Port 53 UDP flood
  ~600gbps to ~1.2tbps
Amplified by failed DNS lookups
  No cached failed response
Dyn uses ‘anycast’
http://dyn.com/dns/network-map/
Atlanta -> North Virginia
Add own second DNS
Add Amazon DNS
Drop DYN
All eggs in one basket
BGP changes
https://stat.ripe.net/widget/bgplay#w.resource=208.78.70.16
Increase TTLs
Resolver caching
Resolvers cache responses
Drops records after TTL seconds
  And get a new one
Change: if you can’t get a new one, don’t drop record
Everybody’s doing it
No persistence in botnet
Many fight to take control of the devices
Many splintered botnets rather than one large botnet
Conclusion
The same attack won’t work again
https://krebsonsecurity.com/2017/01/who-is-anna-senpai-the-mirai-worm-author/
Complicated
Paras Jha, 20 year old student
Minecraft server maintainer, then anti-DDoS company
Way to drive customers from other anti-DDoS companies
Complicated interactions with the underground
Source code
Amateurish, like that of 20 year old students
Doesn’t mean “stupid”, just not features of professional coders.
Multiple coders
https://github.com/jgamblin/Mirai-Source-Code
Apply: How to protect yourself?
You probably don’t have cameras
  Vuln scanning for it on your network is probably pointless
You need a DNS strategy
You need a DDoS strategy
You need a UPnP strategy
DNS server strategy
Use redundant servers
One should be a server that can handle DDoS
Set longer TTLs
DNS client strategy
Set up your own resolver
Disable discarding stale records after TTL if no response
Make sure services can keep running if DNS fails
  The DNS supply chain
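Added example (not from the original slides): a small Python model of the resolver change described under "Resolver caching" and "DNS client strategy", where an expired record is kept and served when the refresh fails. The class and function names, the name www.example.com, the address 192.0.2.10, the outage window and the max_stale cap are all constructed for illustration.

```python
"""Serve-stale resolver cache: keep an expired record when the refresh fails."""
import time
from dataclasses import dataclass


class UpstreamDown(Exception):
    """Raised by the upstream lookup when no authoritative server answers."""


@dataclass
class Entry:
    addresses: tuple
    expires_at: float  # absolute time at which the TTL runs out


class StaleCache:
    def __init__(self, lookup, max_stale=86400, clock=time.monotonic):
        self.lookup = lookup        # callable(name) -> (addresses, ttl_seconds)
        self.max_stale = max_stale  # how long past the TTL a record may be served
        self.clock = clock
        self.entries = {}

    def resolve(self, name):
        """Return (addresses, status); status is 'hit', 'miss' or 'stale'."""
        now = self.clock()
        entry = self.entries.get(name)
        if entry and now < entry.expires_at:
            return entry.addresses, "hit"
        try:
            addresses, ttl = self.lookup(name)
        except UpstreamDown:
            # The change from the slide: a failed refresh does not drop the record.
            if entry and now - entry.expires_at < self.max_stale:
                return entry.addresses, "stale"
            self.entries.pop(name, None)
            raise
        self.entries[name] = Entry(tuple(addresses), now + ttl)
        return tuple(addresses), "miss"


def simulate_outage(serve_stale=True):
    """Constructed scenario: authoritative DNS unreachable from t=400 to t=5000."""
    now = [0.0]

    def lookup(name):
        if 400 <= now[0] < 5000:
            raise UpstreamDown(name)
        return ("192.0.2.10",), 300  # constructed record with a 300 second TTL

    cache = StaleCache(lookup, max_stale=3600 if serve_stale else 0,
                       clock=lambda: now[0])
    timeline = []
    for t in (0, 100, 500, 3000, 4500, 5100):
        now[0] = float(t)
        try:
            timeline.append((t, cache.resolve("www.example.com")[1]))
        except UpstreamDown:
            timeline.append((t, "SERVFAIL"))
    return timeline


if __name__ == "__main__":
    print("classic cache:", simulate_outage(serve_stale=False))
    print("serve-stale  :", simulate_outage(serve_stale=True))
```

Production resolvers expose this behaviour as a setting, for example `serve-expired: yes` in Unbound or `stale-answer-enable yes;` in BIND.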
Apply: Policy question
For government policy makers crafting laws/regulations
What can government do to ward off IoT botnets?
It’s a complicated answer
Only 10.9% are in the United States
Unbranded grey market, where they ignore regulation anyway
IoT is behind firewall, cameras are exposed.
  This was not an IoT botnet
Cameras need remote reset (a.k.a. backdoor)
Dyn fixed itself, without government help
An IoT threat model, part 1
No user interaction
  Clicking on links/emails is how you infect your desktop/laptop
  But not iPhones, mostly
  Not IoT
No exposed ports
  At least, as the norm
  So no direct vulnerable services, OWASP, etc.
An IoT threat model, part 2
Cross Site Request Forgery
  Clicking on links/emails
Cloud service
  Phishing of username/password
  Cloud provider gets owned
    IoT autoupdate considered harmful
Local WiFi
UPnP etc. for inbound
An IoT threat model, part 3
Vendors demand inbound connection
  Old IoT like medical devices, HVAC, etc.
IoT on non-private networks
  Hospitals, bars, universities, etc.
IPv4 vs IPv6
  IPv4 for IoT increasingly costly, moving to IPv6
Summary
Details on how Mirai works
  Means knowing how cameras work
How to protect yourself from Mirai
  Not Mirai itself, but the attacks it does
  Fix your DNS
What is the future?
  What’s the threat model?
  How can regulations help?