The mammoth botnet of 2017 was “Reaper”, also known as “IoT Troop”. Compared with its 2016 counterpart, “Mirai”, it looks set to have a considerably larger impact and is significantly more sophisticated.
Looking back, the Mirai botnet seems relatively simple by comparison. While Mirai caused widespread denial of service, it infected connected devices such as Internet routers and IP cameras simply by trying weak or default passwords. Reaper, by contrast, breaks into devices by exploiting known vulnerabilities in their firmware rather than guessing credentials. Wired compared the two by likening Mirai’s technique to checking doors to see whether anyone had left theirs unlocked, and Reaper’s to actively picking the locks.
It is also much more dangerous. By late October of last year, Reaper had already infected over a million networks worldwide, including in the U.S. The botnet still appears to be in its recruitment phase, and DDoS experts are waiting to see the first attack launched with it. At its potential scale it could unleash a kind of Internet chaos we have not yet seen, causing serious financial and reputational damage to the organizations it targets.
Researchers at the Israeli security firm Check Point and the Chinese security firm Qihoo 360 each published reports in October detailing the new IoT botnet. Check Point warned that “a massive Botnet is forming to create a cyber-storm that could take down the Internet”, growing at a much more rapid pace and with far greater potential for damage than the Mirai botnet. Qihoo noted that Reaper was gathering more than 10,000 unique active bot IP addresses per day. They also saw “millions of potential vulnerable device IPs being queued into the c2 system waiting to be processed by an automatic loader that injects malicious code to the devices to expand the size of the botnet”.
Another alarming aspect of Reaper is that its scanning is not especially aggressive, which lets it stay under the radar of rate-based scan detection. At the same time it is designed to spread from one infected device to others on the same network, so once it has a foothold it can grow very quickly.
Attacks from IoT botnets don’t rely on spoofed source addresses: the bots are real endpoints with real IP addresses. This makes it much harder for defenders to block every individual device that is sending attack traffic. Furthermore, because the devices are distributed all over the world, each IP has to be dealt with on its own; a company can’t simply block a network segment or a particular country’s IP range to defend itself.
Check Point warned that many IoT devices are susceptible to infection by the Reaper malware, including GoAhead cameras and D-Link, NETGEAR and TP-Link devices. It urged companies to get “the proper preparations and defense mechanisms in place before an attack strikes”. Devices that are not kept updated, and on which WAN-side (remote) administration is left enabled, expose their admin interface to the kind of software exploits Reaper uses, however complex the admin password may be.
The network must also be secured. High-performance DDoS detection and mitigation are absolute essentials against IoT botnets and the multi-vector DDoS attacks that we saw grow across 2017. Rapid detection and mitigation will be essential when an attack from a botnet like Reaper arrives, to make sure that services are not disrupted and that legitimate traffic can still pass through.
DDoS defense solutions need to learn normal traffic patterns and behaviors in order to identify and block anomalous traffic. They should let legitimate user traffic pass through while simultaneously identifying and analyzing threats.
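To make the two points above concrete (unspoofed, widely distributed sources on the one hand, baseline-driven anomaly detection on the other), here is an added Python example; it is not code from the original article or from any vendor product. It builds a synthetic baseline of legitimate traffic, learns per-second thresholds from it, then replays a constructed flood from two thousand distinct, unspoofed source addresses each sending a single request per second. A classic per-IP rate limit finds no offender in that flood, while the aggregate request rate and the number of distinct sources both blow past the learned baseline. The IP ranges, request rates, the 30 req/s per-IP limit and the k = 4 standard-deviation threshold are all assumptions chosen for the illustration.

```python
"""Baseline-driven DDoS detection over constructed flow records.

Added illustration only: the traffic is synthetic, the thresholds are
assumptions, and nothing here comes from the article or a real product.
Each record is a (second, source_ip) tuple, i.e. one request.
"""
from collections import defaultdict
from statistics import mean, pstdev


def legit_traffic(seconds=60, pool_size=200):
    """Constructed baseline: 40-58 requests per second from a pool of
    repeat clients (documentation range 198.51.100.0/24)."""
    pool = [f"198.51.100.{i}" for i in range(1, pool_size + 1)]
    records = []
    for t in range(seconds):
        n = 40 + (t % 7) * 3  # gentle wobble so the baseline has variance
        for i in range(n):
            records.append((t, pool[(t * 13 + i) % pool_size]))
    return records


def botnet_traffic(start, seconds=10, bots=2000, per_bot=1):
    """Constructed flood: many distinct real endpoints, each sending only
    `per_bot` requests per second. Addresses from 100.64.0.0/10 are
    stand-ins for globally scattered infected devices."""
    records = []
    for t in range(start, start + seconds):
        for b in range(bots):
            ip = f"100.{64 + b // 256}.{b % 256}.1"
            records.extend((t, ip) for _ in range(per_bot))
    return records


def per_second_features(records):
    """Aggregate per second: total requests and number of distinct sources."""
    reqs = defaultdict(int)
    srcs = defaultdict(set)
    for t, ip in records:
        reqs[t] += 1
        srcs[t].add(ip)
    return {t: (reqs[t], len(srcs[t])) for t in reqs}


def learn_baseline(records, k=4.0):
    """Learn 'normal' as mean + k * stddev on both per-second features.
    k=4 is an assumed operating point; tune it on real traffic."""
    feats = per_second_features(records)
    rates = [r for r, _ in feats.values()]
    sources = [s for _, s in feats.values()]
    return {
        "max_rate": mean(rates) + k * pstdev(rates),
        "max_sources": mean(sources) + k * pstdev(sources),
    }


def anomalous_seconds(records, baseline):
    """Seconds whose aggregate behaviour exceeds the learned baseline."""
    feats = per_second_features(records)
    return sorted(
        t for t, (rate, sources) in feats.items()
        if rate > baseline["max_rate"] or sources > baseline["max_sources"]
    )


def per_ip_offenders(records, limit=30):
    """Classic per-source rate limit: IPs that exceed `limit` requests in
    any single second. Against a distributed, unspoofed botnet this
    finds nothing, because no individual bot is loud."""
    counts = defaultdict(int)
    for t, ip in records:
        counts[(t, ip)] += 1
    return sorted({ip for (_, ip), c in counts.items() if c > limit})


if __name__ == "__main__":
    legit = legit_traffic()
    baseline = learn_baseline(legit)
    attack = botnet_traffic(start=len(legit_traffic()) and 60)
    print("baseline thresholds:", baseline)
    print("false positives on legit traffic:", anomalous_seconds(legit, baseline))
    print("flagged seconds with flood:", anomalous_seconds(legit + attack, baseline))
    print("per-IP rate limit offenders in flood:", per_ip_offenders(attack))
```

The per-IP view is empty because every bot stays well under any sane per-source limit, which is exactly the situation described above; only the aggregate features (requests per second and distinct sources per second, compared against what was learned as normal) reveal the attack. A production system would add per-protocol and per-path features and a sliding baseline, but the shape of the decision is the same.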
Enterprises should put in place a hybrid DDoS protection model that combines on-premise DDoS defense with cloud-based scrubbing capacity, so that protection is real-time for smaller attacks and scales out when a volumetric flood exceeds what the local appliance can absorb.