Date: 2023-05-03

Mirai-Inspired Botnets Keep Getting Bigger

While the Internet of Things has its perks, it is also a breeding ground for big botnets designed to create crippling DDoS attacks. Weak or default credentials on these devices allow attackers to recruit devices from cameras to routers, and the targets could be anything from a Minecraft server to a large bank’s login page.

There isn’t much your organization can do to stop botnets from forming (you can’t, after all, break into your neighbors’ IoT infrastructure and make all of their passwords more complex for them). The best thing you can do to protect your organization is bot management, which automatically filters good and bad bots. When applied, bot management can help you reduce your risk of a DDoS attack and avoid Mirai and its variants, like the novel HinataBot.

The Legacy of Mirai

First appearing in 2016, Mirai malware took down internet access for millions of users across the globe. Originally, Mirai was a DDoS attack aimed at Minecraft users, but it quickly became an attack method for other targets, including Linux devices, OVH, and Dyn. Mirai used an estimated 145,000 devices to launch massive 1 Tbps attacks in 2016, much larger than the current 5.17 Gbps average DDoS attack. In 2022, a Mirai variant hit 2.5 Tbps, making it one of the largest DDoS attacks ever reported.

Mirai’s descendants are everywhere. At least 60 Mirai variants exist, and because the source code is public, there will likely be many more in the future. According to some estimates, Mirai variants have infected around 300,000 devices and almost 50,000 unique IPs. Researchers believe that Mirai variants exist in 164 countries so far, and the malware has now expanded its capabilities to include ransomware.

HinataBot Breaks DDoS Records

The newest (and potentially most dangerous) Mirai variant is the HinataBot. Working at unprecedented potential speeds of 3.3Tbps, HinataBot is faster, uses fewer resources, and is more destructive than any of its predecessors. According to researchers, HinataBot uses just under 1% of the resources that its ancestor, Mirai, needed. The frightening thing about HinataBot is that with that 1% of the resources, it can achieve Mirai’s maximum amount of traffic. DDoS attacks could soon become much worse and much more difficult to mitigate.

So far, HinataBot has not been used for any large-scale attacks, but researchers are concerned. Companies with insufficient DDoS protection will not be able to defend themselves against HinataBot DDoS attacks, and even if IoT users do improve their security practices, the lower number of required resources for HinataBot to attack means that their efforts may not make enough of a difference.

Additionally, HinataBot is very new, so it may improve its ability to infiltrate devices as it develops. Although there are currently no zero-day vulnerabilities that it can exploit, new vulnerabilities are discovered every day. So, while you’re still not at immediate risk of experiencing HinataBot DDoS attacks, you should be preparing for them and other large botnets that could take down your website.

Protecting Against Larger DDoS Attacks

To effectively protect yourself and your website or web applications, you need enterprise-grade DDoS protection and bot management. Good bot management can also help you avoid credential stuffing, credit card fraud, and web or data scraping. It will filter out attack traffic before it reaches your systems without unintentionally filtering out wanted traffic, like customers, or good bots used by search engines to rank your website.

Eliminating all bots would likely tank your Google rankings, so it makes sense to invest in a filter that can tell the difference between a good and bad bot. Because Mirai-based DDoS attacks can be so large, you need an effective defense against sudden onslaughts of traffic. An effective bot management solution will utilize a few different strategies to protect your website. To address known bots, a static analysis tool can filter out web requests typical of a bad bot.

Your solution should also provide challenges, like CAPTCHAs or cookie acceptance, that are difficult for bots to complete. Ideally, your bot management will be largely automated. It should have multiple security layers including WAF, RASP, and CDN to keep good traffic flowing well and to block bad traffic. Another component of good bot management is behavior evaluation. Traffic patterns on your website are analyzed to determine whether a visitor is desirable traffic or a bot, and if a bot, whether it is good or bad.
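The static filter, good-bot allowance and behavior evaluation described above can be sketched as one small classifier. This is an added example, not code from any bot management product. The log layout, signature lists, thresholds and the `verified_crawlers` set are all assumptions; in production that set would come from reverse-DNS verification of crawler addresses.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log (documentation-range IPs, not real traffic).
GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
SAMPLE_LOG = (
    f'198.51.100.7 [03/May/2023:10:00:00 +0000] "GET / HTTP/1.1" "{GOOGLEBOT_UA}"\n'
    f'203.0.113.9 [03/May/2023:10:00:00 +0000] "GET /login HTTP/1.1" "{GOOGLEBOT_UA}"\n'
    '192.0.2.44 [03/May/2023:10:00:01 +0000] "GET /login HTTP/1.1" "python-requests/2.28.1"\n'
    '192.0.2.80 [03/May/2023:10:00:02 +0000] "GET /products HTTP/1.1" "Mozilla/5.0 (Windows NT 10.0)"\n'
    + "".join(f'192.0.2.200 [03/May/2023:10:00:{s:02d} +0000] "GET /search HTTP/1.1" '
              '"Mozilla/5.0 (X11; Linux x86_64)"\n' for s in range(10, 30)))

LINE = re.compile(r'^(\S+) \[([^\]]+)\] "[^"]*" "([^"]*)"$', re.M)
CRAWLER_TOKENS = ("Googlebot", "bingbot")   # user agents claiming to be search crawlers
SCRIPTED_UA = ("python-requests", "curl/", "go-http-client")  # illustrative signatures

def static_verdict(ip, ua, verified_crawlers):
    """Static layer: judge one request from its claimed identity alone."""
    if any(tok in ua for tok in CRAWLER_TOKENS):
        # A crawler user agent is trusted only from an address verified out of band.
        return "allow" if ip in verified_crawlers else "block"
    if ua in ("", "-") or any(sig in ua.lower() for sig in SCRIPTED_UA):
        return "block"
    return "allow"

def classify(log_text, verified_crawlers, max_hits=10, window_s=60):
    """Return {ip: 'allow' | 'challenge' | 'block'} for an access log."""
    hits, verdict = defaultdict(list), {}
    for ip, ts, ua in LINE.findall(log_text):
        hits[ip].append(datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z").timestamp())
        if verdict.get(ip) != "block":          # a block is sticky for the address
            verdict[ip] = static_verdict(ip, ua, verified_crawlers)
    for ip, times in hits.items():              # behavior layer: sliding-window rate
        if verdict[ip] != "allow" or ip in verified_crawlers:
            continue
        times.sort()
        lo = 0
        for hi, t in enumerate(times):
            while t - times[lo] > window_s:
                lo += 1
            if hi - lo + 1 > max_hits:
                verdict[ip] = "challenge"       # hand off to a CAPTCHA or cookie challenge
                break
    return verdict
```

The verified crawler keeps its access, the address that only claims to be Googlebot is blocked, and the browser-like client sending 20 requests in 20 seconds is challenged rather than dropped outright.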

Implementing all of these strategies can help you to effectively control your website’s traffic without sacrificing search engine rankings or daily page visits. Although the Mirai malware and its variants are powerful and dangerous, ensuring that you have high-quality bot management in place can reduce the impact of a DDoS attack and, if the particular bot that attacks you attempts to install ransomware, it should help to protect your data.

