A week ago, between the 22nd and 24th of September, an unprecedented distributed-denial-of-service (DDoS) attack was waged on the website of Brian Krebs, an independent security journalist. It is considered one of the largest DDoS attacks ever recorded on the internet: according to publications, the site was hit with a 665Gbps flood of traffic, which Akamai called the “biggest attack we’ve ever seen”. Akamai eventually decided to drop Krebs’ site, as defending it was consuming too many resources.

Another important fact is that the botnet behind this attack consists mostly of internet-connected cameras, including CCTV (closed-circuit television) systems. CyberX documented an earlier, similar campaign two months ago in the Radiation research, where it revealed the First IoT Worm Aimed at CCTVs.

Putting it all together, the CyberX research team decided to investigate the Krebs attack. The team reversed Mirai, the malware responsible for this attack, and is the first to prove that the Krebs attack is Mirai utilizing GRE. These GRE floods are undoubtedly unique, and they also give a clue about the extremely massive size of the botnet: unlike DNS or NTP reflection, a GRE flood has no third-party amplifier, so every byte that reached the target was sent by an infected device itself, and the measured volume is a direct measure of how many bots took part.

Below appears the actual screenshot, taken while reversing the Mirai malware from the Krebs attack. It shows the construction of the packet containing GRE with the protocol type Transparent Ethernet Bridging. By looking at the code, one can observe the following (ebx holds the address of the IP header being built):

  • ebx + 0 = 0x45: the first byte of the IP header, version 4 with IHL 5, i.e. a 20-byte header with no options
  • ebx + 9 = 0x2F: the IP protocol field, 47 = GRE
  • ebx + 0x14 + 2 = 0x6558: the GRE header starts right after the 20-byte IP header (offset 0x14), and its protocol type field, two bytes in after the flags/version word, is set to Transparent Ethernet Bridging

It also contains code to build GRE packets with the IP protocol type (0x0800), i.e. GRE carrying a raw IP packet rather than an Ethernet frame.
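To make the three byte offsets above concrete, here is an added example (not code from the original post and not Mirai’s own source) that builds both GRE packet shapes described, GRE with Transparent Ethernet Bridging (0x6558) and GRE with IP (0x0800), and then classifies a raw IPv4 packet by applying the same checks the disassembly shows. The inner UDP packet, the addresses and the MAC addresses are constructed placeholders; the classifier reads the IHL instead of hard-coding 0x45 so it also handles IP headers with options, which the malware’s fixed layout does not need.

```python
"""Build and recognise GRE flood packets: GRE-ETH (0x6558) and GRE-IP (0x0800).

Added example; the inner UDP payload and addresses are constructed for
illustration and do not claim to reproduce Mirai's exact inner packet.
"""
import struct

IP_PROTO_GRE = 0x2F        # IP protocol number 47 (GRE), byte at offset 9
IP_PROTO_UDP = 17
GRE_PROTO_TEB = 0x6558     # Transparent Ethernet Bridging
GRE_PROTO_IPV4 = 0x0800    # IPv4 (EtherType value reused as GRE protocol type)
IP_HEADER_LEN = 20         # 0x14: GRE header follows immediately when IHL == 5


def ip_to_bytes(addr):
    return bytes(int(octet) for octet in addr.split("."))


def ip_checksum(header):
    """One's-complement checksum over the IPv4 header (returns 0 if already valid)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """20-byte IPv4 header without options: first byte 0x45 (version 4, IHL 5)."""
    hdr = struct.pack("!BBHHHBBH4s4s",
                      0x45, 0, IP_HEADER_LEN + payload_len, 0, 0, ttl, proto, 0,
                      ip_to_bytes(src), ip_to_bytes(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def gre_header(proto_type):
    """Minimal GRE header: flags/version word of zero, then the protocol type."""
    return struct.pack("!HH", 0, proto_type)


def inner_ipv4_udp(src, dst, sport, dport, payload):
    """Constructed inner packet: IPv4 + UDP with checksum disabled (0)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    return ipv4_header(src, dst, IP_PROTO_UDP, len(udp)) + udp


def gre_ip_packet(outer_src, outer_dst, inner_src, inner_dst, payload):
    """Outer IPv4 (proto 47) -> GRE (0x0800) -> inner IPv4/UDP."""
    gre = gre_header(GRE_PROTO_IPV4) + inner_ipv4_udp(inner_src, inner_dst, 1024, 80, payload)
    return ipv4_header(outer_src, outer_dst, IP_PROTO_GRE, len(gre)) + gre


def gre_eth_packet(outer_src, outer_dst, inner_src, inner_dst, payload):
    """Outer IPv4 (proto 47) -> GRE (0x6558) -> Ethernet frame -> inner IPv4/UDP."""
    dst_mac = bytes.fromhex("020000000001")   # constructed, locally administered
    src_mac = bytes.fromhex("020000000002")
    eth = dst_mac + src_mac + struct.pack("!H", 0x0800)      # 14-byte Ethernet header
    gre = gre_header(GRE_PROTO_TEB) + eth + inner_ipv4_udp(inner_src, inner_dst, 1024, 80, payload)
    return ipv4_header(outer_src, outer_dst, IP_PROTO_GRE, len(gre)) + gre


def classify_gre(pkt):
    """Apply the disassembly's checks to a raw IPv4 packet.

    Returns "gre-eth", "gre-ip", "gre-other", or None when the packet is not GRE.
    Mirai's packets always have 0x45 at offset 0; a general parser reads the IHL.
    """
    if len(pkt) < IP_HEADER_LEN + 4 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4                     # 20 when the first byte is 0x45
    if len(pkt) < ihl + 4 or pkt[9] != IP_PROTO_GRE:   # offset 9: IP protocol
        return None
    proto_type = struct.unpack_from("!H", pkt, ihl + 2)[0]   # GRE protocol type
    return {GRE_PROTO_TEB: "gre-eth", GRE_PROTO_IPV4: "gre-ip"}.get(proto_type, "gre-other")


if __name__ == "__main__":
    sample = gre_eth_packet("192.0.2.10", "198.51.100.1", "192.0.2.10", "198.51.100.1", b"A" * 16)
    print(classify_gre(sample), hex(sample[0]), hex(sample[9]), sample[0x14 + 2:0x14 + 4].hex())
```

Running the block prints `gre-eth 0x45 0x2f 6558`, which is exactly the triple of values read off the screenshot. A capture filter for such floods therefore only needs the outer IP protocol (47) and the two-byte GRE protocol type; the inner payload is irrelevant to recognising the shape.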

CyberX also found additional details regarding the CNC servers used in this attack (network.santasbigcandycane.cx and report.santasbigcandycane.cx), the method of spreading (telnet), a partial list of affected vendors (Mobotix, Dahua, Sunluxy, Smc) and more.

[Screenshot: disassembly of Mirai building the GRE packet]

According to many publications, this might signal the beginning of an era in which attackers leverage hackable IoT devices, which ship with significant security issues, to mount attacks of unprecedented scale. The CyberX research team will continue to research this attack and similar campaigns, in the hope of tracing these botnets to their source before they are put to use. This is a race against time: IoT devices are ubiquitous, and the resulting attacks are very costly.

Additional information can be found at

http://get.cyberx-labs.com/radiation-report