Tuesday, October 3, 2017

Survival in age of pervasive DDoS

In this presentation, we will discuss a significant new evolution of the standard DDoS attack model which presents unique challenges for network operators and end-customers alike. Attack methodologies, the novel incorporation of both general-purpose computers and ubiquitous IoT devices working in concert, the use of in-depth reconnaissance techniques previously associated with online espionage and fraud activities, and discussion of the changing nature of attackers will be covered, along with a discussion of the DDoS detection/classification/mitigation techniques, enhanced operational capabilities, and new service delivery models which will be required to successfully defend against these attacks.

CES: A major new IoT attack vector was created recently but is not yet much used: a Windows-based Mirai loader has crossed platform boundaries and is infecting IoT devices inside enterprise networks. The point of the talk is that the vast majority of enterprise networks are not protected, because most enterprise designers succumbed to the delusion that the border firewall was protecting the routers and switches as well.

CES: Therefore, IoT-generated attacks from within the enterprise will bring those networks to a halt. (He reports that a 300 pps SYN flood to the BGP port on a Cat 6500 pegs the CPU and kills BGP. Yep. Those SYNs are addressed to the switch itself and are punted to the control plane, which is exactly what an infrastructure ACL or control-plane policing is supposed to stop, and most enterprises have neither.) So the issue is that "network security" as exemplified by firewalls creates a "crunchy outside, chewy inside" model that is vulnerable to IoT bots, which Mirai is now placing inside the firewall via weak credentials on Windows services.


From the slide describing the Windows Mirai loader:

• After infecting Windows computers using remote brute-force attacks (MySQL, MSSQL, RDP, WMI), it proceeds to scan for and infect IoT devices with Mirai binaries using the Mirai scanning and spreading techniques described earlier.
• After infection, the IoT devices connect back to the C&C server and proceed to scan for and infect other IoT devices.
• It is built in a modular fashion and has the capabilities to scan for, infect and control IoT devices of different architectures, all in a fully automated fashion.
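The two observable symptoms above (an internal host SYN-flooding the BGP port of a switch, and a Windows host brute-forcing MySQL/MSSQL/RDP/WMI across the subnet before the telnet scanning starts) are both visible in flow telemetry the enterprise usually already collects. The script below is an added example written for these notes, not code from the talk or from Arbor; the flow records, the address ranges (10.255.0.0/24 as the infrastructure range), the 300 pps threshold taken from the Cat 6500 figure, and the fan-out threshold of 10 distinct targets are all assumptions, and the sample flows are constructed.

```python
"""Detect Mirai-style activity originating inside the enterprise from flow records.

Added example (not from the talk or from Arbor). Two detections over
constructed NetFlow-like records:
  1. SYN-only packets from internal hosts to TCP/179 on infrastructure
     addresses, summed per destination per second. The 300 pps threshold
     is the Cat 6500 figure from the talk (assumption: used as alert level).
  2. Internal hosts sending SYN-only probes to the Windows service ports the
     Windows Mirai loader brute-forces (MySQL, MSSQL, RDP, WMI/RPC) and the
     Mirai telnet targets, across many distinct destinations.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    ts: int           # flow start, epoch seconds
    src: str
    dst: str
    proto: str        # "tcp" or "udp"
    dport: int
    packets: int
    tcp_flags: str    # cumulative TCP flags seen in the flow, e.g. "S", "SA", "SPAF"


INFRA_NETS = [ip_network("10.255.0.0/24")]   # assumed router/switch addresses
INTERNAL_NETS = [ip_network("10.0.0.0/8")]   # assumed enterprise space
BGP_PORT = 179
BGP_SYN_PPS_THRESHOLD = 300                  # from the talk: ~300 pps pegs a Cat 6500 CPU
LOADER_PORTS = {3306: "mysql", 1433: "mssql", 3389: "rdp", 135: "wmi/rpc",
                23: "telnet", 2323: "telnet-alt"}
SCAN_FANOUT_THRESHOLD = 10                   # assumed: distinct targets per service


def in_any(addr, nets):
    a = ip_address(addr)
    return any(a in n for n in nets)


def is_syn_only(flags):
    # A half-open probe or flood leaves only the SYN bit; any ACK means a
    # handshake progressed (legitimate BGP keepalives show up as "PA").
    return "S" in flags and "A" not in flags


def detect_bgp_syn_flood(flows, threshold=BGP_SYN_PPS_THRESHOLD):
    """Return {(dst, second): pps} where SYN-only traffic to TCP/179 on an
    infrastructure address from inside the enterprise reaches the threshold."""
    pps = Counter()
    for f in flows:
        if (f.proto == "tcp" and f.dport == BGP_PORT and is_syn_only(f.tcp_flags)
                and in_any(f.src, INTERNAL_NETS) and in_any(f.dst, INFRA_NETS)):
            pps[(f.dst, f.ts)] += f.packets
    return {k: v for k, v in pps.items() if v >= threshold}


def detect_loader_scanning(flows, fanout=SCAN_FANOUT_THRESHOLD):
    """Return {src: {service: distinct_targets}} for internal hosts that probed
    at least `fanout` distinct hosts on one of the loader's brute-force ports."""
    targets = defaultdict(lambda: defaultdict(set))
    for f in flows:
        if (f.proto == "tcp" and f.dport in LOADER_PORTS and is_syn_only(f.tcp_flags)
                and in_any(f.src, INTERNAL_NETS)):
            targets[f.src][LOADER_PORTS[f.dport]].add(f.dst)
    result = {}
    for src, per_service in targets.items():
        hits = {svc: len(d) for svc, d in per_service.items() if len(d) >= fanout}
        if hits:
            result[src] = hits
    return result


def sample_flows():
    """Constructed records: an infected camera flooding a core switch, a compromised
    Windows host sweeping the subnet for MSSQL/RDP, and some benign traffic."""
    flows = []
    # Camera 10.20.1.77 -> switch 10.255.0.1:179, SYN-only, 3 x 120 packets in one second = 360 pps
    for _ in range(3):
        flows.append(Flow(1000, "10.20.1.77", "10.255.0.1", "tcp", 179, 120, "S"))
    # Legitimate iBGP session between two routers: established, carries ACKs
    flows.append(Flow(1000, "10.255.0.2", "10.255.0.1", "tcp", 179, 5, "PA"))
    # Windows host 10.30.5.9 probing 12 hosts on MSSQL and RDP, only 3 on MySQL
    for i in range(12):
        flows.append(Flow(1001 + i, "10.30.5.9", f"10.30.5.{100 + i}", "tcp", 1433, 1, "S"))
        flows.append(Flow(1001 + i, "10.30.5.9", f"10.30.5.{100 + i}", "tcp", 3389, 1, "S"))
    for i in range(3):
        flows.append(Flow(1020, "10.30.5.9", f"10.30.6.{10 + i}", "tcp", 3306, 1, "S"))
    # Benign: a workstation completing a handshake with one SQL server
    flows.append(Flow(1000, "10.30.5.50", "10.30.5.200", "tcp", 1433, 40, "SPAF"))
    return flows


if __name__ == "__main__":
    flows = sample_flows()
    print("BGP SYN floods:", detect_bgp_syn_flood(flows))
    print("Loader-style scanning:", detect_loader_scanning(flows))
```

The SYN-only test is what keeps the established BGP session and the workstation's real SQL connection out of both detections; a flood or a credential sweep never completes the handshake, so its flow records carry the SYN bit alone. Thresholds will need tuning per site, but the shape of the logic is the point: the source addresses are internal, so a border-only view sees nothing.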
CES: The main point he wanted people to understand is that this DDoS comes from inside the enterprise network, not from outside. People don't appear to understand how vulnerable most enterprise networks are, and he thinks that if and when Mirai attacks happen more often, they will cause network outages inside enterprises that will be hard to recover from.

CES: Another viewpoint is that the Mirai developers have already noticed that it kills the enterprise network and are not using it as much as expected, because a bot that takes down its own network can no longer reach the remote targets the attack was aimed at. So maybe the inside-the-enterprise IoT botnet won't be deployed much. He doesn't know if that is true (he works for Arbor), but he thinks people shouldn't bet on it.


Beer and Gear

Hear the roar of a room packed full of networking geeks: https://youtu.be/aq8eHABgDqk