The teens behind the Mirai botnet(spectrum.ieee.org)
spectrum.ieee.org
The teens behind the Mirai botnet
https://spectrum.ieee.org/mirai-botnet
83 comments
> The Department of Justice made the unusual decision not to ask for jail time. In its sentencing memo, the government noted “the divide between [the defendants’] online personas, where they were significant, well-known, and malicious actors in the DDoS criminal milieu and their comparatively mundane ‘real lives’ where they present as socially immature young men living with their parents in relative obscurity.” It recommended five years of probation and 2,500 hours of community service.
Good to read a story where teen hackers get rehabilitated rather than heavily punished and pushed further into crime. That said, they don't really strike me as genius hackers. More just opportunistic and perpetually online.
Good to read a story where teen hackers get rehabilitated rather than heavily punished and pushed further into crime. That said, they don't really strike me as genius hackers. More just opportunistic and perpetually online.
I thought the more fascinating part was the mandate, as part of the community service, to help the FBI in tracking down additional abusers of Mirai and the resulting success. Seems like the best possible turnout for all parties involved.
These teens convinced themselves that what they were doing was in some way "acceptable", and consequently caused quite a lot of damage.
Other teens convince themselves that some shoplifting, or car stealing, or drug dealing is "acceptable".
Why does the first group get a pass?
Other teens convince themselves that some shoplifting, or car stealing, or drug dealing is "acceptable".
Why does the first group get a pass?
If our society was teetering in the edge of chaos because we couldn’t figure out how to prevent shoplifting maybe there would be a push to exploit the minds of people who can probe the dark mysteries of stealing Tide from CVS.
It doesn't take a genius to hack something. It just takes a curious software engineer with time on their hands.
> Good to read a story where teen hackers get rehabilitated rather than heavily punished and pushed further into crime. That said, they don't really strike me as genius hackers. More just opportunistic and perpetually online.
Rehabilitation is an excellent path, but removing consequences makes rehabilitation significantly less effective. It does not need to be either - or.
It also furthers an apparent divide of justice system, irrelevant if it does or does not exists.
Rehabilitation is an excellent path, but removing consequences makes rehabilitation significantly less effective. It does not need to be either - or.
It also furthers an apparent divide of justice system, irrelevant if it does or does not exists.
> It might be surprising that DDoS providers could advertise openly on the Web. After all, DDoSing another website is illegal everywhere. To get around this, these “booter services” have long argued they perform a legitimate function: providing those who set up Web pages a means to stress test websites.
This reminded me of a Wired article[1] from a few weeks back that argued that many of the kids using these services to DDoS their friends/rivals don't realize they're illegal—so federal agencies are taking out keyword ads to warn potential users:
> In fact, he and other members of [cybercrime-busting group] Big Pipes argue that most booter customers seem to believe—or convince themselves—that merely paying to use one of the services to knock out an adversary’s internet connection isn’t against the law, or at least isn’t an enforceable crime. When the UK’s National Crime Agency (NCA) ran a six-month Google advertising campaign in 2018 to intercept people seeking booter services and warn them about their illegality, Clayton’s research group found that attack traffic in the UK remained flat for those six months, while it increased at its usual pace in other countries.
> In the years since, law enforcement agencies seem to have learned from that experiment: The FBI now also buys similar Google advertisements to warn potential booter customers that paying for the services is a crime. The UK’s NCA, meanwhile, has not only launched new advertising campaigns but even run its own fake booter services to identify would-be customers and then send them warnings—sometimes even with in-person visits—about the consequences of paying for criminal DDOS attacks.
[1] https://www.wired.com/story/big-pipes-ddos-for-hire-fbi/ (For the relevant bits, scroll to the "Honeypots, Google Ads, Knock-and-Talks" section)
This reminded me of a Wired article[1] from a few weeks back that argued that many of the kids using these services to DDoS their friends/rivals don't realize they're illegal—so federal agencies are taking out keyword ads to warn potential users:
> In fact, he and other members of [cybercrime-busting group] Big Pipes argue that most booter customers seem to believe—or convince themselves—that merely paying to use one of the services to knock out an adversary’s internet connection isn’t against the law, or at least isn’t an enforceable crime. When the UK’s National Crime Agency (NCA) ran a six-month Google advertising campaign in 2018 to intercept people seeking booter services and warn them about their illegality, Clayton’s research group found that attack traffic in the UK remained flat for those six months, while it increased at its usual pace in other countries.
> In the years since, law enforcement agencies seem to have learned from that experiment: The FBI now also buys similar Google advertisements to warn potential booter customers that paying for the services is a crime. The UK’s NCA, meanwhile, has not only launched new advertising campaigns but even run its own fake booter services to identify would-be customers and then send them warnings—sometimes even with in-person visits—about the consequences of paying for criminal DDOS attacks.
[1] https://www.wired.com/story/big-pipes-ddos-for-hire-fbi/ (For the relevant bits, scroll to the "Honeypots, Google Ads, Knock-and-Talks" section)
During that time frame, I recall some top players being directy impacted by targeted DDOS attacks from other players. It wasn't too common only because people learned to protect their IP addresses, or change them periodically.
The Mirai botnet had a very negative impact on game play for several servers, and I would argue it was the key factor in the demise of at least one of the servers simply because it rendered certain games unplayable.
The Mirai botnet had a very negative impact on game play for several servers, and I would argue it was the key factor in the demise of at least one of the servers simply because it rendered certain games unplayable.
> The Mirai botnet had a very negative impact on game play for several servers
It's not clear what you're talking about when you say "several servers" or "one of the servers". What servers are you referring to?
It's not clear what you're talking about when you say "several servers" or "one of the servers". What servers are you referring to?
> To get around this, these “booter services” have long argued they perform a legitimate function: providing those who set up Web pages a means to stress test websites.
Don't these botnet services run on compromised computer systems?
Don't these botnet services run on compromised computer systems?
For botnets, yes.
For L7 request floods - they spin up a few dozen machines and use open & private proxies to funnel http requests thru. Sometimes those proxies are misconfigured squid, sometimes it's private proxy services, sometimes it's compromised machines converted into proxies (which may be open or require auth / has been sold).
For L3/L4 amplification/reflection they're buying machines where they can spoof and using UDP amplification lists (other people's machines) to reflect off of (and obviously not getting permission to, etc.).
For L7 request floods - they spin up a few dozen machines and use open & private proxies to funnel http requests thru. Sometimes those proxies are misconfigured squid, sometimes it's private proxy services, sometimes it's compromised machines converted into proxies (which may be open or require auth / has been sold).
For L3/L4 amplification/reflection they're buying machines where they can spoof and using UDP amplification lists (other people's machines) to reflect off of (and obviously not getting permission to, etc.).
This is abstracted away from the customer and there is a wider and richer grayscale than at least I imagined before working at a data company and looking at IP providers for outbound. You have your TV sticks and VPN providers where a careful squinting at the ToS will tell you that users on the other end are signing off on the right to have their bandwidth leased. I don't see how else the supposedly legitimate providers of residential IPs could possibly offer the supply, geo-diversity, and pricing they do.
free hosting
I find it extremely interesting that the fbi buys ads for illegal stuff, rather than Google Just putting up a warning when you search for ddos services
I mean, it's not illegal to search for those keywords, so Google doesn't have much of an incentive to stop running ads on them (at least of their own free will). I'm sure "triple homicide" is a hot keyword for advertising the latest true crime podcast or whatever.
Granted, I'm also a little surprised that the FBI didn't just twist Google's arm about it, but who knows. Maybe Google did them a solid and doesn't actually charge for the ad space, or maybe the FBI is just trying to play nice since Google has plenty of federal contracts.
Granted, I'm also a little surprised that the FBI didn't just twist Google's arm about it, but who knows. Maybe Google did them a solid and doesn't actually charge for the ad space, or maybe the FBI is just trying to play nice since Google has plenty of federal contracts.
> I'm also a little surprised that the FBI didn't just twist Google's arm about it
Just twist their arm? What does it mean for the FBI to twist Google's arm?
Just twist their arm? What does it mean for the FBI to twist Google's arm?
? I'm not entirely sure what you mean.
What I was trying to convey was that the FBI could have exerted some kind of pressure to get Google to run the anti-booter ads of their own volition instead of the FBI (presumably) buying the ads like anyone else would buy ads. I have no idea what that kind of pressure would entail cuz I don't work for the feds and couldn't say what their "do this or else" strategies are like, lol.
What I was trying to convey was that the FBI could have exerted some kind of pressure to get Google to run the anti-booter ads of their own volition instead of the FBI (presumably) buying the ads like anyone else would buy ads. I have no idea what that kind of pressure would entail cuz I don't work for the feds and couldn't say what their "do this or else" strategies are like, lol.
It doesn't cost that much compared to their budget, so it's easier to pay for ads than get into a fight with Google lawyers.
What do you mean by pressure?
I think that you are making an assumption about how the FBI operates.
I think that you are making an assumption about how the FBI operates.
Right, I am assuming, because I'm not particularly familiar with the workings of the FBI lol.
Surely it's obvious that by "pressure" I'm referring to the threat of some sort of nebulous legal-y action if Google didn't comply with [xyz request]. Is that not how law enforcement functions? (I'd be shocked if they were asking very nicely and offering to take Google out to dinner.)
Surely it's obvious that by "pressure" I'm referring to the threat of some sort of nebulous legal-y action if Google didn't comply with [xyz request]. Is that not how law enforcement functions? (I'd be shocked if they were asking very nicely and offering to take Google out to dinner.)
The point is that the real world is not a thriller movie. No, the FBI doesn't do that.
Correct, the fbi never breaks the law or does anything not strictly above board.
What exactly do they do, then?
Of course they do, though not to a big company like Google for something trivial like this when they could pay a bit of money. Threats aren't cost free.
Why would google do that for free when they can get paid?
[deleted]
charcircuit(2)
> The UK’s NCA, meanwhile, has not only launched new advertising campaigns but even run its own fake booter services to identify would-be customers and then send them warnings—sometimes even with in-person visits—about the consequences of paying for criminal DDOS attacks.
The FBI would be indicting them, not just warning them -- go to all that trouble of setting up a fake site, and then you just give up actually indicting them for their crime? What's even the point of that? That they didn't know it was a fake site is no defense, the FBI routinely, say, sells people fake bombs and then indicts them.
The FBI would be indicting them, not just warning them -- go to all that trouble of setting up a fake site, and then you just give up actually indicting them for their crime? What's even the point of that? That they didn't know it was a fake site is no defense, the FBI routinely, say, sells people fake bombs and then indicts them.
There's an extreme difference in severity between trying to buy a bomb and trying to pay for DDoSaaS. I'd rather people come out of this sort of thing unscathed but wiser, especially if they're simply ignorant of the law, which seems to be the objective of that tactic.
Besides, if something is illegal and there's a significant portion of offenders who are truly ignorant of its illegality, perhaps a new approach to education is needed, which this tactic also covers.
Maybe other organizations will take notes...
Besides, if something is illegal and there's a significant portion of offenders who are truly ignorant of its illegality, perhaps a new approach to education is needed, which this tactic also covers.
Maybe other organizations will take notes...
The NCA too, not just the FBI. But the Wired article goes on to say:
> Big Pipes’ Allison Nixon says she hopes that softer tactics like those can intercept would-be booter service operators early, before they start committing felonies: She’s found that most booter operators start as customers before launching their own service. But for people who aren’t dissuaded by those interventions, she says, Big Pipes and its partners at the FBI will still be watching them.
> “The hope is that this whole show of force will convince some of them to quit and get a real job,” Nixon says. “We want to send a message that there are people tracking you. There are people paying attention to you. We have our eyes on you, we might get you next. And it might not even be on Christmas.”
So the honeypots sound like a sort of catch-and-release strategy to scare kids before they start their own DDoS enterprises.
> Big Pipes’ Allison Nixon says she hopes that softer tactics like those can intercept would-be booter service operators early, before they start committing felonies: She’s found that most booter operators start as customers before launching their own service. But for people who aren’t dissuaded by those interventions, she says, Big Pipes and its partners at the FBI will still be watching them.
> “The hope is that this whole show of force will convince some of them to quit and get a real job,” Nixon says. “We want to send a message that there are people tracking you. There are people paying attention to you. We have our eyes on you, we might get you next. And it might not even be on Christmas.”
So the honeypots sound like a sort of catch-and-release strategy to scare kids before they start their own DDoS enterprises.
Right, I was amazed that the NCA seemed to be kinder and gentler than the FBI, which has no problem entrapping people and then putting them in prison.
> What's even the point
Education
Education
"The Rutgers IT department is a joke. This is the third time I have launched DDoS attacks against Rutgers, and every single time, the Rutgers infrastructure crumpled like a tin can under the heel of my boot."
The fact that people think this is impressive is mind boggling to me
The fact that people think this is impressive is mind boggling to me
I don't get it either. Do people not comprehend the scale of the attack they are performing? There's only so much defense any entity can put up.
> "Unfortunately for the owner, he was a big fan of Japanese anime and thus fit the profile of the hacker."
"That's some first class detective work Agent Johnson"
I didn't know ieee had been putting out articles like this, I'll be bookmarking their feed. Thanks OP!
If anybody from ieee is reading this, I'd appreciate more of this type of content, maybe even longer format like you'd find on LRB.
If anybody from ieee is reading this, I'd appreciate more of this type of content, maybe even longer format like you'd find on LRB.
It's interesting that a potentially very large amount of people have the necessary technical skills to set up large botnets. It's mostly teenagers that do it in the Western world since they're both stupidly brave and at the right level of technical knowledge to be able to do the hacking without understanding how much evidence they're leaving behind. Or perhaps they think themselves invincible anyway.
I've known a lot of people who did DDoS and it's honestly like speeding. Chances are that everyone is already doing it so you're not going to get caught, unless you decide to go 140 mph in a 55 mph zone or DDoS Chase bank.
DDoSing your own university and then disclosing publicly it is like going 140 mph in a 55 mph zone though.
DDoSing your own university and then disclosing publicly it is like going 140 mph in a 55 mph zone though.
From Yale Law professor and frequent shitposter Scott Shapiro’s new book, Fancy Bear Goes Phishing https://www.penguin.co.uk/authors/122489/scott-shapiro
FWIW, he's in Sausalito and SF tomorrow if you want to go chat with him;
https://twitter.com/scottjshapiro/status/1661465332832239618
https://twitter.com/scottjshapiro/status/1661465332832239618
I was a Rutgers student when this was happening. I recall some final assignments and exams getting canceled when they attacked the Rutgers network.
When the news broke about the perpetrators behind Mirai and specifically the Dyn attack, I was shocked that such a high-impact attack originated from one of my classmates in the CS department.
When the news broke about the perpetrators behind Mirai and specifically the Dyn attack, I was shocked that such a high-impact attack originated from one of my classmates in the CS department.
I was a student at the same time, and if memory serves correctly, the school's authentication server was down for multiple days at a time. This is a requirement to log into pretty much anything on campus. I remember being unable to access Canvas to download assignments and notes or read professor announcements.
> Paras had started his own DDoS-mitigation service, ProTraf Solutions, and wanted Rutgers to pick ProTraf over Incapsula. And he wasn’t going to stop attacking his school until it switched.
Isn't that just a protection racket? I.e. extortion?
Isn't that just a protection racket? I.e. extortion?
Yes? Are we surprised at the boys’ lack of ethics here?
I had thought, from the way the article was phrased, that the student was in an active dialogue with his school, and this makes me think they should've just kicked him out
No worries, I was just trying to be humorous!
So, in the end trio landed a job in FBI. Like from on a movie.
They try to flip every hacker they find because they're staffed by morons.
The giant stories Brian Krebs wrote about these guys is fascinating, there's many more characters tangentially involved (like the Datawagon guy) that aren't covered in this.
Well now I can't wait to read the book this was drawn from.
"Telnet, an outdated system for logging in remotely."
This comment from the article bothered me. No evidence was given as to why it is outdated. I did a little digging to find that Telnet is vulnerable to several different attacks, but all of it can be mitigated by Transport Layer Security (TLS) security and Simple Authentication and Security Layer (SASL) authentication. Of course many devices don't support TLS and SASL. If a device does support the newer standards I think it's wrong to consider it outdated.
Telnet is not used really at all anymore. Most distributions come without it, or have it disabled by default. Historically it was the only way to connect remotely, as it imitated how connections used to work over phone lines. It's definitely outdated, as SSH is now the defacto.
That last part is interesting, it imitated how connections used to work over phone lines, can you talk more about that or provide a link please? Thank you
> but all of it can be mitigated by Transport Layer Security (TLS) security and Simple Authentication and Security Layer (SASL) authentication
At this point anyone sane should question why he would add TLS and SASL to Telnet (and expect to find clients which would support those too) instead of slapping SSH.
It's like asking why anyone would consider a hand-operated drill outdated, since you can slap an electric motor on it.
At this point anyone sane should question why he would add TLS and SASL to Telnet (and expect to find clients which would support those too) instead of slapping SSH.
It's like asking why anyone would consider a hand-operated drill outdated, since you can slap an electric motor on it.
Telnet is extremely, insanely outdated. It's like walking around in Elizabethan clothes. Just because you also strap on a fanny pack and can go to a modern pub in it doesn't make it up to date. Wearing six inch long pointy toes and a giant codpiece just makes you look ridiculous.
Possible reason: telnet lets you log in with username/password, which is much easier to obtain than an ssh key. Encoded traffic doesn't matter. Paras cs. wouldn't have been able to wiretap the affected servers.
When have you last used it?
How could anybody claim that the teletype protocol is outdated? Teletype refers to this: https://en.wikipedia.org/wiki/Teleprinter
It’s outdated in the same way my 90s baggy jeans are outdated. Technically, they still work as clothing, but people find it unusual if I wear them.
Where do you live, though?
"Outdated" is a reasonable moniker for devices that accept cleartext telnet over the open Internet. That you can retrofit security onto telnet by running it over a TLS tunnel is not especially relevant, nor does it make telnet less outdated; secure devices are better off just using SSH.
What makes a protocol outdated? I would argue that outdated protocols "bake in" outdated assumptions. The telnet protocol has a builtin assumption that the network is secure, while newer protocols for remote administration lack this assumption and assume an actively malicious network.
What makes a protocol outdated? I would argue that outdated protocols "bake in" outdated assumptions. The telnet protocol has a builtin assumption that the network is secure, while newer protocols for remote administration lack this assumption and assume an actively malicious network.
the telnet protocol does not have to be used only on the open internet, just as HTTP (insecure) does not have to be either. It can be used internally for whatever reason you want as well. I don't think that makes it outdated.
And what sort of network do you think the IOT devices from the article were designed to be used on? This kind of thought process (well security isn't important if you use it internally) is exactly the sort of attitude that led to the botnets in the article becoming as large and as devastating as they ended up being
"A bad workman blames his tools" - if you're implementing a solution and you choose the wrong tool for the job, the tool is not to blame. If you need a secure protocol, don't use an insecure protocol.
There are still ample use cases for the insecure protocol.
Can you imagine how incompetent the FBI are that they can barely catch some teenagers? Jesus they're embarrassing.
The protocols and networks the internet runs on are ancient and inherently insecure and flaky, but nobody wants to invest in solutions. These attacks have gotten easier, not harder. So I hope these kind of attacks ramp up in intensity and severity to the point that the nation is crippled by some 15 year old anime nerd. Nothing else will get the government or private industry to take security seriously.
The protocols and networks the internet runs on are ancient and inherently insecure and flaky, but nobody wants to invest in solutions. These attacks have gotten easier, not harder. So I hope these kind of attacks ramp up in intensity and severity to the point that the nation is crippled by some 15 year old anime nerd. Nothing else will get the government or private industry to take security seriously.
Here's the catch me if you can sequel hollywood been waiting for. I would certainly watch this.
Edit: Forgot about American Kingpin. That's a more worthy successor.
Edit: Forgot about American Kingpin. That's a more worthy successor.
A botnet called "future'. Meh.
This did not happen [1] as was documented here[2], here and here[3]. It spices up the story but in truth, one of local telcos was affected but they accounted for less than a third of Liberia's Internet traffic. The weekend-like Internet traffic seen on that day was because of a national holiday.
Additional source: I lived in Liberia during that time managing the local IXP.
[1] https://krebsonsecurity.com/2016/11/did-the-mirai-botnet-rea... [2] https://thehackernews.com/2016/11/ddos-attack-mirai-liberia.... [3] https://twitter.com/DougMadory/status/794592487159529472