SlideShare a Scribd company logo

DDOS ATTACK - MIRAI BOTNET

S
Sukhdeep Singh Sandhu

This document discusses DNS flood DDoS attacks and the Mirai botnet. It provides details on how Mirai infects devices, launches attacks, and then conceals its presence. It also outlines five stages of defense against Mirai: awareness, blocking access, finding adversaries, protecting target access, and mitigation plans like vulnerability scanning and traffic monitoring.

Technology
1 of 22
1
2
3
4
5
6
Most read
7
8
9
10
Most read
11
12
Most read
13
14
15
16
17
18
19
20
21
22
CYBER THREAT DNS FLOOD - DDOS ATTACK
DDOS ATTACK • What is DDOS attack • Distributed Denial of Service attack is also referred as DDOS is an attack to bring down the online service of any system by overloading it with request or ping • Types of DDOS • Volume based • Protocol Based • Application Based
DDOS – DNS FLOOD ATTACK • The attacker targets a DNS (Domain Name System) Server of an organization or a geographical zone to utilize its resources • The legitimate users/queries to the DNS Server will not be resolved and resulting in Denial of Service
DDOS ATTACK - MIRAI BOTNET
MIRAI BOTNET MELBOURNE IT – DDOS ATTACK
MIRAI BOTNET 1. Scanning phase 2. Brute Force 3. Report Server 4. Malware Infection 5. Deleting Presence 6. Execution - Attack 7. After Attack
MIRAI BOTNET Scanning phase The first stage is to scan the IP Addresses of potential victim system and the hacker ping random IP addresses to find the genuine ones.
BRUTE FORCE Here it tries to Brute force the victim devices and it uses default password, majorly on IOT Devices
REPORT SERVER & MALWARE INFECTION Once Mirai has successfully login for the first time, it will scan and send the system IP and the user credentials to the Report server
REPORT SERVER & MALWARE INFECTION Loader program will asynchronously infect these vulnerable devices by • Logging in • Determine the system environment and • Finally will download and execute the architecture- specific malware
MIRAI – DELETING PRESENCE • Mirai try to conceal its presence after infecting the device • It will delete the downloaded binary and obfuscating its process name into some pseudorandom alphanumeric string.
ATTACK - MIRAI Once the Zombie machine is created, two major steps for attack is • Zombie machine setup Networking and open PF_INET socket of TCP and use port 48101 to listen to network traffic • When attack is launched, it telnet to the client and start FLOODING
AFTER ATTACK • Mirai use Telnet to communicate to C2 Server, so after the attack is launched it will kill other processes bound to TCP/22 or TCP/23, as well as processes associated with competing bot infections • It also simultaneously scan for new victims
DEFENSE & FORENSIC MIRAI Prevention and Mitigation
FIVE STAGES OF DEFENSE Training and Process plays an very important role in Defending against any cyber attack, in our case of Mirai Botnet, Mirai leaves signature and if the Admin is well aware of them and have followed a proper procedure they can identify the Malware • Any Linux ELF files have a folder as /watchdog/ Awareness
FIVE STAGES OF DEFENSE Training and Process plays an very important role in Defending against any cyber attack, in our case of Mirai Botnet, Mirai leaves signature and if the Admin is well aware of them and have followed a proper procedure they can identify the Malware • Any Linux ELF files have a folder as /watchdog/ • Any Directory with name /dvrHelper Awareness
FIVE STAGES OF DEFENSE Training and Process plays an very important role in Defending against any cyber attack, in our case of Mirai Botnet, Mirai leaves signature and if the Admin is well aware of them and have followed a proper procedure they can identify the Malware • Any Linux ELF files have a folder as /watchdog/ • Any Directory with name /dvrHelper • Block TCP port 48101 Blocking Access Awareness
FIVE STAGES OF DEFENSE • DNS Detection • DNS Logs must be examined for any abnormalities and as shown in the graph any spike, should be examined • Drop Quick Retransmission – any legitimate client will not send same queries again soon. RFC1034 ad RFC1035 suggests, if retransmission is coming from same source it must be dropped Blocking Access Awareness Finding Adversaries
FIVE STAGES OF DEFENSE Mirai Vulnerability Scanner • Simple, yet powerful tool to identify Mirai Vulnerability. It is provided by Incapsula • Cisco NetFlow – Powerful tool to monitor Network traffic such as: • Source IP address • Destination IP address • Source port • Destination port • Layer 3 protocol • TOS byte • Input interface Blocking Access Awareness Finding Adversaries Protecting Target Access
FIVE STAGES OF DEFENSE • Mirai Vulnerability Scanner • Simple, yet powerful tool to identify Mirai Vulnerability. It is provided by Incapsula • Cisco NetFlow – Powerful tool to monitor Network traffic such as: • Source IP address • Destination IP address • Source port • Destination port • Layer 3 protocol • TOS byte • Input interface Blocking Access Awareness Finding Adversaries Protecting Target Access
FIVE STAGES OF DEFENSE DDOS Mitigation plans • Geographic Infrastructure Diversity • Hybrid Cloud Infrastructure • Multi WAN Entry point for Large Enterprise and help from ISP to re- route the traffic • Get help from experts Blocking Access Awareness Finding Adversaries Protecting Target Access Mitigation Plans
DDOS ATTACK - MIRAI BOTNET

More Related Content

PPTX
DNS spoofing/poisoning Attack
Fatima Qayyum
 
PDF
IoT Security, Mirai Revisited
Clare Nelson, CISSP, CIPP-E
 
PPTX
The Mirai Botnet and Massive DDoS Attacks of October 2016
William Slater III
 
PPTX
DoS or DDoS attack
stollen_fusion
 
PPTX
Denial of Service Attacks (DoS/DDoS)
Gaurav Sharma
 
PPTX
Wireshark
Kasun Madusanke
 
PPTX
DDoS - Distributed Denial of Service
Er. Shiva K. Shrestha
 
PPTX
Intrusion Prevention System
Vishwanath Badiger
 
DNS spoofing/poisoning Attack
Fatima Qayyum
 
IoT Security, Mirai Revisited
Clare Nelson, CISSP, CIPP-E
 
The Mirai Botnet and Massive DDoS Attacks of October 2016
William Slater III
 
DoS or DDoS attack
stollen_fusion
 
Denial of Service Attacks (DoS/DDoS)
Gaurav Sharma
 
Wireshark
Kasun Madusanke
 
DDoS - Distributed Denial of Service
Er. Shiva K. Shrestha
 
Intrusion Prevention System
Vishwanath Badiger
 

What's hot (20)

PPTX
Ransomware Attack.pptx
IkramSabir4
 
PPT
IDS and IPS
Santosh Khadsare
 
PDF
Overview of the Cyber Kill Chain [TM]
David Sweigert
 
PPTX
Understanding NMAP
Phannarith Ou, G-CISO
 
PPTX
Basics of Denial of Service Attacks
Hansa Nidushan
 
PDF
12 types of DDoS attacks
Haltdos
 
PDF
Ch 5: Port Scanning
Sam Bowne
 
PDF
Wireless Hacking
VIKAS SINGH BHADOURIA
 
PPTX
Network scanning
oceanofwebs
 
PPT
DDoS Attacks
Jignesh Patel
 
PPT
Honeypot honeynet
Sina Manavi
 
PPT
Firewalls
University of Central Punjab
 
PPT
Dmz
أحلام انصارى
 
PPTX
NMAP - The Network Scanner
n|u - The Open Security Community
 
PDF
DNS (Domain Name System)
Shashidhara Vyakaranal
 
PPTX
Malware & Anti-Malware
Arpit Mittal
 
PPT
Introduction to Malware
amiable_indian
 
PPT
Proxy servers
Kumar
 
PPTX
Recon with Nmap
OWASP Delhi
 
PPT
DDoS Attack PPT by Nitin Bisht
Nitin Bisht
 
Ransomware Attack.pptx
IkramSabir4
 
IDS and IPS
Santosh Khadsare
 
Overview of the Cyber Kill Chain [TM]
David Sweigert
 
Understanding NMAP
Phannarith Ou, G-CISO
 
Basics of Denial of Service Attacks
Hansa Nidushan
 
12 types of DDoS attacks
Haltdos
 
Ch 5: Port Scanning
Sam Bowne
 
Wireless Hacking
VIKAS SINGH BHADOURIA
 
Network scanning
oceanofwebs
 
DDoS Attacks
Jignesh Patel
 
Honeypot honeynet
Sina Manavi
 
Firewalls
University of Central Punjab
 
Dmz
أحلام انصارى
 
NMAP - The Network Scanner
n|u - The Open Security Community
 
DNS (Domain Name System)
Shashidhara Vyakaranal
 
Malware & Anti-Malware
Arpit Mittal
 
Introduction to Malware
amiable_indian
 
Proxy servers
Kumar
 
Recon with Nmap
OWASP Delhi
 
DDoS Attack PPT by Nitin Bisht
Nitin Bisht
 
Ad

Similar to DDOS ATTACK - MIRAI BOTNET (20)

PPTX
DDOS ATTACKS
Shaurya Gogia
 
PPTX
Cyber Security Terms
Suryaprakash Nehra
 
PPTX
How to stay protected against ransomware
Sophos Benelux
 
PDF
13th Symposium of Association of Anti Virus Asia Researchers (AAVAR 2010) con...
Aditya K Sood
 
PPTX
Information about malwares and Attacks.pptx
malikmuzammil2326
 
PDF
BalCcon 2015 - DTS Solution - Attacking the Unknown by Mohamed Bedewi
Shah Sheikh
 
PPTX
Hacking by Pratyush Gupta
Tenet Systems Pvt Ltd
 
PPT
Security and Linux Security
Rizky Ariestiyansyah
 
PPTX
Botnets Attacks.pptx
MuhammadRehan856177
 
PDF
(130119) #fitalk apt, cyber espionage threat
INSIGHT FORENSIC
 
PPTX
BOTNET
SOHITGOBINDAMSHAW
 
PDF
Meet Remaiten : Malware Builds Botnet on Linux based routers and potentially ...
APNIC
 
PPTX
UTM (unified threat management)
military
 
PPT
Hacking tutorial
MSA Technosoft
 
PPTX
Lecture 7 Attacker and there tools.pptx
AsmaaLafi1
 
PPT
Fight fire with fire draft
Nishant Agrawal
 
PPTX
Network Penetration Testing
Mohammed Adam
 
PPT
Hacking
rameswara reddy venkat
 
PPT
Hacking
Roshan Chaudhary
 
PPTX
Ids 009 network attacks
jyoti_lakhani
 
DDOS ATTACKS
Shaurya Gogia
 
Cyber Security Terms
Suryaprakash Nehra
 
How to stay protected against ransomware
Sophos Benelux
 
13th Symposium of Association of Anti Virus Asia Researchers (AAVAR 2010) con...
Aditya K Sood
 
Information about malwares and Attacks.pptx
malikmuzammil2326
 
BalCcon 2015 - DTS Solution - Attacking the Unknown by Mohamed Bedewi
Shah Sheikh
 
Hacking by Pratyush Gupta
Tenet Systems Pvt Ltd
 
Security and Linux Security
Rizky Ariestiyansyah
 
Botnets Attacks.pptx
MuhammadRehan856177
 
(130119) #fitalk apt, cyber espionage threat
INSIGHT FORENSIC
 
BOTNET
SOHITGOBINDAMSHAW
 
Meet Remaiten : Malware Builds Botnet on Linux based routers and potentially ...
APNIC
 
UTM (unified threat management)
military
 
Hacking tutorial
MSA Technosoft
 
Lecture 7 Attacker and there tools.pptx
AsmaaLafi1
 
Fight fire with fire draft
Nishant Agrawal
 
Network Penetration Testing
Mohammed Adam
 
Hacking
rameswara reddy venkat
 
Hacking
Roshan Chaudhary
 
Ids 009 network attacks
jyoti_lakhani
 
Ad

Recently uploaded (20)

PDF
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
PPT
Teaching material agriculture food technology
LiaRayya
 
PPTX
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
ReZa AdineH
 
PDF
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
PDF
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
PDF
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
PDF
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
PDF
KodekX | Application Modernization Development
KodekX
 
PDF
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
PDF
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
PDF
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
PDF
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
PPTX
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
PDF
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
PDF
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
PDF
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
PDF
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
PDF
MIND Revenue Release Quarter 2 2025 Press Release
MIND CTI
 
PDF
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
PDF
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
Teaching material agriculture food technology
LiaRayya
 
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
ReZa AdineH
 
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
KodekX | Application Modernization Development
KodekX
 
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
MIND Revenue Release Quarter 2 2025 Press Release
MIND CTI
 
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 

DDOS ATTACK - MIRAI BOTNET

  • 1. CYBER THREAT DNS FLOOD - DDOS ATTACK
  • 2. DDOS ATTACK • What is DDOS attack • Distributed Denial of Service attack is also referred as DDOS is an attack to bring down the online service of any system by overloading it with request or ping • Types of DDOS • Volume based • Protocol Based • Application Based
  • 3. DDOS – DNS FLOOD ATTACK • The attacker targets a DNS (Domain Name System) Server of an organization or a geographical zone to utilize its resources • The legitimate users/queries to the DNS Server will not be resolved and resulting in Denial of Service
  • 5. MIRAI BOTNET MELBOURNE IT – DDOS ATTACK
  • 6. MIRAI BOTNET 1. Scanning phase 2. Brute Force 3. Report Server 4. Malware Infection 5. Deleting Presence 6. Execution - Attack 7. After Attack
  • 7. MIRAI BOTNET Scanning phase The first stage is to scan the IP Addresses of potential victim system and the hacker ping random IP addresses to find the genuine ones.
  • 8. BRUTE FORCE Here it tries to Brute force the victim devices and it uses default password, majorly on IOT Devices
  • 9. REPORT SERVER & MALWARE INFECTION Once Mirai has successfully login for the first time, it will scan and send the system IP and the user credentials to the Report server
  • 10. REPORT SERVER & MALWARE INFECTION Loader program will asynchronously infect these vulnerable devices by • Logging in • Determine the system environment and • Finally will download and execute the architecture- specific malware
  • 11. MIRAI – DELETING PRESENCE • Mirai try to conceal its presence after infecting the device • It will delete the downloaded binary and obfuscating its process name into some pseudorandom alphanumeric string.
  • 12. ATTACK - MIRAI Once the Zombie machine is created, two major steps for attack is • Zombie machine setup Networking and open PF_INET socket of TCP and use port 48101 to listen to network traffic • When attack is launched, it telnet to the client and start FLOODING
  • 13. AFTER ATTACK • Mirai use Telnet to communicate to C2 Server, so after the attack is launched it will kill other processes bound to TCP/22 or TCP/23, as well as processes associated with competing bot infections • It also simultaneously scan for new victims
  • 14. DEFENSE & FORENSIC MIRAI Prevention and Mitigation
  • 15. FIVE STAGES OF DEFENSE Training and Process plays an very important role in Defending against any cyber attack, in our case of Mirai Botnet, Mirai leaves signature and if the Admin is well aware of them and have followed a proper procedure they can identify the Malware • Any Linux ELF files have a folder as /watchdog/ Awareness
  • 16. FIVE STAGES OF DEFENSE Training and Process plays an very important role in Defending against any cyber attack, in our case of Mirai Botnet, Mirai leaves signature and if the Admin is well aware of them and have followed a proper procedure they can identify the Malware • Any Linux ELF files have a folder as /watchdog/ • Any Directory with name /dvrHelper Awareness
  • 17. FIVE STAGES OF DEFENSE Training and Process plays an very important role in Defending against any cyber attack, in our case of Mirai Botnet, Mirai leaves signature and if the Admin is well aware of them and have followed a proper procedure they can identify the Malware • Any Linux ELF files have a folder as /watchdog/ • Any Directory with name /dvrHelper • Block TCP port 48101 Blocking Access Awareness
  • 18. FIVE STAGES OF DEFENSE • DNS Detection • DNS Logs must be examined for any abnormalities and as shown in the graph any spike, should be examined • Drop Quick Retransmission – any legitimate client will not send same queries again soon. RFC1034 ad RFC1035 suggests, if retransmission is coming from same source it must be dropped Blocking Access Awareness Finding Adversaries
  • 19. FIVE STAGES OF DEFENSE Mirai Vulnerability Scanner • Simple, yet powerful tool to identify Mirai Vulnerability. It is provided by Incapsula • Cisco NetFlow – Powerful tool to monitor Network traffic such as: • Source IP address • Destination IP address • Source port • Destination port • Layer 3 protocol • TOS byte • Input interface Blocking Access Awareness Finding Adversaries Protecting Target Access
  • 20. FIVE STAGES OF DEFENSE • Mirai Vulnerability Scanner • Simple, yet powerful tool to identify Mirai Vulnerability. It is provided by Incapsula • Cisco NetFlow – Powerful tool to monitor Network traffic such as: • Source IP address • Destination IP address • Source port • Destination port • Layer 3 protocol • TOS byte • Input interface Blocking Access Awareness Finding Adversaries Protecting Target Access
  • 21. FIVE STAGES OF DEFENSE DDOS Mitigation plans • Geographic Infrastructure Diversity • Hybrid Cloud Infrastructure • Multi WAN Entry point for Large Enterprise and help from ISP to re- route the traffic • Get help from experts Blocking Access Awareness Finding Adversaries Protecting Target Access Mitigation Plans