Security researchers have discovered flaws in the Mirai botnet that might be used to mitigate against future attacks from the zombie network.
Scott Tenaglia, a researcher at endpoint security firm Invincea, found a weakness in the HTTP flood attack that Mirai is capable of mounting. Specifically, he found a stack buffer overflow vulnerability in that code which offers a means to crash the process, and therefore terminate the attack from that bot.
Flood attacks are the most straightforward (and crude) way to DDoS a website. The flaw might be leveraged to stop such attacks, though crucially it does not offer a way to prevent other forms of assault. This simple “exploit” is an example of active defence against an IoT botnet that could be used by any DDoS mitigation service to guard against a Mirai-based HTTP flood attack in real time. Although it can’t be used to remove the bot from the IoT device, it can be used to halt the attack originating from that particular device. Unfortunately, it’s specific to the HTTP flood attack, so it would not help mitigate the recent DNS-based DDoS attack that rendered many websites inaccessible.
Hacking back is a controversial approach because it involves making changes to systems in different countries without permission either from a device’s owner, an ISP or carrier. Invincea is keen to add a disclaimer on its research. “We are not advocating counterattack, but merely showing the possibility of using an active defence strategy to combat a new form of an old threat,” Tenaglia said.
Independent researchers described the flaw as an interesting find rather than anything capable of thwarting the threat. “The vuln is genuine, but I can’t see it being exploited to take control, just stop [a] current attack,” noted one researcher.