Simulating Internet-of-Things / IoT DDoS + Black Nurse with RedWolf
November 29, 2016
How RedWolf has simulated the Mirai DDoS attack:
- RedWolf has completely reverse engineered the Mirai Source Code. We’ve instrumented the Mirai botnet code and is able to launch 100% of the Mirai DDoS capability with 1:1 packet correspondence.
- Highlighted the ‘BlackNurse’ anti-firewall DDoS capability in our UI. Note: This is not a new attack for RedWolf. We have been doing it for years. Because of its recent infamy we have highlighted its existence in our planning tools and user interfaces.
- Developed a methodology to test on-premise and cloud defense functionality against all volumetric and Layer 7 Mirai and Black Nurse attacks.
- This testing can be done at modest bandwidth to prove functionality, but also at large or very large bandwidth levels – legally.
- RedWolf has extended the Mirai source code significantly. A review of the source code shows where the developers are likely to take the capability. RedWolf can now Mirai attacks by providing smooth ramp-up and control of many more attack parameters and variations. If your organization is concerned with Mirai and IoT attacks, you should be concerned about how they can evolve as well. Note: We can not publicly announce the enhancements as they are dangerous – contact RedWolf to find out.
- Upgraded our knowledge base for vendor, architectural and configuration countermeasures should any weaknesses be observed during testing.
Figure 1 – RedWolf ramping up 10 Gigabit/sec increments from different global regions, peaking at 100 Gigabit/sec as part of a test of a national carrier’s DDoS Scrubbing System
Why this matters:
- IoT Botnets are huge: 40,000 to 1 million members. Doing functional testing of defense systems doesn’t require this many IP’s but RedWolf’s cloud testing platform can scale to over 100,000+ attackers if required. You need a lot of real (not simulated) attacking IP’s to make attacks realistic. Traffic should come from all over the world, especially for Layer 7 testing. Internet latency from remote attackers can actually make it harder for mitigation systems to block these attackers.
- The volumetric attacks are larger than ever: RedWolf recommends testing on-premise connectivity to 70 to 90% of the provisioned local capacity and cloud providers to 50-100 Gigabit/sec. Many cloud providers resist tests this large but some allow them. RedWolf will work with you and your protection providers to make the tests as realistic as possible.
- There are new, rarely seen before attack vectors: Black Nurse is a DDoS attack that targets stateful firewalls. Mirai source-code includes ‘TCP Stomp’ attacks that also attack stateful systems. RedWolf knows these attacks are moving beyond TCP/UDP/ICMP with GRE and other protocols not normally seen. Often other protocols are allowed by firewall policy and many default configurations of mitigation systems do not catch them. It is important to include these novel attack vectors into your testing regimen and validate your capabilities.
Why use RedWolf for testing: For 11 years RedWolf has been focused on cloud DDoS testing and we are always in-pace with current and emerging threats. RedWolf quickly obtained and reverse-engineered the Mirai DDoS source code within 24 hours of the first large Mirai attacks. The ‘Black Nurse’ style DDoS that recently made news headlines has been available within the RedWolf platform for years. In total RedWolf has amassed the largest DDoS-on-demand attack library with a constantly updated ‘top 100’ and total library of over 300 unique vectors. RedWolf maintains a stable of over a dozen cutting-edge advanced DDoS vectors developed in-house – these vectors model what the most advanced adversaries are capable of.
If you’d like to do a deep-dive on IoT threats, Mirai, Black Nurse, or any other aspect of the DDoS testing services we offer please contact us and we would be happy to share our knowledge and experience.
RedWolf DDoS tests are designed and configured in its visual DDoS Test designer, the RedWolf platform gui.
