Malware

Mirai botnet leverages STOMP Protocol to power DDoS attacks

Cyber criminals are exploiting the capability of the Mirai botnet to use the STOMP Protocol to launch massive DDoS attacks.

The Linux Mirai IoT malware is one of the most popular cyber threats in the moment, its botnet was used to power the massive attacks against the Dyn DNS service, OVH, Brian Krebs’ blog, and likely against the Liberia.

The source code of the Mirai botnet was leaked online on the Hackforum by the user with moniker “Anna-senpai.”

Experts from FlashPoint spotted more than 500,000 vulnerable devices in the wild, the countries with the highest number of vulnerable devices are Vietnam (80,000), Brazil (62,000) and Turkey (40,000).

The Mirai botnet implements various attack vectors, including the STOMP flooding method.

STOMP is a simple application layer, text-based protocol that allows clients communicate with other message brokers. It implements a communication method among for applications developed using different programming languages.

According to experts from Imperva firm , the bot is able to flood the targets with junk STOMP packets.

“In our analysis of Mirai, the malware that recently brought down KrebsOnSecurity and the Dyn DNS service, we described different attack vectors its botnet is programmed to use. Of these, STOMP (Simple Text Oriented Messaging Protocol) floods stood out, largely because this protocol isn’t often used in DDoS assaults.” reads the analysis published by Imperva.

“We decided we should further explain how Mirai uses floods of junk STOMP packets to bring down targeted websites.”

A typical STOMP request is data structure composed of a command, followed by headers in the form <key>: <value> (one per line), and of course a body content ending in a null character.

“A typical STOMP request is a “frame” consisting of a number of lines. The first line contains a command, followed by headers in the form <key>: <value> (one per line). This is followed by body content ending in a null character.” states the analysis.

“Servers use a similar format of headers and body content to respond to the client through a MESSAGE, RECEIPT or ERROR frame.”

Experts from Imperva explained that a TCP STOMP flood is a variation of the common ACK flood attack.

Below the steps of the DDoS STOMP attack:

  • A botnet device uses STOMP to open an authenticated TCP handshake with a targeted application.
  • Once authenticated, junk data disguised as a STOMP TCP request is sent to the target.
  • The flood of fake STOMP requests leads to network saturation.
  • If the target is programmed to parse STOMP requests, the attack may also exhaust server resources. Even if the system drops the junk packets, resources are still used to determine if the message is corrupted.

“Interestingly, the recent attacks shared some similarities with the TCP POST flood we warned about several months ago. Both are attempts at targeting an architectural soft spot in hybrid mitigation deployments.” continues the analysis.

“In these setups, network layer attacks are filtered off-premise, while application layer assaults are mitigated on-premise. This creates a bottleneck that application layer instances can exploit to clog network pipes (explained in more detail here).”

The analysis of the botnet source code reveals that each STOMP attack request is set by default at 768 bytes. Attackers can leverage on a botnet composed of over 100,000 devices that is able to shut down target networks with a 5–10Gbps burst uplink.

A method to mitigate TCP STOMP attack consists in the identification and filtering of malicious requests and filtering them out before they’re able to travel through the network.

Identifying requests is quite simple, the real problem is to discover where such requests are dropped.

“Currently, STOMP assaults are rare. But as the use of Mirai malware becomes increasingly more common, it’s likely we’ll see more of them in the near future. Their existence highlights the importance of off-prem filtering,” Imperva concludes.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs –  Mirai botnet , STOMP)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

Cisco addressed high-severity flaws in IOS and IOS XE software

Cisco addressed multiple vulnerabilities in IOS and IOS XE software that can be exploited to…

56 mins ago

Google: China dominates government exploitation of zero-day vulnerabilities in 2023

Google's Threat Analysis Group (TAG) and Mandiant reported a surge in the number of actively…

8 hours ago

Google addressed 2 Chrome zero-days demonstrated at Pwn2Own 2024

Google addressed two zero-day vulnerabilities in the Chrome web browser that have been demonstrated during…

19 hours ago

INC Ransom stole 3TB of data from the National Health Service (NHS) of Scotland

The INC Ransom extortion group hacked the National Health Service (NHS) of Scotland and is threatening…

23 hours ago

CISA adds Microsoft SharePoint bug disclosed at Pwn2Own to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a Microsoft SharePoint vulnerability disclosed at the…

1 day ago

The DDR Advantage: Real-Time Data Defense

This is the advantage of Data Detection and Response (DDR) for organizations aiming to build…

1 day ago

This website uses cookies.