Mirai botnet leverages STOMP Protocol to power DDoS attacks

Pierluigi Paganini November 18, 2016

Cyber criminals are exploiting the capability of the Mirai botnet to use the STOMP Protocol to launch massive DDoS attacks.

The Linux Mirai IoT malware is one of the most popular cyber threats in the moment, its botnet was used to power the massive attacks against the Dyn DNS service, OVH, Brian Krebs’ blog, and likely against the Liberia.

The source code of the Mirai botnet was leaked online on the Hackforum by the user with moniker “Anna-senpai.”

Experts from FlashPoint spotted more than 500,000 vulnerable devices in the wild, the countries with the highest number of vulnerable devices are Vietnam (80,000), Brazil (62,000) and Turkey (40,000).

mirai-shodan-vulnerable-devices

The Mirai botnet implements various attack vectors, including the STOMP flooding method.

STOMP is a simple application layer, text-based protocol that allows clients communicate with other message brokers. It implements a communication method among for applications developed using different programming languages.

According to experts from Imperva firm , the bot is able to flood the targets with junk STOMP packets.

“In our analysis of Mirai, the malware that recently brought down KrebsOnSecurity and the Dyn DNS service, we described different attack vectors its botnet is programmed to use. Of these, STOMP (Simple Text Oriented Messaging Protocol) floods stood out, largely because this protocol isn’t often used in DDoS assaults.” reads the analysis published by Imperva.

“We decided we should further explain how Mirai uses floods of junk STOMP packets to bring down targeted websites.”

A typical STOMP request is data structure composed of a command, followed by headers in the form <key>: <value> (one per line), and of course a body content ending in a null character.

“A typical STOMP request is a “frame” consisting of a number of lines. The first line contains a command, followed by headers in the form <key>: <value> (one per line). This is followed by body content ending in a null character.” states the analysis.

“Servers use a similar format of headers and body content to respond to the client through a MESSAGE, RECEIPT or ERROR frame.”

Experts from Imperva explained that a TCP STOMP flood is a variation of the common ACK flood attack.

Below the steps of the DDoS STOMP attack:

  • A botnet device uses STOMP to open an authenticated TCP handshake with a targeted application.
  • Once authenticated, junk data disguised as a STOMP TCP request is sent to the target.
  • The flood of fake STOMP requests leads to network saturation.
  • If the target is programmed to parse STOMP requests, the attack may also exhaust server resources. Even if the system drops the junk packets, resources are still used to determine if the message is corrupted.

“Interestingly, the recent attacks shared some similarities with the TCP POST flood we warned about several months ago. Both are attempts at targeting an architectural soft spot in hybrid mitigation deployments.” continues the analysis.

“In these setups, network layer attacks are filtered off-premise, while application layer assaults are mitigated on-premise. This creates a bottleneck that application layer instances can exploit to clog network pipes (explained in more detail here).”

The analysis of the botnet source code reveals that each STOMP attack request is set by default at 768 bytes. Attackers can leverage on a botnet composed of over 100,000 devices that is able to shut down target networks with a 5–10Gbps burst uplink.

A method to mitigate TCP STOMP attack consists in the identification and filtering of malicious requests and filtering them out before they’re able to travel through the network.

Identifying requests is quite simple, the real problem is to discover where such requests are dropped.

“Currently, STOMP assaults are rare. But as the use of Mirai malware becomes increasingly more common, it’s likely we’ll see more of them in the near future. Their existence highlights the importance of off-prem filtering,” Imperva concludes.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs –  Mirai botnet , STOMP)



you might also like

leave a comment