A failed Mirai botnet attack left 900,000 of Deutsche Telekom’s network customers without Internet this weekend (continuing into this week) after a botched attempt to hijack consumer routers in Germany. The large-scale attack was designed to quietly recruit the devices for a wider botnet attack, and it follows findings released this week that cybercriminals have begun exploiting a critical flaw that may be in millions of home routers. Dilip Pillaipakam, VP/GM of service provider business at Infoblox, commented below.
Dilip Pillaipakam, VP/GM of Service Provider Business at Infoblox:
“In this latest attack, the attackers were clearly trying to recruit a large botnet of CPE gear for further DDoS attacks. Although the attack failed, there appears to be additional unexplained scanning being done on different ports that could be going after different vulnerabilities, so this probably won’t be the last we see of this.
“The attack on Deutsche Telekom is a wake-up call that carriers are vulnerable to today’s large-scale DDoS attacks. This latest attack highlights for telcos the importance of remaining vigilant and creating safeguards against today’s increasingly sophisticated botnet and malware attacks. Consumers around the world look to telcos to provide connectivity and 24/7 Internet service and the failure to do so can cost telcos millions of dollars in lost revenue and brand reputation, not to mention incurring customer wrath. Moreover, the fact that cybercriminals are beginning to exploit vulnerabilities in consumer routers has frightening implications as it means our homes and home networks are no longer safe.”
Best practices comment
“Attacks such as the Deutsche Telekom attack in Germany can be used to change settings that enable communication with command and control (C&C) sites via DNS. As there is no silver bullet to protect from such attacks, service providers need multiple protection mechanisms, including DNS-based protection mechanisms. Service providers can use many tactics to battle against these kinds of attacks, including:
- Anycast implementations using BFD to help maintain service uptime and localise failures and volumetric attacks. Implementation of multiple anycast groups can help prevent cascade failures due to volumetric attacks
- Response policy zones (RPZ), with appropriate threat feeds to block communication with C&C infrastructure
- Network analytics to identify active security threats and prevent tunnelling breaches
- Advanced DNS protection, coupled with elastic scaling NFV capability to help absorb an initial attack so the security ecosystem can identify flows that need to be blocked or scrubbed
- An architecture that leverages fault segmentation, redundancy and recoverability. For telcos and other service providers, I recommend separating caching and authoritative DNS on separate network segments as well as at multiple locations in order to ensure carrier-grade reliability and minimal network downtime.”
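
To make the response policy zone (RPZ) item in the list above concrete, here is an added example (not part of the original comment and not Infoblox code) that turns a threat feed of C&C domains into an RPZ zone file a recursive resolver can load. The feed format (one domain per line), the zone origin `rpz.example.`, the function names and the sample domains are assumptions made for illustration.

```python
import re

# Constructed sample feed (not real indicators); reserved .example names only.
SAMPLE_FEED = """\
# constructed C&C feed
cnc.botnet.example
Update.Malware.example.
cnc.botnet.example
not a domain!
"""

# One DNS label: letters, digits, hyphen; no leading or trailing hyphen.
LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")

def parse_feed(text):
    """Return sorted, de-duplicated, validated domain names from a feed."""
    names = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip().lower().rstrip(".")
        if not line:
            continue
        labels = line.split(".")
        # Reject junk so a bad feed entry cannot corrupt the zone file.
        if len(line) <= 253 and len(labels) >= 2 and all(LABEL.match(l) for l in labels):
            names.add(line)
    return sorted(names)

def build_rpz(domains, origin="rpz.example.", serial=1):
    """Render an RPZ zone; 'CNAME .' makes the resolver answer NXDOMAIN."""
    out = [
        f"$ORIGIN {origin}",
        "$TTL 300",
        f"@ IN SOA localhost. hostmaster.localhost. {serial} 3600 600 86400 300",
        "@ IN NS localhost.",
    ]
    for d in domains:
        out.append(f"{d} IN CNAME .")    # the listed name itself
        out.append(f"*.{d} IN CNAME .")  # every subdomain of it
    return "\n".join(out) + "\n"

def is_blocked(qname, domains):
    """Mirror the zone's policy: exact match or any subdomain of a listed name."""
    q = qname.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in domains)

if __name__ == "__main__":
    print(build_rpz(parse_feed(SAMPLE_FEED)))
```

The serial must increase on every regeneration so that secondary resolvers pick up the updated policy.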