PINDROP BLOG

Mirai, Google, and the Future of DDoS

OAKLAND–When the Mirai botnet burst onto the scene last year, it did so in style, with two of the largest DDoS attacks on record. One of the initial targets of its wrath was the site run by reporter Brian Krebs, and the attack set off a chain reaction that not only took the site offline but eventually got Google’s anti-DDoS team involved.

Mirai is not the typical botnet, for a number of reasons, including the fact that many of the compromised machines that make it up are actually IoT devices, not normal computers. There are hundreds of thousands of DVRs, CCTV cameras, and other devices in the Mirai network, and attackers have used the botnet to generate enormous attacks. The attack on Krebs on Security hit a peak of more than 600 Gbps, and one that hit French hosting provider OVH a few weeks later was around 1 Tbps.

When the attackers targeted Krebs’s site, it was protected by DDoS mitigation services provided by Akamai. But the company eventually had to drop its protection, which it was providing for free, because the size of the attack was affecting its ability to protect other customers. So Krebs contacted Google, whose parent company, Alphabet, has an incubator called Jigsaw that runs Project Shield, a free DDoS protection service for journalists, news providers, and other sites. The service protects hundreds of sites now, and when Krebs reached out to Google, the company’s anti-DDoS team took on the challenge.


“We thought about it for about an hour because we wondered if this botnet was strong enough to knock us offline. But we figured if Mirai could take us down, then we were probably already at risk anyway,” Damian Menscher, a security reliability engineer who runs Google’s DDoS protection team, said during a talk at the Enigma conference here Wednesday.

Right away, Menscher and his team ran into some hurdles. In order to migrate the site to Project Shield, Krebs needed to prove that he owned the site. But he couldn’t do that because the site was offline at the time. The next option was to show that he controlled the DNS for the site, but Akamai’s Prolexic unit still had that. On top of that, Krebs had locked his domain with the registrar to prevent it from being hijacked, and the provider initially said it couldn’t unlock it on a weekend; Google’s engineers eventually went through contacts at the provider to fix that.

After that was all worked out, Project Shield was able to get Krebs’s site back online. But within 15 minutes of Krebs tweeting that the site was coming online again, the attackers launched another DDoS flood at the site. A minute later the Mirai botnet came back with a fresh attack on the site, too, all of which Google’s system was able to handle. Menscher said the experience defending Krebs on Security taught his team a few lessons.

“Defending a small site is hard. And shared debugging is really hard,” he said. “We’re mostly set up to protect large sites. Attacks are growing exponentially.”

The operation also allowed Google to collect a list of IP addresses involved in the Mirai botnet, which it has shared with law enforcement agencies and other security researchers. Google’s size and position on the Internet give it the ability to see things other companies don’t, and its business model has made availability a top priority.

“Most services are thinking mostly about confidentiality and integrity. At Google we think availability is pretty important,” Menscher said. “There’s a lot to be said for economies of scale.”