Mirai Used STOMP Floods in Recent DDoS Attacks

The Mirai Internet of Things (IoT) botnet has been using floods of STOMP (Simple Text Oriented Messaging Protocol) traffic to hit targets; the protocol isn’t normally associated with distributed denial of service (DDoS) attacks.

Mirai has been responsible for taking major websites offline for many users by targeting the Dyn DNS service, in addition to hosting firm OVH in attacks that surpassed 1Tbps (terabit per second). Mirai was also used in a 665Gbps+ (gigabit per second) assault on Brian Krebs’ blog. The botnet uses various attack vectors to power these massive attacks, including STOMP floods.

Mirai’s source code was released online in early October, and researchers soon observed an uptick in its use for DDoS attacks. With over half a million IoT devices worldwide susceptible to Mirai infection because of their weak security credentials, it does not come as a surprise that the botnet has already expanded in over 164 countries around the world.

One of the contributors to Mirai’s success in the DDoS landscape is the use of floods of junk STOMP packets, which allow it to ultimately bring down targeted websites. 

Imperva security researchers decided to take a deeper dive into the use of STOMP.

Designed as a simple, text-based application-layer protocol, STOMP is an alternative to other open messaging protocols, including AMQP (Advanced Message Queuing Protocol). It allows applications to communicate with programs written in different programming languages and works over TCP, the same as HTTP.

“A typical STOMP request is a ‘frame’ consisting of a number of lines. The first line contains a command, followed by headers in the form <key>: <value> (one per line). This is followed by body content ending in a null character. Servers use a similar format of headers and body content to respond to the client through a MESSAGE, RECEIPT or ERROR frame,” the researchers say.

Mirai, Imperva researchers explain, uses a TCP STOMP flood, which is a variation of the more familiar ACK flood attack. The process goes as follows: the botnet device opens an authenticated TCP handshake with a targeted application using STOMP; after authentication, junk data disguised as a STOMP TCP request is sent to the target; the flood of fake STOMP requests leads to network saturation.

What’s more, should the target be programmed to parse STOMP requests, the attack will also result in an exhaustion of server resources. “Even if the system drops the junk packets, resources are still used to determine if the message is corrupted,” Imperva explains.

The researchers say that the recent attacks shared similarities with the TCP POST flood used in a massive 8.7Gbps layer 7 attack observed in April. Because network layer attacks are typically filtered off-premises while application layer ones are mitigated on-premises, a bottleneck is created that application layer floods can exploit to deplete network resources.

Mirai’s source code reveals that each STOMP attack request is set by default at 768 bytes. However, with over 100,000 devices abused by the botnet, it’s clear that the attack will reach a high rate and easily saturate an enterprise-grade network that has a 5–10Gbps burst uplink. Smaller networks can be taken down with fewer bots, especially since the default request size can also be increased.

To successfully mitigate a TCP STOMP attack, a solution capable of identifying malicious requests and filtering them out before they’re able to travel through the network is required, the security researchers say. While identifying requests is simple, mainly because STOMP requests aren’t usually received in most applications, the issue is where such requests are dropped.
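The following Python example is added here to make two points from the article concrete: the frame layout quoted from Imperva (command line, `key:value` headers, blank line, body, NUL terminator) and the mitigation idea that STOMP traffic is easy to recognise and should be dropped before it is parsed by an application that never uses the protocol. It is not Imperva’s, Mirai’s or any STOMP library’s code; the sample payloads are constructed, and the `app_speaks_stomp` flag and decision strings are assumptions made for the illustration.

```python
"""STOMP frame validator and edge-filter decision (added example; not from the article)."""
import re
from dataclasses import dataclass

# Client-to-server commands defined by the STOMP 1.x specifications.
CLIENT_COMMANDS = {
    "CONNECT", "STOMP", "SEND", "SUBSCRIBE", "UNSUBSCRIBE", "ACK", "NACK",
    "BEGIN", "COMMIT", "ABORT", "DISCONNECT",
}
HEADER_RE = re.compile(r"^([^:\r\n]+):(.*)$")


class FrameError(ValueError):
    """Raised when bytes do not form a well-formed STOMP frame."""


@dataclass
class StompFrame:
    command: str
    headers: dict
    body: bytes


def parse_frame(raw: bytes) -> StompFrame:
    """Parse one frame: command line, header lines, blank line, body, NUL terminator."""
    if not raw.endswith(b"\x00"):
        raise FrameError("frame must end with a NUL byte")
    # The blank line separating headers from body may use LF or CRLF endings.
    parts = re.split(rb"\r?\n\r?\n", raw[:-1], maxsplit=1)
    if len(parts) != 2:
        raise FrameError("no blank line separating headers from body")
    head, body = parts
    try:
        lines = head.decode("utf-8").split("\n")
    except UnicodeDecodeError as exc:
        raise FrameError("command/header section is not valid UTF-8") from exc
    command = lines[0].rstrip("\r")
    if command not in CLIENT_COMMANDS:
        raise FrameError(f"unknown command {command!r}")
    headers = {}
    for line in lines[1:]:
        match = HEADER_RE.match(line.rstrip("\r"))
        if not match:
            raise FrameError(f"malformed header line {line!r}")
        key, value = match.group(1), match.group(2).strip()  # tolerate "key: value"
        headers.setdefault(key, value)  # STOMP keeps the first value of a repeated header
    return StompFrame(command, headers, body)


def looks_like_stomp(payload: bytes) -> bool:
    """Cheap first-line check that recognises STOMP traffic without a full parse."""
    first_line = payload.split(b"\n", 1)[0].rstrip(b"\r")
    return first_line.decode("ascii", errors="replace") in CLIENT_COMMANDS


def filter_decision(payload: bytes, app_speaks_stomp: bool) -> str:
    """Decide what an edge filter should do with one TCP payload (decision names are assumed).

    'drop-unexpected-protocol': STOMP aimed at an application that never uses it
    'drop-malformed':           STOMP-speaking target, but the frame is junk
    'allow':                    well-formed frame for a STOMP-speaking target
    'pass':                     not STOMP; hand on to whatever filters come next
    """
    if not app_speaks_stomp:
        return "drop-unexpected-protocol" if looks_like_stomp(payload) else "pass"
    try:
        parse_frame(payload)  # the costly path: only taken for hosts that really serve STOMP
    except FrameError:
        return "drop-malformed"
    return "allow"


# Constructed sample payloads (not captures from the attacks described in the article).
GOOD_FRAME = b"SEND\ndestination:/queue/orders\ncontent-type:text/plain\n\nhello\x00"
# Junk disguised as a STOMP request, padded to the 768-byte default size the article cites.
JUNK_FRAME = b"SEND\n" + b"\x8f\x11" * ((768 - 6) // 2) + b"\x00"
# Structurally complete frame whose header section is not valid text.
BAD_HEADER_FRAME = b"SEND\n\xff\xfe\n\nx\x00"
NOT_STOMP = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"

if __name__ == "__main__":
    for name, payload in [("good", GOOD_FRAME), ("junk", JUNK_FRAME),
                          ("bad-header", BAD_HEADER_FRAME), ("http", NOT_STOMP)]:
        print(f"{name:11s} no-stomp-app={filter_decision(payload, False):26s} "
              f"stomp-app={filter_decision(payload, True)}")
```

The design point is the two-tier check: `looks_like_stomp` costs a single line comparison and is enough to reject the flood outright wherever the protected application does not use STOMP, which is the common case the article describes; the full `parse_frame` pass, which is where the “resources are still used to determine if the message is corrupted” cost lives, is reserved for hosts that genuinely serve STOMP. Where that decision runs (on an off-premises edge versus an on-premises appliance) is exactly the bottleneck question the article raises next.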

Hardware solutions that terminate TCP on-premises still allow malicious STOMP requests to travel through the network pipe, which could even make it unavailable. Cloud-based services, however, terminate TCP connections at the edge, meaning that attacks are blocked before reaching the network and the risk of saturating it is eliminated.

“Currently, STOMP assaults are rare. But as the use of Mirai malware becomes increasingly more common, it’s likely we’ll see more of them in the near future. Their existence highlights the importance of off-prem filtering,” Imperva concludes.

Related: Disgruntled Gamer ‘Likely’ Behind October US Hacking: Expert

Related: What’s the Fix for IoT DDoS Attacks?

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
