Just 10 days before the end of 2016, researchers from Imperva uncovered a massive 650Gbps DDoS attack generated by a new internet of things (IoT) botnet, dubbed “Leet” after a character string in the payload. It’s the first that can rival Mirai.
The attack—the largest on record for the firm’s network—began around 10:55 a.m. on December 21, targeting several anycasted IPs on the Imperva Incapsula network. The first DDoS burst lasted roughly 20 minutes, peaking at 400Gbps. Failing to make a dent, the offender regrouped and came back for a second, 17-minute round. This time enough botnet “muscle” was used to generate a 650Gbps DDoS flood of more than 150 million packets per second (Mpps).
Though this particular attack was mitigated, things are about to get much worse, researchers said. A payload analysis showed that the entire attack was just a mishmash of pulverized system files from thousands upon thousands of compromised IoT devices—meaning that the Mirai IoT botnet now has competition.
Imperva determined that the culprit behind the offensive was not Mirai, which uses hard-coded SYS file sizes. This attack’s traffic was generated by two different SYN payloads: Regular ones, and abnormally large SYN packets ranging from 799 to 936 bytes in size. The former was used to achieve high Mpps packet rates, while the latter was employed to scale up the attack’s capacity to 650 Gbps.
“Attacks that combine the use of small and large payloads have become increasingly common since we first reported them in the spread their odds by trying to both clog network pipes and bring down network switches,” researchers said in an analysis. They added, “While some [of the large] payloads were populated by seemingly random strings of characters, others contained shredded lists of IP addresses. These shredded IP lists hinted … that the malware we faced was programmed to access local files and scramble their content to generate its payloads.”
Read More. Leet IoT Botnet Bursts on the Scene with Massive DDoS Attack
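The attack signature the article describes (SYN packets that should carry no payload but arrive with 799 to 936 bytes of shredded local-file content, some of it recognisable as lists of IP addresses) lends itself to a simple triage rule. The script below is an added example, not Imperva's tooling or anything from the original post; the packet records are constructed, the size range comes from the article, and the IP-list heuristic thresholds are assumptions.

```python
import re
from collections import Counter

# Constructed sample packets (not captured traffic): (tcp_flags, payload).
# A normal SYN carries no payload; the article reports SYNs with 799-936 bytes.
SAMPLE = [
    ("S", b""),
    ("S", b""),
    ("S", bytes(range(256)) * 3 + b"x" * 50),            # 818 bytes, random-looking
    ("S", b"10.0.0.1\n172.16.4.9\n192.168.1.2\n" * 26),  # 832 bytes, shredded IP list
    ("S", b"\x00" * 40),                                  # 40 bytes, small padded SYN
    ("PA", b"GET / HTTP/1.1\r\n"),                        # not a SYN at all
]

LARGE_SYN_MIN, LARGE_SYN_MAX = 799, 936   # size range reported by Imperva
IPV4 = re.compile(rb"(?<!\d)(?:\d{1,3}\.){3}\d{1,3}(?!\d)")

def classify_syn(flags, payload):
    """Label one packet: non-syn, syn-empty (normal), syn-small or syn-large."""
    if "S" not in flags or "A" in flags:
        return "non-syn"
    n = len(payload)
    if n == 0:
        return "syn-empty"
    return "syn-large" if LARGE_SYN_MIN <= n <= LARGE_SYN_MAX else "syn-small"

def looks_like_ip_list(payload, min_hits=5, min_cover=0.5):
    """True when dotted quads make up most of the payload (assumed thresholds)."""
    hits = IPV4.findall(payload)
    if len(hits) < min_hits:
        return False
    covered = sum(len(h) for h in hits)
    return covered / len(payload) >= min_cover

def summarize(packets):
    """Count SYN classes and how many large SYN payloads look like IP lists."""
    counts = Counter()
    ip_list_payloads = 0
    large_bytes = 0
    for flags, payload in packets:
        label = classify_syn(flags, payload)
        counts[label] += 1
        if label == "syn-large":
            large_bytes += len(payload)          # bytes that inflate the Gbps figure
            if looks_like_ip_list(payload):
                ip_list_payloads += 1
    counts["ip-list-payloads"] = ip_list_payloads
    counts["large-syn-bytes"] = large_bytes
    return dict(counts)

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Any SYN with a payload is abnormal, so the small class is worth alerting on too; the large class is the one that inflates bandwidth the way the article describes.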