A university in the US was hit by a 54-hour, non-stop DDoS attack at the end of last month, apparently caused by a Mirai-powered botnet.
News of the attack comes from data and application security firm Imperva, which counts the targeted college as a customer. According to a blog post by Dima Bekerman, a security researcher at Imperva, the attack started in the early hours of the morning on 28 February, with the average traffic flow clocking in at over 30,000 requests per second (RPS), although a peak of about 37,000 RPS was seen. Over the course of the attack, more than 2.8 billion requests were generated.
"Based on a number of signature factors, including header order, header values and traffic sources, our client classification system immediately identified that the attack emerged from a Mirai-powered botnet," said Bekerman.
"Our research showed that the pool of attacking devices included those commonly used by Mirai, including CCTV cameras, DVRs and routers. While we don't know for sure, open telnet (23) ports and TR-069 (7547) ports on these devices might indicate that they were exploited by known vulnerabilities."
Upon further investigation, Bekerman and his colleagues found 56% of the IPs used in the attack belonged to DVRs manufactured by a single vendor, which has now been contacted by Imperva.
Neither the name of the college involved, nor the DVR maker have been revealed.
Bekerman said there are several things that set this attack apart from others using Mirai.
The first is that the DDoS bots used in the attack "were hiding behind different user-agents than the five hardcoded in the default Mirai version".
"This and the size of the attack itself led us to believe that we might be dealing with a new variant, which was modified to launch more elaborate application layer attacks," said Bekerman.
The second is the sheer length of the onslaught.
"With over 90% of all application layer assaults lasting under six hours, an attack of this duration stands in a league of its own," he said.
-
It's been a bad week for ransomware operatorsNews A host of ransomware strains have been neutralized, servers seized, and key players indicted
-
Is the future of business AI specialized services?Customer case study While other AI infrastructure providers chase a wide audience, FluidStack is taking a more ‘high-end’ approach
-
Seized database helps Europol snare botnet customers in ‘Operation Endgame’ follow-up stingNews Europol has detained several people believed to be involved in a botnet operation as part of a follow-up to a major takedown last year.
-
Horabot campaign targeted businesses for more than two years before finally being discoveredNews The newly-discovered Horabot botnet has attacked companies in the accounting, investment, and construction sectors in particular
-
UK crime fighters wrangle “several thousand” potential cyber criminals in DDoS-for-hire honeypotNews The sting follows a recent crackdown on DDoS-for-hire services globally
-
Brand-new Emotet campaign socially engineers its way from detectionNews This latest resurgence follows a three-month hiatus and tricks users into re-enabling dangerous VBA macros
-
US begins seizure of 48 DDoS-for-hire services following global investigationNews Six people have been arrested who allegedly oversaw computer attacks launched using booters
-
Microsoft says “it’s just too difficult” to effectively disrupt ransomwareNews The company details its new approach to combatting cyber crime as the underground industry drains $6 trillion from the global economy
-
Will triple extortion ransomware truly take off?In-depth Operators are now launching attacks with three extortion layers, but there are limitations to this model
-
Beating the bad bots: Six ways to identify and block spam trafficIn-depth Not all traffic is good. Learn how to prevent bad bots from overrunning your website
