Three Botnets Combined by Attackers to Launch Massive A DDoS Attack

An unnamed website is at the end of a huge Layer 7 DDoS attack which involved traffic generated from over 47,000 distinct IP addresses, most of which belonged to IoT  devices, like home routers, and also compromised Linux servers.

A US web security vendor named Sucuri, was called into mitigate the incident. He also said  the attack reached a huge 120,000 requests per second, and attacker used flood of HTTPS packets to maximize the resource consumption on target’s machines.

Once the attack had started, Sucuri experts that are investigating the incident discovered that the DDoS traffic did not come from one singular source, but the attacker combined three different distinct botnets.

The company is well aware of one of the botnets, which they have previously discovered in the end of June.

This was a very strong botnet of 25,000. Assembled after compromising Internet-connected CCTV devices from different vendors, most of these are running firmware made by the Chinese firm TVT.

The group that is behind this recent DDoS attack was not content with the capabilities provided by this botnet and they also created another botnet to help their other efforts.

According to Sucuri, the group is also controlling another botnet comprising 11,767 home routers from eight major industry brands.

The attackers had managed to take control of these devices by using various firmware vulnerabilities or by hijacking the routers for which device owners didn’t change the default admin panel password.

Compromised Huawei routers consist of more than half of this botnet, with 6,015 devices, almost 51 percent of the entire botnet. Next position goes to  Mikro RouterOS (with 2,119 devices – 18 percent), AirOS routers (245 routers), but also NuCom 11N Wireless Routers, VodaFone, Dell SonicWall, Netgear, and Cisco.

The home router botnet was very effective because not all compromised devices were in the same geographical area, which would have been easy to block.

Devices were spread all over the world, but mainly in Spanish-speaking countries, such as Spain (45 percent of the entire botnet), the Dominican Republic, Mexico, Uruguay, and Argentina.

The third and last botnet used in the DDoS attack was made up by compromised web servers coming from data centers.

Sucuri isn’t the only company that has discovered huge botnets of IoT devices engaging in DDoS attacks. Researchers from Arbor Networks have also discovered a botnet of 120,000 IoT devices, saying that, overall, DDoS botnets are currently controlling over 1 million IoT devices.

Related posts

Water Facilities Must Secure Exposed HMIs – Warns CISA

Microsoft December Patch Tuesday Arrived With 70+ Bug Fixes

NachoVPN Attack Risks Corporate VPN Clients