New Leet Botnet Shows IoT Device Security Regulation May Become Necessary
Just before Christmas, Imperva found its network under a massive DDoS assault that reached 650 Gbps (gigabits per second), making it one of the largest known DDoS attacks on record.
Powered by what Imperva is calling the Leet Botnet, the attack occurred on the morning of Dec. 21, and was delivered against several anycast IPs on the Imperva Incapsula network.
While precise device attribution is not yet possible, it seems likely that, like Mirai, it uses thousands of compromised IoT devices.
“Due to IP spoofing, it’s hard to accurately identify the devices used in this attack,” Avishay Zawoznik, security research specialist for the Incapsula product line at Imperva, told SecurityWeek. “We did, however, find some reliable clues in the payload’s content. Here, manual analyses of individual payloads pointed to some type of Linux device. For instance, some were ‘stuffed’ with the details of the proc filesystem (/proc) folder, which is specific to Unix-like systems.”
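The attribution approach Zawoznik describes, ignoring spoofed source addresses and instead looking inside the payload for artefacts of the sending platform, can be reproduced as a simple triage heuristic. The following Python script is an added illustration, not Imperva's own tooling: it runs over a handful of constructed payloads (not captures from this incident) and flags those that carry Linux /proc-style content such as /proc/cpuinfo, /proc/meminfo or /proc/version output. The marker patterns and the printable-ratio threshold are assumptions chosen for the demonstration.

```python
import re
from collections import Counter
from typing import Dict, List

# Constructed sample payloads for the demonstration; these are NOT packet
# captures from the attack described in the article. The first three mimic
# text that would be copied out of /proc files on a Linux host, the fourth
# is zero padding, the fifth is random filler and the sixth carries bare
# /proc paths.
SAMPLE_PAYLOADS: List[bytes] = [
    b"processor\t: 0\nmodel name\t: ARMv7 Processor rev 5 (v7l)\n"
    b"BogoMIPS\t: 38.40\nFeatures\t: half thumb fastmult vfp edsp neon\n",
    b"MemTotal:         61972 kB\nMemFree:          23244 kB\nBuffers:           3172 kB\n",
    b"Linux version 3.4.0 (builder@host) (gcc version 4.6.3) #1 PREEMPT\n",
    b"\x00" * 64,
    b"kQm9zX2wL1pR7tYv3nHs8cFbJdGe4uAa6oWxIiNcK0",
    b"/proc/self/exe\n/proc/net/tcp\n",
]

# Heuristic markers (assumed for this example) for content that is
# characteristic of the proc filesystem on Unix-like systems.
PROC_MARKERS = {
    "proc_path": re.compile(rb"/proc/[A-Za-z0-9_/]+"),
    "cpuinfo": re.compile(rb"^(processor|model name|BogoMIPS|Features|Hardware)\s*:", re.M),
    "meminfo": re.compile(rb"^(MemTotal|MemFree|Buffers|Cached):\s+\d+ kB", re.M),
    "version": re.compile(rb"^Linux version \d+\.\d+"),
}


def classify_payload(payload: bytes) -> Dict[str, object]:
    """Score one payload for /proc-like content.

    The source IP is deliberately not an input: under IP spoofing it carries
    no reliable information, so only the payload body is examined.
    """
    hits = {name: len(rx.findall(payload)) for name, rx in PROC_MARKERS.items()}
    # Fraction of printable ASCII (plus tab/newline/CR); /proc text is fully
    # printable, whereas zero padding or binary junk is not.
    printable = sum(1 for b in payload if 32 <= b < 127 or b in (9, 10, 13))
    ratio = printable / len(payload) if payload else 0.0
    return {
        "proc_like": any(hits.values()),
        "markers": [name for name, count in hits.items() if count],
        "printable_ratio": round(ratio, 2),
    }


def summarize(payloads: List[bytes]) -> Dict[str, int]:
    """Count how many payloads look /proc-derived and which markers fired."""
    counter: Counter = Counter()
    for payload in payloads:
        result = classify_payload(payload)
        counter["total"] += 1
        if result["proc_like"]:
            counter["proc_like"] += 1
        for marker in result["markers"]:
            counter["marker:" + marker] += 1
    return dict(counter)


if __name__ == "__main__":
    for payload in SAMPLE_PAYLOADS:
        print(classify_payload(payload))
    print(summarize(SAMPLE_PAYLOADS))
```

On the constructed set, four of the six payloads are flagged as /proc-like, one per marker family, which is the kind of signal that lets an analyst say "some type of Linux device" without trusting a single source address.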
In an analysis of the attack, Imperva assumes that the attacker could not locate the specific target hidden behind Imperva proxies — and chose instead to attack the cloud-based service itself.
The attack came in two waves. The first lasted 20 minutes and peaked at 400 Gbps. This failed in its purpose. “The offender regrouped and came back for a second round,” reports Imperva. “This time enough botnet ‘muscle’ to generate a 650 Gbps DDoS flood of more than 150 million packets per second (Mpps).”
The second wave lasted around 17 minutes and also failed. “Out of options, the offender wised up and ceased his assault.”
Because the attacking devices were hidden behind spoofed IP addresses, their geographical location could not be determined; Imperva was, however, able to analyse the content of the packets being used. Although similar in size to the Mirai attack on KrebsOnSecurity in October, it was immediately clear that this was different. (There have been some suggestions that the Mirai attack against DNS service provider Dyn could have exceeded 1 Tbps.)