A new variant of the infamous Mirai IoT malware was spotted in the wild. It launched a 54-hour DDoS attack on an unnamed U.S. college.
Even though the attack occurred on February 28, Imperva Incapsula is informing the world about it today. The researchers strongly believe it is a new variant of Mirai, one that is “more adept at launching the application layer assaults.”
Average traffic flow was about 30,000 requests per second and peaked at 37,000 RPS, which the DDoS mitigation firm said was the most it has seen from any Mirai botnet so far. “In total, the attack generated more than 2.8 billion requests.”
In the 54-hour DDoS attack on the college, the researchers observed a pool of attacking devices normally associated with Mirai, such as DVRs, CCTV cameras and routers. Attack traffic originated from 9,793 IPs worldwide, but about 70% of the botnet traffic came from only 10 countries.
The U.S. topped this list with 18.4 percent of the botnet IPs. Israel was next with 11.3 percent, followed by Taiwan with 10.8 percent. The remaining seven countries of the top 10 were Turkey with 6 percent, India with 8.7 percent, Russia with 3.8 percent, Mexico and Italy both with 3.2 percent, Bulgaria with 2.2 percent and Colombia with 3 percent of the botnet traffic.
Other signature factors, such as header order and header values, also helped the researchers identify the attack as a Mirai-powered botnet, yet the DDoS bots hid behind different user-agents than the five hard-coded in the default Mirai version: it used 30 user-agent variants. Incapsula said, “This, and the size of the attack itself, led us to believe that we might be dealing with a new variant, which was modified to launch more elaborate application layer attacks.”
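As an added defensive illustration (not Incapsula's code or data), the Python below applies the signature idea described above: it groups HTTP requests by the exact order in which the client sent its headers, then flags any order shared by many source IPs at a high request rate while the user-agent keeps changing. The sample traffic, field names and thresholds are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Request:
    ts: float             # request time, epoch seconds
    src_ip: str
    user_agent: str
    header_order: tuple   # header names in the order the client sent them


# Constructed sample traffic (not captured data): one cluster that shares an exact
# header order across several IPs while rotating user-agents, plus a few ordinary
# browser requests with a different header order.
BOT_ORDER = ("Host", "User-Agent", "Accept", "Accept-Language", "Connection")
BROWSER_ORDER = ("Host", "Connection", "Accept", "User-Agent", "Accept-Language")
SAMPLE = [Request(1000.0 + i * 0.01, f"198.51.100.{i % 6}", f"UA-variant-{i % 4}", BOT_ORDER)
          for i in range(60)]
SAMPLE += [Request(1000.0 + i * 0.2, f"192.0.2.{i}", "Mozilla/5.0 (real browser)", BROWSER_ORDER)
           for i in range(3)]


def cluster_by_header_order(requests):
    """Group requests by exact header order; summarise distinct IPs, UAs, count and rate."""
    groups = defaultdict(lambda: {"ips": set(), "uas": set(), "count": 0, "first": None, "last": None})
    for r in requests:
        g = groups[r.header_order]
        g["ips"].add(r.src_ip)
        g["uas"].add(r.user_agent)
        g["count"] += 1
        g["first"] = r.ts if g["first"] is None else min(g["first"], r.ts)
        g["last"] = r.ts if g["last"] is None else max(g["last"], r.ts)
    summary = {}
    for order, g in groups.items():
        span = g["last"] - g["first"]
        # A single request has no measurable rate; report 0 rather than dividing by zero.
        rps = g["count"] / span if span > 0 else 0.0
        summary[order] = {"ips": len(g["ips"]), "uas": len(g["uas"]), "count": g["count"], "rps": rps}
    return summary


def flag_suspect_orders(requests, min_ips=5, min_uas=3, min_rps=50.0):
    """Header orders shared by many sources, with rotating UAs, at a high rate (thresholds assumed)."""
    return sorted(order for order, s in cluster_by_header_order(requests).items()
                  if s["ips"] >= min_ips and s["uas"] >= min_uas and s["rps"] >= min_rps)
```

Header order alone is not proof of a botnet (browsers of one family also share an order), so the rate and IP-spread conditions are what make the fingerprint actionable as a mitigation rule.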