Researchers have observed a new variant of the dreaded Mirai botnet in the wild after it launched a 54-hour(!) DDoS attack against an unnamed U.S. college.
Security researchers at Imperva Incapsula have revealed details about the attack, which struck the educational institution on February 28 and ran continuously for 54 hours, the security company revealed.
This particular variant is “more adept at launching application layer assaults”, compared with other variants, which are commonly known to launch network layer attacks, researchers added.
The average traffic flow registered at 30,000 requests per second (RPS) and clocked a peak of 37,000 RPS. This peak traffic is “the most we’ve seen out of any Mirai botnet”, Imperva says. Altogether, the 54-hour DDoS marathon attack registered over 2.8 billion requests.
Researchers were able to determine that the DDoS attack was based on a Mirai botnet through a number of factors, including header order, header values and traffic sources. Further research revealed that the pool of attacking devices included common Mirai-compromised devices such as CCTV cameras, broadband routers and DVRs.
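The attribution above rests on request fingerprinting: a botnet's HTTP client emits headers in a fixed order with fixed values, so a flood from thousands of devices collapses into one signature. The following is an added example (not Imperva's code, and not a real Mirai signature) showing how a defender can group requests by header order plus User-Agent, measure the per-signature request rate over a window, and flag signatures that are both high-volume and widely sourced. The traffic, hostname, IP ranges and header sets are all constructed for the example.

```python
"""Group HTTP requests by header-order fingerprint and flag sustained,
widely sourced application-layer floods. Added example with constructed
traffic; the header orders below are illustrative, not a Mirai signature."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

Fingerprint = Tuple[Tuple[str, ...], str]


@dataclass(frozen=True)
class Request:
    ts: float                             # timestamp in seconds
    src_ip: str
    headers: Tuple[Tuple[str, str], ...]  # (name, value) pairs in wire order


def header_fingerprint(headers: Tuple[Tuple[str, str], ...]) -> Fingerprint:
    """Signature from the order of header names plus the User-Agent value.
    Browsers and bot code each emit headers in a characteristic, stable order."""
    names = tuple(name.lower() for name, _ in headers)
    user_agent = next((v for n, v in headers if n.lower() == "user-agent"), "")
    return (names, user_agent)


def profile_window(requests: List[Request],
                   window_seconds: float) -> Dict[Fingerprint, Tuple[float, int]]:
    """Per fingerprint: (requests per second, distinct source IPs) in the window."""
    counts: Counter = Counter()
    sources: Dict[Fingerprint, set] = defaultdict(set)
    for req in requests:
        fp = header_fingerprint(req.headers)
        counts[fp] += 1
        sources[fp].add(req.src_ip)
    return {fp: (counts[fp] / window_seconds, len(sources[fp])) for fp in counts}


def flag_floods(requests: List[Request], window_seconds: float,
                rps_threshold: float, min_sources: int) -> Dict[Fingerprint, Tuple[float, int]]:
    """Return fingerprints whose rate meets rps_threshold AND that arrive from
    at least min_sources distinct IPs. High volume from many devices is the
    botnet shape; high volume from a single IP is a different problem."""
    profile = profile_window(requests, window_seconds)
    return {fp: stats for fp, stats in profile.items()
            if stats[0] >= rps_threshold and stats[1] >= min_sources}


def build_sample_log() -> List[Request]:
    """Constructed traffic for a 10-second window: one bot-like fingerprint
    from 200 addresses at 60 RPS, plus a trickle of ordinary browser traffic."""
    bot_headers = (("Host", "www.example.edu"),
                   ("User-Agent", "constructed-bot/1.0"),
                   ("Accept", "*/*"))
    browser_headers = (("Host", "www.example.edu"),
                       ("Connection", "keep-alive"),
                       ("Accept", "text/html"),
                       ("User-Agent", "constructed-browser/1.0"))
    log: List[Request] = []
    for i in range(600):  # 600 requests in 10 s = 60 RPS from 203.0.113.0/24
        log.append(Request(ts=i / 60, src_ip=f"203.0.113.{i % 200}", headers=bot_headers))
    for i in range(30):   # 30 requests in 10 s = 3 RPS from three 192.0.2.x hosts
        log.append(Request(ts=i / 3, src_ip=f"192.0.2.{i % 3}", headers=browser_headers))
    return log


if __name__ == "__main__":
    for fp, (rps, n_src) in flag_floods(build_sample_log(), 10, 50, 50).items():
        print(f"flood: headers={fp[0]} ua={fp[1]!r} rps={rps:.0f} sources={n_src}")
```

The two thresholds are deliberately separate: the rate catches the volume, and the distinct-source count distinguishes a distributed botnet from a single noisy client, which would call for a different response. In a real deployment the window would slide over live access logs and the flagged fingerprint would feed a rate-limit or challenge rule rather than a print statement.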
“While we don’t know for sure, open telnet (23) ports and TR-069 (7547) ports on these devices might indicate that they were exploited by known vulnerabilities,” researchers noted.
A majority of the compromised devices, over 70% of the botnet, stemmed from ten countries. In order from most compromised to least, they are the United States, Israel, Taiwan, India, Turkey, Russia, Italy, Mexico, Colombia and Bulgaria.
The security researchers underline the evolution of Mirai’s capabilities since the source code went public last year. Malware developers have since expanded the botnet’s range and trajectory for more elaborate and effective attacks.
Summing up the unprecedented attack, the researchers stated:
[W]ith over 90 percent of all application layer assaults lasting under six hours, an attack of this duration stands in a league of its own.