Mirai Botnet Launches Fresh 54-Hour DDoS Attack

A new variant of the Mirai botnet has launched a fresh distributed denial of service (DDoS) attack that lasted over three days. Mirai – run by a type of malware able to infect and take control of IoT devices – was used in October 2016 to conduct one of the biggest DDoS attacks on record, launched against DNS service provider Dyn, taking down majors sites such as Twitter, Reddit, Netflix, and Github in the process. The Mirai source code was made public soon after. This latest Mirai attack, which used a modified version of the code, targeted a US college for around 54 hours straight, according to DDoS protection service Incapsula.

“The attack, which started on February 28 and ran for 54 hours straight, targeted one of our customers, a US college,” reports security expert Dima Bekerman for Incapsula. “The average traffic flow came in at over 30,000 RPS and peaked at around 37,000 RPS—the most we’ve seen out of any Mirai botnet. In total, the attack generated over 2.8 billion requests.”

“Our research showed that the pool of attacking devices included those commonly used by Mirai, including CCTV cameras, DVRs and routers,” Bekerman explains. “While we don’t know for sure, open telnet (23) ports and TR-069 (7547) ports on these devices might indicate that they were exploited by known vulnerabilities.”

“We also noticed that the DDoS bots used in the attack were hiding behind different user-agents than the five hardcoded in the default Mirai version,” he adds. “This–and the size of the attack itself–led us to believe that we might be dealing with a new variant, which was modified to launch more elaborate application layer attacks.”

Incapsula expects further Mirai attacks in the coming months.