PINDROP BLOG

Attackers Running Massive DDoS Floods on a Daily Schedule

The Mirai botnet has been responsible for several of the larger DDoS attacks ever recorded, and it continues to cause trouble for ISPs and large organizations around the world. But researchers say there’s now another botnet that’s being used in massive DDoS attacks that are appearing on a regular schedule every day.

The new series of attacks began began on Nov. 22, starting at 18:30 UTC and lasting for almost exactly eight hours. The attacks involved huge volumes of traffic–as much as 400 Gbps–and will often have sustained volumes of 320 Gbps. Researchers at CloudFlare, who have been tracking the attacks, say that the attackers behind the floods have been highly disciplined in their schedule.

“On the third day the attacker started promptly at 1800 UTC but went home a little early at around 0130 UTC. But they managed to peak the attack over 200Mpps and 480Gbps,” John Graham-Cummings of CloudFlare said in an analysis of the attacks.

“And the attacker just kept this up day after day. Right through Thanksgiving, Black Friday, Cyber Monday and into this week. Night after night attacks were peaking at 400Gbps and hitting 320Gbps for hours on end.”

After six days of the attacks coming on the same schedule, the attackers changed things up and began running the DDoS floods for 24 hours at a time. The attacks are different from the Mirai botnet floods in several ways, including the tool used to run them and the kind of floods.

“Another curiosity with these attacks is that they are not coming from the much talked about Mirai botnet. They are using different attack software and are sending very large L3/L4 floods aimed at the TCP protocol. The attacks are also highly concentrated in a small number of locations mostly on the US west coast,” Graham-Cummings said.

Mirai is a botnet comprised mostly of compromised IoT devices such as DVRs and CCTV cameras and it has generated a number of massive DDoS attacks in recent weeks. Some of the attacks have hit hosting providers and for a time the botnet was being used to attack Internet providers in the country of Liberia. Those attacks were strong enough to disrupt connectivity in the country for significant periods of time.

Image: Dafne Cholet, CC By 2.0 license.

Webinar: Call Center Fraud Vectors & Fraudsters Defeated