One of the pieces of the fragmented Mirai botnet is using its massive capacity to attack telecom providers in the small African country of Liberia and the attacks are strong enough to cause intermittent loss of connectivity inside the country, researchers say.
The attacks against Liberia have been going on for at least week and mostly have been short in duration. However, the attacks have been very powerful and researchers say that they’re likely being used as tests to gauge the effects of the DDoS floods. Kevin Beaumont, a security researcher who has been monitoring the Mirai attacks, said the floods are reaching as much as 500 Gbps in peak traffic. Because Liberia’s Internet connection comes from just a single undersea cable, which is owned jointly by the country’s telecom providers, the huge attacks are causing serious connectivity issues.
“Over the past week we’ve seen continued short duration attacks on infrastructure in the nation of Liberia. Liberia has one internet cable, installed in 2011, which provides a single point of failure for internet access. From monitoring we can see websites hosted in country going offline during the attacks,” Beaumont said in an analysis of the attacks.
The botnet that’s involved in these attacks likely is the same portion of Mirai that was used to attack DNS provider Dyn last month. Beaumont said via email that the domain being used to control the botnet, known as #14, was registered before the Dyn attack and the size of the attacks maps closely to the ones that hit Dyn, as well. Mirai botnet #14 also attacked MalwareTech, a site that tracks botnet traffic.
But it’s the repeated, short, powerful attacks on Liberia’s infrastructure that has researchers concerned. The idea of a single botnet operator being able to affect the connectivity of an entire nation is troubling, to say the least.
“The attacks are extremely worrying because they suggest a Mirai operator who has enough capacity to seriously impact systems in a nation state,” Beaumont said.
Although the Mirai botnet, which is made up of embedded devices such as CCTV cameras and DVRs to a large degree, is not huge when measured by the number of compromised devices, its capacity is significant. Aside from the attack on Dyn, the botnet also has been used to generate two of the larger DDoD attacks ever seen in recent months.
The Mirai Attacks Twitter account tracks the botnet’s activity in real time and shows continued attacks on Liberia’s telecom providers as recently as Thursday morning.
Image: Alan Levine, CC By 2.0 license.