PINDROP BLOG

Mirai Botnet Attacks on Liberia Drop Off

The attacks from the Mirai botnet against targets in the country of Liberia that have been ongoing for several days have now stopped, at least for the time being.

For more than a week, attackers have been throwing short but highly potent DDoS floods of various types against a number of sites in the small country of Liberia. The attacks have had the effect of causing intermittent Internet outages inside the country, which only has one link to the global network. Researchers have been following the attacks for some time, and in recent days the botnet has been launching repeated large-scale attacks against networks in Liberia.

But since yesterday, the attacks have stopped. The Mirai Attacks tracker, which posts each new DDoS attack on Twitter, shows no attacks from botnet #14, the one that was attacking Liberia, since late Thursday. The drop-off in attacks came soon after researcher Kevin Beaumont published an analysis of the DDoS floods against Liberia.

“The control domain they were using has also been disabled,” Beaumont said.

Mirai, like most botnets, isn’t just one network of compromised devices. The Mirai source code has been public for more than a month and there are many separate attackers and groups using it to build up their own botnets. Botnet #14 is just one piece of the puzzle, but it’s the largest one. Beaumont said that specific network likely is the same one used to attack DNS provider Dyn two weeks ago, an operation that took a number of high-traffic sites offline for several hours at a time on Oct. 21.

“The capacity makes it one of the biggest DDoS botnets ever seen. Given the volume of traffic, it appears to be owned by the actor which attacked Dyn,” Beaumont said in his analysis.