A new botnet capable of some of the largest DDoS attacks ever seen has emerged in the last few days, launching floods of up to 650 Gbps and using a unique payload that researchers say is effective at evading security systems.
The network came to light on Dec. 21 when researchers at Imperva saw a two-part DDoS attack that began with a 20-minute flood that peaked around 400 Gbps. A few minutes later, the attackers pushed the button again, this time hitting a peak volume of 650 Gbps and throwing more than 150 million packets per second at the targets. That volume of attack traffic approaches the enormous DDoS floods generated by the Mirai botnet over the last few months. The largest of the known Mirai floods was around 1 Tbps of traffic.
The Imperva researchers said the attacks from the new botnet, which they’ve named Leet, came from spoofed IP addresses and ended after a total of about 37 minutes. Aside from the high volume involved in the attacks, the other interesting piece is the makeup of the packets Leet is sending at its targets. Some of the packets are typical SYN packets, but others are more than 10 times as large as normal packets and include some very odd ingredients.
“While some payloads were populated by seemingly random strings of characters, others contained shredded lists of IP addresses. These shredded IP lists hinted at the way the payload content was generated. It seems that the malware we faced was programmed to access local files (e.g., access logs and iptable lists) and scramble their content to generate its payloads,” Avishay Zawozni and Dima Bekerman of Imperva wrote in an analysis of the attack.
“Basically, the entire attack was just a mishmash of pulverized system files from thousands upon thousands of compromised devices.”
So as the attackers behind the botnet compromise new devices and add them to the network, the malware they’re employing finds specific files on the devices and grabs random data from them to use as the payload in the Leet DDoS packets. That technique gives the attackers the ability to get by some of the common security defenses deployed to identify and mitigate DDoS attacks.
“Specifically, it makes for an effective obfuscation technique that can be used to produce an unlimited number of extremely randomized payloads. Using these payloads, an offender can circumvent signature-based security systems that mitigate attacks by identifying similarities in the content of network packets,” Zawozni and Bekerman said.
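The defensive consequence of that technique is that content matching alone is the wrong tool. The following added example (not Imperva's code or analysis; the packet records, the signature list and the thresholds are all constructed for illustration) screens a small captured batch two ways: a signature engine that looks for known byte strings, and a structural check that keys on what the article describes rather than on content, namely SYN segments that carry a payload at all, and segments far larger than a normal handshake packet. The 600-byte threshold is an assumption standing in for "more than 10 times the size of a normal packet".

```python
"""Signature-free screening of flood traffic.

Added example, not Imperva's code. Every packet, signature and threshold
below is constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    syn: bool       # TCP SYN flag set
    payload: bytes  # TCP payload (application data), empty for a plain SYN


# Constructed "known bad" byte strings, standing in for a content-matching engine.
SIGNATURES = (b"GET /cgi-bin/;wget", b"\x00\x00\x00\x00\x0bHELLO")

# A handshake SYN normally carries no application data at all.
MAX_SYN_PAYLOAD = 0
# Assumed threshold: roughly ten times a typical ~60-byte SYN segment.
OVERSIZED_BYTES = 600


def signature_match(pkt):
    """True if any known signature appears verbatim in the payload."""
    return any(sig in pkt.payload for sig in SIGNATURES)


def structural_flags(pkt):
    """Flags that do not depend on payload content, so randomizing the
    content does not help the sender."""
    flags = set()
    if pkt.syn and len(pkt.payload) > MAX_SYN_PAYLOAD:
        flags.add("syn_with_payload")
    if len(pkt.payload) > OVERSIZED_BYTES:
        flags.add("oversized_packet")
    return flags


def screen(packets):
    """Count how many packets each approach flags, to make the gap between
    signature matching and structural checks visible."""
    sig_hits = sum(signature_match(p) for p in packets)
    struct_hits = sum(bool(structural_flags(p)) for p in packets)
    return {"signature_hits": sig_hits, "structural_hits": struct_hits}


# Constructed capture. The last three packets imitate the article's description
# (SYN segments padded with log-like text), with no byte string shared between
# them that a signature could key on.
LOG_FRAGMENT = b'10.0.0.17 - - [21/Dec/2016:09:14:03] "GET /login HTTP/1.1" 200\n'
IPTABLES_FRAGMENT = b"ACCEPT tcp -- 192.0.2.44 0.0.0.0/0 tcp dpt:22\n"

CAPTURE = [
    Packet("198.51.100.5", True, b""),                                   # ordinary SYN
    Packet("198.51.100.6", False,
           b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"),   # ordinary request
    Packet("198.51.100.7", False, SIGNATURES[0] + b" http://bad.example/x"),  # known signature
    Packet("203.0.113.10", True, LOG_FRAGMENT[3:] * 12),
    Packet("203.0.113.11", True, (IPTABLES_FRAGMENT + LOG_FRAGMENT)[7:] * 8),
    Packet("203.0.113.12", True, LOG_FRAGMENT[::-1] * 12),
]


if __name__ == "__main__":
    for p in CAPTURE:
        print(p.src_ip, "sig" if signature_match(p) else "-", sorted(structural_flags(p)))
    print(screen(CAPTURE))
```

Run as a script, the three padded SYNs pass the signature engine untouched but trip both structural rules, while the one packet carrying a known signature is caught only by content matching; a production rule set would combine both with per-source rate limits, since neither check alone covers the other's blind spot.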
Despite some similarities, the Imperva researchers said the attacks they saw last week clearly were not from any of the Mirai botnets. The payloads are entirely different, and the Mirai malware isn’t configured to generate the kind of SYN floods that Leet is. Also, Mirai’s malware has hardcoded TCP options that the new Leet payloads don’t.
Image: Howard Lake, CC BY-SA license.