The last couple of weeks have seen two of the larger DDoS attacks ever recorded, and researchers have attributed them in part to a large botnet called Mirai comprising mostly infected IoT devices. Looking closely at some other large-scale DDoS attacks with similar characteristics, researchers at Cloudflare discovered that the attackers are specifically using Layer 7 attacks and generating massive numbers of requests on the order of one million requests per second.
The Mirai botnet is made up of tens of thousands of compromised devices, many of which are Internet-connected CCTV cameras, according to researchers. The attackers behind the botnet are using default telnet login credentials to connect to these cameras and then install the malware, which then scans for other devices with open telnet connections to perpetuate the cycle. Mirai has been identified as the botnet behind attacks that have reached volumes of 1 Tbps.
Researchers at Cloudflare, the global hosting and DNS provider, investigated a couple of similarly large attacks that crossed the company’s network, both of which were Layer 7 attacks. These attacks use huge volumes of HTTP requests to a target server and Cloudflare has seen two attacks recently that reached more than a million requests per second. One of the attacks peaked at just 2 Gbps of volume and the other hit 360 Gbps, but both utilized a large number of devices from networks in Vietnam and Ukraine, Cloudflare said.
The first attack used short HTTP requests.
“This attack continued for 15 minutes. Multiple recent attacks had >1 Mrps and lasted for minutes. This particular attack peaked at 1.75 Mrps. It was composed of short HTTP requests (around 121 bytes per request), without anything unusual in the HTTP headers. The requests had a fixed
Cookie header. We counted 52,467 unique IP addresses taking part in this attack,” Marek Majkowski of Cloudflare said in a post on the attacks.
“The attacking devices have port 23 (telnet) open or closed. Never filtered.”
The second attack had a different makeup, with very long payloads and a larger number of attacking devices.
“This attack topped out at 360Gbps per second of inbound HTTP traffic. It’s pretty unusual for an HTTP attack to generate a substantial amount of network traffic. It’s the long payload sent after the request headers that allowed the attackers to generate substantial traffic. Since this attack we’ve seen similar events with varying parameters in the request body. Sometimes these attacks came as GET requests, sometimes as POST. Additionally, this particular attack lasted roughly one hour, with 128,833 unique IP addresses,” Majkowski said.
One of the telltale behaviors of the Mirai malware is that it will disable telnet after it it’s installed a new device. This prevents other malware from infecting the device and stops legitimate users from connecting, too. Majkowski said Cloudflare’s research shows the devices used in the attacks on its networks likely are Mirai-infected cameras.
“First, all of the attacking devices have port 23 (telnet) open (closing connection immediately) or closed. Never filtered. This is a strong hint that the malware disabled the telnet port just after it installed itself,” Majkowski said.
“Most of the hosts from the Vietnamese networks look like connected CCTV cameras. Multiple have open port 80 with presenting ‘NETSurveillance WEB’ page.”
Botnets are old threats, but the nature of the attacks they’re used to launch have evolved consistently over time. IoT-based botnets are now part of that threat landscape and will continue to grow in complexity and size, Majkowski said.
“Although the most recent attacks have mostly involved Internet-connected cameras, there’s no reason to think that they are likely the only source of future DDoS attacks. As more and more devices (fridges, fitness trackers, sleep monitors, …) are added to the Internet they’ll likely be unwilling participants in future attacks,” Majkowski said.
Image from Flickr stream of Krysten Newby.