A massive botnet attack hit an entertainment industry user earlier this spring, said officials at security provider Imperva.
It was the largest Layer 7 DDoS attack Imperva has ever seen, with the botnet coordinating 402,000 different IPs, lasting 13 days and directing a peak flow of 292,000 RPS (requests per second).
In spite of the ferocity of the attack, the Imperva customer suffered no downtime, said Vitaly Simonovich, a security researcher at Imperva in a post.
“Imperva has mitigated Layer 3/4 attacks that, using a different measure, peaked at 500 million packets per second,” Simonovich said. “This, however, was the largest DDoS Layer 7 (application layer) attack to date we have observed, using the most relevant measure for Layer 7 attacks, Requests Per Second.”
“By analyzing the IPs that performed the attack, we found that the main source was Brazil,” he said.
The attackers used a legitimate User-Agent, the same as used by the entertainment industry customer service application, to mask their attack. In spite of this, our client classification mechanism could distinguish it from the customer’s legitimate application.
For a time, the attack targeted the authentication component of the streaming application. We are not sure if the intent of the attackers was to perform a brute force attack or DDoS attack, but without an accurate mitigation mechanism, the result was the same — denial of service.
So we began looking for a common denominator. We found that most of the IPs had the same open ports: 2000 and 7547. These are associated with IoT devices infected by the Mirai malware, according to the cybersecurity blog Recorded Future.
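The analysis the post describes, as an added example (not Imperva's code): measure the peak request rate, pick out the IPs hammering the authentication path, then look for the ports most of them share. The log format, the IP addresses, the User-Agent string and the port-scan results are all constructed for the example.

```python
from collections import Counter
from typing import Dict, Iterable, List, Set, Tuple

# Constructed access-log lines, "<second> <client_ip> <path> <user_agent>". Every request
# carries the app's legitimate User-Agent (StreamApp/3.1, a hypothetical string), so the
# UA alone cannot separate the bots from real customers, as the report describes.
SAMPLE_LOG = [
    "1 198.51.100.10 /login StreamApp/3.1",
    "1 198.51.100.11 /login StreamApp/3.1",
    "1 203.0.113.5 /home StreamApp/3.1",
    "2 198.51.100.10 /login StreamApp/3.1",
    "2 198.51.100.11 /login StreamApp/3.1",
    "2 198.51.100.12 /login StreamApp/3.1",
    "2 203.0.113.5 /watch StreamApp/3.1",
    "3 198.51.100.10 /login StreamApp/3.1",
    "3 198.51.100.12 /login StreamApp/3.1",
]
# Constructed port-scan results for the same IPs (ip -> open TCP ports).
SCAN_RESULTS: Dict[str, Set[int]] = {
    "198.51.100.10": {22, 2000, 7547},
    "198.51.100.11": {2000, 7547},
    "198.51.100.12": {80, 2000, 7547},
    "203.0.113.5": {443},
}

def parse(lines: Iterable[str]) -> List[Tuple[int, str, str, str]]:
    """Split each log line into (second, ip, path, user_agent)."""
    recs = []
    for line in lines:
        sec, ip, path, ua = line.split(" ", 3)
        recs.append((int(sec), ip, path, ua))
    return recs

def peak_rps(lines: Iterable[str]) -> Tuple[int, int]:
    """(second, requests) of the busiest one-second window: the Layer 7 measure the report uses."""
    per_second = Counter(sec for sec, _, _, _ in parse(lines))
    return max(per_second.items(), key=lambda kv: kv[1])

def suspicious_ips(lines: Iterable[str], path: str = "/login", min_hits: int = 2) -> Set[str]:
    """IPs that hit the authentication path at least min_hits times in the sample."""
    hits = Counter(ip for _, ip, p, _ in parse(lines) if p == path)
    return {ip for ip, n in hits.items() if n >= min_hits}

def common_open_ports(ips: Set[str], scans: Dict[str, Set[int]], min_share: float = 0.8) -> Set[int]:
    """Ports open on at least min_share of the given IPs: the common-denominator check."""
    if not ips:
        return set()
    port_counts = Counter(p for ip in ips for p in scans.get(ip, set()))
    return {p for p, n in port_counts.items() if n / len(ips) >= min_share}
```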
Following the release of Mirai’s source code some years ago, new variants have emerged. Some of them just included additional IoT device default credentials to target more vendors’ devices, while others added new functionality.
“Compromising the IoT device is the first part of the attack,” Simonovich said. “Thereafter, the attacker uploads malicious software to the device that will receive commands from a Command and Control server (CnC). Mirai source code contains only DDoS functionality, but nothing prevents the attacker from including other malicious software to take advantage of compromised devices and perform additional attacks, such as brute force.”
Since 2016, new IoT vendors have entered the market. The problem is few of these vendors have learned from the security mistakes of the past. As a result, today IoT devices are used in most of the large botnets we have seen.
“Botnets of IoT devices will only get larger,” Simonovich said. “We live in a connected world, so the number of IoT devices continues to grow fast and vendors still do not consider security a top priority.”