Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

7/24/2019
03:10 PM
100%
0%

Mirai-Like Botnet Wages Massive Application-Layer DDoS Attack

IoT botnet-made up mainly of routers-hit a service provider with nearly 300,000 requests-per-second in a 13-day deluge of data.

A collection of more than 400,000 connected devices - mainly home routers - for 13 days leveled a powerful application-layer attack on a online entertainment-service provider.

The attack used packets designed to appear as valid requests to the targeted application with the aim of chewing up bandwidth and server resources and reached a peak rate of 292,000 requests per second, according to a report released on July 24 by security firm Imperva, which blocked the attack.

The distributed denial of service (DDoS) attack, also known as an application-layer or layer-7 attack, came from devices compromised by the attackers and likely aimed to take down the company's service, says Vitaly Simonovich, a security researcher for Imperva.

"This is not the first time this customer got attacked," he says. "In the past, we witnessed this customer get attacked via network-layer DDoS attacks and also attackers have tried to steal their service, or use it without paying them."

Distributed denial-of-service attacks are now considered the cost of doing business online, and companies need to plan for the attacks. In a survey released on July 24, data-center services firm US Signal found that 83% of organizations had suffered a DDoS attack in the past two years, and the average downtime caused by such an attack was 12 hours. The survey also found that 81% of organizations had their web application targeted in a cyberattack. 

"The number of respondents that have experienced DDoS and application attacks is jarring, demonstrating that there is always room for improvement in keeping up with modern cyberthreats," Trevor Bidle, vice president of information security and compliance officer at US Signal, said in a statement.

Yet, network packet floods continue to set new records in terms of volume and sustained traffic. 

The attack on Imperva's client is not the largest, but represents one of the most significant application-layer attacks. Volumetric attacks, which try to overload a target's network bandwidth and infrastructure with a massive deluge of data, have exceeded 500 million packets per second, according to Imperva. For comparison, the DDoS attack against GitHub in 2018 exceeded 1.35 terabits per second, or about 130 million packets per second, the company said.

In 2016, the original Mirai malware, along with several variants, were used to conduct massive DDoS attacks against a variety of targets. More than one attack peaked at more than 600 gigabits per second and the attack against infrastructure provider Dyn in October 2016 exceeded 1 terabit per second.

Volumetric and application attacks are different and target different parts of a company's online infrastructure. Web applications can typically handle tens or hundreds of gigabits of legitimate traffic, but typical Web servers handle perhaps 25,000 requests per second, says Imperva's Simonovich.

"Today, customers that use cloud services can scale up in no time," he says. "This means that when the number of requests is growing, the cloud platform can spawn more servers to handle the load. It also means that the customer will pay more to the cloud provider."

Routers Located in Brazil

Imperva tracked much of the traffic in the latest attack back to compromised home routers in Brazil. While the company does not believe that the attacks came from the Mirai botnet because the code to the malicious software had been released some time ago, underground developers have modified Mirai to incorporate a variety of attacks.

Because of the large number of Internet-of-things devices — tens of billions of network-connected devices by most accounts — and the lack of security concerns of most manufacturers and consumers, the population of vulnerable devices will only likely continue to grow, Imperva said.

"Botnets of IoT devices will only get larger," the company said. "We live in a connected world, so the number of IoT devices continues to grow fast and vendors still do not consider security a top priority."

Related Content:

 

Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

 

 

 

 

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
tdsan
100%
0%
tdsan,
User Rank: Ninja
7/25/2019 | 8:07:12 AM
Interesting points about the cloud

"Today, customers that use cloud services can scale up in no time," he says. "This means that when the number of requests is growing, the cloud platform can spawn more servers to handle the load. It also means that the customer will pay more to the cloud provider."

If we look at this statement, this could affect company's bottom lines because of the sheer volume of data being sent across the network; cloud providers like IBM and Google will protect customers but AWS and Azure will charge customers for ingress data streams. There are organizations that provide a level of protection from a DDoS standpoint but that should be a service provided by the CSP, some of the organizations that help mitigate the problem that is listed on the market place are: (DDoS Protection Companies):
  • Akamai
  • RedGuardian
  • CloudFlare
  • A10
  • Distil Networks

A boatload of others can be found on the link; however, if companies utilized marketplace vendors to address this problem, they will still be charged because of the application is found inside of the Virtual Gateway (VGW), since they are using quasi radius method of accounting, the organizations who have purchased internal marketplace solutions will still be affected; those that have purchased external DDoS solutions (i.e Akamai or CloudFlare) won't feel the financial crunch as much as others, this will be more of an insurance policy.

Todd
News
Former CISA Director Chris Krebs Discusses Risk Management & Threat Intel
Kelly Sheridan, Staff Editor, Dark Reading,  2/23/2021
Edge-DRsplash-10-edge-articles
Security + Fraud Protection: Your One-Two Punch Against Cyberattacks
Joshua Goldfarb, Director of Product Management at F5,  2/23/2021
News
Cybercrime Groups More Prolific, Focus on Healthcare in 2020
Robert Lemos, Contributing Writer,  2/22/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Building the SOC of the Future
Building the SOC of the Future
Digital transformation, cloud-focused attacks, and a worldwide pandemic. The past year has changed the way business works and the way security teams operate. There is no going back.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-21273
PUBLISHED: 2021-02-26
Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.25.0, requests to user provided domains were not restricted to external IP addresses when calculating the key va...
CVE-2021-21274
PUBLISHED: 2021-02-26
Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.25.0, a malicious homeserver could redirect requests to their .well-known file to a large file. This can lead to...
CVE-2021-23345
PUBLISHED: 2021-02-26
All versions of package github.com/thecodingmachine/gotenberg are vulnerable to Server-side Request Forgery (SSRF) via the /convert/html endpoint when the src attribute of an HTML element refers to an internal system file, such as <iframe src='file:///etc/passwd'>.
CVE-2021-21297
PUBLISHED: 2021-02-26
Node-Red is a low-code programming for event-driven applications built using nodejs. Node-RED 1.2.7 and earlier contains a Prototype Pollution vulnerability in the admin API. A badly formed request can modify the prototype of the default JavaScript Object with the potential to affect the default beh...
CVE-2021-21298
PUBLISHED: 2021-02-26
Node-Red is a low-code programming for event-driven applications built using nodejs. Node-RED 1.2.7 and earlier has a vulnerability which allows arbitrary path traversal via the Projects API. If the Projects feature is enabled, a user with `projects.read` permission is able to access any file via th...