Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

7/24/2019
03:10 PM
100%
0%

Mirai-Like Botnet Wages Massive Application-Layer DDoS Attack

IoT botnet-made up mainly of routers-hit a service provider with nearly 300,000 requests-per-second in a 13-day deluge of data.

A collection of more than 400,000 connected devices - mainly home routers - for 13 days leveled a powerful application-layer attack on a online entertainment-service provider.

The attack used packets designed to appear as valid requests to the targeted application with the aim of chewing up bandwidth and server resources and reached a peak rate of 292,000 requests per second, according to a report released on July 24 by security firm Imperva, which blocked the attack.

The distributed denial of service (DDoS) attack, also known as an application-layer or layer-7 attack, came from devices compromised by the attackers and likely aimed to take down the company's service, says Vitaly Simonovich, a security researcher for Imperva.

"This is not the first time this customer got attacked," he says. "In the past, we witnessed this customer get attacked via network-layer DDoS attacks and also attackers have tried to steal their service, or use it without paying them."

Distributed denial-of-service attacks are now considered the cost of doing business online, and companies need to plan for the attacks. In a survey released on July 24, data-center services firm US Signal found that 83% of organizations had suffered a DDoS attack in the past two years, and the average downtime caused by such an attack was 12 hours. The survey also found that 81% of organizations had their web application targeted in a cyberattack. 

"The number of respondents that have experienced DDoS and application attacks is jarring, demonstrating that there is always room for improvement in keeping up with modern cyberthreats," Trevor Bidle, vice president of information security and compliance officer at US Signal, said in a statement.

Yet, network packet floods continue to set new records in terms of volume and sustained traffic. 

The attack on Imperva's client is not the largest, but represents one of the most significant application-layer attacks. Volumetric attacks, which try to overload a target's network bandwidth and infrastructure with a massive deluge of data, have exceeded 500 million packets per second, according to Imperva. For comparison, the DDoS attack against GitHub in 2018 exceeded 1.35 terabits per second, or about 130 million packets per second, the company said.

In 2016, the original Mirai malware, along with several variants, were used to conduct massive DDoS attacks against a variety of targets. More than one attack peaked at more than 600 gigabits per second and the attack against infrastructure provider Dyn in October 2016 exceeded 1 terabit per second.

Volumetric and application attacks are different and target different parts of a company's online infrastructure. Web applications can typically handle tens or hundreds of gigabits of legitimate traffic, but typical Web servers handle perhaps 25,000 requests per second, says Imperva's Simonovich.

"Today, customers that use cloud services can scale up in no time," he says. "This means that when the number of requests is growing, the cloud platform can spawn more servers to handle the load. It also means that the customer will pay more to the cloud provider."

Routers Located in Brazil

Imperva tracked much of the traffic in the latest attack back to compromised home routers in Brazil. While the company does not believe that the attacks came from the Mirai botnet because the code to the malicious software had been released some time ago, underground developers have modified Mirai to incorporate a variety of attacks.

Because of the large number of Internet-of-things devices — tens of billions of network-connected devices by most accounts — and the lack of security concerns of most manufacturers and consumers, the population of vulnerable devices will only likely continue to grow, Imperva said.

"Botnets of IoT devices will only get larger," the company said. "We live in a connected world, so the number of IoT devices continues to grow fast and vendors still do not consider security a top priority."

Related Content:

 

Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

 

 

 

 

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
tdsan
100%
0%
tdsan,
User Rank: Ninja
7/25/2019 | 8:07:12 AM
Interesting points about the cloud

"Today, customers that use cloud services can scale up in no time," he says. "This means that when the number of requests is growing, the cloud platform can spawn more servers to handle the load. It also means that the customer will pay more to the cloud provider."

If we look at this statement, this could affect company's bottom lines because of the sheer volume of data being sent across the network; cloud providers like IBM and Google will protect customers but AWS and Azure will charge customers for ingress data streams. There are organizations that provide a level of protection from a DDoS standpoint but that should be a service provided by the CSP, some of the organizations that help mitigate the problem that is listed on the market place are: (DDoS Protection Companies):
  • Akamai
  • RedGuardian
  • CloudFlare
  • A10
  • Distil Networks

A boatload of others can be found on the link; however, if companies utilized marketplace vendors to address this problem, they will still be charged because of the application is found inside of the Virtual Gateway (VGW), since they are using quasi radius method of accounting, the organizations who have purchased internal marketplace solutions will still be affected; those that have purchased external DDoS solutions (i.e Akamai or CloudFlare) won't feel the financial crunch as much as others, this will be more of an insurance policy.

Todd
SOC 2s & Third-Party Assessments: How to Prevent Them from Being Used in a Data Breach Lawsuit
Beth Burgin Waller, Chair, Cybersecurity & Data Privacy Practice , Woods Rogers PLC,  12/5/2019
Navigating Security in the Cloud
Diya Jolly, Chief Product Officer, Okta,  12/4/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-19698
PUBLISHED: 2019-12-10
marc-q libwav through 2017-04-20 has a NULL pointer dereference in wav_content_read() at libwav.c.
CVE-2019-4428
PUBLISHED: 2019-12-09
IBM Watson Assistant for IBM Cloud Pak for Data 1.0.0 through 1.3.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session....
CVE-2019-4611
PUBLISHED: 2019-12-09
IBM Planning Analytics 2.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 168519.
CVE-2019-4612
PUBLISHED: 2019-12-09
IBM Planning Analytics 2.0 is vulnerable to malicious file upload in the My Account Portal. Attackers can make use of this weakness and upload malicious executable files into the system and it can be sent to victim for performing further attacks. IBM X-Force ID: 168523.
CVE-2019-4621
PUBLISHED: 2019-12-09
IBM DataPower Gateway 7.6.0.0-7 throug 6.0.14 and 2018.4.1.0 through 2018.4.1.5 have a default administrator account that is enabled if the IPMI LAN channel is enabled. A remote attacker could use this account to gain unauthorised access to the BMC. IBM X-Force ID: 168883.