Massive Botnet Attack Used More Than 400,000 IoT Devices
Researchers at Imperva Say Incident Mimicked Mirai-Style DDoS Attack
A massive botnet attack earlier this year utilized more than 400,000 connected devices over the course of 13 days, according to researchers at the security firm Imperva.
The attack, which occurred between March and April at one of the firm’s clients in the “entertainment industry,” targeted an online streaming application, Imperva says in a blog. At one point, the botnet produced more than 292,000 requests per minute, the researchers say.
This particular botnet, and the distributed denial-of-service attack associated with it, mirrored some of the same activity seen with the Mirai botnet, which first appeared in 2016. For example, it used some of the same open ports as devices infected by Mirai malware, according to the blog.
"It was the largest Layer 7 DDoS attack Imperva has ever seen," researcher Vitaly Simonovich notes in the blog.
For any online company, these types of distributed denial-of-service attacks are bound to happen and, in most cases, it's a matter of when, not if, Simonovich tells Information Security Media Group. The best preparation is to ensure the company's defenses can handle attacks that are increasing in size.
"If you have a DDoS protection solution in place, you’ll want to check to ensure that the mitigation solution can handle an attack of this size," Simonovich says. "Attackers are continually improving in their capabilities and becoming increasingly more sophisticated, therefore, mitigation solutions should not be overlooked."
During the course of those 13 days, the attacks against the online service did not stop, but Simonovich writes that Imperva was able to keep the attack from overwhelming the company's infrastructure, and the customer reported no downtime. It's not clear why the attack stopped when it did.
The DDoS attack described by Imperva is also known as a Layer 7 or application-layer attack because it targeted the company's web services.
This is the second time that Imperva has observed a massive botnet targeting one of its clients. In 2017, another customer - described as a U.S.-based college - sustained a similar attack when a variant of the Mirai botnet waged a 54-hour distributed denial-of-service attack, with an average traffic flow of 30,000 requests per second that produced over 2.8 billion requests during the incident, Imperva reports.
Imperva researchers haven't yet determined, however, whether the attack described in its new blog used the Mirai malware or any of its variants, and it remains unclear whether the attackers' intention was to perform a brute-force attack or a credential-stuffing attack.
Compromised IoT Devices
When Imperva researchers looked closer at the IP addresses involved in the attack earlier this year, they determined most were associated with internet of things and other types of connected devices located in Brazil.
The attackers used the same user agent that the company's application uses. This allowed them to target the authentication component while masking their true purpose, since the network couldn't tell the difference between malicious and legitimate traffic, according to Imperva. By doing this, the attack could eat up computing resources by overwhelming the application with malicious internet traffic, triggering a denial of service and disrupting the application.
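When every request carries the application's own user agent, detection has to rest on other signals. The following added example (not Imperva's code or method) scores per-minute traffic to the authentication endpoint by volume, number of distinct sources and share of failed logins. The log format, the `/api/login` path, the `StreamApp/4.2` user agent, the failed-login signal and the thresholds are all assumptions made for illustration.

```python
from collections import defaultdict

AUTH_PATH = "/api/login"   # hypothetical authentication endpoint
APP_UA = "StreamApp/4.2"   # hypothetical user agent of the legitimate client

def parse(line):
    """Split a constructed log line: '<HH:MM:SS> <ip> <path> <status> <user-agent>'."""
    ts, ip, path, status, ua = line.split(" ", 4)
    return ts[:5], ip, path, int(status), ua   # ts[:5] is the minute bucket

def flag_auth_floods(lines, max_per_min=20, min_sources=10, max_fail_ratio=0.5):
    """Return (minute, requests, sources) for minutes that look like a distributed flood.

    The user agent is deliberately not a signal: attack traffic carries the
    application's own UA, so the decision rests on request volume, source
    spread and the share of failed logins (illustrative thresholds).
    """
    buckets = defaultdict(lambda: {"n": 0, "fail": 0, "ips": set()})
    for line in lines:
        minute, ip, path, status, _ua = parse(line)
        if path != AUTH_PATH:
            continue
        b = buckets[minute]
        b["n"] += 1
        b["fail"] += status in (401, 403)   # count rejected logins
        b["ips"].add(ip)
    flagged = []
    for minute, b in sorted(buckets.items()):
        if (b["n"] > max_per_min and len(b["ips"]) >= min_sources
                and b["fail"] / b["n"] > max_fail_ratio):
            flagged.append((minute, b["n"], len(b["ips"])))
    return flagged

def sample_log():
    """Constructed sample: one normal minute, then one minute of flood traffic."""
    normal = [f"12:00:{s:02d} 198.51.100.{s % 5} {AUTH_PATH} 200 {APP_UA}"
              for s in range(0, 60, 6)]   # 10 requests from 5 sources
    flood = [f"12:01:{s:02d} 203.0.113.{s} {AUTH_PATH} 401 {APP_UA}"
             for s in range(60)]          # 60 requests from 60 sources
    return normal + flood

if __name__ == "__main__":
    for minute, n, sources in flag_auth_floods(sample_log()):
        print(f"{minute}: {n} auth requests from {sources} sources, mostly failed")
```

Both the normal and the flood minute in the sample use the same user agent, so a user-agent filter would pass all of it; only the aggregate view separates them.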
It's unusual for attackers to use a botnet to target an application.
In other attacks involving botnets, Imperva has recorded attacks at the network level, also called Layer 3/4, which can reach a peak of 500 million packets per second. In this case, however, it's one of the largest botnet attacks that targeted the application layer.
"In general, botnets are used for coordinated attacks, such as DDoS, credential stuffing, brute force attacks, etc," Simonovich says. "The more zombie computers you have in your botnet, the larger the DDoS attack will be. If you want to bring down a web service, it's logical that you will target the application layer and try to overwhelm the web server or the database server."
In botnet attacks, the first step is to compromise connected devices. Once the malware is planted in these devices, they can receive instructions from the command-and-control server and start a distributed denial-of-service attack or carry out other malicious activity.
Many internet of things devices are not designed with security in mind. Earlier this year, a researcher found that nearly 2 million such devices, including security cameras, baby monitors and smart doorbells, were vulnerable to being compromised due to a flaw in their built-in peer-to-peer software (see: 2 Million IoT Devices Have P2P Software Flaw: Researcher).
Botnets on the Rise
Despite the prosecution of the creators of Mirai, botnet attacks have continued (see: UK Sentences Man for Mirai DDoS Attacks Against Liberia).
Following the original Mirai attacks in 2016, the source code of that malware was made public, which allowed anyone to build on it and carry out further attacks.
In March, Palo Alto Networks uncovered a new version of the malware with 11 new exploits, specially designed for targeting internet of things devices (see: Mirai Botnet Code Gets Exploit Refresh).
According to a researcher at Palo Alto, the new vulnerabilities were discovered in software used by Barco and LG. These companies were targeted to access larger bandwidth, thus helping the malicious actors to launch a wider attack.
With the increase in use of internet of things devices in enterprises, Imperva's Simonovich notes, the botnet attacks are likely to continue.
"Since 2016, many new IoT vendors have entered the market. Few have learned from the security mistakes of the past. As a result, today IoT devices are used in most of the large botnets we have seen," Simonovich says.
(Managing Editor Scott Ferguson contributed to this report.)