Just 10 days before the end of 2016, researchers from Imperva uncovered a massive 650Gbps DDoS attack generated by a new internet of things (IoT) botnet, dubbed “Leet” after a character string in the payload. It’s the first that can rival Mirai.
The attack—the largest on record for the firm’s network—began around 10:55 a.m. on December 21, targeting several anycasted IPs on the Imperva Incapsula network. The first DDoS burst lasted roughly 20 minutes, peaking at 400Gbps. Failing to make a dent, the offender regrouped and came back for a second, 17-minute round. This time enough botnet “muscle” was used to generate a 650Gbps DDoS flood of more than 150 million packets per second (Mpps).
Though this particular attack was mitigated, things are about to get much worse, researchers said. A payload analysis showed that the entire attack was just a mishmash of pulverized system files from thousands upon thousands of compromised IoT devices—meaning that the Mirai IoT botnet now has competition.
Imperva determined that the culprit behind the offensive was not Mirai, which uses hard-coded SYS file sizes. This attack’s traffic was generated by two different SYN payloads: regular ones, and abnormally large SYN packets ranging from 799 to 936 bytes in size. The former was used to achieve high Mpps packet rates, while the latter was employed to scale up the attack’s capacity to 650 Gbps.
“Attacks that combine the use of small and large payloads have become increasingly common since we first reported them in the spread their odds by trying to both clog network pipes and bring down network switches,” researchers said in an analysis. They added, “While some [of the large] payloads were populated by seemingly random strings of characters, others contained shredded lists of IP addresses. These shredded IP lists hinted … that the malware we faced was programmed to access local files and scramble their content to generate its payloads.”
Also, Mirai payloads are generated from random strings, while the payloads in this attack were structured from the content of system files.
This all points to a new botnet, identified by the signature the malware’s author left in the TCP header: “1337.” This is hacker code for “Leet,” a.k.a. “Elite.”
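As an added example that is neither the article's nor Imperva's code, the following Python triage routine applies the traits reported above (SYN packets carrying unusual 799 to 936 byte payloads, SYNs carrying any data at all, and the "1337" marker in the TCP header bytes) to packet records. The record format, field names and sample packets are assumptions constructed for the example.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed record format (an assumption, not a real capture schema):
# one object per packet, with the raw TCP option bytes and the data
# that follows the TCP header.
@dataclass
class Pkt:
    src: str
    flags: str        # TCP flag letters, e.g. "S" for SYN, "A" for ACK
    options: bytes    # raw TCP options bytes
    payload: bytes    # bytes after the TCP header

SIGNATURE = b"1337"      # marker the article reports in the TCP header
LARGE_SYN = (799, 936)   # abnormal SYN payload size range from the report

def classify(p: Pkt) -> Optional[str]:
    """Label a packet that matches one of the reported traits, else None."""
    if "S" not in p.flags:
        return None                      # only SYN traffic is of interest
    if SIGNATURE in p.options:
        return "leet-signature"
    n = len(p.payload)
    if LARGE_SYN[0] <= n <= LARGE_SYN[1]:
        return "large-syn"
    if n > 0:
        return "syn-with-payload"        # a normal SYN carries no data
    return None

def summarize(pkts) -> Counter:
    """Count matching packets per label; an empty Counter means no hits."""
    counts = Counter()
    for p in pkts:
        label = classify(p)
        if label:
            counts[label] += 1
    return counts

# Constructed sample packets (not real capture data).
SAMPLE = [
    Pkt("203.0.113.5", "S", b"\x02\x04\x05\xb4", b""),                  # ordinary SYN
    Pkt("203.0.113.6", "S", b"\x02\x04\x05\xb4" + b"1337", b"x" * 40),  # marker in options
    Pkt("203.0.113.7", "S", b"", b"\x00\x01" * 400),                    # 800-byte SYN payload
    Pkt("203.0.113.8", "A", b"", b"1337"),                               # ACK: ignored
    Pkt("203.0.113.9", "S", b"", b"10.0.0.1,10.0.0.2"),                  # small SYN payload
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```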
Ominously, the attack is a sign of things to come, the researchers said.
“So far, all of the huge DDoS attacks of 2016 were associated with the Mirai malware,” the researchers said. “However, the payload characteristics clearly show that neither Mirai nor one of its more recent variants was used for this assault.”
They added, “With 650Gbps under its belt, the Leet botnet is the first to rival Mirai’s achievements. However, it will not be the last. This year we saw DDoS attacks escalate to record heights and these high-powered botnets are nothing more than a symptom of the times.”