A newly discovered variant of the Mirai malware was recently used in a massive, sustained DDoS attack against a college in the United States, an attack that lasted more than two days.
The Mirai malware has been involved in several of the largest DDoS attacks ever seen, including one that hit the Dyn DNS provider earlier this year and another that took down French hosting provider OVH. The latter attack reached a peak volume of 1 Tbps. Mirai is unusual in other ways as well, particularly in that attackers typically use it to infect IoT devices such as DVRs, surveillance cameras, and even home routers.
The new attack, observed by researchers at Imperva, included traffic from those types of devices and reached a peak volume of about 37,000 requests per second. While the attacking devices were familiar, there were some differences in the way the malware itself behaved.
“We also noticed that the DDoS bots used in the attack were hiding behind different user-agents than the five hardcoded in the default Mirai version. This–and the size of the attack itself–led us to believe that we might be dealing with a new variant, which was modified to launch more elaborate application layer attacks,” Dima Bekerman of Imperva said in a post analyzing the attack.
The attacking devices used more than 30 different user-agents, and traffic came from nearly 10,000 individual IP addresses. The largest share of traffic came from compromised devices in the U.S., but many attacking devices were located in Israel, Taiwan, and India as well. All in all, the Mirai attack on the college lasted 54 straight hours, Bekerman said. A second, shorter attack hit the college the next day.
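The signals described above (a high request rate, thousands of distinct source IPs, and dozens of rotating User-Agent strings) are exactly what a web-server log analyzer can watch for. The following is an added example written for this page, not code from Imperva or from the article's author: it parses Combined Log Format lines, buckets requests into fixed time windows, and flags any window whose request rate, distinct-IP count and distinct-User-Agent count all exceed thresholds. The log lines, IP addresses, User-Agent strings and thresholds are all constructed for illustration and are far smaller than the 37,000 requests per second reported in the attack; tune the thresholds to your own baseline.

```python
"""Added example (not from the article or Imperva): flag HTTP request floods
that arrive from many client IPs rotating through many User-Agent strings.
All sample data and thresholds below are constructed for illustration."""
from collections import defaultdict
from datetime import datetime, timezone
import re

# Combined Log Format: ip ident user [ts] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log: an eight-request burst in one second from six IPs
# using five different User-Agents, then a single request five seconds later.
SAMPLE_LOG = """\
198.51.100.10 - - [28/Feb/2017:10:00:00 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 6.1) Gecko/20100101 Firefox/51.0"
198.51.100.11 - - [28/Feb/2017:10:00:00 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 Chrome/56.0"
198.51.100.12 - - [28/Feb/2017:10:00:00 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12) Safari/602.4"
198.51.100.13 - - [28/Feb/2017:10:00:00 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Linux; Android 6.0) AppleWebKit/537.36 Mobile"
198.51.100.14 - - [28/Feb/2017:10:00:00 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/45.0"
198.51.100.15 - - [28/Feb/2017:10:00:00 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 6.1) Gecko/20100101 Firefox/51.0"
198.51.100.10 - - [28/Feb/2017:10:00:00 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 Chrome/56.0"
198.51.100.11 - - [28/Feb/2017:10:00:00 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12) Safari/602.4"
203.0.113.7 - - [28/Feb/2017:10:00:05 +0000] "GET /about HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (Windows NT 6.1) Gecko/20100101 Firefox/51.0"
"""


def parse_line(line):
    """Return {'ip', 'ts', 'ua'} for a well-formed log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "ua": m.group("ua")}


def window_stats(lines, window_seconds=1):
    """Bucket requests into fixed windows; track count, distinct IPs and distinct UAs per window."""
    buckets = defaultdict(lambda: {"count": 0, "ips": set(), "uas": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:  # skip unparsable lines rather than crashing on them
            continue
        key = int(rec["ts"].timestamp()) // window_seconds
        b = buckets[key]
        b["count"] += 1
        b["ips"].add(rec["ip"])
        b["uas"].add(rec["ua"])
    return buckets


def flag_floods(lines, window_seconds=1, min_rps=1000, min_ips=100, min_uas=10):
    """Return windows where rate, source-IP spread and UA diversity all exceed thresholds.

    Requiring all three together distinguishes a distributed flood with rotating
    User-Agents from a single busy client or a legitimate traffic spike."""
    flagged = []
    for key, b in sorted(window_stats(lines, window_seconds).items()):
        rps = b["count"] / window_seconds
        if rps >= min_rps and len(b["ips"]) >= min_ips and len(b["uas"]) >= min_uas:
            start = datetime.fromtimestamp(key * window_seconds, tz=timezone.utc)
            flagged.append({
                "window_start": start.isoformat(),
                "requests": b["count"],
                "distinct_ips": len(b["ips"]),
                "distinct_user_agents": len(b["uas"]),
            })
    return flagged


if __name__ == "__main__":
    # Deliberately low thresholds so the constructed sample trips the detector.
    for hit in flag_floods(SAMPLE_LOG.splitlines(), min_rps=5, min_ips=4, min_uas=3):
        print(hit)
```

In production the thresholds would come from a measured baseline rather than constants, and the per-window counters would be kept in a streaming store rather than rebuilt from a full log; the three-way condition is the part worth keeping, since rate alone cannot tell a rotating-UA botnet from a flash crowd.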
Mirai has been used in a variety of different types of attacks, both small and large, for the last six months. The source code for the malware was released last fall, which has helped fuel the fire. Bekerman said the attack on the unnamed college may be a harbinger of things to come.
“Looking at the bigger picture, this variant of Mirai might be a symptom of the increased application layer DDoS attack activity we saw in the second half of 2016. That said, with over 90 percent of all application layer assaults lasting under six hours, an attack of this duration stands in a league of its own,” he said.