A powerful new botnet is being blamed for massive and sustained DDoS attacks that security researchers at CloudFlare compare to Mirai when it comes to intensity and scope.
The attacks began Nov. 23 and ran for eight hours daily, similar to an average workday. The consistent attacks occurred for seven straight days, starting each day at 10 a.m. PST. On the eighth day, the attackers turned up the heat, with DDoS assaults lasting 24 hours. Peak volumes reached 400 Gbps, close to that of Mirai, where attacks peaked at 620 Gbps.
“We believe that attackers were targeting gaming and virtual goods sites and services,” said John Graham-Cumming, CTO of CloudFlare who spotted the attacks and wrote about them in a blog post Friday. Attacks are believed to have originated from IP addresses in China and exclusively targeted servers in California.
“Attacks are focused on exhausting transmission control protocol resources at the Level 3 and Level 4 of a target’s TCP network layer,” Graham-Cumming said. He added that these SYN flood DDoS attacks differ from Mirai-type attacks that targeted the L7 (HTTP) network layer.
At this time CloudFlare can’t identify what type of devices (IoT, PCs or servers) this botnet is built upon. In the case of Mirai malware, attackers used botnets made up of IoT devices.
Since Mirai’s initial attack in September source code for the malware has been released. Last week, a new Mirai variant was identified that targeted DSL routers (TCP NTP Port 7547) of Germany’s Deutsche Telekom customers and knocked 900,000 of them offline.
“We are seeing a host of these new types of high-volume DDoS attacks,” Graham-Cumming said. “The underlying DDoS attacks are nothing new – technically speaking. It’s the volume, persistence and scope of the attacks that we are watching carefully.”
He suspects that Mirai DDoS attacks will continue in relatively short, intense and focused bursts. Graham-Cumming said this is because the Mirai source code has been released and most attackers are now buying time on Mirai botnets for time-limited assaults.