Intermittent DDoS attacks powered by the largest of the many Mirai-powered botnets targeting the African nation of Liberia have ceased today.
Researcher Kevin Beaumont who disclosed the attacks on Thursday said also that the domain controlling the attacker’s command and control infrastructure was disabled by registrar eNom; that domain pre-dates the DDoS attacks two weeks ago against Dyn.
While the attacks against Liberia have been shut down, they did this week periodically interrupt Internet service to the country and one mobile service provider told the IDG News Service that the attacks were “killing” its business and revenue.
Beaumont, a security architect with a U.K. company, said that Liberia has one undersea cable servicing Internet connectivity for the entire country. Telecommunications companies and service providers jointly own the cable, which provided the attackers with a single point of failure to focus their attack.
Beaumont also said that the botnet was able to generate 500 Gbps of traffic, making it among the largest attacks ever publicly recorded. The researcher, however, believes this was a test of denial-of-service capabilities against a nation.
“The attacks were short in duration, done in different ways against the same targets over a prolonged period, and against a nation which has some interesting characteristics – small, low profile, low percentage of Internet use per head,” Beaumont told Threatpost.
Once Beaumont published his report on Thursday, the attackers also pointed their DDoS traffic at a botnet monitoring service called MalwareTech, tracking its activity, and sent veiled threats to Beaumont.
Botnet #14 – DNS flood for 1 seconds
[Targets]
http://www.malwaretech.com (8.8.8.8/32)— Mirai Attacks (@MiraiAttacks) November 2, 2016
Botnet #14 – DNS flood for 1 seconds
[Targets]
kevin.lies.in.fear (8.8.8.8/32)— Mirai Attacks (@MiraiAttacks) November 2, 2016
“I believe they were trying to silence security researchers,” Beaumont said.
Mirai is malware that is used to scan for and compromise poorly secured connected devices such as IP-enabled cameras and DVRs. The malware’s source code has been publicly available since early October, and many different actors have taken advantage of that to recruit devices into botnets for the purposes of DDoS attacks.
DNS provider Dyn was targeted two weeks ago with two DDoS attacks that impacted not only Dyn’s ability to service its high-profile customers such as Twitter, Netflix and others, but also caused sluggish Internet service on the U.S. East Coast. Mirai botnets also were used in DDoS attacks against Krebs on Security and French webhost OVH; both of those attacks were reportedly larger than the attacks against Liberia.
“Mirai devices make up lots of different botnets. Threat actors ‘own’ a device and recruit it into their own botnet,” Beaumont said. “The largest of the tracked Mirai botnets is this one.”
Beaumont also said that the last command-and-control server controlling the botnet had an IP address in the Ukraine, but cautioned that it could be an attempt at misdirection; also the attack occurred only during certain times of the day.
With the contentious U.S. presidential election coming up on Tuesday, experts are concerned about hackers attempting to interfere with voters casting their ballots. NBC News reported yesterday that a coordinated effort between law enforcement and intelligence agencies is ready to counter any attempts by adversaries to sway voters via social media or worse, attacks against Internet connectivity or power utilities.
One unnamed Obama administration official was quoted by NBC: “We need to be prepared on every front, not just technical but messaging, and so on. Because any reporting irregularity could be incredibly disruptive. … They can cause tremendous chaos, and by the time we are able to attribute, the damage may have already been done.”
