3 Botnets Unite in Huge DDoS Attack

Wednesday, September 7, 2016 @ 03:09 PM gHale


A website suffered from a Layer 7 distributed denial of service (DDoS) attack that involved traffic from over 47,000 distinct IP addresses, researchers said.

Most of the attacks came from IoT (CCTV) devices, home routers, and compromised Linux servers.


The attack reached 120,000 requests per second, and the attacker used a flood of HTTPS packets in order to maximize resource consumption on the target’s machines, said researchers at Sucuri, who were called in to mitigate the incident.

After the attack had subsided, Sucuri researchers found the DDoS traffic didn’t come from a single source; instead, the attacker had combined three distinct botnets.

The company was aware of one of the botnets, which they discovered at the end of June.

This was a 25,000-strong botnet assembled after compromising Internet-connected CCTV devices from different vendors, most of which were running firmware made by Chinese firm TVT.

The group behind this DDoS attack wanted a more powerful assault, so it created another botnet to help its efforts.

The group was controlling another botnet comprising 11,767 home routers from eight major industry brands, researchers said.

The attackers took control of these devices by using various firmware vulnerabilities or by hijacking the routers for which device owners didn’t change the default admin panel password.

Compromised Huawei routers made up more than half of this botnet, with 6,015 devices, almost 51 percent of the entire botnet. Next came MikroTik RouterOS (2,119 devices, 18 percent) and AirOS routers (245 routers), along with NuCom 11N Wireless Routers, Dell SonicWall, Vodafone, Netgear, and Cisco.

The home router botnet was very effective because the compromised devices were not all in the same geographical area, a concentration that would have been easy to block.

Devices were spread all over the world, but mainly in Spanish-speaking countries, such as Spain (45 percent of the entire botnet), Uruguay, Mexico, the Dominican Republic, and Argentina.

The third and last botnet used in the DDoS attack consisted of compromised web servers coming from data centers.

“This new [three-botnet] distribution allowed the attacker to generate a massive number of requests per second without affecting the operation of the infected devices,” Sucuri CTO Daniel Cid said. “Under this configuration, the devices would only need to generate a few requests per second – well within their means.”