A botnet made up of 402,000 enslaved Internet-of-Things (IoT) devices has staged a 13-day distributed denial-of-service (DDoS) attack against an undisclosed streaming service, according to a blog post by cybersecurity firm Imperva. The company said it successfully counteracted the onslaught and the target suffered no downtime.
The attack, which goes back to late April and early May, was the largest application-layer DDoS attack (i.e. targeting Layer 7 of the OSI model) that Imperva has ever observed. The attackers apparently attempted to exhaust the application server’s resources with a barrage of HTTP traffic in a bid to take the service, or parts thereof, out. The onslaught was consistently well above 100,000 HTTP requests per second (RPS), peaking at 292,000 RPS.
For a time, the attack was directed at the authentication component of the streaming site. Chances are then that that the attackers carried out brute-force attacks and tested logins, although no analysis of the brute-force aspects of the attack was performed.
Nevertheless, a closer look at the IPs of the devices involved showed that the attack originated mainly from Brazil. Also, most of the devices had two ports open, 2000 and 7547, that are known to have been used by Mirai.
The Mirai botnet malware is notorious for having hijacked tens of thousands of IoT devices in 2016 that were then unleashed to conduct a series of DDoS attacks. This included knocking out thousands of websites for many internet users, especially on the US East Coast.
Compared to attacks that hit Layers 3 (Network) and 4 (Transport) of the OSI stack, Layer 7-specific attacks often receive less attention and can be harder to counter, including because applications are intended to receive requests from users and the bogus requests are made to look like legitimate traffic. DDoS attacks in general may also be intended as smoke screens for other nefarious actions.