An unnamed college in the United States was the target of a distributed denial of service (DDoS) attack, launched using a variant of the Mirai botnet.
The attack lasted over 54 hours straight, from February 28 through March 3. This makes the attack notable for duration alone, in a world where the average DDoS attack lasts approximately 8 hours.
Researchers from Imperva Incapsula, the security company engaged by the school for DDoS protection, quickly attributed the attack to a Mirai-variant botnet on the basis of known Mirai signatures, including HTTP header values and the traffic sources involved.
However, the bots used 30 different user agents, none of them among the five hardcoded into the default Mirai release. Taken together with the size and duration of the attack, this led the researchers to conclude that they were dealing with a new, application-layer variant of Mirai, distinct from the publicly released default Mirai code that was behind last year’s network-layer DDoS attacks on Dyn DNS and Krebs on Security.
The average traffic flow during the attack was 30,000 requests per second (RPS), peaking at 37,000 RPS. Over the 54-hour attack, the college network was hit with over 2.8 billion requests. (Note that 30,000 RPS sustained for 54 hours would amount to roughly 5.8 billion requests, so the reported average and the reported total cannot both apply to the full 54-hour window.) Traffic originated from 9,793 IP addresses worldwide, with the majority in the U.S., Israel and Taiwan.
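The attribution above rests on a handful of measurements taken from HTTP traffic: requests per second (average and peak), total request count, number of distinct source addresses, and the set of User-Agent strings in play. The following Python is an added example, not Imperva's or Incapsula's code, that computes those same figures from web-server access-log lines in the common "combined" format; the log lines it runs on are constructed for the example, and the names `parse_line`, `summarise` and `SAMPLE_LOG` are assumptions of this example.

```python
"""Summarise an HTTP flood from access-log lines: RPS (average and peak),
total requests, distinct source IPs and distinct User-Agent strings.

Added example; not code from the Incapsula report. The sample log below is
constructed for illustration.
"""
import re
from collections import Counter
from datetime import datetime

# Apache/nginx "combined" log format:
#   ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"  # e.g. 28/Feb/2017:10:00:00 +0000


def parse_line(line):
    """Return (ip, timestamp, user_agent) for one combined-format line,
    or None if the line does not parse (malformed lines are skipped, not fatal)."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group("ts"), TS_FMT)
    except ValueError:
        return None
    return m.group("ip"), ts, m.group("ua")


def summarise(lines, top_n=3):
    """Compute the attack metrics the report quotes: total requests, observed
    duration in seconds, average and peak RPS, distinct IPs and User-Agents,
    plus the busiest source addresses."""
    per_second = Counter()   # requests bucketed by whole second
    ips = Counter()
    uas = Counter()
    skipped = 0
    first = last = None
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            skipped += 1
            continue
        ip, ts, ua = rec
        per_second[ts] += 1
        ips[ip] += 1
        uas[ua] += 1
        first = ts if first is None or ts < first else first
        last = ts if last is None or ts > last else last
    total = sum(per_second.values())
    if total == 0:
        return {"total": 0, "skipped": skipped}
    duration_s = int((last - first).total_seconds()) + 1  # inclusive window
    return {
        "total": total,
        "skipped": skipped,
        "duration_s": duration_s,
        "avg_rps": total / duration_s,
        "peak_rps": max(per_second.values()),
        "distinct_ips": len(ips),
        # The report compared this figure against the 5 User-Agents hardcoded
        # in default Mirai; the sample below is far too small to be meaningful.
        "distinct_uas": len(uas),
        "top_ips": ips.most_common(top_n),
    }


def _line(ip, ts, ua):
    """Build one constructed combined-format log line (sample data only)."""
    return f'{ip} - - [{ts} +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "{ua}"'


# Constructed sample: eight requests over three seconds from four addresses
# (documentation ranges), three User-Agent strings, plus one malformed line.
SAMPLE_LOG = [
    _line("198.51.100.10", "28/Feb/2017:10:00:00", "UA-A"),
    _line("198.51.100.11", "28/Feb/2017:10:00:00", "UA-B"),
    _line("203.0.113.5",   "28/Feb/2017:10:00:00", "UA-A"),
    _line("198.51.100.10", "28/Feb/2017:10:00:01", "UA-C"),
    _line("198.51.100.11", "28/Feb/2017:10:00:01", "UA-A"),
    _line("203.0.113.5",   "28/Feb/2017:10:00:01", "UA-B"),
    _line("192.0.2.77",    "28/Feb/2017:10:00:01", "UA-A"),
    _line("198.51.100.10", "28/Feb/2017:10:00:02", "UA-A"),
    "this line is not in combined log format",
]

if __name__ == "__main__":
    for key, value in summarise(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On a real incident you would feed `summarise` the access log for the attack window (or a flow export converted to the same shape) and compare `distinct_uas` and the actual User-Agent strings against the botnet's known defaults, which is the check that led the researchers to call this a variant rather than stock Mirai.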
The devices harnessed for the attack included CCTV cameras, routers, and DVRs. The researchers found that 56% of the DVRs involved came from a single manufacturer, which has been notified of its products’ role in the attack.
The security company noted that the attackers may have compromised the devices through open telnet and TR-069 ports (TR-069, the CPE WAN Management Protocol, is normally exposed on TCP port 7547), exploiting known vulnerabilities. Last November, researchers at Bad Cyber linked a TR-069 vulnerability to a Mirai variant, which may also have been used in the college attack.
The researchers noted that less than a day later another DDoS ‘burst’ attack was launched at the same target, but it lasted only an hour and reached about half the average request rate of the original attack. They expect several more bursts before the attackers move on.