The streaming application of an entertainment company was under siege for 13-days as a 400,000 device-strong IoT botnet hammered at its network and servers during an extensive distributed denial-of-service (DDoS) attack.
The attack occurred on April 24, during which the streaming server was hit with more than 290,000 request per second when the attack was in full swing, which makes it one of the largest Layer 7 DDoS attacks recorded.
Layer 7 attacks refer to those targeting the top layer in the OSI model where common internet requests such as HTTP GET and HTTP POST occur, in contrast to network layer attacks such as DNS Amplification. This particular attack sought to crash the company’s servers by overworking it with GET/POST requests.
See also: A Tale of Two Honeypots: From Telnet to the Cloud
Vitaly Simonovich security researcher at Imperva,which detected the attack, wrote in a report that: “The attackers used a legitimate User-Agent, the same as used by the entertainment industry customer service application, to mask their attack.”
“For a time, the attack targeted the authentication component of the streaming application. We are not sure if the intent of the attackers was to perform a brute force attack or DDoS attack, but without an accurate mitigation mechanism, the result was the same — denial of service.”
Entertainment Botnet Attack
When Imperva looked at the attack they found that most of the IPs had the same open ports; 2000 and 7547, theses ports are often associated with IoT device that are infected by Mirai malware.
Upon an analysis of the IPs that were connected to the attack Imperva noticed that the majority of the attack had apparently been orchestrated from a source in Brazil, although false flag efforts by hackers can make tracing the source of an attack challenging.
Mirai, which takes over insecure Internet of Things (IoT) devices, from routers to baby monitors, became infamous in 2016 after using a sprawling network of compromised devices to cripple domain registration service provider Dyn.
The high profile DDoS attack, which made use of over 500,000 infected devices, took Dyn customers including the BBC, Netflix and Twitter offline for hours.
Imperva researchers note that Mirai is a malware that can be altered easily stating that: “Mirai source code contains only DDoS functionality, but nothing prevents the attacker from including other malicious software to take advantage of compromised devices and perform additional attacks, such as brute force.”