Mirai-based botnet launches major DDoS attack on streaming service

A massive 13-day long Distributed Denial of Service (DDoS) attack on a single online service has been launched by a Mirai-based botnet, according to Imperva.

The botnet, which was observed coordinating 402,000 different IPs, most of which are apparently located in Brazil, was using Internet of Things (IoT) devices with opened ports 2000 and 7547, ports that have been historically associated with devices infected by the Mirai malware, a report states.

The attack, Imperva says, peaked 292,000 RPS (Requests-Per-Second), being the largest Layer 7 (application layer) assault the Internet security company has seen to date.

To mask their attack, the actor used a legitimate User-Agent that resembled the one used by the service’s own application (an organization in the entertainment industry).

“For a time, the attack targeted the authentication component of the streaming application. We are not sure if the intent of the attackers was to perform a brute force attack or DDoS attack, but without an accurate mitigation mechanism, the result was the same — denial of service,” Imperva states.

While specific protections could prevent account takeover attacks, a botnet of such scale can perform a “slow and low” assault, where “each IP tries a few logins, goes inactive, and then tries a few more.” With a low access rate, the botnet mimics legitimate login attempts are remains under rate limit policies.

The botnet launching this attack is based on Mirai, the IoT malware that first emerged in 2016. More recently, security researchers have observed Mirai variants that target devices specifically intended for businesses, suggesting a shift if focus on enterprise environments.

The malware first compromises improperly protected or vulnerable IoT devices, and then uploads malicious code to ensure they can receive commands from the command and control (C&C) server.