Attackers Combine Three Botnets to Launch Massive DDoS Attack


Crooks use a botnet of CCTV cameras, one of home routers, and one made up of compromised web servers.

An unnamed website has been on the receiving end of a ferocious Layer 7 DDoS attack that involved traffic from over 47,000 distinct IP addresses, most of which belonged to IoT (CCTV) devices, home routers, and compromised Linux servers.

Sucuri, a US web security vendor who was called in to mitigate the incident, says the attack reached a whopping 120,000 requests per second, and that the attacker used a flood of HTTPS packets in order to maximize resource consumption on the target’s machines.

Most of the DDoS traffic came from hijacked CCTV systems

After the attack had subsided, the Sucuri experts investigating the incident discovered that the DDoS traffic didn’t come from a single source: the attacker had combined (and possibly rented) three distinct botnets.

The company was well aware of one of the botnets, which they previously discovered at the end of June.

This was a 25,000-strong botnet assembled after compromising Internet-connected CCTV devices from different vendors, most of which were running firmware made by Chinese firm TVT.

The group behind this recent DDoS attack wasn’t content with the capabilities provided by this botnet and had also created/rented another botnet to help their efforts.

A quarter of the traffic also came from compromised home routers

According to Sucuri, the group was controlling another botnet comprised of 11,767 home routers from eight major industry brands.

The attackers had taken control of these devices by exploiting various firmware vulnerabilities or by hijacking routers whose owners hadn’t changed the default admin panel password.

Compromised Huawei routers made up more than half of this botnet, with 6,015 devices, almost 51 percent of the total. Next came MikroTik RouterOS (2,119 devices – 18 percent) and AirOS routers (245 devices), followed by NuCom 11N Wireless Routers, Dell SonicWall, VodaFone, Netgear, and Cisco.

Geographic distribution of compromised home routers


Most compromised home routers found in Spanish-speaking countries

The home router botnet was very effective because the compromised devices were not concentrated in a single geographical area, which would have made them easy to block.

Devices were spread all over the world, but mainly in Spanish-speaking countries, such as Spain (45 percent of the entire botnet), Uruguay, Mexico, the Dominican Republic, and Argentina.

The third and last botnet used in the DDoS attack was made up of compromised web servers hosted in data centers.

“This new [three-botnet] distribution allowed the attacker to generate a massive number of requests per second without affecting the operation of the infected devices,” Sucuri CTO Daniel Cid explains. “Under this configuration, the devices would only need to generate a few requests per second – well within their means.”
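The distribution Cid describes is exactly what defeats per-source rate limiting: no single device ever looks abusive, so the flood is only visible in the aggregate. The following script is an added illustration, not Sucuri's tooling or data from the article; it parses constructed access-log lines and compares a per-IP limit with an aggregate capacity check. The log format, thresholds and traffic figures are all assumptions.

```python
# Windowed request-rate view of a distributed Layer 7 flood (constructed example).
# Log format, thresholds and traffic figures are assumptions, not Sucuri's data.
import re
from collections import Counter

# Assumed log format: '<ip> [<unix_ts>] "<METHOD> <path>"'
LOG_RE = re.compile(r'^(?P<ip>\S+) \[(?P<ts>\d+)\] "(?P<method>[A-Z]+) (?P<path>[^\s"]+)"')

def parse_line(line):
    """Return (ip, timestamp, path) or None for a malformed line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), int(m.group("ts")), m.group("path")

def build_constructed_log(n_sources, rps_per_source, seconds, start_ts=1000):
    """Constructed traffic: n_sources addresses each sending rps_per_source requests/s."""
    lines = []
    for s in range(seconds):
        for i in range(n_sources):
            ip = f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}"
            lines.extend(f'{ip} [{start_ts + s}] "GET /index.php"' for _ in range(rps_per_source))
    return lines

def window_stats(lines, window_seconds):
    """Return (total_rps, distinct_sources, max_per_ip_rps) over one window."""
    per_ip = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed is not None:
            per_ip[parsed[0]] += 1
    if not per_ip:
        return 0.0, 0, 0.0
    total = sum(per_ip.values())
    return total / window_seconds, len(per_ip), max(per_ip.values()) / window_seconds

def assess(stats, per_ip_limit, origin_capacity_rps):
    """A per-IP limit never fires on low-rate sources; the aggregate check does."""
    total_rps, sources, max_ip_rps = stats
    return {
        "per_ip_limit_triggered": max_ip_rps > per_ip_limit,
        "aggregate_over_capacity": total_rps > origin_capacity_rps,
        "distinct_sources": sources,
    }

if __name__ == "__main__":
    # 2,000 constructed sources at 3 requests/s each over 5 seconds: 6,000 rps aggregate.
    stats = window_stats(build_constructed_log(2000, 3, 5), window_seconds=5)
    print(assess(stats, per_ip_limit=10, origin_capacity_rps=1000))
```

In practice the aggregate signal (total rate plus a sudden jump in distinct sources) is what a mitigation provider acts on, while per-IP limits remain useful only against the small fraction of sources that do exceed them.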

Sucuri isn’t the only company that has discovered huge botnets of IoT devices engaging in DDoS attacks. Researchers from Arbor Networks have also discovered a botnet of 120,000 IoT devices, saying that overall, DDoS botnets are currently controlling over 1 million IoT devices.

Beginning of large-scale Layer-7 DDoS
