New botnet with lots of cameras and some routers

DDoS attacks send ripples on the ocean of the Internet, produced by creations of various sizes - botnets. Some of them feed at the top of the ocean, but there also exists a category of huge, deep water monstrosities that are rare and dangerous enough they could be seen only once in a very long time.

November 2021 we encountered, and mitigated, several attacks from a botnet, that seems to be unrelated to one described and/or well-known, like variants of Mirai, Bashlite, Hajime or Brickerbot. 

Although our findings are reminiscent of Mirai, we suppose this botnet is not based purely on propagating Linux malware, but a combination of brute forcing and exploiting already patched CVEs in unpatched devices to grow the size of it. Either way, to confirm how exactly this botnet operates, we need to have a sample device to analyze, which isn’t our area of expertise.

This time, we won’t give it a name. It is not 100% clear what we are looking at, what are the exact characteristics of it, and how big this thing actually is. But there are some numbers, and where possible, we have made additional reconnaissance in order to better understand what we’re dealing with. 

But let us first show you the data we’ve gathered, and leave conclusions closer to the end of this post.

First attack: November 8, 2021
14 973 devices with an attack peaking at 961 Gbps and 88 Mpps, this two minute long attack was the first in a series of assaults, aiming both the homepage and our customers’ resources. DNS amplification + "TCP random flood"  (later on that).

Distribution of answering endpoints from the attack sample implies the fact that we are looking at a botnet consisting primarily of connected cameras and routers, most notably two Cisco router models, responsible for approximately 15-25% of the identified parts of the botnet.

Second attack: November 12, 2021
Almost 10 000 devices, first pure "TCP random flood".

Third attack: November 13, 2021
17 509 devices, same "TCP random flood".

Fourth attack - our customer, November 13, 2021
Second largest attack, peaking at 841.6 Gbps and 74 Mpps. DNS amplification + "TCP random flood". With "only" 8600 devices.

Fifth attack: November 20, 2021
19 900 devices.

Since November 20, attacks have stopped, but we suppose that attackers simply switched to more vulnerable targets, instead of flexing at one of the DDoS attacks mitigation vendors.

In the first and the most serious attack yet there were 14 973 devices, taking part in the amplification attack reaching pretty high numbers. 1 Terabit per second is one terabit per second, after all. In the last attack we are looking at 19 900 endpoints. Which is bad news.

The attack vector used by this botnet is somewhat unusual. This is what could be called a "TCP random flood", although we weren’t able to find such a type of an attacking vector through quick search. What happens with these attacking devices is that they establish a TCP connection with the victim server and then flood it with random data, with large packets almost at the MTU limit.

In our experience, this is a not very widespread attacking vector, because higher bandwidth could be generated using reflection techniques, and higher packet intensity could be achieved by lowering the size of sent packets. This technique is more evasive than the UDP flood or smallest packet attack, hence the established TCP connection, but the random payload made us curious. Technically, that’s an L7 DDoS attack, but...

The thing is, web-servers, like the most popular NGINX, analyze part of the payload rather quickly and serve an HTTP 400 error, closing the connection.

The most sound reason why attacks are very short is the fact that if the exploited devices still serve their primary function, attacker don’t want to be very obvious and "lend" it for extended periods of time, which could be suspicious for the device’s owner - it is probably working a little "slower" when executing a DDoS attack, compared to when not.

Although, considering the fact that amplification is still very much available for attacks over the public Internet, meaning huge collateral damage, maybe that’s not the end of it. Here we are looking at something consistent in the size of attack power, but nobody knows how it would evolve in the future. Three times what we saw here for a little longer and there you’ve got the record-breaking event.