Modded Mirai botnet behind massive application layer DDoS attack

Long onslaught generated 292,000 requests per second.

A post-mortem of a distributed denial of service attack between April and May this year points to a large new Mirai-style botnet being active, spanning around 402,000 internet protocol addresses.

Security vendor Imperva said the attack went on for 13 days continuously, with a peak flow of 292,000 requests per second.

The DDoS was directed at the authentication component of a streaming application operated by an entertainment industry customer of Imperva, but the security vendor is not sure if the intent was to perform a brute-force or credential stuffing attack to take over accounts.

Imperva found that most of the IP addresses were allocated to Brazil-based networks.

Further analysis showed that the devices with the IP addresses involved in the attack responded on ports 2000 and 7547.

These ports are known to be used by the Mirai worm, which in the past has compromised large numbers of Internet of Things devices such as surveillance cameras and commandeered them into botnets for massive DDoS attacks.

Mirai appeared in 2016 when the worm compromised hundreds of thousands of insecure IoT devices and broadband routers.

The worm was blamed for a massive, 1Tbps attack that overwhelmed domain name system services provider Dyn, resulting in several of the internet's largest properties becoming unreachable.

Even though three people were caught and sentenced last year for releasing Mirai on the internet, evolved variants of the worm continue to be used by attackers who modify the source code to add new features and default IoT device credentials.

Copyright © iTnews.com.au . All rights reserved.