A newer and more potent version of Mirai malware was used last month to pummel an unnamed U.S. college with a 54-hour long distributed denial of service (DDoS) attack.
The attack began on February 28 and peaked at 37,000 requests per second (RPS) averaging 30,000 rps for a total of 2.8 billion requests during the period the attack took place, said Imperva Incapsula, whose customer was the unnamed target. The attackers harnessed the power of thousands of CCTV cameras, DVRs and routers possibly using an open telnet (23) ports and TR-069 (7547) ports.
The majority of devices used were in the United States,18.4 percent, with Israel and Taiwan supplying another 10 percent each.
Imperva believes follow up attacks may take place by the same attacker.
Earlier versions of Mirai were responsible for attacks last fall that took down the Dyn DNS service and security researcher Brian Krebs' KrebsonSecurity website.
“Given the success of those attacks, along with the public availability of the Mirai source code, it was clearly only a matter of time before botnet herders began experimenting with new versions of the malware,” Imperva researcher Dima Berkman wrote.
Imperva spotted several differences with the latest attack that leads its researchers to believe it has been upgraded. In this case, the DDoS bots used in the attack hid behind different user agents, up to 30, that the five found hardcoded in the original code along with the size would indicate this is a new variant.
Another differentiating factor is this was an application layer attack, unlike the network layer attacks that took place earlier.
“That said, with over 90 percent of all application layer assaults lasting under six hours, an attack of this duration stands in a league of its own,” Birkman said.