Security experts at Imperva are describing the Leet botnet as more powerful than its counterpart, Mirai. Leet is being credited with the most powerful DDoS (distributed denial of service) attack of 2016, a flood peaking at 650 Gbps (gigabits per second) that was recently observed on Imperva's network. The attack launched through Leet against Imperva generated this overwhelming traffic and thereby took from Mirai the title of most powerful DDoS attack.
According to Imperva researchers, a huge DDoS attack was identified on December 21st, the largest such attack seen to date. This incident rivaled the one on KrebsOnSecurity in September 2016, which ranged between 620 and 665 Gbps.
The researchers noted that “So far, all of the huge DDoS attacks in 2016 were associated with Mirai malware. However, the payload characteristics clearly show that neither Mirai nor one of its more recent variants were used for this assault.”
Imperva's Incapsula network identified the attacks: the attackers first targeted several of the company's customers and, after that attempt failed, turned on Imperva itself. Two attacks were launched on the company; the first burst began on December 21 at around 10:55 a.m., lasted about 20 minutes and peaked at 400 Gbps.
The researchers explained that when the attackers couldn't make a dent with the first attack, they "regrouped and came back for a second round. This time enough botnet 'muscle' to generate a 650 Gbps DDoS flood of more than 150 million packets per second (Mpps)."
Remember, Imperva provides cyber security software and services that protect companies' sensitive data and applications from both external attacks and insider threats.
Much to the attackers' dismay, the company's website was barely affected by the attacks, and the attackers failed to penetrate the customers' database. According to Imperva's researchers, the attack on the company itself was most probably the result of the attackers "not being able to resolve the IP address of his actual victim, which was masked by Incapsula proxies."
“Basically, the entire attack was just a mishmash of pulverized system files from thousands upon thousands of compromised devices,” researchers explained in their post.
The company could not identify the source IP addresses or the types of devices used to launch the attack, because the attackers used spoofed IP addresses to remain undetected. It was clear, however, that thousands of infected devices formed the botnet behind the attacks, and the only clue the attacker left was a "1337" signature in the TCP header.
Payload analysis also showed that the attack used two distinct SYN payload sizes: packets of 44 to 60 bytes, and much larger packets of 799 to 936 bytes. The smaller packets were used to reach higher packet rates (Mpps), while the larger ones were used to push the attack's volume up to 650 Gbps.
The use of SYN packets shows that Leet and Mirai are quite different: Mirai isn't designed to conduct large-scale SYN attacks and uses hard-coded TCP options, including MSS, SACK, TSVAL and WSS. Additionally, Mirai payloads are generated from random strings.
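To turn those traits into something a responder can check against a packet capture, the following added example (not code from the article or from Imperva) parses raw IPv4/TCP datagrams and tallies bare SYNs, the "1337" marker, the two payload-size bands, and distinct (possibly spoofed) source addresses. The sample packets are constructed inline by build_syn; the assumption that the marker sits in the TCP options field, and all function and field names, are mine.

```python
import struct

# Traits the article reports for the Leet SYN flood.
SMALL_BAND = (44, 60)     # payload bytes; small packets push the Mpps rate
LARGE_BAND = (799, 936)   # payload bytes; large packets push the Gbps volume
MARKER = b"1337"          # signature the attacker left in the TCP header

def build_syn(src_ip: str, options: bytes, payload: bytes) -> bytes:
    """Construct a minimal IPv4+TCP SYN datagram (sample input only, no checksums)."""
    options += b"\x00" * (-len(options) % 4)           # pad options to 32-bit words
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0,
                      (5 + len(options) // 4) << 4, 0x02, 65535, 0, 0)
    tcp += options + payload
    src = bytes(int(o) for o in src_ip.split("."))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     src, bytes([10, 0, 0, 1]))
    return ip + tcp

def triage(frame: bytes) -> dict:
    """Parse one raw IPv4+TCP datagram and label the Leet traits it carries."""
    ihl = (frame[0] & 0x0F) * 4
    tcp = frame[ihl:]
    data_off, flags = (tcp[12] >> 4) * 4, tcp[13]
    options, payload = tcp[20:data_off], tcp[data_off:]
    n = len(payload)
    band = ("small" if SMALL_BAND[0] <= n <= SMALL_BAND[1] else
            "large" if LARGE_BAND[0] <= n <= LARGE_BAND[1] else "other")
    return {
        "src": ".".join(str(b) for b in frame[12:16]),
        "bare_syn": bool(flags & 0x02) and not flags & 0x10,   # SYN set, ACK clear
        "marker": MARKER in options,   # assumption: the marker sits in the options field
        "band": band,
        "payload_len": n,
    }

def flood_summary(frames) -> dict:
    """Roll per-packet triage up into the counts an analyst would report for a capture."""
    out = {"bare_syn": 0, "marker": 0, "small": 0, "large": 0, "other": 0, "sources": set()}
    for frame in frames:
        t = triage(frame)
        out["bare_syn"] += t["bare_syn"]
        out["marker"] += t["marker"]
        out[t["band"]] += 1
        out["sources"].add(t["src"])     # spoofed sources inflate this count
    out["sources"] = len(out["sources"])
    return out
```

The second constructed packet carries a real MSS option (kind 2, length 4, value 1460) of the hard-coded kind the article attributes to Mirai, so the two samples land in different buckets.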
The year 2016 has been one of the most disturbing years in terms of both the sheer number of DDoS attacks launched and the exceedingly high traffic volumes those floods reached. Just as the year was about to end, news arrived of the emergence of the Leet botnet, which is even more powerful and dangerous than Mirai.