Meet the Leet DDoS Botnet, Just as Powerful as Mirai

The Leet botnet was recently used in a 650 Gbps attack on Imperva’s Incapsula network.

Security researchers at Imperva describe the Leet botnet as more powerful than its counterpart, Mirai. Leet now holds the title of the most powerful DDoS (distributed denial of service) attack of 2016, with a peak of 650 Gbps (gigabits per second) observed recently on the Imperva network. The attack launched through Leet against Imperva generated this overwhelming volume of traffic and so took from Mirai the title of the most powerful DDoS attack.

According to Imperva’s researchers, a huge DDoS attack was identified on December 21st, which they describe as the largest such attack ever. It rivaled the attack on KrebsOnSecurity in September 2016, which ranged between 620 and 665 Gbps.


The researchers noted that “So far, all of the huge DDoS attacks in 2016 were associated with Mirai malware. However, the payload characteristics clearly show that neither Mirai nor one of its more recent variants were used for this assault.”

The Imperva Incapsula network identified the attacks because the attackers first targeted several of the company’s customers and, after that attempt failed, turned on Imperva itself. Two attacks were launched on the company; the first burst occurred on December 21 at around 10:55 a.m., lasted for 20 minutes and peaked at 400 Gbps.

The researchers explained that when attackers couldn’t cause a dent with the first attack, they “regrouped and came back for a second round. This time enough botnet “muscle” to generate a 650 Gbps DDoS flood of more than 150 million packets per second (Mpps).”


Imperva provides cyber security software and services that protect companies’ sensitive data and applications from both external attacks and internal threats.

Much to the attackers’ dismay, the company’s website was largely unaffected by the attacks, and the attackers did not reach the customers’ data. According to Imperva’s researchers, the attack on Imperva itself was most probably the result of the attackers “not being able to resolve the IP address of his actual victim, which was masked by Incapsula proxies.”

“Basically, the entire attack was just a mishmash of pulverized system files from thousands upon thousands of compromised devices,” researchers explained in their post.

The company could not identify the real IP addresses or the types of devices used to launch the attack, because the attackers spoofed source IP addresses to avoid detection. It was clear, however, that thousands of infected devices were used as a botnet for the attacks, and the only clue the attacker left behind was a “1337” signature in the TCP header.


Payload analysis also showed that the attack used two distinct SYN payloads: regular-sized packets of between 44 and 60 bytes, and abnormally large packets of between 799 and 936 bytes. The smaller packets were used to achieve high packet rates (Mpps), while the larger ones were used to push the attack’s bandwidth up to 650 Gbps.

The use of SYN packets shows that Leet and Mirai are quite different from each other: Mirai is not designed to conduct large-scale SYN attacks and uses hard-coded TCP options, including MSS, SACK, TSVAL and WSS. Additionally, Mirai payloads are generated from random strings, whereas the Leet payloads were built from the contents of system files on the compromised devices.
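To make the payload characteristics above concrete from a defender’s side, here is an added example (not code from the article or from Imperva) that triages raw IPv4/TCP packets from a capture: it keeps only bare SYNs, buckets them into the 44–60 and 799–936 byte ranges the article reports, decodes the TCP option kinds (MSS, WSS, SACK, TSVAL) so hard-coded option sets can be compared, and flags any SYN carrying a “1337” marker. Two things are assumptions of this example rather than facts from the article: the marker is searched for in the TCP options and payload because the article does not say where in the header it sat, and the byte ranges are treated as IP-layer lengths. The sample packets are constructed inline with RFC 5737 test addresses and zeroed checksums.

```python
import struct
from collections import Counter

# Observations reported in the article for the Leet SYN flood:
SMALL_RANGE = (44, 60)    # small SYNs used to push the packet rate (Mpps)
LARGE_RANGE = (799, 936)  # large SYNs used to push the bit rate (Gbps)
MARKER = b"1337"          # the "1337" signature; the article does not say where in
                          # the TCP header it sits, so scanning options and payload
                          # for it is an assumption of this example
TCP_SYN, TCP_ACK = 0x02, 0x10
# TCP option kinds the article says Mirai hard-codes (IANA kind numbers)
OPTION_NAMES = {2: "MSS", 3: "WSS", 4: "SACK", 8: "TSVAL"}
# Constructed option block carrying exactly that set: MSS, SACK-permitted,
# timestamps, NOP, window scale (20 bytes, so the TCP header stays 32-bit aligned)
MIRAI_LIKE_OPTIONS = (b"\x02\x04\x05\xb4" + b"\x04\x02"
                      + b"\x08\x0a" + b"\x00" * 8 + b"\x01" + b"\x03\x03\x07")

def parse_ipv4_tcp(pkt):
    """Split a raw IPv4 packet into (flags, options, payload); None if not TCP."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != 6:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    tcp = pkt[ihl:total_len]
    if len(tcp) < 20:
        return None
    data_off = (tcp[12] >> 4) * 4
    return tcp[13], tcp[20:data_off], tcp[data_off:]

def tcp_option_kinds(options):
    """Walk the TCP option TLVs and return the option kinds present, in order."""
    kinds, i = [], 0
    while i < len(options):
        kind = options[i]
        if kind == 0:            # End of option list
            break
        if kind == 1:            # NOP is a single byte with no length field
            i += 1
            continue
        if i + 1 >= len(options) or options[i + 1] < 2:
            break                # malformed length: stop rather than loop forever
        kinds.append(OPTION_NAMES.get(kind, str(kind)))
        i += options[i + 1]
    return kinds

def classify(pkt):
    """Label one packet; None means it is not a bare SYN and is ignored here."""
    parsed = parse_ipv4_tcp(pkt)
    if parsed is None:
        return None
    flags, options, payload = parsed
    if not flags & TCP_SYN or flags & TCP_ACK:
        return None
    if MARKER in options or MARKER in payload:
        return "marked_syn"
    size = len(pkt)  # IP-layer length; treating the article's byte ranges as
                     # IP-layer sizes is an assumption of this example
    if SMALL_RANGE[0] <= size <= SMALL_RANGE[1]:
        return "small_syn"
    if LARGE_RANGE[0] <= size <= LARGE_RANGE[1]:
        return "large_syn"
    return "other_syn"

def summarize(packets):
    """Count labels across a capture; anything that is not a bare SYN is 'ignored'."""
    counts = Counter()
    for pkt in packets:
        counts[classify(pkt) or "ignored"] += 1
    return dict(counts)

# ---- constructed sample traffic (not capture data; checksums left at zero) ----
def build_packet(proto, options=b"", payload=b"", flags=TCP_SYN):
    src, dst = bytes([203, 0, 113, 10]), bytes([198, 51, 100, 5])  # RFC 5737 addresses
    if proto == 17:  # minimal UDP datagram, used only as a non-TCP control case
        udp = struct.pack("!HHHH", 40000, 53, 8 + len(payload), 0) + payload
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0, src, dst)
        return ip + udp
    tcp_len = 20 + len(options)
    assert tcp_len % 4 == 0, "options must be padded to 32-bit words"
    ip_total = 20 + tcp_len + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_total, 0, 0, 64, 6, 0, src, dst)
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, (tcp_len // 4) << 4, flags, 65535, 0, 0)
    return ip + tcp + options + payload

SAMPLE = [
    build_packet(6, options=b"\x02\x04\x05\xb4"),          # 44 B ordinary SYN with MSS
    build_packet(6, options=MIRAI_LIKE_OPTIONS),           # 60 B SYN with the Mirai option set
    build_packet(6, payload=b"A" * 800),                   # 840 B padded SYN
    build_packet(6, options=MARKER),                       # 44 B, marker in options
    build_packet(6, options=MARKER, payload=b"B" * 780),   # 824 B, marker plus padding
    build_packet(6, payload=b"C" * 100),                   # 140 B, outside both ranges
    build_packet(6, flags=TCP_SYN | TCP_ACK),              # SYN-ACK, ignored
    build_packet(17, payload=b"\x00" * 4),                 # UDP, ignored
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Note that an ordinary 44-byte SYN with only an MSS option lands in the same small bucket as the attack’s small packets, so packet size on its own is not a signature; what separates a flood from normal traffic is the rate per destination, the abnormally large SYNs (a SYN should carry no data), the spoofed and non-repeating sources, and a marker like “1337” that a legitimate stack would never emit. The option decoder is what lets an analyst compare a suspect stream’s option set against the fixed MSS/SACK/TSVAL/WSS set the article attributes to Mirai.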

The year 2016 has indeed been one of the most disturbing years for DDoS, both in the number of attacks launched and in the exceedingly high traffic volumes they reached. Just as the year was about to end, news arrived of the Leet botnet, which is even more powerful and dangerous than Mirai.



Written by Waqas

Waqas Amir is a Milan-based cybersecurity journalist with a passion for covering the latest happenings in the cyber security and tech world. In addition to being the founder of this website, Waqas is also into gaming, reading and investigative journalism.