Dyn, Liberia DDoS Attacks Were Just Test Runs

The Mirai-fueled DDoS attacks that took the entire country of Liberia offline last week are waning—but researchers say the offensive was merely a test run for something much bigger.  

Mirai’s source code is open, so any bad actor out there can download it and get to work. This has led to a range of attackers with varying ability levels carrying out attacks. One particular group, operating what MalwareTech.com dubbed Botnet 14, has taken on significantly bigger targets than most of the Mirai dabblers out there.

“Many of the botnets are simply attacking Minecraft servers and doing technically terrible attacks on websites, e.g. a Farming Simulator game mod site,” said independent researcher Kevin Beaumont, in a posting. In contrast, “it is clear [Botnet 14 is] extremely successful at attacking things… it is the largest of the Mirai botnets and the domain controlling it pre-dates the attacks on Dyn. The capacity makes it one of the biggest DDoS botnets ever seen. Given the volume of traffic, it appears to be owned by the actor which attacked Dyn.”

Transit providers have confirmed that over 500Gbps of traffic is typically output during attacks, which last a short period but can be enormously crippling.

In Liberia, continued short-duration attacks on its infrastructure overwhelmed the African nation’s single internet cable, with various websites hosted in the country going offline and telcos reporting widespread outages for internet access.

Botnet 14 also tweets, after a fashion, thanks to monitoring from MalwareTech.com. MalwareTech.com’s @MiraiAttacks handle publishes the botnet’s attack commands as messages that say things like “DNS Flood for 1 seconds,” followed by the name of the target.

Beaumont himself was live-tweeting about Botnet 14’s activity, and an ominous, creepy message came through: “DNS Flood for 1 seconds…kevin.lies.in.fear.”

Beaumont believes that the actors behind Botnet 14, which he calls Shadows Kill, are merely probing around, ahead of larger attacks, possibly against another nation-state.

“The attacks are extremely worrying because they suggest a Mirai operator who has enough capacity to seriously impact systems in a nation-state,” he said. “Monitoring is continuing of the botnet, but so far it appears they are testing denial of service techniques.”
