Researchers have discovered a new DDoS botnet capable of launching attacks with data volumes reaching several Tbps.
Akamai said the malware was christened “Hinata” by its author after a character from the Naruto anime series. The security vendor found evidence of “HinataBot” in its HTTP and SSH honeypots and said it is being actively updated by its authors.
While previous versions launched DDoS flooding attacks over multiple protocols, the newest HinataBot iteration uses just HTTP and UDP flooding techniques.
The actors behind HinataBot originally distributed Mirai binaries, and there are multiple nods to the notorious open source botnet in this new Go-based effort, Akamai said.
“HinataBot is the newest in the ever-growing list of emerging Go-based threats that includes botnets such as GoBruteForcer and the recently discovered (by SIRT) kmsdbot,” it explained.
“Go has been leveraged by attackers to reap the benefits of its high performance, ease of multi-threading, its multiple architecture and operating system cross-compilation support, but also likely because it adds complexity when compiled, increasing the difficulty of reverse engineering the resulting binaries.”
The vendor claimed that, while packet size for HTTP ranged between 484 and 589 bytes, UDP packets were notably larger at 65,549 bytes.
Akamai created its own command-and-control (C2) infrastructure and ran simulated attacks.
“Using our 10-second sample sets and a theorized size of the botnet, we can begin estimating attack sizing,” it said.
“If the botnet contained just 1000 nodes, the resulting UDP flood would weigh in at around 336 Gbps per second. With 10,000 nodes (roughly 6.9% of the size of Mirai at its peak), the UDP flood would weigh in at more than 3.3 Tbps. The HTTP flood at 1000 nodes would generate roughly 2.7 Gbps and more than 2 Mrps. With 10,000 nodes, those numbers jump to 27 Gbps delivering 20.4 Mrps.”
The botnet grows by finding and exploiting old vulnerabilities and brute-forcing weak passwords, reinforcing the need for organizations to build cyber-hygiene into their security strategies.