US college hit by 54-hour Mirai DDoS attack

New Mirai variant unleashed a 30,000 RPS storm higher education institution

A university in the US was hit by a 54-hour, non-stop DDoS attack at the end of last month, apparently caused by a Mirai-powered botnet.

News of the attack comes from data and application security firm Imperva, which counts the targeted college as a customer. According to a blog post by Dima Bekerman, a security researcher at Imperva, the attack started in the early hours of the morning on 28 February, with the average traffic flow clocking in at over 30,000 requests per second (RPS), although a peak of about 37,000 RPS was seen. Over the course of the attack, more than 2.8 billion requests were generated.

"Based on a number of signature factors, including header order, header values and traffic sources, our client classification system immediately identified that the attack emerged from a Mirai-powered botnet," said Bekerman.

"Our research showed that the pool of attacking devices included those commonly used by Mirai, including CCTV cameras, DVRs and routers. While we don't know for sure, open telnet (23) ports and TR-069 (7547) ports on these devices might indicate that they were exploited by known vulnerabilities."

Upon further investigation, Bekerman and his colleagues found 56% of the IPs used in the attack belonged to DVRs manufactured by a single vendor, which has now been contacted by Imperva.

Neither the name of the college involved, nor the DVR maker have been revealed.

Bekerman said there are several things that set this attack apart from others using Mirai.

The first is that the DDoS bots used in the attack "were hiding behind different user-agents than the five hardcoded in the default Mirai version".

"This and the size of the attack itself led us to believe that we might be dealing with a new variant, which was modified to launch more elaborate application layer attacks," said Bekerman.

The second is the sheer length of the onslaught.

"With over 90% of all application layer assaults lasting under six hours, an attack of this duration stands in a league of its own," he said.

Featured Resources

Security analytics for your multi-cloud deployments

IBM Security QRadar SIEM solution brief

Download now

Five reasons to move to the cloud

Join the enterprises moving their workloads to the cloud

Download now

Architecting hybrid IT and edge for digital advantage

Why business leaders should consider a hybrid IT strategy

Download now

Six reasons to accelerate remote asset monitoring with AI

How to optimise resources, increase productivity, and grow profit margins with AI

Download now

Recommended

Lazarus APT hacking group is targeting the defense industry
Security

Lazarus APT hacking group is targeting the defense industry

26 Feb 2021
Microsoft open sources CodeQL queries used in Solorigate inquiry
Security

Microsoft open sources CodeQL queries used in Solorigate inquiry

26 Feb 2021
CISA warns of ongoing Accellion File Transfer Appliance attacks
hacking

CISA warns of ongoing Accellion File Transfer Appliance attacks

25 Feb 2021
What is a Trojan?
Security

What is a Trojan?

25 Feb 2021

Most Popular

How to build a CMS with React and Google Sheets
content management system (CMS)

How to build a CMS with React and Google Sheets

24 Feb 2021
Npower shuts down app after hackers steal user data
hacking

Npower shuts down app after hackers steal user data

25 Feb 2021
New monitors for an agile new normal
Sponsored

New monitors for an agile new normal

19 Feb 2021