The Leet Botnet powered a 650 Gbps DDoS attack before Christmas

Just before Christmas a massive DDoS attack powered by a new botnet dubbed Leet Botnet hit the network of the firm Imperva.

Security experts from the firm Imperva observed a massive attack against the company network on the morning of Dec. 21. The massive DDoS attack reached 650 Gbps, according to the researchers it was powered by the Leet Botnet and targeted several anycasted IPs on the Imperva Incapsula network.

The attack was launched once again by thousands of compromised IoT devices.

The attack didn’t target a specific customer of the company, likely because hackers were not being able to resolve the IP address of the victim that was hidden by the Incapsula mitigation proxies.

“It’s hard to say why this attack didn’t focus on a specific customer. Most likely, it was the result of the offender not being able to resolve the IP address of his actual victim, which was masked by Incapsula proxies.” reads the analysis published by Imperva.

Experts observed two distinct DDoS burst, the first one lasted 20 minutes and peaked at 400 Gbps, while the second burst lasted around 17 minutes and reached 650 Gbps.

“The first DDoS burst lasted roughly 20 minutes, peaking at 400 Gbps. Failing to make a dent, the offender regrouped and came back for a second round. This time enough botnet “muscle” to generate a 650 Gbps DDoS flood of more than 150 million packets per second (Mpps).” continues the analysis.

Both attacks failed. The experts were not able to track the real source of the attacks because hackers used spoofed IPs.

The analysis of the content of the packets composing the malicious traffic revealed that the attack was powered by Leet botnet, so called due to a ‘signature’ within the packets.

“The first thing we noticed was that the offender left a “signature” of sorts in some of the regular-sized SYN packets. In the TCP Options header of these packets, the values were arranged so they would spell “1337”. To the uninitiated, this is leetspeak for “leet”, or “elite”.” states Imperva.

Experts also noticed that the large content of the SYN payloads (799 to 936 bytes) that were populated by seemingly random strings of characters, others contained shredded lists of IP addresses.

“It seems that the malware we faced was programmed to access local files (e.g., access logs and iptable lists) and scramble their content to generate its payloads.”

Not only Mirai botnet, threat landscape as a new actor, the Leet botnet that can be equally dangerous.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Leet botnet, DDoS)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.