Pierluigi Paganini July 26, 2019

Researchers at Imperva revealed that an undisclosed streaming service was hit by a massive DDoS attack that stopped it for 13 days.

An undisclosed streaming service was hit by a 13‑day DDoS massive attack powered by a Mirai botnet composed of 402,000 IoT devices.

Imperva confirmed that its systems were able to repel the attack and the service remained up and running during the DDoS attack.

“Targeting the authentication component of your site, this DDoS attack was led by a coordinating 402,000 different IPs, lasted 13 days and directed a peak flow of 292,000 RPS (Requests Per Second). Such a massive attack is more than possible — one of our CDN customers in the entertainment industry was hit by one earlier this spring.” reads the blog post published by Imperva.

According to Imperva, it was the largest Layer 7 DDoS attack it has ever seen.

The attack occurred between April and early May, it was an application layer DDoS attack that generated more than 100,000 HTTP requests per second (RPS), peaking at 292,000 RPS. The attackers used a legitimate User-Agent widely used by the entertainment industry customer service application, to mask their attack.

The attackers attempted to saturate the authentication component of the streaming site.

Experts noticed that most of the IPs that were involved in the attack had the same opened ports: 2000 and 7547. These ports are usually associated with Mirai infections. Researchers also revealed that the attack originated mainly from Brazil.

Experts explained that Layer 7 DDoS attacks are harder to counter bacause the malicious traffic mimicks legitimate one.

You need a 3rd party vendor that can handle both Application Layer 7 DDoS attacks and Network Layer 3/4 DDoS attacks.

“However, a botnet with 400,000 IPs can perform a “slow and low” attack: each IP tries a few logins,  goes inactive, and then tries a few more. In such a technique, the access rate is very low, mimicking legitimate login attempts, and staying under rate limit policies.  You can protect yourself, your business and your reputation by using the Account Takeover Protection capability of Imperva’s Application Security stack. Stay safe!” concludes Imperva.

Pierluigi Paganini

(SecurityAffairs – DDoS, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]