Mirai-based DDoS botnets have lost the exclusivity on high output DDoS attacks, according to DDoS mitigation firm Imperva, who says that it mitigated a DDoS attack of over 650 Gbps and over 150 million packets per seconds (Mpps) on December 21.

The attack came in two different waves, both which attacked Imperva's network after the attacker was unable to determine the target's real IP address, which had been hidden behind the company's mesh of proxy servers.

The first wave, as seen in the graphs below, peaked at 400 Gbps and lasted only 20 minutes. Seeing that the first flood barely made a dent, the attacker came back five minutes later with a larger DDoS cannon that thrusted more than 650 Gbps of junk traffic at the Imperva network.

DDoS attack peaking at 650 Gbps
DDoS attack peaking at 650 Gbps [Source: Imperva]
DDoS attack reaching over 150 Mpps
DDoS attack reaching over 150 Mpps [Source: Imperva]

This second attack lasted only 17 minutes, as the attacker realized it couldn't bring down its target. Compared to the attacks on OVH, KrebsOnSecurity, and Dyn, which lasted days, this was insignificant.

Attack came from a never-before-seen botnet

What was noteworthy about this attack was the botnet that launched it. Until now, attacks of this magnitude have been launched only from botnets built with the Mirai malware that infects and hijacks smart IoT devices.

This attack was different because it didn't come from a Mirai botnet. In fact, after an analysis of some of the DDoS junk traffic, Imperva researchers say that only 0.01% of all packets showed similarities to Mirai attacks. Researchers labeled this similarity as accidental.

The Imperva crew named this unknown botnet as Leet because various TCP options in the junk traffic packets were arranged in such a way to spell out "1337," which stands for "elite" in L33t speak.

Differences from Mirai botnets

Furthermore, researchers found three main differences in the way the botnets operated.

First and foremost, the Mirai malware and its botnets aren't built and don't feature the technical capabilities to launch large SYN attacks, as this attack was.

Second, junk traffic packets sent out by Mirai botnets are all hardcoded with several TCP options that were not present in the packets observed in this attack.

Third and last, the content of each junk traffic packet sent out during a Mirai DDoS attack is made up of random-generated strings. For this attack, the Leet botnet had taken content from actual system files, embedded the content in the DDoS attack's TCP packets, and sent it out towards Imperva's network.

All these clues point to the existence of a new botnet, rather than a heavily modified Mirai version.

While the origin of the Leet botnet can't be attributed to infected IoT devices, it's worth mentioning that until now, no botnet of desktop computers has been ever able to achieve such high output values for DDoS attacks. Attacks of 500 Gbps and more have been solely in the realm of IoT botnets.