DDoS

Since November 23, an unidentified group has been using a massive botnet to launch large DDoS attacks on a daily basis, targeting a small number of targets concentrated on the US west coast.

According to Cloudflare, a company that among other things provides DDoS mitigation services, the attacks aren't linked to a variant of the Mirai malware that was used in recent months to create massive botnets and launch similar DDoS attacks.

Furthermore, the attacks aren't just big, but massive. Cloudflare says that attacks have peaked at 400 Gbps and higher on a daily basis.

According to Cloudflare's John Graham-Cumming, the attacks are Layer 3 and Layer 4 (OSI Model) floods sent via TCP.

What's even more interesting is that these attacks follow the same pattern every day, commencing at the same hours and lasting for 8-8.5 hours, like someone working at a desk job.

The DDoS attacks started at around 18:00 UTC and ended at 03:00 UTC, consistent with day timezones in the Americas.

[Figure: Daily DDoS attacks detected in the past 10 days (via Cloudflare)]

Recently, the pattern broke, but in a bad way. Instead of 8-hour-long DDoS attacks, the floods of junk traffic now run for 24 hours straight, around the clock.
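As an added illustration, not code from the article or from Cloudflare, the script below turns hourly inbound-traffic readings into flood windows and flags any window that outlasts the roughly 8.5-hour daily pattern described above. The readings, dates and the 100 Gbps threshold are constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed sample data: hourly inbound traffic (Gbps) seen at an edge.
# The two attack ranges mimic the article's pattern: an 18:00-02:00 UTC
# window one day, then a flood that keeps running through the next day.
ATTACK_RANGES = [
    (datetime(2016, 11, 30, 18), datetime(2016, 12, 1, 2)),   # 8 h window
    (datetime(2016, 12, 1, 18), datetime(2016, 12, 3, 0)),    # 30 h, pattern broken
]

def constructed_samples(start=datetime(2016, 11, 30), hours=72):
    """Return (timestamp, gbps) pairs; baseline 20 Gbps, floods 320-400 Gbps."""
    samples = []
    for h in range(hours):
        ts = start + timedelta(hours=h)
        gbps = 20.0
        for begin, end in ATTACK_RANGES:
            if begin <= ts < end:
                gbps = 400.0 if ts.hour == 21 else 320.0
        samples.append((ts, gbps))
    return samples

def flood_windows(samples, threshold_gbps=100.0, interval_hours=1.0):
    """Group consecutive above-threshold samples into windows (start, end, peak, hours)."""
    # Grouping is done on timestamps, so a flood that starts at 18:00 UTC and
    # ends after midnight is reported as one window, not one per calendar day.
    windows, current = [], None
    for ts, gbps in samples:
        if gbps >= threshold_gbps:
            if current is None:
                current = {"start": ts, "end": ts, "peak_gbps": gbps}
            else:
                current["end"] = ts
                current["peak_gbps"] = max(current["peak_gbps"], gbps)
        elif current is not None:
            windows.append(current)
            current = None
    if current is not None:
        windows.append(current)
    for w in windows:
        span = (w["end"] - w["start"]).total_seconds() / 3600
        w["hours"] = span + interval_hours   # the last sample covers one full interval
    return windows

def longer_than_usual(windows, usual_hours=8.5):
    """Windows that outlast the daily pattern, i.e. the 'around the clock' case."""
    return [w for w in windows if w["hours"] > usual_hours]
```

Running `flood_windows(constructed_samples())` yields two windows, an 8-hour one starting at 18:00 UTC and a 30-hour one, and `longer_than_usual` returns only the second.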

Currently, the make-up of this botnet is unknown, but all bets are on IoT devices, which are much easier to corral and enslave in DDoS botnets.

This past week, a botnet created with the Mirai IoT malware has created havoc in Germany and the UK, where it led to prolonged downtimes for customers of ISPs that used a particular set of routers that shared the same vulnerability.