Geographical distribution of Mirai bots in recent DDoS attack
Geographical distribution of Mirai bots in recent DDoS attack (via Incapsula)

What appears to be a new version of the Mirai malware was behind a massive DDoS attack that targeted an unnamed US college and lasted for 54 hours straight, reports cyber-security firm Incapsula, who was providing DDoS mitigation service for the affected college.

The attack started on February 28 and was a "Layer 7" attack, which focused on exhausting server resources, rather than clogging the college's bandwidth with junk traffic.

Incapsula says the attack, which lasted well over two days, blasted 30,000 RPS (requests per second) at their target, with a peak value of 37,000 RPS.

Overall, the attack remained at steady levels, without peaks and dips in activity, as the below chart shows. Incapsula also reports that one day after the first 54-hour-long DDoS ended, attackers tried again, but this time around the attack only averaged 15,000 RPS and they gave up only after 90 minutes.

DDoS attack - requests per second
DDoS attack - requests per second (via Incapsula)

After analyzing the DDoS traffic logs, Incapsula says the attacker used mostly CCTV cameras, DVRs, and routers to launch his attack, which is consistent with the typical devices the Mirai malware is capable of infecting.

New Mirai bot version spotted

The Mirai DDoS bot was developed at the end of 2015 but became known only in the summer of 2016. The malware became famous when various groups used it to attack the blog of security researcher Brian Krebs, French ISP OVH, and managed DNS service Dyn.

The attacks were massive in nature, and the Dyn incident caused around a quarter of the Internet's sites to go down.

Mirai's author, trying to avoid bringing too much attention to himself, released the malware's source code online after the first attacks on KrebsOnSecurity. Attacks on OVH, Dyn, and other targets were attributed to different botnets built with slightly modified Mirai versions, built from this publicly leaked source code.

One of the many malware developers who used this source code managed to assemble a massive botnet of over 400,000 Mirai bots. This botnet caused great disturbances for various ISPs in Germany and the UK after the malware coder tried to hijack some of their routers, to add to his botnet. UK police arrested a suspect in this incident.

Since his arrest, the number of Mirai botnets and bots has been steadily going down, as security firms have been aggressively taking down botnet C&C servers.

Incapusla experts believe the Mirai botnet responsible for this recent DDoS attack is a new version of the Mirai malware. Previously, researchers from Dr.Web and Kaspersky Lab spotted another new Mirai variant that could use Windows devices as intermediaries before spreading to IoT equipment, its natural targets.

Next week, on April 6, McAfee will release a report on the inner workings of Mirai botnets, based on data acquired from various honeypots.