Slashdot Mirror


Bigger Than Mirai: Leet Botnet Delivers 650 Gbps DDoS Attack (betanews.com)

Reader Mark Wilson writes: Earlier in the year, a huge DDoS attack was launched on Krebs on Security. Analysis showed that the attack pelted servers with 620 Gbps, and there were fears that the release of the Mirai source code used to launch the assault would lead to a rise in large-scale DDoS attacks. Welcome Leet Botnet. In the run-up to Christmas, security firm Imperva managed to fend off a 650 Gbps DDoS attack. But this was nothing to do with Mirai; it is a completely new form of malware, but is described as "just as powerful as the most dangerous one to date". The concern for 2017 is that "it's about to get a lot worse". Clearly proud of the work put into the malware, the creator or creators saw fit to sign it. Analysis of the attack showed that the TCP Options header of the SYN packets used spelled out l33t, hence the Leet Botnet name.

74 comments

  1. Leet? by Anonymous Coward · · Score: 0

    Now that's a term I haven't heard in a long time...

    1. Re: Leet? by Anonymous Coward · · Score: 0

      Probably about as long as it's been since you saw one going by how childish your comment is...

    2. Re: Leet? by Anonymous Coward · · Score: 0

      I don't know about you geeks but I get pussy all the time. Stop by my place if you want some.

      http://felinerescue.org/

    3. Re: Leet? by Anonymous Coward · · Score: 0

      My mom is dead, so more power to ya'.

    4. Re:Leet? by Joce640k · · Score: 1

      Now that's a term I haven't heard in a long time...

      It's almost as if you didn't read to the end of the article summary before posting that...

      --
      No sig today...
    5. Re: Leet? by Anonymous Coward · · Score: 0

      My car goes faster than that

    6. Re: Leet? by Anonymous Coward · · Score: 0

      Pussy is pussy man!

    7. Re:Leet? by cant_get_a_good_nick · · Score: 1

      I know this is a troll (and i'll take any downvotes) but one of my fave movie lines...

      Ain't had pussy since pussy had you....

  2. l33t?!?! 1990 called by Anonymous Coward · · Score: 0

    I guess you have to put something in the header, but damn that's trite.

  3. Internet of shit strikes again! by Desler · · Score: 5, Insightful

    Should rename these from IoT devices to Internet of DDoS devices.

    1. Re:Internet of shit strikes again! by Anonymous Coward · · Score: 1

      The name in the subject was better. IoS Internet of Shit devices.

    2. Re:Internet of shit strikes again! by Anonymous Coward · · Score: 0
    3. Re:Internet of shit strikes again! by sg_oneill · · Score: 2

      The internet is really trashing its own reputation with this guff. I'm pretty interested in an internet camera system for my house (Live inner city, it gets pretty crazy in my hood) BUT If its just going to make me a sitting duck for s'kiddies building ddos nets, well no, I think i'll hold off.

      --
      Excuse the Unicode crap in my posts. That's an apostrophe, and slashdot is busted.
    4. Re:Internet of shit strikes again! by cant_get_a_good_nick · · Score: 1

      Internet of Never updated, Easily Pwn3d Things,

      I.N.E.P.T?

    5. Re:Internet of shit strikes again! by Anomalyst · · Score: 1

      Internet of Never updated, Easily Pwn3d Things,

      I.N.E.P.T?

      this should be your signature

      --
      There is no right to feel safe thru security vaudeville at the expense of everyone's freedom, privacy and tax money.
  4. don't protect the targets. cut off the sources. by Anonymous Coward · · Score: 0

When will we finally learn to just cut internet connections that participate in botnet attacks? Yes, I realize that takes time and therefore hardly helps the target currently under attack. It is not a short-term solution. It is a medium-term solution and it is all you need. This simple rule + the free market combined will solve the problem rather quickly.

    1. Re:don't protect the targets. cut off the sources. by SciFurz · · Score: 1

When will we finally learn to just cut internet connections that participate in botnet attacks?

      When manufacturers learn not to cut corners on the security or upgrade options of these IoT devices, a.k.a. never.

      --
      Write and/or read. https://scifurz.wordpress.com/
    2. Re:don't protect the targets. cut off the sources. by Archangel+Michael · · Score: 2

      Manufacturers won't learn anything until it hits them in the pocketbook. And since the IoT devices are a dime a dozen, made by thousands of different fly by night operations in China, that is highly unlikely. Cutting corners is how they make a $24.99 device that does something that eliminates you walking across the room to do.

      --
      Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
    3. Re:don't protect the targets. cut off the sources. by jon3k · · Score: 1

      https://www.incapsula.com/blog...

      Both attack bursts originated from spoofed IPs, making it impossible to trace the botnet's actual geo-location or learn anything about the nature of the attacking devices.

  5. No way to cut the problem at the root? by TheDarkMaster · · Score: 1

    I know I might be being naive, but there is no way to solve the problem at the root, such as cutting the connection of devices that begin to generate disproportionately traffic aimed at a single site (the target)?

    --
    Religion: The greatest weapon of mass destruction of all time
    1. Re:No way to cut the problem at the root? by houstonbofh · · Score: 2

      I know I might be being naive, but there is no way to solve the problem at the root, such as cutting the connection of devices that begin to generate disproportionately traffic aimed at a single site (the target)?

      Each source is just a small part of the whole generating traffic that looks "normal" for the most part. So a bit harder to automatically filter. But... Logs and tracking back, and using the existing RIAA procedures to warn and then disconnect those sources would be a good start.

    2. Re:No way to cut the problem at the root? by Desler · · Score: 0

      Do you not know how a DDoS works?

    3. Re:No way to cut the problem at the root? by Desler · · Score: 1

      Exactly. Especially when these IoT botnets are in the hundreds of thousands of devices. The amount of traffic per device is less than what is used simply streaming from Netflix.

    4. Re:No way to cut the problem at the root? by Anonymous Coward · · Score: 1

      The whole point of a ddos attack is that each bot is only sending small amounts of traffic such as to not alert the user or their ISP.

    5. Re:No way to cut the problem at the root? by TheDarkMaster · · Score: 2, Insightful

      I know very well, thank you. Enough to know that trying to filter at the target of the attacks is practically useless, which is why I am asking if there is any way that I do not know yet to solve the problem at the other end of the connection. And to avoid another dumb response from you, I already know that filtering at the source of the attacks is difficult; if it were easy I would not be asking for alternatives.

      --
      Religion: The greatest weapon of mass destruction of all time
    6. Re:No way to cut the problem at the root? by TheDarkMaster · · Score: 1

      I imagined something like that, but wouldn't this limit the effectiveness of the attack? 650 Gbps suggests a large number of machines generating a lot of traffic each; if they are using your suggestion this would mean an absurd number of bots involved to be possible.

      --
      Religion: The greatest weapon of mass destruction of all time
    7. Re:No way to cut the problem at the root? by TheDarkMaster · · Score: 0

      Oh boy... Yet another random asshole who thinks he's the greatest expert in the universe. Go talk to my hand, okay? I'm looking for alternatives to dealing with a problem that is known to be difficult and at the moment with no solution, I do not have time to deal with brats who do not understand this.

      --
      Religion: The greatest weapon of mass destruction of all time
    8. Re:No way to cut the problem at the root? by Anonymous Coward · · Score: 1

      Now we know what is in the header, couldn't the ISP reject these packets?
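One way an operator could check for the marker the summary describes, as an added Python example that is not from the article or any commenter; the sample segments are constructed here, not captured traffic, and the `l33t` marker is the value the summary reports:

```python
import struct

# Marker the summary reports in the TCP Options area of the attack's SYN packets.
SIGNATURE = b"l33t"
FLAG_SYN = 0x02
FLAG_ACK = 0x10


def parse_tcp_header(segment: bytes) -> dict:
    """Parse the fixed 20-byte TCP header; return fields plus the raw options bytes."""
    if len(segment) < 20:
        raise ValueError("segment shorter than the minimal TCP header")
    src, dst, seq, ack, off_flags, win, _csum, _urg = struct.unpack(
        "!HHIIHHHH", segment[:20])
    data_offset = (off_flags >> 12) * 4          # header length in bytes
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError("data offset points outside the segment")
    return {
        "src_port": src, "dst_port": dst, "seq": seq, "ack": ack,
        "flags": off_flags & 0x1FF,              # nine flag bits, NS included
        "window": win,
        "options": segment[20:data_offset],
        "payload": segment[data_offset:],
    }


def walk_options(options: bytes):
    """Decode options as kind/length TLVs. Returns (decoded list, well_formed)."""
    decoded, i = [], 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                            # End of Option List
            break
        if kind == 1:                            # NOP padding
            decoded.append((1, b""))
            i += 1
            continue
        if i + 1 >= len(options):
            return decoded, False                # kind with no length byte
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            return decoded, False                # overruns the options area
        decoded.append((kind, options[i + 2:i + length]))
        i += length
    return decoded, True


def is_leet_syn(segment: bytes) -> bool:
    """True for a bare SYN (no ACK) whose options area contains the marker."""
    hdr = parse_tcp_header(segment)
    bare_syn = (hdr["flags"] & FLAG_SYN) and not (hdr["flags"] & FLAG_ACK)
    return bool(bare_syn) and SIGNATURE in hdr["options"]


def count_leet_syns(segments) -> int:
    """Number of segments in a batch that match the marker on a bare SYN."""
    return sum(1 for s in segments if is_leet_syn(s))


# --- constructed sample segments (not captured traffic) ----------------------
def build_segment(options: bytes, flags: int) -> bytes:
    """Assemble a TCP header carrying the given options, padded with EOL bytes."""
    options += b"\x00" * ((-len(options)) % 4)
    off_flags = (((20 + len(options)) // 4) << 12) | flags
    return struct.pack("!HHIIHHHH", 40000, 80, 1, 0, off_flags, 65535, 0, 0) + options


# MSS 1460, NOP, NOP, SACK-permitted: what an ordinary client SYN carries
NORMAL_SYN = build_segment(b"\x02\x04\x05\xb4\x01\x01\x04\x02", FLAG_SYN)
# the marker bytes do not decode as valid options; walk_options reports that
LEET_SYN = build_segment(SIGNATURE, FLAG_SYN)
# same options on a SYN-ACK: not a client SYN, so not matched
LEET_SYNACK = build_segment(SIGNATURE, FLAG_SYN | FLAG_ACK)
```

Matching a fixed marker is brittle, since whoever runs the botnet can change it, and because the source addresses are spoofed it says nothing about which devices sent the packets; it only helps classify and discard this particular flood at the edge.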

    9. Re:No way to cut the problem at the root? by pr0fessor · · Score: 2

      If there is a known C&C that it communicates with or other things that will give away the device then yes some ISPs will call you up, warn you, and then suspend your account until you get the device removed or are able to clean it.

    10. Re:No way to cut the problem at the root? by gweihir · · Score: 1

      Nobody in this attack generates "disproportional traffic". That is the idea of DDoS.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    11. Re:No way to cut the problem at the root? by aaarrrgggh · · Score: 2

      I'll take the liberty of re-phrasing the question: What can be done to prevent "my" IOT devices, which require some access to the internet, from being part of the problem?

      Don't really know the answer; consumer routers aren't up to the task, and configuring a more advanced router/firewall isn't easy, and the end devices themselves have terrible security. You could proxy some of the data that is sent by the equipment and track anomalies... but that becomes a lot of work.

    12. Re:No way to cut the problem at the root? by Archangel+Michael · · Score: 1

      Well, asking an expert for an answer, and then dismissing that answer because it doesn't suit you makes you more of an asshole (IMHO). The original poster is entirely correct. I liken it to how to eat an elephant. You see an elephant, and figure you can eat a pound or two a day and it takes a couple years. I look at the Elephant and send my herd of trained ants to eat it, and it is gone in a couple days. It is a perspective that most people (like yourself) have no clue about. You see an ant, and think "it can't eat an elephant", and "I can kill it with my finger", both of which are true, but you are not thinking about the billion or so cousins.

      It is why firebombing ant hills is only temporary. They will come back, and you can't stop them. Welcome to our botnet.

      --
      Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
    13. Re:No way to cut the problem at the root? by TheDarkMaster · · Score: 1

      He is an asshole because instead of simply saying that the problem is difficult (which I already know) or suggesting a possible solution, he preferred to say that it is impossible and to offend me for having the audacity to want to find a solution where he failed.

      As for your answer, I will introduce what I am thinking using your own example: I want to prevent the elephant from being devoured by the ants, what can I do? The most obvious is to take the elephant off the place, works 100%. But I need the elephant in the place so I cannot get him out of the place, but I still cannot let the ants eat him. I can then eliminate the ants by using a flamethrower, which also works but I have no way of knowing how many ants I'm dealing with. I can then prevent the ants from reaching the elephant by placing the elephant inside a crated box, but I need termites (valid traffic) to reach the elephant, so I have to differentiate the termites from the ants. Do you see where this is going? Options to try to solve the problem exist, the problem is to find which option works in a situation where it will not have obvious solutions.

      --
      Religion: The greatest weapon of mass destruction of all time
    14. Re:No way to cut the problem at the root? by pope1 · · Score: 2

      If we had a global registry of DDoS targets that we added new addresses to when the bandwidth of an attack broached limit X from number of sources Y (100gbps / 1million bots?), then we could require ISPs to run automated scripts that Null Route those addresses in the database for time period Z (1 day?) The Botnet gets rejected at the edge in those cases, but the end result is the same for the target, they have to move or wait. If you can get the move done fast enough (up on new IP addresses in an automated fashion within seconds, DNS propagation for those new addresses at the same rate), then there is no loss of service, and no profit for the operators of the Botnet. Or no fun if it's "just for the Lulz". So the real problem with DDoS is the inherent lack of configuration speed in the current internet. Blocking IP addresses at the edge routers is a manual process and takes time. Bringing NIC cards up on new IP addresses or changing static NATs in firewalls is a manual process and takes time. Changing DNS records and allowing for propagation, etc, etc. So to beat DDoS, we need to have more automated systems in place for migrating services from one address to another. You destroy the perception that there was any effect from the flood, and you beat DDoS.

      --
      /* * pope1 */
    15. Re:No way to cut the problem at the root? by pope1 · · Score: 1

      So, after thinking about this a little more, there is nothing preventing the Botnet operators from doing a DNS lookup and simply targeting the new IP address. However, that would let us weed out legitimate traffic from botnet traffic over enough iterations. ISPs could have a three strikes rule for clients. 1st time you attempt to contact an IP address on the DDoS target list, strike one, most "strike one traffic" is probably legit, people pressing F5 trying to reload the site, etc. Strike two, and you start to see exactly which addresses are following the DNS chain and propagating the attack, by strike three+ (if ISPs are reporting their "repeat offenders" to a central clearing house), you have a pretty decent picture of all the end nodes in the Botnet. You Null Route those, too, in a separate list. Same TTL expiration as the DDoS target list. When people call their ISPs to bitch, the tech on the other end notices the red flag on the account and asks the owner to kindly unplug their smart toothbrush (or whatever brain dead IoT device is being utilized) if they would like to have their internet turned back on. Avoiding false positives on Botnet membership would require the targeted site to put up some kind of "This site is under attack!" notice so people know to stay clear while the members of the Botnet are identified and blocked.

      --
      /* * pope1 */
    16. Re: No way to cut the problem at the root? by Anonymous Coward · · Score: 0

      The problem is the ants. Use computer vision to identify the ants, then laser or whatever them.

      Your stupid example is stupid. The IoT devices - the solution is retroactive.

      1. Track the sources through logs.
      2. Fine the owners as they left the keys in the car with a lights sign for the children to steal and run over the lady.
      3. Owners of IoTs compromised will fix it or be penalized.

      This should create some auditing industry if it has not already. There just needs to be money involved to lubricate it.

      Now the question is: how to make money by tracking down and shutting down these devices?

    17. Re: No way to cut the problem at the root? by Anonymous Coward · · Score: 0

      If we can turn the IoT devices on themselves locally, the owner can do something?

    18. Re: No way to cut the problem at the root? by Archangel+Michael · · Score: 1

      The problem isn't the ants (IoT). The ants provide valuable services to the nature of the Savannah. The problem isn't the elephant (Internet domain). The problem is that there are people telling the ants to attack that elephant over there ---->

      You want to solve that "people" problem ... and good luck. The internet has made that person more or less anonymous. And unless you're suggesting tracking every person every day on everything they do on the internet, it isn't easily solvable.

      In the days of old, when I was just a "newbie" on /. there was this thing called "Slashdot Effect". All you needed to take down a server was put an article up on Slashdot and it would be Offline for a day or so. This is more or less the same thing.

      --
      Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
    19. Re:No way to cut the problem at the root? by Walter+White · · Score: 1

      I just bought a small box with two Ethernet ports for under $150US that I plan to run something like pfSense or similar on. I'll supplement an HDD and RAM scavenged from a retired laptop to complete the H/W package. The initial rationale was to block DNS requests to any but my preferred provider to defeat the DNS hijacking attacks. Perhaps there would be a way to detect unusual traffic patterns and block them to thwart other sorts of attacks. Better yet, I could restrict outbound connections from my devices to their intended destinations.

      I don't know how feasible this is and it is certainly beyond the capabilities of the average user. I wonder if something like this could be produced commercially. Or if the functionality could be added to consumer level routers. I suppose the problem is if consumers are not directly affected by it they are not motivated to pay for it.

      I'm just a little more paranoid than most. I don't think I can outrun the bear but I think I can stay ahead of the most of the crowd.

    20. Re:No way to cut the problem at the root? by Anonymous Coward · · Score: 0

      sooo... what exactly in his post makes you think he doesn't know what a ddos is? is it some shit you're making up in your little limited head that he didn't actually say?

      here's a sample solution to filter at the source. after the fact, figure out as many mac addresses as you can for the attack devices. block them isp-wide. pass law in country requiring every isp to comply. when it's cell-type shit with a sim card, have the carrier block the phone. this will force the owner of said device to take some action, like press the factory reset. it might even eventually force devices to auto-update for years and years, since people don't want to buy shit that stops working after a while.

      There are many more possible things you can do with a ddos to fix the problem at the source. hey - maybe we could even after the fact find some shit in the tcp header. to post-attack identify and block devices. that would be sw33t. pros and cons to all of them. I know, you're clearly not the guy to help out here - you're a user, not a dev, so you don't have original ideas.

      No one was asking you to pitch in here. you have no ideas on the topic, so instead of not replying, you reply the guy is an idiot? sorry - that's only you. the guy who just said it's not possible to create solutions based on the source of the attack. and the guy who doesn't know how one works that's clearly you. you did read the wiki entry on ddos though, but don't get into details bud. you make yourself look quite the fool.

    21. Re:No way to cut the problem at the root? by aaarrrgggh · · Score: 1

      I would say you might be better off with a $50 Ubiquiti EdgeRouter X; cheaper and easier.

      (I was just thinking about Breaking Bad this morning...)

    22. Re:No way to cut the problem at the root? by Anomalyst · · Score: 1

      I wonder if some security boffin might publish on github some iptables rate limiting rules in the same vein as dropping inbound ssh connections, but for any outbound IOT device traffic. Perhaps an ISO/ECMA mandated IOT ID byte in the MAC address after vendor ID [FE]? It appears iptables won't match against a MAC Regular Expression in filters. The manpage seems to require a fully qualified MAC. In lieu of revising the source code, the logic can be inverted and limit all addresses that aren't specifically allowed, pretty cumbersome, might be easier & quicker to revise. Is there a list of vendor MAC ID for the offending devices (don't really care if there are collateral hits on other products from the same vendor, it's just a rate limit not a total block, adjust the limit case by case). I wonder how feasible it would be for Cisco, et al. to provide DDOS mitigation access control lists/processors to block such at the source site or ISP.

      --
      There is no right to feel safe thru security vaudeville at the expense of everyone's freedom, privacy and tax money.
    23. Re:No way to cut the problem at the root? by Walter+White · · Score: 1

      I would say you might be better off with a $50 Ubiquiti EdgeRouter X; cheaper and easier.

      Definitely cheaper and easier. My Asus AC-RT68 is also cheaper and easier.

      I'm pretty confident that pfSense has a broader feature set and is likely more secure than the Asus. I wonder where the EdgeRouter X fits on that spectrum?

  6. that's not how you spell elite. It's 1334 by Anonymous Coward · · Score: 0

    1337

    1. Re:that's not how you spell elite. It's 1334 by Anonymous Coward · · Score: 0

      Nah, this is probably not 1337, but two dastardly parahumans Uber & Leet ...

  7. Did this take down Steam? by Anonymous Coward · · Score: 0

    There was a DDoS on Christmas that took Steam out for hours but no comment was ever made on the issue.

    1. Re:Did this take down Steam? by Anonymous Coward · · Score: 0

      Probably because Steam always goes down around Christmas when the new customers hug their servers to death.

    2. Re:Did this take down Steam? by Desler · · Score: 1

      Yes, the "DDoS" was people flooding their store to buy things. Valve still seems to not have learned any lessons from past winter sales.

  8. DDOS has had its 15 minutes by xanthos · · Score: 3, Insightful

    Ok, everybody who was effected by this raise your hands! Anybody?

    These DDOS attacks are mildly interesting but irrelevant in the grander scheme of things. Given the nature of the attack payloads, it probably would have been effective at less than 100 Gbps so why hype the new high watermark? AFAIK, DDOS isn't a huge money maker so this isn't a threat in the same league as ransomware.

    Quit trying to promote vandalism as news and maybe, just maybe it will become less interesting a thing to do.

    --
    Average Intelligence is a Scary Thing
    1. Re:DDOS has had its 15 minutes by Anonymous Coward · · Score: 0

      Quit trying to promote vandalism as news and maybe, just maybe it will become less interesting a thing to do.

      Also quit reporting press releases from security firms that brag about how they were able to defeat this supposedly "most dangerous" botnet to date.

      So you were able to defeat it? So why do I care about it?

    2. Re:DDOS has had its 15 minutes by Anonymous Coward · · Score: 1

      "These DDOS attacks are mildly interesting but irrelevant in the grander scheme of things"

      Hitler's conquering of Poland was irrelevant in the grander scheme of things, until it wasn't.

    3. Re:DDOS has had its 15 minutes by Anonymous Coward · · Score: 0

      I wonder whom it actually affected.
      Would ransom-style DDOS make a comeback? Especially against smaller targets!!

    4. Re:DDOS has had its 15 minutes by bfpierce · · Score: 2

      This is just a test really, and it'll be irrelevant until it's not. Egg on their face and what not.

      When they can ramp this up to hit something important that's not air gapped, I wonder if you'll still be on the high horse saying it's 'vandalism'.

      DDoS doesn't exist to generate money, it's used to create chaos.

    5. Re:DDOS has had its 15 minutes by Anonymous Coward · · Score: 1

      For the record, Brian Krebs, a security research blog/reporter who publicizes cyber criminals like the ones involved, who run DDOS farms to attack any victim for a fee paid in bitcoin on the darknet. Read more kids. There are millions of victims. Maybe nobody you know, but that's because you don't pay attention more than not.

    6. Re:DDOS has had its 15 minutes by thegarbz · · Score: 2

      Ok, everybody who was effected by this raise your hands! Anybody?

      Me. I'm affected. I'm affected by the display of a possibility. I'm affected by the fact that this amount of bandwidth is available to someone to knock essentially any target offline. Today it's Krebs, tomorrow it's my bank.

      Just because my internet wasn't slow doesn't mean that it's not a very real problem that needs to be looked into and addressed, just like a bunch of vandals tagging a subway station is good and fun until they tag the windscreen of my car.

    7. Re:DDOS has had its 15 minutes by Anonymous Coward · · Score: 1

      It is a money maker. Companies who suffer from the DDoS lose revenue; their competitors make a ton during that period.

    8. Re:DDOS has had its 15 minutes by citylivin · · Score: 1

      "Ok, everybody who was *sic*effected*sic* by this raise your hands! Anybody?"

      Short memory eh? A DDoS attack took down multiple services around oct ( https://www.wired.com/2016/10/... ). That one personally affected me as one of our dns providers went down, causing customers headaches for a day or two.

      So yes, ddos attacks do *affect* people, in the real world, right now. And they are scary and newsworthy when they occur.

      The end result should be that companies are law bound and forced to support IoT devices for ~15 years from the date of manufacture of the device. It should be no different than an auto recall where you receive a letter in the mail. You think companies do that out of their own good will? no, they were forced to by law. Why were they forced by law to do that? Because people became enraged and the media hyped up that rage so that laws were passed. The media publicizing these events is completely 100% necessary, if our goal is secure devices and an educated populace. I don't see any other way to combat these new IoT botnets, do you? Your solution of "just ignore them" is fanciful. Doesn't work with any sort of crime, so it won't work for botnets. You defend yourself, which in this case means educating manufacturers and your fellow man about a clear and present danger.

      --
      As a potential lottery winner, I totally support tax cuts for the wealthy
    9. Re:DDOS has had its 15 minutes by michael_wojcik · · Score: 1

      Ok, everybody who was effected by this raise your hands! Anybody?

      It's certainly possible that with traffic to some sites disrupted, some people turned to other ... entertainments, and in the process effected someone. But I'm afraid you'll have to wait ~9 months for any of the latter group to raise their hands.

  9. This botnet uses SYN-ACK: This helps kill it by Anonymous Coward · · Score: 2, Interesting

    See subject: SYN Attack Protection

    ---

    The named value to enable SYN attack protection is located beneath the registry key:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TcpIp\Parameters.

    Value name: SynAttackProtect

    Recommended value: 2

    Valid values: 0 1 2

    Description: Causes TCP to adjust retransmission of SYN-ACKS. When you configure this value the connection responses timeout more quickly in the event of a SYN attack. A SYN attack is triggered when the values of TcpMaxHalfOpen or TcpMaxHalfOpenRetried are exceeded.

    ---

    SYN Protection Thresholds

    The following values determine the thresholds for which SYN protection is triggered. All of the keys & values in this section are under the registry key

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TcpIp\Parameters

    Value name: TcpMaxPortsExhausted

    Recommended value: 5

    Valid values: 0-65535

    Description: Specifies the threshold of TCP connection requests that must be exceeded before SYN flood protection is triggered.

    Value name: TcpMaxHalfOpen

    Recommended value data: 500

    Valid values: 100-65535

    Description: When SynAttackProtect is enabled this value specifies the threshold of TCP connections in the SYN_RCVD state. When SynAttackProtect is exceeded SYN flood protection is triggered.

    Value name: TcpMaxHalfOpenRetried

    Recommended value data: 400

    Valid values: 80-65535

    Description: When SynAttackProtect is enabled this value specifies the threshold of TCP connections in the SYN_RCVD state for which at least one retransmission has been sent. When SynAttackProtect is exceeded SYN flood protection is triggered.

    APK

    P.S.=> That's software/OS/IP stack side for Windows users (*NIX has analogs - as all std. IP stacks are BSD derived)... apk

    1. Re:This botnet uses SYN-ACK: This helps kill it by Anonymous Coward · · Score: 0

      Cite your sources when using other people's work!

      https://msdn.microsoft.com/en-us/library/ff648853.aspx

  10. Not a huge number by silas_moeckel · · Score: 2

    10g transit ports are about the smallest practical to buy, 40 and 100 are a lot more common. This is a big attack as attacks go but not really pushing a well-built network.

    --
    No sir I dont like it.
    1. Re:Not a huge number by Anonymous Coward · · Score: 3, Interesting

      > This is a big attack as attacks go but not really pushing a well-built network.

      This attack is 5% _larger_ than the one that was directed at Krebs's site. Krebs was forced offline because the provider that was keeping his site up could no longer do so pro-bono, and there was no way in hell he could pay market rate for those services: https://krebsonsecurity.com/2016/09/the-democratization-of-censorship/

      Also, the attack against Krebs's site was -prior to this most recent one- the largest reported DDoS, ever. So... yeah, not only is this "a big attack as attacks go", it is _the biggest attack_.

    2. Re:Not a huge number by thegarbz · · Score: 1

      This is a big attack as attacks go but not really pushing a well-built network.

      This is a larger attack than one that previously caused a company which defends against these kinds of attacks to cut ties with the customer under attack.
      It's also a significantly larger attack than many smaller attacks which have had actual economic damage as not everyone builds your "well-built" network because surprise surprise when you provision a network you design it for maximum load under conditions based on your users, not on the entire weight of an IoT botnet raining hell on you.

      Brushing this off is a big mistake.

    3. Re:Not a huge number by Anonymous Coward · · Score: 0

      These attacks are so big because the networks can deliver these kinds of bandwidths nowadays. It doesn't really matter whether a T1 is saturated by packets from thousands of POTS modems or a modern network succumbs to hundreds of gigabits per seconds. The fact remains that DDoS isn't a sustainable threat.

    4. Re:Not a huge number by Anonymous Coward · · Score: 0

      > The fact remains that DDoS isn't a sustainable threat.

      Do you even WWW, Bro?

      5,000,000 1kbps streams of data add up to 5gbps of data. If the target host doesn't have a 5gbps downlink, it will be DoS'd... and all each of the targeting hosts needs is a 1kbps uplink.

    5. Re:Not a huge number by silas_moeckel · · Score: 1

      No, those networks are just not large enough to realistically defend against a DDOS. Lots of places sell the service; few can really back that up.

      --
      No sir I dont like it.
  11. Re: don't protect the targets. cut off the sources by Anonymous Coward · · Score: 0

    Don't think of the sources as evil devices. Think of them as computational resources temporarily (very temporarily) repurposed by script-toddlers. A few changes to the malware and, voila, a million CPU cloud.

  12. Fair enough: I have before & see ps... apk by Anonymous Coward · · Score: 0

    You obviously read my posts where I did post the link, e.g. proof -> http://yro.slashdot.org/comments.pl?sid=4755487&cid=46161879/ (which has a LOT more you can do vs. DDoS/DoS) DOUCHEBAG NITPICKER - why don't YOU offer such good advice vs. DDoS like I have?

    * My post now you replied to is +1 upmodded. The link above? +3 INFORMATIVE.

    APK

    P.S.=> See subject: ... whipslash cuts my posts down to next to nothing in length & runs scripts trying to stop me posting! Ever wonder WHY /.'s source isn't available anymore? THIS is PART of the reason why (dirty tricks).

    So, this time?

    I couldn't FIT IT IN (lameness filter bs vs. AC posters, worse for me many times) BUT as you can see? I have before so FUCK you nitpicking asshole.. apk

  13. Not that hard in principle to fix this by Goonie · · Score: 1

    Most IoT devices don't need to talk to the entire Internet. At most, they need to phone home to a few servers made by the device manufacturer. So build a protocol in which devices identify themselves, and after authorization the home router then downloads a signed ruleset. If the device is later compromised, the DDoS traffic is blocked and reported somewhere.

    Yes, there are quite a few details to work through to reduce the risk of this being spoofed, and dealing with legacy devices, but in principle this could work and wouldn't be too difficult for manufacturers to implement.

    --

    Any sufficiently advanced technology is indistinguishable from a rigged demo
    --Andy Finkel (J. Klass?)
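A sketch of what Goonie's per-device signed ruleset and Anomalyst's outbound rate limit (comment 22 above) would look like on a home router, as an added Python example written for this page and not code from any commenter or vendor. The device MACs, ruleset, flow records and key are constructed; HMAC with a shared key stands in for the public-key signature Goonie's proposal would use, so the example runs on the standard library alone.

```python
import hashlib
import hmac
import json
from collections import defaultdict

# Constructed ruleset for a hypothetical camera model. A manufacturer would sign
# it; HMAC with DEMO_KEY stands in for that signature here.
DEMO_KEY = b"constructed-demo-key"
CAM_RULESET = {
    "device_class": "acme-cam-v1",
    "allowed_dst": ["203.0.113.10", "203.0.113.11"],  # vendor cloud (TEST-NET-3)
    "allowed_ports": [443, 123],
    "max_pps": 50,                                     # outbound packet budget
}
# Devices that never present a ruleset (legacy) keep free choice of destination
# but get a rate cap: the inverted allow-list Anomalyst describes.
LEGACY_RULESET = {"device_class": "legacy", "allowed_dst": None,
                  "allowed_ports": None, "max_pps": 20}


def canonical(ruleset: dict) -> bytes:
    return json.dumps(ruleset, sort_keys=True, separators=(",", ":")).encode()


def sign_ruleset(ruleset: dict, key: bytes) -> str:
    return hmac.new(key, canonical(ruleset), hashlib.sha256).hexdigest()


def verify_ruleset(ruleset: dict, signature: str, key: bytes) -> bool:
    return hmac.compare_digest(sign_ruleset(ruleset, key), signature)


class TokenBucket:
    """Packets-per-second limiter; capacity and refill rate both equal max_pps."""
    def __init__(self, rate: float, now: float):
        self.rate, self.tokens, self.last = rate, float(rate), now

    def take(self, now: float) -> bool:
        self.tokens = min(self.rate, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class EgressPolicy:
    """Per-device egress filter applied to flows leaving the home router."""
    def __init__(self, key: bytes):
        self.key = key
        self.rules = {}                                     # mac -> ruleset
        self.buckets = {}                                   # mac -> TokenBucket
        self.counts = defaultdict(lambda: defaultdict(int)) # mac -> verdict -> n

    def register(self, mac: str, ruleset: dict, signature: str) -> None:
        """Accept a device's ruleset only if its signature verifies."""
        if not verify_ruleset(ruleset, signature, self.key):
            raise ValueError(f"rejected unsigned or tampered ruleset for {mac}")
        self.rules[mac] = ruleset

    def decide(self, ts: float, mac: str, dst_ip: str, dst_port: int) -> str:
        rs = self.rules.get(mac, LEGACY_RULESET)
        if rs["allowed_dst"] is not None and dst_ip not in rs["allowed_dst"]:
            verdict = "drop:dst"        # blocked outright, spends no budget
        elif rs["allowed_ports"] is not None and dst_port not in rs["allowed_ports"]:
            verdict = "drop:port"
        else:
            bucket = self.buckets.setdefault(mac, TokenBucket(rs["max_pps"], ts))
            verdict = "allow" if bucket.take(ts) else "drop:rate"
        self.counts[mac][verdict] += 1
        return verdict

    def run(self, records):
        return [self.decide(*r) for r in records]

    def flagged(self):
        """Devices that had anything dropped: the ones to report upstream."""
        return sorted(m for m, c in self.counts.items()
                      if any(v != "allow" for v in c))


# --- constructed flow records: (timestamp, source MAC, dst IP, dst port) -----
CAM = "aa:bb:cc:00:00:01"
LEGACY = "aa:bb:cc:00:00:02"


def demo_records():
    recs = [(i / 10, CAM, "203.0.113.10", 443) for i in range(10)]  # heartbeat
    recs += [(1.0, CAM, "198.51.100.5", 80) for _ in range(200)]    # off-list burst
    recs += [(2.0, CAM, "203.0.113.10", 443) for _ in range(200)]   # on-list burst
    recs += [(3.0 + i, LEGACY, "198.51.100.5", 80) for i in range(5)]
    return recs


def demo() -> EgressPolicy:
    policy = EgressPolicy(DEMO_KEY)
    policy.register(CAM, CAM_RULESET, sign_ruleset(CAM_RULESET, DEMO_KEY))
    policy.run(demo_records())
    return policy
```

With the constructed records, the camera's 200-packet burst at an unlisted host is dropped entirely, its burst at the vendor cloud is cut to the 50-packet budget, and the camera alone ends up in the report list; the legacy device, sending a packet a second, is untouched.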
    1. Re:Not that hard in principle to fix this by aaarrrgggh · · Score: 1

      Good point; you could create a pretty simple adaptive firewall for each product. Problem is feature changes and off-requests, but if initially blocking doesn't hinder functionality it isn't too bad. I think the DPI engine on my EdgeRouter can get me halfway there... but it would be a pain to maintain individually.

  14. Solution: change the default password on your IoT by khz6955 · · Score: 1

    Solution: change the default password on your IoT device and disable UPnP ..