Slashdot Mirror

← Back to Stories (view on slashdot.org)

Bigger Than Mirai: Leet Botnet Delivers 650 Gbps DDoS Attack (betanews.com)

Posted by msmash on from the security-woes dept.

Reader Mark Wilson writes: Earlier in the year, a huge DDoS attack was launched on Krebs on Security. Analysis showed that the attack pelted servers with 620 Gbps, and there were fears that the release of the Mirai source code used to launch the assault would lead to a rise in large-scale DDoS attacks. Welcome Leet Botnet. In the run-up to Christmas, security firm Imperva managed to fend off a 650 Gbps DDoS attack. But this was nothing to do with Mirai; it is a completely new form of malware, but is described as "just as powerful as the most dangerous one to date". The concern for 2017 is that "it's about to get a lot worse". Clearly proud of the work put into the malware, the creator or creators saw fit to sign it. Analysis of the attack showed that the TCP Options header of the SYN packets used spelled out l33t, hence the Leet Botnet name.

2 of 74 comments (clear)

  1. This botnet uses SYN-ACK: This helps kill it by Anonymous Coward · · Score: 2, Interesting

    See subject: SYN Attack Protection

    ---

    The named value to enable SYN attack protection is located beneath the registry key:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TcpIp\Parameters.

    Value name: SynAttackProtect

    Recommended value: 2

    Valid values: 0 1 2

    Description: Causes TCP to adjust retransmission of SYN-ACKS. When you configure this value the connection responses timeout more quickly in the event of a SYN attack. A SYN attack is triggered when the values of TcpMaxHalfOpen or TcpMaxHalfOpenRetried are exceeded.

    ---

    SYN Protection Thresholds

    The following values determine the thresholds for which SYN protection is triggered. All of the keys & values in this section are under the registry key

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TcpIp\Parameters

    Value name: TcpMaxPortsExhausted

    Recommended value: 5

    Valid values: 0-65535

    Description: Specifies the threshold of TCP connection requests that must be exceeded before SYN flood protection is triggered.

    Value name: TcpMaxHalfOpen

    Recommended value data: 500

    Valid values: 100-65535

    Description: When SynAttackProtect is enabled this value specifies the threshold of TCP connections in the SYN_RCVD state. When SynAttackProtect is exceeded SYN flood protection is triggered.

    Value name: TcpMaxHalfOpenRetried

    Recommended value data: 400

    Valid values: 80-65535

    Description: When SynAttackProtect is enabled this value specifies the threshold of TCP connections in the SYN_RCVD state for which at least one retransmission has been sent. When SynAttackProtect is exceeded SYN flood protection is triggered.

    APK

    P.S.=> That's software/OS/IP stack side for Windows users (*NIX has analogs - as all std. IP stacks are BSD derived)... apk

  2. Re:Not a huge number by Anonymous Coward · · Score: 3, Interesting

    > This is a big attack as attacks go but not really pushing a well-built network.

    This attack is 5% _larger_ than the one that was directed at Krebs's site. Krebs was forced offline because the provider that was keeping his site up could no longer do so pro-bono, and there was no way in hell he could pay market rate for those services: https://krebsonsecurity.com/2016/09/the-democratization-of-censorship/

    Also, the attack against Krebs's site was -prior to this most recent one- the largest reported DDoS, ever. So... yeah, not only is this "a big attack as attacks go", it is _the biggest attack_.