Hackers have combined botnets to launch the most powerful DDoS attacks

13 January 2022

In the first half of December, StormWall specialists recorded a flood of DDoS attacks with a capacity of more than 1 Tbit/s that lasted for several days. The attacks mainly targeted companies in the entertainment industry, online retail, publishing and the fintech sector, particularly crypto services. The attackers used a new botnet consisting of tens of thousands of servers running different versions of operating systems, as well as webcams, routers, smart TVs and other smart devices.

Since the botnet includes different devices running different operating systems with different software installed, it is reasonable to assume that they were infected in different ways, such as brute-force attacks or the exploitation of security vulnerabilities. Each new attack has roughly the same strength but a different geographical distribution, which suggests that not a single botnet is used here, but several disparate botnets grouped under a single management system to which the attackers have access.

The botnet's resources are shared by multiple users who can launch DDoS attacks simultaneously. To launch an attack, each attacker uses only a part of the botnet rather than the whole of it, yet even a part is enough to mount an attack with a capacity of several hundred Gbit/s. Since each attacker can access only a part of the botnet, other attackers can use the remaining capacity at the same moment, which lets them sustain lengthy attacks.

The botnet operates without IP address substitution (spoofing), because the attacks originate from data centers and Internet service providers that prohibit source address spoofing. According to experts, about 50% of the malicious traffic originates from Japan, 30% from the US and 20% from other countries.

There is nothing unique about these attacks; because the botnet operates without IP address spoofing, they are quite easy to filter with adequate capacity. However, most victims, including telecom operators, lack that capacity, and it is not easy to add now, as equipment delivery times range from several months to a year.
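The filtering point above, as an added example that is not StormWall's code: when attacking devices do not spoof their source addresses, every bot appears as a stable source IP, so a simple per-source volume threshold separates the botnet from ordinary clients, and the same traffic can be broken down by country the way the article does. The script runs over constructed flow records and a hypothetical prefix-to-country table (the documentation ranges 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24 are assigned to countries only for illustration); it also applies the same threshold to a spoofed variant of the same volume to show why spoofing defeats per-source filtering.

```python
"""Per-source filtering of non-spoofed DDoS traffic (added example, not the
article's or StormWall's code). Flow records and the prefix-to-country table
below are constructed for illustration."""
import ipaddress
from collections import Counter
from itertools import islice

# Hypothetical country assignments for documentation prefixes (constructed).
PREFIX_COUNTRY = {
    ipaddress.ip_network("203.0.113.0/24"): "JP",
    ipaddress.ip_network("198.51.100.0/24"): "US",
    ipaddress.ip_network("192.0.2.0/24"): "DE",
}

# Constructed non-spoofed attack: three bots with fixed addresses, each sending
# 200 packets of 1000 bytes, plus two legitimate clients with a few packets.
LEGIT_FLOWS = [("192.0.2.5", 1500)] * 3 + [("198.51.100.7", 800)] * 2
UNSPOOFED_FLOWS = (
    [("203.0.113.10", 1000)] * 200
    + [("203.0.113.11", 1000)] * 200
    + [("198.51.100.20", 1000)] * 200
    + LEGIT_FLOWS
)

# Constructed spoofed variant: the same 600 packets, each from a different
# (never repeating) source address in 10.0.0.0/16.
_SPOOFED_SOURCES = [str(h) for h in islice(ipaddress.ip_network("10.0.0.0/16").hosts(), 600)]
SPOOFED_FLOWS = [(src, 1000) for src in _SPOOFED_SOURCES] + LEGIT_FLOWS


def country_of(ip: str) -> str:
    """Map a source address to a country code via the prefix table ('??' if unknown)."""
    addr = ipaddress.ip_address(ip)
    for net, cc in PREFIX_COUNTRY.items():
        if addr in net:
            return cc
    return "??"


def bytes_per_source(flows) -> Counter:
    """Total bytes per source IP. flows: iterable of (src_ip, nbytes)."""
    totals = Counter()
    for src, nbytes in flows:
        totals[src] += nbytes
    return totals


def country_share(flows) -> dict:
    """Fraction of total bytes per country, rounded to two decimals."""
    per_cc = Counter()
    for src, nbytes in flows:
        per_cc[country_of(src)] += nbytes
    total = sum(per_cc.values())
    return {cc: round(v / total, 2) for cc, v in per_cc.items()} if total else {}


def select_blocklist(flows, threshold: int) -> list:
    """Source IPs whose total volume exceeds the threshold, sorted as strings.
    This only isolates attackers when sources are stable, i.e. not spoofed."""
    return sorted(ip for ip, b in bytes_per_source(flows).items() if b > threshold)


def mitigated_fraction(flows, threshold: int) -> float:
    """Share of total bytes that dropping the blocklisted sources would remove."""
    totals = bytes_per_source(flows)
    blocked = set(select_blocklist(flows, threshold))
    total = sum(totals.values())
    return round(sum(totals[ip] for ip in blocked) / total, 2) if total else 0.0


if __name__ == "__main__":
    for name, flows in (("non-spoofed", UNSPOOFED_FLOWS), ("spoofed", SPOOFED_FLOWS)):
        print(name, "country share:", country_share(flows))
        print(name, "blocklist:", select_blocklist(flows, 50_000),
              "mitigated:", mitigated_fraction(flows, 50_000))
```

With a 50 kB per-source threshold the three fixed-address bots are isolated and about 99% of the volume is dropped while the two legitimate clients pass; on the spoofed variant no single source crosses the threshold, which is why the article notes that the absence of spoofing is what makes these attacks straightforward to filter given enough capacity.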

You can defend against such attacks by deploying a geographically distributed protection network and filtering attacks closer to the regions from which they were launched. Building an effective protection system against such attacks requires large channel capacity as well as substantial network and computing equipment. However, the situation is complicated by the current shortage of network cards and processors, and delivery of the necessary equipment takes many months. To protect online resources effectively from destructive attacks, it is better to use professional solutions offered by companies specializing in DDoS protection; implementing such solutions helps to avoid severe economic losses.