Streaming Service Suffers 13-Day DDoS Siege by IoT Botnet

A botnet of over 400,000 IoT devices held a 13-day distributed denial-of-service (DDoS) siege against the streaming app of a company in the entertainment business.

Directed at the authentication component, the attack started around April 24 and hit with as many as 292,000 requests per second (RPS) at its peak, making it one of the largest Layer 7 DDoS strikes.

It held a constant rate above 100,000 requests and the adversary kept the flow well over 200,000

A Layer 7 (application layer) DDoS attack is not meant to exhaust the internet connection bandwidth, as is the case with volume-based attacks (e.g. UDP, ICMP floods), or a system’s resources (SYN flood). Since the target is an application, the intent is to hit it with so many GET/POST requests that the server crashes.

DDoS mitigation company Imperva held the service running for the entire duration of the attack, observing requests from 402,000 different IP addresses.

Most of the attacking devices were located in Brazil, the company says in a report today, noting that this was the largest Layer 7 DDoS assaults it dealt with.

Spikes as high as 300,000 RPS have been observed in the past. In 2017, the website for the Russian newspaper Meduza was a target of a DDoS attack with requests above the volume observed by Imperva.

Because the attacker also focused on the authentication component of the service, the intent remains unclear in the incident handled by Imperva. The botnet’s main goal may have been testing credentials on the service by brute-forcing the login.

However, this large a volume of requests can lead to a denial-of-service condition when no proper mitigation solutions were in place.

“The attackers used a legitimate User-Agent, the same as used by the entertainment industry customer service application, to mask their attack.” – Imperva’s Vitaly Simonovich

Linking this activity to an IoT botnet was possible by looking at the ports used. Imperva saw that most of the devices sending the requests had ports 7547 and 2000 open.

Port 7547 is a standard one for the Customer Premises Equipment WAN Management Protocol (CWMP) – intended for auto-configuration and remote management of home routers, modems, and other CPEs.

Port 2000 is also linked to routers, MikroTik in particular, as it is used on these devices for the bandwidth test server protocol.

Requests may seem benign

Layer 7 DDoS attacks can be difficult to defend against because applications are designed to accept requests from users and serve them resources.

In this case, the adversary also used the same user agent as the service’s application and targeted the authentication component.

Distinguishing the malicious connections from the botnet became more difficult because the requests came from distinct systems and were for legitimate action.

Furthermore, brute-force protection would not work in this instance, since there were so many bots that could try different credentials. When the limit would be reached, the bot could take a break and then resume activity.

This technique has been named “low and slow” exactly because it takes longer for the adversary to achieve their goal, but it is also harder to defend against since it mimics the activity of a legitimate user.