The Mirai botnet made global headlines when it knocked out Dyn DNS and took many prominent websites offline on the East Coast. Now a botnet powered by a new malware has been unleashed upon the West Coast of the United States. CloudFlare has been mitigating the attack and detailing its odd characteristics. The team at the prominent CDN has noticed an interesting pattern, namely, that the attacker or attackers behind the botnet seem to be working regular hours, like the average Joe.
The initial attack began at 1830 UTC on November 23 and peaked at 172 million packets per second and 400 Gbps. It lasted the duration of an average workday, running continuously for around 8.5 hours before coming to a halt at 0300 UTC. Subsequent attacks followed a similar pattern, starting at around 1800 UTC and lasting approximately 8 hours, until November 29, when the attacker(s) began working around the clock. The most intense attacks reached 200 Mpps and 400 Gbps. It’s possible that the initial 8-hour attack shifts were preliminary tests leading up to an around-the-clock assault.
As CloudFlare notes, the attacks have been aimed primarily at West Coast locations and are not coming from the infamous Mirai botnet. The attacks have consisted of large-scale floods of Layer 3 and Layer 4 packets directed at the TCP protocol, though CloudFlare has been able to mitigate them throughout this strange episode.
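The figures above (packets per second, Gbps, and 8.5-hour shifts that start at the same time of day) are the kind of summary a defender derives from per-minute traffic counters. The following is an added example, not CloudFlare's code: it converts constructed per-minute packet and byte counters into pps and bps, groups above-threshold minutes into attack episodes, reports each episode's start, end, duration and peak rates, and lists the UTC hour at which each episode began so that a "regular working hours" schedule stands out. The input format, the thresholds and the sample data are all assumptions made for the example.

```python
"""Detect volumetric flood episodes in per-minute traffic counters and
summarise start, end, duration, peak rates and time-of-day of each one.

Added example, not CloudFlare's code. Input format (assumption): one
sample per minute as (timezone-aware UTC datetime, packets, bytes).
"""
from datetime import datetime, timedelta, timezone

# Thresholds are assumptions chosen to fit the constructed data below.
PPS_THRESHOLD = 50_000_000          # 50 Mpps
BPS_THRESHOLD = 100_000_000_000     # 100 Gbps


def rates(packets, byte_count, seconds=60):
    """Convert per-interval counters into packets/s and bits/s."""
    return packets / seconds, byte_count * 8 / seconds


def _close(episode):
    """Finalise an episode: the last hot minute counts in full."""
    episode["duration"] = episode["end"] - episode["start"] + timedelta(minutes=1)
    return episode


def find_episodes(samples, pps_threshold=PPS_THRESHOLD,
                  bps_threshold=BPS_THRESHOLD, gap=timedelta(minutes=5)):
    """Group consecutive above-threshold minutes into attack episodes.

    samples: iterable of (datetime, packets, bytes), one per minute, sorted.
    A quiet stretch longer than `gap` (or a hole in the data) closes the
    current episode, so short lulls do not split one attack into many.
    """
    episodes, current = [], None
    for ts, packets, byte_count in samples:
        pps, bps = rates(packets, byte_count)
        hot = pps >= pps_threshold or bps >= bps_threshold
        if current is not None and ts - current["end"] > gap:
            episodes.append(_close(current))
            current = None
        if not hot:
            continue
        if current is None:
            current = {"start": ts, "end": ts, "peak_pps": pps, "peak_bps": bps}
        else:
            current["end"] = ts
            current["peak_pps"] = max(current["peak_pps"], pps)
            current["peak_bps"] = max(current["peak_bps"], bps)
    if current is not None:
        episodes.append(_close(current))
    return episodes


def start_hours(episodes):
    """UTC hour at which each episode began. The same hour day after day
    suggests a human schedule rather than a fully automated campaign."""
    return [ep["start"].hour for ep in episodes]


def describe(episode):
    """Human-readable one-line summary in Mpps / Gbps."""
    hours = episode["duration"].total_seconds() / 3600
    return (f"{episode['start']:%Y-%m-%d %H:%M} -> {episode['end']:%Y-%m-%d %H:%M} UTC "
            f"({hours:.1f} h), peak {episode['peak_pps'] / 1e6:.0f} Mpps, "
            f"{episode['peak_bps'] / 1e9:.0f} Gbps")


def constructed_samples():
    """Constructed per-minute counters for three days: a flood of 172 Mpps /
    400 Gbps from 18:30 to 03:00 UTC each day (mirroring the reported
    8.5-hour shifts), a quiet 2 Mpps / 10 Gbps baseline otherwise."""
    out = []
    t = datetime(2016, 11, 23, 12, 0, tzinfo=timezone.utc)
    end = datetime(2016, 11, 26, 12, 0, tzinfo=timezone.utc)
    while t < end:
        minute_of_day = t.hour * 60 + t.minute
        in_flood = minute_of_day >= 18 * 60 + 30 or minute_of_day < 3 * 60
        pps, gbps = (172_000_000, 400) if in_flood else (2_000_000, 10)
        out.append((t, pps * 60, gbps * 1_000_000_000 // 8 * 60))
        t += timedelta(minutes=1)
    return out


if __name__ == "__main__":
    found = find_episodes(constructed_samples())
    for ep in found:
        print(describe(ep))
    print("episode start hours (UTC):", start_hours(found))
```

The `gap` parameter is the practical knob: a flood that the mitigation briefly suppresses, or a counter that misses a minute, should not be reported as several separate attacks. Running the block on the constructed data yields three episodes, each 8.5 hours long and each beginning at 18:30 UTC.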
It’s also unknown what sorts of devices have been leveraged for the attack, though it’s fair to speculate that abysmally insecure IoT devices may have been involved. The news of the West Coast attack comes hot on the heels of the White House Commission on Enhancing National Cybersecurity’s report, which highlights the rampant proliferation of vulnerable IoT devices and the threat they pose to critical infrastructure.
CloudFlare has not been forthcoming with any further details regarding the attack, so we are unsure as to how long it lasted and how much the CDN now knows about it.