Malicious attackers have used the freely available Mirai malware to launch a distributed denial of service attack on the small African nation of Liberia, a security researcher says.
UK-based network engineer Kevin Beaumont said the attacks had been going on for a week. As the country had just one Internet cable, installed in 2011, there was a single point of failure.
The Mirai malware has been used in a number of big attacks in the last two months. Around 100,000 Internet-of-Things devices were harnessed to attack Dynamic Networking Services, a major domain name services provider in the US last month. Nobody has reliably measured the magnitude of this attack, but it made the headlines as it affected well-known website like Twitter and Netflix.
The French hosting provider OVH was hit by a DDoS close to 1TBps but this has largely been ignored by the mainstream tech media, probably because it happened in an European country.
{loadposition sam08}Much more publicity has been given to the attacks on the KrebsOnSecurity website, owned by security writer Brian Krebs, though these attacks peaked at 665GBps.
Botnet #14 - ACK flood for 240 seconds
— Mirai Attacks (@MiraiAttacks) 2 November 2016
[Targets]
41.57.81.28/32
41.57.81.29/32
41.57.81.30/32
41.57.81.25/32
41.57.81.26/32
41.57.81.27/32
Beaumont said that the attacks on Liberia appeared to be more of a test rather than anything else. The Mirai botnet used was one of the larger ones, and appeared to be capable of generating attacks up to 500GBps.
All the attacks on this African country had been of short duration, Beaumont said, leading to the conclusion again that they were meant to test out the efficacy of a method of attack, rather than actually cause an economic or other impact.
A website MalwareTech.com has set up a Twitter account with the handle MiraiAttacks to track attacks by the malware.
The site said it was monitoring the ongoing events by deploying "around 500 custom telnet servers designed to emulate vulnerable IoT devices; our code will simulate a real telnet server and await a command specific to the Mirai malware before passing the IP address to our database.
"Due to the fact (that) Mirai self-propagates by scanning the entire Internet (with the exception of a few reserved ranges), we are able to see every scanning bot as soon as it hits one of our 500 IP addresses.
"Unfortunately, scanning the entire Internet takes quite a while when you’re using an IoT device with the processing power of a pocket calculator, which is why we made the decision to deploy hundreds of telnet servers to increase the rate of mapping, rather than just running a few for a couple of months."