An emerging IoT botnet has recently been observed launching record-breaking distributed denial-of-service (DDoS) attacks, but its inability to spoof source addresses makes remediation easier, Netscout reports.
Dubbed Aisuru, the botnet is part of a new class of DDoS-capable malware, referred to as TurboMirai. The threats are reminiscent of the infamous Mirai IoT botnet, and can launch DDoS attacks that exceed 20 terabits per second (Tbps).
Operating as a DDoS-for-hire service, Aisuru was mainly observed targeting online gaming platforms, but avoiding governmental, law enforcement, military, and similar entities.
Like other TurboMirai-class botnets, Aisuru can increase the attack traffic generated per botnet node, and it packs multi-purpose functionality that lets operators use it for credential stuffing, AI-based web scraping, phishing, and spamming. It also includes a residential proxy service.
The botnet mainly consists of consumer-grade broadband access routers, CCTV cameras, DVR systems, and other devices running similar OEM firmware versions.
“The botnet retains the direct-path UDP, TCP, GRE, and DNS query-flooding capabilities of the original Mirai botnet, supplemented by carpet-bombing targeting, pseudo-randomization of UDP and TCP source/destination ports and TCP flag combinations, and organic HTTP application-layer DDoS capability,” Netscout notes.
Aisuru can launch both high-bandwidth (large packets, high bits per second) and high-throughput (small packets, high packets per second) attacks, and can disrupt services not only through inbound attacks but also through outbound attacks (bots inside a network flooding targets elsewhere) and crossbound attacks (bots flooding other customers of the same network).
Most of the attacks attributed to Aisuru and similar TurboMirai-class botnets have been single-vector, direct-path attacks without spoofed traffic: the malware does not run with the privileges needed to craft raw packets carrying forged source addresses, and the bots sit in broadband access networks that enforce source-address validation (SAV), which drops packets whose source address does not belong to the originating subscriber.
This, Netscout notes, allows the attack traffic to be traced back and correlated with subscriber records, so that defenders can identify, quarantine, and clean up the compromised devices.
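The traceback described above is straightforward to automate once flow telemetry is available. The following is an added example, not code from Netscout or from the article: it parses constructed NetFlow-style records, flags sources that show the carpet-bombing and port-randomization pattern described for the botnet, and, because SAV means the source address is the real subscriber address, maps each flagged source to a quarantine action. The provider prefixes, the record layout, the thresholds and all sample flows are assumptions made for the example.

```python
"""Triage of direct-path (non-spoofed) DDoS flows back to subscribers.

Added example, not Netscout's or the article's code. The flow records are
constructed here; the subscriber prefixes, field layout and thresholds are
assumptions chosen for the example.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed subscriber address space of a hypothetical broadband provider.
SUBSCRIBER_PREFIXES = [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/24")]

# Tunables (assumptions): distinct targets in one /24 that count as carpet
# bombing, and distinct ports that count as pseudo-randomized ports.
MIN_TARGETS_PER_PREFIX = 16
MIN_DISTINCT_PORTS = 16


def build_flows():
    """Construct sample lines: src dst proto sport dport tcp_flags packets."""
    lines = []
    flag_combos = ["S", "SA", "FPU", "A", "SR"]
    # Three bots inside subscriber space carpet-bombing 192.0.2.0/24 with
    # varying source/destination ports and TCP flag combinations.
    for bot in ("203.0.113.10", "203.0.113.77", "198.51.100.5"):
        for i in range(40):
            dst = f"192.0.2.{i + 1}"
            sport = 1024 + (i * 7919) % 60000      # 40 distinct source ports
            dport = 1 + (i * 104729) % 65535      # 40 distinct destination ports
            proto = "tcp" if i % 2 else "udp"
            flags = flag_combos[i % len(flag_combos)] if proto == "tcp" else "-"
            lines.append(f"{bot} {dst} {proto} {sport} {dport} {flags} 900")
    # A benign subscriber: a handful of HTTPS sessions to two hosts.
    for i in range(6):
        lines.append(f"203.0.113.20 192.0.2.{(i % 2) + 1} tcp {50000 + i} 443 SA 12")
    # A flooding source outside subscriber space: attack pattern, but not ours to clean.
    for i in range(40):
        lines.append(f"100.64.7.7 192.0.2.{i + 1} udp {2000 + i} {3000 + i} - 900")
    return lines


def parse_flows(lines):
    """Parse the whitespace-separated record format used by build_flows()."""
    flows = []
    for line in lines:
        src, dst, proto, sport, dport, flags, pkts = line.split()
        flows.append({"src": ip_address(src), "dst": ip_address(dst), "proto": proto,
                      "sport": int(sport), "dport": int(dport),
                      "flags": flags, "packets": int(pkts)})
    return flows


def is_subscriber(addr):
    """True if the source address belongs to our own subscriber pool."""
    return any(addr in p for p in SUBSCRIBER_PREFIXES)


def profile_sources(flows):
    """Per source: distinct targets per destination /24, ports and TCP flag sets."""
    prof = defaultdict(lambda: {"targets": defaultdict(set), "sports": set(),
                                "dports": set(), "flags": set(), "packets": 0})
    for f in flows:
        p = prof[f["src"]]
        prefix = ip_network(f"{f['dst']}/24", strict=False)
        p["targets"][prefix].add(f["dst"])
        p["sports"].add(f["sport"])
        p["dports"].add(f["dport"])
        if f["proto"] == "tcp":
            p["flags"].add(f["flags"])
        p["packets"] += f["packets"]
    return prof


def triage(flows):
    """Flag sources showing carpet bombing plus port randomization.

    Returns {source_ip: verdict}. Because SAV at the access edge prevents
    spoofing, a flagged address inside subscriber space is the real CPE and
    can be matched against subscriber records for quarantine.
    """
    results = {}
    for src, p in profile_sources(flows).items():
        prefix, targets = max(p["targets"].items(), key=lambda kv: len(kv[1]))
        carpet = len(targets) >= MIN_TARGETS_PER_PREFIX
        randomized = (len(p["sports"]) >= MIN_DISTINCT_PORTS
                      or len(p["dports"]) >= MIN_DISTINCT_PORTS)
        if not (carpet and randomized):
            continue
        results[str(src)] = {
            "target_prefix": str(prefix),
            "targets": len(targets),
            "distinct_sports": len(p["sports"]),
            "distinct_dports": len(p["dports"]),
            "flag_combos": sorted(p["flags"]),
            "packets": p["packets"],
            "action": ("quarantine subscriber CPE" if is_subscriber(src)
                       else "not in subscriber space: escalate to peer"),
        }
    return results


if __name__ == "__main__":
    for src, verdict in sorted(triage(parse_flows(build_flows())).items()):
        print(src, verdict)
```

The benign subscriber never trips the thresholds, the three in-pool bots are marked for CPE quarantine, and the out-of-pool flooder is reported for escalation rather than local clean-up. In a real deployment the record parser would be replaced by the exporter's actual NetFlow/IPFIX fields and the thresholds calibrated against baseline traffic.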
“Comprehensive defense requires instrumentation of all network edges with outbound/crossbound suppression equal in priority to inbound mitigation. Intelligent DDoS mitigation systems (IDMSs), network infrastructure best current practices (BCPs) such as infrastructure ACLs (iACLs), and proactive remediation of abusable CPE are essential,” Netscout notes.
Related: ShadowV2 DDoS Service Lets Customers Self-Manage Attacks
Related: Cloudflare Blocks Record-Breaking 11.5 Tbps DDoS Attack
Related: Arch Linux Project Responding to Week-Long DDoS Attack
Related: ‘MadeYouReset’ HTTP2 Vulnerability Enables Massive DDoS Attacks