Posted on November 7, 2021 at 3:28 PM
Cloudflare Reports Several “Record-Setting HTTP attacks” on VOIP services
Cloudflare researchers say the DDoS attack on VOIP is a record-setting one, after recording several devastating attacks for the third quarter. The researchers noted that they recorded one of the largest botnet attacks ever recorded, plus strong network-layer attacks and “record-setting HTTP DDoS attacks.”
Cloudflare stated that the number of attacks shows the influx of DDoS attacks on voice over IP (VOIP) service providers. For example, the recent attack on Bandwidth.com led to several outages, which left companies scrambling to deal with the aftermath of the attack.
The Cloudflare researchers stated that they were able to prevent “one of the largest attacks ever recorded in HTTP attacks.”
Most of the attacks do not take more than 1 hour, which reiterates the need for automatic DDoS mitigation solutions. Specifically, 94.4% of all the DDoS attacks lasted under one hour, with only 0.4% of the attacks accounting for attacks under 6 hours.
Firms In The US Topped The List For Most Attacks
The report showed that companies and organizations in the US topped the list for the highest number of attacks for the second quarter. Companies in Canada and the UK were also among the most targeted, according to the report.
Some of the major industries impacted include IT, gambling, gaming, and software, with an average increase in the attack of 573% in the second quarter compared to the first quarter.
Generally, the number of DDoS attacks in the world rose to 44%, based on the research by Cloudflare. Africa and the Middle East topped the chart for the third quarter, with an average attack of 80%.
The report also revealed that Morocco recorded the highest number of DDoS attacks in Q3 2021, with a third of every packet being part of an attack.
Most DDoS Attacks Come From Servers In China, The US, And India
Although RST and SYN attacks were more common, the researchers discovered that there has been an increase in DTLS amplification attacks. Threat actors deployed massive DDoS attacks on VoIP service providers as they attempt to take SIP infrastructure down.
Data from Cloudflare indicated that most DDoS attacks come from servers and devices in India, the US, and China, although attacks in China dropped by 30% in the quarter.
Cloudflare also reported on the Meris botnet, which is powered by Internet of Things (IoT) devices, including home gadgets, PCs, and routers. These devices are hijacked and used as slave nodes in a botnet’s network.
According to Cloudflare, Meris has been discovered as one of the most dangerous botnets deployed to launch some of the biggest HTTP DDoS attacks in history. The researchers also stated that the third quarter saw one of the most notable HTTP attacks (17.2M rps), which targeted a customer in the financial services industry.
Additionally, Meris has been deployed to target organizations and networks around the world, including news sites such as KrebsOnSecurity.
Attackers Used Both Meris And Mirai Botnets
Meris was discovered infecting equipment and routers manufactured by the Latvia-based firm MikroTik. The company’s blog noted that a bug in the MikroTik RouterOS was exploited to deliver coordinated DDoS attacks by threat actors. Some of the vulnerabilities were patched in 2018, but it seems the threat actors launched their attacks on the bugs that remained unpatched, according to Cloudflare.
The researchers also compared the botnet with the Mirai botnet discovered in 2016. However, there are slight differences in their operational capacity and targets. Mirai targets infected IoT devices using low computational power like smart cameras. However, Meris uses data processing capabilities and higher processing power to exploit vulnerable devices. This makes them more dangerous and effective when causing harm on a much larger scale.
Although Meris has more capabilities than its Mirai counterpart, the researchers have not seen any significant damage it has caused on systems of devices. Also, there hasn’t been any major recorded damage or outage it has caused, according to Cloudflare.
On the other hand, the Mirai-variant botnet has been discovered in several attacks. The firm stated that its customers on the Spectrum and Magic Transit services were targeted using the Mirai botnet. According to the report, the threat actors used network-layer attacks with over a dozen TCP and UDP-based attacks, peaking several times above 1 Tbps.
The report revealed that the number of attacks peaked in September, but started decreasing from August both in traffic delivered and volume as well as the number of packets delivered.