Posted on July 20, 2022 at 3:30 AM
A recent report has revealed that a new botnet called Mantis was responsible for the DDoS attack that targeted Cloudflare customers last month. Although Cloudflare mitigated the attack, it was regarded as the largest HTTPS DDoS attack to date.
The DDoS attack broke the previous record held by the Meris botnet, peaking at 26 million requests per second and coming from 5,067 devices. By comparison, the Meris botnet attack peaked at 21.8 million requests per second.
Cloudflare has been tracking the Mantis botnet attacks against thousands of its customers. The DDoS mitigation company stated that its systems automatically discovered and mitigated the attack and prevented it from doing too much damage to the customers.
Cloudflare assured customers that its systems offer strong protection against HTTP DDoS attacks, including Mantis attacks. The company has also provided additional guidance for its customers to help them stay safe against Mantis and other DDoS attacks in the future.
Mantis Botnet Has Unique Features
Cloudflare explained that its analysts named the botnet Mantis after the mantis shrimp to illustrate its attack model. According to the security firm, the shrimp, although only roughly 10 cm long, can deliver devastating blows with its claws. Similarly, the botnet is powerful despite relying on very few devices.
Generally, botnets work by compromising a large number of connected devices to gain enough firepower for damaging attacks against protected targets.
However, Mantis relies on virtual machines and servers, which offer significantly more resources. It is resource-demanding to generate many HTTPS requests. As a result, the more powerful the devices that make up the swarm of the botnet, the more effective the DDoS attack can be.
In the case of Meris, it was able to achieve strong attacks by recruiting MikroTik devices, which feature powerful hardware.
Mantis Can Target Several Organizations
Mantis has a wide range of targets, which makes it very dangerous. It can target gaming sectors, finance, news, media, publications, and IT and Telecom. However, the botnet’s main area is the IT and Telecoms sector, with almost 40% of its victims in the sector. The DDoS attack has been launched over 3,000 times against almost a thousand Cloudflare customers over the past 30 days, according to the company.
The report also revealed that organizations in the US are the most targeted, with 20% of the attacks in the country. The attack is also targeting companies and institutions in the Russian Federation, with 15%.
Other targeted countries include the UK, Ukraine, Germany, Canada, Netherlands, Poland, Turkey, and France.
Cloudflare has also introduced a set of best preventive measures to enable admins to provide more protection to their systems and prepare for DDoS attacks. Cloudflare, while describing the capacity of the Mantis malware, stated that it was able to generate the 26 million HTTPS requests per second attack using only 5,000 bots.
Generating 26 million HTTP requests per second is already difficult without the additional overhead of setting up a secure connection. Mantis nonetheless achieved it over HTTPS, which makes it one of the most sophisticated botnets that have ever existed.
An Offshoot Of Meris Botnet, But With Devastating Impact
Cloudflare noted that HTTPS DDoS attacks are more expensive in terms of the computational resources needed to carry them out. Establishing a secure TLS-encrypted connection is costly, yet Mantis executes the attack easily with the resources at its disposal. This highlights the unique strength behind the botnet.
In contrast with “traditional” botnets that are built from Internet of Things (IoT) devices like smoke detectors, CCTV cameras, or DVRs, Mantis uses compromised virtual machines to carry out its attacks. This means each bot has far more computational resources than a traditional bot. The result is a total thumb-splitting strength that is unmatched.
Cloudflare revealed that Mantis represents the next generation of the Meris botnet, which depends on MikroTik devices. However, Mantis is now expanding its operational capacity to several VM platforms. It is also compatible with various HTTP proxies for launching attacks.
Mantis, despite its stronger capabilities, shares its origin with Meris. The two belong to the same family, but Mantis is an evolution that hits hard and fast. The Cloudflare team revealed that the Mantis botnet has been very active for the past few weeks. The firm advised customers to follow the prevention and remediation methods it has provided to stay safe from the devastating impact of the botnet’s DDoS attacks.