ZDNet | Security

This tiny botnet is launching the most powerful DDoS attacks yet


Image: Getty Images/Jetta Productions Inc

Content distribution network (CDN) firm Cloudflare says the botnet behind the biggest distributed denial of service (DDoS) attacks it has recorded has targeted nearly 1,000 of its customers in the past few weeks. 

The botnet – which Cloudflare calls Mantis, after the small, razor-legged mantis shrimp – generated a short but record-breaking DDoS attack in June that peaked at 26 million HTTPS requests per second (rps).

The Mantis botnet has hijacked virtual machines and servers hosted by cloud companies rather than relying on low-bandwidth Internet of Things (IoT) devices.


Cloudflare argues Mantis is the next evolution of the Meris botnet, which relied on IoT devices such as compromised MikroTik routers to attack popular websites. Thousands of MikroTik routers were hacked in 2018 and used in DDoS attacks through to 2021.

“Similarly, the Mantis botnet operates a small fleet of approximately 5,000 bots, but with them can generate a massive force – responsible for the largest HTTP DDoS attacks we have ever observed,” Cloudflare said.

HTTPS DDoS attacks are more computationally expensive for both attacker and victim because each request requires establishing an encrypted Transport Layer Security (TLS) connection over the internet, according to Cloudflare.
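The article's point is that a few thousand well-provisioned bots can each push thousands of requests per second, so the first thing a site operator sees in their own access logs is a small set of sources with abnormally high per-second request rates. The following is an added example, written for this page and not code from Cloudflare or ZDNet: it parses constructed access-log lines in Common Log Format, computes the peak requests-per-second for each client address and for the site as a whole, and flags sources that exceed an assumed threshold. The log lines, addresses and the threshold are all made up for illustration; real thresholds depend on the site's normal traffic.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Common Log Format: client ident user [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)


def _make_lines(ip, second, n):
    """Build n constructed log lines from one address within one second."""
    return [
        f'{ip} - - [10/Jul/2022:12:00:{second:02d} +0000] "GET / HTTP/2" 200 512'
        for _ in range(n)
    ]


# Constructed sample traffic (not real data): one address sends a burst,
# one browses normally, one is moderately busy.
SAMPLE_LOG = (
    _make_lines("203.0.113.10", 0, 6) + _make_lines("203.0.113.10", 1, 5)
    + _make_lines("198.51.100.7", 0, 1) + _make_lines("198.51.100.7", 1, 1)
    + _make_lines("192.0.2.55", 1, 4)
)


def parse_line(line):
    """Return (client_ip, timestamp truncated to the second) or None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts.replace(microsecond=0)


def request_buckets(lines):
    """Count requests per (client_ip, second); malformed lines are skipped."""
    counts = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed is not None:
            counts[parsed] += 1
    return counts


def peak_rps_per_source(lines):
    """Highest requests-per-second observed from each client address."""
    peaks = defaultdict(int)
    for (ip, _second), n in request_buckets(lines).items():
        peaks[ip] = max(peaks[ip], n)
    return dict(peaks)


def aggregate_peak_rps(lines):
    """Highest total requests-per-second across all clients (the site's view)."""
    per_second = Counter()
    for (_ip, second), n in request_buckets(lines).items():
        per_second[second] += n
    return max(per_second.values(), default=0)


def flag_sources(lines, threshold_rps):
    """Addresses whose peak rate reaches the (assumed) per-source threshold."""
    return sorted(
        ip for ip, peak in peak_rps_per_source(lines).items() if peak >= threshold_rps
    )


if __name__ == "__main__":
    print("per-source peak rps:", peak_rps_per_source(SAMPLE_LOG))
    print("site peak rps:", aggregate_peak_rps(SAMPLE_LOG))
    print("flagged at >=5 rps:", flag_sources(SAMPLE_LOG, 5))
```

On the constructed sample, only `203.0.113.10` crosses the 5 rps threshold, while the site-wide peak (10 rps) is higher than any single source because legitimate traffic is mixed in. At the scale the article describes, per-source rate limiting in the origin's logs is only a last line of defence; the expensive part of an HTTPS flood is the TLS handshake, which is why mitigation is normally pushed to a CDN or edge layer that terminates TLS before the origin ever sees the request.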

“Mantis has branched out to include a variety of VM platforms and supports running various HTTP proxies to launch attacks,” Cloudflare notes.

“The name Mantis was chosen to be similar to ‘Meris’ to reflect its origin, and also because this evolution hits hard and fast. Over the past few weeks, Mantis has been especially active directing its strengths towards almost 1,000 Cloudflare customers.”

In the past month, Mantis has launched over 3,000 HTTP DDoS attacks against Cloudflare customers, with 36% of the attacks targeting customers in the internet and telco sector. Other common targets were news organizations and games publishers, but it also targeted websites of organizations in finance, e-commerce and gambling. 

Over 20% of the attacks targeted US organizations and over 15% targeted Russia-based organizations. Other nations targeted, each accounting for less than 5% of attacks, include Turkey, France, Poland, Ukraine, the UK, Germany, the Netherlands, Canada, Vietnam, Cyprus, China, Hong Kong, Brazil, Sweden, Latvia, India and the Philippines.
