Massive Attack from New “Leet Botnet” Reaches 650 Gbps

New Leet Botnet Shows IoT Device Security Regulation May Become Necessary


Just before Christmas, Imperva found its network under a massive DDoS assault that reached 650 Gbps (gigabits per second), making it one of the largest known DDoS attacks on record.

Powered by what Imperva is calling the Leet Botnet, the attack occurred on the morning of Dec. 21, and was delivered against several anycasted IPs on the Imperva Incapsula network. 

While precise device attribution is not yet possible, it seems likely that, like Mirai, it uses thousands of compromised IoT devices. 

“Due to IP spoofing, it’s hard to accurately identify the devices used in this attack,” Avishay Zawoznik, security research specialist for the Incapsula product line at Imperva, told SecurityWeek. “We did, however, find some reliable clues in the payload’s content. Here, manual analyses of individual payloads pointed to some type of Linux device. For instance, some were ‘stuffed’ with the details of the proc filesystem (/proc) folder, which is specific to Unix-like systems.”

In an analysis of the attack, Imperva assumes that the attacker could not locate the specific target hidden behind Imperva proxies — and chose instead to attack the cloud-based service itself.

The attack came in two waves. The first lasted 20 minutes and peaked at 400 Gbps. This failed in its purpose. “The offender regrouped and came back for a second round,” reports Imperva. “This time enough botnet ‘muscle’ to generate a 650 Gbps DDoS flood of more than 150 million packets per second (Mpps).”

The second wave lasted around 17 minutes, and also failed. “Out of options, the offender wised up and ceased his assault.”


Hidden behind spoofed IP addresses, it was impossible to locate the geographical location of the attacking devices; but Imperva was able to analyze the content of the packets being used. Although similar in size to the Mirai attack on KrebsOnSecurity in October, it was immediately clear that this was different. (There have been some suggestions that the Mirai attack against DNS service provider Dyn could have exceeded 1 Tbps.)

Leet’s name comes from a ‘signature’ within the packets. “In the TCP Options header of these packets, the values were arranged so they would spell ‘1337’. To the uninitiated, this is leetspeak for ‘leet’, or ‘elite’,” notes Imperva.

Two separate payloads were used: regular SYN packets (44 to 60 bytes), and abnormally large SYN packets (799 to 936 bytes). The content of the large packets was taken from the compromised devices and scrambled. The result is an inexhaustible supply of obfuscated and randomized payloads that can bypass any signature-based defenses that mitigate attacks by identifying similarities in packet content.
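As an added illustration (not code from Imperva or SecurityWeek), the sketch below classifies SYN packets by TCP flags and length alone, so scrambled payload content does not affect the result. It assumes the article's byte counts are IP total lengths; the sample packets and addresses are constructed, and the label names are this example's own.

```python
import struct
from collections import Counter

SYN, ACK = 0x02, 0x10
MSS_OPT = b"\x02\x04\x05\xb4"        # constructed TCP option: MSS 1460
LARGE_BAND = range(799, 937)         # large-SYN sizes quoted in the article

def build_packet(payload_len, opts=MSS_OPT, flags=SYN):
    """Build a constructed IPv4/TCP test packet (checksums left at zero)."""
    tcp_hdr = 20 + len(opts)         # opts must be a multiple of 4 bytes
    total = 20 + tcp_hdr + payload_len
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, 6, 0,
                     bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0,
                      (tcp_hdr // 4) << 4, flags, 65535, 0, 0)
    return ip + tcp + opts + bytes(payload_len)

def classify(pkt):
    """Label a raw IPv4 packet from its headers only, never its payload bytes."""
    if len(pkt) < 40 or pkt[0] >> 4 != 4 or pkt[9] != 6:
        return "other"               # too short, not IPv4, or not TCP
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl + 20:
        return "other"
    total = struct.unpack("!H", pkt[2:4])[0]
    if (pkt[ihl + 13] & (SYN | ACK)) != SYN:
        return "other"               # not an initial SYN
    payload = total - ihl - (pkt[ihl + 12] >> 4) * 4
    if payload <= 0:
        return "syn"                 # ordinary handshake opener, no data
    # A SYN with data can be legitimate TCP Fast Open, so treat as a signal.
    return "syn-large" if total in LARGE_BAND else "syn-with-data"

def summarize(packets):
    """Return per-label counts and the share of SYNs that carry data."""
    counts = Counter(classify(p) for p in packets)
    with_data = counts["syn-large"] + counts["syn-with-data"]
    syns = counts["syn"] + with_data
    return counts, (with_data / syns if syns else 0.0)

# Constructed sample: two ordinary SYNs, one large SYN, one small
# SYN with data, and one SYN-ACK that must be ignored.
SAMPLE = [build_packet(0), build_packet(0, MSS_OPT + b"\x01" * 16),
          build_packet(800), build_packet(100),
          build_packet(0, flags=SYN | ACK)]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

A sustained rise in the data-carrying share of inbound SYNs is a structural signal that holds even when every payload is different.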

Imperva suggests that the new Leet botnet, rivalling Mirai in capacity, is merely a sign of things to come. With an ever-increasing supply of insecure IoT devices, “like we said, it’s about to get a lot worse.”

There is no immediate solution beyond preparation as far as possible. “Organisations should be prepared to mitigate DDoS attacks and be prepared to get back up and running once the attack is over,” suggests F-Secure security advisor Sean Sullivan. “DDoS attacks cannot be prevented; being prepared to reduce downtime in the aftermath lessens the threat of DDoS. Extortionists will move on to weaker targets that are less prepared.”

In the longer term, the solution to IoT-based botnets will probably have to be regulation. Governments are reluctant to regulate the internet for fear of inhibiting innovation; but there comes a point when it is the only solution. The security industry has been warning about IoT insecurity for years, but manufacturers have still rushed out new and insecure product to gain early market share.

Regulation already exists in other industries — health and engineering, for example. Making IoT manufacturers more clearly legally liable for the effect of insecurity may be a step too difficult. Required security certification might help, but would probably not be enough. But a few seriously heavy fines from a regulator against the worst offenders would make developers take more care over their security.

In the short term, warns Sullivan, “There’s little hope that networking and IoT equipment will become more secure, although ISPs could empower their security teams to run cleaner networks.”

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
