Security Experts:

Connect with us

Hi, what are you looking for?


Network Security

Mirai Used STOMP Floods in Recent DDoS Attacks

The Mirai Internet of Things (IoT) botnet has been using STOMP (Simple Text Oriented Messaging Protocol) floods to hit targets, a protocol that isn’t normally associated with distributed denial of service (DDoS) attacks.

The Mirai Internet of Things (IoT) botnet has been using STOMP (Simple Text Oriented Messaging Protocol) floods to hit targets, a protocol that isn’t normally associated with distributed denial of service (DDoS) attacks.

Mirai has been responsible for taking major websites offline for many users by targeting the Dyn DNS service, in addition to hosting firm OVH in attacks that surpassed 1Tbps (terabit per second). Mirai was also in an attack against Brian Krebs’ blog in a 665Gbps+ (gigabit per second) assault. The botnet uses various attack vectors to power these massive attacks, including STOMP floods.

Mirai’s source code was released online in early October, and researchers soon observed an uptick in its use for DDoS attacks. With over half a million IoT devices worldwide susceptible to Mirai infection because of their weak security credentials, it does not come as a surprise that the botnet has already expanded in over 164 countries around the world.

One of the contributors to Mirai’s success in the DDoS landscape is the use of floods of junk STOMP packets, which allow it to ultimately bring down targeted websites. 

Imperva security researchers decided to take a deeper dive into the use of STOMP.

Designed as a simple application layer, text-based protocol, STOMP is an alternative to other open messaging protocols, including AMQP (Advanced Message Queuing Protocol). It allows applications to communicate with programs designed in different programming languages and works over TCP, the same as HTTP.

“A typical STOMP request is a ‘frame’ consisting of a number of lines. The first line contains a command, followed by headers in the form <key>: <value> (one per line). This is followed by body content ending in a null character. Servers use a similar format of headers and body content to respond to the client through a MESSAGE, RECEIPT or ERROR frame,” the researchers say.

Mirai, Imperva researchers explain, uses a TCP STOMP flood, which is a variation of the more familiar ACK flood attack. The process goes as follows: the botnet device opens an authenticated TCP handshake with a targeted application using STOMP; after authentication, junk data disguised as a STOMP TCP request is sent to the target; the flood of fake STOMP requests leads to network saturation.

What’s more, should the target be programmed to parse STOMP requests, the attack will also result in an exhaustion of server resources. “Even if the system drops the junk packets, resources are still used to determine if the message is corrupted,” Imperva explains.

The researchers say that the recent attacks shared similarities with the TCP POST flood used in massive 8.7Gbps layer 7 attack observed in April. Because network layer attacks are filtered off-premise, while application layer ones are mitigated on-premise, a bottleneck is created and application layer instances can exploit it to deplete network resources.

Mirai’s source code reveals that each STOMP attack request is set by default at 768 bytes. However, with over 100,000 devices abused by the botnet, it’s clear that the attack will reach a high rate and easily saturate an enterprise grade network that has a 5–10Gbps burst uplink. Smaller networks can be taken down with fewer bots, especially since the default request size can also be increased.

To successfully mitigate a TCP STOMP attack, a solution capable of identifying malicious requests and filtering them out before they’re able to travel through the network is required, the security researchers say. While identifying requests is simple, mainly because STOMP requests aren’t usually received in most applications, the issue is where such requests are dropped.

Hardware solutions that terminate TCP on-premises still allow malicious STOMP requests to travel through the network pipe, which could even make it unavailable. Cloud-based services, however, terminate TCP connections on edge, meaning that attacks are blocked before reaching the network and the risk of saturating it is eliminated.

“Currently, STOMP assaults are rare. But as the use of Mirai malware becomes increasingly more common, it’s likely we’ll see more of them in the near future. Their existence highlights the importance of off-prem filtering,” Imperva concludes.

Related: Disgruntled Gamer ‘Likely’ Behind October US Hacking: Expert

Related: What’s the Fix for IoT DDoS Attacks?

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

Network Security

NSA publishes guidance to help system administrators identify and mitigate cyber risks associated with transitioning to IPv6.


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Network Security

Attack surface management is nothing short of a complete methodology for providing effective cybersecurity. It doesn’t seek to protect everything, but concentrates on areas...

Cybersecurity Funding

Network security provider Corsa Security last week announced that it has raised $10 million from Roadmap Capital. To date, the company has raised $50...

Network Security

Our networks have become atomized which, for starters, means they’re highly dispersed. Not just in terms of the infrastructure – legacy, on-premises, hybrid, multi-cloud,...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...