A surge in Distributed Denial-of-Service (DDoS) attacks involving a new Mirai variant known as GorillaBot was observed last month. This variant launched 300,000 attacks, impacting approximately 20,000 organizations globally, with nearly 4,000 organizations in the US being affected.
In 41% of these attacks, the threat actors aimed to overwhelm the target networks with a flood of User Datagram Protocol (UDP) packets. Additionally, a significant number of attacks were TCP ACK Bypass flood attacks, targeting a single port with spoofed TCP Acknowledgement (ACK) packets.
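As an added, defender-side illustration that is not part of the article or of NSFocus's report, the Python sketch below flags the two vectors described above, a UDP packet flood and a spoofed ACK flood aimed at a single port, over a constructed one-second packet summary; the per-window thresholds, the orphan-ACK heuristic (ACK-only packets from sources that never sent a SYN) and the distinct-source ratio are assumptions, not values from the page.

```python
from collections import defaultdict
from typing import NamedTuple

class Pkt(NamedTuple):
    ts: float    # arrival time in seconds
    src: str     # source IP as seen on the wire (spoofed in a flood)
    dport: int   # destination port on the victim
    proto: str   # "udp" or "tcp"
    flags: str   # TCP flag letters such as "S", "A", "PA"; "" for UDP

def flood_indicators(pkts, window=1.0, udp_pps=1000, ack_pps=1000, spoof_ratio=0.9):
    """Return (window_start, dport, kind, packets, distinct_sources) tuples.
    kind is "udp_flood" or "ack_flood". An ACK-only packet is orphaned when its
    source sent no SYN in the same window, which is how a spoofed ACK flood looks
    to a stateful observer; a near 1:1 distinct-source to packet ratio is the
    spoofing hint. Thresholds are illustrative assumptions, not tuned values.
    """
    buckets = defaultdict(list)
    for p in pkts:
        buckets[int(p.ts // window)].append(p)
    findings = []
    for w, group in sorted(buckets.items()):
        syn_sources = {p.src for p in group if p.proto == "tcp" and "S" in p.flags}
        udp, ack = defaultdict(list), defaultdict(list)
        for p in group:
            if p.proto == "udp":
                udp[p.dport].append(p.src)
            elif p.proto == "tcp" and p.flags == "A" and p.src not in syn_sources:
                ack[p.dport].append(p.src)
        for kind, table, limit in (("udp_flood", udp, udp_pps), ("ack_flood", ack, ack_pps)):
            for dport, srcs in table.items():
                n, distinct = len(srcs), len(set(srcs))
                if n / window >= limit and distinct / n >= spoof_ratio:
                    findings.append((w * window, dport, kind, n, distinct))
    return findings

def sample_traffic():
    """Constructed one-second capture: five real sessions plus two floods."""
    pkts = []
    for i in range(5):  # benign clients: handshake, then data, to port 443
        c = f"10.0.0.{i + 1}"
        pkts += [Pkt(0.1, c, 443, "tcp", "S"), Pkt(0.2, c, 443, "tcp", "A"),
                 Pkt(0.3, c, 443, "tcp", "PA")]
    for i in range(1500):  # UDP flood on port 53, a new spoofed source per packet
        pkts.append(Pkt(0.5, f"198.51.{i // 256}.{i % 256}", 53, "udp", ""))
    for i in range(1200):  # ACK-only flood on port 443 from spoofed sources
        pkts.append(Pkt(0.6, f"100.64.{i // 256}.{i % 256}", 443, "tcp", "A"))
    return pkts
```

The benign sessions are not reported because their ACKs follow a SYN from the same source and their volume is far below the threshold; on a real sensor the thresholds must be set from a baseline of the protected service's normal traffic.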
GorillaBot, the Latest Mirai Variant
Researchers at NSFocus identified GorillaBot as a modified Mirai variant that supports various architectures. They observed the threat actor behind GorillaBot launching a massive wave of attacks between Sept. 4 and Sept. 27. The researchers noted that the code reuses Mirai source code but includes a signature message unique to GorillaBot.
NSFocus witnessed the botnet controller using five built-in command-and-control servers in GorillaBot to issue attack commands continuously. The attacks targeted organizations in 113 countries, with China, the US, Canada, and Germany being the most impacted.
Despite being based on Mirai code, GorillaBot introduces 19 DDoS attack methods. These methods include various flood attacks and can pose significant challenges to targeted organizations, as each attack vector may require a different mitigation strategy.
The rise of bad bots like GorillaBot has led to an increase in malicious online traffic. Imperva’s research indicates that such bots now constitute a substantial portion of all Internet traffic, with DDoS attacks being a prevalent use case for bad bots in certain industries.