In early September 2023, Qrator Labs identified and successfully mitigated one of the year’s most consequential Layer 7 DDoS attacks, executed by what is currently recognized as the largest botnet in existence. This attack targeted a government organization and exploited 5.76 million compromised Internet of Things (IoT) devices, among other internet-connected systems.
The botnet emerged in late March 2023 with 1.33 million IP addresses involved in an assault on an online betting platform. By May, the scale had surged to 4.6 million, shifting its focus to governmental infrastructures. By September, the botnet’s growth was alarming, reaching nearly six million IPs—a staggering 333% increase within just six months.
Initially, the botnet targeted the online gambling sector, but its rapid expansion into government systems marked a troubling trend. The September DDoS attack was executed in two distinct phases, the first mobilizing 2.8 million devices, followed shortly by another wave that involved three million additional devices. Qrator Labs’ telemetry indicated that the primary sources of this malicious traffic were widely distributed across several regions, with significant contributions from Brazil, Argentina, the United States, India, and Vietnam.
Andrey Leskin, CTO of Qrator Labs, emphasized that the threat lies not only in the botnet’s sheer size but in its capability. Directed at inadequately defended targets, such a network can generate tens of millions of requests per second, overwhelming servers within moments. Even specialized DDoS protection services can struggle to cope when they face simultaneous attacks on multiple clients, underscoring the risk these incidents pose across entire service ecosystems.
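The detection problem Leskin describes is that millions of sources each sending a modest rate defeat per-IP limits, so the useful signal is aggregate. As an added example (not code from the original report or from Qrator Labs), the Python below groups constructed access-log lines into one-second windows and labels each window as a distributed flood, a single-source burst, or normal; the log lines, thresholds and function names are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample access-log lines (ISO timestamp, client IP, request line).
# These are made-up entries, not telemetry from the incident described above.
SAMPLE_LOG = """\
2023-09-05T10:00:00Z 203.0.113.7 GET /login
2023-09-05T10:00:00Z 203.0.113.8 GET /login
2023-09-05T10:00:00Z 198.51.100.9 GET /login
2023-09-05T10:00:00Z 198.51.100.10 GET /login
2023-09-05T10:00:00Z 192.0.2.11 GET /login
2023-09-05T10:00:01Z 203.0.113.7 GET /search
2023-09-05T10:00:01Z 203.0.113.7 GET /search
2023-09-05T10:00:01Z 203.0.113.7 GET /search
2023-09-05T10:00:01Z 203.0.113.7 GET /search
2023-09-05T10:00:01Z 203.0.113.7 GET /search
2023-09-05T10:00:02Z 198.51.100.9 GET /
"""

def parse_line(line):
    ts, ip, method, path = line.split(" ", 3)
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), ip, path

def window_stats(log_text):
    """Aggregate per 1-second window: total requests and distinct source IPs."""
    windows = defaultdict(lambda: {"requests": 0, "sources": set()})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, _ = parse_line(line)
        key = ts.replace(microsecond=0)
        windows[key]["requests"] += 1
        windows[key]["sources"].add(ip)
    return windows

def classify(log_text, rps_threshold=5, distinct_ratio=0.8):
    """Label each window: 'distributed' when the load comes from many distinct
    sources (per-IP rate limiting will not help), 'single-source' when a few
    IPs dominate (per-IP limiting applies), otherwise 'normal'.
    Thresholds are assumed values for this sample, not production settings."""
    labels = {}
    for key, stats in sorted(window_stats(log_text).items()):
        n, distinct = stats["requests"], len(stats["sources"])
        if n < rps_threshold:
            labels[key.isoformat()] = "normal"
        elif distinct / n >= distinct_ratio:
            labels[key.isoformat()] = "distributed"
        else:
            labels[key.isoformat()] = "single-source"
    return labels
```

In a real deployment the same two counters (requests per window, distinct sources per window) would be fed from streaming logs or flow records, and the thresholds tuned against the site's baseline.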
This situation is part of a larger pattern of escalating cyber threats, with other record-breaking attacks reported recently. Cloudflare noted a separate incident involving the largest volumetric DDoS attack on record, which peaked at 11.5 terabits per second. While this event was brief, lasting only 35 seconds, its magnitude signals a concerning trajectory in the capabilities of attackers utilizing internet traffic floods.
While the September attack drew on a historically high 5.76 million devices, the incident reported by Cloudflare provided a different perspective, focusing on the sheer bandwidth used in DDoS assaults. Each case illustrates a distinct dimension of the growing DDoS threat landscape: one emphasizes the scale of compromised devices, the other the extraordinary bandwidth attackers can bring to bear.
In this context, several MITRE ATT&CK adversary tactics may be relevant, including initial access through device compromise, persistence through maintaining control over the botnet, and exploitation of vulnerabilities to achieve privilege escalation. Understanding these techniques can provide better insight into how such extensive DDoS operations are orchestrated.
The evolving nature of this threat underscores the imperative for organizations, especially those in vulnerable sectors like government, to bolster their cybersecurity measures. Enhanced monitoring, robust DDoS mitigation strategies, and a comprehensive understanding of potential attack vectors are essential for an effective defense against similar future incidents.