New Leet Botnet Used in 650Gbps DDoS Attack

A new botnet has been discovered to almost rival Mirai. The Leet botnet is capable of performing DDoS attacks of at least 650 Gbps

2016 has seen an increase in DDoS attacks on organizations, not only in terms of frequency but also scale. The Mirai botnet was used to conduct massive DDoS attacks on a number of websites and online platforms towards the end of the year.

KrebsOnSecurity was attacked, with the DDoS assault registering 620 Gbps, and French hosting company OVH registered a 990Tbps attack – The largest ever DDoS attack reported. That was until the massive attack on DNS provider Dyn. That attack was reportedly 1.2 Tbps.

The Mirai botnet – a botnet consisting of thousands and thousands of compromised IoT devices – was used for all of the above DDoS attacks, yet was not even operating at full capacity. The attackers allegedly claim they have the capability to conduct attacks of more than 1.5 Tbps.

However, Mirai is not the only botnet in operation capable of being used for massive DDoS attacks. Over Christmas an attack of 650 Gbps was mitigated by the Imperva Incapsula network. However, this major DDoS attack was not performed with Mirai. There is now a rival to Mirai – The Leet botnet.

Imperva reports that the attack was not focused on one particular customer, but instead was performed on “several anycasted IPs.“ Since no single target was identified, Imperva researchers suggest that the attack was meant to be targeted, but that the attacker or attackers were unable to isolate the IP address used by the intended target as it was effectively masked by Imperva Incapsula’s proxies. Imperva believes the attacker then switched focus and attacked the company that was protecting the intended target.

The initial attack was considerable, although by the new standards set by Mirai it was relatively small: Just 400 Mbps. That initial attack lasted for 20 minutes. A second attack was performed with a DDoS flood of 650 Gbps which lasted for 17 minutes and involved a flood of more than 150 million packets per second (Mpps).

Imperva reports that the attacker used spoofed IP addresses for the attack and consequently it was not possible to locate the source of the attack. The attack involved two different SYN payloads: Regularly sized SYN packets of 44-60 bytes and abnormally large SYN packets in the range 799 to 936 bytes. The attacker also included a signature in the attack. The attacker included values in the TCP Options header of some of the regular sized SYN packets, which were arranged as 1337 – leetspeak for “Leet”.

Imperva notes that Mirai does not involve large SYN packets, that it uses hard-coded TCP options, and that Mirai generates its payloads from ransom strings rather than the contents of systems files on compromised devices. This confirmed that the Leet botnet is distinct from Mirai.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of