{
	"id": "59e956a3-81e1-404a-933e-63de4d39a4a6",
	"created_at": "2026-04-10T03:20:46.648286Z",
	"updated_at": "2026-04-10T03:22:18.363066Z",
	"deleted_at": null,
	"sha1_hash": "155d59789eabb2fd57492eb672be635015c0f155",
	"title": "New Mirai Variant Launches 54 Hour DDoS Attack against US College",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 50501,
	"plain_text": "New Mirai Variant Launches 54 Hour DDoS Attack against US College\r\nBy Dima Bekerman\r\nPublished: 2017-03-29 · Archived: 2026-04-10 02:40:43 UTC\r\nUpdate (3/30/2017):\r\nFollowing a media inquiry, we drilled down into our data and discovered that 56 percent of all IPs used in the attack belonged to DVRs manufactured by the same vendor. We have contacted the vendor with an offer to share our information and assist with resolving the issue.\r\nSince the Mirai malware was discovered last August, we’ve seen it used in a number of high-profile DDoS attacks, including the September assault on cybersecurity expert Brian Krebs and October’s takedown of Dyn DNS services.\r\nGiven the success of those attacks, along with the public availability of the Mirai source code, it was clearly only a matter of time before botnet herders began experimenting with new versions of the malware.\r\nLast December, we wrote about a variant that exploited a TR-069 network router protocol vulnerability to infect TalkTalk Telecom home routers. And earlier this year we saw the emergence of a repurposed Windows botnet capable of spreading Mirai bots to Linux systems.\r\nOne thing the above variants have in common is that they’ve mostly been used to launch network layer DDoS attacks. A few weeks ago, however, what could be another version of Mirai, this one more adept at launching application layer assaults, popped up on our radar.\r\nAttack Description\r\nThe attack, which started on February 28 and ran for 54 hours straight, targeted one of our customers, a US college.\r\nThe average traffic flow came in at over 30,000 RPS and peaked at around 37,000 RPS, the most we’ve seen out of any Mirai botnet. In total, the attack generated over 2.8 billion requests.\r\n[Image: Mirai_variant_request]\r\nBased on a number of signature factors, including header order, header values and traffic sources, our client classification system immediately identified that the attack emerged from a Mirai-powered botnet.\r\nOur research showed that the pool of attacking devices included those commonly used by Mirai, including CCTV cameras, DVRs and routers. While we don’t know for sure, open telnet (23) ports and TR-069 (7547) ports on these devices might indicate that they were exploited by known vulnerabilities.\r\nWe also noticed that the DDoS bots used in the attack were hiding behind different user-agents than the five hardcoded in the default Mirai version. This, and the size of the attack itself, led us to believe that we might be dealing with a new variant, which was modified to launch more elaborate application layer attacks.\r\nOverall, in the course of the attack, we spotted the following 30 user-agent variants:\r\nMozilla/5.0 (Windows NT 6.0; rv:13.0) Gecko/20100101 Firefox/13.0.1\r\nMozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322)\r\nMozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:13.0) Gecko/20100101 Firefox/13.0.1\r\nMozilla/5.0 (Windows NT 6.1; rv:12.0) Gecko/20100101 Firefox/12.0\r\nMozilla/5.0 (Windows NT 5.1) AppleWebKit/536.11 (KHTML, like Gecko) Chrome/20.0.1132.47 Safari/536.11\r\nMozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\nMozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084\r\nMozilla/5.0 (Macintosh; Intel Mac OS X 10_7_4) AppleWebKit/534.57.2 (KHTML, like Gecko) Version/5.1.7\r\nMozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)\r\nMozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/534.57.2 (KHTML, like Gecko) Version/5.1.7\r\nMozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/\r\nMozilla/5.0 (Windows NT 6.1) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5\r\nMozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)\r\nMozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.11 (KHTML, like Gecko) Chrome/20.0.1132.57 Safari\r\nMozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:13.0) Gecko/20100101 Firefox/13.0.1\r\nMozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.02\r\nMozilla/5.0 (Windows NT 6.1) AppleWebKit/536.11 (KHTML, like Gecko) Chrome/20.0.1132.47 Safari/536.11\r\nMozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506\r\nMozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\nMozilla/5.0 (Linux; U; Android 2.2; fr-fr; Desire_A8181 Build/FRF91) App3leWebKit/53.1 (KHTML, like G\r\nMozilla/5.0 (Macintosh; Intel Mac OS X 10_7_4) AppleWebKit/534.57.5 (KHTML, like Gecko) Version/5.1.7\r\nMozilla/5.0 (Windows NT 6.1; WOW64; rv:13.0) Gecko/20100101 Firefox/13.0.1\r\nMozilla/5.0 (iPhone; CPU iPhone OS 5_1_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Versio\r\nMozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6\r\nMozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/\r\nMozilla/5.0 (Windows NT 6.1; WOW64; rv:12.0) Gecko/20100101 Firefox/12.0\r\nMozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; MRA 5.8 (build 4157); .NET CLR 2.0.50727; Ask\r\nWe also saw attack traffic originating from 9,793 IPs worldwide:\r\n[Image: mirai_variant_map]\r\nOut of these, over 70 percent are located in the following ten countries:\r\nCountry: % of botnet IPs\r\nUnited States: 18.4%\r\nIsrael: 11.3%\r\nTaiwan: 10.8%\r\nIndia: 8.7%\r\nTurkey: 6%\r\nRussia: 3.8%\r\nItaly: 3.2%\r\nMexico: 3.2%\r\nColombia: 3.0%\r\nBulgaria: 2.2%\r\nLess than a day after the initial assault ended, another one began that lasted for an hour and a half with an average traffic flow of 15,000 RPS.\r\nBased on our experience, we expect to see several more bursts before the offender(s) finally give up on their efforts.\r\nAfterthoughts\r\nEver since the Mirai source code was made public last year, we’ve seen offenders continue to evolve the malware’s capabilities to expand its range and launch more elaborate and impactful assaults.\r\nLooking at the bigger picture, this variant of Mirai might be a symptom of the increased application layer DDoS attack activity we saw in the second half of 2016.\r\nThat said, with over 90 percent of all application layer assaults lasting under six hours, an attack of this duration stands in a league of its own.\r\nSource: https://www.incapsula.com/blog/new-mirai-variant-ddos-us-college.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.incapsula.com/blog/new-mirai-variant-ddos-us-college.html"
	],
	"report_names": [
		"new-mirai-variant-ddos-us-college.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775791246,
	"ts_updated_at": 1775791338,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/155d59789eabb2fd57492eb672be635015c0f155.pdf",
		"text": "https://archive.orkl.eu/155d59789eabb2fd57492eb672be635015c0f155.txt",
		"img": "https://archive.orkl.eu/155d59789eabb2fd57492eb672be635015c0f155.jpg"
	}
}