Liberia attacked by Mirai botnet

The country of Liberia has been attacked by the Mirai botnet, with security experts predicting that it is being used for experimenting with different attack methods.

Monrovia, Liberia's capital city
Monrovia, Liberia's capital city

Security experts have been helping the nation of Liberia to regain its internet access after it's single internet pipe was flooded with a DDoS attack by the Mirai botnet. It appears that the attackers are testing denial of service techniques.

It is believed the same person(s) who carried out this attack, also orchestrated the attack on DNS provider Dyn. The attack reached a staggering 1.1Tbps, more than double the attack a few weeks prior on security reporter Brian Krebs' website, which was about 620Gbps in size. Both attacks broke the record books and were successively crowned ‘the biggest DDoS attack to have ever happened'.   

A few weeks after the two attacks, the person who had written the malware which runs the Mirai botnet released it and made it open-source. This means that anyone anyone can use it now and spin their own botnet.

One of the many already out there, a new one had risen and named Botnet 14,  and swiftly began targeting the small African country of Liberia, which completely took it offline each time it was live. One transit provider said the attacks were over 500Gbps in size.

Commenting on this, Stephen Gates, chief research intelligence analyst at NSFOCUS, said "Researchers and analysts (like myself) have been warning organisations all over the world that this day would come, and now it's here. Since the attacks on Spamhaus in early 2013 that exceeded 300Gbps, taking a country offline in a DDoS attack became more of a reality. Doing the math, a 1Tbps DDoS attack can fill 100 – 10Gbps pipes. Many smaller countries don't have that much bandwidth serving their entire country.

Security architect Kevin Beaumont blogged, “Over the past week we've seen continued short duration attacks on infrastructure in the nation of Liberia. Liberia has one internet cable, installed in 2011, which provides a single point of failure for internet access.”

He added: “From monitoring we can see websites hosted in country going offline during the attacks — additionally, a source in country at a Telco has confirmed to a journalist they are seeing intermittent internet connectivity, at times which directly match the attack.”

Concluding, Beaumont said: “The attacks are extremely worrying because they suggest a Mirai operator who has enough capacity to seriously impact systems in a nation state.”

According to Beaumont, as of 1pm today UK time, the botnet continues to intermittently attack Liberia telecom providers who co-own the submarine cable.

Slawek Ligier, VP product development at Barracuda Networks said: "The proliferation of low cost internet-connected devices – thermostats, cameras, light bulbs, fridges and many more – makes our internet infrastructure significantly less secure. When a manufacturer develops their Wi-Fi enabled tennis racket or golf club, incremental cost is of the utmost importance. Security is secondary. The interest of device makers is in generating sales and profits while protecting themselves and their direct customers. They have much less interest in protecting the internet infrastructure on the whole. If they are concerned with security at all, the concern stops looking at what data is generated by the device and whether it needs to be protected – not how the device could be used to harm the vast ocean of the internet.”

Sign up to our newsletters