Mirai IoT Botnet Behind Record-Breaking DDoS Attack
Cloudflare, which mitigated the attack, said it targeted an Internet service provider (ISP) in Eastern Asia in 2024 and lasted 80 seconds

Cloudflare revealed this week that it detected and blocked the largest distributed denial-of-service (DDoS) attack ever reported, which occurred in October 2024.
Key Details:
- The DDoS attack was 5.6 terabits per second (Tbps). For context, the largest previously recorded DDoS attack, also detected by Cloudflare in 2024, was 3.8 Tbps.
- The attack targeted an Internet service provider (ISP) in Eastern Asia and lasted 80 seconds.
- The UDP DDoS attack originated from a botnet made up of over 13,000 Internet of Things (IoT) devices. In UDP-based DDoS attacks, a large number of User Datagram Protocol (UDP) packets are sent to servers in order to overwhelm them.
The Background: The DDoS attack originated from a Mirai-variant botnet, underscoring the persistent problem of Mirai variants in the threat landscape. Mirai, which first appeared in 2016 and is used to control compromised vulnerable devices, was behind several massive denial-of-service attacks (including the infamous one against Dyn DNS in 2016). After the Mirai source code became available online in 2016, many different variants of the malware emerged. These include a variant recently highlighted by Qualys researchers called Murdoc, which is behind a large-scale campaign targeting AVTECH cameras and Huawei HG532 routers.
Vulnerable connected devices also played a significant role in this attack, as the botnet was made up of 13,000 IoT devices. Mirai variants have targeted weaknesses in connected devices, including default credentials, as well as known vulnerabilities.
Overall, “threat actors often avoid using uncommon user agents, favoring more common ones like Chrome to blend in with regular traffic,” said Cloudflare researchers in a Tuesday blog post. “The presence of the HITV_ST_PLATFORM user agent, which is associated with smart TVs and set-top boxes, suggests that the devices involved in certain cyberattacks are compromised smart TVs or set-top boxes. This observation highlights the importance of securing all Internet-connected devices, including smart TVs and set-top boxes, to prevent them from being exploited in cyberattacks.”
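The following added example, which is not from the article or from Cloudflare, scans web access logs for the HITV_ST_PLATFORM token quoted above and reports sources that send bursts of requests carrying it. The log lines, full user-agent strings, threshold and window size are constructed assumptions; only the token itself comes from the article.

```python
import re
from collections import Counter
from datetime import datetime

# HITV_ST_PLATFORM is the token named in the article; add others from your own telemetry.
DEVICE_UA_TOKENS = ("HITV_ST_PLATFORM",)
# Combined Log Format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# Constructed user-agent strings; real device strings will differ around the token.
CHROME = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/120.0.0.0 Safari/537.36"
TV = "Mozilla/5.0 (Linux; HITV_ST_PLATFORM) AppleWebKit/537.36"

def _line(ip, sec, ua):
    return f'{ip} - - [21/Jan/2025:10:00:{sec:02d} +0000] "GET / HTTP/1.1" 200 512 "-" "{ua}"'

# Constructed sample traffic (documentation-range addresses), not real logs.
SAMPLE_LOG = (
    [_line("198.51.100.7", s, TV) for s in (1, 2, 3, 4)]       # burst from a TV user agent
    + [_line("192.0.2.55", 5, TV)]                             # single TV request
    + [_line("203.0.113.10", s, CHROME) for s in range(1, 6)]  # busy browser client
    + ["truncated line without the expected fields"]           # malformed entry
)

def parse(line):
    """Return (ip, timestamp, user_agent), or None for a line that does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    try:
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    except ValueError:
        return None
    return m["ip"], ts, m["ua"]

def device_bursts(lines, threshold=3, window_s=10):
    """Return ({ip: peak requests per window}, share of parsed requests with a device token)."""
    hits, total = Counter(), 0
    for rec in filter(None, map(parse, lines)):
        total += 1
        ip, ts, ua = rec
        if any(tok in ua for tok in DEVICE_UA_TOKENS):
            hits[(ip, int(ts.timestamp()) // window_s)] += 1
    peaks = {}
    for (ip, _), n in hits.items():
        if n >= threshold:
            peaks[ip] = max(n, peaks.get(ip, 0))
    return peaks, (sum(hits.values()) / total if total else 0.0)
```

The User-Agent header is supplied by the client, so a match is a triage signal to correlate with request rate and source reputation rather than proof of device type.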
The Big Picture: In 2024 overall, researchers said, Cloudflare blocked 21.3 million DDoS attacks, a 53 percent increase compared to 2023. On average, the company blocked 4,870 DDoS attacks every hour in 2024.
“In 2024 Q4 alone, Cloudflare mitigated 6.9 million DDoS attacks. This represents a 16% increase quarter-over-quarter (QoQ) and 83% year-over-year (YoY),” according to Cloudflare.
Researchers said that Indonesia was the largest source of DDoS attacks globally in the last quarter of 2024, followed by Hong Kong and Singapore. Finally, in the fourth quarter of 2024, researchers observed an increase in ransom DDoS attacks, where attackers attempt to extort money by threatening to take down targets’ networks or web properties.
“This spike was predictable, given that Q4 is a prime time for cybercriminals, with increased online shopping, travel arrangements, and holiday activities,” said researchers. “Disrupting these services during peak times can significantly impact organizations' revenues and cause real-world disruptions, such as flight delays and cancellations.”