Should You Fear the Reaper Botnet?

Andrew Hickey
November 15, 2017

Should You Fear the Reaper?

Move over Mirai botnet. There’s a new monstrous botnet in town.

The newly-discovered botnet, dubbed “Reaper” or “IoTroop,” appears to be a more powerful strain of Internet of Things (IoT) attack malware than Mirai, the previous holder of the IoT botnet crown.

And while there are no confirmed reports that Reaper has been used to launch an attack, security researchers warn that it may only be a matter of time.

Researches from Check Point announced their discovery of Reaper on Oct. 19, claiming that it may have already infected “an estimated million organizations” and could potentially “take down the internet.”  The new malware, Check Point wrote, is “evolving and recruiting IoT devices at a far greater pace and with more potential damage than the Mirai botnet of 2016.”

Where Mirai used factory-default or hard-coded usernames and passwords to infiltrate and eventually take control of IoT devices, Reaper exploits known security vulnerabilities across IoT devices makers, such as AVTECH, D-Link, Netgear, Linksys and more, according to KrebsOnSecurity. Netlab 360 listed the vulnerabilities Reaper exploits in a blog post.

The Reaper worm is designed to spread from one infected device to another.

Reaper and Other IoT-based DDoS Attacks

What makes Reaper and other IoT-based attacks particularly scary is their breadth and sophistication. For example, IoT attacks don’t rely on spoofing to create wide attacks, instead, they are real endpoints with real IP addresses, making it more difficult to block each individual device that is sending attack traffic. Additionally, IoT attacks are widely distributed globally and each IP has to be treated differently – an organization can’t just block a network segment or a country’s IP range to defend against it.

And IoT attacks can have wider breath of attacking capabilities than traditional attack strategies. For example, previous huge volume attacks used reflection (such as DNS or NTP) to create volume, meaning thousands of open resolvers (DNS reflection case) would be tricked into generating a huge traffic load. IoT attacks, on the other hand, have a vast swath; millions of IoT devices can each generate individual traffic that can swell into gargantuan attacks – think of it as a wake building into a tidal wave.

So far, there have been no confirmed reports of Reaper being used to carry out an attack, but the potential for DDoS attacks looms, especially considering that Mirai was used to launch some of largest DDoS attacks on record, including attacks up to and exceeding 1 Tbps.

“It is too early to guess the intentions of the threat actors behind it, but with previous Botnet DDoS attacks essentially taking down the Internet, it is vital that organizations make proper preparations and defense mechanisms are put in place before an attack strikes,” Check Point wrote.

Protect Yourself Against DDoS

Should Reaper take the same track as Mirai and be leveraged to launch IoT-fueled DDoS attacks, it’s important to be protected.

High-performance DDoS protection are must-haves in the battle against IoT botnets and the sophisticated multi-vector DDoS attacks they power. Organizations need swift, surgical detection and rapid mitigation to ensure services aren’t disrupted and that legitimate traffic can still get through during wartime.

It is imperative for DDoS defense solutions to understand traffic patterns and behaviors to block anomalous traffic while allowing real user traffic to continue to pass through. Identifying and analyzing threats quickly is also necessary.

And for additional real-time protection, organizations should implement a hybrid DDoS protection model that combines the power of on-premise DDoS defense with cloud capabilities to combat high-volume DDoS attacks.

Update IoT Devices

Another preventative measure is to update your devices. Updating IoT devices with new code and turning off features that involve WAN-based administration can help protect devices from Reaper, should it become active.

While Mirai was primed with a list of default usernames and passwords of devices throughout the internet, Reaper uses a set of exploits seen in various devices, meaning that without any knowledge of a username or password, someone may be able to get in by leveraging one of these exploits.

Failing to update devices and turn off WAN-style features could leave your admin password exposed, regardless of how complex it is.

Defend Against Current and Future Cyberthreats

A10 Thunder TPS is the world’s highest-performance DDoS defense solution. It detects and mitigates megabit to terabit DDoS attacks at the network edge. TPS can process more than 500,000 flows per second and can scale up to 2.4 Tbps with a list synchronization cluster.

Thunder TPS is unrivaled, delivering an industry-leading 300 Gbps with 440 Mpps in a single appliance — offering up to 11 times the performance of legacy solutions.

And it goes beyond traditional DDoS protection.

Thunder TPS can track up to 128 million individual IP addresses – whether IoT device IP addresses or legitimate users – to defend against the breadth that makes IoT attacks so devastating. Also, Thunder TPS leverages a massive Class-list size of 96 million entries with integrated threat intelligence to identify and block known infected IoT devices at internet scale.

A10 also offers the A10 Threat Intelligence Service, in partnership with ThreatSTOP, which is constantly updated with the latest threat information to blacklist and whitelist traffic to ensure bad traffic is blocked before it can enter the network and wreak havoc.

It works by continuously charting potential threats and intruders and empowers customers to leverage global knowledge to block traffic that is considered malicious to prevent zero-day attacks, block command and control computers from communicating with your network and to cloak your network from known cybercriminal scans. It instantly recognizes and blocks traffic in real-time from known attack sources to protect networks from new and future threats.

Thunder TPS’s on-premise protection also integrates with Verisign’s cloud-based DDoS Protection Services to deliver cloud-bursting capabilities that offload attack mitigation to the cloud. The Verisign service is backed by global points of presence and multiple terabits per second of global capacity. It ensures your network won’t collapse under the weight of a high-volume attack.

And for an additional layer of defense A10’s DDoS Security Incident Response Team (DSIRT) puts a team of DDoS fighting experts at your fingertips 24×7 to provide assistance in mitigating attacks in real-time, as they’re happening. That means a team of DDoS defenders has your back day in, day out.

A strong DDoS protection solution, like A10’s Thunder Threat Protection System (TPS), can help protect against threats now and threats that could spring up in the future. So if Reaper starts launching DDoS attacks, or researchers uncover the next big botnet, you’re covered, and you won’t have to fear the Reaper.


Andrew Hickey
November 15, 2017

About Andrew Hickey

Andrew Hickey serves as A10's editorial director. Andrew has two decades of journalism and content strategy experience, covering everything from crime to cloud computing and all things in between. Read More

Seeing is believing.
Schedule a live demo today.

Get a Product Demo