August 14, 2022
Mantis botnet is tracked behind Cloudflare June DDoS attacks

In June 2022, Cloudflare reported the largest HTTPS DDoS attack on record, which originated from the Mantis botnet.

The record-breaking distributed denial-of-service (DDoS) attack that Cloudflare mitigated last month originated from a new botnet called Mantis.

The attack, at 26 million requests per second, is the most significant on record, and it came from just 5,067 devices.

The previous record was held by the Mēris botnet, which launched an attack at a rate of 21.8 million requests per second.

Since then, Cloudflare has been tracking this botnet, which they called “Mantis”, and the attacks it has launched against almost a thousand Cloudflare customers.

Generating 26M HTTP requests is hard enough to do without the extra overhead of establishing a secure connection, but Mantis did it over HTTPS. HTTPS DDoS attacks are more expensive in terms of required computational resources because of the higher cost of establishing a secure TLS encrypted connection. This stands out and highlights the unique strength behind this botnet.

Mantis focuses on servers and virtual machines, which come with significantly more resources.

Mantis is the next evolution of the Mēris botnet. The Mēris botnet relied on MikroTik devices, but Mantis has branched out to include a variety of VM platforms and supports running various HTTP proxies to launch attacks.

Mantis botnet that sends 26 million requests per second (Cloudflare)

Mantis Targets

Mantis targets entities in the IT and telecom (36%), news, media, and publications (15%), finance (10%), and gaming (12%) sectors. Over the past 30 days, Mantis launched 3,000 DDoS attacks against almost a thousand Cloudflare customers, the company notes.

Looking at these companies' locations, over 20% of the DDoS attacks targeted US-based companies, over 15% targeted Russia-based companies, and less than five percent included Turkey, France, Poland, Ukraine, and more.

Cloudflare named the botnet that launched the 26M rps (requests per second) DDoS attack “Mantis” because, like the Mantis shrimp, it is small but very powerful. Mantis shrimps, also known as “thumb-splitters”, are very small, less than 10 cm in length, but their claws are so powerful that they can generate a shock wave with a force of 1,500 Newtons at speeds of 83 km/h from a standing start. Similarly, the Mantis botnet operates a small fleet of approximately 5,000 bots, but with them it can generate a massive force, and it is responsible for the largest HTTP DDoS attacks Cloudflare has ever observed.
