The Leet botnet was discovered on December 21, 2016 by cybersecurity firm, Imperva, that reported its Incapsula network suffering a DDoS attack beginning approximately 10:55 AM that day. The company believes that those behind the Leet attack were most likely interested in targeting the website of an Imperva customer but were not able to resolve an IP address beyond those of the Incapusla proxies. Leet attacked Imperva’s network twice – the first time lasted 20 minutes at 400 Gbps and the second lasted 17 minutes at 650 Gbps. Both attacks failed to bring down Imperva’s network. Imperva analyzed the network traffic generated from the attack and determined that the attackers used spoofed IP addresses and generated the payload content using shredded and scrambled IP lists which they describe as “a mishmash of pulverized system files from thousands upon thousands of compromised devices.” They named this botnet after they discovered that the TCP Options header of the regular-sized SYN packets used in the attack were arranged to spell “1337,” or “leet,” a term used in hacker communities meaning “elite.” Imperva noted there are drastic differences between Leet and Mirai, despite them both being capable of 650 Gbps attacks and suggested that Leet is brand new and not based on any previous botnet build.

Reporting and Technical Details

  • December 2016: 650Gbps DDoS Attack from Leet Botnet Rivals Mirai Attacks (Bleeping Computer)
  • December 2016: 650Gbps DDoS Attack from the Leet Botnet (Incapsula)