Skip links

Meet Mantis, the tiny shrimp that launched 3,000 DDoS attacks

The botnet behind the largest-ever HTTPS-based distributed-denial-of-service (DDoS) attack is now named after a tiny shrimp.

Cloudflare said it thwarted the 26 million request per second (rpm) attack last month, and we’re told the biz has been tracking the botnet ever since. Now, the internet infrastructure company has given the botnet a name — Mantis — and said it’s the next phase in the evolution of Meris.

“The name Mantis was chosen to be similar to ‘Meris’ to reflect its origin, and also because this evolution hits hard and fast,” Cloudflare Product Manager Omer Yoachimik wrote in a blog post this week. “Over the past few weeks, Mantis has been especially active directing its strengths towards almost 1,000 Cloudflare customers.”

While Mantis initially launched its network-flooding-traffic attack over HTTPS, in the month since its discovery, Mantis has launched more than 3,000 HTTP DDoS attacks against the firm’s customers, Yoachimik added.

In addition to sounding similar to Meris, Mantis is also a “small but powerful” shrimp. The tiny crustaceans are about only about 10 cm in length, but their “thumb-splitter” claws can inflict serious damage against prey or enemies — and can strike with a force of 1,500 newtons at speeds of 83 km/h from a standing start.

Likewise, the Manis botnet operates a small fleet of bots (a little over 5,000), but uses them to cause massive damage: specifically, a record-breaking attack.

“That’s an average of 5,200 HTTPS rps per bot,” Yoachimik explained. “Generating 26M HTTP requests is hard enough to do without the extra overhead of establishing a secure connection, but Mantis did it over HTTPS.” 

These HTTPS-based attacks are more expensive than their HTTP counterparts because it costs more in compute resources to establish a secure TLS connection. And because of this, instead of using hijacked IoT devices (like DVRs or cameras) to form its bot army, Mantis uses virtual machines and servers.

As the company’s security team has been following Mantis’ targets, we’re told most of the attacks attempted to strike internet and telecommunications’ firms, with 36 percent of attack share. News, media and publishing companies came in second, at about 15 percent, followed by gaming and finance with about 12 percent of attack share.

Additionally, most of the DDoS attacks’ targets are based in the United States (more than 20 percent), with about 15 percent putting Russian-based companies in the crosshairs, and less than 5 percent targeting organizations in Turkey, France, Poland, Ukraine, the UK, Canada, China and other countries.

It’s worth noting that in April, just months before mitigating Mantis, Cloudflare said it stomped another HTTPS DDoS attack that reached a peak of 15.3 million rps. At the time it was the largest-ever on record. 

These attacks are not only severely disruptive to business — by flooding the network with junk traffic, they effectively make it impossible for legitimate users to access an organization’s website — but they are also becoming more frequent, according to Cloudflare and other security firms’ research. 

Cybersecurity outfit Kaspersky recently reported this type of assault was up 46 percent year-over-year due, in large part, to DDoS attacks associated with Russia’s invasion of Ukraine. ®