Akamai this week shared additional details on the massive 665 gigabit per second (Gbps) distributed denial of service (DDoS) attack that targeted Brian Krebs’ website.
While Akamai confirmed that the Mirai botnet was part of the attack, the company also said that Mirai was only “a major participant in the attack” and that at least one other botnet might have been involved, though it couldn’t confirm that the attacks were coordinated. The company also said that the 620+ Gbps DDoS attack registered on Sept. 20 was nearly double the previous peak attack on its platform.
Following the attack and a subsequent incident reported by hosting provider OVH, Mirai came to the spotlight, along with the issue of insecure Internet of Things (IoT) devices. Easy-to-guess default credentials and other vulnerabilities have made it easy for cybercriminals to create such IoT botnets. Furthermore, Mirai’s source code was released online several days ago.
Akamai says that the attack was indeed powered by an army of IoT devices, mainly security cameras and DVRs that have been used in “Small Office/Home Office” setups. “We've confirmed that many of these devices use either easily guessable (admin, password, 1234) usernames and passwords or the default passwords originally configured on the devices,” Daniel Shugrue, Director of Product Marketing at Akamai, explains.
He also reveals that “the attack included a substantial amount of traffic connecting directly from the botnet to the target.” Basically, the attackers didn’t rely on reflection and amplification to increase the amount of traffic to the target, although other DDoS attacks employ such techniques.
Akamai, he says, has been tracking the Mirai malware, which it refers to as Kaiten, for a few months, and published a Threat Advisory to customers on August 8. The advisory detailed how the threat was using brute-force attacks to enslave devices that sat on a public IP and had open ports for listening services such as Telnet, SSH, HTTP, and SMTP, among others.
The company observed that around 100,000 total login attempts were made on a vulnerable device from more than 1,800 IPs within 12 days, with China (64%), Colombia (13%), South Korea (6%), and Vietnam (6%) being the main sources of attack. SSH (57%) and Telnet (42%) were the most attacked protocols, while the top used usernames were root (75%), admin (10%), shell (6%), and sh (6%).
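The breakdown above (attempts per source IP, share per protocol, share per username) is the kind of summary a defender can produce from their own authentication logs to spot credential brute forcing before a device is enslaved. The following is an added example written for this article; it is not Akamai’s tooling or anything from the Threat Advisory. The log lines are constructed: the sshd lines follow OpenSSH’s real “Failed password” message format, while the telnetd line format is an assumption for illustration. The hypothetical `flag_brute_force` threshold is likewise a placeholder to tune per environment.

```python
import re
from collections import Counter

# Constructed sample lines in syslog style (not real data). The sshd format matches
# OpenSSH "Failed password" messages; the telnetd format is assumed for illustration.
SAMPLE_LOG = """\
Sep 20 01:02:03 gw sshd[1001]: Failed password for root from 203.0.113.10 port 51022 ssh2
Sep 20 01:02:04 gw sshd[1002]: Failed password for root from 203.0.113.10 port 51023 ssh2
Sep 20 01:02:05 gw sshd[1003]: Failed password for admin from 203.0.113.10 port 51024 ssh2
Sep 20 01:02:06 gw sshd[1004]: Failed password for invalid user shell from 198.51.100.7 port 40001 ssh2
Sep 20 01:02:07 gw telnetd[2001]: login failed for user root from 198.51.100.7
Sep 20 01:02:08 gw telnetd[2002]: login failed for user sh from 192.0.2.55
Sep 20 01:02:09 gw sshd[1005]: Accepted password for pi from 192.0.2.200 port 40002 ssh2
"""

# "invalid user" appears when the username does not exist on the host; it is optional here.
SSH_FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)
# Assumed telnetd message format (hypothetical).
TELNET_FAILED = re.compile(
    r"telnetd\[\d+\]: login failed for user (?P<user>\S+) from (?P<ip>\S+)"
)


def parse_failed_logins(log_text):
    """Return one (protocol, username, source_ip) tuple per failed login attempt.

    Successful logins and unrelated lines are ignored.
    """
    events = []
    for line in log_text.splitlines():
        m = SSH_FAILED.search(line)
        if m:
            events.append(("SSH", m["user"], m["ip"]))
            continue
        m = TELNET_FAILED.search(line)
        if m:
            events.append(("Telnet", m["user"], m["ip"]))
    return events


def _percent(counter, total):
    """Convert raw counts to percentage shares, most common first."""
    return {k: round(100.0 * v / total, 1) for k, v in counter.most_common()}


def summarize(events):
    """Produce the same kind of summary the advisory reports: totals, distinct
    attacking IPs, and the share of attempts per protocol and per username."""
    total = len(events)
    if total == 0:
        return {"total": 0, "unique_ips": 0, "by_protocol": {}, "by_user": {}}
    return {
        "total": total,
        "unique_ips": len({ip for _, _, ip in events}),
        "by_protocol": _percent(Counter(p for p, _, _ in events), total),
        "by_user": _percent(Counter(u for _, u, _ in events), total),
    }


def flag_brute_force(events, threshold=3):
    """Return the set of source IPs with at least `threshold` failed attempts.

    The threshold is a placeholder; real deployments would also bound it by time window.
    """
    per_ip = Counter(ip for _, _, ip in events)
    return {ip for ip, n in per_ip.items() if n >= threshold}


if __name__ == "__main__":
    ev = parse_failed_logins(SAMPLE_LOG)
    print(summarize(ev))
    print("brute-force sources:", flag_brute_force(ev))
```

On the constructed sample this yields six failed attempts from three distinct IPs, SSH at 66.7% and Telnet at 33.3%, root as the top username at 50%, and one source (203.0.113.10) crossing the three-attempt threshold. Feeding real sshd and telnetd logs through the same aggregation gives a per-device view comparable to the regional and username statistics Akamai published, and the flagged sources are natural candidates for rate limiting or blocking at the edge.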
Similar attacks were recently observed targeting a vulnerable DVR and have been previously associated with various IoT malware families. Weak credentials or default root or admin accounts on IoT devices open the door for botnets such as Mirai or BASHLITE.
According to Akamai, 47% of the DDoS traffic observed during the attack on Sept. 20 came from the EMEA region, 31% from North America, and 22% from Asia-Pacific. The company analyzed two other attacks performed on Sept. 22, and says that EMEA was once again the region generating the largest amount of traffic.
The company also reveals that attacks matching the Mirai/Kaiten malware-generated traffic were observed several months ago, and that one attack mitigated in June reached almost 250 Gbps at its peak. In its Threat Advisory, Akamai stresses that botnets compromise vulnerable systems through large-scale scanning and brute forcing of default usernames and passwords.
“Some of these systems are easily compromised with publicly available exploits and knowledge. They can also be weaponized using publicly available attack toolkits and malware. These trends and tactics are unlikely to go away and the relative ease of building and renting these botnets will continue to lower the bar even further for attackers,” Akamai also says.