Content delivery network Akamai has been under the microscope lately for seemingly abandoning security writer Brian Krebs, whose site suffered a huge distributed denial of service attack last month.
The site had been getting free DDoS mitigation protection from Akamai and its sister company, Prolexic, but after taking a pounding of over 620 Gbps from two botnets of Internet of Things devices, Akamai let Krebs know he had two hours to shift off its network. Generously, Krebs doesn’t fault the provider, given that the mitigation was starting to cause trouble for paying customers.
This week Akamai published a short defence of its action, but more importantly described one of the botnets, known either as Kaiten or Mirai, which offers lessons not only for CISOs but also for companies that make anything that connects to the Internet. “The majority of these devices were identified as security cameras and DVRs and were used in ‘Small Office/Home Office’ setups,” says Akamai. “We’ve confirmed that many of these devices use either easily guessable (admin, password, 1234) usernames and passwords or the default passwords originally configured on the devices. Additionally, the attack included a substantial amount of traffic connecting directly from the botnet to the target, rather than reflected and/or amplified traffic, as seen in recent large attacks using NTP and DNS vulnerabilities.”
These botnets get assembled by attackers with automated scanners that roam the Internet looking for insecure devices.
An earlier report on Mirai found that roughly 100,000 total login attempts were made from more than 1,800 IPs around the world, mainly in China (64 per cent), Colombia (13 per cent) and South Korea and Vietnam (six per cent). The most attacked protocols were SSH (57 per cent) and Telnet (42 per cent). The top usernames were root (75 per cent), admin (10 per cent), shell and sh (six per cent each).
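A defender-side view of the scanning pattern described above, as an added example that is not from Akamai's report or the earlier Mirai study: it parses constructed SSH and Telnet login-failure lines, tallies the protocol and username mix the way the report does, and flags sources that hammer only default usernames. The telnetd line format, the sample addresses and the threshold are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample auth-log lines (not real data): sshd failures in the
# standard OpenSSH wording plus a hypothetical telnetd failure format.
SAMPLE_LOG = """\
Sep 20 03:14:01 cam1 sshd[812]: Failed password for root from 203.0.113.7 port 51234 ssh2
Sep 20 03:14:02 cam1 sshd[812]: Failed password for root from 203.0.113.7 port 51235 ssh2
Sep 20 03:14:02 cam1 sshd[813]: Failed password for invalid user admin from 203.0.113.7 port 51236 ssh2
Sep 20 03:14:03 cam1 telnetd[90]: login failed user=root from=198.51.100.4
Sep 20 03:14:03 cam1 telnetd[90]: login failed user=shell from=198.51.100.4
Sep 20 03:14:04 cam1 telnetd[90]: login failed user=sh from=198.51.100.4
Sep 20 03:14:09 cam1 sshd[820]: Failed password for alice from 192.0.2.10 port 40000 ssh2
"""

SSH_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")
TELNET_RE = re.compile(r"telnetd\[\d+\]: login failed user=(\S+) from=(\S+)")  # assumed format

# Usernames the report says Mirai-style scanners try first.
DEFAULT_USERS = {"root", "admin", "shell", "sh"}

def parse_attempts(text):
    """Return a list of (protocol, username, source_ip) for each failed login."""
    attempts = []
    for line in text.splitlines():
        m = SSH_RE.search(line)
        if m:
            attempts.append(("ssh", m.group(1), m.group(2)))
            continue
        m = TELNET_RE.search(line)
        if m:
            attempts.append(("telnet", m.group(1), m.group(2)))
    return attempts

def summarize(attempts):
    """Per-protocol and per-username share of attempts (rounded per cent)."""
    total = len(attempts) or 1
    proto = Counter(p for p, _, _ in attempts)
    users = Counter(u for _, u, _ in attempts)
    return ({p: round(100 * n / total) for p, n in proto.items()},
            {u: round(100 * n / total) for u, n in users.items()})

def flag_scanners(attempts, threshold=3):
    """Flag sources with at least `threshold` failures, all against default usernames."""
    by_src = defaultdict(list)
    for _, user, src in attempts:
        by_src[src].append(user)
    return sorted(src for src, names in by_src.items()
                  if len(names) >= threshold and set(names) <= DEFAULT_USERS)
```

A single device sees only a sliver of a scan, so in practice the per-source counts would be aggregated across many hosts before the threshold means much.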
But the huge attacks last month showed a different spread of sources, with upwards of one-third of the traffic coming from North America and roughly half from Europe, the Middle East and Asia.
The most common login attempts were against Internet-connected surveillance cameras and their associated DVR units.
DDoS attacks used to be thought of as largely a nuisance. But Krebs points out they can be used to run someone off the Internet and therefore be a tool for censorship. In the hands of a malicious person or group, these attacks can also put a company out of business.
So again the call goes out to manufacturers of ANY device that connects to the Internet to find ways to ensure users can’t keep default or simple passwords on their devices. The problem of re-using passwords across multiple sites remains a matter of persistent user education.
More bad news: The source code for the Mirai botnet has been published, which, as Krebs notes, guarantees that more attacks from insecure devices are coming.