Akamai Diversity

The Akamai Blog

620+ Gbps Attack - Post Mortem

On Tuesday, September 20, Akamai successfully defended against a DDoS attack exceeding 620 Gbps, nearly double that of the previous peak attack on our platform.

That attack and the recent release of the Mirai source code have generated a lot of interest in, and speculation about, the role of IoT devices in DDoS attacks. For several months, Akamai researchers have been looking into the code that is now known as Mirai. Much of that research was based on reverse engineering of the binary prior to the actual source code being released.

Based on that investigation and what we know from the DDoS attack from September 20th, we can confirm that the Mirai botnet was a major participant in the attack.  While there may have been at least one other botnet involved, we cannot confirm that the attacks were coordinated.

We have been tracking Mirai for some time, and published a Threat Advisory on what we called Kaiten (and the world now knows as Mirai) to customers on August 8. The Threat Advisory detailed our examination of a known-vulnerable device in order to analyze trends in brute force login attacks on the Internet.  The device existed on a Public IP and had open ports for listening services such as Telnet, SSH, HTTP, and SMTP, and more.  The first thing we observed was bots using default credentials associated with IoT and then we noticed commands that showed them attempting to load the malware.  In other words, within hours we saw how the Kaiten/Mirai botnet was growing.  Within 12 days we had made the following observations:

  • Roughly 100,000 total login attempts were made from more than 1,800 IP's

  • The top source countries were China (64%), Colombia (13%), South Korea (6%), and Vietnam (6%)

  • The most attacked protocols were SSH (57%) and Telnet (42%)

  • The top usernames were root (75%), admin (10%), shell (6%), and sh (6%)

  • The most common login attempts were for Internet ­connected surveillance cameras and associated DVR units

After the first day of massive attacks on September 20, the Mirai botnet and other botnets continued to attack in the days following.  Here's a sampling of where some of the attacks came from:

Tuesday (9/20)

GEO (Percent of traffic)

  • APJ (22%)
  • EMEA (47%)
  • NA (31%)

Thursday's (9/22) attacks had different breakdowns:

Attack (1) Attack Start: Sep 22

GEO (Percent of traffic)

  • APJ (15%)
  • EMEA (51%)
  • NA (34%)

Attack (2) Attack Start: Sep 22

GEO (Percent of traffic)

  • APJ (26%)
  • EMEA (46%)
  • NA (28%)

While this was the largest attack Akamai has recorded to date, there are additional factors that set it apart from a "standard DDoS." Most significantly, the attack was generated by a botnet that was comprised primarily of "Internet of Things" (IoT) devices. The majority of these devices were identified as security cameras and DVRs and were used in "Small Office/Home Office" setups.  We've confirmed that many of these devices use either easily guessable (admin, password, 1234) usernames and passwords or the default passwords originally configured on the devices. Additionally, the attack included a substantial amount of traffic connecting directly from the botnet to the target, rather than reflected and/or amplified traffic, as seen in recent large attacks using NTP and DNS vulnerabilities.

We continue to research the particulars of this attack as well as our security posture.  We'll continue to share significant details as they become available.

Thanks to Martin Mckeay (@mckeay) and Danny Wasserman for contributing research to this post.