Almost half of Mirai bots located in the EMEA region

Oct 5, 2016 22:45 GMT  ·  By

With all the infosec community impatiently waiting for more details on the huge DDoS attack that hit the KrebsOnSecurity blog, Akamai has now released its official post-mortem report on the aforementioned incident.

The Krebs DDoS attacks, which came after journalist Brian Krebs exposed a DDoS-for-hire service, forced mainstream media to acknowledge the problem that IoT botnets pose for online free speech, and how a low-skilled attacker with a minimal budget can silence any media outlet with enough patience.

Akamai was in the perfect position to observe these attacks, as they were providing the journalist with free DDoS protection via Prolexic, a company they acquired, and which had a previous arrangement with Krebs.

While Akamai absorbed the brunt of the attack, it eventually had to remove Krebs' website from its network after the attacks started affecting its paying customers. Krebs didn't hold a grudge and had only positive things to say about the provider.

Akamai confirms initial findings by other vendors

As Krebs moved his website to Google's Project Shield, other investigators looking into the DDoS traffic determined that attackers had used a botnet created with the Mirai malware.

The malware was discovered by MalwareMustDie in September; the researcher said it is vaguely related to the Gafgyt malware family tree (also known as Lizkebab, BASHLITE, Bash0day, Bashdoor, and Torlus).

According to Akamai's own investigation, the malware is also related to the Kaiten malware, which, just like Gafgyt, targets smart IoT devices. Akamai says its researchers had been tracking this Kaiten variant (identified as Kaiten/STD) since January this year.

Akamai's analysis of Kaiten/STD matches MalwareMustDie's Mirai findings, so there is nothing new about the malware's mode of operation: it brute-forces the credentials of Telnet and SSH services left exposed on IoT devices, mainly IP cameras, CCTV and DVR systems.
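The credential brute-forcing described above leaves a distinctive trace on the victim device or on any gateway that logs its Telnet/SSH logins: a burst of failed logins from one source, often followed by a success. The following detection routine is an added example, not code from the article or from Akamai; the simplified syslog-style line format and the RFC 5737 test addresses are constructed for the example, and the window and threshold are arbitrary assumptions to tune per environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a simplified, assumed syslog style.
# Source addresses are RFC 5737 documentation ranges, not real hosts.
SAMPLE_LOG = """\
2016-09-20T10:00:01 cam01 telnetd: login failed user=admin from=203.0.113.5
2016-09-20T10:00:02 cam01 telnetd: login failed user=root from=203.0.113.5
2016-09-20T10:00:02 cam01 telnetd: login failed user=support from=203.0.113.5
2016-09-20T10:00:03 cam01 telnetd: login failed user=admin from=203.0.113.5
2016-09-20T10:00:03 cam01 telnetd: login failed user=root from=203.0.113.5
2016-09-20T10:00:04 cam01 telnetd: login ok user=root from=203.0.113.5
2016-09-20T10:00:10 cam01 sshd: login failed user=pi from=198.51.100.7
2016-09-20T10:05:00 cam01 sshd: login failed user=pi from=198.51.100.7
2016-09-20T10:30:00 cam01 telnetd: login ok user=admin from=192.0.2.44
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<svc>telnetd|sshd): login (?P<result>failed|ok) "
    r"user=(?P<user>\S+) from=(?P<src>\S+)$"
)


def parse_events(text):
    """Parse the assumed log format into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def detect_bruteforce(events, window=timedelta(seconds=60), threshold=4):
    """Return {source_ip: finding} for every source that produced at least
    `threshold` failed logins inside any `window`, and note whether a
    successful login from the same source followed the burst (the sign
    that a default or weak credential was found)."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev["src"]].append(ev)

    findings = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if e["result"] == "failed"]

        # Sliding window over failure timestamps: find the first burst.
        burst_end = None
        for i in range(len(fails)):
            j = i
            while j + 1 < len(fails) and fails[j + 1]["ts"] - fails[i]["ts"] <= window:
                j += 1
            if j - i + 1 >= threshold:
                burst_end = fails[j]["ts"]
                break
        if burst_end is None:
            continue

        success_after = any(e["result"] == "ok" and e["ts"] >= burst_end for e in evs)
        findings[src] = {
            "failures": len(fails),
            "services": sorted({e["svc"] for e in fails}),
            "usernames": sorted({e["user"] for e in fails}),
            "success_after_burst": success_after,
        }
    return findings


if __name__ == "__main__":
    for src, finding in detect_bruteforce(parse_events(SAMPLE_LOG)).items():
        print(src, finding)
```

Grouping by source and tracking the success-after-burst flag matters more than the raw failure count: a single source that cycles through several usernames on Telnet and then logs in is exactly the pattern a device recruited into a Telnet-scanning botnet produces, while the slow SSH failures from the second source fall below the threshold and are left alone.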

Once compromised, these devices serve as bots in the Mirai botnet, which has been slowly dissolving since the Krebs attacks. In fact, Mirai's creator recently released Mirai's source code, in an attempt to flood the market with Mirai botnet clones and cover his tracks, following intense scrutiny from security firms and law enforcement investigators.

Krebs DDoS attack came mainly from Mirai bots in Europe

In its post-mortem report, Akamai revealed that the September 20 DDoS attack on KrebsOnSecurity almost doubled the previous all-time DDoS record detected against its infrastructure. That record was set on June 20 by an attack against a European media organization, which reached 363 Gigabits per second (Gbps) and 57 million packets per second (Mpps).

According to Akamai's official numbers, the Krebs DDoS attack reached 620 Gbps, as Krebs tweeted himself, and also involved an additional, smaller botnet, outside of Mirai.

Akamai also confirmed that the Mirai botnet was mainly comprised of security cameras and DVRs, as initially rumored. Around half of the bots were located in the EMEA (Europe, Middle East, and Africa) region, while North America and the APJ (Asia-Pacific and Japan) region accounted for around a quarter each.

Mirai DDoS attacks were direct packet floods, no redirection or amplification

"The attack included a substantial amount of traffic connecting directly from the botnet to the target, rather than reflected and/or amplified traffic, as seen in recent large attacks using NTP and DNS vulnerabilities," Daniel Shugrue explained.

This is another crucial detail that Akamai confirmed, and one that baffled security experts when preliminary technical details about the attack started to surface.

Previously, all large-scale DDoS attacks had been achieved via reflection attacks, not by slinging junk traffic directly at a target.

Security researchers had believed this type of direct packet-flood DDoS attack to be impossible, mainly because it requires the attacker to control a huge number of bots.
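The distinction Akamai draws between direct and reflected traffic is something a defender can measure from flow records: replies from amplifiers arrive from the amplifier's well-known service port (the article names NTP and DNS), whereas direct bot traffic comes from many distinct sources on ephemeral ports. The classifier below is an added example, not code from the article or from Akamai; the flow-record tuple layout and the sample records are constructed, and the source-port heuristic is an assumption that a spoofed direct flood could defeat, so it is a triage aid rather than proof.

```python
from collections import Counter

# (protocol, source port) pairs that mark replies from common amplifiers.
# NTP (123) and DNS (53) are the two services the article mentions; the
# mapping is an assumption used only for this example.
REFLECTOR_PORTS = {("udp", 123): "ntp", ("udp", 53): "dns"}

# Constructed flow records: (src_ip, proto, src_port, dst_port, packets).
# Addresses are RFC 5737 documentation ranges.
SAMPLE_FLOWS = [
    ("203.0.113.10", "udp", 123, 40001, 20000),  # NTP reply traffic -> reflected
    ("203.0.113.11", "udp", 53, 40002, 10000),   # DNS reply traffic -> reflected
    ("198.51.100.1", "tcp", 51234, 80, 20000),   # SYN flood from a bot -> direct
    ("198.51.100.2", "tcp", 49877, 80, 20000),
    ("198.51.100.3", "udp", 33451, 80, 20000),   # generic UDP flood -> direct
    ("198.51.100.4", "tcp", 60211, 443, 20000),
]


def classify_flow(flow):
    """Return ("reflected", amplifier_name) or ("direct", None) for one flow."""
    _src_ip, proto, sport, _dport, _pkts = flow
    kind = REFLECTOR_PORTS.get((proto, sport))
    return ("reflected", kind) if kind else ("direct", None)


def summarize(flows):
    """Aggregate packet counts and distinct sources per traffic class.

    A direct flood shows up as a large packet share spread over many
    distinct sources; a reflection flood concentrates packets on a few
    amplifier service ports."""
    packets = Counter()
    sources = {"direct": set(), "reflected": set()}
    amplifiers = Counter()
    for flow in flows:
        category, kind = classify_flow(flow)
        packets[category] += flow[4]
        sources[category].add(flow[0])
        if kind:
            amplifiers[kind] += flow[4]
    total = sum(packets.values())
    return {
        "total_packets": total,
        "direct_packets": packets["direct"],
        "reflected_packets": packets["reflected"],
        "direct_share": packets["direct"] / total if total else 0.0,
        "direct_sources": len(sources["direct"]),
        "reflected_sources": len(sources["reflected"]),
        "amplifier_packets": dict(amplifiers),
    }


def verdict(summary, direct_threshold=0.5):
    """Label the flood so mitigation can be chosen: filtering amplifier
    source ports does not help when most traffic is direct."""
    if summary["direct_share"] >= direct_threshold:
        return "mostly direct: per-source rate limiting and SYN/UDP flood defences"
    return "mostly reflected: filter amplifier source ports upstream"


if __name__ == "__main__":
    s = summarize(SAMPLE_FLOWS)
    print(s)
    print(verdict(s))
```

The "direct_sources" count is the number that made the Krebs attack remarkable: the more of the packet share that comes from distinct ephemeral-port sources, the larger the bot population behind it has to be, which is exactly the capability researchers had assumed attackers did not have.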

The "Internet of (Insecure) Things" made this attack possible, and the proliferation of more improperly configured devices will likely facilitate similarly gigantic DDoS attacks in the future.