Akamai SotI shows Mirai dips and Spike resurges, potential hope for IoT

CDN provider Akamai has published its latest State of the Internet report, which outlines the scale of hostile web traffic the company observed in the past quarter. The quarter’s findings took some of the edge off Mirai, the looming specter of IoT security, but Akamai warns that a dip in Mirai’s scale does not mean the fight against IoT botnets is over.

We last looked at Akamai’s quarterly report back in November, at a time when it looked like Mirai would prove the scourge of the internet. However, this new report paints a more optimistic view of Mirai and IoT botnets, with Akamai recording a big drop off in the scope of Mirai attacks. The company does warn that other Mirai-inspired attacks could come to the fore. The report can be downloaded here.

The ‘At a Glance’ page notes that, quarter on quarter, total DDoS attacks fell 16%, as did layer three and four (infrastructure) attacks. Reflection attacks fell 9%, and attacks larger than 100Gbps dropped 37% – from 19 in Q3 to 12 in Q4.

Initially, that sounds like good news, but when compared to Q4 2015, the past three months show a 4% increase in total DDoS attacks, a 6% increase in layer three and four infrastructure attacks, a 22% rise in reflection attacks, and a whopping 140% increase in DDoS attacks over 100Gbps – growing from just 5 in Q4 2015 to the 12 seen in Q4 2016.

Akamai notes that the largest DDoS attack in the quarter was not carried out by an IoT botnet. It clocked in at a peak bandwidth of 517Gbps, and is attributed to the Spike DDoS toolkit – which is used by XOR and BillGates. Three of the seven DDoS attacks that exceeded 300Gbps in 2016 occurred in Q4. None of the Q4 IoT botnet attacks were larger than 300Gbps.

The report warns that while Mirai continues to be one of the largest threats in Q4 (seven of those 12 mega attacks according to the report), at least two other major IoT botnets are in use – but that it doesn’t know if they are variants of Mirai (like Hajime) or new and unrelated. It adds that Mirai appears to have originated back in May 2016, and not in July as widely thought.

Of the 37 attacks that Akamai attributed to Mirai, the average peak bandwidth was around 57Gbps – a fraction of the 623Gbps that Akamai saw when a Mirai attack was targeted at famed security researcher Brian Krebs. However, the report warns that “as vulnerable devices are added to IoT-based botnets, we expect a second surge in botnet capabilities and DDoS attack size.”

Akamai said that its Prolexic mitigation network dealt with 3,826 DDoS attacks in the quarter, and that web application attacks, when compared to Q4 2015, were down 19%. Akamai recorded a 53% reduction in attacks originating from outside the USA, but noted that SQL-injection attacks jumped 44%.

On a quarterly basis, Akamai said that Q4 2016 saw a 27% rise in total web application attacks, with a 72% increase in the non-US attacks, and a 33% rise in SQL-injection. Despite the quarterly rise, Akamai said that Q4 was relatively quiet this year, in terms of web application attacks – which was good news for retailers in the holiday period.

So what can the industry do to protect against these kinds of attacks? Well, Akamai’s response suggests that many just have to weather the storm – as “new attack types peak shortly after they appear. As these attacks gain popularity, competition for the resources needed to make them begins. While the number of attacks goes up, the size of individual attacks is pushed down, as there are fewer resources available for each of the botnets.”

Such is the murky world of cybercrime, but Akamai adds that while the above equilibrium holds for attack vectors like NTP reflection, the growing number of IoT devices out in the wild means that this balancing process is going to take longer for IoT botnets.

The report notes that old malware still works fine when it comes to DDoS attacks, and that customizable toolkits like Spike allow attackers to build new botnets as old ones are mitigated or taken offline. Mirai was notable because later versions of the malware were observed taking measures to stop other botnet operators seizing the devices it had already compromised – something of an arms race among cyber-criminals.

In terms of DDoS countries of origin, the USA took first place for Q4 2016, with 24% of all attacks, with the UK in second place on 9.7%, and Germany in third with 6.6%. China was in fourth place, with 6.2%, and Russia sat in fifth with 4.4%. As for the web application attacks, the USA took first place, with 28%, the Netherlands was in second, with 17%, and Germany took third, with 9%. Brazil and Russia rounded out the top five.

Akamai concludes that Q4 was a bit of a surprise, given that it expected Mirai to continue to be the source of the largest DDoS attacks. It notes “that’s not to say that botnets like Mirai are no longer one of the biggest threats we face. The IoT is in its infancy. We expect to see many more vulnerable and compromised devices before devices become more secure.”

But rounding out its conclusions, Akamai adds that while attackers will be resourceful in their attempts to build better botnets and the IoT provides them with a ready supply of potential vulnerabilities, these resources are not infinite. “It is foreseeable that there will be a contention for resources amongst botnets, meaning we may see the number of attacks increasing, while the size of many attacks fall.” However, Akamai notes that this is not a system that will reach equilibrium in the short term.