F5 Labs Hunt For IoT Vol 2 Rev
TABLE OF CONTENTS
Executive Summary 04
Introduction 06
In This Report 06
What We Know Post-Mirai 06
The 2016 Hunt Volume 08
Hunting Countries and Destinations 10
Q3 Top 20 Threat Actor Source Countries 12
Q4 Top 20 Threat Actor Source Countries 12
Q3 Top 10 Attack Destination Countries 14
Q4 Top 10 Attack Destination Countries 14
Hunting Networks (ASNs) 15
Q3 Top 50 Threat Actor Networks (ASNs) 15
Q4 Top 50 Threat Actor Networks (ASNs) 17
Hunting IP Addresses 19
Q3 Top 50 Attacking IP Address ASNs 19
Q4 Top 50 Attacking IP Address ASNs 20
The Hunt by Industry 22
The Hunt by Operating Systems 22
Conclusion 23
ABOUT F5 LABS 25
ABOUT LORYKA 25
Appendix A: Attack Counts Per IP Launching Greater than 10K Attacks 26
Q3 ASNs with IP Addresses Launching Greater than 10K Attacks, by Country 26
Q4 ASNs with IP Addresses Launching Greater than 10K Attacks, by Country 29
TABLE OF FIGURES
LIST OF TABLES
Table 1: Q3 and Q4 IoT attack summary: attack count, unique IPv4s and ASNs 09
Table 2: Q3 and Q4 attack authentication summary: unique passwords, unique user names 09
Table 3: Q3 and Q4 count of attacks by top 10 source countries 13
Table 4: Q3 Top 50 attacking ASNs, including the number of unique IP addresses used in relation to attacks 15
Table 5: Q4 Top 50 attacking ASNs, including the number of unique IP addresses used in relation to attacks 17
Table 6: Top 50 IP addresses and their contribution to total attacks 19
Table 7: AS numbers and owners of top 50 attacking IP addresses in Q3 20
Table 8: AS numbers and owners of top 50 attacking IP addresses in Q4 21
Table 9: Q3 ASNs launching 10K attacks or greater from 1 IP address, listed by country 26
Table 10: Q4 ASNs launching 10K or greater attacks from one IP address, listed by country 29
EXECUTIVE SUMMARY
For over a year now, F5 Labs and our data partner, Loryka, have been monitoring the ongoing hunt by attackers to find vulnerable IoT devices they can compromise. In our first report, DDoS's Newest Minions: IoT Devices,[i] our research proved what many security experts had long suspected: IoT devices were highly vulnerable to exploit, the level of interest in exploiting them was high, and distributed denial-of-service (DDoS) attacks using these devices were already occurring. Our findings and conclusions in Volume 1[1] rang true, and the new numbers show even steeper growth than we had imagined.
[1] Volume 1 of this series of reports covered roughly five and a half months of data collected between mid-February and July 27, 2016. Volume 2 (this report) covers six months of data collected from July 1, 2016 through December 31, 2016.
Key findings:
1. Networks in China (primarily state-owned telecom companies and ISPs) headlined the threat actor list, accounting for 44% of all attacks in Q3 and 21% in Q4 (that drop likely due to global interest in Mirai).
2. Behind China, the top threat actors in Q3 were Vietnam and the US, and Russia and the UK in Q4. Surprisingly, the UK jumped from number 15 in Q3 to number 3 in Q4, with most activity coming from an online gaming network.
3. Most attacks were launched from Linux systems within hosting provider and telecom companies.
INTRODUCTION
Since we published Volume 1 of this report, the world has felt the stinging blow of the Mirai attacks[ii] on Krebs On Security and OVH (in September 2016), and Dyn, Inc. (in October 2016). When we began writing this report, we were still trying to wrap our heads around the startling allegation that Dyn's DNS service was attacked by tens of millions of unique IP addresses[iii] that belonged to seemingly innocuous IoT devices (IP cameras). Even more startling was that the Mirai attacks measured in the terabits-per-second (Tbps).
A year ago, 60 Gbps was considered a large attack. In June 2016, we published an article[iv] predicting that 100 Gbps DDoS attacks would be the new normal, with peaks in the 400-500 Gbps range. Yet, like rapid fire, attack sizes rose astonishingly to Tbps with Mirai. And, because Mirai's creator decided to release the source code, the capability to launch IoT DDoS attacks is now in the hands of anyone with the skills to use it.
Why this focus? A big reason many companies are caught by surprise is that, until now, most of our security controls have focused solely on the attack and post-attack phases, both of which occur months, if not years, after the attacker's recon phase. The recon phase is always followed by a build phase when attackers use the data they've collected to plan an attack. Afterward, they strike quickly and decisively, and then get out. By focusing on what's happening in the early and intensive recon and build phases, we can provide valuable threat intelligence that organizations can use to anticipate and prepare for attacks before[v] they happen. When it comes to IoT, the high-volume hunt, plus the vast attacking capabilities beyond just DDoS[vi] (IoT Bots of X), are the threats all businesses globally must pay attention to.
Perimeter-less and identity-less, IoT devices are the perfect target for attackers with world-routable IP addresses, lack of security controls, and ridiculously simple default admin passwords that leave them virtually unprotected.
botnet.) This is why we believe that IoT attacks will soon be referred to as credential stuffing attacks.
Attackers used exactly this technique, scanning for Telnet ports and vendor default passwords on IoT devices, to create the Mirai botnet. It might seem like these attacks happened overnight but, in reality, a bot herder had been slowly searching for, finding, and compromising vulnerable IoT devices for at least a year prior.
Here's what we know today about IoT threats in the shadow of Mirai:
1. IoT devices are critically vulnerable, and the scope is global. IoT devices have little capacity for securing themselves. An end user can reboot a compromised IoT device to clear its memory of malware, but unless the access issue is fixed (that is, default passwords are changed; security controls are added), the device will just get compromised again. There are many Mirai botnets now, and they're constantly scanning for new devices.
2. IoT attacks can impact large targets, previously thought to be untouchable. The collective firepower of an IoT botnet can be greater than terabits per second, and we don't yet know just how big they can get.
3. Bot operators aren't afraid to turn their cyber weapons against some of the largest providers in the world.
We know that there are billions of IoT devices in use around the world today,[vii] but we don't yet know what percentage are vulnerable or already compromised. A billion IoT devices is at best a huge number of small things, but a lot of them require more bandwidth to function than a teddy bear, toaster, or door knob, and some have outbound capabilities upwards of 200 megabytes (like DVRs and digital signage systems). If the spectrum of IoT devices by strength goes from a light bulb at the low end to a DVR at the high end, Mirai was supposedly built with security cameras, which probably fall somewhere in the middle of the spectrum. We are just beginning to see the tip of the iceberg of what's possible with IoT devices and their attacks. The full threat hasn't been realized yet.
The IoT attack volume in Q4 spiked in October, most likely driven by interest in Mirai. While the number of attacks fell off in November and December, the Q4 total was still significantly higher than in Q3, and the total volume in Q4 was 1.5 times greater than the combined attacks across Q1, Q2, and Q3.
While the number of recorded events (IoT-based attacks) increased globally by 110% from Q3 to Q4, the number of networks (autonomous system numbers, or ASNs) participating in these attacks stayed relatively flat, growing 10%. Meanwhile, the unique IP addresses participating within those ASNs grew at a rate of 74%, indicating that threat actors are launching attacks from additional addresses within the same networks. This is the primary reason we decided to publish threat actor networks in this report. Note, however, that we will not publish the source IP addresses of the recorded attack events (except to the ASNs to which the subnets are delegated).
Table 1. Q3 and Q4 IoT attack summary: attack count, unique IPv4 addresses and ASNs
Outside the scope of Telnet attacks, looking at SSH events can give us relevant insight into the capabilities of threat actors. For instance, we see that the number of unique usernames and passwords attempted in SSH events decreased from Q3 to Q4, indicating that threat actors are likely becoming smarter; that is, they already have the correct credentials.
Table 2. Q3 and Q4 attack authentication summary: unique passwords, unique user names
In the months leading up to Mirai's Tbps attacks, brute force Telnet scanning grew at a steady pace (as one might expect), and that activity was enough to create the Mirai botnet. The spike in early October after Mirai was released is consistent with the increase in the number of ASNs participating in Telnet scans over the same period (see figure 9). This is likely due to the botnet source becoming public and resulting in increased activity. While this spike was short-lived, the daily volume didn't drop off to pre-Mirai levels, driving the large quarter-over-quarter growth.
Note: We are not showing attacks by day of week or daily average by month in this report because it doesn't provide any deeper understanding of threat actor behavior.
Note: A large source of France's Q3 traffic is from OVH's ASN, which was a victim of Mirai in early October 2016.
While Russia has moved up the numbered list of threat actor (source) countries (from number 8 in Q3 to number 2 in Q4),
it has consistently been the top target of attacks (destination country). In fact, throughout Q3 and Q4, the top 4 targeted
countries remained consistent, with the number of attacks sometimes almost doubling from fourth position to third, third to
second, and second to first.
Q3 TOP 10 ATTACK DESTINATION COUNTRIES
Russia is a top target from virtually all countries on the top 50 list. Russia outpaced attacks received by Spain (in the number 2 position) by almost 2:1, and by 12:1 when compared to Bulgaria in the tenth position.
Q4 TOP 10 ATTACK DESTINATION COUNTRIES
Interest in Russia increased in Q4, jumping from 31% of total attacks to 40%. Colombia, Canada, and Bulgaria were bumped off the top 10 targets list in Q4, replaced by the UK, Netherlands, and Finland.
Two affiliated networks that didn't exist in Q3 jumped into top 10 positions: William Hill Organization, and WHG International. These correspond to the top attacking IP addresses shown in Table 8.
HUNTING IP ADDRESSES
As stated previously, we're not disclosing the actual IP addresses publicly. We are, however, publishing the percentage that the top 50 attacking IP addresses contributed to the total attack volume because it indicates whether attacks were initiated by a large threat actor (or actors) in a network or a lot of smaller actors. It also provides clues as to whether those IP addresses belonged to the same networks quarter over quarter, and whether they were the same IP addresses or attackers quarter over quarter.
In Q3, the top 50 attacking IP addresses accounted for 26% of all attacks, the majority of which were from Chinanet. Q4 saw that number increase to 35%. That number likely would have been higher if it weren't for the early October spike of Mirai interest that caused a lot of new threat actor IP addresses to jump on the Top 50 list.
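The Table 1 and Table 2 summaries, the quarter-over-quarter growth figures given in the Introduction, and the top-50 IP share discussed here are all aggregations over individual recorded login attempts. The following Python is an added example, not code from this report or from the F5 Labs and Loryka sensor pipeline; it builds a small constructed event set (the addresses, ASNs, countries, credentials and counts are invented for illustration and are not the report's data) and computes the same kind of summary, including the comparison of unique-IP growth against ASN growth that the report uses to infer that actors are adding addresses inside networks already on the list.

```python
"""Quarter-over-quarter summary of IoT-hunt login attempts, in the style of
the report's Tables 1 and 2 and its top-N IP share figures.

Added example: the event records below are constructed for illustration
and are not data from the F5 Labs / Loryka sensor network."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    quarter: str       # "Q3" or "Q4"
    src_ip: str        # attacking address (constructed, RFC 1918 space)
    asn: str           # network the address is delegated to, e.g. "AS4134"
    src_country: str   # ISO code of the source network's country
    dst_country: str   # country of the sensor that recorded the attempt
    service: str       # "telnet" or "ssh"
    username: str
    password: str


# (quarter, src_ip, asn, src_country, dst_country, service, user, password, count)
# Constructed sample: each row expands into `count` identical login attempts.
_SPEC = [
    ("Q3", "10.0.0.1", "AS4134",  "CN", "RU", "telnet", "root",    "xc3511",   30),
    ("Q3", "10.0.0.2", "AS4134",  "CN", "ES", "telnet", "admin",   "admin",    20),
    ("Q3", "10.0.0.3", "AS58543", "CN", "RU", "telnet", "root",    "vizxv",    10),
    ("Q3", "10.0.1.1", "AS14061", "US", "RU", "ssh",    "root",    "123456",    5),
    ("Q3", "10.0.1.1", "AS14061", "US", "RU", "ssh",    "admin",   "password",  5),
    ("Q3", "10.0.2.1", "AS16276", "FR", "US", "telnet", "root",    "admin",    10),
    ("Q3", "10.0.3.1", "AS29182", "RU", "ES", "telnet", "support", "support",   5),
    ("Q4", "10.0.0.1", "AS4134",  "CN", "RU", "telnet", "root",    "xc3511",   40),
    ("Q4", "10.0.0.4", "AS4134",  "CN", "RU", "telnet", "root",    "xc3511",   30),
    ("Q4", "10.0.0.5", "AS58543", "CN", "RU", "telnet", "root",    "vizxv",    20),
    ("Q4", "10.0.1.1", "AS14061", "US", "RU", "ssh",    "root",    "123456",   10),
    ("Q4", "10.0.1.2", "AS14061", "US", "GB", "ssh",    "root",    "123456",   10),
    ("Q4", "10.0.2.1", "AS16276", "FR", "US", "telnet", "root",    "admin",    10),
    ("Q4", "10.0.3.1", "AS29182", "RU", "ES", "telnet", "support", "support",  20),
    ("Q4", "10.0.3.2", "AS29182", "RU", "RU", "telnet", "root",    "888888",   20),
    ("Q4", "10.0.4.1", "AS49061", "GB", "RU", "telnet", "admin",   "1234",     20),
]


def expand(spec):
    """Turn the compact spec rows into one Event per recorded attempt."""
    events = []
    for q, ip, asn, sc, dc, svc, user, pw, n in spec:
        events.extend([Event(q, ip, asn, sc, dc, svc, user, pw)] * n)
    return events


EVENTS = expand(_SPEC)


def in_quarter(events, quarter):
    return [e for e in events if e.quarter == quarter]


def attack_summary(events, quarter):
    """Table 1 style: attack count, unique IPv4 addresses, unique ASNs."""
    qe = in_quarter(events, quarter)
    return {
        "attacks": len(qe),
        "unique_ips": len({e.src_ip for e in qe}),
        "unique_asns": len({e.asn for e in qe}),
    }


def auth_summary(events, quarter, service="ssh"):
    """Table 2 style: distinct user names and passwords tried on one service."""
    qe = [e for e in in_quarter(events, quarter) if e.service == service]
    return {
        "unique_usernames": len({e.username for e in qe}),
        "unique_passwords": len({e.password for e in qe}),
    }


def growth_pct(before, after):
    """Quarter-over-quarter change in percent, rounded to one decimal."""
    return round((after - before) / before * 100, 1)


def quarter_growth(events, q_before, q_after):
    """Growth of attacks, unique IPs and unique ASNs between two quarters."""
    b, a = attack_summary(events, q_before), attack_summary(events, q_after)
    return {k: growth_pct(b[k], a[k]) for k in b}


def top_by(events, quarter, field, n):
    """Top-n values of a field ("src_country", "dst_country", "asn", ...) with counts."""
    return Counter(getattr(e, field) for e in in_quarter(events, quarter)).most_common(n)


def top_ip_share_pct(events, quarter, n=50):
    """Share of the quarter's attacks produced by its n busiest IP addresses."""
    qe = in_quarter(events, quarter)
    top = sum(c for _, c in Counter(e.src_ip for e in qe).most_common(n))
    return round(top / len(qe) * 100, 1)


if __name__ == "__main__":
    for q in ("Q3", "Q4"):
        print(q, attack_summary(EVENTS, q), auth_summary(EVENTS, q))
        print(q, "top source countries:", top_by(EVENTS, q, "src_country", 3))
        print(q, "top-2 IP share: %.1f%%" % top_ip_share_pct(EVENTS, q, 2))
    g = quarter_growth(EVENTS, "Q3", "Q4")
    print("Q3->Q4 growth:", g)
    # IPs growing faster than ASNs means actors are adding addresses inside
    # networks already on the list rather than appearing from new networks.
    print("new addresses inside existing networks:", g["unique_ips"] > g["unique_asns"])
```

Running the block prints the per-quarter summaries for the constructed sample. The reading the report applies is the comparison returned by `quarter_growth`: when `unique_ips` grows much faster than `unique_asns`, the additional attack sources are inside networks that were already hunting, which is why publishing the ASN list is more useful to defenders than publishing a churn of individual addresses.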
Q3 TOP 50 ATTACKING IP ADDRESS ASNS
In Q3, 11 ASNs owned the top 50 IP addresses. This was dominated by Chinese state-owned telecom companies, including China Telecom, Chinanet, and China Unicom. Note the other 7 ASNs had 1 IP address each on the top 50 attacking IP list, which are standout threat actors that they could likely track down.
Table 7 shows the ASN numbers and countries associated with the data shown in Figure 12.
ASN #/s          | ASN Owner       | IP Addresses on Top 50 list | Country     | Industry
-----------------|-----------------|-----------------------------|-------------|----------------------
AS58543          | China Telecom   | 20                          | China       | Telecom (State-Owned)
AS4134, AS23650  | Chinanet        | 16                          | China       | Telecom (State-Owned)
AS4837           | China Unicom    | 7                           | China       | Telecom (State-Owned)
AS8560           | 1&1 Internet    | 1                           | Germany     | Hosting
AS14061          | Digital Ocean   | 1                           | US          | Hosting
AS36351          | SoftLayer       | 1                           | US          | Hosting
AS29182          | The First-RU    | 1                           | Russia      | Unknown
AS16276          | OVH             | 1                           | France      | Hosting
AS50673          | Serverius       | 1                           | Netherlands | Hosting
AS9050           | Telekom Romania | 1                           | Romania     | Telecom
Table 8 lists the ASN numbers associated with the pie chart shown in Figure 12.
ASN #/s                    | ASN Owner                 | IP Addresses on Top 50 list | Country        | Industry
---------------------------|---------------------------|-----------------------------|----------------|----------------------
AS58543                    | China Telecom             | 13                          | China          | Telecom (State-Owned)
AS4134, AS23650, AS133774  | Chinanet                  | 11                          | China          | Telecom (State-Owned)
AS14061                    | Digital Ocean             | 4                           | US             | Hosting
AS19531                    | Nodes Direct              | 2                           | US             | Hosting
AS29066                    | Velia.net                 | 2                           | Germany        | Online Gaming
AS16276                    | OVH                       | 2                           | France         | Hosting
AS49061, AS57002           | William Hill Organization | 2                           | UK / Gibraltar | Online Gambling
AS9304                     | Hutchison Global          | 1                           | China          | Telecom
AS16509                    | AWS                       | 1                           | US             | Hosting
AS36024                    | Colo4 LLC                 | 1                           | US             | Hosting
AS46664                    | Volume Drive              | 1                           | US             | Hosting
AS262254                   | Dancom LTD                | 1                           | Belize         | Hosting
AS24940                    | Hetzner Online GmbH       | 1                           | Germany        | Hosting
AS20738                    | Host Europe GmbH          | 1                           | UK             | Hosting
AS49544                    | i3d B.V.                  | 1                           | Netherlands    | Hosting
AS50113                    | MediaService Plus         | 1                           | Russia         | Unknown
AS24961                    | myLoc Managed IT AG       | 1                           | Germany        | Hosting
AS12876                    | Online SAS                | 1                           | France         | Hosting
AS56934                    | Sologigabit               | 1                           | Spain          | Hosting
AS16125                    | UAB Cherry Servers        | 1                           | Lithuania      | Hosting
AS10429                    | Telefonica Data           | 1                           | Brazil         | Telecom
THE HUNT BY INDUSTRY
As we've seen from the numerous charts and tables already presented, the top industries conducting attacks are telecom companies, mainly Chinese state-owned, followed by hosting providers. The unknown are ASNs in Russia.
Figure 12. Q3 and Q4 top 50 attacking IP addresses by industry (bar chart; y-axis: number of top 50 attacking IPs, 0 to 50; categories: Hosting Provider, Telecom, Telecom (state-owned: China), Unknown, Online Gaming, Online Gambling; series: Top 50 Attacking IPs by Industry Q3, Top 50 Attacking IPs by Industry Q4)
CONCLUSION
It's fair to say that when it comes to IoT, we still haven't fully grasped the impact of these enormous IoT DDoS attacks, nor do we know what the global response effort will be. Needless to say, we no longer need to convince anyone of the vast threat that IoT devices pose.
The vulnerability posture of IoT devices in general, combined with the expected growth and adoption rate of IoT devices, make for an ever-expanding exploit surface. These factors, in conjunction with the highly active and growing hunt (almost 1,400% increase in 2016!) and subsequent Bots of X construction, make the threat of IoT attacks very real for all businesses.
Over the course of 2017, we will continue to monitor and publish the IoT hunt and resulting botnets, as well as any new IoT threat research, including but not limited to vulnerable chipsets and manufacturers, validating IoT device type attack capabilities, the impact of Message Queue Telemetry Transport (MQTT), and the implications that the use of IPv6 addresses could have on the overall IoT threat.
No doubt there will be hiccups over the next few years while DDoS attacks grow in size, scrubbing services grow in bandwidth to accommodate multiple Tbps DDoS attacks, new IoT attack vectors are realized (while the industry scrambles to mitigate them), and IoT device manufacturers and telecom companies, ISPs, and hosting providers come under increasing pressure to deal with this problem. Right now, organizations and consumers have no choice but to get used to this evolving threat, like all other major threats before this one.
Beyond just getting used to it, here are some steps security professionals can take, both personally and professionally:
1. Have a DDoS strategy. If you don't already have a DDoS strategy in place, now is the time for one, and there are three good options:
   a. On-premises equipment is great for customers who are routinely targeted with DDoS attacks (below their network capacity) and have trained resources to effectively mitigate them on their own.
   b. Hybrid on-premises and cloud scrubbing for customers that receive frequent DDoS attacks they mitigate with their on-premises equipment and resources (because it's not cost effective to outsource), but who are also at risk of large attacks that exceed their capabilities and therefore need backup DDoS scrubbing services.
   c. Cloud scrubbing for companies that don't deal with DDoS on a regular basis and do not have in-house expertise or equipment. This includes any company at risk of large scale attacks that exceed their network capabilities (that's essentially every business on the Internet outside of service providers and DDoS scrubbing services!).
2. Ensure critical services have redundancy. Consider that you are not always going to be the target, but the services you use could be, in which case you are a potential downstream casualty. Have a business continuity plan that includes disaster recovery for your critical services so you don't find yourself in the same boat as Twitter, Github, and Spotify when Dyn DNS was taken offline by a DDoS attack, or any other company that solely leveraged OVH for hosting and was down when their network was attacked. Have a dual strategy in place (or even a multi strategy, in the case of DNS) to protect yourself. Remember that DNS can be your friend, too; Anycast your global data centers for replicated content to diffuse DDoS attacks when they happen.
3. Don't buy IoT products known to be insecure or compromised. Money talks! Choosing not to spend money on the products built by irresponsible manufacturers is a quick way to drive change, at both a grassroots level personally with consumer products that become weapons against your business, and professionally if you are an IoT implementer.
   a. If you are a company that deploys but does not manufacture IoT devices, test and verify the safety of a vendor's products before you buy them.
   b. If you are a security professional, the general public needs help knowing which devices are vulnerable or compromised, so share your knowledge with your family and friends and encourage them to share, as well. Social media is a powerful tool; so is security awareness training for your employees.
4. Share your knowledge. Security professionals around the world can chip away at this global problem by communicating more with each other and sharing knowledge. Attackers are known for sharing information with each other; they even shared the most powerful botnet to date! Security professionals, even among competitors, need to take a page from attackers' playbooks by sharing more key information about vulnerable devices, attacks and threat actors, mitigation efforts that are working, and potential solutions, no matter how wild the ideas might seem.
ABOUT F5 LABS
F5 Labs combines the threat intelligence data we collect with the expertise of our security researchers to provide actionable, global intelligence on current cyber threats, and to identify future trends. We look at everything from threat actors, to the nature and source of attacks, to post-attack analysis of significant incidents to create a comprehensive view of the threat landscape. From the newest malware variants to zero-day exploits and attack trends, F5 Labs is where you'll find the latest insights from F5's threat intelligence team.
For more information, visit: www.f5.com/labs
ABOUT LORYKA
Loryka is a team of dedicated researchers that monitor and investigate emerging attacks, advanced persistent threats, and the organizations and individuals responsible. The team also develops research tools to identify, investigate, and track ongoing attacks and emerging threats.
[i] https://f5.com/labs/articles/threat-intelligence/ddos/ddoss-newest-minions-iot-devices-v1-22426
[ii] https://f5.com/labs/articles/threat-intelligence/ddos/mirai-the-iot-bot-that-took-down-krebs-and-launched-a-tbps-attack-on-ovh-22422
[iii] http://dyn.com/blog/dyn-statement-on-10212016-ddos-attack/
[iv] https://f5.com/labs/articles/threat-intelligence/ddos/are-you-ready-to-handle-100-gbps-ddos-attacksthe-new-normal-22627
[v] https://f5.com/labs/articles/threat-intelligence/cyber-security/using-f5-labs-threat-intelligence-24665
[vi] https://f5.com/labs/articles/threat-intelligence/cyber-security/iot-threats-a-first-step-into-a-much-larger-world-of-mayhem-24664
[vii] http://www.gartner.com/newsroom/id/3165317
Table 10. Q4 ASNs launching 10K or greater attacks from one IP address, listed by country