Throughout the year of 2016, Zepko Analysts have observed huge increases in the volume of internet scanning against client perimeters. One client in the Legal sector in January 2016 had over 14,000 denied connection attempts to their public facing firewall, which when compared to the more than 80,000 denied connections seen in December 2016, shows an increase of 470% in just 12 months.

This activity increased gradually throughout the year as can be seen below with a visual representation of the events that included GeoIP information.

Map displaying geographical locations of denied connection attempts in January 2016


Map displaying geographical locations of denied connection attempts in July 2016


Map displaying geographical locations of denied connection attempts in December 2016


As seen above, we first observed that most of the connection attempts originated from Southeast Asia before a huge increase in attempts from North America, South America and Europe.

So why have these figures increased by so much?

To determine the cause of this rise in scanning activity, Analysts decided to correlate the number of denied connection attempts to the client’s firewall with real world InfoSec events that are relevant to this activity and created a timeline to display this.

Timeline of InfoSec events and number of denied connection attempts to a client

This timeline shows a clear correlation between when vulnerabilities in IoT and router targeting malware is released, and the number of denied connection attempts against the client’s firewall.

This trend suggests that more attackers are attempting to follow new trends such as the use of IoT malware botnets to utilize them in large scale DDoS attacks. An example of which is the Dyn DNS attack, in which hackers used huge IoT botnets thought to be associated with Mirai IoT malware to attack the DNS provider Dyn who were the DNS providers for online services such as Twitter, SoundCloud, Spotify and Reddit to name a few.

This caused huge outages, but the scariest part is that this was carried out with a botnet created using open source software, as the Mirai source code was released in early October along with instructions of use. This allows even beginner black hat hackers to relatively easily generate a botnet with thousands of infected hosts making DDoS attacks much easier to carry out.

The year of 2016 also saw record breaking DDoS attack sizes with the popular Information Security blog ‘‘ being victim of an attack featuring as much as 620Gbps in traffic which is also through to be the result of an IoT based botnet with reports of it originating from a series of vulnerable CCTV cameras.

How can we prevent this?

Protect internet facing devices

A huge prevention method for these activities, as simple as it sounds, would be to ensure that devices are not connected to the internet before the following actions have been complete:

  • Asses whether the device needs to be connected to the internet at all.
  • Change any default credentials to secure passwords and non-default users where possible.
  • Ensure the latest possible firmware and software is installed on the device.
  • Restrict device access using white-listing where possible.

The Mirai botnet heavily relies on the use of default telnet credentials to IoT enabled devices, meaning that the steps mentioned above would heavily hinder it.

Implement DDoS Mitigation

It is strongly recommended that websites and online services are protected against DoS and DDoS attacks via the use of one or more of the following methods:

  • On-premise DDoS mitigation appliance.
  • Purchase a DDoS mitigation service from your hosting or internet service provider.
  • Purchase a DDoS mitigation service from a specialized mitigation service (e.g. Zepko Web Defence/Cloud Flare).
  • Utilize a combination of the above.