The research by internet security firm Akamai reveals a sharp increase in locally sourced bots using unsecured internet devices to launch large-scale attacks on Australian sites.
“Many Australian organisations have typically blocked overseas attacks using geo-blocking techniques,” Akamai senior security analyst, Nick Rieniets, told a Cyber Leadership Briefing in Canberra last week.
This stopped any overseas users — good or bad — from accessing a local site, but effectively protected the site while it remained available to Australian-located users.
“This data suggests this strategy is now flawed. Most local ISPs are not able to withstand the size of the Internet of Things attacks from within Australia,” Rieniets said.
Rieniets told attendees of the briefing the data means there is now a significant increase in the likelihood of a DDoS attack. “Your ability to mitigate these attacks cannot rely on the past assumptions that underpin the Island Australian approach,” Rieniets said.
The data collected by Akamai from a variety of sources showed a sharp increase in the so-called Mirai bot, a malicious piece of code that seeks out insecure devices and commands them to attack websites and logins. By taking over a large number of Internet of Things devices, Mirai is able to attack websites with far greater force than previous malware.
The Mirai bot took down several large websites in the US last year, with attacks exceeding 600 Gbs, far larger than any previous attack, and with a volume that could not be defended against by traditional ISP defences.
The Mirai software was then released for others to use, setting off more attacks around the world, with reports of a French-based attack exceeding 1 Tbs. This is two to three times the size of what had previously been the benchmark for so-called “mega” attacks.
Data from the Australian Communications and Media Authority revealed a sharp increase in Australian-based attacks shortly after the Mirai software was also detected in Australia. Whereas local attack traffic is typically less than one per cent of all attack traffic in Australia, Akamai data showed locally sourced attack traffic jumping by as much as four times in the last quarter of 2016.
This was accompanied by a sharp increase in malicious IP addresses participating in attacks against Australian web sites. The IoT attacks have continued this year.
Rieniets said the Akamai data on the network sources of last year’s attacks shows a pattern of sophisticated intervention from established offshore nodes, suggesting the attacks were more than the work of random hackers and were deliberately targeting the Australian region.
More broadly, Akamai’s ability to view threat data geographically reveals how Mirai changed the geo-profile of attacks – not just in Australia, but across Europe, the Americas and other parts of Asia as well.
The data has been provided to financial sector players as evidence of the need to strengthen defences against large localised attacks. This requires a substantial upgrade in site protection, rather than relying on ISPs to block malicious offshore traffic.
The evidence of the change in attack strategies should prompt a rethink of local defence solutions, especially for high-profile local government and non-government sites.
Rieniets says the data suggests local attacks are continuing as others seek to exploit the underlying weakness in what has till now been called the Island Australia defence.
“Australian banks can expect malicious and volumetric attacks to be launched from within Australia. It is not unreasonable to expect these attacks will be greater than 100 gbs,” Rieniets said.
“IoT botnets have not significantly increased the sophistication of the attacks but they have changed the geographic footprints of the bots that generate the attacks.”
Akamai manages the delivery of many major internet sites here and overseas, including many major US Government sites.
Locally, Akamai supports all the major Australian banks and several high-performance government web sites.
Through its network, Akamai has high visibility of the broader internet, which it uses to detect and repel attacks before they get close to target web sites.