Slashdot Mirror


More Than 40% of Global Log-in Attempts Are Malicious (infosecurity-magazine.com)

More than 40% of global log-in attempts are malicious thanks to bot-driven credential stuffing attacks, according to the latest report from Akamai. From a report: The cloud delivery provider's latest State of the Internet/Security report for Q4 2017 comprised analysis from over 7.3 trillion bot requests per month. It claimed that such requests account for over 30% of all web traffic across its platform per day, excluding video streaming. However, malicious activity has seen a sharp increase, as cyber-criminals look to switch botnets from DDoS attacks to using stolen credentials to try to access online accounts. Of the 17 billion login requests Akamai tracked in November and December, over two-fifths (43%) were used for credential abuse. The figure rose to a staggering 82% for the hospitality industry.

10 of 61 comments

  1. I'm sorry by Anonymous Coward · · Score: 3, Funny

    I keep losing my post-it notes.

    1. Re:I'm sorry by DontBeAMoran · · Score: 2

      Post-it notes cannot be hacked via the internet.

      --
      #DeleteFacebook
  2. 99% on my vm by imidan · · Score: 4, Informative

    I have a VM with a hosting service where I run Ubuntu to host some things like svn and other small services. According to the ssh logs, where bots are trying to log in constantly, and the apache logs, where bots are constantly trying to access admin pages for services I don't run, I'd say that more than 99% of login attempts are malicious on that host. That's without advertising the IP or hostname anywhere; the bots just found it over time. I do run fail2ban, so they eventually get blocked, but there's an endless supply of them.

  3. Well, duh... by bradley13 · · Score: 4, Informative

    Create a new AWS account, and create a new AWS instance. Allow normal login (not just SSH), and don't do any sort of IP restriction. Watch your logs. Your instance will be noticed very quickly, and will be flooded by bots attempting to brute-force a login. FWIW, the bots are all from Eastern Europe and Asia, or at least they were the last time I tried this (a few years ago). It's pretty crazy.

    I don't know about other cloud services, but I wonder about AWS policies. You can set a warning when your monthly spend exceeds a threshold, but you cannot actually set a hard spending limit. This means that, if someone manages to hack into one of your servers (or, better, into your account), they can use as many resources as they want, until you notice and stop them. If you don't notice, they can run up massive bills, which AWS will want you to pay. Seems like a good racket, no wonder those bots are lurking...

    --
    Enjoy life! This is not a dress rehearsal.
  4. That high? by Obfuscant · · Score: 4, Interesting

    I should send these guys my log files. I'm sitting here watching a site in China trying to ssh connect to just one of mine every few minutes, even though it has always gotten a connection refused response. I have other sites where the logs are almost nothing but failed login attempts from the same site, with an hourly DHCP lease renewal thrown in just to break the monotony.

    I'd say more like 99% of attempts are malicious.

  5. Believable... by rnturn · · Score: 2

    I see all sorts of attempts to log in through my firewall---even attempts via telnet, of all things.

    --
    CUR ALLOC 20195.....5804M
  6. Comment removed by account_deleted · · Score: 3, Insightful

    Comment removed based on user account deletion

  7. Re:The Internet is like the environment by Dutch Gun · · Score: 2

    Obligatory XKCD. I think Steve Gibson called this "Internet background radiation," which always seemed like a fairly good way to describe the constant noise of scanners and probes that anyone can see attacking *every* system on the net, non-stop.

    --
    Irony: Agile development has too much inertia to be abandoned now.
  8. Restrict SSH by IP by bradley13 · · Score: 2

    If you want some peace (and peace of mind), restrict SSH logins by IP range. Even if your address is dynamic, your ISP only has a certain range of addresses. Find out what that range is, and set your server to only accept login attempts from those addresses. With AWS, this is part of the security setting outside the VM. Your hosting service may differ, of course...

    --
    Enjoy life! This is not a dress rehearsal.
  9. Also in the real world non-standard ports work by raymorris · · Score: 2

    Restricting by IP range is a great idea - as long as you'll still have a way in when your ISP suddenly gives you a completely different range.

    Also, in theory, attackers could try all ports, so it doesn't matter which port you use. In the real world, most attackers use the standard ports, so choosing a random port below 1024 greatly reduces the number of attacks. That doesn't work against theoretical attackers, but it works against most real ones.
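An added example, not part of any comment in this thread: a way to measure on your own host what the commenters describe, by parsing sshd auth-log lines to get the failed-login share, the sources a fail2ban-style failure threshold would ban, and the share of attempts an IP-range allowlist would have dropped. The function name `summarize`, the sample log lines and the `203.0.113.0/24` range are constructed assumptions, and the threshold is a simplification with no time window.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in OpenSSH sshd auth-log format (not from the thread).
SAMPLE_LOG = """\
Mar  3 10:01:12 vm sshd[811]: Failed password for root from 198.51.100.23 port 40112 ssh2
Mar  3 10:01:15 vm sshd[811]: Failed password for invalid user admin from 198.51.100.23 port 40114 ssh2
Mar  3 10:01:19 vm sshd[813]: Failed password for invalid user test from 198.51.100.23 port 40120 ssh2
Mar  3 10:02:40 vm sshd[820]: Failed password for root from 192.0.2.77 port 51022 ssh2
Mar  3 10:05:02 vm sshd[830]: Accepted publickey for alice from 203.0.113.9 port 50514 ssh2
Mar  3 10:07:31 vm sshd[841]: Failed password for alice from 203.0.113.9 port 50533 ssh2
"""

# Matches both outcomes; "invalid user" appears only on failures for unknown accounts.
LINE_RE = re.compile(
    r"sshd\[\d+\]: (Failed|Accepted) \S+ for (?:invalid user )?(\S+) "
    r"from (\S+) port \d+"
)

def summarize(log_text, allowed_cidrs, ban_threshold=3):
    """Return the failure share, the IPs a failure threshold would ban,
    and the share of attempts an IP allowlist would have dropped."""
    nets = [ipaddress.ip_network(c) for c in allowed_cidrs]
    failures, total, outside = Counter(), 0, 0
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a login-outcome line
        outcome, _user, src = m.groups()
        try:
            addr = ipaddress.ip_address(src)
        except ValueError:
            continue  # source logged as a hostname; skipped in this sketch
        total += 1
        if outcome == "Failed":
            failures[src] += 1  # note: a failure can also be a legitimate typo
        if not any(addr in n for n in nets):
            outside += 1
    failed = sum(failures.values())
    return {
        "attempts": total,
        "failed_share": failed / total if total else 0.0,
        "would_ban": sorted(ip for ip, n in failures.items() if n >= ban_threshold),
        "dropped_by_allowlist": outside / total if total else 0.0,
    }
```

In the sample, the allowlisted user's own mistyped password still counts as a failure, so the failed share is an upper bound on malicious attempts rather than an exact figure.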