Arbor Networks Demonstrates High Level of Current Secure Shell / Telnet Scan Activity

7 February 2017

Arbor Networks Inc., the security division of NETSCOUT (NASDAQ: NTCT), announced today that it has enhanced its global honeypot network with additional cloud-based infrastructure to monitor scanning activities that could lead to Internet of Things device (IoT) compromises. These instances are present in Northeast Asia Pacific, Southeast Asia Pacific, Central EU, Western EU, Eastern South America, Eastern U.S. and Western U.S. regions.

IoT devices are ideal targets for attackers looking to build Distributed Denial of Service (DDoS) botnets because they have limited or non-existent security features. Some IoT devices utilize hard-coded default passwords. Many devices have unnecessary services running that can be exploited, and others have unprotected management interfaces. Most important for DDoS attackers, IoT devices offer high-speed connections that are always on, which allows for a large, predictable amount of attack traffic volume per compromised device.

Looking at the honeypot data during a two week period, Arbor saw a total of 1,027,543 login attempts, of which 819,198 failed, from a total of 92,317 unique source IP addresses.

Overall, Arbor witnessed a peak of 18,054 login attempts per hour during the monitoring period.
Telnet is being targeted more frequently than Secure Shell (SSH). The average rates show the overall trend clearly — 756 versus 2,762 attempts per hour for SSH and Telnet respectively.

Regional Differences

The hardware and software used in a large proportion of current IoT devices comes from a very small number of manufacturers based in Asia. In 2014, one of the major manufacturers issued a new software release that solved some security issues. However, these fixes were only made available for the English version of the software. A regional breakout of the data showed a variation in the rate of login attempts by geographic area, with the Asia-Pacific (APAC) and South America honeypots seeing higher average and maximum attempt rates, more than one per minute in some cases.

“On a broad regional level, this research from Arbor validates so much of what we have learned over this last year about the expected increase in massive DDoS attacks. It is becoming more and more critical that manufacturers of IoT devices integrate security by design, including update capabilities, into their products to reduce the likelihood of their devices being used in botnets,” said Ari Schwartz, Venable’s Managing Director of Cybersecurity Services and former Special Assistant to the President and Senior Director for Cybersecurity in the Obama administration.

“Arbor’s annual security report is always an authoritative source of data on the state of cybersecurity. The inclusion of a special section on IoT is particularly timely, as it’s coming onto a lot of folks’ radars as a new vector for DDoS and other types of cyberattacks,” said Ovum senior analyst Rik Turner.

Become a bobsguide member to access the following

1. Unrestricted access to bobsguide
2. Send a proposal request
3. Insights delivered daily to your inbox
4. Career development