Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!


Forgot your password?
Security The Internet

More Than 40% of Global Log-in Attempts Are Malicious (infosecurity-magazine.com) 61

More than 40% of global log-in attempts are malicious thanks to bot-driven credential stuffing attacks, according to the latest report from Akamai. From a report: The cloud delivery provider's latest State of the Internet/Security report for Q4 2017 comprised analysis from over 7.3 trillion bot requests per month. It claimed that such requests account for over 30% of all web traffic across its platform per day, excluding video streaming. However, malicious activity has seen a sharp increase, as cyber-criminals look to switch botnets from DDoS attacks to using stolen credentials to try to access online accounts. Of the 17 billion login requests Akamai tracked in November and December, over two-fifths (43%) were used for credential abuse. The figure rose to a staggering 82% for the hospitality industry.
This discussion has been archived. No new comments can be posted.

More Than 40% of Global Log-in Attempts Are Malicious

Comments Filter:
  • I'm sorry (Score:3, Funny)

    by Anonymous Coward on Friday February 23, 2018 @01:15PM (#56176585)

    I keep losing my post-it notes.

    • by mark-t ( 151149 )
      There's nothing wrong with using post-it notes or a journal to remember passwords that appears entirely human readable, but one should write down all passwords using a code that they invent themselves. There are practically unlimited variations on the kinds of codes can be employed, and so while a code may be extremely easy to remember, it can still be virtually impossible for anyone to actually guess simply because of the size of the space of possible code combinations (don't believe me? try and enumera
  • by Anonymous Coward

    These figures don't paint the full picture. One brute force attack can account for multiple lifetime logins for a single application. We should be measuring by frequency of attack, per application - or find another metric that tells a more wholesome story.

    • This is why I love the Cloud so much! Let put everything in the Cloud, and nothing in safe private networks behind good firewalls.
    • Once upon a time close to 50â... of adult sites which had logins used my login system I designed. These days it's probably down to 20â... or so, but still a lot of sites. What exactly would you like to know?

      Bottom line is this - sites are attacked all day every day.

  • 99% on my vm (Score:5, Informative)

    by imidan ( 559239 ) on Friday February 23, 2018 @01:20PM (#56176615)
    I have a VM with a hosting service where I run Ubuntu to host some things like svn and other small services. According to the ssh logs, where bots are trying to log in constantly, and the apache logs, where bots are constantly trying to access admin pages for services I don't run, I'd say that more than 99% of login attempts are malicious on that host. That's without advertising the IP or hostname anywhere; the bots just found it over time. I do run fail2ban, so they eventually get blocked, but there's an endless supply of them.
    • by Anonymous Coward
      Just set it so a failed login blocks additional logins from that IP for 30 seconds.
      • Re:99% on my vm (Score:4, Insightful)

        by cream wobbly ( 1102689 ) on Friday February 23, 2018 @01:37PM (#56176771)

        Did you miss the bit where he said he's running fail2ban?

        The point of his comment isn't to ask for advice, it's that he is seeing a far higher rate of malicious login attempts than described in TFS.

        • The rate of malicious logins is likely a constant so the ratio is entirely affected by the rate of real logins. Popular services with a lot of real logins have lower rations. But every IP is probably seeing a constant stream.
    • I got sick of the spam in my ssh and http logs and also installed fail2ban. It doesn't totally make the problem go away, but it did cut way down on my log file growth rate. I also found increasing the duration of the ban and lowering the number of failed attempts helps, and using a white list for known system admin.

      The servers that I have on Comcast IP block get hit harder than the ones I have on Hurricane Electric (co-location business), so it seems likely that these bots/zombies are scanning some ranges o

    • Same problem . My mail server sees over 99% of logins as malicious, and fail2ban is very busy. Some of the credentials move from IP to IP within milliseconds, not simultaneous attacks, but sequential from one host to another. My web server logs 8 WordPress login attempts per hour from a specific country, changing every few days. They are fairly clever with the credential tries, but I use a surprising admin login name which I thought would be discreetly obvious, and so far not. General web server attacks are

      • by imidan ( 559239 )
        I used to have a fail2ban config that would block IPs based on their requesting certain things over http... phpmyadmin, wordpress, a few other things. I had a hard drive failure and lost that stuff, and I haven't yet bothered to rebuild. Since I don't run any of those items, there doesn't seem to be a great risk in ignoring the requests, although it does pollute the logs.
    • by eth1 ( 94901 )

      Well, any personal use device is going to have a small number of legitimate logins, so of course it will be utterly swamped by malicious ones in comparison. I see the same thing, but I don't allow passwords for SSH (must have RSA key), and my firewall limits things down to the few places I normally log in from. Everything else is tunneled over SSH.

      • by imidan ( 559239 )
        I should probably change to key authentication for ssh, because although I travel a fair amount, I'm typically using my own laptop to connect. I've resisted whitelisting because of travel. I guess another option would be to get a VPN service and then whitelist my home IPs and the VPN, and just always use the VPN while traveling.
      • I run login nodes for an HPC system at work and it is just like my personal severs frankly. Fail2ban cuts it down a lot, but I now rate limit the number of new SSH connections from an IP address at the firewall.

    • Same thing at home on my Tomato router... even if I change the SSH port to some random number, quickly there is dozens of try per day, from bots, strangely enough about all the IP addresses comes from USA.

    • If you want some peace (and peace of mind), restrict SSH logins by IP range. Even if your address is dynamic, your ISP only has a certain range of addresses. Find out what that range is, and set your server to only accept login attempts from those addresses. With AWS, this is part of the security setting outside the VM. Your hosting service may differ, of course...

      • Restricting by IP range is a great idea - as long as you'll still have a way in when your ISP suddenly gives you a completely different range.

        Also, in theory, attackers could try all ports, so it doesn't matter which port you use. In the real world, most attackers use the standard ports, so choosing a random port below 1024 greatly reduces the number of attacks. That doesn't work against theoretical attackers, but it works against most real ones.

        • Is port knocking still a thing?

          • People still use it. It's effective, despite the fact that theory says attackers *could* try combinations of ports. Personally, I don't use it. Non-standard ports get most of the benefit - reduced attack attempts, and either way it still needs to be secure after an attacker connects to the port.

  • Well, duh... (Score:5, Informative)

    by bradley13 ( 1118935 ) on Friday February 23, 2018 @01:23PM (#56176645) Homepage

    Create a new AWS account, and create a new AWS instance. Allow normal login (not just SSH), and don't do any sort of IP restriction. Watch your logs. Your instance will be noticed very quickly, and will be flooded by bots attempting to brute-force a login. FWIW, the bots are all from Eastern Europe and Asia, or at least they were the last time I tried this (a few years ago). It's pretty crazy.

    I don't know about other cloud services, but I wonder about AWS policies. You can set a warning when your monthly spend exceeds a threshold, but you cannot actually set a hard spending limit. This means that, if someone manages to hack into one of your servers (or, better, into your account), they can use as many resources as they want, until you notice and stop them. If you don't notice, they can run up massive bills, which AWS will want you to pay. Seems like a good racket, no wonder those bots are lurking...

    • Pretty much Eastern Europe, Poland has been hitting me lately, but I'm sure these are compromised or rented hosts. Asian hosts are so bad I've got permabans on most of the .cn allocations, since I have virtually no legitimate China demand. EU hosts are random. US hosts are surprisingly infrequent, and the rest of the world seems to not even try much, 2% maybe.

      I once permabanned .ru, .by, .cz, .ee, .ht, .mk, .pl, .rs, .si, .sk, and .ua. I turn these off occasionally to see what is actively obnoxious and upda

  • That high? (Score:5, Interesting)

    by Obfuscant ( 592200 ) on Friday February 23, 2018 @01:24PM (#56176649)
    I should send these guys my log files. I'm sitting here watching a site in China trying to ssh connect to just one of mine every few minutes, even though it has always gotten a connection refused response. I have other sites where the logs are almost nothing but failed login attempts from the same site, with an hourly DHCP lease renewal thrown in just to break the monotony.

    I'd say more like 99% of attempts are malicious.

    • Yup. I wrote a script to spot those slow attackers trying to stay under the threshold and hit me every 30 seconds or so. Some did it for months, 24x7. Sort of like the old war dialers, trying not to trigger a response.

      These are annoying, but also predictably using dictionary and alphabetic attacks. I'm not worried, of these attackers, 1% ever guess a nonobvious login name, much less password, and I've toyed with fiddling with scripts and trying to encourage attacks on nonexistent credentials just to keep th

  • I don't know how the number could possibly be that low. A bot can iterate through many accounts per second. Oh, sure, timeouts, but any competent bot must surely try to log into many different places while waiting for timers to count down on the ones it has already tried.

    • In that situation it is actually very very hard to hold as many idle connections as you could create. Even if you build a custom linux kernel to handle that many, it won't be reliable. Intermediate routers will also turn out to have per-host cache tables, and they'll start silently dropping your connections if you have that many.

      In reality I can just look at my logs and see the pattern; each IP only does a few tries per minute, and usually appears to be part of a cluster of IPs that schedule attempts togeth

  • by rnturn ( 11092 ) on Friday February 23, 2018 @01:33PM (#56176725)
    I see all sort of attempts to login through my firewall---even attempts via telnet, of all things.
  • by Anonymous Coward

    Typically a user will make 1-3 login attempts per log in (>1 only if they have trouble typing) where as malicious login attempts would be much greater when trying to brute force/ use password lists. So is this 40% distinct IP attempts? If not I would expected a much higher percentage.

  • I turned on all email notifications for fail2ban and I was receiving some 3 to 4000 emails a day.

    Then I moved my imap, smtp, and ssh servers over to non-standard ports, and I receive maybe an email a week from fail2ban.

  • by Anonymous Coward

    Of the 17 billion login requests Akamai tracked in November and December, over two-fifths (43%) were used for credential abuse.

    And who the fuck gave Akamai permission to track this? The users sure as hell didn't -- which is why the Akamai stuff is on my blocklists in my browsers.

    And 40%? That sounds like an incredibly low number, since by now the only reasonable conclusion is the interwebs are populated with millions of assholes all trying to break into things.

    The hackers you can't really stop, but the en

  • We walk around all day in an environment filled with various organisms and diseases that are all trying to feed on us. That's why we have skin ( think firewall ), and an immune system, as well as other defenses. All computing systems should be built such that they could survive and do their jobs safely while directly connected to the Internet. Even though we put them behind firewalls, we should understand that it's a jungle out there. Build them to trust only them selves, and then have a backup defense.
    • Obligatory XKCD. [xkcd.com] I think Steve Gibson called this "Internet background radiation," which always seemed like a fairly good way to describe the constant noise of scanners and probes that anyone can see attacking *every* system on the net, non-stop.

  • I think this headline should have been:

    "Only 40% of Global Log-in Attempts Are Malicious"

I'm always looking for a new idea that will be more productive than its cost. -- David Rockefeller