SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
Story image
State of the internet: DDoS attack activity soaring
Wed, 20th May 2015
FYI, this story is more than a year old

The first quarter of 2015 saw a significant increase in DDoS attacks, according to new research from content service firm Akamai Technologies.

Akamai Technologies has today released the findings of its Q1 2015 State of the Internet – Security Report, which provides analysis and insight into the global cloud security threat landscape.

The report analyses thousands of distributed denial of service attacks observed across the PLXrouted network as well as nearly millions of web application attack triggers across the Akamai Edge network, the company explains in a statement.

“By bringing in the web application attack data, along with in-depth reports from all of our security research teams, we're able to provide a more holistic view of the internet and the attacks that occur on a daily basis,” says John Summers, vice president, Cloud Security Business Unit, Akamai.

“This report provides an in-depth look at DDoS attacks, and sets a baseline for web application attack triggers, so we will be able to report on attack trends for both the network and application layers in our future reports.

Akamai says the report showed DDoS attack activity soared in the first quarter of 2015. Q1 2015 set a record for the number of DDoS attacks observed across the PLXrouted network – more than double the number recorded in Q1 2014 – and a jump of more than 35% compared to last quarter.

However, Akamai says the attack profile has changed. Last year, high bandwidth and short duration attacks were the norm, but in Q1 2015, the typical DDoS attack was less than 10 gigabits per second and endured for more than 24 hours.

The company says there were eight mega-attacks in Q1, each exceeding 100 Gbps. While that was one fewer mega-attack than in Q4 2014, such large attacks were rarely seen a year ago. The largest DDoS attack observed in Q1 2015 peaked at 170 Gbps.   During the past year, DDoS attack vectors have also shifted, Akamai says. This quarter, Simple Service Discovery Protocol (SSDP) attacks accounted for more than 20% of the attack vectors, while SSDP attacks were not observed at all in Q1 or Q2 2014.

SSDP comes enabled by default on millions of home and office devices—including routers, media servers, web cams, smart TVs and printers—to allow them to discover each other on a network, establish communication and coordinate activities. If left unsecured and/or misconfigured, these home-based, internet-connected devices can be harnessed for use as reflectors.   During Q1 2015, the gaming sector was once again hit with more DDoS attacks than any other industry, according to the report. Gaming has remained the most targeted industry since Q2 2014, consistently being targeted in 35% of DDoS attacks. The software and technology sector was the second most targeted industry in Q1 2015, with 25% of the attacks.   A look at seven common web application attack vectors

For the Q1 2015 report, Akamai concentrated its analysis on seven common web application attack vectors, which accounted for 178.85 million web application attacks observed on the Akamai Edge network. These vectors included SQL injection (SQLi), local file inclusion (LFI), remote file inclusion (RFI), PHP injection (PHPi), command injection (CMDi), OGNL Java injection (JAVAi) and malicious file upload (MFU).

During Q1 2015, more than 66% of the web application attacks were attributed to LFI attacks. This was fuelled by a massive campaign against two large retailers in March, targeting the WordPress RevSlider plugin.   SQLi attacks were also quite common, making up more than 29 percent of web application attacks. A substantial portion of the SQLi attacks was related to attack campaigns against two companies in the travel and hospitality industry. The other five attack vectors collectively made up the remaining five percent of attacks.   Accordingly, the retail sector was the hardest hit by web application attacks, followed by the media and entertainment and hotel and travel sectors.   The growing threat of booter/stresser sites The menu of easy-to-use attack vectors found in the DDoS-for-hire market can make it easy to dismiss the effectiveness of attackers who use them. A year ago, peak attack traffic using these tactics from booter/stresser sites typically measured 10-20 Gbps per second. Now these attack sites have become more dangerous, capable of launching attacks in excess of 100 Gbps. With new reflection attack methods being added continually, such as SSDP, the potential damage from these is expected to continue increasing over time.   IPv6 adoption brings new security risks IPv6 DDoS is not yet a common occurrence, but there are indications that malicious actors have started testing and researching IPv6 DDoS attack methods. A new set of risks and challenges associated with the transition to IPv6 are already affecting cloud providers as well as home and corporate network owners. Many IPv4 DDoS attacks can be replicated using IPv6 protocols, while some new attack vectors are directly related to the IPv6 architecture. Many of the features of IPv6 could enable attackers to bypass IPv4-based protections, creating a larger and possibly more effective DDoS attack surface. The Q1 security report outlines some of the risks and challenges that are ahead of us.   SQL injection attacks move beyond data theft While SQL injection attacks have been documented since 1998, their uses have grown. The effects of these malicious queries can extend well beyond simple data exfiltration, potentially causing more damage than a data breach would have. These attacks can be used to elevate privileges, execute commands, infect or corrupt data, deny service, and more. Akamai researchers analysed more than 8 million SQL injection attacks from Q1 2015 to uncover the most frequent methods and goals.   Website defacements and domain hijacking Hundreds of web hosting companies provide web hosting for as little as a few dollars a month. In those cases, the hosting company may host multiple accounts on the same server. This can result in hundreds of domains and sites running under the same server IP address, potentially allowing malicious actors to hijack multiple web sites at once. Once one site has been compromised, a malicious actor can potentially traverse the server's directories, potentially reading username and password lists, to access files from other customer accounts. This could include web site database credentials. With this information, attackers could gain the ability to change files on every site on the server. The Q1 security report includes an explanation of the vulnerability and recommended defensive measures.