Akamai Diversity

The Akamai Blog

Akamai State of the Internet Report: DDoS Trends

Yesterday, I shared details from the latest Akamai "State of the Internet" report regarding attack traffic and where it's coming from. Today, we look at what the report has to say about DDoS attacks.

The full report can be downloaded here.

We have quite a vantage point here at Akamai. Our globally-distributed Intelligent Platform helps us gather huge piles of data on everything from connection speeds, attack traffic, network connectivity/availability/latency problems, and IPv6 growth/transition progress, as well as traffic patterns across leading Web sites and digital media providers. It also gives us a look at DDoS attacks as they happen.

Here's an excerpt from the report:

The fourth quarter of 2012 saw 200 reported attacks, while 208 attacks were reported in the first quarter of 2013, representing a slight (4%) increase in the number of attacks reported.  In the third and fourth quarters of 2012, a significant number (72) of DDoS attacks were attributed to the Izz ad-Dim al-Qassam Cyber Fighters (aka QCF) and Operation Ababil.  

In the first quarter of 2013, the tactics of these attacks changed, with the QCF no longer announcing their targets prior to the attacks.  Additionally, the attacks ceased as of March 5, in theory to support a planned operation known as "OpUSA" originating from members of the group "Anonymous".  However it is unknown if this was truly the case, or if the forces behind the QCF were merely pausing to regroup for future attacks.

Figure 03 Q1 2013.jpg

As illustrated in Figure 3, enterprise clients received a substantially greater percentage of attacks in the first quarter of 2013, accounting for 34% of all attacks (67 total), up 14% quarter over quarter.  

The commerce and media verticals stayed relatively close to their 2012 percentages, at 32% vs. 34% for commerce and 21% versus 22% for media.  At the same time, high tech and public sector customers were targeted by substantially fewer attacks as a percentage, at 7% and 4% of total attacks respectively.  

Figure 04 Q1 2013.jpg

As a percentage, first quarter attacks targeting the commerce sector remained relatively stable in comparison to the attacks reported in 2012.   While the distribution of the attacks remained nearly the same, the actual targets were more varied, again following the overall trend of spreading the targets of attacks across multiple sites. 

As highlighted in Figure 4, retail organizations continue to be tempting targets, primarily because they rely so heavily on the Internet for sales and marketing and can be severely impacted if their customers cannot reach their sites.

Figure 05 Q1 2013.jpg

As shown in Figure 5, at the beginning of 2013, financial services customers continued to bear the brunt of the attacks against the enterprise vertical, suffering from 50% of all attacks in this vertical. This is directly related to the attacks performed by the QCF, as it was in 2012.  What is not apparent from the number of attacks is the fact that a number of shorter, less impactful attacks were performed in the first quarter, comprised of probes, rather than full-on DDoS attacks.  

Due to poor Internet hygiene by many ISPs and the lack of enforcement of BCP 38, forged DNS requests are allowed to continue to the name servers, rather than being filtered by the attacker's ISP as they should be.  

For more information on this topic, please refer to the DNS Reflection Defense blog post by Akamai's CSO, Andy Ellis at https://blogs.akamai.com/2013/06/dns-reflection-defense.html.

1 Comment

Thanks for this report, can not wait to see what attacks are...