The Akamai Blog

What a web attack looks like to Akamai's Professional Services team: Lessons from the defense of a recent attack

The job of security professionals is becoming tougher by the day. While we work hard to ensure that vulnerabilities are covered, an attacker simply needs to find the weakest link. Not a pleasing thought, but often attackers have the time and resources on their side while the "good guys" work under a whole different set of pressures.

But it's not all doom and gloom out there. Security professionals have a lot of successes in protecting websites and applications. Unfortunately, it's not the successes that make the headlines. In this post, I will share an experience Akamai's professional services security team went through recently that resulted in one of those successes. This was a real attack - but we've elected not to share the name of the target to protect their privacy.

So, what did Akamai's professional services security team have to face in defending against this recent attack?

DDoS led the way: The major chunk of the attack traffic as seen by Akamai was volumetric/DDoS attacks, a typical tactic seen during past hacktivist campaigns across the globe. In this particular attack, however, we noticed a new element: the attackers added traffic generated by a Slow DoS (R-U-D-Y style) attack, combined with traditional HTTP GET/POST floods (which still constituted the majority of the DDoS traffic).

In addition, the DDoS attack was supplemented by other attacks targeting potential application vulnerabilities such as cross-site scripting, SQL injection, system command injection, etc. We will discuss the details of such application layer attacks later in this article.

[Image: Attack Trends]
But what exactly did we see? At the peak of the attack, we observed close to 4000 hits/second of standard HTTP GET/POST flood traffic originating from several hundred IPs distributed geographically. On the surface, this may not look big, but several hundred of these IPs generated more than 70 million hits in a short period of time. In general, the attackers targeted both static and dynamic content for different targets. While static content was served from Akamai servers with no impact on the origin web servers, properly tuned IP rate controls helped mitigate the high-volume traffic that targeted dynamic content.
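The following is an added illustration, not Akamai's rate-control implementation: a sliding-window per-IP limiter that gives origin-bound dynamic content a tighter budget than cacheable static content, replayed over a constructed request log. The log lines, limits and the static-suffix heuristic are assumptions made for the example.

```python
from collections import defaultdict, deque

# Constructed sample of request log lines: "<epoch_seconds> <client_ip> <method> <path>".
# These values are made up for illustration, not traffic from the incident described above.
SAMPLE_LOG = """\
100.0 203.0.113.10 GET /index.html
100.1 203.0.113.10 GET /search?q=a
100.2 203.0.113.10 POST /search
100.3 203.0.113.10 POST /search
100.4 203.0.113.10 POST /search
100.5 203.0.113.10 POST /search
100.6 203.0.113.10 POST /search
100.7 198.51.100.7 GET /logo.png
100.8 198.51.100.7 GET /search?q=b
101.5 198.51.100.7 GET /search?q=c
"""

STATIC_SUFFIXES = (".html", ".png", ".css", ".js", ".jpg")

def is_dynamic(path):
    # Treat query strings and non-static suffixes as dynamic (origin-bound) content.
    base = path.split("?", 1)[0]
    return "?" in path or not base.endswith(STATIC_SUFFIXES)

class RateControl:
    """Sliding-window per-IP limiter with a separate, tighter budget for dynamic content."""
    def __init__(self, window, static_limit, dynamic_limit):
        self.window = window
        self.limits = {"static": static_limit, "dynamic": dynamic_limit}
        self.hits = defaultdict(deque)  # (ip, class) -> timestamps inside the window

    def check(self, ts, ip, path):
        cls = "dynamic" if is_dynamic(path) else "static"
        q = self.hits[(ip, cls)]
        while q and ts - q[0] > self.window:   # drop hits that fell out of the window
            q.popleft()
        q.append(ts)
        return "deny" if len(q) > self.limits[cls] else "allow"

def evaluate(log_text, window=1.0, static_limit=10, dynamic_limit=3):
    """Return {ip: {"allow": n, "deny": n}} after replaying the log through the limiter."""
    rc = RateControl(window, static_limit, dynamic_limit)
    verdicts = defaultdict(lambda: {"allow": 0, "deny": 0})
    for line in log_text.splitlines():
        ts, ip, _method, path = line.split()
        verdicts[ip][rc.check(float(ts), ip, path)] += 1
    return dict(verdicts)
```

With these limits the first client's burst of POSTs to the dynamic endpoint is denied from the fourth hit in the window onward, while the second client's slower mix of static and dynamic requests is untouched.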

The map below shows the distributed nature of the attack traffic; higher color intensity represents a higher hit rate per second.

[Image: Picture 2]
We also analyzed the traffic in order to narrow down the origin of such attacks. The graph below indicates the top sources of such volumetric attacks. As you can see, a majority of the attack traffic was either from or routed through the Asia region.

[Image: Picture 3]
As for the tools used during these attacks, the previously popular LOIC/HOIC didn't seem to be the choice this time. One reason for this shift may be that the traffic patterns from such tools have recently become easy for good DDoS mitigation solutions to detect. What we did see was that, instead of LOIC/HOIC, attackers turned to the Dirt Jumper attack toolkit family, with the majority being Type 4 attacks generating a huge volume of HTTP POST floods against victims.

[Image: Picture 4]
Note 1: The above-mentioned distribution does not cover the entire DDoS traffic that we witnessed, only the traffic that was readily captured by our security system, which is configured to detect such known tools. For other DDoS attack traffic that didn't match these tools, our IP rate control mechanism still provided protection.

While HTTP floods can readily be detected and prevented by IP rate controls, what about Slow DoS attacks such as R-U-D-Y? Thankfully, the Slow POST protection feature of the Akamai WAF came in handy in this situation. When tuned properly, this feature can detect and abort such slow connections from an attacker.
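As an added example of the kind of check a slow-POST guard performs (not Akamai's WAF logic): replay the body chunks of a connection and abort it when, after a grace period, the body is arriving below a minimum byte rate, or when it is still incomplete past a hard deadline. The connection traces and the thresholds are constructed for the example.

```python
# Constructed sample connections: each is (Content-Length, [(arrival_time_s, bytes_received), ...]).
# Values are made up for illustration and do not come from the incident described above.
NORMAL_UPLOAD = (4096, [(0.0, 1460), (0.1, 1460), (0.2, 1176)])
SLOW_POST = (1_000_000, [(0.0, 1), (9.0, 1), (18.0, 1), (27.0, 1), (36.0, 1)])
STALLED_POST = (5000, [(0.0, 1460)])

def check_slow_post(content_length, chunks, min_rate=100.0, grace=5.0, max_duration=30.0):
    """Replay body chunks through a slow-POST guard.

    Abort when, after `grace` seconds, the body is arriving below `min_rate` bytes/s,
    or when the body is still incomplete after `max_duration` seconds.
    Returns "complete" or "abort@<time>:<reason>".
    """
    received = 0
    for t, n in chunks:
        received += n
        if received >= content_length:
            return "complete"                  # full body arrived; hand off to the application
        if t >= max_duration:
            return f"abort@{t}:max_duration"   # declared body never finished in time
        if t >= grace and received / t < min_rate:
            return f"abort@{t}:min_rate"       # R-U-D-Y style trickle: huge length, bytes sent one at a time
    # No further chunks arrived: the connection sat idle with an incomplete body past the deadline.
    last_t = chunks[-1][0] if chunks else 0.0
    return f"abort@{max(last_t, max_duration)}:idle_timeout"
```

The rate check fires on the trickle connection at the first sample after the grace period, well before the deadline; the normal upload is never touched because it completes within the grace period.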

Note 2: Akamai's distributed platform inherently protects against Slowloris and Slow TCP read types of attacks.

We've discussed at length the DDoS traffic that made up the majority of the attack traffic we received during this series of attacks. But what about other application layer attacks?

The graph below represents the different attack vectors that we experienced:

[Image: Picture 5]
Interestingly, when it came to application layer attacks, "Remote file access attempt" took the lead. A majority of hits using this vector originated from an anonymous proxy (which our WAF solution detected), and these were all automated attempts to access system files such as "/etc/passwd" and "boot.ini", to name a few. As for SQL injection, we saw both standard and blind SQL injection attempts.

And while we didn't see too many cross-site scripting attack attempts, our data analysis indicated that the XSS attacks we did protect against primarily used the reflected XSS technique. Yet again, the application layer controls of the Akamai WAF were able to detect and defend against such attacks.
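To illustrate the signature-based detection behind the vector categories above (remote file access, standard and blind SQL injection, reflected XSS), here is an added example that is not Akamai's WAF rule set: a handful of patterns applied to URL-decoded requests, with a tally per vector like the chart in this post. The sample requests and the patterns are constructed for the example; a production rule set is far larger.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample requests (method, path+query, body); made up for illustration,
# not traffic from the incident described above.
SAMPLE_REQUESTS = [
    ("GET", "/page?file=../../etc/passwd", ""),
    ("GET", "/page?file=..%2F..%2Fboot.ini", ""),
    ("GET", "/item?id=1'%20OR%20'1'='1", ""),
    ("GET", "/item?id=1%20AND%20SLEEP(5)", ""),
    ("GET", "/search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E", ""),
    ("GET", "/search?q=akamai", ""),
    ("POST", "/login", "user=bob&pass=hunter2"),
]

# Minimal signature rules in the spirit of the WAF categories named in the post.
RULES = [
    ("remote_file_access", re.compile(r"(?:\.\./|/etc/passwd|boot\.ini)", re.I)),
    ("sql_injection", re.compile(r"(?:'\s*or\s*'|\bunion\b.*\bselect\b|--\s)", re.I)),
    ("blind_sql_injection", re.compile(r"\b(?:sleep|benchmark|waitfor\s+delay)\b", re.I)),
    ("xss", re.compile(r"(?:<script\b|javascript:|on\w+\s*=)", re.I)),
]

def classify(method, target, body):
    """Return the list of rule names matched by one request, after URL decoding."""
    # Decode twice so single- and double-encoded payloads both reach the patterns in plain form.
    text = unquote_plus(unquote_plus(target + " " + body))
    return [name for name, pat in RULES if pat.search(text)]

def attack_vector_counts(requests):
    """Tally matched rule names across a batch, mirroring the per-vector chart in the post."""
    counts = {}
    for req in requests:
        for name in classify(*req):
            counts[name] = counts.get(name, 0) + 1
    return counts
```

Decoding before matching is the step worth noting: the second sample request hides the traversal behind %2F and would slip past the same patterns applied to the raw URL.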

Given the widely varied nature of the attack techniques and tools used during this incident, we recommend that the best defense during a hacktivist attack is holistic protection: rate controls combined with specific signature-based rules.