The Akamai Blog

Highlights of Prolexic Attack Report for Q2 2014

As attacks go, the second quarter of 2014 was quieter than the first. But when you compare the numbers to this time last year, that's of little comfort. According to Prolexic's newly-released attack report for Q2 2014, the rate of DDoS attacks rose 22 percent over the second quarter of 2013.

The report is now available for download.

Here are some of the trends we observed:

• Digital miscreants using server-side botnets targeted Platform-as-a-Service (PaaS) and Software-as-a-Service (SaaS) vendors with server instances running software with known vulnerabilities, such as versions of the Linux, Apache, MySQL, PHP (LAMP) stack and Microsoft Windows server operating systems. They also targeted vulnerable versions of common web Content Management Systems (CMS) such as WordPress and Joomla or their plugins.

• While the use of server-based botnets has increased, the Brobot botnet, also based on server infection, has remained a threat. Attacks in the second quarter of 2014 suggest the botnet is still in place from its earlier use in the Operation Ababil attacks against financial institutions in 2011-2013.

• Reflection and amplification attacks were more popular in the second quarter of 2014, compared to the same period in 2013, representing more than 15 percent of all infrastructure attacks. These attacks take advantage of the functionality of common Internet protocols and misconfigured servers. While the use of NTP reflection attacks was down significantly in the second quarter of 2014, likely due to community cleanup work, SNMP reflector attacks surged during the quarter, filling the void.

"DDoS attacks have continued in high numbers and with high average and peak bandwidths. They can take out an entire data center by overwhelming network bandwidth," said Stuart Scholly, senior vice president and general manager of Security at Akamai Technologies. "Behind these powerful attacks are changing tactics to build, deploy and conceal powerful botnets. Server-side botnets are preying on web vulnerabilities and reflection and amplification tactics are allowing attackers to do more with less."

At a glance
Compared to Q2 2013

• 22 percent increase in total DDoS attacks

• 72 percent increase in average attack bandwidth

• 46 percent increase in infrastructure (layers 3 and 4) attacks

• 54 percent decrease in average attack duration: 38 vs. 17 hours

• 241 percent increase in average peak bandwidth

Compared to Q1 2014

• 0.2 percent decrease in total DDoS attacks

• 14 percent decrease in average attack bandwidth

• 15 percent decrease in application (layer 7) attacks

• 0.2 percent decrease in average attack duration: 17.38 vs. 17.35 hours

• 36 percent decrease in average peak bandwidth

Meanwhile, Q2 2014 saw the introduction of SNMP reflection attacks, which represented 3 percent of total attacks. Application-layer attacks continued to decline this year, accounting for 11 percent of total attacks in Q2 compared to 13 percent in Q1. In Q2 of last year, application-layer attacks represented a much larger percentage of attacks: 25 percent. This declining trend in application-layer attacks may halt if the Brobot botnet makes a resurgence.

SYN floods made a significant comeback in Q2 compared to Q1, accounting for almost 26 percent of attacks, although this is lower than the 31 percent recorded a year ago. This reduction may be attributed to Q2 attackers switching attack vectors, the current favorite being reflection-based UDP attacks. Such shifts often coincide with the development of new DDoS toolkits or the discovery of open or vulnerable servers that can be used in amplification and reflection attacks.

PLXsert expects continued use of the SNMP flood attack vector. Malicious actors have favored the use of powerful reflection-based DDoS attacks using openly available sources, which are relatively easy to acquire and use. 

For example, attackers will often scan the Internet for SNMP hosts that accept the public community string and use those as attack sources. In fact, SNMP may fill the void being left by the decline of open exploitable NTP servers; community clean-up efforts have greatly reduced the number of NTP servers that remain vulnerable to the monlist exploit. NTP floods represented 17 percent of total attacks in Q1 but only 7 percent in Q2.
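As an added example (not code from Akamai, PLXsert or the report), the check below runs over constructed flow records and flags SNMP agents on a network that answer tiny requests with oversized replies addressed outside that network, the traffic pattern a reflector produces when abused as described above. The INTERNAL_NETS prefix, the thresholds and the sample flows are assumptions for illustration.

```python
"""Flag probable SNMP reflection in UDP flow records (added example)."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

SNMP_PORT = 161
INTERNAL_NETS = [ip_network("10.0.0.0/8")]  # address space this network owns (assumed)

# Constructed flow records (src, sport, dst, dport, proto, bytes), as an edge
# NetFlow exporter might produce. Illustrative data, not from the report.
FLOWS = [
    ("10.0.0.5", 54321, "10.0.1.20", SNMP_PORT, "udp", 90),        # NMS poll
    ("10.0.1.20", SNMP_PORT, "10.0.0.5", 54321, "udp", 420),       # normal reply
    ("203.0.113.7", 40000, "10.0.1.20", SNMP_PORT, "udp", 60),     # small request, spoofed src
    ("10.0.1.20", SNMP_PORT, "203.0.113.7", 40000, "udp", 4800),   # bulk reply hits victim
    ("203.0.113.7", 40001, "10.0.1.21", SNMP_PORT, "udp", 60),
    ("10.0.1.21", SNMP_PORT, "203.0.113.7", 40001, "udp", 3600),
    ("10.0.1.22", SNMP_PORT, "198.51.100.9", 1024, "udp", 1500),   # reply, no request seen
]

def is_external(addr):
    return not any(ip_address(addr) in net for net in INTERNAL_NETS)

def find_snmp_reflection(flows, min_ratio=10.0, min_reply_bytes=1000):
    """Agents whose UDP/161 replies to external peers dwarf the requests received."""
    requests = defaultdict(int)  # (agent, peer) -> bytes received on port 161
    replies = defaultdict(int)   # (agent, peer) -> bytes sent from port 161
    for src, sport, dst, dport, proto, nbytes in flows:
        if proto != "udp":
            continue
        if dport == SNMP_PORT:
            requests[(dst, src)] += nbytes
        elif sport == SNMP_PORT:
            replies[(src, dst)] += nbytes
    findings = []
    for (agent, peer), sent in replies.items():
        received = requests.get((agent, peer), 0)
        ratio = sent / received if received else float("inf")  # reply with no request
        if sent >= min_reply_bytes and ratio >= min_ratio and is_external(peer):
            findings.append({"agent": agent, "peer": peer, "reply_bytes": sent,
                             "request_bytes": received, "amplification": ratio})
    return sorted(findings, key=lambda f: f["reply_bytes"], reverse=True)

def reflectors_per_victim(findings):
    """Distinct local agents replying to each external peer: several reflectors
    converging on one address is the signature of a reflection attack."""
    agents = defaultdict(set)
    for f in findings:
        agents[f["peer"]].add(f["agent"])
    return {peer: len(a) for peer, a in agents.items()}
```

On real exporter data the thresholds need tuning per site, and the same grouping applies to other UDP reflectors (for example port 123 for NTP) by changing the port constant.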