Today we've launched the first all-security edition of the State of the Internet report. State of the Internet also has its own website now, where readers can delve into Akamai's threat intelligence, threat advisories, data visualizations and more.
Highlights of the security edition for Q3 2014 include a four-fold year-over-year increase in DDoS attack size and volume; new attacks targeting hand-held devices; and the proliferation of easy-to-use attack tools.
- Akamai mitigated 17 attacks greater than 100 gigabits-per-second in Q3 2014, with the largest at 321 Gbps. That's compared to none of that size in the same quarter a year ago and only six last quarter.
- These mega-attacks each used multiple DDoS vectors to deliver large bandwidth-consuming packets at an extremely high rate of speed.
- Multi-vector attacks have been fueled by the increased availability of attack toolkits with easy-to-use interfaces as well as a growing DDoS-for-hire criminal industry.
- PLXsert has observed botnet-building efforts in which malicious actors sought to control systems by gaining access through vulnerable web applications on Linux-based machines. These efforts have expanded to a new class of device, including smartphones and embedded devices such as the Internet of Things (IoT).
- During Q3, another kind of attack also gained momentum: phishing. Multiple phishing attacks targeted Google Enterprise users in order to harvest user credentials and gain access to confidential information.
Case Study: DDoS botnets built from devices other than PCs and servers
- Malicious actors are shifting their focus to embedded devices, ARM-based devices and Internet-enabled devices beyond the commonly-targeted PCs and servers.
- The shift to employing DDoS bots from this class of devices is expected to bring more complex attacks, higher bandwidth volume and connection ratios in DDoS campaigns. It will also bring new types of attacks.
- PLXsert has observed a new reflection attack based on the Simple Service Discovery Protocol (SSDP), which is part of UPnP. SSDP allows attackers to craft malicious requests that result in reflected and amplified traffic directed against designated targets.
- Most of these devices are unmanaged and unpatched, with outdated software and firmware, providing fertile ground for exploitation. PLXsert has identified about 11 million SSDP-enabled devices, and roughly 40 percent of them are potentially exploitable. Malicious actors could therefore have extensive resources with which to produce DDoS campaigns.
DDoS mitigation for these types of attacks will require the following:
- Coordinated security community efforts to discover, manage and mitigate vulnerabilities in these devices and to prevent further expansion of these malicious campaigns.
- Hardware vendors and software developers will need to address the cleanup, mitigation and management of current and potential vulnerabilities during the lifecycle of these devices.
- For currently deployed devices, administrators need to take corrective security measures by implementing best practices.
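For administrators of deployed devices, one corrective check is to find which of their own devices answer SSDP queries arriving from outside the network, since those are the ones that can be used as reflectors. The following is an added example, not part of the report: it reads constructed flow records in an assumed CSV layout, assumes 192.0.2.0/24 is the internal range, and uses a hypothetical `find_reflectors` helper with an assumed ratio threshold.

```python
import csv
import io
import ipaddress
from collections import defaultdict

SSDP_PORT = 1900  # UDP port used by SSDP
INTERNAL = ipaddress.ip_network("192.0.2.0/24")  # assumed internal range

# Constructed sample flows: proto,src_ip,src_port,dst_ip,dst_port,bytes
SAMPLE_FLOWS = """\
udp,198.51.100.7,40000,192.0.2.10,1900,120
udp,192.0.2.10,1900,198.51.100.7,40000,3600
udp,198.51.100.7,40001,192.0.2.10,1900,120
udp,192.0.2.10,1900,198.51.100.7,40001,3480
udp,192.0.2.20,51000,192.0.2.10,1900,120
udp,192.0.2.10,1900,192.0.2.20,51000,900
tcp,203.0.113.5,1900,192.0.2.30,443,5000
udp,203.0.113.9,33333,192.0.2.40,1900,240
"""


def is_internal(ip):
    return ipaddress.ip_address(ip) in INTERNAL


def find_reflectors(flow_text, min_ratio=5.0):
    """Return (device, amplification ratio, distinct external requesters)
    for internal devices whose SSDP replies to external addresses are at
    least min_ratio times larger than the external queries they received."""
    stats = defaultdict(lambda: {"in": 0, "out": 0, "peers": set()})
    for row in csv.reader(io.StringIO(flow_text)):
        if not row or row[0] != "udp":
            continue  # SSDP runs over UDP; skip everything else
        _, src, sport, dst, dport, nbytes = row
        sport, dport, nbytes = int(sport), int(dport), int(nbytes)
        if dport == SSDP_PORT and is_internal(dst) and not is_internal(src):
            stats[dst]["in"] += nbytes       # query from outside
            stats[dst]["peers"].add(src)     # claimed (possibly spoofed) source
        elif sport == SSDP_PORT and is_internal(src) and not is_internal(dst):
            stats[src]["out"] += nbytes      # reply leaving the network
    findings = []
    for device, s in sorted(stats.items()):
        if s["in"] and s["out"] / s["in"] >= min_ratio:
            findings.append((device, round(s["out"] / s["in"], 1), len(s["peers"])))
    return findings


if __name__ == "__main__":
    for device, ratio, peers in find_reflectors(SAMPLE_FLOWS):
        print(f"{device}: replies {ratio}x larger than queries, {peers} external requester(s)")
```

Devices it reports are candidates for blocking UDP 1900 at the network edge or disabling UPnP on the device; internal-only SSDP traffic is deliberately ignored.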
Statistics: Q3 2014 DDoS attacks
Compared to Q3 2013
- 22 percent increase in total DDoS attacks
- 389 percent increase in average attack bandwidth
- 366 percent increase in average peak packets per second
- 44 percent decrease in application layer attacks
- 43 percent increase in infrastructure layer attacks
- 5 percent increase in average attack duration
- 9 percent increase in multi-vector attacks
Compared to Q2 2014
- 2 percent increase in total DDoS attacks
- 80 percent increase in average attack bandwidth
- 10 percent increase in average peak packets per second
- 2 percent increase in application layer attacks
- 2 percent increase in infrastructure layer attacks
- 29 percent increase in average attack duration
- 11 percent increase in multi-vector attacks
- 183 percent increase in high bandwidth (100+ Gbps) attacks: 17 vs. 6