Akamai Diversity

July 2015 Archives

BIND DoS Vulnerability (CVE-2015-5477)

Akamai is aware of a recently disclosed critical vulnerability in BIND (CVE-2015-5477) that can be exploited to cause a denial of service.


How does the attack work?

An attacker can cause BIND to exit by using a constructed packet to trigger a REQUIRE assertion via defective handling of a TKEY query.


How is Akamai affected?

Akamai's Fast DNS / EDNS authoritative name servers do not run BIND and as such are not impacted by this CVE.

Further, Akamai continuously evaluates CVEs as they appear, and we continue to evaluate and patch relevant systems as necessary.


What can you do to protect yourself?

If you run BIND anywhere in your environment, upgrade to the patched release most closely related to your current version of BIND. These can be downloaded from http://www.isc.org/downloads.

OurMine Team Attack Exceeded 117 Gbps

A new hacking group has landed on Akamai's PLXsert and CSIRT radar for claiming responsibility for DDoS attacks against several of our customers in the financial services sector.


The entity calls itself the "OurMine Team" and if it is to be believed, it has gained access to one customer's $500,000 account. The group has announced it will give that money to the poor.


From a user experience perspective, in an ideal world every page would load in less than a second, we'd zip through a transaction in moments, and boom, we'd be done.

But as I've written about in the past, not all web pages are created equal. People react differently to slowdowns on different pages in the conversion funnel, which means you need to approach each page differently. While it would be wonderful if we could optimize every single page of our websites, most site owners have only a finite amount of optimization resources. You need to focus those resources on optimizing the pages that matter most to your bottom line.

How to Tell a Landscaper From a Thief

If I can see a person standing in front of a neighboring house inspecting the windows and the doors, should I call the police?

Maybe it is an air-conditioning technician looking for the best place to install a new unit, or maybe it is a burglar doing reconnaissance and checking the easiest way into the house. It is hard to tell!

Now what if I can see a user sending requests to non-existing pages in my application?

Maybe these are broken links that the user followed by mistake, or maybe this is attack reconnaissance, pre-attack activity by a malicious user. It is also hard to tell!

Continue reading on InfoSec Island!

Mobile Browser Usage in Q1 2015

In June 2012, Akamai launched the Akamai Internet Observatory (IO) destination site, which highlights browser usage across desktop and other connected devices. The data presented in the full Q1 2015 State of the Internet Report and in this blog post are derived from the Akamai IO site.

One Extra Hour - What Do You Do With It?

The number of hours that Americans sleep at night is down more than an hour from what it was in 1942. Does this mean that we've gained an hour more to do other, more productive things? Or, an hour more to do things like read and spend time with our family?

Challenging the WAF Status Quo

Akamai is proud to have recently improved its position in the "Challengers" quadrant of Gartner, Inc.'s Magic Quadrant for Web Application Firewalls*.

Gartner states: "By year-end 2020, more than 60% of public Web applications protected by a Web application firewall (WAF) will use WAFs delivered as a cloud service or Internet-hosted virtual appliance -- up from less than 15% today."

HTTP is ubiquitous. Seems like everything today is being served from the web. We are using smartphones to do everything from answering our doorbells while we are at work to remotely controlling SUVs. All of this is happening on a platform we call the World Wide Web. Websites are delivering richer and more personalized content than ever before, creating user experiences that were never conceived of. This means, more than ever, size matters.

A roundup of attack activity, vectors and those responsible, based on PLXSert/CSIRT advisories issued in recent weeks:

DD4BC: Operation Update and FAQ
DD4BC, the malicious group responsible for several Bitcoin extortion campaigns last year, continues to expand attacks against Akamai customers. Researchers from Akamai's PLXsert and CSIRT teams continue to investigate attack activity related to the group.

RIPv1 Reflection DDoS Making a Comeback
Akamai's Prolexic Security Engineering & Research Team (PLXsert) has been monitoring an uptick in a form of DDoS reflection thought to be mostly abandoned. This attack vector, which abuses an outdated routing protocol, RIPv1, began showing up in active campaigns again on May 16th after being dormant for more than a year. The latest attacks observed, as described later, are apparently making use of only a small number of the available RIPv1 source devices.

Mobile Connectivity in Q1 2015

The Q1 2015 State of the Internet Report records usage from: smartphones, tablets, computers, and any other device that connects to the Akamai Intelligent Platform via a mobile network provider. Usage is then aggregated at a country/region level. To qualify for inclusion in the report (and this blog post), a minimum of 25,000 unique IP addresses from a country/region are required to connect to Akamai's network. In total, 62 countries/regions qualified for inclusion in the first quarter of 2015, up from 50 qualifying countries/regions in the previous quarter.

DD4BC: Operation Update and FAQ

DD4BC, the malicious group responsible for several Bitcoin extortion campaigns last year, continues to expand attacks against Akamai customers. Researchers from Akamai's PLXsert and CSIRT teams continue to investigate attack activity related to the group.

In recent weeks, the frequency of customers receiving ransom emails from this band of chaotic actors has steadily grown. DD4BC continues to inform victims that they will launch a DDoS attack of 400-500 Gbps against them. To date, DD4BC attack campaigns mitigated by Akamai have not exceeded 50 Gbps in size. That's up from the high of 15-20 Gbps observed in early May. (A full history of the group's exploits and firepower can be found in this advisory from April.)


Below are the most commonly asked questions we've received from customers, along with some answers.

What is new since the last update?

The group can now attack with firepower of up to 50 gigabits per second. Additionally, they now threaten to expose a targeted organization via social media in addition to the DDoS attack itself. The goal is to publicly embarrass the target via social media, harming the company's reputation and drawing additional attention that lends credibility to the service disruption. Their methodology has also changed: they are utilizing multi-vector campaigns more readily and, in some instances, re-visiting previous targets that experienced some level of impact during the initial event. We have also observed this group incorporating a Layer 7 attack as part of the multi-vector attack.

website monitoring for mobile devices

Last month I covered the topic of page bloat -- more specifically, calling attention to the fact that the web has reached a brand-new (if ignominious) milestone: the average home page is now more than 2 MB in size.

As a professional marketer, it can be a little ironic how often you're frustrated when people you care about are influenced by marketing in ways that can't possibly be good for them. Everybody knows that marketers do nothing but lie all day - or "spin" as they call it. And as far as the profession goes, there's probably some truth to that. But there are plenty of marketers out there that have a good deal of integrity, and there are few things more frustrating than when people fall for marketing "spin".

This week, I joined SOASTA as Senior Vice President of Performance Analytics. Given my background in cloud computing and distributed systems operations -- you may have read my blogs on CNET or GigaOm -- this may surprise you, but I want to explain why this is the perfect time to take on this opportunity with this team.

Late last month I attended the Future Stores 2015 conference in Seattle. If you haven't heard of Future Stores before, here's some brief background: it's held by Worldwide Business Research and brings together retail operators, omni-channel, customer experience and IT execs to focus on in-store innovation and how to bridge the digital and physical retail environments. As Chief Strategist of Commerce at Akamai, I was excited to learn how future-thinking stores are innovating, and to better understand how Akamai fits into the picture. This is the first of two follow-up posts. I'll start by recapping some of the innovations retailers have already started putting into practice.

Situational Performance in Q1 2015

In June 2013, Akamai announced the latest release of Ion. Ion is designed to meet the unique challenges of optimizing the desktop and mobile Web experience. One feature of Ion is a capability known as Real User Monitoring (RUM). RUM takes performance measurements from real Web users to provide developers with insights into performance across a multitude of devices and networks. Ideally, RUM is used in tandem with synthetic testing to generate a comprehensive picture of a user's Web experience to help developers best calibrate their applications.

Week 1 update on Akamai's Girls Who Code

After months of planning & preparation, Akamai's Girls Who Code Summer Immersion Program is now underway! This past Monday, July 6th, we welcomed 20 high school girls to Akamai's Cambridge headquarters, where they will spend seven weeks learning coding fundamentals and mingling with real-world techies.

In late June I came across a news article on the online marketing company Criteo's "State of Mobile Commerce" Q2 2015 report. According to this report, mobile transactions now account for 30% of all online transactions. This shouldn't be a surprise to anyone; everybody knows that the world has gone mobile, and the move continues with the latest developments such as Pinterest adding a "Buy" button, Google announcing Android Pay and a "Buy" button on mobile ads, and Twitter letting marketers target consumers based on their mobile apps.

OpenSSL Vulnerability (CVE-2015-1793)

Akamai is aware of the OpenSSL vulnerability addressed in OpenSSL versions 1.0.2d and 1.0.1p on Thursday, July 9, 2015. Akamai does not use the vulnerable versions of OpenSSL and is therefore not affected.

The OpenSSL team advisory outlines the vulnerability and fixes. The advisory states:

During certificate verification, OpenSSL (starting from version 1.0.1n and 1.0.2b) will attempt to find an alternative certificate chain if the first attempt to build such a chain fails. An error in the implementation of this logic can mean that an attacker could cause certain checks on untrusted certificates to be bypassed, such as the CA flag, enabling them to use a valid leaf certificate to act as a CA and "issue" an invalid certificate. This issue impacts any application that verifies certificates including SSL/TLS/DTLS clients and SSL/TLS/DTLS servers using client authentication.

The vulnerability was reported to OpenSSL on 24th June 2015 by Adam Langley/David Benjamin (Google/BoringSSL). The fix was developed by the BoringSSL project, and released by OpenSSL on July 9th, 2015.

Though Akamai is not affected, we recommend that if you run OpenSSL in your origin infrastructure, you consult your security advisory team to review the vulnerability and upgrade your software and/or address the vulnerability as necessary.

If you have any questions or concerns regarding this vulnerability and your Akamai services, please use our Community post dedicated to the subject. You may also contact your Akamai Representative, or call Customer Care at 1.877.4.AKATEC or 1.617.444.4699.

Customer expectations are driving ever increasing demands on website performance. Delays are now measured in milliseconds, not seconds, and cause direct financial impact to the business. And yet, despite these pressures for each business to have lightning fast websites and large budgets being spent on performance, most businesses are still plagued with slow sites. The median page load time for the largest 1000 websites is a whopping 6.4 seconds, more than double what most users will tolerate before risks of abandonment! (*According to httparchive.org)

Internet Penetration in Q1 2015

Through Akamai's globally deployed Intelligent Platform™, and by nature of servicing roughly two trillion requests for Web content on a daily basis, Akamai has unique insight into Internet penetration around the globe. In the first quarter of 2015, over 812 million unique IPv4 addresses from 243 unique countries/regions connected to the Akamai Intelligent Platform™ -- a 1.2% increase from the previous quarter.

RIPv1 Reflection DDoS Making a Comeback

Akamai's Prolexic Security Engineering & Research Team (PLXsert) has been monitoring an uptick in a form of DDoS reflection thought to be mostly abandoned. This attack vector, which abuses an outdated routing protocol, RIPv1, began showing up in active campaigns again on May 16th after being dormant for more than a year. The latest attacks observed, as described later, are apparently making use of only a small number of the available RIPv1 source devices.

RIPv1 was first introduced in 1988 under RFC 1058, which is now listed as a historic document in RFC 1923. The historic designation means the original RFC is actively deprecated. One main reason for this is that RIPv1 only supports classful networks. So if the network advertised by RIPv1 happens to be a subnet in class A space such as 10.1.2.0/24, it will be sent in an advertisement as 10.0.0.0/8, because RIPv1 carries no subnet mask. This, among other things, further limits the usefulness of RIPv1 as a viable option for internal networks, much less the internet.