Akamai Diversity

The Akamai Blog

Q2 2015 State of the Internet Security Report Released

Akamai has released the Q2 2015 State of the Internet Security Report. This quarter's report, which provides analysis and insight into the global cloud security threat landscape, can be downloaded here.

Previews for the Q2 State of the Internet Security Report:

DDoS attack activity at a glance
For the past three quarters, there has been a doubling in the number of DDoS attacks year over year. And while attackers favored less powerful but longer duration attacks this quarter, the number of dangerous mega attacks continues to increase. In Q2 2015, 12 attacks peaked at more than 100 Gigabits per second (Gbps) and five attacks peaked at more than 50 Million packets per second (Mpps). Very few organizations have the capacity to withstand such attacks on their own.

The largest DDoS attack of Q2 2015 measured more than 240 gigabits per second (Gbps) and persisted for more than 13 hours. Q2 2015 also saw one of the highest packet rate attacks ever recorded across the Prolexic Routed network, which peaked at 214 Mpps. That attack volume is capable of taking out tier 1 routers, such as those used by Internet service providers (ISPs).

SYN and Simple Service Discovery Protocol (SSDP) were the most common DDoS attack vectors this quarter - each accounting for approximately 16% of DDoS attack traffic. The proliferation of unsecured home-based, Internet-connected devices using the Universal Plug and Play (UPnP) Protocol continues to make them attractive for use as SSDP reflectors. Practically unseen a year ago, SSDP attacks have been one of the top attack vectors for the past three quarters. SYN floods have continued to be one of the most common vectors in all volumetric attacks, dating back to the first edition of the security reports in Q3 2011.

Online gaming remains the most targeted industry since Q2 2014, consistently being targeted in about 35 percent of DDoS attacks. China has remained the top source of non-spoofed attack traffic for the past two quarters, and has been among the top three source countries since the very first report was issued in Q3 2011.

At a glance
Compared to Q2 2014
• 132.43% increase in total DDoS attacks
• 122.22% increase in application layer (Layer 7) DDoS attacks
• 133.66% increase in infrastructure layer (Layer 3 & 4) attacks
• 18.99% increase in the average attack duration: 20.64 vs. 17.35 hours
• 11.47% decrease in average peak bandwidth
• 77.26% decrease in average peak volume
• 100% increase in attacks > 100 Gbps: 12 vs. 6

Compared to Q1 2015
• 7.13% increase in total DDoS attacks
• 17.65% increase in application layer (Layer 7) DDoS attacks
• 6.04% increase in Infrastructure layer (Layer 3 & 4) attacks
• 16.85% decrease in the average attack duration: 20.64 vs. 24.82 hours
• 15.46 increase in average peak bandwidth
• 23.98% increase in average peak volume
• 50% increase in attacks > 100 Gbps: 12 vs. 8
• As in Q1 2015, China is the quarter's top country producing DDoS attacks

Web application attack activity
Akamai first began reporting web application attack statistics in Q1 2015. This quarter, two additional attacks vectors were analyzed: Shellshock and cross-site scripting (XSS).

Shellshock, a Bash bug vulnerability first tracked in September 2014, was leveraged in 49% of the web application attacks this quarter. However, 95% of the Shellshock attacks targeted a single customer in the financial services industry, in an aggressive, persistent attack campaign that endured for the first several weeks of the quarter. Since Shellshock attacks typically occur over HTTPS, this campaign shifted the balance of attacks over HTTPS vs. HTTP. In Q1 2015, only 9% of attacks were over HTTPS; this quarter 56% were over HTTPS channels.

Looking beyond Shellshock, SSQL injection (SQLi) attacks accounted for 26% of all attacks. This represents a greater than 75% increase in SQLi alerts in the second quarter alone. In contrast, local file inclusion (LFI) attacks dropped significantly this quarter. While it was the top web application attack vector in Q1 2015, LFI only accounted for 18% of alerts in Q2 2015. Remote file inclusion (RFI), PHP injection (PHPi), command injection (CMDi), OGNL injection using OGNL Java Expressing Language (JAVAi), and malicious file upload (MFU) attacks combined accounted for 7% of web application attacks.

As in Q1 2015, the financial services and retail industries were attacked most frequently.

The threat of third-party WordPress plugins and themes
WordPress, the world's most popular website and blogging platform, is an attractive target for attackers who aim to exploit hundreds of known vulnerabilities to build botnets, spread malware and launch DDoS campaigns.

Third-party plugins go through very little, if any, code vetting. To better understand the threatscape, Akamai tested more than 1,300 of the most popular plugins and themes. As a result, 25 individual plugins and themes that had at least one new vulnerability were identified. In some cases, the plugin or theme had multiple vulnerabilities - totaling 49 potential exploits. A full listing of the newly discovered vulnerabilities is included in the report, along with recommendations to harden WordPress installs.

The pros and cons of Tor
The Onion Router (TOR) project ensures the entry node to a network does not match the exit node, providing a cloak of anonymity for its users. While Tor has many legitimate uses, its anonymity makes it an attractive option for malicious actors. In order to assess the risks involved with allowing Tor traffic to websites, Akamai analyzed web traffic across the Kona security customer base during a seven-day period.

The analysis showed that 99% of the attacks were sourced from non-Tor IPs. However, 1 out of 380 requests out of Tor exit nodes were malicious. In contrast, only 1 out 11,500 requests out of non-Tor IPs was malicious. That said, blocking Tor traffic could have a negative business affect. However, legitimate HTTP requests to e-commerce related pages showed that Tor exit nodes had conversion rates on par with non-Tor IPs.