The Akamai Blog

Q2 SOTI Security Preview: Attackers Focus on SYN and UDP Vectors

The Q2 2015 State of the Internet Security Report (SOTI Security) is due out in the next couple of weeks, and today we continue previewing various sections.

Yesterday we told you about the security risks that come into play when third-party plug-ins are used with WordPress. Today we look at the attack vectors the bad guys favored in Q2.

About half of all DDoS attack campaigns mitigated by Akamai use two or more attack vectors. One specific combination of vectors has appeared repeatedly in attacks greater than 100 Gbps: SYN and UDP vectors with extra data padding. An extremely large attack combining SYN and UDP vectors was seen again in Q2 2015, this time with the addition of an ACK flood.

The Q2 attack described here reached a peak bandwidth of 245 Gbps and a peak packet per second rate of 46 Mpps. The padding of the UDP data appeared to be the same as in earlier attacks. The SYN flood appeared to contain data referring to a particular torrent file.

Large attacks of this sort have a characteristic that sets them apart. Typically, attacks from the DDoS-for-hire market depend on reflection-based techniques. This attack, however, appears to be a bot-based attack similar to Spike and IptabLes/IptabLex, which have produced similar padded payloads.

Multi-vector SYN and UDP attacks continue to produce some of the largest bandwidth DDoS attacks. Regardless of how SYN and ACK are handled by a server or a firewall, these distributed attacks are likely to overwhelm the target network.

UDP attacks in particular require less overhead to launch and can produce either high bandwidth or high packet rates; one UDP attack this quarter peaked at more than 200 Mpps, yet its UDP packets carried only 1-byte payloads.
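The distinction drawn above (padded SYN/UDP payloads driving bandwidth versus 1-byte UDP payloads driving packet rate, and two or more vectors in one campaign) can be checked directly from flow data. The following is an added example, not code from Akamai or the report: it aggregates constructed per-second flow records by vector, derives Mpps, Gbps and average packet size, and flags multi-vector, padded and small-packet patterns. The record format and the size thresholds are assumptions.

```python
from collections import defaultdict

# Constructed sample records (not from the report): per-second aggregates
# of "proto flags packets bytes" as a flow collector might export them.
SAMPLE_FLOWS = """\
tcp S 1200000 1080000000
tcp A 800000 48000000
udp - 2000000 2000000000
"""

PADDED_MIN_BYTES = 512   # assumed avg L3 bytes/packet suggesting padded payloads
SMALL_MAX_BYTES = 64     # assumed avg bytes/packet suggesting 1-byte style payloads

def vector_of(proto, flags):
    """Map a record to the vector names used in the report (SYN, ACK, UDP)."""
    if proto == "udp":
        return "UDP"
    if proto == "tcp" and "S" in flags and "A" not in flags:
        return "SYN"
    if proto == "tcp" and "A" in flags:
        return "ACK"
    return "OTHER"

def summarize(flows_text, window_seconds=1.0):
    """Aggregate packets/bytes per vector and derive Mpps, Gbps, avg size."""
    totals = defaultdict(lambda: [0, 0])
    for line in flows_text.splitlines():
        if not line.strip():
            continue
        proto, flags, pkts, nbytes = line.split()
        vec = vector_of(proto, flags)
        totals[vec][0] += int(pkts)
        totals[vec][1] += int(nbytes)
    summary = {}
    for vec, (pkts, nbytes) in totals.items():
        summary[vec] = {
            "mpps": pkts / window_seconds / 1e6,
            "gbps": nbytes * 8 / window_seconds / 1e9,
            "avg_bytes": nbytes / pkts,
        }
    return summary

def assess(summary):
    """Flag multi-vector campaigns and characterise each vector's payload."""
    padded = [v for v, s in summary.items() if s["avg_bytes"] >= PADDED_MIN_BYTES]
    small = [v for v, s in summary.items() if s["avg_bytes"] <= SMALL_MAX_BYTES]
    return {
        "vectors": sorted(summary),
        "multi_vector": len(summary) >= 2,
        "padded_vectors": sorted(padded),       # bandwidth-oriented vectors
        "small_packet_vectors": sorted(small),  # packet-rate-oriented vectors
        "total_gbps": sum(s["gbps"] for s in summary.values()),
        "total_mpps": sum(s["mpps"] for s in summary.values()),
    }

if __name__ == "__main__":
    print(assess(summarize(SAMPLE_FLOWS)))
```

With a longer window, pass the total seconds as `window_seconds` so the rates reflect the whole capture rather than one second.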

Bot-based attacks pose difficulties for attackers, as it is hard to maintain an army of infected hosts. Administrators will eventually notice that their server is consuming an inordinate amount of outbound bandwidth. Once the infection is discovered, the administrator can rebuild the server or remove the threat. The infection methods used by DDoS malware also allow administrators to take proactive measures to ensure their servers aren't affected: once word gets out about a spreading malware threat and how it spreads, new mitigation tactics can be applied. After that, there won't be much room left for the malware to spread and infect new hosts.

DDoS-for-hire tools are often more difficult to combat since many are based on methods of reflection. SSDP and DNS reflection attacks will likely be around for some time, while new vectors like RIPv1 lend flexibility to the attacker's arsenal.

To read the full story, pre-register for your copy of the Q2 2015 State of the Internet Security Report.