The Q3 2015 State of the Internet Security Report is now available for download at www.stateoftheinternet.com/security-report. Among the highlights: a continued upward trend in DDoS attacks, and attacks fueled by the easy availability of DDoS-for-hire sites that identify and abuse exposed Internet services, such as SSDP, NTP, DNS, CHARGEN, and even Quote of the Day.
DDoS attack activity at a glance
DDoS attack activity across the Akamai routed network jumped 23% this quarter from already record levels to 1,510 attacks, an increase of 180% over Q3 2014. Although there were substantially more attacks, on average the attacks were shorter with lower average peak bandwidth and volume. Mega attacks (greater than 100 Gbps) were fewer: eight were recorded in Q3 compared to 12 in Q2 and 17 in Q3 a year ago. The largest bandwidth DDoS attack in Q3 - leveraging the XOR DDoS botnet - measured 149 Gbps. This was down from the peak 250 Gbps DDoS attack last quarter. Of the eight mega attacks, the media and entertainment sector was targeted most frequently, with three attacks.
While attack bandwidth was down, Q3 hit a record by a different measure of attack size. A firm in the media and entertainment industry was hit by a record-breaking 222 million packets per second (Mpps) DDoS attack, a small increase over a record-breaking attack of 214 Mpps in Q2. This large attack can be compared to an average peak volume of 1.57 Mpps for all DDoS attacks observed by Akamai in Q3. An attack of this size could bring down a tier 1 router, such as those used by Internet service providers (ISPs).
The online gaming sector was hit particularly hard by DDoS attacks in Q3 2015, accounting for 50% of the recorded DDoS attacks. Gaming was followed by software and technology, which suffered 25% of all attacks. Online gaming has been the most targeted industry for more than a year.
Reflection-based DDoS attacks are proving more popular than infection-based DDoS. Instead of spending time and effort to build and maintain DDoS botnets as they did in the past, more DDoS attackers have been exploiting the existing landscape of exposed network devices and unsecured service protocols. Whereas reflection DDoS attacks accounted for only 5.9% of all DDoS traffic in Q3 2014, these attack vectors accounted for 33.19% of DDoS traffic in Q3 2015.
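As an added example (not code from the report or from Akamai), the following defender-side classifier flags flow records whose traffic is sourced from the reflector services named above, so that a victim's share of reflection traffic can be measured the way the report does; the port table, packet-rate threshold and sample flows are constructed assumptions.

```python
"""Flag reflection/amplification DDoS candidates in UDP flow records.

Added example, not from the Akamai report. Reflection traffic reaches the
victim *from* the abused service's port, so the source port (not the
destination port) is the signal; a packet-rate floor keeps ordinary
replies from single resolvers out of the picture.
"""
from collections import defaultdict
from dataclasses import dataclass

# UDP services named in the report as abused reflectors, keyed by the
# port the reflected traffic is sourced from (assumed mapping).
REFLECTOR_PORTS = {1900: "SSDP", 123: "NTP", 53: "DNS", 19: "CHARGEN", 17: "QOTD"}


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    packets: int
    byte_count: int
    duration_s: float


def is_reflection_candidate(flow: Flow, min_pps: float = 1000.0) -> bool:
    """UDP, sourced from a known reflector port, and fast enough to matter."""
    if flow.proto != "udp" or flow.src_port not in REFLECTOR_PORTS:
        return False
    pps = flow.packets / flow.duration_s if flow.duration_s > 0 else float("inf")
    return pps >= min_pps


def summarize(flows, min_pps: float = 1000.0) -> dict:
    """Per victim and reflector service: distinct reflectors, packets, bytes."""
    acc = defaultdict(lambda: defaultdict(lambda: {"reflectors": set(), "packets": 0, "bytes": 0}))
    for f in flows:
        if not is_reflection_candidate(f, min_pps):
            continue
        entry = acc[f.dst_ip][REFLECTOR_PORTS[f.src_port]]
        entry["reflectors"].add(f.src_ip)
        entry["packets"] += f.packets
        entry["bytes"] += f.byte_count
    return {v: {s: {"reflectors": len(e["reflectors"]), "packets": e["packets"], "bytes": e["bytes"]}
                for s, e in svcs.items()} for v, svcs in acc.items()}


# Constructed sample flows (documentation address ranges, not real traffic).
SAMPLE_FLOWS = [
    Flow("198.51.100.10", 1900, "203.0.113.5", 40001, "udp", 120000, 48000000, 60.0),  # SSDP
    Flow("198.51.100.11", 1900, "203.0.113.5", 40001, "udp", 90000, 36000000, 60.0),   # SSDP
    Flow("198.51.100.20", 123, "203.0.113.5", 40001, "udp", 300000, 144000000, 60.0),  # NTP
    Flow("198.51.100.30", 53, "203.0.113.5", 33333, "udp", 30, 3000, 60.0),            # slow DNS
    Flow("198.51.100.40", 443, "203.0.113.5", 51515, "tcp", 500000, 600000000, 60.0),  # HTTPS
]
```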
Akamai Edge Firewall, a new source for DDoS attack data
For the first time, the security report also includes attack activity observed across the Akamai Edge Firewall, our global platform perimeter. Edge Firewall data sets provide a broad look at attack activity at that perimeter, with information on attack traffic reaching more than 200,000 servers outfitted with Akamai technology. The top 10 source ASNs of attack traffic were located primarily in China and other Asian countries, while reflectors in the US and Europe were more commonly leveraged in a distributed manner.
Compared with Q3 2014
• 179.66% increase in total DDoS attacks
• 25.74% increase in application layer (Layer 7) DDoS attacks
• 198.1% increase in infrastructure layer (Layer 3 & 4) DDoS attacks
• 15.65% decrease in average attack duration: 18.86 vs. 22.36 hours
• 65.58% decrease in average peak attack bandwidth
• 88.72% decrease in average peak attack volume
• 462.44% increase in reflection attacks
• 52.94% decrease in attacks > 100 Gbps: 8 vs. 17
Compared with Q2 2015
• 22.79% increase in total DDoS attacks
• 42.27% decrease in application layer (Layer 7) DDoS attacks
• 30.21% increase in infrastructure layer (Layer 3 & 4) DDoS attacks
• 8.87% decrease in average attack duration: 18.86 vs. 20.64 hours
• 25.13% decrease in average peak attack bandwidth
• 42.67% decrease in average peak attack volume
• 40.14% increase in reflection attacks
• 33.33% decrease in attacks > 100 Gbps: 8 vs. 12
Web application attack activity
In Q2 2015, the Shellshock vulnerability dominated web application attacks utilizing HTTPS, but this was not the case in Q3. As a result, the percentage of web application attacks sent over HTTP vs. HTTPS returned to a more typical level (88% via HTTP, 12% via HTTPS). The use of web application attacks over HTTPS is likely to rise as more sites adopt TLS-enabled traffic as a standard security layer. Attackers may also use HTTPS in an attempt to penetrate back-end databases, which are typically accessed from applications served via HTTPS.
As in previous quarters, local file inclusion (LFI) and SQL injection (SQLi) attacks were by far the most prevalent web application attack vectors of those ranked. The retail industry was hit hardest, receiving 55% of web application attacks, with the financial services industry a distant second, receiving 15% of attacks. Web application attacks relied heavily on botnets that take advantage of unsecured home-based routers and devices.
The third quarter was also notable for an increase in WordPress plugin attack attempts, not only for popular plugins but also for less-known vulnerable plugins.
In Q3 2015, the US was the main source of web application attacks, accounting for 59% of attack origin traffic, and was also the target of 75% of these attacks. The top three attacking Autonomous System Numbers (ASNs) were associated with virtual private servers (VPS) owned by well-known cloud providers in the US. Many of the cloud-based virtual servers launched each day lack sufficient security, are compromised, and are then used as botnet nodes or as other attack platforms.
A look at website scrapers
A scraper is a specific type of bot whose purpose is to acquire data from targeted websites, store and analyze it, and then sell or use the data. One example of a benign scraper is a search engine bot. Other examples are rate aggregators, resellers and SEO analytics services. A section of the security report discusses scrapers and provides an easy way to identify them.
Web application attack metrics
Compared with Q2 2015
• 96.36% increase in HTTP web application attacks
• 79.02% decrease in HTTPS web application attacks
• 21.64% increase in SQLi attacks
• 204.73% increase in LFI attacks
• 57.55% increase in RFI attacks
• 238.98% increase in PHPi attacks