Yesterday, Akamai released the Q4 2015 State of the Internet Security (SOTI Security) Report (download here). I'll write posts throughout the week focusing on specific parts of the report. For this installment, let's take a look at mega-DDoS attacks from last quarter.
- Q4 2015 SOTI Security presentations at RSA Conference 2016
- Q4 2015 SOTI Security Infographic
- Video: SOTI Security in 60 Seconds with Akamai CSO Andy Ellis
In Q4, five DDoS attacks registered more than 100 Gbps. This number was down from the eight we saw in Q3 2015, and still more of a drop from the record-setting 17 mega attacks of Q3 2014.
The largest DDoS attack measured 309 Gbps, a sizeable jump in bandwidth from the largest attack in the previous quarter (149 Gbps).
Of the five mega-attacks, the software and technology sector received the largest share, including the second-largest attack of the quarter (203 Gbps). These top two attacks were both sourced from a DDoS botnet.
Another interesting attack occurred on Dec. 24. This booter attack consisted only of DNS reflection and UDP fragments. The fragmenting occurred because the oversized DNS responses from the abused victim domain exceeded the path MTU and were split into IP fragments. For a single-vector attack, 135 Gbps is a significant achievement using a minimum of attack resources, as compared to a full DDoS botnet.
There were four DDoS attacks in Q4 that exceeded 30 Mpps, and two attacks peaked at more than 50 Mpps. The packet rate affects some routers and networks more than the byte rate does, because each packet must be looked up and tracked individually, consuming memory and forwarding resources regardless of its size. As a residual effect, it can result in packet loss within these routers and potentially cause collateral damage to other traffic they carry.
The Dec. 30 attack accounted for both the highest traffic (309 Gbps) and the greatest number of packets (202 Mpps) against an Akamai customer. The Dec. 9 and Dec. 30 attacks represent a departure from reliance on stresser-booter services and reflection attacks, with the exception of a low-rate NTP reflection component.
By comparison, last quarter five DDoS attacks exceeded 30 Mpps and only one attack peaked at more than 50 Mpps, although that attack registered an extremely large 222 Mpps. Contrast that to Q2 2015, when there were 18 attacks of 30+ Mpps.
In tomorrow's post, we'll look at the most notable web application attacks of the quarter.