
Q1 2016 SOTI Security Preview: Reflection DDoS Attacks, Q1 2015-Q1 2016

By Akamai SIRT

Two quarters ago, we introduced Sankey diagrams to the State of the Internet: Security Report. Sankey graphs help visualize energy, material, or cost transfers between processes.

The Sankey graph below shows how DDoS reflection attacks have trended during the past five quarters. We tracked ten infrastructure-layer DDoS-reflection vectors. The most used vectors seem to correlate with the number of Internet devices that use these specific service protocols for legitimate purposes.

 

Figure 2-12 (Reflection DDoS Attacks, Q1 2015-Q1 2016): SSDP, NTP, DNS, and CHARGEN have consistently been used as the most common reflection attack vectors, as shown on the left axis, and the use of reflection attacks has increased dramatically since Q1 2015, as shown on the right axis.

On the left, as indicated by the height of the label, we see that SSDP, NTP, DNS, and CHARGEN are the most used reflection DDoS vectors. DNS surpassed SSDP as the top vector. The use of SSDP reflection was most prevalent in Q1 2015, followed by Q3 2015; it has since dropped off.

SSDP, NTP, DNS, and CHARGEN have consistently been used as the most common reflection attack vectors, as shown on the left axis. Additionally, the use of reflection attacks has increased dramatically since Q1 2015, as shown on the right axis.

Much of this is because Internet of Things (IoT) devices are coming to market faster than is sustainable from a security perspective. Many IoT devices, such as printers, are shipped with little or no due diligence when it comes to security. These devices are home-based and cannot be effectively updated or managed by the end user. Security vulnerabilities like these can make it easier for malicious actors to incorporate IoT devices into their distributed attack platforms.

The right side of the graph, read from top to bottom, shows a steady increase in the use of reflection-based DDoS attacks each quarter. A big takeaway from the Sankey graph is that malicious actors are finding it more profitable to choose reflection over infection.

Instead of spending time and effort to build and maintain DDoS botnets, it is far easier for attackers to exploit network devices and unsecured service protocols. This commoditization of DDoS has been applied to the DDoS-for-hire ecosystem.

The full State of the Internet: Security Report will be released June 7, 2016.

 
