Akamai Diversity

The Akamai Blog

Akamai SIRT details a timeline of DDoS campaigns against MIT

Akamai SIRT has published a new case study detailing a series of DDoS attack campaigns against the MIT (Massachusetts Institute of Technology) network. So far in 2016, MIT has received more than 35 DDoS campaigns against several different targets which have been mitigated by at least one of our cloud solutions.

The new case study authored by Wilber Mejia outlining the DDoS campaigns and attack methods utilized can be downloaded here.


Further investigation by Akamai SIRT revealed that close to 43% of attack vectors leveraged during these campaigns included DDoS reflection and amplification attack vectors. The full vector list consisted of 14 unique floods throughout the course DDoS attacks against the institution. Attackers targeted multiple destination IPs within the MIT network during the campaigns. Attacks originated from a combination of devices vulnerable to reflection abuse and spoofed IP sources.

The analysis is based on fingerprinted signatures collected from attack reports as well as the source IPs from our mitigation devices. The largest attack campaign peaked at 295 Gbps consisting of only a UDP flood signature which is believed to be part of a malware variant known as STD/Kaiten. Prior to that, the largest attack peaked at 89.35 using a combination of UDP flood, DNS flood, and UDP fragment attack vectors. During this campaign attackers targeted a total of three destination IP addresses. These attack types have commonly been included in sites offering so called booter or stressor services.

Listed below are some campaign highlights:

●      Event Time Start: Jun  7, 2016 22:48:55 UTC

●      Event Time End: Jun  8, 2016 17:04:04 UTC

●      Peak bandwidth: 295 Gigabits per second

●      Peak packets per second: 58.6 Million Packets per second

●      Attack Vector: UDP Flood, UDP Fragment, DNS Flood

●      Source port: randomized

●      Destination port: 80

A good portion of these attacks used reflection based attack vectors. These reflectors are not necessarily owned or acquired by the malicious actors rather they are abused for use in these attacks. For attacks against MIT, the reflector population was mostly concentrated in China. In figure 5 the distribution shown is based on 18,825 unique sources of reflectors observed during MIT attacks and their country of origin. China alone had the highest number of reflectors per a single country in relation to all other countries where reflectors were sourcing from.

Customers who believe they are at risk and need additional direction can contact Akamai directly through CCare at 1- 877-4-AKATEC (US And Canada) or 617-444-4699 (International), they're Engagement Manager, or their account team.

Non-customers can submit inquiries through Akamai's hotline at 1.877.425.2624, the contact form on our website at http://www.akamai.com/html/forms/sales_form.html, the chat function on our website at http://www.akamai.com/ or on twitter @akamai.

To access other white papers, threat advisories and research publications, please visit our Security Research and Intelligence section on Akamai Community.