Additional analysis and research provided by Principal Architect, Tom Emmons
Earlier this year, Akamai celebrated the fifth anniversary of the Prolexic acquisition. The merger was officially completed in February of 2014, and a lot has happened since then. In this post, we want to spend a moment reflecting on the last five years and look at what's ahead.
As one of the largest DDoS protection vendors on the web, Akamai's Prolexic service is defending some of the world's largest enterprises. With high-visibility into these frequently-targeted networks, we've seen high-watermark attacks, new and evolving tactics, and emerging threats. We've also seen botnets and state-sponsored entities rise to prominence and then fall off the radar, as well as attack sources that migrate towards Internet of Things (IoT)devices (e.g., Mirai) and onto Cloud Service Providers.
Now as a Product Manager, my instinct is to wax philosophical about the cool new detection abilities, mitigation methods, and capacity growth to stay ahead of both attackers and our competition. However, you can hear that points in our sales presentations. I wanted to take a deeper look at how attacks against customers on the Prolexic platform have shifted in the last five years.
Let's Explore the Statistics.
In five years, Prolexic has mitigated a total of 171,421,238,428,571 bytes per second and 46,608,363,047 packets per second of peak attack traffic.
Since the Prolexic acquisition, Akamai has fought 38,905 separately trackable DDoS attack events launched across every industry. This averages out to about twenty major DDoS attacks per day on our platform, and this constant bombardment ensures a thoroughly battle-tested platform and staff. There have been 17,729 unique attacks as defined by pairing destination with vector.
Furthermore, attackers tend to mix and match classic attack vectors. We have seen 1,335 combinations of vectors in the past five years. For example, a recent attack opened with fragmented UDP to stress the routers. The attacker then moved to variations of SYN -ACk flood to exhaust connections, During the whole attack, the attackers were bouncing traffic off of Memcached, CLDAP, and NTP reflectors using amplification.
The Vectors, are a Changing
With many of the world's largest and most-known brands on our platform, we've seen some very creative and sophisticated attacks. Attack vectors come and go. Most vectors drop off due to improvements in network security, while others appear quickly because an attacker is motivated by a new vulnerability.
Back in 2015, Prolexic didn't see nearly as many reflection based attacks (CLDAP, DNS, NTP, SSDP), and we're still seeing a fair amount of Layer 7 attacks (Get/Push/Post floods). Most of the Layer 7 workload has been effectively offloaded to our web application specific Akamai Kona solution.
Headline grabbers like Memcached had a brief shining moment and were able to kick out some pretty impressive BPS stats, but didn't stay around for too long. However, some vectors have had a perennial presence, as SYN Floods, DNS Floods, and UDP Floods have never really gone out of style. UDP Frags and CLDAP seem to have long been a preferred vector and appear to be increasing. SSDP was almost unseen until mid 2014, but it quickly grew to be a rather popular vector, but it has since receded to a small fraction of what we see.
Even with the evolution we've seen, we're fighting more attacks proactively by understanding customers traffic profiles, and preemptively blocking traffic from known attack vectors. As a result, we now employ proactive mitigation in more than 85% of the attacks we see, and in most cases we're blocking attack traffic even before our customers see an impact. For the remaining 15%, our SOC can bring the full force of our mitigation technologies to remove malicious traffic on any advanced vectors or emerging methods.
The Market has Spoken
While it's hard to measure exactly how much of the internet we're protecting, I've seen two main approaches to this. One is name dropping, and for that I will once again direct you to your nearest sales rep. (Spoiler Alert: It's a huge portion of the biggest enterprises.)
The other is to try to look at the number of subnets routed through our scrubbing network. Using BGP lookup, we can confirm that we have three times as many IPv4 subnets routed through us as our nearest competitor. We also have more subnets routed through us than all of our competition combined. While this number alone is impressive, once you pair the number of subnets with the type of businesses we protect, you know we'll continue to see persistent threats from motivated parties.
In this industry, there will always be larger numbers of attacks to contend with and new, more sophisticated threat actors. Akamai and Prolexic are invested in making sure we are in the best position possible to handle whatever attacks tomorrow brings.