
Recently by Bill Brenner

OpenSSL Vulnerability (CVE-2015-1793)

Akamai is aware of the OpenSSL vulnerability addressed in OpenSSL versions 1.0.2d and 1.0.1p on Thursday, July 9, 2015. Akamai does not use the vulnerable versions of OpenSSL and is therefore not affected.

The OpenSSL team advisory outlines the vulnerability and fixes. The advisory states:

During certificate verification, OpenSSL (starting from version 1.0.1n and 1.0.2b) will attempt to find an alternative certificate chain if the first attempt to build such a chain fails. An error in the implementation of this logic can mean that an attacker could cause certain checks on untrusted certificates to be bypassed, such as the CA flag, enabling them to use a valid leaf certificate to act as a CA and "issue" an invalid certificate. This issue impacts any application that verifies certificates including SSL/TLS/DTLS clients and SSL/TLS/DTLS servers using client authentication.

The vulnerability was reported to OpenSSL on 24th June 2015 by Adam Langley/David Benjamin (Google/BoringSSL). The fix was developed by the BoringSSL project, and released by OpenSSL on July 9th, 2015.

Though Akamai is not affected, we recommend that if you run OpenSSL in your origin infrastructure, you consult your security advisory team to review the vulnerability and upgrade your software and/or address the vulnerability as necessary.

If you have any questions or concerns regarding this vulnerability and your Akamai services, please use our Community post dedicated to the subject. You may also contact your Akamai Representative, or call Customer Care at 1.877.4.AKATEC or 1.617.444.4699.

RIPv1 Reflection DDoS Making a Comeback

Akamai's Prolexic Security Engineering & Research Team (PLXsert) has been monitoring an uptick in a form of DDoS reflection thought to be mostly abandoned. This attack vector, which involves the use of an outdated routing protocol in RIPv1, began showing up in active campaigns again on May 16th after being dormant for more than a year. The latest attacks observed, as described later, are apparently making use of only a small number of available RIPv1 source devices.

RIPv1 was first introduced in 1988 under RFC1058, which is now listed as a historic document in RFC1923. The historic designation means the original RFC is actively deprecated. One main reason for this is that RIPv1 only supports classful networks: if the network advertised by RIPv1 happens to be a class A network such as 10.1.2.0/24, it will be sent in an advertisement as 10.0.0.0/8. This, among other things, further limits the usefulness of RIPv1 as a viable option for internal networks, much less the internet.

In Akamai's most recent SOTI (State of the Internet) Security Report (Download the Q1 2015 report here), two areas of research focused on the most frequent attack types by target industry, and DDoS attack distribution between Q1 2014 and the same period a year later.


Since the report's release, we've delved deeper into the data and come up with two charts showing a more granular view based on Fig. 1-4 and 1-7 within that report.

By Richard Willey, Senior Program Manager - Adversarial Resilience


Akamai maintains a database that records information about different attacks it has observed. The ongoing analysis of that database is captured each quarter in Akamai's State of the Internet Security Report. (Download the Q1 2015 report here.) But even after a report is released, researchers continue to dig deeper into the data and provide updates.


To that end, this article describes an exploratory data analysis exercise of attacks captured by PLX Routed and Proxy DDoS solution scrubbing centers between Q1 2013 and Q1 2015.


Akamai, Trustwave Form Strategic Alliance


Akamai has announced a new strategic alliance with Trustwave, designed to help businesses more effectively fight myriad threats through vulnerability assessment, denial-of-service prevention and incident response.
 
From the press release:

"Through this partnership, Akamai and Trustwave plan to make available to their respective customers select technology solutions and security services from each company's portfolio. The strategic relationship is intended to allow both companies to provide a broader set of cyber security protections to meet a wide range of customer requirements in a constantly changing cyber security threat landscape."

In a new bulletin released this morning, Akamai researchers outlined a threat in which malicious actors use vulnerabilities in third-party plug-ins to target the large websites that utilize them. Such exploits require little technical skill and are highly effective.

Instead of targeting a high-traffic website directly, attackers simply target the third-party advertising company, content network or provider used by the site.

High-profile sites are common targets, and their security posture is tougher than that of the average site. But they also use third-party content providers whose security is less than ideal. Those who manage a major website put a lot of effort into fortifying the front entrance, but the third-party content they use is like an open window in the back of the building.

Akamai CSIRT Manager Mike Kun described the problem in this podcast recently.

In this episode, State of the Internet Security Podcast host Bill Brenner chats with Akamai CSO Andy Ellis about the findings in Akamai's Q1 2015 State of the Internet - Security Report.

Specifically, they discuss how:

  • Q1 2015 set a record for the number of DDoS attacks observed across the PLXrouted and proxy mitigation platforms - more than double the number recorded in Q1 2014 - and a jump of more than 35 percent compared to last quarter.
  • Simple Service Discovery Protocol (SSDP) attacks were the top attack vector Akamai mitigated, comprising more than 20 percent of DDoS attacks. This was an increase of 6 percent compared to the previous quarter.
  • The online gaming sector was once again hit with more DDoS attacks than any other industry.
  • Q1 2015 saw Akamai aggressively moving away from the use of SSL in favor of TLS. This is noteworthy, since SSL flaws were at the heart of some of the vulnerabilities Akamai has dealt with in recent months.
  • A majority of web application attacks in Q1 were attributed to LFI and SQLi exploits. The retail sector was hardest hit by those attacks, followed by media, entertainment, hotel and travel companies.

Listen to the episode.

Akamai Statement on the Logjam Vulnerability

In response to the Logjam vulnerability discussed in this disclosure, Akamai is continuing to analyze its production servers to determine whether they support the relevant Diffie-Hellman ciphers that would leave customers vulnerable to Logjam.

We have determined that Akamai hosts on our Free Flow and Secure Content Delivery Networks are not vulnerable. 

We do recommend customers check their origin. We also recommend that anyone using a web browser, running a server or developing relevant software read the "What should I do?" section of this advisory.

If our investigation uncovers additional risks, we will provide follow-up blog posts and Luna advisories to update customers on how we are affected and what we're doing about it.

Other resources
We recommend people read this OpenSSL post on upcoming changes related to Logjam and FREAK.

Today we release the Q1 2015 State of the Internet Security Report. You can grab it here, but we've been previewing it for the last few weeks in the Akamai Blog:

Q1 2015 SOTI Security Preview: 7 Attack Vectors

In this final preview before the report's release, we look at the most-used attack vectors for the quarter.

Coming Soon: The Q1 2015 State of the Internet Security Report

Among the Q1 2015 highlights:

  • We saw a record number of DDoS attacks recorded on the Prolexic network - more than double what was reported in Q1 2014.
  • The profile of typical attacks changed. 
  • Last year, high bandwidth, short-duration attacks were the norm. This time, the typical DDoS attack was less than 10 Gbps and lasted for more than 24 hours. 
  • SSDP attacks -- absent in Q1 2014 -- came on strongly in Q1 2015. 
  • The proliferation of unsecured home-based, Internet-connected devices using the Universal Plug and Play (UPnP) Protocol has made them attractive attack targets.

Q1 2015 SOTI Preview: Significance of a 100 GBPS Attack

Today, we look at the significance of a 100 GBPS attack.

Q1 2015 SOTI Preview: Website Defacements and DNS Hijacking

Today, we look at the continuing trend of website defacements and DNS Hijacking.

Q1 2015 SOTI Preview: IPv6 Security Challenges

The potential security risks of widespread IPv6 adoption.

Q1 2015 SOTI Security Preview: 7 Attack Vectors

We continue to preview sections of the Q1 2015 State of the Internet Security Report (SOTI Security) due out later this month. So far, we've told you about the continuing trend of website defacements and DNS Hijacking, the potential security risks of widespread IPv6 adoption, and the significance of a 100 GBPS attack. We've also given an overview of Q1 DDoS activity.