Akamai Technologies, Inc., the global leader in content delivery network (CDN) services, today announced the availability of the Q2 2015 State of the Internet – Security Report. This quarter’s report, which provides analysis and insight into the global cloud security threat landscape, can be downloaded at www.stateoftheinternet.com/security-report.
“The threat posed by distributed denial of service (DDoS) and web application attacks continues to grow each quarter,” said John Summers, vice president, Cloud Security Business Unit, Akamai. “Malicious actors are continually changing the game by switching tactics, seeking out new vulnerabilities and even bringing back old techniques that were considered outdated. By analyzing the attacks observed over our networks, we’re able to identify emerging threats and trends and provide the public with the information to harden their networks, websites and application and improve their cloud security profiles.”
“For example, for this report, we not only added two web application attack vectors to our analysis, we also examined the perceived threat posed by the onion router (Tor) traffic and even uncovered some new vulnerabilities in third-party WordPress plugins which are being published as CVEs,” he said. “The more you know about cyber security threats, the better you can defend your enterprise.”
DDoS attack activity at a glance
For the past three quarters, there has been a doubling in the number of DDoS attacks year over year. And while attackers favored less powerful but longer duration attacks this quarter, the number of dangerous mega attacks continues to increase. In Q2 2015, there were 12 attacks peaking at more than 100 Gigabits per second (Gbps) and five attacks peaking at more than 50 Million packets per second (Mpps). Very few organizations have the capacity to withstand such attacks on their own.
The largest DDoS attack of Q2 2015 measured more than 240 gigabits per second (Gbps) and persisted for more than 13 hours. Peak bandwidth is typically constrained to a one to two hour window. Q2 2015 also saw one of the highest packet rate attacks ever recorded across the Prolexic Routed network, which peaked at 214 Mpps. That attack volume is capable of taking out tier 1 routers, such as those used by Internet service providers (ISPs).
DDoS attack activity set a new record in Q2 2015, increasing 132% compared to Q2 2014 and increasing 7% compared to Q1 2015. Average peak attack bandwidth and volume increased slightly in Q2 2015 compared to Q1 2015, but remained significantly lower than the peak averages observed in Q2 2014.
SYN and Simple Service Discovery Protocol (SSDP) were the most common DDoS attack vectors this quarter – each accounting for approximately 16% of DDoS attack traffic. The proliferation of unsecured home-based, Internet-connected devices using the Universal Plug and Play (UPnP) Protocol continues to make them attractive for use as SSDP reflectors. Practically unseen a year ago, SSDP attacks have been one of the top attack vectors for the past three quarters. SYN floods have continued to be one of the most common vectors in all volumetric attacks, dating back to the first edition of the security reports in Q3 2011.
Online gaming has remained the most targeted industry since Q2 2014, consistently being targeted in about 35 percent of DDoS attacks. China has remained the top source of non-spoofed attack traffic for the past two quarters, and has been among the top three source countries since the very first report was issued in Q3 2011.
At a glance
Compared to Q2 2014
- 132.43% increase in total DDoS attacks
- 122.22% increase in application layer (Layer 7) DDoS attacks
- 133.66% increase in infrastructure layer (Layer 3 & 4) attacks
- 18.99% increase in the average attack duration: 20.64 vs. 17.35 hours
- 11.47% decrease in average peak bandwidth
- 77.26% decrease in average peak volume
- 100% increase in attacks > 100 Gbps: 12 vs. 6
Compared to Q1 2015
- 7.13% increase in total DDoS attacks
- 17.65% increase in application layer (Layer 7) DDoS attacks
- 6.04% increase in Infrastructure layer (Layer 3 & 4) attacks
- 16.85% decrease in the average attack duration: 20.64 vs. 24.82 hours
- 15.46 increase in average peak bandwidth
- 23.98% increase in average peak volume
- 50% increase in attacks > 100 Gbps: 12 vs. 8
- As in Q1 2015, China is the quarter’s top country producing DDoS attacks
Web application attack activity
Akamai first began reporting web application attack statistics in Q1 2015. This quarter, two additional attacks vectors were analyzed: Shellshock and cross-site scripting (XSS).
Shellshock, a Bash bug vulnerability first tracked in September 2014, was leveraged in 49% of the web application attacks this quarter. However, 95% of the Shellshock attacks targeted a single customer in the financial services industry, in an aggressive, persistent attack campaign that endured for the first several weeks of the quarter. Since Shellshock attacks typically occur over HTTPS, this campaign shifted the balance of attacks over HTTPS vs. HTTP. In Q1 2015, only 9% of attacks were over HTTPS; this quarter 56% were over HTTPS channels.
Looking beyond Shellshock, SSQL injection (SQLi) attacks accounted for 26% of all attacks. This represents a greater than 75% increase in SQLi alerts in the second quarter alone. In contrast, local file inclusion (LFI) attacks dropped significantly this quarter. While it was the top web application attack vector in Q1 2015, LFI only accounted for 18% of alerts in Q2 2015. Remote file inclusion (RFI), PHP injection (PHPi), command injection (CMDi), OGNL injection using OGNL Java Expressing Language (JAVAi), and malicious file upload (MFU) attacks combined accounted for 7% of web application attacks.
As in Q1 2015, the financial services and retail industries were attacked most frequently.
The threat of third-party WordPress plugins and themes
WordPress, the world’s most popular website and blogging platform, is an attractive target for attackers who aim to exploit hundreds of known vulnerabilities to build botnets, spread malware and launch DDoS campaigns.
Third-party plugins go through very little, if any, code vetting. To better understand the threatscape, Akamai tested more than 1,300 of the most popular plugins and themes. As a result, 25 individual plugins and themes that had at least one new vulnerability were identified. In some cases, the plugin or theme had multiple vulnerabilities – totaling 49 potential exploits. A full listing of the newly discovered vulnerabilities is included in the report, along with recommendations to harden WordPress installs.
The pros and cons of Tor
The Onion Router (TOR) project ensures the entry node to a network does not match the exit node, providing a cloak of anonymity for its users. While Tor has many legitimate uses, its anonymity makes it an attractive option for malicious actors. In order to assess the risks involved with allowing Tor traffic to websites, Akamai analyzed web traffic across the Kona security customer base during a seven-day period.
The analysis showed that 99% of the attacks were sourced from non-Tor IPs. However, 1 out of 380 requests out of Tor exit nodes were malicious. In contrast, only 1 out 11,500 requests out of non-Tor IPs was malicious. That said, blocking Tor traffic could have a negative business affect. However, legitimate HTTP requests to e-commerce related pages showed that Tor exit nodes had conversion rates on par with non-Tor IPs.
Download the report
A complimentary copy of the Q2 2015 State of the Internet – Security Report is available as a free PDF download at www.stateoftheinternet.com/security-report.