Last September, CloudFlare detected a large-scale browser-based Layer 7 (L7) HTTP flood. Over the course of the distributed denial of service (DDoS) attack, 650,000 IP addresses sent a total of 4.5 billion HTTP requests, with the campaign peaking at 250,000 requests per second. After investigating the incident, the security company concluded that the attack likely originated with mobile users being served an iframe containing malicious JavaScript. The campaign illustrates that malicious actors continue to use and adapt DDoS attacks for their own ends. This observation has not been lost on Akamai Technologies, a cloud services provider which released its Q3 2015 State of the Internet Security Report last month. Below we present some of the main findings of that study.
DDoS Attacks – Greater Number, Smaller Punch
In the third quarter of 2015, Akamai observed 1,510 individual DDoS attacks. This record-setting figure is an increase of 180% over the same period in 2014 and of 23% over Q2 of last year. Alongside the growth in the number of attacks, however, the cloud services provider also observed a decrease in average attack duration (18.86 hours, down from 22.36 hours) and an 89 percent drop in peak attack volume.
"There are several variables as it relates to the customer posture with regard to always on vs. on demand, which allows for mitigation to be applied faster and in some instances more proactively; the other variable is that the actors seem to be doing more probing of the customer environment, which means shorter attack duration to potentially identify vulnerabilities," Lisa Beegle, information security manager for Akamai, told SCMagazine.com in an email.
One of the chief factors behind those decreases is the proliferation of booter/stresser services, such as the DDoS-for-hire service launched by LizardSquad in late 2014. These tools lack the resilience of a botnet-based DDoS attack, to the extent that most services advertise campaigns lasting no more than one hour. The fact that customers must pay to use booter/stressers also discourages larger, more persistent attacks.

That's not to say that larger DDoS campaigns no longer exist. In total, Akamai detected some eight mega attacks registering at greater than Gigabits per second (Gbps) in Q3 2015, down from 12 the previous quarter. Five of those campaigns were measured at over 30 million packets per second (Mpps). The largest of them used a SYN flood as its attack vector, peaking at 145 Gbps and 222 Mpps.

A review of the total number of DDoS attacks in Q3 2015 reveals that 26% of them, large and small alike, originated from the United Kingdom. China was responsible for just over one-fifth (21%) of the observed attacks, followed by the United States at 17% and India and Spain at 7% each. Half of the recorded campaigns targeted the gaming industry, which no doubt reflects the efforts of several DDoS groups to gain notoriety on par with LizardSquad after it used an attack to bring down both Xbox Live and PlayStation Network on Christmas Day in 2014. Software and technology received 23% of the attacks, while the financial services industry, targeted chiefly by DD4BC, received eight percent.
Given the report's findings, organizations can expect to see attacks that on average vary in size between 400 Mbps and 5 Gbps. Enterprises are encouraged to take this range into consideration when preparing their DDoS defenses.
Web Application Attacks: HTTP vs. HTTPS
Compared to the second quarter of last year, Q3 2015 saw a 96.36% increase in HTTP web application attacks and a 79.02% decrease in HTTPS web application attacks. This drop in HTTPS-based events, which accounted for 12% of the total number of web application attacks in last year's third quarter, represents a dramatic decrease after attackers had used Shellshock prolifically earlier in the year. Even so, an encrypted connection gives a web application no protection that a plain HTTP connection does not: TLS protects the transport, not the application logic behind it. Akamai therefore believes that attackers will eventually shift to HTTPS in order to follow vulnerable applications. To a certain extent this is already happening, as the cloud services provider detected a trend toward stealthier attacks over encrypted connections (particularly TLS as opposed to SSL) in Q3 2015.
"With more Internet sites adopting TLS-enabled traffic as a standard security layer, attackers may follow suit. Or, it could be that attackers aren’t looking solely to penetrate a site but to target a back-end database, which is most likely accessed via HTTPS," Akamai explains.
Malicious actors based mostly in the United States (the source of 59% of the recorded attacks) primarily used local file inclusion (LFI) and SQL injection (SQLi) as attack vectors. Interestingly, these attacks mainly targeted the United States (75% of all attacks), with the retail industry suffering the most at 55 percent. This is because companies in that sector hold large databases of valuable customer information and serve large numbers of customers who could lose trust in a retailer whose website is defaced. By comparison, the financial services industry was a distant second at 15%.
Source: Akamai Technologies
Predictions for the Future
Looking ahead, Akamai anticipates that groups like DD4BC and Armada Collective will continue to launch attacks, that the gaming industry will continue to experience DDoS campaigns at the hands of PhantomSquad and others, and that the retail industry will continue to see the vast majority of web application attacks. For more information on the DDoS, web application, firewall, and cloud security threat activity in Q3 2015, please read Akamai's report in full here.

Title image courtesy of ShutterStock