akamai s [state of the internet] / security

Similar documents
DDoS attack patterns across the APJ cloud market. Samuel Chen CCIE#9607 Enterprise Security Architect, Manager - APJ

War Stories from the Cloud: Rise of the Machines. Matt Mosher Director Security Sales Strategy

State of the Internet Security Q Mihnea-Costin Grigore Security Technical Project Manager

AKAMAI SOLUTION BROCHURE CLOUD SECURITY SOLUTIONS FAST RELIABLE SECURE.

The Presence and Future of Web Attacks

VERISIGN DISTRIBUTED DENIAL OF SERVICE TRENDS REPORT

INTRODUCTION: DDOS ATTACKS GLOBAL THREAT INTELLIGENCE REPORT 2015 :: COPYRIGHT 2015 NTT INNOVATION INSTITUTE 1 LLC

Survey: Global Efficiency Held Back by Infrastructure Spend in Pharmaceutical Industry

VERISIGN DISTRIBUTED DENIAL OF SERVICE TRENDS REPORT

Cybersecurity. Anna Chan, Marketing Director, Akamai Technologies

Prolexic Attack Report Q4 2011

VERISIGN DISTRIBUTED DENIAL OF SERVICE TRENDS REPORT

VERISIGN DISTRIBUTED DENIAL OF SERVICE TRENDS REPORT

TechValidate Survey Report: SaaS Application Trends and Challenges

AKAMAI THREAT ADVISORY. Satori Mirai Variant Alert

VERISIGN DISTRIBUTED DENIAL OF SERVICE TRENDS REPORT

CIO INSIGHTS Boosting Agility and Performance on the Evolving Internet

THE STATE OF MEDIA SECURITY HOW MEDIA COMPANIES ARE SECURING THEIR ONLINE PROPERTIES

SOTI SUMMER [state of the internet] / security ATTACK SPOTLIGHT

THE BUSINESS CASE FOR OUTSIDE-IN DATA CENTER SECURITY

AKAMAI CLOUD SECURITY SOLUTIONS

Global DDoS Threat Landscape

2nd SIG-NOC meeting and DDoS Mitigation Workshop Scrubbing Away DDOS Attacks. 9 th November 2015

VERISIGN DISTRIBUTED DENIAL OF SERVICE TRENDS REPORT

DIGITAL TRANSFORMATION IN FINANCIAL SERVICES

Evidence-based protection of web resources a must under the GDPR. How the Akamai Intelligent Platform helps customers to mitigate risks

AKAMAI WHITE PAPER. Enterprise Application Access Architecture Overview

A custom excerpt from Frost & Sullivan s Global DDoS Mitigation Market Research Report (NDD2-72) July, 2014 NDD2-74

INCREASE APPLICATION SECURITY FOR PCI DSS VERSION 3.1 SUCCESS AKAMAI SOLUTIONS BRIEF INCREASE APPLICATION SECURITY FOR PCI DSS VERSION 3.

Overview of Akamai s Personal Data Processing Activities and Role

DDoS Protector. Simon Yu Senior Security Consultant. Block Denial of Service attacks within seconds CISSP-ISSAP, MBCS, CEH

Mitigating DDoS Attacks in Zero Seconds with Proactive Mitigation Controls

The Interactive Guide to Protecting Your Election Website

An Introduction to DDoS attacks trends and protection Alessandro Bulletti Consulting Engineer, Arbor Networks

Intelligent and Secure Network

Akamai Bot Manager. Android and ios BMP SDK

F5 Warsaw SOC. Kamil Woniak. Security Operations Manager, F5 Networks

Multi-vector DDOS Attacks

Why IPS Devices and Firewalls Fail to Stop DDoS Threats

Arbor White Paper Keeping the Lights On

Radware Attack Mitigation Solution (AMS) Protect Online Businesses and Data Centers Against Emerging Application & Network Threats - Whitepaper

MULTIPLAYER GAMING SOLUTION BRIEF

DoS Cyber Attack on a Government Agency in South America- February 2012 Anonymous Mobile LOIC in Action

Imperva Incapsula Product Overview

Imperva Incapsula Website Security

CyberArk Privileged Threat Analytics

Incident Response Services

Q WEB APPLICATION ATTACK STATISTICS

HOW TO HANDLE A RANSOM- DRIVEN DDOS ATTACK

ERT Threat Alert New Risks Revealed by Mirai Botnet November 2, 2016

DNS SECURITY BENEFITS OF OUTSOURCING YOUR DNS TO AN IP ANYCAST+ PROVIDER

Sam Pickles, F5 Networks A DAY IN THE LIFE OF A WAF

IoT - Next Wave of DDoS? IoT Sourced DDoS Attacks A Focus on Mirai Botnet and Best Practices in DDoS Defense

Protecting Against Online Fraud. F5 EMEA Webinar August 2014

Herding Cats. Carl Brothers, F5 Field Systems Engineer

DDoS MITIGATION BEST PRACTICES

Internet Scanner 7.0 Service Pack 2 Frequently Asked Questions

NINE MYTHS ABOUT. DDo S PROTECTION

Enterprise D/DoS Mitigation Solution offering

Enterprise Overview. Benefits and features of Cloudflare s Enterprise plan FLARE

snoc Snoc DDoS Protection Fast Secure Cost effective Introduction Snoc 3.0 Global Scrubbing Centers Web Application DNS Protection

Validating the Security of the Borderless Infrastructure

WHITE PAPER. DDoS of Things SURVIVAL GUIDE. Proven DDoS Defense in the New Era of 1 Tbps Attacks

TOP TEN DNS ATTACKS PROTECTING YOUR ORGANIZATION AGAINST TODAY S FAST-GROWING THREATS

Cloudflare Advanced DDoS Protection

( ) 2016 NSFOCUS

Comprehensive datacenter protection

Think You re Safe from DDoS Attacks? As an AWS customer, you probably need more protection. Discover the vulnerabilities and how Neustar can help.

Corero & GTT DDoS Trends Report Q2 Q3 2017

McAfee Labs Threat Report

Exit from Hell? Reducing the Impact of Amplification DDoS Attacks Marc Kührer, Thomas Hupperich, Christian Rossow, and Thorsten Holz

Q WEB APPLICATION ATTACK STATISTICS

Q&A TAKING ENTERPRISE SECURITY TO THE NEXT LEVEL. An interview with John Summers, Enterprise VP and GM, Akamai

Cyber War Chronicles Stories from the Virtual Trenches

Neustar forms partnership with Limelight for turbocharged DDoS mitigation

Secure your Web Applications with AWS WAF & AWS Shield. James Chiang ( 蔣宗恩 ) AWS Solution Architect

Q&A TALKING CYBER SECURITY WITH THE BOARD OF DIRECTORS. An interview with Josh Shaul, VP, Web Security Products

2015 DDoS Attack Trends and 2016 Outlook

Vulnerability Management & Vulnerability Assessment. Nessus Attack Scripting Language (NASL). CVE databases, NVD database

How NSFOCUS Protected the G20 Summit. Guy Rosefelt on the Strategy, Staff and Tools Needed to Ensure Cybersecurity

SYMANTEC ENTERPRISE SECURITY. Symantec Internet Security Threat Report September 2005 Power and Energy Industry Data Sheet

May the (IBM) X-Force Be With You

The Trusted Choice for Online Business

SIEM (Security Information Event Management)

WHITE PAPER Hybrid Approach to DDoS Mitigation

Radware s Attack Mitigation Solution Protect Online Businesses and Data Centers Against Emerging Application & Network Threats - Whitepaper

haltdos - Web Application Firewall

DoS Cyber Attack on a Government Agency in Europe- April 2012 Constantly Changing Attack Vectors

CYBER ANALYTICS. Architecture Overview. Technical Brief. May 2016 novetta.com 2016, Novetta

DDOS DETECTION AND RESPONSE TRENDS IN THE ENTERPRISE: AN IANS CUSTOM REPORT

SIEM: Five Requirements that Solve the Bigger Business Issues

CONTENT-AWARE DNS. IMPROVING CONTENT-AWARE DNS RESOLUTION WITH AKAMAI DNSi CACHESERVE EQUIVALENCE CLASS. AKAMAI DNSi CACHESERVE

Global DDoS Threat Landscape

Akamai White Paper. FedRAMP SM Helps Government Agencies Jumpstart their Journey to the Cloud. FedRAMP. Federal Risk Authorization Management Program

RSA INCIDENT RESPONSE SERVICES

eguide: Designing a Continuous Response Architecture 5 Steps to Reduce the Complexity of PCI Security Assessments

SOLUTION BRIEF RSA NETWITNESS SUITE 3X THE IMPACT WITH YOUR EXISTING SECURITY TEAM

Bomgar Discovery Report

The 2017 State of Endpoint Security Risk

Predators are lurking in the Dark Web - is your network vulnerable?

Transcription:

[Volume 2 / Number 2] akamai s [state of the internet] / security Q2 215 executive summary

The Security Report has five research sections: Quarter-over-quarter and year-ago quarterly attack statistics for distributed denial of service (DDos) attacks, plus q2 215 statistics for nine popular web application attack vectors Attack spotlight, with a focus on multi-vector mega attacks leveraging udp and syn floods Case study on the potential dangers of third-party WordPress plugins and themes, including 49 new vulnerabilities that were previously unreported Analysis of the potential risks of allowing traffic from Tor exit nodes A recap of attack techniques and vulnerabilities identified in q2 215, including RIPv1 reflection attacks and the rise of a new malicious hacking team, OurMine DDoS Attack Statistics / The number of DDoS attacks continued to increase substantially in q2 215, once again setting a record for the number of DDoS attacks observed over the Akamai Prolexic Routed network, more than doubling the number of attacks observed in q2 214. Average peak attack bandwidth and volume increased slightly in q2 215 compared to q1 215, but still remains significantly lower than the peak averages we saw in q2 214. However, the frequency of mega attacks has increased significantly. In q2 215, there were 12 attacks peaking at more than 1 Gigabits per second (Gbps) and five attacks peaking at more than 5 Million packets per second. q2 215 saw one of the highest packet rate attacks ever recorded across the Prolexic Routed network, peaking at 214 million packets per second (Mpps). That packet volume is capable of taking out tier 1 routers, such as those used by Internet service providers (ISPs). syn and Simple Service Discovery Protocol (ssdp) were the most common DDoS attack vectors this quarter each accounting for approximately 16% of DDoS attack traffic. The proliferation of unsecured home-based, Internet-connected devices using the Universal Plug and Play (UPnP) Protocol continues to make them attractive for use as ssdp reflectors. Practically unseen a year ago, ssdp attacks have been one of the top attack vectors for the past three quarters. syn floods have continued to be one of the most common vectors in all volumetric attacks, dating back to the first edition of these security reports in q3 211. Half of the q2 215 DDoS attacks employed multiple attack vectors, a trend that has continued for the past year. Multi-vector attacks typically leverage attack toolkits from the DDoS-forhire underground. Q2 215 Attacks > 1 Gbps Internet/Telecom Gaming 26 24 249 22 2 21 18 Gbps 16 14 12 1 144 16 19 144 118 157 145 126 121 8 6 4 2 3-Apr 13:12 4-Apr 4:58 8-Apr 5:32 9-Apr 3:4 11-Apr 3:3 18-Apr 4:44 24-Apr 3:25 25-Apr 14:15 3-Apr 6:3 1-May 14:25 4-May 6:51 18-May 2:15 115 Attacks Date and Starting Time (GMT) Figure 1: Ten of the mega attacks targeted the Internet and telecom industry state of the internet / security / Q2 215

Q2 215 Attacks > 5 Mpps High Tech / Consulting Gaming Internet/Telecom Web Application Attack Statistics / We first began reporting on web application attack statistics in q1 215. This quarter, we added two attack vectors to our analysis: Shellshock and cross-site scripting (xss). Akamai analyzed 352.55 million web application attacks observed on the Akamai Edge network. 22 2 18 16 214.35 In addition to Shellshock and xss, we looked at sql injection (SQLi), local file inclusion (lfi), remote file inclusion (rfi), php injection (PHPi), command injection (CMDi), ognl injection using ognl Java Expressing Language (JAVAi), and malicious file upload (mfu) attacks. Mpps 14 12 1 8 6 4 2 63.9 7-Apr 11:54 6.46 24-Apr 3:25 79.62 15-May 23:1 8-June 4:51 Attack Date and Start Time (GMT) 52.68 12-June 1:52 Figure 2: Several of the Q2 215 mega attacks specifically targeted the TCAM limitations in tier 1 ISP routers Shellshock, a Bash bug vulnerability first tracked in September 214, was leveraged in 49% of the web application attacks this quarter. However, 95% of the Shellshock attacks targeted a single customer in the financial services industry, in an aggressive, persistent attack campaign that endured for the first several weeks of the quarter. In fact, 95% of all attacks over https in April were attributed to the Shellshock vector. Since Shellshock attacks typically occur over https, this campaign shifted the balance of attacks over https vs. http. In q1 215, only 9% of attacks were over https; this quarter 56% were over https channels. Looking beyond Shellshock, SQLi attacks came in a distant second, accounting for 26% of all attacks, with more than 92 million attacks in the quarter. This represents a greater than 75% increase in SQLi alerts in the second quarter alone. Normalized SQLi and LFI Attacks by Industry, Q2 215 25, SQLi Attacks LFI Attacks 2, 15, 1, 5, B2B Goods/ B2C Goods/ Financial High Technology Hotel & Travel Media & Entertainment Figure 3: Retail and financial services sites were the most popular targets of web application attacks in Q2 215 Public Sector Retail www.stateoftheinternet.com

In contrast, lfi attacks dropped significantly this quarter. In the last week of q1, we saw nearly 75 million lfi alerts due to an attack on a pair of large retail customers, while in all of q2 we only saw 63 million alerts. All told, lfi accounted for 18% of alerts in q2 215. Shellshock, SQLi and lfi attacks combined accounted for 93% of all web application attacks in the second quarter, with the remaining six categories accounting for 7% in total. Removing the Shellshock attacks from the analysis, the most targeted industries for web application attacks in q2 215 were financial services and retail, as shown in Figure 3. Attack Spotlight / About half of all DDoS attack campaigns mitigated by Akamai use two or more attack vectors. One specific combination of vectors has appeared repeatedly in attacks greater than 1 Gbps: the use of syn and udp vectors with extra data padding. An extremely large attack of syn and udp vectors was used again in q2 215 this time with the addition of an ack flood. The attack analyzed in the spotlight reached a peak bandwidth of 245 Gbps and a peak packet per second rate of 46 Mpps. Large attacks of this sort take on a unique characteristic that sets them apart. Typically, attacks from the DDoS-for-hire market depend on reflection-based techniques. However, this attack appears to be a bot-based attack similar to Spike and IptabLes/IptabLex, which have produced similar padded payloads. Case Study / WordPress is the world s most popular website and blogging platform. Its ever-growing popularity makes it an attractive target for attackers who aim to exploit hundreds of known vulnerabilities to build botnets, spread malware and launch DDoS campaigns. Unfortunately, third-party plugins go through very little, if any, code vetting. For our analysis, we looked at 6 plugins and 722 themes, based on popularity. After testing 1,322 collective plugins and themes, we identified 25 individual plugins and themes that had at least one vulnerability and in some cases, multiple vulnerabilities totaling 49 potential exploits. Many organizations debate whether to allow traffic from Tor exit nodes. In order to assess the risks involved with allowing Tor traffic to websites, we observed web traffic across the Kona security customer base during a seven-day period. During that time, we collected relevant traffic data from thousands of web applications for approximately 3, Akamai customers, focusing on CMDi, lfi/pt, SQLi, xss attacks and web vulnerability scanning. We found that 99% of the attacks were sourced from non-tor IPs. However, due to the differences in traffic volume, we found that 1 out of 38 requests out of Tor exit nodes were malicious. In contrast, only 1 out of 11,5 requests out of non-tor IPs was malicious. That said, blocking Tor traffic could have a negative business affect. As can be seen from the conversion rates in Figure 4, while the Tor network presents very high risk to web sites from a security perspective, it also yields potential business benefits to some industries. Source Legitimate HTTP Requests to Commerce-Related Application Pages Q2 215 Cloud Security Resources / In q2 215, Akamai also tracked a number of new attack techniques, vulnerabilities and criminal operation campaigns that warranted the release of threat advisories. They include: An OurMine Team attack exceeding 117 Gbps The resurgence of RIPv1 reflection DDoS attacks Third-party WordPress plugin vulnerabilities The Logjam vulnerability Ongoing attacks from DD4BC Conversion Rate Non-Tor IPs 95,17,641 (1:834) Tor exit nodes 39,73 (1:895) Figure 4: Requests from Tor exit nodes remain valuable, as the conversion rates show The most common vulnerabilities were cross-site scripting (xss), local file inclusion (lfi) and path transversal (pt) exploits. We also saw a number of email header injection vulnerabilities in the themes. A full listing of the newly discovered vulnerabilities is included in the report, along with recommendations to harden your WordPress installs. To read the full Q2 215, State of the Internet / Security Report, go to www.stateoftheinternet.com/security-report Threat Evaluation / The Onion Router (Tor) project ensures the entry node to a network does not match the exit node, providing a cloak of anonymity for its users. While Tor has many legitimate uses, its anonymity makes it an attractive option for malicious actors. state of the internet / security / Q2 215

About Prolexic Security Engineering & Research Team (PLXsert) PLXsert monitors malicious cyber threats globally and analyzes these attacks using proprietary techniques and equipment. Through research, digital forensics and post-event analysis, PLXsert is able to build a global view of security threats, vulnerabilities and trends, which is shared with customers and the security community. By identifying the sources and associated attributes of individual attacks, along with best practices to identify and mitigate security threats and vulnerabilities, PLXsert helps organizations make more informed, proactive decisions. About Threat Research Team The Threat Research Team is responsible for the security content and protection logic of Akamai s cloud security products. The team performs cutting edge research to make sure that Akamai s cloud security products are best of breed, and can protect against the latest application layer threats. About Customer Security Incident Response Team (csirt) The Akamai Customer Security Incident Response Team (csirt) researches attack techniques and tools used to target our customers and develops the appropriate response protecting customers from a wide variety of attacks ranging from login abuse to scrapers to data breaches to Dns hijacking to distributed denial of service. It s ultimate mission: keep customers safe. As part of that mission, Akamai Csirt maintains close contact with peer organizations around the world, trains Akamai s PS and CCare to recognize and counter attacks from a wide range of adversaries, and keeps customers informed by issuing advisories, publishing threat intelligence and conducting briefings. Contact Twitter: @State_Internet Email: stateoftheinternet-security@akamai.com As the global leader in Content Delivery Network (cdn) services, Akamai makes the Internet fast, reliable and secure for its customers. The company s advanced web performance, mobile performance, cloud security and media delivery solutions are revolutionizing how businesses optimize consumer, enterprise and entertainment experiences for any device, anywhere. To learn how Akamai solutions and its team of Internet experts are helping businesses move faster forward, please visit www.akamai.com or blogs.akamai.com, and follow @Akamai on Twitter. Akamai is headquartered in Cambridge, Massachusetts in the United States with operations in more than 57 offices around the world. Our services and renowned customer care are designed to enable businesses to provide an unparalleled Internet experience for their customers worldwide. Addresses, phone numbers and contact information for all locations are listed on www.akamai.com/locations. 215 Akamai Technologies, Inc. All Rights Reserved. Reproduction in whole or in part in any form or medium without express written permission is prohibited. Akamai and the Akamai wave logo are registered trademarks. Other trademarks contained herein are the property of their respective owners. Akamai believes that the information in this publication is accurate as of its publication date; such information is subject to change without notice. Published 8/15.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback