
Q2 DDoS attacks double in a year, says Akamai report

For the past three quarters, distributed denial of service attacks have doubled compared with the equivalent periods the year before, according to the latest Akamai security report

The number of distributed denial of service (DDoS) attacks in the second quarter of 2015 was double that in the same quarter in 2014, a report has revealed.

This is in line with the previous two quarters, in each of which the number of DDoS attacks doubled compared with the equivalent period the year before, according to the Akamai Q2 2015 State of the Internet Security Report.

And while attackers favoured less powerful but longer duration attacks during the second quarter of 2015, the number of dangerous “mega attacks” continued to increase, while the financial and retail sectors continued to be the most highly targeted by DDoS attacks, the report said.

In the April to June quarter, there were 12 DDoS attacks peaking at more than 100 Gigabits per second (Gbps) and five attacks peaking at more than 50 million packets per second (Mpps).

According to Akamai, very few organisations have the capacity to withstand such attacks on their own.

The largest DDoS attack of the quarter measured more than 240 Gbps and lasted more than 13 hours, but the report said peak bandwidth is typically constrained to a one- to two-hour window.

The quarter also saw one of the highest packet rate attacks ever recorded across the Prolexic Routed network, which peaked at 214 Mpps.

That attack volume is capable of taking out tier 1 routers, such as those used by internet service providers (ISPs), the report said.

DDoS attack activity set a new record in the quarter, up 132% compared with the same quarter in 2014 and up 7% on the previous quarter.

Average peak attack bandwidth and volume increased slightly in the second quarter of 2015 compared with the previous quarter, but remained significantly lower than the peak averages observed in the second quarter of 2014, the report said.

SYN (TCP synchronisation packet) floods and Simple Service Discovery Protocol (SSDP) reflection were the most common DDoS attack vectors in the second quarter, each accounting for about 16% of DDoS attack traffic.

The proliferation of unsecured home-based, internet-connected devices using the Universal Plug and Play (UPnP) protocol continues to make them attractive for use as SSDP reflectors, the report said.

According to researchers, although SSDP attacks were virtually unseen a year ago, they have been one of the top attack vectors for the past three quarters.

SYN floods have continued to be one of the most common vectors in all volumetric attacks since the first Akamai state of the internet report for the third quarter of 2011.
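The two vectors described above leave distinct fingerprints in network flow data: a SYN flood shows up as a large volume of bare SYN packets from many sources that never complete a handshake, while SSDP reflection shows up as UDP traffic from port 1900 on many UPnP devices arriving at a host that never sent them a discovery query. The following detector is an added example written for this article, not code from Akamai or the report; the flow records, thresholds, and addresses (documentation ranges) are all constructed, and the detector assumes the flows have already been bucketed into one time window.

```python
"""Flag SYN-flood and SSDP-reflection characteristics in a window of flow records.

Added example for this article; the Flow format, thresholds and sample data
are constructed assumptions, not Akamai's own detection logic.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: int          # window timestamp, seconds (constructed; unused by the detector)
    proto: str       # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: str       # TCP flags as letters ("S" = SYN only, "SA", "PA"); "" for UDP
    packets: int


# Constructed sample window: a SYN flood and an SSDP reflection flood hit
# 203.0.113.10, while 203.0.113.20 only sees ordinary traffic.
SAMPLE_FLOWS = (
    # SYN flood: 40 spoofed sources, bare SYNs, no handshake ever completes
    [Flow(1000, "tcp", f"198.51.100.{i}", 40000 + i, "203.0.113.10", 443, "S", 500)
     for i in range(1, 41)]
    # SSDP reflection: 60 UPnP devices answer from UDP/1900 to a victim that never asked
    + [Flow(1000, "udp", f"192.0.2.{i}", 1900, "203.0.113.10", 80, "", 3000)
       for i in range(1, 61)]
    # Legitimate traffic to another host: a full handshake plus data
    + [Flow(1000, "tcp", "198.51.100.200", 51000, "203.0.113.20", 443, "S", 1),
       Flow(1000, "tcp", "203.0.113.20", 443, "198.51.100.200", 51000, "SA", 1),
       Flow(1001, "tcp", "198.51.100.200", 51000, "203.0.113.20", 443, "PA", 40),
       # This host sent its own SSDP discovery (M-SEARCH to UDP/1900), so the
       # reply from port 1900 is solicited and must not count as reflection.
       Flow(1001, "udp", "203.0.113.20", 5555, "192.0.2.99", 1900, "", 1),
       Flow(1001, "udp", "192.0.2.99", 1900, "203.0.113.20", 5555, "", 2)]
)

# Constructed thresholds; tune to the normal baseline of the monitored network.
SYN_PKT_THRESHOLD = 10_000       # bare SYN packets per window before alerting
SYN_RATIO_THRESHOLD = 0.9        # fraction of inbound TCP packets that are bare SYNs
SSDP_REFLECTOR_THRESHOLD = 50    # distinct unsolicited responders from UDP/1900
SSDP_PKT_THRESHOLD = 100_000     # unsolicited SSDP packets per window


def detect_ddos_vectors(flows):
    """Return {victim_ip: [finding, ...]} for hosts matching either vector."""
    syn_pkts, tcp_pkts = defaultdict(int), defaultdict(int)
    syn_srcs = defaultdict(set)
    ssdp_pkts, ssdp_srcs = defaultdict(int), defaultdict(set)

    # Pass 1: record which hosts legitimately queried which SSDP responders.
    queried = defaultdict(set)
    for f in flows:
        if f.proto == "udp" and f.dst_port == 1900:
            queried[f.src_ip].add(f.dst_ip)

    # Pass 2: tally bare SYNs and unsolicited SSDP responses per destination.
    for f in flows:
        if f.proto == "tcp":
            tcp_pkts[f.dst_ip] += f.packets
            if f.flags == "S":
                syn_pkts[f.dst_ip] += f.packets
                syn_srcs[f.dst_ip].add(f.src_ip)
        elif (f.proto == "udp" and f.src_port == 1900
              and f.src_ip not in queried.get(f.dst_ip, ())):
            ssdp_pkts[f.dst_ip] += f.packets
            ssdp_srcs[f.dst_ip].add(f.src_ip)

    findings = defaultdict(list)
    for victim, pkts in syn_pkts.items():
        ratio = pkts / tcp_pkts[victim]
        if pkts >= SYN_PKT_THRESHOLD and ratio >= SYN_RATIO_THRESHOLD:
            findings[victim].append({"vector": "syn_flood", "packets": pkts,
                                     "sources": len(syn_srcs[victim]),
                                     "syn_ratio": round(ratio, 3)})
    for victim, pkts in ssdp_pkts.items():
        if pkts >= SSDP_PKT_THRESHOLD and len(ssdp_srcs[victim]) >= SSDP_REFLECTOR_THRESHOLD:
            findings[victim].append({"vector": "ssdp_reflection", "packets": pkts,
                                     "sources": len(ssdp_srcs[victim])})
    return dict(findings)


if __name__ == "__main__":
    for victim, hits in detect_ddos_vectors(SAMPLE_FLOWS).items():
        for hit in hits:
            print(f"{victim}: {hit}")
```

The solicited-response check is what keeps the SSDP rule from firing on a host's own UPnP discovery; in production the same idea applies to any reflection vector (DNS, NTP, chargen), with the query port swapped accordingly.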


Online gaming has remained the most targeted industry since the second quarter of 2014, consistently being targeted in about 35% of DDoS attacks.

Compared with the second quarter of 2014, there was a 122.22% increase in application layer DDoS attacks, a 133.66% rise in infrastructure layer attacks, and an 18.99% increase in the average attack duration.

However, there was an 11.47% decrease in average peak bandwidth and a 77.26% decrease in average peak volume. 

The report also highlighted several web application attack statistics, including the fact that exploitation of the Shellshock vulnerability was used in 49% of web application attacks in the quarter.

However, the report said 95% of the Shellshock attacks targeted a single customer in the financial services industry, in an aggressive, persistent campaign that endured for the first several weeks of the quarter.

Beyond Shellshock, SQL injection (SQLi) attacks accounted for 26% of all attacks, up 75% on the previous quarter.

In contrast, local file inclusion (LFI) attacks dropped significantly in the quarter, going from the top web application attack vector in the previous quarter to just 18% of attacks in the second quarter.

Remote file inclusion (RFI), PHP injection (PHPi), command injection (CMDi), OGNL injection using OGNL Java Expression Language (JAVAi), and malicious file upload attacks together accounted for just 7% of web application attacks.

“The threat posed by DDoS and web application attacks continues to grow each quarter,” said John Summers, vice-president, cloud security business unit at Akamai.

“Malicious actors are continually changing the game by switching tactics, seeking out new vulnerabilities and even bringing back old techniques that were considered outdated,” he said.

The Akamai report also highlighted the fact that popular website and blogging platform WordPress remains an attractive target for attackers who aim to exploit hundreds of known vulnerabilities to build botnets, spread malware and launch DDoS campaigns.

Third-party plugins go through very little, if any, code vetting, the report said. To better understand the threat, Akamai tested more than 1,300 of the most popular plugins and themes.

These tests found 25 individual plugins and themes that had at least one new vulnerability. In some cases, the plugin or theme had multiple vulnerabilities – totalling 49 potential exploits.

The Onion Router (Tor) project is a third area of risk highlighted by the report. Tor ensures the entry node to a network does not match the exit node, providing a cloak of anonymity for its users, and although Tor has many legitimate uses, its anonymity makes it attractive for malicious actors, the report said.

To assess the risks involved with allowing Tor traffic to websites, Akamai analysed web traffic across the Kona security customer base during a seven-day period.

The analysis showed that 99% of the attacks were sourced from non-Tor IP addresses (IPs). However, one out of 380 requests from Tor exit nodes was malicious, compared with only one out of 11,500 requests from non-Tor IPs.

However, the report said that blocking Tor traffic could have a negative business effect and that legitimate HTTP requests to e-commerce-related pages showed that Tor exit nodes had conversion rates on a par with non-Tor IPs.
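The measurement described above, classifying each request by whether its source is a Tor exit node and comparing malicious-request and conversion rates across the two classes, can be reproduced against an ordinary web access log. The script below is an added example for this article, not Akamai's Kona analysis code; the log format (combined-log style with a trailing `waf=allow|block` field), the exit-node set, and the conversion path `/order/complete` are constructed assumptions, and a real exit-node list would be fetched from the Tor project's exit-list service.

```python
"""Compare malicious-request and conversion rates for Tor versus non-Tor sources.

Added example for this article. Log lines, the exit-node set and the
waf= field are constructed; they are not Akamai's data or log format.
"""
import re

# Constructed stand-in for a fetched Tor exit-node list.
TOR_EXIT_NODES = {"192.0.2.7", "192.0.2.8"}

# Constructed access log: combined-log prefix plus the WAF verdict for the request.
SAMPLE_LOG = [
    '192.0.2.7 - - [01/Apr/2015:10:00:00 +0000] "GET /products HTTP/1.1" 200 1532 waf=allow',
    '192.0.2.7 - - [01/Apr/2015:10:00:04 +0000] "POST /cart HTTP/1.1" 200 211 waf=allow',
    '192.0.2.8 - - [01/Apr/2015:10:00:09 +0000] "GET /order/complete HTTP/1.1" 200 987 waf=allow',
    '192.0.2.8 - - [01/Apr/2015:10:00:15 +0000] "GET /search HTTP/1.1" 403 0 waf=block',
    '198.51.100.20 - - [01/Apr/2015:10:00:01 +0000] "GET /products HTTP/1.1" 200 1532 waf=allow',
    '198.51.100.20 - - [01/Apr/2015:10:00:05 +0000] "POST /cart HTTP/1.1" 200 211 waf=allow',
    '198.51.100.20 - - [01/Apr/2015:10:00:11 +0000] "GET /order/complete HTTP/1.1" 200 987 waf=allow',
    '198.51.100.21 - - [01/Apr/2015:10:00:02 +0000] "GET /products HTTP/1.1" 200 1532 waf=allow',
    '198.51.100.21 - - [01/Apr/2015:10:00:06 +0000] "GET /products/42 HTTP/1.1" 200 2048 waf=allow',
    '198.51.100.22 - - [01/Apr/2015:10:00:03 +0000] "GET /products HTTP/1.1" 200 1532 waf=allow',
    '198.51.100.22 - - [01/Apr/2015:10:00:07 +0000] "POST /cart HTTP/1.1" 200 211 waf=allow',
    '198.51.100.22 - - [01/Apr/2015:10:00:12 +0000] "GET /order/complete HTTP/1.1" 200 987 waf=allow',
    'this line is malformed and is skipped',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ waf=(?P<waf>\w+)$'
)


def parse_log(lines):
    """Yield parsed fields for each well-formed line; malformed lines are dropped."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def rate_by_source_class(lines, exit_nodes, conversion_path="/order/complete"):
    """Return per-class counts plus 'one malicious in N' and conversion rate."""
    stats = {cls: {"requests": 0, "malicious": 0, "conversions": 0}
             for cls in ("tor", "non_tor")}
    for r in parse_log(lines):
        s = stats["tor" if r["ip"] in exit_nodes else "non_tor"]
        s["requests"] += 1
        if r["waf"] == "block":
            s["malicious"] += 1
        elif r["path"] == conversion_path and r["status"] == "200":
            s["conversions"] += 1
    for s in stats.values():
        s["one_malicious_in"] = (round(s["requests"] / s["malicious"], 1)
                                 if s["malicious"] else None)
        s["conversion_rate"] = (round(s["conversions"] / s["requests"], 3)
                                if s["requests"] else 0.0)
    return stats


if __name__ == "__main__":
    for cls, s in rate_by_source_class(SAMPLE_LOG, TOR_EXIT_NODES).items():
        print(cls, s)
```

Keeping the conversion rate beside the malicious rate is the point of the exercise: it gives the numbers needed to weigh a per-class control (for example, stricter WAF sensitivity or rate limits for exit-node traffic) against the revenue a blanket block would forfeit.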
