Longer attacks and more bandwidth consumption were a leading DDoS trend in Q3 2014. View this short presentation about a major DDoS attack campaign that exemplifies this DDoS trend, and then get all the details from the full Q3 2014 State of the Internet – Security report.
2. = high-bandwidth attack on entertainment firm
• 10 distinct attacks over a one-week period
• 8 of 10 attack campaigns were high-bandwidth (100+ Gbps)
• Peak bandwidth of the largest attack: 321 Gbps (a record)
• This multi-vector attack hit:
⁄ Layer 7 (application layer)
⁄ Layer 3 (infrastructure layer)
• All attacks were successfully mitigated by Akamai
• Source IP addresses remain under watch
2 / [state of the internet] / security (Q3 2014)
3. = timeline of attacks
• Attackers targeted an Akamai customer and Akamai’s DDoS mitigation infrastructure
• First attacks hit a customer’s web server
⁄ First and third attacks exceeded 100 Gbps
• Next attack targeted an Akamai-owned network block protecting the target
⁄ Peak 321-Gbps attack aimed at bypassing DDoS mitigation technology or causing it to fail
• After failing to bypass DDoS protections, attacks resumed on the customer’s website
• Attacks persisted from July 12 to July 20, averaging 90 hours
4. = botnet topology
• The attacks were launched by a collection of bots reporting to a command-and-control (C2) host
• The source IP sending commands was located in Asia
• Bots were worldwide
⁄ Most traffic originated in U.S., Germany and China
⁄ Another botnet sending attack payloads was located in Korea
• Botnets were built by targeting:
⁄ Linux-based servers
⁄ Customer-premises equipment
5. = attack vectors
Multi-vector attacks used multiple types of flood:
• SYN flood
• UDP flood
• ICMP flood
• RESET flood
• GET flood
⁄ Note: GET flood attacks usually reveal the actual source IP addresses, because an HTTP request can only be sent over a completed TCP handshake and therefore cannot come from a spoofed address
• Attackers used mostly SYN flood and UDP flood traffic, often together
6. = about SYN floods
• Subvert the normal Transmission Control Protocol (TCP) three-way handshake used to establish a valid connection: the attacker sends SYN packets, often from spoofed addresses, and never completes the handshake, leaving half-open connections on the server
• Send these requests at a rapid rate, or send extra-large packets, to exhaust the server’s connection table and bandwidth
• Can render an unprotected server unable to respond to legitimate requests
7. = about UDP floods
• Exploit the User Datagram Protocol (UDP), the transport commonly used by voice-over-IP (VoIP) and online games
• UDP does not require establishing a verified connection before communication starts (there is no handshake)
• This makes spoofing a source IP address easy
• Spoofed addresses subvert mitigation efforts that depend on identifying or blocking the true sources
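As an added example (not code from the Akamai report or its mitigation platform) tying together the attack-vector, SYN flood and UDP flood slides above: a small flood-vector triage script that classifies one constructed second of packet summaries per destination. The destination 192.0.2.10, all source addresses, the per-second thresholds and the `GET_PER_SOURCE` cut-off are assumptions. It shows the three points the slides make: a spoofed SYN flood leaves handshakes that never complete, UDP offers no handshake so only source diversity can be judged, and GET flood sources are attributable because the request rides on a completed handshake.

```python
"""Flood-vector triage over one capture window (added example, hypothetical thresholds)."""
import ipaddress
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class Pkt:
    src: str
    dst: str
    proto: str          # "tcp", "udp" or "icmp"
    flags: str = ""     # TCP flag letters, e.g. "S", "SA", "A", "PA", "R"
    payload: str = ""   # start of the application payload, if any


@dataclass
class Verdict:
    vectors: Dict[str, int] = field(default_factory=dict)      # vector -> packets in window
    spoof_likely: Dict[str, bool] = field(default_factory=dict)
    attributable: List[str] = field(default_factory=list)      # real addresses behind a GET flood


# Hypothetical per-second thresholds; a real deployment baselines these per service.
PPS_THRESHOLD = {"SYN": 500, "UDP": 500, "ICMP": 200, "RESET": 200, "GET": 100}
GET_PER_SOURCE = 50   # GET requests/s from one address before we call it a bot (assumed)


def classify(packets: List[Pkt], window_s: float = 1.0) -> Dict[str, Verdict]:
    """Classify one window of packet summaries into flood vectors per destination."""
    counts: Dict[str, Counter] = defaultdict(Counter)                  # dst -> vector -> pkts
    sources: Dict[str, Dict[str, Set[str]]] = defaultdict(lambda: defaultdict(set))
    get_by_src: Dict[str, Counter] = defaultdict(Counter)              # dst -> src -> GETs
    syn_pairs: Set[Tuple[str, str]] = set()                            # (src, dst) that sent a SYN
    completed: Set[Tuple[str, str]] = set()                            # pairs whose third-packet ACK was seen

    for p in packets:
        key = (p.src, p.dst)
        if p.proto == "tcp":
            if p.flags == "S":
                syn_pairs.add(key)
                counts[p.dst]["SYN"] += 1
                sources[p.dst]["SYN"].add(p.src)
            elif "A" in p.flags and key in syn_pairs:
                # A spoofed source never receives the SYN-ACK, so it can never send this ACK.
                completed.add(key)
            if "R" in p.flags:
                counts[p.dst]["RESET"] += 1
                sources[p.dst]["RESET"].add(p.src)
            if p.payload.startswith("GET "):
                counts[p.dst]["GET"] += 1
                get_by_src[p.dst][p.src] += 1
        elif p.proto == "udp":
            counts[p.dst]["UDP"] += 1
            sources[p.dst]["UDP"].add(p.src)
        elif p.proto == "icmp":
            counts[p.dst]["ICMP"] += 1
            sources[p.dst]["ICMP"].add(p.src)

    verdicts: Dict[str, Verdict] = {}
    for dst, vec in counts.items():
        v = Verdict()
        for name, n in vec.items():
            if n / window_s >= PPS_THRESHOLD[name]:
                v.vectors[name] = n
        if "SYN" in v.vectors:
            pairs = {k for k in syn_pairs if k[1] == dst}
            half_open = len(pairs - completed) / len(pairs)
            # Spoofed SYN flood: almost no handshake completes and almost every SYN has a new source.
            v.spoof_likely["SYN"] = half_open > 0.9 and len(sources[dst]["SYN"]) / vec["SYN"] > 0.5
        if "UDP" in v.vectors:
            # No handshake exists to check, so source diversity is the only spoofing signal.
            v.spoof_likely["UDP"] = len(sources[dst]["UDP"]) / vec["UDP"] > 0.5
        if "GET" in v.vectors:
            # An HTTP request needs a completed handshake, so heavy GET senders are real addresses.
            v.attributable = sorted(s for s, n in get_by_src[dst].items() if n / window_s >= GET_PER_SOURCE)
        verdicts[dst] = v
    return verdicts


def sample_window() -> List[Pkt]:
    """One constructed second of traffic (not captured data): a multi-vector attack on 192.0.2.10."""
    target, quiet = "192.0.2.10", "192.0.2.20"
    pkts: List[Pkt] = []
    spoof_base = ipaddress.IPv4Address("10.0.0.0")      # forged sources, a fresh one per packet
    for i in range(2000):                                # SYN flood; handshakes never complete
        pkts.append(Pkt(str(spoof_base + i), target, "tcp", "S"))
    for i in range(1500):                                # UDP flood, also forged sources
        pkts.append(Pkt(str(spoof_base + 100000 + i), target, "udp"))
    for bot in ("203.0.113.5", "203.0.113.6", "203.0.113.7"):   # GET flood from three real bots
        pkts.append(Pkt(bot, target, "tcp", "S"))
        pkts.append(Pkt(bot, target, "tcp", "A"))
        pkts += [Pkt(bot, target, "tcp", "PA", "GET / HTTP/1.1") for _ in range(100)]
    for i in range(1, 21):                               # 20 legitimate clients, one page each
        for dst in (target, quiet):
            c = f"198.51.100.{i}"
            pkts += [Pkt(c, dst, "tcp", "S"), Pkt(c, dst, "tcp", "A"),
                     Pkt(c, dst, "tcp", "PA", "GET /index.html HTTP/1.1")]
    return pkts


if __name__ == "__main__":
    for dst, v in classify(sample_window()).items():
        print(dst, v.vectors, v.spoof_likely, v.attributable)
```

On the constructed window the target shows SYN, UDP and GET vectors at once, both SYN and UDP are flagged as likely spoofed, and only the three bots (not the 20 legitimate clients that also sent one GET each) are reported as attributable; the quiet destination gets no vectors. Spoofed SYN and UDP sources should feed rate-limiting or scrubbing, not blocklists, while the attributable GET sources are the ones worth keeping under watch.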
9. = Q3 2014 state of the internet – security report
Download the Q3 2014 State of the Internet – Security Report, which includes:
• Analysis of DDoS attack trends
• Bandwidth (Gbps) and volume (Mpps) statistics
• Year-over-year and quarter-by-quarter analysis
• Application layer attacks and infrastructure attacks
• Attack frequency, size and sources
• Where and when DDoSers strike
• How and why attackers are building DDoS botnets from devices other than PCs and servers
• Details of a record-breaking 321 Gbps DDoS attack
• Syrian Electronic Army (SEA) phishing attacks
• More at www.stateoftheinternet.com/security-reports
10. = about stateoftheinternet.com
• StateoftheInternet.com, brought to you by Akamai, serves as the home for content and information intended to provide an informed view into online connectivity and cybersecurity trends as well as related metrics, including Internet connection speeds, broadband adoption, mobile usage, outages, and cyber-attacks and threats.
• Visitors to www.stateoftheinternet.com can find current and archived versions of Akamai’s State of the Internet (Connectivity and Security) reports, the company’s data visualizations, and other resources designed to put context around the ever-changing Internet landscape.