1

akamai’s [state of the internet] /

Q1 2015 State of the Internet Security Report – Statistics and Trends Selected excerpts

DDoS attacks are on the rise, according to the Q1 2015 State Of The Internet - Security Report, with Akamai reporting a record number of DDoS attacks recorded on the PLXrouted network – more than double the number reported in the first quarter of 2014. However, the profile of the typical attack has changed, with attackers favoring relatively low-bandwidth attacks (typically less than 10 Gbps) but long durations (typically more than 24 hours). Despite this, the largest attack of Q1 measured nearly 170 Gbps – a significant increase from the largest attack of Q4 2014. Total DDoS attacks rose by over 35 percent in Q1 2015 compared to the previous quarter, with duration increasing 15 percent to more than 29 hours on average. Infrastructure attacks rose by nearly 37 percent, while application layer attacks increased by 22 percent. Average peak bandwidth and peak volume have slightly dropped, with peak bandwidth slightly decreasing from 6.41 Gbps in Q4 to 5.95 Gbps and peak volume dropping from 2.31 Mpps to 2.21 Mpps. (However, this represents a substantial decline from the peak of Q1 2014, where average bandwidth and volume rested at 9.70 Gbps and a record-setting 19.8 Mpps) The largest attack of Q1 2015 so far – one of eight mega-attacks peaking at more than 100 Gbps – measured nearly 170 Gbps of peak bandwidth. Of these eight attacks, all but one contained a SYN flood, and all but one were targeted at the gaming industry (five indirectly, by attacking networks that hosted gaming sites.) Infrastructure-layer attacks continued to account for the lion’s share (91 percent) of DDoS activity in the first quarter. The new infrastructure-layer vector of Simple Service Discovery Protocol (SSDP) attacks, first observed in Q3 of 2014, continued to see increased use. SSDP attacks represented more than 20 percent of all DDoS attacks observed in Q1 2015, passing SYN floods (the top vector of the previous quarter) which accounted for 16 percent of attacks. However, as the mega-attacks show, SYN floods play a major role in larger attacks. The top application-layer vector was HTTP GET, coming in at 7 percent. China again topped the list of source countries for DDoS attacks, making up roughly 23 percent of traffic in Q1 2015. Germany rose to take second place with 17 percent, with the US falling to third at 12 percent. Gaming remained the most-attacked industry this quarter, accounting for 35 percent of all attacks. This quarter, Akamai also published analysis of web application firewall activity. Local File Include (LFI )attacks accounted for the majority, at more than 66 percent of analyzed web application attacks. This is primarily due to a massive, volumetric campaign against two large retailers, in an attempt to discover an LFI vulnerability targeting a WordPress plugin.

2

akamai’s [state of the internet] /

In one week alone, we saw nearly 75 million LFI attacks – nearly two-thirds of all such attacks observed this quarter. Akamai also observed more than 52 million SQL injection (SQLi) attacks, representing nearly 30 percent of web application attacks. A substantial portion of these attacks were related to attack campaigns against two companies in the service and hospitality industry, mostly originating from Ireland. The retail and media/entertainment verticals were the subjected to the greatest number of application-layer attacks. After a number of high-profile retail and media breaches in 2014 alerted malicious actors to these sector’s weaknesses, many attackers began probing them for vulnerability and exploitation. LFI and SQLi attacks most commonly targeted these industries, with retail companies attracting the most SQLi attacks. Malicious File Upload (MFU) attacks were third most commonly used and were directed at the hotel and travel industry more than any other vertical. Remote File Include (RFI) attacks were fourth most common, and most often targeted media/entertainment, high tech, and retail industries. Get the full Q1 2015 State of the Internet – Security Report with all the details

Each quarter Akamai produces a quarterly Internet security report. Download the Q1 2015 State of the Internet – Security Report for:

• Analysis of DDoS and web application attack trends • Bandwidth (Gbps) and volume (Mpps) statistics • Year-over-year and quarter-by-quarter analysis • Attack frequency, size, types and sources • Security implications of the transition to IPV6 • Mitigating the risk of website defacement and domain hijacking • DDoS techniques that maximize bandwidth, including booter/stresser sites • Analysis of SQL injection attacks as a persistent and emerging threat

The more you know about cybersecurity, the better you can protect your network against cybercrime. Download the free the Q1 2015 State of the Internet – Security Report at http://www.stateoftheinternet.com/security-reports today.

About stateoftheinternet.com StateoftheInternet.com, brought to you by Akamai, serves as the home for content and information intended to provide an informed view into online connectivity and cybersecurity trends as well as related metrics, including Internet connection speeds, broadband adoption, mobile usage, outages, and cyber-attacks and threats. Visitors to www.stateoftheinternet.com can find current and archived versions of Akamai’s State of the Internet (Connectivity and Security) reports, the company’s data visualizations, and other resources designed to help put context around the ever-changing Internet landscape.