
Q3 2014 Record-Breaking 321 Gbps DDoS Attack from StateoftheInternet.com

Q3 2014 Global DDoS Attack Report – Attack Spotlight Selected excerpts

Akamai’s Prolexic Security Engineering and Research Team (PLXsert) spotlights a record-setting distributed denial of service (DDoS) attack in its Q3 2014 State of the Internet Security Report. The attack was just one of a series of attack campaigns that targeted one Akamai customer in the entertainment industry during a week-long period.

Most of the attacks observed during these campaigns contained SYN flood traffic. A typical TCP connection to a website requires a TCP three-way handshake: the client sends an initial SYN request, the server responds with a SYN-ACK, the client answers with an ACK, and only then does communication begin.

DDoS attackers often craft malformed packets when launching SYN floods. These packets deliberately violate the normal workflow of a TCP/IP connection in an attempt to overwhelm the target system with abnormal requests—either with a very large volume of traffic or with many simultaneous connection attempts.
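The handshake workflow described above can be replayed as a small state machine, which is also how a defender tells a SYN flood apart from normal load: legitimate clients finish the SYN, SYN-ACK, ACK sequence, while flood traffic leaves the server's connection table full of half-open entries and sends packets that fit no known connection. The example below is added here and is not code from the Akamai report; the packet records, the server address 203.0.113.10 and the detection thresholds are all constructed for illustration.

```python
from collections import defaultdict

# Constructed packet records (src, dst, flags); sample data for this example,
# not capture data from the report. flags: "S" = SYN, "SA" = SYN-ACK,
# "A" = ACK, "R" = RST. 203.0.113.10 stands in for the web server.
SERVER = "203.0.113.10"
SAMPLE_PACKETS = (
    [  # one legitimate handshake
        ("198.51.100.7", SERVER, "S"),
        (SERVER, "198.51.100.7", "SA"),
        ("198.51.100.7", SERVER, "A"),
        # an ACK for a connection the server never saw: out of workflow
        ("198.51.100.9", SERVER, "A"),
    ]
    # 40 SYNs from distinct sources; the server answers, the final ACK never comes
    + [(f"192.0.2.{i}", SERVER, "S") for i in range(1, 41)]
    + [(SERVER, f"192.0.2.{i}", "SA") for i in range(1, 41)]
)


def track_handshakes(packets):
    """Replay packets through a per-connection handshake state machine.

    Returns (states, out_of_state): states maps (client, server) to the last
    stage reached ("syn_sent", "syn_received", "established"); out_of_state
    lists packets that arrived for a connection in the wrong stage, e.g. an
    ACK or RST with no preceding SYN."""
    states = {}
    out_of_state = []
    for src, dst, flags in packets:
        if flags == "S":
            states[(src, dst)] = "syn_sent"
        elif flags == "SA":
            key = (dst, src)  # server -> client, so the client is dst
            if states.get(key) == "syn_sent":
                states[key] = "syn_received"
            else:
                out_of_state.append((src, dst, flags))
        elif flags == "A":
            if states.get((src, dst)) == "syn_received":
                states[(src, dst)] = "established"
            elif "established" not in (states.get((src, dst)), states.get((dst, src))):
                out_of_state.append((src, dst, flags))
        elif flags == "R":
            # a reset only makes sense for a connection we have seen in either direction
            if (src, dst) in states:
                del states[(src, dst)]
            elif (dst, src) in states:
                del states[(dst, src)]
            else:
                out_of_state.append((src, dst, flags))
    return states, out_of_state


def half_open_summary(states):
    """Count, per server IP, connections stuck before the final ACK versus completed ones."""
    summary = defaultdict(lambda: {"half_open": 0, "established": 0})
    for (_client, server), stage in states.items():
        summary[server]["established" if stage == "established" else "half_open"] += 1
    return dict(summary)


def syn_flood_suspected(summary, server, min_half_open=20, max_ratio=0.5):
    """Flag a server whose connection table is dominated by half-open entries.
    The thresholds are illustrative assumptions; tune them against a baseline."""
    s = summary.get(server, {"half_open": 0, "established": 0})
    if s["half_open"] < min_half_open:
        return False
    return s["half_open"] / (s["half_open"] + s["established"]) > max_ratio


if __name__ == "__main__":
    states, bad = track_handshakes(SAMPLE_PACKETS)
    summary = half_open_summary(states)
    print(summary[SERVER], "out-of-state packets:", len(bad))
    print("SYN flood suspected:", syn_flood_suspected(summary, SERVER))
```

The half-open ratio is what a baseline should be built on: a busy but healthy server completes most handshakes, so a table where half-open entries dominate points at a flood rather than popularity. The out-of-state list is the place where the report's "malformed" traffic shows up, since an ACK or RST that matches no connection is by definition outside the handshake workflow.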

Another attack vector used in this campaign was a UDP flood attack. The UDP protocol does not require a handshake for communication to take place, making it an ideal protocol for low-latency applications such as voice-over-IP (VoIP) and online video games. Attackers craft large UDP packets and blast them at a target IP address.

Without the handshake requirement, attackers can send malicious UDP packets that spoof the source IP address, making DDoS mitigation more difficult. Often, attackers will use source addresses that are not RFC-compliant for Internet traffic (private LAN IPs) or IP addresses from service providers that the target would be less likely to block. Some DDoS attack toolkits support randomization of source IPs and customizable destination ports.
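Two of the points in the paragraph above translate directly into mitigation logic: packets whose source address lies in a range that cannot legitimately originate Internet traffic can be dropped at the edge without further analysis, and once those are gone the spread of the remaining sources tells the defender whether per-source blocking can work at all. The example below is added here and is not code from the report; the flow records, the thresholds and the choice of ranges in the drop list are constructed assumptions.

```python
import ipaddress
from collections import Counter

# Ranges that can never legitimately be the source of traffic arriving from the
# Internet: RFC 1918 private space plus loopback, link-local, multicast and reserved.
# Documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) are left
# out on purpose: the constructed sample below uses them in place of public addresses.
NON_ROUTABLE_SOURCES = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


def is_spoofed_source(addr):
    """True when addr lies in a range that cannot originate Internet traffic."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in NON_ROUTABLE_SOURCES)


# Constructed UDP flow records (src, dst_port, bytes), not data from the report.
SAMPLE_UDP = (
    [(f"10.0.0.{i}", 53, 1400) for i in range(1, 11)]            # private LAN sources
    + [(f"192.168.1.{i}", 123, 1400) for i in range(1, 11)]      # more RFC 1918 sources
    + [(f"198.51.100.{i}", 5060, 1400) for i in range(1, 31)]    # 30 randomized "public" sources
    + [("203.0.113.5", 5060, 200)] * 5                           # one repeat talker
)


def triage_udp_flood(records):
    """Drop non-routable sources at the edge, then measure how dispersed the rest are."""
    dropped = [r for r in records if is_spoofed_source(r[0])]
    kept = [r for r in records if not is_spoofed_source(r[0])]
    per_source = Counter(r[0] for r in kept)
    per_port = Counter(r[1] for r in kept)
    return {
        "dropped_bytes": sum(r[2] for r in dropped),
        "kept_bytes": sum(r[2] for r in kept),
        "unique_sources": len(per_source),
        "packets_per_source": len(kept) / len(per_source) if per_source else 0.0,
        "top_port": per_port.most_common(1)[0][0] if per_port else None,
    }


def sources_look_randomized(stats, min_sources=25, max_packets_per_source=2.0):
    """Many sources each sending a packet or two is the signature of randomized
    spoofing: blocking individual sources will not help, so the remaining
    controls are destination-side rate limits and port-based filtering.
    The thresholds are illustrative assumptions."""
    return (stats["unique_sources"] >= min_sources
            and stats["packets_per_source"] <= max_packets_per_source)


if __name__ == "__main__":
    stats = triage_udp_flood(SAMPLE_UDP)
    print(stats)
    print("randomized sources:", sources_look_randomized(stats))
```

On the constructed sample the private-range sources account for a third of the bytes and are dropped without any state, while the rest arrive from 31 distinct addresses at roughly one packet each, which is exactly the case where a block list of source IPs buys nothing. The top destination port is still useful: if the target runs no service on it, traffic to that port can be discarded regardless of source.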

In total, attackers launched 10 distinct attack campaigns against Akamai and its customer. The first three attacks were directed at the customer’s web server and, with the exception of the second attack, exceeded 100 Gbps each. After the third campaign, the attackers realized their target was under Akamai’s DDoS protection. At that point, they moved to attack network blocks owned by Akamai. An attack targeting that network block reached a record-breaking peak of 321 Gbps.

A typical company with a standard web server would normally have less than 1 Gbps of bandwidth available at a single datacenter, and the level of attack volume observed in these attacks would result in all services hosted at the target location becoming unavailable.

One of the attacks contained a combination of SYN flood, GET flood, ICMP flood and RESET floods. A GET flood is a TCP-based attack that requires a three-way handshake. This type of DDoS attack is effective because it can deliver a large number of simultaneous connection requests to a web server, consuming server resources and then crashing the website.

Unlike spoofed UDP-based or TCP SYN flood attacks, a GET flood attack usually reveals the true source IPs of the attack. The United States, Germany and China were the primary sources of originating malicious traffic in these DDoS attacks. Intelligence sources indicate the attacks were launched by a collection of bots reporting to a command-and-control host, a classic botnet topology.
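Because a GET flood has to complete the handshake, the client address in the web server's access log is the real one, and that changes what the defender can do: a per-source request rate computed from the log identifies the attacking hosts directly, whereas the same calculation on a spoofed SYN or UDP flood would only list forged addresses. The example below is added here and is not code from the report; the log lines, the client addresses, the 10-second window and the request threshold are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Common Log Format line, e.g.
# 203.0.113.44 - - [05/Oct/2014:10:00:00 +0000] "GET / HTTP/1.1" 200 512
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+$'
)


def parse_line(line):
    """Return (src, timestamp, method, path), or None for a line that does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["src"], ts, m["method"], m["path"]


def build_sample_log():
    """Constructed access-log lines (not data from the report): one ordinary client
    and one client requesting the front page about 15 times a second."""
    base = datetime(2014, 10, 5, 10, 0, 0, tzinfo=timezone.utc)

    def fmt(src, t, path):
        stamp = t.strftime("%d/%b/%Y:%H:%M:%S %z")
        return f'{src} - - [{stamp}] "GET {path} HTTP/1.1" 200 512'

    lines = [fmt("198.51.100.7", base + timedelta(seconds=20 * i), f"/page{i}.html")
             for i in range(3)]
    lines += [fmt("203.0.113.44", base + timedelta(milliseconds=66 * i), "/")
              for i in range(150)]
    lines.append("this line is not in log format and is skipped")
    return lines


def find_get_flood_sources(lines, window=timedelta(seconds=10), max_requests=100):
    """Return {src: peak GET count inside any `window`} for sources above max_requests.

    Since a GET flood completes the TCP handshake, the source field is the real
    client address and a per-source rate limit or block lands on the attacking
    hosts, unlike with spoofed SYN or UDP floods."""
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e[1])
    recent = defaultdict(deque)  # per source: timestamps inside the sliding window
    peak = defaultdict(int)
    for src, ts, method, _path in events:
        if method != "GET":
            continue
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        peak[src] = max(peak[src], len(q))
    return {src: n for src, n in peak.items() if n > max_requests}


if __name__ == "__main__":
    print(find_get_flood_sources(build_sample_log()))
```

The sliding window matters more than the raw count: a legitimate client can easily produce hundreds of requests over a day, but not inside ten seconds, so the peak-per-window value separates the two without a global threshold on total volume. The same output is the list of non-spoofed addresses a mitigation platform would keep monitoring after the attack.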

With record-breaking attack statistics and a mixture of layer 7 and layer 3 attack vectors, this botnet produced significant attack campaigns against the entertainment sector in Asia. Attackers also targeted specific IP blocks in the Akamai infrastructure where their intended victims had been placed for DDoS protection.

Threat intelligence indicates that organized crime could be behind these DDoS campaigns. Attackers are building this botnet by targeting web servers (mainly Linux-based) coupled with client-based infection methods; a number of customer-premises equipment (CPE) devices were also identified during campaign forensic analysis. The attacks were successfully mitigated, and non-spoofed IP source addresses are being monitored within Akamai’s DDoS mitigation platform.

Get the full Q3 2014 State of the Internet – Security Report with all the details

Each quarter Akamai produces an Internet security report. Download the Q3 2014 State of the Internet – Security Report for:

  • Analysis of DDoS attack trends
  • Bandwidth (Gbps) and volume (Mpps) statistics
  • Year-over-year and quarter-by-quarter analysis
  • Application layer attacks
  • Infrastructure attacks
  • Attack frequency, size and sources
  • Where and when DDoSers strike
  • How and why attackers are building DDoS botnets from devices other than PCs and servers
  • Details of a record-breaking 321 Gbps DDoS attack
  • Syrian Electronic Army (SEA) phishing attacks target third-party content providers

The more you know about cybersecurity, the better you can protect your network against cybercrime. Download the free Q3 2014 State of the Internet – Security Report at http://www.stateoftheinternet.com/security-reports today.

About stateoftheinternet.com

StateoftheInternet.com, brought to you by Akamai, serves as the home for content and information intended to provide an informed view into online connectivity and cybersecurity trends as well as related metrics, including Internet connection speeds, broadband adoption, mobile usage, outages, and cyber-attacks and threats. Visitors to www.stateoftheinternet.com can find current and archived versions of Akamai’s State of the Internet (Connectivity and Security) reports, the company’s data visualizations, and other resources designed to help put context around the ever-changing Internet landscape.