Mega DDoS attack activity has skyrocketed in the last year.
During Q1, Akamai mitigated more than 4,500 DDoS attacks, which is a 125% increase compared with Q1 2015. Akamai Technologies’ Q1 2016 State of the Internet – Security Report, the vast majority of these attacks were based on reflection attacks using stresser/booter-based tools.
These tools bounce traffic off servers running vulnerable services such as DNS, CHARGEN and NTP, and amplify the amount of traffic being used. In fact, 70% of the DDoS attacks in Q1 used the reflection-based DNS, CHARGEN, NTP or UDP fragment vectors.
Using firewall data from the perimeter of the Akamai Intelligent Platform, the analysis showed a 77% growth in active Quote of the Day (QOTD) reflectors, a 72% increase in NTP reflectors and a 67% increase in CHARGEN reflectors compared to Q4 2015. Active SSDP reflectors declined by 46%.
So perhaps it’s not surprising that Q1 2016 also set a record for the number of DDoS attacks exceeding 100Gbps: 19. The largest of these mega attacks mitigated by Akamai peaked at 289Gbps. Fourteen attacks relied on DNS reflection methods. To put things in perspective, last quarter, there were only five mega attacks; the previous record was 17, set in Q3 2014.
“We have continued to witness significant growth in the number and frequency of DDoS and web application attacks launched against online assets, and Q1 2016 was no exception,” said Stuart Scholly, senior vice president and general manager, Security Business Unit, Akamai. “Interestingly, nearly 60% of the DDoS attacks we mitigated used at least two attack vectors at once, making defense more difficult. Perhaps more concerning, this multi-vector attacks functionality was not only used by the most clever of attackers, it has become a standard capability in the DDoS-for-hire marketplace and accessible to even the least skilled actors.”
More than half of the attacks (55%) targeted gaming companies, with another 25% targeting the software and technology industry.
During Q4 2015, repeat DDoS attacks became the norm, with an average of 24 attacks per targeted customer in Q4. The trend continued this quarter; targeted customers were attacked an average of 39 times each. One customer was targeted 283 times—an average of three attacks per day.
Web application attacks meanwhile increased nearly 26% compared with Q4 2015. As in past quarters, the retail sector remained the most popular attack target, targeted in 43% of the attacks. But in a shift from last quarter, Akamai saw a 2% decrease in web application attacks over HTTP and a 236% increase in web application attacks over HTTPS. There was also an 87% increase in SQLi attacks compared with the previous quarter.
As in recent quarters, the US was both the most frequent source of web application attack traffic (43%) and the most frequent target (60%). Also, in tracking and analyzing more than two trillion bot requests, so-called good bots represented 40% of the bot traffic, while 50% of the bots were determined to be malicious and were engaged in scraping campaigns and related activity.
Photo © Profit_Image