Akamai Technologies, Inc. announced the availability of the Q1 2015 State of the Internet – Security Report. The quarter’s report provides analysis and insight into the global cloud security threat landscape.

DDoS attack activity soars

Q1 2015 set a record for the number of DDoS attacks, as observed across Akamai PLXrouted network, more than double the number recorded in Q1 2014, a jump of more than 35% compared to last quarter.

However, the attack profile has changed. Last year, high bandwidth and short duration attacks were the norm. But in Q1 2015, the typical DDoS attack was less than 10 gigabits per second (Gbps) and endured for more than 24 hours. There were eight mega-attacks in Q1, each exceeding 100 Gbps. While that was one fewer mega-attack than in Q4 2014, such large attacks were rarely seen a year ago. The largest DDoS attack observed in Q1 2015 peaked at 170 Gbps.

During the past year, DDoS attack vectors have also shifted. This quarter, Simple Service Discovery Protocol (SSDP) attacks accounted for more than 20% of the attack vectors, while SSDP attacks were not observed at all in Q1 or Q2 2014. SSDP comes enabled by default on millions of home and office devices including routers, media servers, web cams, smart TVs and printers to allow them to discover each other on a network, establish communication and coordinate activities. If left unsecured and/or misconfigured, these home-based, Internet-connected devices can be harnessed for use as reflectors.

During Q1 2015, the gaming sector was once again hit with more DDoS attacks than any other industry. Gaming has remained the most targeted industry since Q2 2014, consistently being targeted in 35% of DDoS attacks. The software and technology sector was the second most targeted industry in Q1 2015, with 25% of the attacks.

Compared to Q1 2014

  • 5% increase in total DDoS attacks
  • 83% increase in application layer (Layer 7) DDoS attacks
  • 69% increase in infrastructure layer (Layer 3 & 4) DDoS attacks
  • 8% increase in the average attack duration: 24.82 vs. 17.38 hours

Compared to Q4 2014

  • 24% increase in total DDoS attacks
  • 22% increase in application layer (Layer 7) DDoS attacks
  • 74% increase in infrastructure layer (Layer 3 & 4) DDoS attacks
  • 37% decrease in average attack Duration: 24.82 vs. 29.33 hours

A look at seven common web application attack vectors

For the Q1 2015 report, Akamai concentrated its analysis on seven common web application attack vectors, which accounted for 178.85 million web application attacks observed on the Akamai Edge network. These vectors included

  1. SQL injection (SQLi)
  2. Local file inclusion (LFI)
  3. Remote file inclusion (RFI)
  4. PHP injection (PHPi)
  5. Command injection (CMDi)
  6. OGNL Java injection (JAVAi)
  7. Malicious file upload (MFU)

During Q1 2015, more than 66% of the web application attacks were attributed to LFI attacks. This was fueled by a massive campaign against two large retailers in March, targeting the WordPress RevSlider plugin.

SQLi attacks were also quite common, making up more than 29% of web application attacks. A substantial portion of the SQLi attacks was related to attack campaigns against two companies in the travel and hospitality industry. The other five attack vectors collectively made up the remaining five% of attacks.

The retail sector was the hardest hit by web application attacks, followed by the media and entertainment and hotel and travel sectors 

The growing threat of booter/stresser sites

The menu of easy-to-use attack vectors found in the DDoS-for-hire market can make it easy to dismiss the effectiveness of attackers who use them. A year ago, peak attack traffic using these tactics from booter/stresser sites typically measured 10-20 Gbps per second. Now these attack sites have become more dangerous, capable of launching attacks in excess of 100 Gbps. With new reflection attack methods being added continually, such as SSDP, the potential damage from these is expected to continue increasing over time.

IPv6 adoption brings new security risks

IPv6 DDoS is not yet a common occurrence, but there are indications that malicious actors have started testing and researching IPv6 DDoS attack methods. A new set of risks and challenges associated with the transition to IPv6 are already affecting cloud providers as well as home and corporate network owners. Many IPv4 DDoS attacks can be replicated using IPv6 protocols, while some new attack vectors are directly related to the IPv6 architecture. Many of the features of IPv6 could enable attackers to bypass IPv4-based protections, creating a larger and possibly more effective DDoS attack surface. The Q1 security report outlines some of the risks and challenges that are ahead of us.

SQL injection attacks move beyond data theft

While SQL injection attacks have been documented since 1998, their uses have grown. The effects of these malicious queries can extend well beyond simple data exfiltration, potentially causing more damage than a data breach would have. These attacks can be used to elevate privileges, execute commands, infect or corrupt data, deny service, and more. Akamai researchers analyzed more than 8 million SQL injection attacks from Q1 2015 to uncover the most frequent methods and goals.

Website defacements and domain hijacking

Hundreds of web hosting companies provide web hosting for as little as a few dollars a month. In those cases, the hosting company may host multiple accounts on the same server. This can result in hundreds of domains and sites running under the same server IP address, potentially allowing malicious actors to hijack multiple web sites at once. Once one site has been compromised, a malicious actor can potentially traverse the server’s directories, potentially reading username and password lists, to access files from other customer accounts. This could include web site database credentials. With this information, attackers could gain the ability to change files on every site on the server.