[Q3 2014] Spotlight on a 321 Gbps Attack
stateoftheinternet.com
= high-bandwidth attack on entertainment firm
• 10 distinct attacks over a one-week period
• 8 of 10 attack campaigns were high-bandwidth (100+ Gbps)
• Peak bandwidth of the largest attack: 321 Gbps (a record)
• This multi-vector attack hit:
  ⁄ Layer 7 (application layer)
  ⁄ Layer 3 (infrastructure layer)
• All attacks were successfully mitigated by Akamai
• Source IP addresses remain under watch
2 / [state of the internet] / security (Q3 2014)
= timeline of attacks
• Attackers targeted an Akamai customer and Akamai's DDoS mitigation infrastructure
• First attacks hit a customer's web server
  ⁄ First and third attacks exceeded 100 Gbps
• Next attack targeted an Akamai-owned network block protecting the target
  ⁄ Peak 321-Gbps attack aimed at bypassing DDoS mitigation technology or causing it to fail
• After failing to bypass DDoS protections, attacks resumed on the customer's website
• Attacks persisted from July 12 to July 20, averaging 90 hours
= botnet topology
• The attacks were launched by a collection of bots reporting to a command-and-control (C2) host
• The source IP sending commands was located in Asia
• Bots were worldwide
  ⁄ Most traffic originated in U.S., Germany and China
  ⁄ Another botnet sending attack payloads was located in Korea
• Botnets were built by targeting:
  ⁄ Linux-based servers
  ⁄ Customer-premises equipment
= attack vectors
Multi-vector attacks used multiple types of flood:
• SYN flood
• UDP flood
• ICMP flood
• RESET flood
• GET flood
  ⁄ Note: GET flood attacks usually reveal the actual source IP addresses
• Attackers used mostly SYN flood and UDP flood traffic, often together
= about SYN floods
• Subvert the normal Transmission Control Protocol (TCP) handshake used to establish a valid connection
• Send multiple requests at a rapid rate or send extra-large packets
• Can render an unprotected server unable to respond to legitimate requests
= about UDP floods
• Exploit the User Datagram Protocol (UDP), a common protocol in voice-over-IP (VoIP) and online games
• Do not require establishing a verified connection to initiate communication
• Make spoofing a source IP easy
• Subvert mitigation efforts with spoofed addresses
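The SYN- and UDP-flood behaviour described on the two slides above (bare SYNs that never complete a handshake, connectionless UDP with spoofable sources) is what a defender looks for in flow telemetry. The following is an added example, not Akamai's code or anything from the report: it parses a constructed NetFlow-style record format, scales sampled packet counts, and labels each destination with the flood vectors from the attack-vectors slide plus the report's own "100+ Gbps" high-bandwidth threshold. The record layout, the 1-in-1000 sampling rate and the detection thresholds are assumptions; the sample flows are constructed and use RFC 5737 documentation addresses.

```python
"""Label flood vectors from flow records (added example, not Akamai's code).

Assumed NetFlow-like text layout, one record per line:
    ts proto src dst dport tcp_flags packets bytes
tcp_flags uses tcpdump letters (S, A, P, R, F); "-" means not TCP.
"""
from collections import defaultdict

# Assumed: the exporter samples 1 in 1000 packets, so counts are scaled up.
SAMPLING_RATE = 1000

# Assumed detection thresholds (per destination, after scaling); tune per network.
PPS_THRESHOLD = 100_000          # packets/s of a single flood vector
SYN_TO_ACK_RATIO = 10            # bare SYNs far outnumber completed handshakes
HIGH_BANDWIDTH_GBPS = 100        # the report's definition of "high-bandwidth"

# Constructed sample: a 2-second window, one victim (203.0.113.5) under a
# SYN + UDP flood from spoofed sources, one host (203.0.113.9) seeing only
# ordinary traffic.
SAMPLE_FLOWS = """\
1405123200 tcp  192.0.2.10    203.0.113.5 443 S  1     60
1405123200 tcp  192.0.2.10    203.0.113.5 443 A  4     240
1405123201 tcp  192.0.2.11    203.0.113.5 443 PA 3     1800
1405123200 tcp  198.51.100.7  203.0.113.5 80  S  400   16000
1405123200 tcp  198.51.100.8  203.0.113.5 80  S  300   12000
1405123201 tcp  198.51.100.9  203.0.113.5 80  S  500   20000
1405123201 tcp  198.51.100.10 203.0.113.5 80  S  300   12000
1405123200 udp  198.51.100.20 203.0.113.5 53  -  9000  12600000
1405123201 udp  198.51.100.21 203.0.113.5 53  -  11000 15400000
1405123200 tcp  192.0.2.30    203.0.113.9 443 S  2     120
1405123201 tcp  192.0.2.30    203.0.113.9 443 PA 10    9000
1405123201 icmp 192.0.2.31    203.0.113.9 0   -  1     84
"""


def parse_flows(text):
    """Parse records into dicts; blank lines and '#' comments are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, proto, src, dst, dport, flags, pkts, nbytes = line.split()
        records.append({"ts": int(ts), "proto": proto, "src": src, "dst": dst,
                        "dport": int(dport), "flags": flags,
                        "pkts": int(pkts), "bytes": int(nbytes)})
    return records


def summarize(records):
    """Aggregate per destination: scaled packet/byte rates and per-vector counters."""
    window = max(r["ts"] for r in records) - min(r["ts"] for r in records) + 1
    per_dst = defaultdict(lambda: {"pkts": 0, "bytes": 0, "syn_only": 0,
                                   "ack": 0, "rst": 0, "udp": 0, "icmp": 0})
    for r in records:
        s = per_dst[r["dst"]]
        s["pkts"] += r["pkts"]
        s["bytes"] += r["bytes"]
        if r["proto"] == "tcp":
            if r["flags"] == "S":
                s["syn_only"] += r["pkts"]   # bare SYN: handshake never progressed
            if "A" in r["flags"]:
                s["ack"] += r["pkts"]        # ACK-bearing: handshake completed
            if r["flags"] == "R":
                s["rst"] += r["pkts"]
        elif r["proto"] == "udp":
            s["udp"] += r["pkts"]
        elif r["proto"] == "icmp":
            s["icmp"] += r["pkts"]
    scale = SAMPLING_RATE / window           # sampled count -> packets per second
    for s in per_dst.values():
        s["mpps"] = s["pkts"] * scale / 1e6
        s["gbps"] = s["bytes"] * scale * 8 / 1e9
        s["rates"] = {k: s[k] * scale for k in ("syn_only", "udp", "icmp", "rst")}
    return dict(per_dst)


def classify(summary):
    """Label each destination with the flood vectors seen (empty list = clean)."""
    labels = {}
    for dst, s in summary.items():
        found, r = [], s["rates"]
        if r["syn_only"] >= PPS_THRESHOLD and s["syn_only"] > SYN_TO_ACK_RATIO * s["ack"]:
            found.append("syn_flood")
        if r["udp"] >= PPS_THRESHOLD:
            found.append("udp_flood")
        if r["icmp"] >= PPS_THRESHOLD:
            found.append("icmp_flood")
        if r["rst"] >= PPS_THRESHOLD:
            found.append("rst_flood")
        if s["gbps"] >= HIGH_BANDWIDTH_GBPS:
            found.append("high_bandwidth")
        labels[dst] = found
    return labels


def completed_handshake_sources(records, dst):
    """Sources that completed a TCP handshake to dst, most packets first.
    Bare-SYN and UDP sources may be spoofed; ACK-bearing flows cannot be,
    which is why the slides note that GET floods expose real source IPs."""
    counts = defaultdict(int)
    for r in records:
        if r["dst"] == dst and r["proto"] == "tcp" and "A" in r["flags"]:
            counts[r["src"]] += r["pkts"]
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    recs = parse_flows(SAMPLE_FLOWS)
    summ = summarize(recs)
    for dst, labels in classify(summ).items():
        s = summ[dst]
        print(f"{dst}: {s['gbps']:.2f} Gbps, {s['mpps']:.3f} Mpps, {labels or 'clean'}")
    print("non-spoofed sources:", completed_handshake_sources(recs, "203.0.113.5"))
```

The SYN-flood rule pairs a rate threshold with a SYN-to-ACK ratio so that a busy but healthy server (many SYNs, equally many completed handshakes) is not flagged; the UDP rule can only use rate, because there is no handshake to check, which is exactly why UDP sources are so easily spoofed.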
= attack statistics
• Attack averages
  ⁄ 154 Gbps
  ⁄ 54 Mpps
  ⁄ 90 hours
• Peak attack stats
  ⁄ 321 Gbps
  ⁄ 169 Mpps
• Top three non-spoofed source IP origins
  ⁄ U.S.: 49%
  ⁄ Germany: 21%
  ⁄ China: 19%
= Q3 2014 state of the internet – security report
Download the Q3 2014 State of the Internet – Security Report, which includes:
• Analysis of DDoS attack trends
• Bandwidth (Gbps) and volume (Mpps) statistics
• Year-over-year and quarter-by-quarter analysis
• Application layer attacks and infrastructure attacks
• Attack frequency, size and sources
• Where and when DDoSers strike
• How and why attackers are building DDoS botnets from devices other than PCs and servers
• Details of a record-breaking 321 Gbps DDoS attack
• Syrian Electronic Army (SEA) phishing attacks
• More at www.stateoftheinternet.com/security-reports
= about stateoftheinternet.com
• StateoftheInternet.com, brought to you by Akamai, serves as the home for content and information intended to provide an informed view into online connectivity and cybersecurity trends as well as related metrics, including Internet connection speeds, broadband adoption, mobile usage, outages, and cyber-attacks and threats.
• Visitors to www.stateoftheinternet.com can find current and archived versions of Akamai's State of the Internet (Connectivity and Security) reports, the company's data visualizations, and other resources designed to put context around the ever-changing Internet landscape.