Q3 2014 Web Security Report | SSDP UPnP Devices Used in DDoS Attacks | StateoftheInternet.com


Q3 2014 State of the Internet Security Report – Case Study
Selected excerpts

Prolexic Security Engineering and Response Team (PLXsert) recently released the Q3 2014 State of the Internet Security Report, which spotlights the use of devices other than PCs and servers to build botnets used in distributed denial of service (DDoS) attacks. The case study described in the report is a good example of how the addition of a new class of devices makes attacks more complex, more powerful and more resistant to mitigation.

Malicious actors continually seek ways to expand their resources and create new DDoS attack vectors. They want the capacity to produce large-bandwidth attacks, the ability to make multiple simultaneous connections and the ability to use geographically dispersed resources. Employing these capabilities makes it more difficult for defenders to mitigate DDoS attacks and may cause the defenders to block legitimate traffic and thus suffer collateral damage from large attacks. As a result, malicious actors are involving new types of devices and platforms in their DDoS botnets.

Community efforts to harden and protect PCs and servers from infection by bot malware have increased the time and level of skill required of malicious actors to bypass protections and produce effective exploits. As a result, across many campaigns PLXsert has observed attack signatures that do not match commonly used PC and server bots. This trend has increased over the last two years. The new signatures come from devices such as commercial routers, customer premise equipment (CPE), mobile handheld devices, video conference devices and Internet of Things (IoT) devices. Some of these devices are thought of as low-consumption, low-bandwidth devices, but in a DDoS botnet, leveraging thousands of such devices contributes significant power.
There is a commonality among most embedded devices: they appear transparent to the end user or require above-average skill to access and manage. As a result, they are often unmanaged and unmonitored for lengthy periods of time. Often access to these unmanaged devices is left open with default credentials or with credentials that are exposed to the Internet.

Another sign of malicious actors seeking to expand their range of resources is the appearance of botnet development tools crafted to probe for and find specific signatures and banners of new types of devices. An example of this trend is the scanner tools available on the Internet to identify devices using the Simple Service Discovery Protocol (SSDP). Once these devices have been identified, they are targeted for remote exploitation or reflection abuse. These attacks use devices with open ports and protocols to amplify responses against designated targets, allowing attackers to generate a higher attack volume with fewer resources. Malicious actors' focus on Internet-enabled devices suggests a transition toward a scenario in which a DDoS botnet may not be principally composed of PCs or servers.
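The reflection abuse described above has a recognisable signature on the victim's side: unsolicited UDP traffic from source port 1900 (SSDP) arriving from many distinct reflectors at once. The following detection routine is an added example, not code from the Akamai report or PLXsert; the flow records, IP addresses and thresholds are constructed for illustration.

```python
# Added example (not from the Akamai report): flag likely SSDP reflection
# traffic in flow records. Inbound UDP flows sourced from port 1900 that a
# host never solicited, arriving from many distinct reflectors, are the
# victim-side signature of the reflection abuse described in the text.
# All flow records, addresses and thresholds below are constructed.
from collections import defaultdict

SSDP_PORT = 1900

# Constructed flow records: (src_ip, src_port, dst_ip, dst_port, proto, bytes, packets)
SAMPLE_FLOWS = [
    ("198.51.100.10", 1900, "203.0.113.5", 44123, "udp", 3100, 10),
    ("198.51.100.11", 1900, "203.0.113.5", 44123, "udp", 2950, 10),
    ("198.51.100.12", 1900, "203.0.113.5", 44123, "udp", 3200, 11),
    ("198.51.100.13", 1900, "203.0.113.5", 44123, "udp", 3050, 10),
    ("192.0.2.20", 53, "203.0.113.5", 51000, "udp", 120, 1),       # ordinary DNS reply
    ("198.51.100.10", 1900, "203.0.113.9", 40000, "udp", 310, 1),  # one reply, not an attack
]

def ssdp_reflection_report(flows, min_reflectors=3, min_bytes=5000):
    """Group inbound SSDP-sourced UDP flows by destination host and flag hosts
    hit by at least min_reflectors distinct sources with an aggregate byte
    count of at least min_bytes. Returns {victim_ip: {"reflectors", "bytes",
    "packets"}} for flagged hosts only."""
    per_victim = defaultdict(lambda: {"reflectors": set(), "bytes": 0, "packets": 0})
    for src_ip, src_port, dst_ip, _dst_port, proto, nbytes, npkts in flows:
        if proto != "udp" or src_port != SSDP_PORT:
            continue
        entry = per_victim[dst_ip]
        entry["reflectors"].add(src_ip)
        entry["bytes"] += nbytes
        entry["packets"] += npkts
    flagged = {}
    for victim, entry in per_victim.items():
        if len(entry["reflectors"]) >= min_reflectors and entry["bytes"] >= min_bytes:
            flagged[victim] = {"reflectors": len(entry["reflectors"]),
                               "bytes": entry["bytes"], "packets": entry["packets"]}
    return flagged

def amplification_factor(request_bytes, response_bytes):
    """Bandwidth amplification factor: bytes delivered to the victim per byte
    the attacker sent to the reflector. Used to size the threat from a reflector."""
    return response_bytes / request_bytes

if __name__ == "__main__":
    for victim, stats in ssdp_reflection_report(SAMPLE_FLOWS).items():
        print(f"{victim}: {stats['reflectors']} reflectors, "
              f"{stats['bytes']} bytes, {stats['packets']} packets")
```

In production the same grouping would run over a sliding time window, and a host that is flagged is a candidate for upstream rate limiting or filtering of UDP source port 1900 rather than an outright block of the reflector addresses, which are themselves victims.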


Highlighted campaign

The DDoS attack campaign illustrated in the Q3 2014 State of the Internet Security Report was observed during Q3 2014 using ARM-based payloads. The attack peaked at 215 Gbps and 150 Mpps, and source IPs were identified in countries including the U.S., China, Japan, Korea and Germany. Close to 10 percent of attacking IP addresses involved customer premise equipment (CPE) with payloads matching the Spike toolkit, which is discussed in the Spike DDoS Toolkit Threat Advisory from PLXsert.

DDoS mitigation and community action

Mitigation is needed at both the device level and the administrator level. OEM manufacturers and platform and application developers must take greater care when developing software and firmware for these devices, making security a fundamental part of the development of firmware and applications. Mechanisms must be available to update and patch systems that will eventually become vulnerable over their lifecycle. Industrywide collaboration is necessary to address this growing threat. Hardware vendors and software developers need to address the cleanup, mitigation and management of current and potential vulnerabilities during the lifecycle of these devices.

Get the full Q3 2014 State of the Internet – Security Report with all the details

Each quarter Akamai produces an Internet security report. Download the Q3 2014 State of the Internet – Security Report for:

- Analysis of DDoS attack trends
- Bandwidth (Gbps) and volume (Mpps) statistics
- Year-over-year and quarter-by-quarter analysis
- Application layer attacks
- Infrastructure attacks
- Attack frequency, size and sources
- Where and when DDoSers strike
- How and why attackers are building DDoS botnets from devices other than PCs and servers
- Details of a record-breaking 321 Gbps DDoS attack
- Syrian Electronic Army (SEA) phishing attacks target third-party content providers

The more you know about cybersecurity, the better you can protect your network against cybercrime.
Download the free Q3 2014 State of the Internet – Security Report at http://www.stateoftheinternet.com/security-reports today.

About stateoftheinternet.com


StateoftheInternet.com, brought to you by Akamai, serves as the home for content and information intended to provide an informed view into online connectivity and cybersecurity trends as well as related metrics, including Internet connection speeds, broadband adoption, mobile usage, outages, and cyber-attacks and threats. Visitors to www.stateoftheinternet.com can find current and archived versions of Akamai’s State of the Internet (Connectivity and Security) reports, the company’s data visualizations, and other resources designed to help put context around the ever-changing Internet landscape.

