Slideshow: Q3 2014 SSDP UPnP Devices DDoS Attacks from StateoftheInternet.com


Q3 2014 State of the Internet: Security Report Case Study


Botnets of New Types of Devices

• As system hardening tactics and protection for PCs and servers have strengthened, attackers have shifted their attention to a new class of devices for building DDoS botnets:
  • Commercial routers
  • Customer-premise equipment (CPEs)
  • Mobile handheld devices
  • Video conference devices
  • Internet of Things (IoT) devices
• A DDoS botnet can leverage thousands of low-bandwidth devices for a large attack

©2014 AKAMAI | FASTER FORWARD™


Unmanaged and Unmonitored Devices

• Several factors make Internet-enabled embedded devices vulnerable to abuse:
  • Insecure configurations
  • Outdated firmware
  • Lack of management and user interface to correct and update security issues
  • Lack of detection mechanisms
  • Unrestricted uploads
• With more than 160 million wireless access points worldwide, these vulnerabilities represent a significant risk



SSDP Reflection Attacks

• A recently discovered botnet development tool crafted to probe and find devices using the Simple Service Discovery Protocol (SSDP) reveals a powerful new attack vector:
  • SSDP permits networked devices to find each other and establish a network connection
  • Scans have discovered more than 17 million SSDP-enabled devices
  • Malicious actors target these devices for reflection and amplification attacks



Devices Using SSDP

• SSDP is the basis of the discovery protocol of Universal Plug and Play (UPnP)
• SSDP is enabled on millions of Internet-connected devices:
  • Routers
  • Network cameras
  • Smart TVs
  • Desktop computers
  • Laptops
• Akamai research reveals that 38 percent of such devices in use may be susceptible to abuse



Highlighted Campaign

• This new class of devices supports larger, more complex attacks
  • High bandwidth consumption: 215 Gbps
  • Processing power consumption: 150 Mpps
  • Geographical distribution: U.S., Europe, and Asia
• Almost 10 percent of IP addresses involved customer premises equipment devices (CPEs) with payloads that matched the Spike DDoS Toolkit



Geographical Dispersion of Source IPs

This figure shows the distribution of source IPs from a Q3 2014 attack. The new class of devices allows wider geographic distribution of attack sources, which creates greater complexity when mitigating DDoS campaigns.


DDoS Mitigation and Community Action

• Mitigation is needed at both the device level and the administrator level
• Security must be a fundamental part in the development of device firmware and applications
• Mechanisms must be available to update and patch systems that will eventually fall vulnerable over their lifecycle
• Industrywide collaboration is necessary to address this growing threat
• Hardware vendors and software developers are needed to address the cleanup, mitigation and management of current and potential vulnerabilities during the lifecycle of these devices



Q3 2014 State of the Internet – Security Report

Download the Q3 2014 State of the Internet – Security Report, which includes:

• Analysis of DDoS attack trends
• Bandwidth (Gbps) and volume (Mpps) statistics
• Year-over-year and quarter-by-quarter analysis
• Application layer attacks and infrastructure attacks
• Attack frequency, size and sources
• Where and when DDoSers strike
• How and why attackers are building DDoS botnets from devices other than PCs and servers
• Details of a record-breaking 321 Gbps DDoS attack
• Syrian Electronic Army (SEA) phishing attacks
• More at www.stateoftheinternet.com/security-reports



About stateoftheinternet.com

• StateoftheInternet.com, brought to you by Akamai, serves as the home for content and information intended to provide an informed view into online connectivity and cybersecurity trends as well as related metrics, including Internet connection speeds, broadband adoption, mobile usage, outages, and cyber-attacks and threats.
• Visitors to www.stateoftheinternet.com can find current and archived versions of Akamai’s State of the Internet (Connectivity and Security) reports, the company’s data visualizations, and other resources designed to put context around the ever-changing Internet landscape.


