First off, full disclosure, I work for Akamai as my day job. I don’t want any illusion on the point as I discuss the latest State of the Internet report that I was fortunate enough to be a part of creating. That being said, it was an interesting quarter.
Last quarter shed some light on some interesting developments with regards to Distributed Denial of Service (DDOS) as attackers tried their hand at various different approaches. We hear. time and again, about DDoSdistributed denial of service attacks and theis last most recent quarter gave rise to one of significant volume. This example was a rather significant attack that was a confirmed 363 Gbps of attack traffic against a media organization customer in Europe. Nothing to sneeze at to be certain. Is your organization in a position to sustain operations while weathering an attack of this magnitude?
As we have seen more frequently of late, this was a multi vector attack. Tto put a fine point on it, this attack made use of multiple different vectors in the attacker’s futile attempt to take down their intended target. They made their attempt using the following vectors: SYN, UDP fragments, push, tcp, DNS and UDP floods. The only thing they forgot to throw in was the kitchen sink.
Over the last few quarters Akamai has noticed an uptick in the number of attacks against sites that have DNSSEC configured domains. DNS open resolvers continue to rise and attackers are taking advantage of this by capitalizing on them to amplify their attack traffic. A great deal of this can be traced back to botnets that have been built out as the commoditization of DDoS continues to spread.
Now, in addition to this type of attack, we also see that the criminal element has been leveraging tactics to obfuscate their origin and identity when launching web attacks to obfuscate their origin and identity. These attackers have been demonstrating an increased use of anonymization services to help to cover their digital footprints in the binary sand. Like with any criminal with a lick of ny sense about them, the last thing attackers they want is to get pinched by law enforcement. Subsequently we have seen an increased amount of use of attackers leveraging virtual private networks (VPNs) and proxies when launching web application attacks.
There are differences between the traditional VPN services and anonymizing ones. Traffic from between the client and the VPN service is encrypted and the IP address of the client is masqueraded. Pretty standard, but, when you look at an anonymization service they will promise any number of things, the most basic being like not storing any logging information on their customers. This is not always the case as one Lulzsec member discovered in September 2011 when his VPN provider was served with a court order to turn over logs, which they claimed they didn’t keep.
Another thing that attackers have to contend with is the throttling of bandwidth over anonymization services. As a result, they leverage third party booted and stressor platforms to launch their attacks. These services would be paid for with Bitcoin in an effort to further obfuscate their identity and avoid detection.
Be sure to check out the latest copy of the State of the Internet Report which is out today September 14, 2016. for more in-depth discussion on denial of service attacks and anonymization efforts of the attackers.