Woohoo! The World Cup is coming! That\u2019s what I would say if I wasn\u2019t a stereotypical American who knows almost nothing about football (soccer to us Americans). Or a stereotypical security geek who knows almost nothing about our own handegg sporting events. I\u2019m not really interested in either form of football. However, I am interested in understanding an event that draws interest from around the Internet and what it means to the security of the event, the organizations supporting it, and all the properties that have nothing to do with the event, yet somehow draw an attacker\u2019s ire anyway.Looking back at the 2014 World Cup, we saw five attacks that showed strong indicators that the event was influencing attack traffic at a national level. The day of the Brazil vs. Croatia match, attack traffic originating from Croatia was nearly eight times higher, specifically targeting a Brazilian financial institution. Most of the traffic came in the form of SQL injection. Maybe the attackers were hoping the Security personnel would be more interested in watching the game than their computer screens and they\u2019d slip through?\u00a0The Spain vs. Netherlands game drove a different sort of attack, most likely by an unhappy fan. The target was actually the sports page of a Dutch newspaper, specifically the story covering the Dutch team\u2019s win. If no one can read the news, did it actually happen? Sorry, but yes, it did.But even geeks sometimes watch football. Both the Chile vs. Australia and Cote D\u2019Iviore vs. Japan matches saw an initial down turn in general web traffic, followed by a wave of DDoS and application attacks, once it was clear who the winner would be. If you can\u2019t distract the other team using a vuvuzela, I guess taking your enemy\u2019s site off-line is the next best thing.Enough about the past, what do we expect to see in the future? The location of the World Cup and any politics related to the region always influence attack traffic. There was evidence of politically motivated DDoS attacks during the event in Brazil, and there is little reason to believe this would be any different for an event in Russia. It\u2019s very hard to track the actual source of these sort of attacks; we can tell where the traffic came from, but it\u2019s nearly impossible to pinpoint where the attacker is without considerable effort.Game time distractions onlineWe predict enthusiastic fans will attack the web sites of their opponents this World Cup too, especially as we get closer to the finals. There are numerous DDoS-for-hire sites available, which means that someone with little technical skill, but a fat bitcoin wallet can rent a volumetric DDoS attack for the duration of a game, if they want -- with little trouble. Though they might want to be careful, as Europol and other law enforcement organizations have recently taken down the Webstressor service and are following up with some of its customers in person.\u00a0The United States has long been the biggest target and generator of all types of attacks on the Internet, whether it\u2019s DDoS or application attacks, but we don\u2019t have a team in this year\u2019s competition. Does this mean that attack traffic will be diverted from the U.S. to other targets related to the World Cup? Well, yes and no. It is likely that there will be subtle shifts to the threat landscape because of an increased focus on Russia, but it probably won\u2019t be a significant portion of the overall traffic. To put it another way, the additional attack traffic headed toward the targets will be huge from their point of view, but when compared to the sum of the world\u2019s traffic, it won\u2019t be that noticeable.Similar to the larger trends in DDoS, reflection attacks will continue to be the main tool of choice. DNS, NTP, CharGEN and SSDP are always the primary suspects, though there\u2019s a slim possibility that a new attack vector could be released during the World Cup. The security response to the discovery of memcached as a reflector clamped down that vector quickly this past April, but a new vector could pose a significant threat to sites and video streams if it was used correctly.\u00a0Hackers going for the goalWe saw evidence of web application attacks that appeared to be timed to coincide with specific games, but that could be more incidental than coordinated. There is anecdotal evidence of attackers who\u2019ve used DDoS attacks to distract defenders from attacks against other systems in the past. As mentioned, during the Croatia vs. Brazil game there was an upturn in SQLi attacks, but it\u2019s not quite conclusive evidence.While it\u2019s not exactly a DDoS or a traditional web application attack, one of the biggest threats we expect the average user will be aware of is the use of bots to buy event tickets. Bots being trained to buy tickets or products, like shoes, are a known problem at most events, so it\u2019s almost certain that there are organized efforts to purchase tickets for scalping. There\u2019s a constant dance between event organizers and criminals who want tickets for resale, something Akamai is interested in helping combat.One final point regarding what to expect from the upcoming World Cup:\u00a0 criminals love major sporting events. Akamai has soon-to-be-released research on account takeover attempts against hotel and travel sites, highlighting where these attacks are coming from. While it probably won\u2019t surprise many people to see that many of the credential abuse attempts we see come from Russia, the sheer number of these attacks we see on a daily basis might.\u00a0It\u2019s almost certain that there will be attacks motivated by national pride. It\u2019s equally certain, that bad guys will see a heavily attended (both physically and virtually) event like the World Cup as too attractive to ignore. If your organization is directly or indirectly associated with the World Cup, plan for an increase in attacks, even if there\u2019s no logical reason you think you\u2019d be a target. Sometimes, even having a name similar to another target or being in the same region as a hated opponent is enough reason for someone to send a DDoS your way.