Types of attacks. Why are they important
• Combination of vectors for mega-attacks: hybrid botnet
• 1/3 of the time, NTP is used in combination with other vectors
• NTP: malicious actors are using the NTP-APM attack tool. We expect NTP-APM attacks to grow faster than DNS attacks in the next few quarters
• Multidomain DNS reflection attacks showed up for the first time ever
• TFTP floods: started slow last quarter but growing now. We expect to see more (amplification factor x35)
Types of attacks. More findings
• May: campaign against the gaming industry
• More single-vector attacks: malicious actors (not very qualified) launching rogue attacks. We expect this trend to revert in the future
It is Not all Doom and Gloom!
• Void extortion attempts were not successful
• The value of NTP amplification attacks has been reduced because the 'monlist' query was patched
• Hacker known as "Guccifer" was caught
Scrubbing Centers in Action
363 Gbps, 57 Mpps DDoS attack targeting a large European media company
Six vectors including DNS reflection, SYN, PUSH, TCP, and UDP floods, UDP fragment
Kaiten STD botnet: targeting networking devices in SOHO and IoT devices
List of recommendations available in the Threat Advisory
Traffic absorbed per scrubbing center during the attack (chart; the six centers sum to the 363 Gbps / 57 Mpps peak):
Ashburn      76 Gbps   12 Mpps
Frankfurt    94 Gbps   15 Mpps
Hong Kong    33 Gbps    5 Mpps
London       98 Gbps   15 Mpps
San Jose     18 Gbps    3 Mpps
Tokyo        44 Gbps    7 Mpps
SOURCE COUNTRIES
Top 10 Countries by Source IP (chart values):
Vietnam 1816, Brazil 1538, Colombia 1105, Taiwan 951, Mexico 499, China 480, India 470, Russia 390, Thailand 295
What Can You Do
• Review your playbook with IT and security staff
• Proactively identify critical services
• Keep a current network diagram and an inventory of IT infrastructure and assets
• Ensure all critical staff are either available or have a designated backup
• Keep IT management in the loop (corporate dealings, political overtones, ...)
• Closely monitor social network/blog activity about your company
• Check corporate-sponsored blogs, etc., for inflammatory postings
• Don't ignore mails, texts, etc., about extortion and threats
• Alert law enforcement
• Avoid paying ransoms
• Stay in close contact with your security provider's SOC
Disclaimer
• SOTI analysis excludes traffic from commercial web vulnerability scanning
• Shellshock has been removed (it is typically scanning activity)
Evolution of Top Attack Source Countries (stacked chart: 0-100% share of attacks per quarter, Q2 2015 through Q2 2016, for US, Brazil, Germany, Russia, China and Rest)
by extending the security perimeter outside the data-center and protect from increasing frequency, scale and sophistication of web attacks.
Improve performance of your content – Cache content
Cache is King. Including API responses!!!
Bandwidth is not the answer
Faster mobile speeds (chart: average 4G bandwidth in the UK, 2013 to 2020, with values of 2, 6.5, 10 and 18 Mbps)
More bandwidth isn't a magic bullet for web performance (charts: page load time against bandwidth from 1 to 10 Mbps, and page load time against latency from 200 ms down to 20 ms)
New Fast Purge creates more opportunity. Beep Beep!!
All devices are not created equal: 24,093 unique devices, August 2015
All devices are not created equal (chart: image decode times per device, ranging from 103 ms to 2.6 s)
Akamai can help your Mobile Websites with:
• ACCELERATION: content delivery, expedited rendering, caching, image / route / protocol optimization
• REDUCED INFRASTRUCTURE: network traffic management, network storage
• SIMPLIFIED DEVELOPMENT: intelligence on end user device, location, browser
Akamai can help you via Cellular Networks:
• CONTENT ACCELERATION
• REDUCED INFRASTRUCTURE: global deployment/access, platform deployment on the mobile core networks
What can Akamai do with Cellular Networks? Getting closer to end users (diagram: Radio Access Network, Mobile Core, Internet; Carrier today, Akamai today, Akamai future; end users)
Slow Mobile Apps (chart): switch to a competitor's app 34%; less likely to purchase 31%; negative brand perception 24%. Source: Forrester
48 percent of businesses increased spending on mobile apps in 2014. Source: CDW
Akamai can help your Mobile Apps with:
• API OPERATIONS: metering, throttling, authorization/authentication
• API ACCELERATION: content acceleration, route optimization, protocol optimization, caching
• API RESPONSE: API development, conditional API routing at the edge
• MEDIA SUPPORT: image optimization
Proof Point: API Acceleration on Akamai. North American bank, online banking app (chart: app response time in seconds, North America, origin vs. Akamai, over carrier and over WiFi): +52% performance improvement over cellular, +71% performance improvement over WiFi
Embrace the network: Mobile SDK to make real-time decisions at the edge based on true network performance
Web. Source: http://archive.org/web (screenshots from 1997, 2004, 2009, 2016)
• Explosion in images online
• Diversity in endpoints
• Mobile Internet
Engagement: rich, attractive images increase online engagement. Diversity in devices and browsers introduces challenges. Both challenge and opportunity for online business lie in mobile.
Improve performance of your content - Images
(main, zoom, thumbnail) x 4 formats (jpeg, WebP, j2k, jpgXR) x 2 aspect ratios x 3 qualities
= 288 images (files) per product
* This does not include art direction or HD images
... best defence against poor performance
2. The mobile landscape makes it hard to deliver
3. Optimise where you can to give yourself the best chance of good performance in poor conditions
4. Embrace a poor network
metrics indicated changes in the tools that booter/stressor sites and botnets are using. Multi-vector attacks dropped 10 percentage points from the previous quarter, accounting for 49% of all attacks. The increase in single-vector attacks seems to be the result of rogue attackers, with a single malicious actor running a particular attack tool alone. This trend is expected to revert to a greater incidence of multi-vector attacks. Single-vector attacks observed so far typically carry a smaller punch than a multi-vector combination run from a booter framework.

We also identified a trend in attacks greater than 300 Gbps. Where in the past these attacks were composed primarily of padded SYN and UDP flood payloads, the latest attacks contained other vectors, including reflection attacks. These attacks could indicate a new hybrid botnet that combines traditional attack tools spread on a wider scale.

Web application attacks shifted this quarter. For the first time since this data was reported, the US fell to second as an attack source country. Instead, Brazil took the top spot due to a 197% increase in attacks. This quarter also posted new highs for SQL injection (SQLi) and remote file inclusion (RFI) attacks, with 7% and 57% increases over last quarter respectively. These web application attacks were also higher than in Q2 2015.

DDoS Extortion Attempts / In recent months, there have been many news reports generated about attackers making extortion threats. It was a simple recipe. First, the attackers launched a burst of DDoS traffic. Then, they contacted the victim via email and demanded payment in exchange for a promise not to attack again. This demand was almost exclusively a request for bitcoins, in an attempt to avoid the money being traced back to the attackers. Shortly thereafter, copycats began making threats without launching any attacks.
In a cursory examination of several extortion-related emails, we found the associated bitcoin wallets in each case had no recorded transactions. It appears that the targets were getting wise and not paying up. For the sake of clarity, this is not to say that all extortion attempts will be hand-waving actions with no substance — quite the contrary. Other attackers followed through on their extortion-related threats, making it difficult for any targeted organization to discern whether a threat is legitimate. This uncertainty reinforces the need for security controls to mitigate DDoS attacks.
Source Countries / China frequently appears as a top DDoS source country, a trend that continued this quarter with 56% of activity. Although China's increase was large, when compared with Q2 2015, it represents a 75% decrease in sources. Much of this is due to the decrease in application layer attacks, which means fewer attacks can be confirmed as non-spoofed traffic. Also, UDP attacks, including reflection attacks, are not considered in this statistic. This quarter we saw Turkey end its streak as a top 10 source country for DDoS attacks, a trend that began in Q4 2015. After the US, in second place at 17%, the rest of the top 10 list was populated by countries seldom seen as DDoS sources. Taiwan (5%), Canada (4%), and Vietnam (4%) rounded out the top five. Canada appeared for the first time this quarter.
DDoS Attacks by Target / Akamai began looking at a new statistic in Q4 2015: the average number of attack events per customer. In looking back at Q1 2015, we saw an average of 15 attack events per customer, which climbed to 29 in Q1 2016 and fell slightly to 27 this quarter, as shown in Figure 2-12. One customer experienced 373 attack events this quarter, an average of four attacks per day. While most of these attacks were of relatively short duration and limited effect, the repeated hammering of the site was a serious threat to the organization. High value sites are attacked more frequently, because even a slight weakening in their defenses may reward the attacker with a significant return on the time spent. In general, we believe the increase in repeat attacks was driven by the use of stressor/booter botnets. Gaming companies continued to be the most popular target of repeat attacks, because even a minor degradation of their connectivity can greatly affect their audience of online gamers.
20, Akamai mitigated one of the largest confirmed DDoS attacks of the year on our routed network. The attack targeted a European media organization and was comprised of six DDoS attack vectors: SYN, UDP fragment, PUSH, TCP, DNS, and UDP floods. It peaked at 363 Gbps and 57 Mpps. The attack analysis identified a DNS reflection technique that abused a DNSSEC-configured domain. This attack technique generates an amplified response due to the requirements of DNSSEC. During the past few quarters, Akamai observed and mitigated a large number of DNS reflection and amplification DDoS attacks that abuse DNSSEC-configured domains. As with other DNS reflection attacks, malicious actors continued to use open DNS resolvers for their own purposes, effectively using these resolvers as a shared botnet. The source domain was observed in DDoS attacks against customers in multiple industries. It was likely the work of malicious actors making use of a DDoS-for-hire service with purchased virtual private server (VPS) services, public proxies, and legacy botnets. It appeared to have the ability to launch multiple simultaneous attack vectors, such as the ones used in this attack.

Part of the SYN flood matched a signature from the Kaiten STD botnet. Akamai SIRT has been investigating a malware variant of Kaiten STD that specifically targets networking devices used in small-office and home-office (SOHO) environments and Internet of Things (IoT) devices. The malware has an extensive list of attack vectors and the capability to execute arbitrary commands and take full control of an infected system. The Kaiten STD malware is packed with a custom packer/encoder to hinder analysis. It is compiled to run on multiple architectures (MIPS, ARM, PowerPC, x86, x86_64) and uses a custom Internet Relay Chat (IRC)-like communication protocol for command and control (C2) communications.
The UDP flood could also have been generated by the Kaiten std botnet, a similar variant, or an entirely different botnet. The payload was too generic to draw a strong conclusion. This SYN flood can be identified by the length of its TCP headers and options.
Reflection
§ Uses UDP packets with forged source headers
§ Attacker targets an intermediate server: DNS, NTP, etc.
§ Server replies to the forged source, sending traffic to the victim
§ Victim does not know the source of the attack
Amplification
§ Attacker makes a query to the intermediate server
§ The query is small but the answer is large
§ The difference allows a small botnet to send lots of small queries and still hit with a lot of traffic
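The two properties described above give the victim side a clear signature: replies from well-known UDP service ports (DNS 53, NTP 123, TFTP 69, and so on) that the victim never requested, arriving from many distinct servers, with packets far larger than any query. The following detector, an added example that is not Akamai's code, applies exactly that logic to flow records. All flow records, the local prefix 203.0.113.0/24 and the reflector addresses are constructed from documentation ranges; the thresholds `min_sources` and `min_avg_octets` are assumptions to be tuned per network.

```python
"""Victim-side detection of UDP reflection/amplification traffic from flow records.

Added example, not Akamai's code. The flow records below are constructed;
the local prefix and the reflector addresses are documentation ranges.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# UDP service ports commonly abused as reflectors. At the victim they appear
# as the *source* port of the amplified replies.
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 69: "TFTP", 161: "SNMP", 1900: "SSDP"}


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str      # "udp" or "tcp"
    packets: int
    octets: int


def detect_reflection(flows, local_net, min_sources=3, min_avg_octets=400):
    """Flag (victim, service) pairs receiving unsolicited, large UDP replies
    from many distinct servers on a reflector port.

    Reflection shows up as replies the victim never asked for (the request
    carried the victim's forged source address); amplification shows up as
    a high average packet size compared with the tiny request."""
    net = ipaddress.ip_network(local_net)

    def is_local(ip):
        return ipaddress.ip_address(ip) in net

    # Requests that local hosts really sent: (client, server, server port).
    # A reply matching one of these is legitimate, not reflected.
    solicited = {
        (f.src_ip, f.dst_ip, f.dst_port)
        for f in flows
        if f.proto == "udp" and is_local(f.src_ip) and not is_local(f.dst_ip)
    }

    groups = defaultdict(lambda: {"sources": set(), "packets": 0, "octets": 0})
    for f in flows:
        if f.proto != "udp" or f.src_port not in REFLECTOR_PORTS:
            continue
        if not is_local(f.dst_ip) or is_local(f.src_ip):
            continue                      # only inbound traffic from outside
        if (f.dst_ip, f.src_ip, f.src_port) in solicited:
            continue                      # genuine reply to our own query
        g = groups[(f.dst_ip, REFLECTOR_PORTS[f.src_port])]
        g["sources"].add(f.src_ip)
        g["packets"] += f.packets
        g["octets"] += f.octets

    findings = {}
    for key, g in groups.items():
        avg = g["octets"] / g["packets"] if g["packets"] else 0.0
        if len(g["sources"]) >= min_sources and avg >= min_avg_octets:
            findings[key] = {
                "sources": len(g["sources"]),
                "packets": g["packets"],
                "octets": g["octets"],
                "avg_packet_octets": round(avg, 1),
            }
    return findings


# Constructed sample: five DNS reflectors send ~1200-byte replies to
# 203.0.113.10; 203.0.113.20 makes a normal query and gets a normal answer;
# two NTP sources hit 203.0.113.10 but stay below the distinct-source threshold.
CONSTRUCTED_FLOWS = [
    Flow(f"198.51.100.{i}", 53, "203.0.113.10", 443, "udp", 1000, 1_200_000)
    for i in range(1, 6)
] + [
    Flow("203.0.113.20", 40001, "192.0.2.53", 53, "udp", 1, 70),
    Flow("192.0.2.53", 53, "203.0.113.20", 40001, "udp", 1, 512),
    Flow("198.51.100.7", 123, "203.0.113.10", 443, "udp", 500, 240_000),
    Flow("198.51.100.8", 123, "203.0.113.10", 443, "udp", 500, 240_000),
    Flow("198.51.100.9", 53, "203.0.113.10", 443, "tcp", 10, 6_000),
]

if __name__ == "__main__":
    for (victim, service), info in detect_reflection(CONSTRUCTED_FLOWS, "203.0.113.0/24").items():
        print(f"{victim}: likely {service} reflection from {info['sources']} sources, "
              f"{info['packets']} packets, avg {info['avg_packet_octets']} bytes/packet")
```

The `solicited` set is what separates reflection from ordinary DNS or NTP answers: a reply is only suspicious when no local host sent the matching request. On a real network the flow export window must cover both directions, and the distinct-source threshold should be raised well above three, since a single open resolver answering a handful of stale queries will otherwise look like a reflector.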
majority of web application attacks continued to be conducted over HTTP, with only 23% of attacks using HTTPS — a 7% drop from the previous quarter. It is likely that SQLi attacks are less common against encrypted portions of sites in large part because there are so many tempting targets on HTTP pages. A large percentage of websites either don't use HTTPS for their web traffic or use it only to safeguard certain sensitive transactions (such as login requests). However, HTTPS-based attacks still account for millions of attack alerts each quarter. Encrypting connections over HTTPS only affords protection to the data in flight. It does not provide any protection mechanisms for web applications, and attackers tend to shift to HTTPS to follow through on vulnerable applications.
Countries Top 10 Source and Target Countries / In Q2, Brazil was the main source of web application attacks for the first time since we began publishing the State of the Internet / Security Report, accounting for 25% of attack traffic, as shown in Figure 3-4. This is a 13% increase from last quarter, based largely on a series of attack campaigns in April against the hotel industry. The US was the second-largest source country at 23%, a huge drop from 43% in Q1. They were followed by Germany with 9% and Russia with 7%. The web application attacks we analyzed occurred after a TCP session was established. Due to the use of tools to mask the actual location, the attacker may not have been located in the country detected. These countries represent the IP addresses for the last hop observed.
industries / Figure 3-7 lists the number of attack triggers observed for all industries we classified, followed by their percentage of attacks as a whole. Industries not included in Figure 3-6 are shown in red. This level of granularity is important for understanding future attack trends. For example, although the pharmaceutical/healthcare industry only accounted for 0.31% of web application attack triggers in Q2, the presence of 899,827 attack triggers still provides a valuable dataset for in-depth research. In fact, this number is three times higher than Q2 last year, showing this industry is being increasingly targeted. Medical records are extremely valuable in the black market. While other industries do not top the list, they still face substantial and unique risks. By examining them closely, we can see the beginnings of threats to come by analyzing trends over time observed within our platform.
of Anonymizing Services in Web Attacks / Organizations interested in attack attribution often wonder how much web attack traffic comes from anonymizing services. Determining the true origin of web application attacks, however, is challenging. Common sense implies that malicious actors would strive to anonymize their activities and masquerade their source traffic to prevent traceback efforts. For this report, Akamai's Threat Research Team analyzed web attack traffic and quantified the usage of anonymizing services such as virtual private networks (VPNs) and proxies in web application layer attacks. In addition, we identified which attack types tend to be launched behind anonymizers, along with a distribution of the source and target countries of these attacks.

Anonymizing services: Proxies and VPNs / Using the Internet anonymously requires techniques that reduce the footprint of the user, as well as the user's identity and Internet client. Many online articles (e.g., The ultimate guide to staying anonymous and protecting your privacy online 2) describe how to obscure one's online footprints, and most of them include one or more of the following approaches:
1. Delete browser cache and cookies regularly (or browse using incognito mode)
2. Block JavaScript and other client-side technologies that can be used for browser environment fingerprinting (e.g., HTML5 features, Flash, Silverlight)
3. Use an HTTP proxy when applicable (with a high anonymity level)
4. Use the Tor network (see the Q2 2015 State of the Internet / Security Report)
5. Use an anonymizing VPN service

a third of the web attacks we observed originated from anonymizing VPN services and proxies, a ratio substantially higher than the 20% of all traffic that comes from VPNs and proxies. Web attackers likely have two main reasons for using anonymizing services:
• Anonymity: hackers naturally prefer to perform their actions in a manner that will be untraceable to law enforcement organizations.
• Bypassing geo-location restrictions: many websites deploy geographical restrictions on the source IP address, blocking access from countries where they do not do business.
We would like to note that while this discussion concentrated on malicious web activity, not all activity routed through proxies and VPNs is malicious. For example, many data mining services, business analytics, web scraping, and automated shopping bots also use anonymizing services, which allow them to load balance their activity and make it less detectable.
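The measurement described above (share of attacks behind anonymizers versus share of all traffic, broken down by attack type) can be reproduced on WAF logs once each request is tagged with two signals: whether its source IP falls in a known proxy/VPN range, and whether it carries a forwarding header that a non-transparent proxy adds. The script below is an added example, not the Threat Research Team's analysis code; the anonymizer ranges are hypothetical documentation prefixes standing in for a curated proxy/VPN feed, and the request records are constructed so that the ratios come out near the report's one-third and 20% figures.

```python
"""Quantify how much web attack traffic arrives through anonymizing proxies and VPNs.

Added example, not Akamai's analysis code. Anonymizer ranges are hypothetical
documentation prefixes; request records are constructed.
"""
import ipaddress
from collections import Counter

# Hypothetical anonymizer ranges; a real deployment loads a curated proxy/VPN
# feed here instead.
ANONYMIZER_NETS = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.128/25")]
# Headers that non-transparent proxies add (transparent ones do not announce themselves).
PROXY_HEADERS = {"via", "x-forwarded-for", "forwarded"}


def via_anonymizer(req):
    """True if the request's source IP or headers point to a proxy/VPN."""
    ip = ipaddress.ip_address(req["src_ip"])
    if any(ip in net for net in ANONYMIZER_NETS):
        return True
    return any(name.lower() in PROXY_HEADERS for name in req["headers"])


def anonymizer_share(requests):
    """Return (share of all requests, share of attack requests, share per attack type).

    'attack' is the WAF classification already attached to each record
    (None for benign traffic)."""
    total, anon = Counter(), Counter()
    for req in requests:
        kind = req["attack"]
        total["all"] += 1
        if kind:
            total["attack"] += 1
            total[kind] += 1
        if via_anonymizer(req):
            anon["all"] += 1
            if kind:
                anon["attack"] += 1
                anon[kind] += 1
    per_type = {k: anon[k] / total[k] for k in total if k not in ("all", "attack")}
    attack_share = anon["attack"] / total["attack"] if total["attack"] else 0.0
    return anon["all"] / total["all"], attack_share, per_type


def rec(src_ip, attack=None, headers=()):
    """Build one constructed request record."""
    return {"src_ip": src_ip, "attack": attack, "headers": dict.fromkeys(headers, "x")}


# Constructed sample: six attack requests (two behind anonymizers) and nine
# benign requests (one behind an anonymizer).
CONSTRUCTED_REQUESTS = [
    rec("198.51.100.12", "SQLi"),                        # source in anonymizer range
    rec("192.0.2.40", "SQLi"),
    rec("192.0.2.41", "SQLi"),
    rec("192.0.2.42", "RFI", headers=("Via", "Host")),   # proxy header present
    rec("192.0.2.43", "RFI"),
    rec("192.0.2.44", "LFI"),
    rec("203.0.113.200"),                                # benign, anonymizer range
    *[rec(f"192.0.2.{i}") for i in range(50, 58)],       # benign, direct
]

if __name__ == "__main__":
    overall, attacks, per_type = anonymizer_share(CONSTRUCTED_REQUESTS)
    print(f"all traffic via anonymizers: {overall:.0%}")
    print(f"attack traffic via anonymizers: {attacks:.0%}")
    for kind, share in sorted(per_type.items()):
        print(f"  {kind}: {share:.0%}")
```

The header signal needs one caveat in production: any request that has already passed through a CDN or corporate reverse proxy carries `X-Forwarded-For` too, so the header check must be applied to the hop before your own edge, or restricted to values that do not match your own infrastructure.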
Extortion occurs in two phases:
Attack
§ The attacker will hit the target with a medium to large DDoS (3-6 Gbps)
Demand
§ The attacker demands payment to stop the attack and threatens additional attacks
§ The rise of bitcoin has enabled these attacks, as it allows for quick, anonymous payment. Demands are usually in bitcoins.
§ Some attackers are CDN aware and will launch direct-to-origin DDoS attacks, bypassing some defenses
Ransom letter: "We'll begin attack on Tuesday 06-09-2016 8:00 p.m.!!!!!"

"EXS" Attack!!! "EXS"
We are a HACKER TEAM - Armada Collective
1 - We have checked your information security systems, setup is poor; the systems are very vulnerable and obsolete.
2 - We'll begin attack on Tuesday 06-09-2016 8:00 p.m.!!!!!
3 - We'll execute some targeted attacks and check your DDoS servers by the 10-300 Gbps attack power
4 - We'll run a security breach test of your servers through the determined vulnerability, and we'll gain the access to your databases.
5 - All the computers on your network will be attacked for Cerber - Crypto-Ransomware
6 - You can stop the attack beginning, if payment 1 bitcoin to bitcoin ADDRESS: 1BMfGb5r7jJCq685ijN5GKyXWByRKn8wHh
7 - If you do not pay before the attack 1 bitcoin, the price will increase to 20 bitcoins
8 - You have time to decide! Transfer 1 bitcoin to ADDRESS: 1BMfGb5r7jJCq685ijN5GKyXWByRKn8wHh
Bitcoins e-money https://en.wikipedia.org/wiki/Bitcoin
Bitcoins are very easy to use. Instruction:
1. You have to make personal bitcoin wallet. It is very easy. You can download and install bitcoin wallet to your PC. There are lots of reliable wallets, such as: https://multibit.org/ https://xapo.com/ But there are much easier options as well. You can make bitcoin wallet online, for example blockchain.info or coinbase.com and many others. You may also transfer money directly from exchanger or bitcoin ATM to the decryption address provided to you.
2. You can top up the credit on your bitcoin wallet in most convenient way:
- To buy bitcoins in the nearest bitcoin ATM; refer to the address on a website: coinatmradar.com/countries/
- by means of credit card or different payment systems such as PayPal, Skrill, Neteller and others or by cash, for example: https://localbitcoins.com/buy_bitcoins https://exchange.monetago.com https://hitbtc.com/exchange
How to make bitcoin wallet with Google for the additional information
--------------------

Akamai Security Operations Center is open 24/7, and our vast cloud-based mitigation platform is ready to respond. However, there are some proactive steps you can take:
• Review your playbook with IT and security staff to ensure you are prepared and know what to do in the event of an attack.
• Stay in close contact with the Akamai SOC / Account Managers
• Check the Akamai Community Security page / Luna Portal alerts for updates: https://community.akamai.com/community/security-research-and-intelligence
The importance of INTELLIGENCE
A customer reported an unknown attack and asked Akamai to investigate:
    GET /wp-content/wordtube-button.php?wpPATH=http://www.google.com/humans.txt? HTTP/1.1
    Host: www.vulnerable.site
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4)
Analysis: remote file inclusion (RFI) attack against a WordPress application. 2122 different RFI exploit attempts; 24,301 attacks in total.
Looking at Big Data: the same attacker launched attacks against 34 different sites. The attacker was part of a 272-strong botnet that targeted 1696 different applications with 1,358,980 attacks.
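The two steps of the case study above, recognising the request as an RFI attempt and then pivoting on the source to see which other sites it probed, can both be done from ordinary access logs. The script below is an added example, not Akamai's detection logic: it flags query parameters whose value is an absolute URL pointing at a host other than the site itself (the shape of an include() being fed remote code), then groups the hits by source IP. The log format (source IP, Host header, request line) is an assumption, and every log line except the request quoted on the slide is constructed, as are all source addresses.

```python
"""Detect remote file inclusion (RFI) probes in request logs and correlate
the sources across sites.

Added example, not Akamai's detection logic. The log format and all lines
other than the first request (quoted on the slide) are constructed.
"""
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# URL schemes that a PHP-style include() with allow_url_include would fetch remotely.
REMOTE_SCHEMES = {"http", "https", "ftp"}

# Constructed log: "<src_ip> <Host> <method> <target> <version>" per line.
CONSTRUCTED_LOG = """\
192.0.2.10 www.vulnerable.site GET /wp-content/wordtube-button.php?wpPATH=http://www.google.com/humans.txt? HTTP/1.1
192.0.2.10 shop.example.net GET /index.php?page=http://www.google.com/humans.txt? HTTP/1.1
192.0.2.10 blog.example.org GET /view.php?file=ftp://203.0.113.5/x.txt HTTP/1.1
198.51.100.4 www.vulnerable.site GET /wp-login.php HTTP/1.1
198.51.100.5 shop.example.net GET /?s=wordtube HTTP/1.1
198.51.100.6 www.vulnerable.site GET /redirect.php?url=https://www.vulnerable.site/home HTTP/1.1
"""


def parse_line(line):
    """Split one log line into (src_ip, host, method, target)."""
    src_ip, host, method, target, _version = line.split(" ", 4)
    return src_ip, host, method, target


def rfi_parameters(target, own_host):
    """Return [(name, value)] for query parameters whose value is an absolute
    URL to a host other than the site itself."""
    hits = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        parts = urlsplit(value.strip())
        if (parts.scheme.lower() in REMOTE_SCHEMES and parts.netloc
                and parts.netloc.lower() != own_host.lower()):
            hits.append((name, value))
    return hits


def analyze(log_text):
    """Return (RFI events, {src_ip: sorted list of distinct sites it probed})."""
    events = []
    sites_by_source = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        src_ip, host, _method, target = parse_line(line)
        for name, value in rfi_parameters(target, host):
            events.append({"src_ip": src_ip, "host": host, "param": name, "url": value})
            sites_by_source[src_ip].add(host)
    return events, {ip: sorted(sites) for ip, sites in sites_by_source.items()}


if __name__ == "__main__":
    events, attackers = analyze(CONSTRUCTED_LOG)
    for e in events:
        print(f"RFI attempt from {e['src_ip']} on {e['host']}: {e['param']}={e['url']}")
    for ip, sites in attackers.items():
        print(f"{ip} probed {len(sites)} distinct site(s): {', '.join(sites)}")
```

The same-host exclusion keeps ordinary redirect parameters out of the results, while the remote-host rule catches the probe regardless of parameter name (`wpPATH`, `page`, `file`). The cross-site grouping is what turns one customer's alert into the botnet-level view the slide describes: it only works when logs from many sites are searchable together, which is the point the slide is making about intelligence.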
personalized web experiences and manage complexity from peak demand, mobile devices and data collection.
Akamai Intelligent Platform: Cloud Security Intelligence
Visibility │ 15-30% of global web traffic │ every Akamai customer
Data │ 80 million WAF triggers per hour │ 600,000 log lines a second │ 20 TB new attack data daily
Analysis │ dedicated threat research team │ 8,000 queries a day
Akamai Intelligent Platform: 24x7 global security operations center
People │ 150+ SOC engineers │ 200+ technical certifications
Experience │ 12+ years experience │ 40 to 50 attacks per week │ time-to-mitigate SLAs
Locations │ Ft. Lauderdale │ Cambridge (US) │ Krakow │ Bangalore │ Tokyo
Akamai Intelligent Platform: Security services and support
People │ 200+ security-focused professional services staff
Management │ security reviews │ ongoing configuration tuning │ tabletop attack drills
Relationship │ customer success manager │ regular cadence meetings │ special events
Commitment to SECURITY EXPERTISE (time-to-mitigate table)
UDP / ICMP floods │ 1 minute or less │ 5 minutes (SLA)
SYN floods │ 1 minute or less │ 5 minutes (SLA)
TCP flag abuses │ 1 minute or less │ 5 minutes (SLA)
HTTP GET / POST floods │ 10 minutes or less │ 20 minutes (SLA)
DNS reflection │ 5 minutes or less │ 10 minutes (SLA)
DNS attack │ 5 minutes or less │ 10 minutes (SLA)