What is the state of Internet security?
Akamai Technologies recently published the "State of the Internet Security Report" for the first quarter of 2017. The report provides an analysis of the current cloud security and threat situation and offers insights into current trends.
"If we can conclude anything from the analysis of the first quarter of 2017, it's that cyber risks and affected industries remain high and the threat landscape is constantly evolving," said Martin McKeay, Senior Security Advocate and Senior Editor of the State of the Internet Security Report. "The use cases of botnet attacks, such as Mirai, have been continuously refined and changed. Attackers are increasingly exploiting vulnerabilities in the Internet of Things to carry out their attacks with DDoS botnets and malware. However, it would be naive to think Mirai is the only threat. With the release of the source code, any components of Mirai can be integrated into other botnets. Mirai aside, there is also evidence that botnets such as BillGates, elknot, and XOR have adapted to the changing environment to exploit it for themselves."
Highlights from the current report
DDoS attacks:
- "Mirai Water Torture" DNS attacks, that is, DNS query floods integrated with Mirai malware, have targeted Akamai customers in the financial services sector. The majority of affected DNS servers received queries at a steady rate during the attacks. One exception was an attack on January 15, 2017, when one of three DNS servers saw attack traffic of 14 Mpps. These attacks overload the resources of the target domain by querying large numbers of randomly generated domain names, which ultimately leads to denial-of-service outages.
- Reflection attacks continue to be the most commonly used DDoS attack vectors. In the first quarter of 2017 alone, 57 percent of all attacks defended against were reflection attacks. Simple Service Discovery Protocol (SSDP) reflectors were the most commonly used attack vector.
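The random-name query flood described in the "Mirai Water Torture" item above leaves a recognizable trace in DNS query logs: one zone receives many one-off, high-entropy subdomain lookups that almost all end in NXDOMAIN. The following detection sketch is an added example, not taken from the Akamai report; the function names, thresholds, log shape (qname, rcode) and sample data are assumptions.

```python
import hashlib
import math
from collections import Counter, defaultdict

def zone_of(qname):
    # Assumption: the zone is the last two labels; production code
    # should consult the Public Suffix List instead.
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])

def entropy(s):
    # Shannon entropy (bits per character) of a subdomain string.
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values()) if s else 0.0

def find_random_subdomain_floods(queries, min_queries=50, min_unique=0.9,
                                 min_nx=0.9, min_entropy=2.5):
    """queries: iterable of (qname, rcode). Returns {zone: stats} for zones
    whose traffic looks like a random-subdomain flood. Thresholds are
    illustrative assumptions and need tuning against real traffic."""
    per_zone = defaultdict(lambda: {"subs": [], "nx": 0})
    for qname, rcode in queries:
        zone, sub = zone_of(qname)
        per_zone[zone]["subs"].append(sub)
        per_zone[zone]["nx"] += rcode == "NXDOMAIN"
    flagged = {}
    for zone, d in per_zone.items():
        total = len(d["subs"])
        if total < min_queries:
            continue  # too little traffic to judge
        unique_ratio = len(set(d["subs"])) / total   # one-off names
        nx_ratio = d["nx"] / total                   # names that do not exist
        mean_entropy = sum(entropy(s) for s in d["subs"]) / total
        if unique_ratio >= min_unique and nx_ratio >= min_nx and mean_entropy >= min_entropy:
            flagged[zone] = {"queries": total,
                             "unique_ratio": round(unique_ratio, 2),
                             "nx_ratio": round(nx_ratio, 2)}
    return flagged

def constructed_sample():
    # Constructed data: 200 one-off pseudo-random labels under victim.example,
    # plus ordinary repeated lookups under shop.example.
    flood = [(hashlib.sha256(str(i).encode()).hexdigest()[:12] + ".victim.example",
              "NXDOMAIN") for i in range(200)]
    normal = [(h + ".shop.example", "NOERROR") for h in ("www", "api", "mail", "cdn")] * 50
    return flood + normal

if __name__ == "__main__":
    print(find_random_subdomain_floods(constructed_sample()))
```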
Attacks on web applications:
- With another significant increase of 57 percent compared to the first quarter of 2016, the U.S. remains the country where the most web application attacks were recorded.
- The three most commonly used attack vectors in the first quarter of 2017 were SQLi, LFI, and XSS.
- The Netherlands ranked second in the first quarter of 2017. Its share fell slightly from the fourth quarter of 2016, to 13 percent from 17 percent, but it remains a consistently popular source of attack traffic and has a disproportionately high share of attacks for a country with a population of just 17 million.
Key attack vectors:
- UDP fragments, DNS, and NTP remain the top three DDoS attack vectors; Protocol and Connection Floods also appear on the list for the first quarter of 2017.
- ACK, CHARGEN, and DNS occupy the top three places among the most frequently used attack vectors per week.
- The new Connectionless Lightweight Directory Access Protocol (CLDAP) reflection attack vector has been discovered and continues to be monitored. It generates DDoS attacks comparable to DNS reflection, with traffic exceeding 1 Gbps.