Akamai Q1 2017 State of the Internet Security Report, English Edition, 26 Pages

Updated: 2018/7/7 (posted from Henan)

Akamai’s [state of the internet] / security
Q1 2017 report
[Volume / Number 1]
AT A GLANCE

Web application attacks, Q1 2017 vs. Q1 2016
35% increase in total web application attacks
57% increase in attacks sourcing from the U.S. (current top source country)
28% increase in SQLi attacks

Web application attacks, Q1 2017 vs. Q4 2016
2% decrease in total web application attacks
20% increase in attacks sourcing from the U.S. (still top source country)
15% decrease in SQLi attacks

DDoS attacks, Q1 2017 vs. Q1 2016
30% decrease in total DDoS attacks
28% decrease in infrastructure layer (layers 3 & 4) attacks
19% decrease in reflection-based attacks
89% decrease in attacks greater than 100 Gbps: 2 vs. 19

DDoS attacks, Q1 2017 vs. Q4 2016
17% decrease in total DDoS attacks
17% decrease in infrastructure layer (layers 3 & 4) attacks
14% decrease in reflection-based attacks
83% decrease in attacks greater than 100 Gbps: 2 vs. 12

*Note: percentages are rounded to the nearest whole number.
What you need to know
and accounted for 57% of all mitigated attacks.
malware, targeted Akamai customers in the financial services industry.
Details are provided in this quarter’s Attack Spotlight.
Duo Security, as the first Guest Author.
LETTER FROM THE EDITOR
The Q1 2017 State of the Internet / Security Report represents analysis
and research based on data from Akamai’s global infrastructure and routed Distributed Denial of
Service (DDoS) solution.
Technology milestones are often marked by a significant event, followed by a long adoption phase.
When referring to consumer adoption of technology, this is called the “hype cycle,” a term created
by the consulting firm Gartner. The initial hype surrounding a product far exceeds its capabilities
in the real world, followed by a period of disillusionment and a slow integration into the fabric of
our lives. The world of DDoS attack tools differs little from other technologies; new tools used by
attackers follow a similar cycle of hype and integration. However, DDoS technology acceptance
often proceeds at a much faster pace than consumer technologies, as there is much less resistance
to change within the relatively small community of malicious actors.
As shown over the last half year, the Mirai botnet is an example of a disruptive technology working
its way through the cycle. The development of Mirai happened quietly behind the scenes, while
the first round of DDoS attacks were startling in their size and capability. The botnets’ capabilities
quickly moved into a stage where contention for Internet of Things (IoT) devices reduced the size
of attacks considerably. While many of the largest DDoS attacks observed this quarter were still
based on Mirai-derived botnets, they were not as large as the initial attacks. What follows is the
integration of the use of IoT as another part of the fabric of DDoS botnets and malware.
As we discussed in last quarter’s report, there were long-term consequences to the release of Mirai.
First, competitive forces drove botnet herders to keep up with Mirai’s technology or risk losing
market share. The creators of other botnets are working to generate comparably-sized attacks.
Secondly, other botnet families, such as BillGates, started adding new features, some taken
directly from leaked Mirai source code. Meanwhile, Mirai has continued to splinter and evolve.
There is now a variant which infects Windows systems, not to recruit them as attack nodes for the
botnet, but to further expand the botnet by scanning and infecting Linux devices.
This quarter’s Attack Spotlight includes our research into one of the Mirai DDoS tools used
against financial services organizations. Called “DNS Water Torture” in Mirai’s code, this DNS
query flood generates relatively limited volumes of traffic, but can create denial of service outages
by consuming the target domain’s resources in looking up randomly generated domain names
in great numbers. Each query ties up memory and processor cycles, preventing the target from
processing legitimate traffic.
We also observed a new reflection attack vector, Connectionless Lightweight Directory Access
Protocol (CLDAP). At this point, the protocol has not been a significant source of attack traffic, but
the lack of contention for the resource could change its popularity. A link to the threat advisory is
provided in Cloud Security Resources.
We are pleased to host a guest author this quarter: Wendy Nather, Principal Security Strategist at
Duo Security. See what she has to say about the challenges of managing corporate security, given
the current state of the Internet.
The contributors to the State of the Internet / Security Report include security professionals from
across Akamai, including the Security Intelligence Response Team (SIRT), the Threat Research
Unit, Information Security, and the Custom Analytics group.
— Martin McKeay, Senior Editor and Akamai Sr. Security Advocate
If you have comments, questions, or suggestions regarding the State of the Internet / Security Report,
connect with us via email at SOTISecurity@akamai. You can also interact with us in the
State of the Internet / Security subspace on the Akamai Community at https://community.akamai.
For additional security research publications, please visit us at www.akamai/cloud-security.
The views of Ms. Nather are her own and do not necessarily reflect the opinions or
perspectives of Akamai.
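The random-subdomain query flood described in the editor's letter can be spotted in DNS query logs by bucketing queries per zone and time window and checking how many names are unique and non-existent. The following is an added example, not code from Akamai or the report; the record tuple format, the thresholds, the naive zone extraction and the `.example` names are assumptions, and the sample records are constructed.

```python
# Added example: flag zones receiving a random-subdomain ("water torture") flood.
from collections import defaultdict
import hashlib

def zone_of(qname, depth=2):
    """Naive zone = last `depth` labels (assumption; real deployments
    should derive the zone from the Public Suffix List)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-depth:])

def detect_water_torture(records, window=60, min_queries=100,
                         min_unique_ratio=0.9, min_nx_ratio=0.9):
    """records: iterable of (epoch_seconds, qname, rcode).
    Returns sorted (window_start, zone, queries, unique_ratio, nx_ratio)."""
    buckets = defaultdict(lambda: {"n": 0, "names": set(), "nx": 0})
    for ts, qname, rcode in records:
        b = buckets[(int(ts) // window * window, zone_of(qname))]
        b["n"] += 1
        b["names"].add(qname.lower().rstrip("."))
        b["nx"] += rcode == "NXDOMAIN"
    alerts = []
    for (start, zone), b in buckets.items():
        uniq = len(b["names"]) / b["n"]   # near 1.0: almost every query is a new name
        nx = b["nx"] / b["n"]             # near 1.0: almost none of the names exist
        if (b["n"] >= min_queries and uniq >= min_unique_ratio
                and nx >= min_nx_ratio):
            alerts.append((start, zone, b["n"], round(uniq, 2), round(nx, 2)))
    return sorted(alerts)

def sample_records():
    """Constructed sample data, not real traffic."""
    recs = []
    # Ordinary traffic: three well-known names queried repeatedly.
    for i in range(300):
        name = ("www", "mail", "api")[i % 3] + ".shop.example"
        recs.append((1200 + i % 60, name, "NOERROR"))
    # Flood pattern: every query carries a fresh pseudo-random label.
    for i in range(200):
        label = hashlib.sha256(str(i).encode()).hexdigest()[:12]
        recs.append((1200 + i % 60, f"{label}.bank.example", "NXDOMAIN"))
    return recs

if __name__ == "__main__":
    for alert in detect_water_torture(sample_records()):
        print(alert)
```

High query volume alone does not trigger the alert: the busy `shop.example` zone is ignored because its names repeat and resolve.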
The state of the Internet is... complicated, as always.
Consider these changes over the past decade:
Corporate and Consumer Use Are Intertwined / It used to be that you went to work in
the office, used corporate software, and then went home and used completely different software
on your home computer. Now, more often than not, you’ve got a corporate login and a personal
login with the same SaaS provider and you’re using the same apps on your phone (Gmail, Dropbox,
LastPass, etc.). Unless you’re working in a strictly segmented environment, the expectation is that
you’ll be using applications for both purposes and alternating at the drop of a hat, regardless of
which network you’re currently connecting to.
BYODon’t / Some organizations have embraced the use of personal devices, and others haven’t,
but it’s becoming harder to enforce a “no BYOD” policy when both the endpoint and the resources
they’re accessing are outside of the corporate perimeter. Unmanaged personal devices raise the
specter of risks ranging from unpatched vulnerabilities to e-discovery requirements that include
searching your employees’ phones. And that’s not even counting wearables and other Things.
Password Policies / Remember when you only had a dozen usernames and passwords?
Yeah, neither do I, and here we are. A typical online user could have literally hundreds of online
accounts, some of which predate today’s password managers. Under pressure from bulk credential
theft and compliance requirements, every system owner is being driven to require longer, more
complicated and unique passwords. But the days of password rules such as “upper and lower case,
one number, one special character, two emojis, and a squirrel noise” are going to come to an
end; users are going to push back as soon as the absurdity becomes clear. Ubiquitous, consistent,
and usable password managers are going to have to evolve into an application interface to shield
everyday people from the malignant growth of complex passwords.
To Sum Up / Our interaction with the Internet
has evolved to “anytime, anywhere, using any device and software, for any purpose.” That means
that enterprises have