[Volume / Number 2]
[state of the internet] / security
Q2 2017 Report
AT A GLANCE
Web application attacks, Q2 2017 vs. Q2 2016
25% increase in total web application attacks
86% increase in attacks sourcing from the U.S. (current top source country)
60% decrease in attacks sourcing from Brazil (Q2 2016 top source country)
44% increase in SQLi attacks
Web application attacks, Q2 2017 vs. Q1 2017
5% increase in total web application attacks
4% increase in attacks sourcing from the U.S.
21% increase in SQLi attacks
DDoS attacks, Q2 2017 vs. Q2 2016
18% decrease in total DDoS attacks
17% decrease in infrastructure layer (layers 3 & 4) attacks
13% decrease in reflection-based attacks
19% increase in average number of attacks per target
DDoS attacks, Q2 2017 vs. Q1 2017
28% increase in total DDoS attacks
27% increase in infrastructure layer (layers 3 & 4) attacks
21% increase in reflection-based attacks
28% increase in average number of attacks per target
*Note: percentages are rounded to the nearest whole number
What you need to know
a 28% increase over the previous quarter. These attacks were overwhelmingly volumetric attacks (99%).
(44,198) – 32% of the global total.
to 11,000 from 595,000 in the previous quarter.
web application attacks.
technique, have unique behavioral characteristics that can be used to identify them.
LETTER FROM THE EDITOR
The Q2 2017 State of the Internet / Security Report represents analysis and research based on data from Akamai’s global infrastructure and routed DDoS solution.
The number of organizations infected and harmed by WannaCry and Petya malware gives the security community a lot to think about. We know that patching software can largely prevent damage from malware infection. And yet months after a patch became available, even after global news of WannaCry signaled a clarion call to patch, many companies still fell victim to Petya.
Patching is not a simple issue. Organizations make patching decisions based on risk and business priorities. Patching has direct costs, such as staff and testing, and indirect costs, such as downtime. Due to costs, patching is often de-prioritized as a business function. This is a legitimate decision, if it’s made from a rational, risk-driven viewpoint. All too often though, it’s not: the conversation hasn’t happened and no careful evaluation of the risks involved has been presented to business leaders.
But the risk equation is always changing. It’s estimated the WannaCry malware could cost businesses $4 billion worldwide by itself. Even the best, most rational, risk-driven decision made six months ago may no longer be appropriate today. Have any of the recent events changed the way your organization evaluates security?
This quarter’s report examines trends in DDoS and web application attack traffic, along with additional research.
First, we have the DDoS Attack Spotlight, which looks at the re-emergence of PBot, decades-old PHP code that generated the largest DDoS attack of the quarter. Attackers used PBot to create a mini-DDoS botnet that launched a 75 gigabits per second (Gbps) DDoS attack.
Second, we have research showing how Akamai mined DNS-related traffic to discover anomalous behavior on networks with malware infections that use domain generation algorithms (DGAs).
Third, we have a statistical analysis of the relationship between Mirai command and control (C&C) IP addresses and their attack targets. The behavior of Mirai command and control clusters reveals that many of the individual botnets were used to attack only a few targets.
The contributors to the State of the Internet / Security Report include security professionals from across Akamai, including the Security Intelligence Response Team (SIRT), the Threat Research Unit, Information Security, and the Custom Analytics group.
— Martin McKeay, Senior Editor and Akamai Sr. Security Advocate
If you have comments, questions, or suggestions regarding the State of the Internet / Security Report, connect with us via email at SOTISecurity@akamai. You can also interact with us in the State of the Internet / Security subspace on the Akamai Community at https://community.akamai. For additional security research publications, please visit us at akamai/cloud-security.
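As an added illustration of the kind of DNS-traffic mining the editor’s letter summarizes (this is example code written for this page, not Akamai’s research code or method), the script below flags clients whose NXDOMAIN answers cluster on long, vowel-poor, high-entropy domain labels. That pattern is the behavioural trace a DGA-based implant leaves on a resolver while it cycles through candidate names looking for the one its operator registered. The log line format, the sample lines, the three thresholds and the naive "label before the last dot" extraction are all assumptions made for the example.

```python
import math
import re
from collections import defaultdict

# Constructed resolver log excerpt (invented for this example, not Akamai data).
# One query per line: "<epoch> <client_ip> <qname> <rcode>"
SAMPLE_LOG = """\
1498900001 10.0.0.5 www.example.com NOERROR
1498900002 10.0.0.5 mail.example.com NOERROR
1498900003 10.0.0.9 xkq3mzv7ptwb.info NXDOMAIN
1498900004 10.0.0.9 qzp8rtnvlm4c.org NXDOMAIN
1498900005 10.0.0.9 bvw2kxjzpqty.net NXDOMAIN
1498900006 10.0.0.9 hsl9mqzxtkwn.com NXDOMAIN
1498900007 10.0.0.9 jtnk5wqzxvpb.biz NXDOMAIN
1498900008 10.0.0.9 update.example.com NOERROR
1498900009 10.0.0.7 typo-exmaple.com NXDOMAIN
1498900010 10.0.0.7 news.example.org NOERROR
"""

VOWELS = set("aeiou")
MIN_LABEL_LEN = 10       # assumed threshold: generated labels tend to be long
MAX_VOWEL_RATIO = 0.25   # assumed threshold: pronounceable names carry more vowels
MIN_ENTROPY = 3.0        # assumed threshold, in bits per character

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(NOERROR|NXDOMAIN|SERVFAIL|REFUSED)$")


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character of `text` (0.0 for an empty string)."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_label(qname: str) -> str:
    """Label left of the public suffix, naively taken as the last label.
    Assumption: no public-suffix list, so 'foo.co.uk' yields 'co'; production
    code should consult a suffix list instead."""
    labels = qname.rstrip(".").lower().split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def looks_generated(label: str) -> bool:
    """Lexical heuristic: long, vowel-poor, high-entropy labels look machine-generated.
    Typos and brand names stay below the vowel threshold, so they are not flagged."""
    if len(label) < MIN_LABEL_LEN:
        return False
    letters = [ch for ch in label if ch.isalpha()]
    vowel_ratio = sum(ch in VOWELS for ch in letters) / max(len(letters), 1)
    return vowel_ratio <= MAX_VOWEL_RATIO and shannon_entropy(label) >= MIN_ENTROPY


def parse_log(text: str) -> list:
    """Parse log lines into dicts; malformed lines are skipped rather than aborting the run."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, client, qname, rcode = m.groups()
        records.append({"ts": int(ts), "client": client, "qname": qname, "rcode": rcode})
    return records


def find_dga_suspects(log_text: str, min_hits: int = 3) -> dict:
    """Map client IP -> count of NXDOMAIN answers for generated-looking names,
    keeping only clients at or above `min_hits`. A single odd lookup is noise;
    a burst of them from one host is the signal worth an analyst's time."""
    hits = defaultdict(int)
    for rec in parse_log(log_text):
        if rec["rcode"] == "NXDOMAIN" and looks_generated(registrable_label(rec["qname"])):
            hits[rec["client"]] += 1
    return {client: n for client, n in hits.items() if n >= min_hits}


if __name__ == "__main__":
    for client, n in find_dga_suspects(SAMPLE_LOG).items():
        print(f"{client}: {n} NXDOMAIN answers for generated-looking domains")
```

Run against the constructed sample, only 10.0.0.9 is reported (five NXDOMAIN answers for generated-looking names); the mistyped `typo-exmaple.com` from 10.0.0.7 is not flagged because its vowel ratio is too high. The per-client NXDOMAIN count matters more than any one lexical score: legitimate hosts also hit NXDOMAIN occasionally, so the host-level burst is what separates an infected machine from background noise.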
TABLE OF CONTENTS
5 [SECTION]1 = EMERGING TRENDS
7 [SECTION]2 = DDoS ACTIVITY
7 2.1 / DDoS Attack Vectors
9 2.2 / DDoS Sources
9 2.3 / Industry Targets
10 2.4 / Attacks Per Target
10 2.5 / Attack Spotlight: PBOT Mini-DDoS Botnets
12 2.6 / Reflection Attacks
14 [SECTION]3 = WEB APPLICATION ATTACK ACTIVITY
14 3.1 / Web Application Attack Vectors
15 3.2 / Top 10 Source Countries
17 3.3 / Top 10 Target Countries
18 [SECTION]4 = CLOUD SECURITY RESOURCES
18 4.1 / Domain Generation Algorithm
20 4.2 / Mirai Command and Control Clusters
24 4.3 / Additional Akamai Research
25 [SECTION]5 = LOOKING FORWARD
[SECTION]1 = EMERGING TRENDS
The number of IP addresses producing DDoS traffic plummeted in Q2. Of the countries that were the final hop before our network in Q1 — U.S., U.K., Germany, Canada, and Brazil — only one remained on the top five list in Q2: the U.S., where the number of IP addresses involved in volumetric DDoS attacks dropped 98% from 595,000 to 11,000. As a result, for the first time ever, Egypt topped the list of countries with the most IP addresses sourcing volumetric DDoS attacks with 44,000 source IP addresses.
While the number of attacks was up 28% after a sustained downward trend in recent quarters, the median size of attacks was reduced overall. This should not be surprising, given that our monitoring indicates that hundreds of thousands of DDoS sources were taken offline. Our research this quarter shows a botnet strain called PBot is being reused more frequently than we’ve seen before. This botnet has been observed with node counts in the hundreds, rather than the tens of thousands seen with Internet of Things (IoT) botnets.
6 / The State of the Internet / Security / Q2 2017
Finally, for the first time in many years, Akamai observed no entries for one of the key metrics — large attacks exceeding 100 Gbps.
This quarter’s Attack Spotlight on the PBot botnet reflects the trend of markedly fewer IP addresses being used in DDoS attacks. PBot node scans reveal the presence of Apache Tomcat along with the PHP interpreter. Apache Struts exploits have been observed in the wild issuing commands that attempt to download and then execute code. This is just one potential avenue that attackers are using for delivery of PBot malware. PBot botnets, although limited in bot count, have delivered DDoS attacks peaking at up to 75 Gbps.
While we saw a precipitous drop in the number of IPs that were used in volumetric attacks this quarter, we saw a modest increase in the web application attack counts. The U.S. had the top spot as both the source and destination of the most web application attack traffic, which is a common occurrence. In fact, attack traffic from most regions was relatively stable, with the exception of Asia, where attack traffic from Singapore fell by half, causing it to drop off the top 10 source country list for web application attacks.
The DDoS attacks on gaming companies certainly ramped up significantly, with one company targeted with 558 attacks over the quarter. While gaming has always been a large target for DDoS, the popularity of games relying on the millisecond timing of packets makes a tempting target, frustrating both the players and the gaming companies. This trend may culminate in significant attacks during the winter
h