Retail, gaming industries hardest hit with web application and DDoS attacks

Akamai published the Q1 2016 State of the Internet – Security Report, which provides a detailed view of the global cloud security threat landscape and in-depth analysis and insight into malicious activity.

Multi-vector attacks accounted for 59% of DDoS activity in Q1 2016, reflecting a slight increase compared with last quarter (56%)

During Q1, Akamai mitigated more than 4,500 DDoS attacks, a 125 percent increase compared with Q1 2015. As in recent quarters, the vast majority of these attacks were based on reflection attacks using stresser/booter-based tools. These tools bounce traffic off servers running vulnerable services such as DNS, CHARGEN, and NTP. In fact, 70 percent of the DDoS attacks in Q1 used the reflection-based DNS, CHARGEN, NTP, or UDP fragment vectors.

“We have continued to witness significant growth in the number and frequency of DDoS and web application attacks launched against online assets, and Q1 2016 was no exception,” said Stuart Scholly, senior vice president and general manager, Security Business Unit, Akamai. “Interestingly, nearly 60 percent of the DDoS attacks we mitigated used at least two attack vectors at once, making defense more difficult. Perhaps more concerning, this multi-vector attacks functionality was not only used by the most clever of attackers, it has become a standard capability in the DDoS-for-hire marketplace and accessible to even the least skilled actors.”

More than half of the attacks (55 percent) targeted gaming companies, with another 25 percent targeting the software and technology industry.

Q1 2016 also set a record for the number of DDoS attacks exceeding 100 Gigabits per second (Gbps): 19. The largest of these mega attacks mitigated by Akamai peaked at 289 Gbps. Fourteen attacks relied on DNS reflection methods. Last quarter, there were only five mega attacks; the previous record was 17, set in Q3 2014.

During Q4 2015, repeat DDoS attacks became the norm, with an average of 24 attacks per targeted customer in Q4. The trend continued this quarter; targeted customers were attacked an average of 39 times each. One customer was targeted 283 times – an average of three attacks per day.

DDoS metrics

Compared with Q1 2015:

• 125.36 percent increase in total DDoS attacks
• 142.14 percent increase in infrastructure layer (layers 3 & 4) attacks
• 34.98 percent decrease in the average attack duration: 16.14 vs. 24.82 hours
• 137.5 percent increase in attacks > 100 Gbps: 19 vs. eight.

Compared with Q4 2015:

• 22.47 percent increase in total DDoS attacks
• 23.17 percent increase in infrastructure layer (layers 3 & 4) attacks
• 7.96 percent increase in the average attack duration: 16.14 vs. 14.95 hours
• 280 percent increase in attacks > 100 Gbps: 19 vs. five.

In Q1 2016 there were an average of 29 DDoS attacks per target, up from 24 last quarter

Web application attack activity

Web application attacks increased nearly 26 percent compared with Q4 2015. As in past quarters, the retail sector remained the most popular attack target, targeted in 43 percent of the attacks. But in a shift from last quarter, we saw a two percent decrease in web application attacks over HTTP and a 236 percent increase in web application attacks over HTTPS. There was also an 87 percent increase in SQLi attacks compared with the previous quarter.

As in recent quarters, the US was both the most frequent source of web application attack traffic (43 percent) and the most frequent target (60 percent).

Web application attack metrics

Compared with Q4 2015:

• 25.52 percent increase in total web application attacks
• 1.77 percent decrease in web application attacks over HTTP
• 235.99 percent increase in web application attacks over HTTPS
• 87.32 percent increase in SQLi attacks.

Bot activity snapshot

Looking at bot activity over 24 hours, the researchers tracked and analyzed more than two trillion bot requests. While identified and known, so-called good bots represented 40 percent of the bot traffic, 50 percent of the bots were determined to be malicious and were engaged in scraping campaigns and related activity.

Growth in DDoS reflectors

Using firewall data from the perimeter of the Akamai Intelligent Platform, analysis showed a 77 percent growth in active Quote of the Day (QOTD) reflectors, a 72 percent increase in NTP reflectors and a 67 percent increase in CHARGEN reflectors compared to Q4 2015. Active SSDP reflectors declined by 46 percent.