DDoS attacks double in Q2 as hackers switch tactics
A new report from Akamai has pointed out the growing dangers and increasing numbers of DDoS (distributed denial of service) attacks.
According to Akamai, very few organisations have the capacity to withstand such attacks on their own. Additionally, the security firm recorded one of its highest packet rate attacks in the latest quarter, which peaked at 214 million packets per second. “Attack campaigns [of 50 megapackets per second or more] can exhaust ternary content addressable memory (TCAM) resources in border edge routers, such as those used by Internet service providers…”
During the second quarter of 2015, the number of DDoS attacks increased by 7 percent compared to the previous three months and by 132 percent compared to the same period last year, the company’s data revealed.
SYN and SSDP were the most popular forms of DDoS in Q2, each accounting for 16% of attack traffic.
SSDP is part of the Universal Plug and Play (UPnP) set of networking protocols that allows devices to discover each other and establish functional services without manual configuration. Akamai also warned that many DDoS perpetrators were using DDoS attacks as a means of extortion, as particularly seen in Q2 in the activities of Bitcoin-demanding group DD4BC. “SYN floods have continued to be one of the most common vectors in all volumetric attacks, dating back to the first edition of the security reports in Q3 2011”.
Online gaming networks have become the most frequent target for DDoS attacks and have been the number one target for over a year, added the report.
This surge in bandwidth-based DDoS attacks – as opposed to Web application attacks, where Australia still doesn’t place – was, Akamai said, due to “increased adoption of high-speed internet through NBN and connectivity of IoT devices in the region”. Of all the attacks, 1 percent were targeted at India, the report said.
Akamai also tracks application-layer attacks: SQL injections, cross-site scripting, local file inclusion, and remote file inclusion. “This represents a greater than 75 percent increase in SQLi alerts in the second quarter alone”. While it was the top web application attack vector in Q1 2015, LFI only accounted for 18 percent of alerts in Q2 2015. There, Akamai singled out minimally vetted third-party plug-ins as the culprit; while WordPress plug-ins are vetted on initial submission, they aren’t vetted as stringently later on. In some cases, the plugin or theme had multiple vulnerabilities – totalling 49 potential exploits. While Tor has many legitimate uses, its anonymity makes it an attractive option for malicious actors.
Finally, the report also assessed the threat of Tor.
The analysis showed that 99 percent of the attacks were sourced from non-Tor IPs. In contrast, only 1 out of 11,500 requests from non-Tor IPs was malicious.
Although this suggests Tor is more likely to be used for illegitimate reasons than the normal web, Akamai is firmly on the fence about blocking Tor traffic, noting this could have a “negative business effect”.