There continues to be significant growth in the number and frequency of DDoS and web application attacks launched against online assets, and Q1 2016 was no exception.
According to the Q1 2016 State of the Internet – Security Report of Akamai Technologies, Inc., Akamai mitigated more than 4,500 DDoS attacks, a 125.36 percent increase compared with Q1 2015. As in recent quarters, the vast majority of these attacks were based on reflection attacks using stresser/booter-based tools. These tools bounce traffic off servers running vulnerable services such as DNS, CHARGEN, and NTP. In fact, 70 percent of the DDoS attacks in Q1 used the reflection-based DNS, CHARGEN, NTP, or UDP fragment vectors.
More than half of the attacks (55 percent) targeted gaming companies, with another 25 percent targeting the software and technology industry.
Q1 2016 also set a record for the number of DDoS attacks exceeding 100 Gigabits per second (Gbps): 19. The largest of these mega attacks mitigated by Akamai peaked at 289 Gbps. Fourteen attacks relied on DNS reflection methods. Last quarter, there were only five mega attacks; the previous record was 17, set in Q3 2014.
There has also been a 142.14 percent increase in infrastructure layer (layers 3 & 4) attacks compared with Q1 2015.
During Q4 2015, repeat DDoS attacks became the norm, with an average of 24 attacks per targeted customer in Q4. The trend continued this quarter; targeted customers were attacked an average of 39 times each. One customer was targeted 283 times – an average of three attacks per day.
“Interestingly, nearly 60 percent of the DDoS attacks we mitigated used at least two attack vectors at once, making defense more difficult,” Stuart Scholly, senior vice president and general manager, Security Business Unit. “Perhaps more concerning, this multi-vector attacks functionality was not only used by the most clever of attackers, it has become a standard capability in the DDoS-for-hire marketplace and accessible to even the least skilled actors.”
Web application attack activity
Web application attacks increased nearly 26 percent compared with Q4 2015. As in past quarters, the retail sector remained the most popular attack target, targeted in 43 percent of the attacks. But in a shift from last quarter, we saw a two percent decrease in web application attacks over HTTP and a 236 percent increase in web application attacks over HTTPS. There was also an 87 percent increase in SQLi attacks compared with the previous quarter.
As in recent quarters, the US was both the most frequent source of web application attack traffic (43 percent) and the most frequent target (60 percent).
Bot activity snapshot
For the first time, we’ve included an analysis of bot activity in the State of the Internet - Security Report. Looking at bot activity over 24 hours, we tracked and analyzed more than two trillion bot requests.
While identified and known, so-called good bots represented 40 percent of the bot traffic, 50 percent of the bots were determined to be malicious and were engaged in scraping campaigns and related activity.
Growth in DDoS reflectors
Using firewall data from the perimeter of the Akamai Intelligent Platform, our analysis showed a 77 percent growth in active Quote of the Day (QOTD) reflectors, a 72 percent increase in NTP reflectors and a 67 percent increase in CHARGEN reflectors compared to Q4 2015. Active SSDP reflectors declined by 46 percent.