
Q3 2014 State of the Internet:

Security Report
Case Study

Botnets of New Types of Devices


As system hardening tactics and protection for PCs and
servers have strengthened, attackers have shifted their
attention to a new class of devices for building DDoS botnets:

Commercial routers
Customer-premise equipment (CPEs)
Mobile handheld devices
Video conference devices
Internet of Things (IoT) devices

A DDoS botnet can leverage thousands of low-bandwidth devices for a large attack

2014 AKAMAI | FASTER FORWARD™

Unmanaged and Unmonitored Devices


Several factors make Internet-enabled embedded devices
vulnerable to abuse:

Insecure configurations
Outdated firmware
Lack of management and user interface to correct and update security issues
Lack of detection mechanisms
Unrestricted uploads

With more than 160 million wireless access points worldwide, these vulnerabilities represent a significant risk

SSDP Reflection Attacks


A recently discovered botnet development tool crafted to probe
and find devices using the Simple Service Discovery Protocol
(SSDP) reveals a powerful new attack vector:

SSDP permits networked devices to find each other and establish a network connection
Scans have discovered more than 17 million SSDP-enabled devices
Malicious actors target these devices for reflection and amplification attacks
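
As an added example (not taken from the Akamai report): reflected SSDP traffic reaches the victim as UDP packets with source port 1900 sent by many unrelated devices. The Python below flags such destinations in flow records; the record layout, the 10.0.0.0/8 internal range, the threshold, and the sample flows are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

SSDP_PORT = 1900  # UDP port used by SSDP
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # assumption: the protected network
MIN_SOURCES = 3  # assumption: demo threshold, tune against a real baseline

# Constructed flow records: (src_ip, src_port, dst_ip, dst_port, proto, bytes)
SAMPLE_FLOWS = [
    ("198.51.100.10", 1900, "10.0.0.5", 80, "udp", 3200),
    ("198.51.100.11", 1900, "10.0.0.5", 80, "udp", 2900),
    ("203.0.113.7", 1900, "10.0.0.5", 80, "udp", 3100),
    ("203.0.113.8", 1900, "10.0.0.5", 80, "udp", 3000),
    ("203.0.113.9", 53, "10.0.0.5", 40000, "udp", 120),    # DNS reply, ignored
    ("10.0.0.20", 1900, "10.0.0.9", 50000, "udp", 400),    # LAN discovery, ignored
    ("198.51.100.10", 1900, "10.0.0.6", 80, "udp", 300),   # one source, below threshold
    ("198.51.100.12", 1900, "10.0.0.5", 80, "tcp", 500),   # not UDP, ignored
]


def find_ssdp_reflection_targets(flows, min_sources=MIN_SOURCES):
    """Return {dst_ip: (distinct_external_sources, total_bytes)} for suspected targets."""
    sources = defaultdict(set)
    volume = defaultdict(int)
    for src, sport, dst, _dport, proto, nbytes in flows:
        if proto.lower() != "udp" or sport != SSDP_PORT:
            continue  # only SSDP responses are of interest
        if ipaddress.ip_address(src) in INTERNAL_NET:
            continue  # local device discovery, not inbound reflection
        if ipaddress.ip_address(dst) not in INTERNAL_NET:
            continue  # destination is not ours to protect
        sources[dst].add(src)
        volume[dst] += nbytes
    return {
        dst: (len(srcs), volume[dst])
        for dst, srcs in sources.items()
        if len(srcs) >= min_sources
    }


if __name__ == "__main__":
    for dst, (count, nbytes) in find_ssdp_reflection_targets(SAMPLE_FLOWS).items():
        print(f"{dst}: {count} external SSDP sources, {nbytes} bytes")
```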


Devices Using SSDP


SSDP is the basis of the discovery protocol of Universal Plug and Play (UPnP)
SSDP is enabled on millions of Internet-connected devices:

Routers
Network cameras
Smart TVs
Desktop computers
Laptops

Akamai research reveals that 38 percent of such devices in use may be susceptible to abuse

Highlighted Campaign
This new class of devices supports larger, more complex attacks

High bandwidth consumption: 215 Gbps
Processing power consumption: 150 Mpps
Geographical distribution: U.S., Europe, and Asia

Almost 10 percent of IP addresses involved customer premises equipment devices (CPEs) with payloads that matched the Spike DDoS Toolkit

Geographical Dispersion of Source IPs

This figure shows the distribution of source IPs from a Q3 2014 attack. The new
class of devices allows wider geographic distribution of attack sources, which
creates greater complexity when mitigating DDoS campaigns.

DDoS Mitigation and Community Action


Mitigation is needed at both the device level and the administrator level
Security must be a fundamental part of the development of device firmware and applications
Mechanisms must be available to update and patch systems that will eventually fall vulnerable over their lifecycle
Industrywide collaboration is necessary to address this growing threat
Hardware vendors and software developers are needed to address the cleanup, mitigation and management of current and potential vulnerabilities during the lifecycle of these devices

Q3 2014 State of the Internet Security Report


Download the Q3 2014 State of the Internet Security Report, which includes:

Analysis of DDoS attack trends
Bandwidth (Gbps) and volume (Mpps) statistics
Year-over-year and quarter-by-quarter analysis
Application layer attacks and infrastructure attacks
Attack frequency, size and sources
Where and when DDoSers strike
How and why attackers are building DDoS botnets from devices other than PCs and servers
Details of a record-breaking 321 Gbps DDoS attack
Syrian Electronic Army (SEA) phishing attacks
More at www.stateoftheinternet.com/security-reports


About stateoftheinternet.com
StateoftheInternet.com, brought to you by Akamai, serves
as the home for content and information intended to
provide an informed view into online connectivity and
cybersecurity trends as well as related metrics, including
Internet connection speeds, broadband adoption, mobile
usage, outages, and cyber-attacks and threats.
Visitors to www.stateoftheinternet.com can find current
and archived versions of Akamai's State of the Internet
(Connectivity and Security) reports, the company's data
visualizations, and other resources designed to put
context around the ever-changing Internet landscape.
