You are on page 1of 10

[Q3 2014]

Spotlight on a 321 Gbps Attack

= high-bandwidth attack on entertainment firm

10 distinct attacks over a one-week period
8 of 10 attack campaigns were high-bandwidth (100+
Peak bandwidth of the largest attack: 321 Gbps (a record)

This multi-vector attack hit:

Layer 7 (application layer)

Layer 3 (infrastructure layer)

All attacks were successfully mitigated by Akamai

Source IP addresses remain under watch

2 / [state of the internet] / security (Q3 2014)

= timeline of attacks
Attackers targeted an Akamai customer and Akamais DDoS
mitigation infrastructure
First attacks hit a customers web server

First and third attacks exceeded 100 Gbps

Next attack targeted an Akamai-owned network block protecting

the target

Peak 321-Gbps attack aimed at bypassing DDoS mitigation technology or

causing it to fail

After failing to bypass DDoS protections, attacks resumed on

the customers website

Attacks persisted from July 12 to July 20, averaging 90 hours

3 / [state of the internet] / security (Q3 2014)

= botnet topology
The attacks were launched by a collection of bots
reporting to a command-and-control (C2) host
The source IP sending commands was located in Asia
Bots were worldwide

Most traffic originated in U.S., Germany and China

Another botnet sending attack payloads was located in Korea

Botnets were built by targeting:

Linux-based servers
Customer-premises equipment

4 / [state of the internet] / security (Q3 2014)

= attack vectors
Multi-vector attacks used multiple types of flood:
SYN flood
UDP flood
ICMP flood

RESET flood
GET flood

Note: GET flood attacks usually reveal the actual source IP addresses

Attackers used mostly SYN flood and UDP flood traffic,

often together

5 / [state of the internet] / security (Q3 2014)

= about SYN floods

Subvert the normal Transmission Control Protocol (TCP)
used to establish a valid connection
Send multiple requests at a rapid rate or send extra large
Can render an unprotected server unable to respond to
legitimate requests

6 / [state of the internet] / security (Q3 2014)

= about UDP floods

Exploit the User Datagram Protocol (UDP)
Are a common protocol in voice-over-IP (VoIP) and online
Do not require establishing a verified connection to initiate

Make spoofing a source IP easy
Subvert mitigation efforts with spoofed addresses

7 / [state of the internet] / security (Q3 2014)

= attack statistics
Attack averages

154 Gbps
54 Mpps
90 hours

Peak attack stats:

321 Gbps
169 Mpps

Top three non-spoofed source IP origins

U.S.: 49%
Germany: 21%
China: 19%

8 / [state of the internet] / security (Q3 2014)

= Q3 2014 state of the internet security report

Download the Q3 2014 State of the Internet Security Report,
which includes:

Analysis of DDoS attack trends

Bandwidth (Gbps) and volume (Mpps) statistics

Year-over-year and quarter-by-quarter analysis

Application layer attacks and infrastructure attacks

Attack frequency, size and sources

Where and when DDoSers strike

How and why attackers are building DDoS botnets from devices other than PCs
and servers

Details of a record-breaking 321 Gbps DDoS attack

Syrian Electronic Army (SEA) phishing attacks

More at

9 / [state of the internet] / security (Q3 2014)

= about, brought to you by Akamai, serves as the home

for content and information intended to provide an informed view into
online connectivity and cybersecurity trends as well as related metrics,
including Internet connection speeds, broadband adoption, mobile
usage, outages, and cyber-attacks and threats.

Visitors to can find current and archived

versions of Akamais State of the Internet (Connectivity and Security)
reports, the companys data visualizations, and other resources
designed to put context around the ever-changing Internet landscape.

10 / [state of the internet] / security (Q3 2014)