
Q3 2014 State of the Internet Security Report Case Study

Selected excerpts
Prolexic Security Engineering and Response Team (PLXsert) recently released the Q3 2014
State of the Internet Security Report, which spotlights the use of devices other than PCs and
servers to build botnets used in distributed denial of service (DDoS) attacks. The case study
described in the report is a good example of how the addition of a new class of devices
makes attacks more complex, more powerful and more resistant to mitigation.
Malicious actors continually seek ways to expand their resources and create new DDoS
attack vectors. They want the capacity to produce large bandwidth attacks, the ability to
make multiple simultaneous connections and the ability to use geographically dispersed
resources. Employing these capabilities makes it more difficult for defenders to mitigate
DDoS attacks and may cause the defenders to block legitimate traffic and thus suffer
collateral damage from large attacks. As a result, malicious actors are involving new types
of devices and platforms in their DDoS botnets.
Community efforts to harden and protect PCs and servers from infection by bot malware
have resulted in an increase in the time and level of skill required of malicious actors to
bypass protections and produce effective exploits. As a result, across many campaigns
PLXsert has observed attack signatures that do not match commonly used PC and server
bots. This trend has increased over the last two years.
The new signatures come from devices such as commercial routers, customer premise
equipment (CPE), mobile handheld devices, video conference devices and Internet of
Things (IoT) devices. Some of these devices are thought of as low-consumption and low-bandwidth devices, but in a DDoS botnet, leveraging thousands of such devices contributes
significant power.
There is a commonality among most embedded devices: They appear transparent to the
end user or require above-average skill to access and manage. As a result, they are often
unmanaged and unmonitored for lengthy periods of time. Often access to these unmanaged
devices is left open with default credentials or credentials that are exposed to the Internet.
Another sign of malicious actors seeking to expand their range of resources is the
appearance of botnet development tools crafted to probe and find specific signatures and
banners of new types of devices. An example of this trend is the scanner tools available on
the Internet to identify devices using the Simple Service Discovery Protocol (SSDP).
Once these devices have been identified, they are targeted for remote exploitation or
reflection abuse. These attacks use devices with open ports and protocols to amplify
responses against designated targets, allowing attackers to generate a higher attack volume
with fewer resources. The focus of malicious actors on Internet-enabled devices suggests a
transition toward a scenario where a DDoS botnet may not be principally composed of PCs
or servers.
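The reflection pattern described above has a recognizable shape from the victim's side: many unrelated hosts send UDP traffic sourced from port 1900 (SSDP) toward one destination that never sent them a discovery request, with reply packets far larger than the ~100-byte M-SEARCH that triggers them. The following script is an added example (not code from the report or from Akamai/PLXsert) that scans flow records for that shape; the record layout, the sample records, the field names and the thresholds are all assumptions made for the example.

```python
"""Detect unsolicited SSDP (UDP/1900) reflection traffic in flow records.

Added example; not part of the Q3 2014 report. The flow record layout
(src_ip src_port dst_ip dst_port proto bytes packets) and the thresholds are
assumptions chosen for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable

SSDP_PORT = 1900


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    bytes: int
    packets: int


def parse_flow_line(line: str) -> Flow:
    """Parse one whitespace-separated record in the assumed layout."""
    f = line.split()
    if len(f) != 7:
        raise ValueError(f"malformed flow record: {line!r}")
    return Flow(f[0], int(f[1]), f[2], int(f[3]), f[4].upper(), int(f[5]), int(f[6]))


# Constructed sample records (RFC 5737 documentation addresses).
SAMPLE_LINES = [
    # 203.0.113.10 legitimately discovers a LAN device and gets one reply
    "203.0.113.10 50000 203.0.113.20 1900 UDP 100 1",
    "203.0.113.20 1900 203.0.113.10 50000 UDP 400 1",
    # unsolicited, oversized SSDP "replies" from many unrelated devices
    "198.51.100.7 1900 203.0.113.10 80 UDP 6000 4",
    "198.51.100.8 1900 203.0.113.10 80 UDP 4500 3",
    "198.51.100.9 1900 203.0.113.10 80 UDP 7500 5",
    "192.0.2.33 1900 203.0.113.10 80 UDP 3000 2",
    # ordinary DNS reply: must not match
    "192.0.2.53 53 203.0.113.10 41000 UDP 120 1",
    # one stray SSDP packet to another host: below the source threshold
    "192.0.2.70 1900 203.0.113.11 80 UDP 1500 1",
]


def find_ssdp_reflection(flows: Iterable[Flow], min_sources: int = 3,
                         min_avg_bytes: int = 300) -> Dict[str, dict]:
    """Return {victim_ip: summary} for hosts receiving UDP traffic sourced from
    port 1900 by at least `min_sources` distinct hosts they never queried, with
    an average packet size of at least `min_avg_bytes` (an SSDP M-SEARCH is
    roughly 100 bytes; replies several times larger are the amplification)."""
    flows = list(flows)
    # (requester, responder) pairs for which a request was seen: replies to
    # these are solicited and are not counted
    solicited = {(f.src_ip, f.dst_ip) for f in flows
                 if f.proto == "UDP" and f.dst_port == SSDP_PORT}
    per_victim = defaultdict(lambda: {"sources": set(), "bytes": 0, "packets": 0})
    for f in flows:
        if f.proto != "UDP" or f.src_port != SSDP_PORT:
            continue
        if (f.dst_ip, f.src_ip) in solicited:
            continue
        v = per_victim[f.dst_ip]
        v["sources"].add(f.src_ip)
        v["bytes"] += f.bytes
        v["packets"] += f.packets
    result = {}
    for victim, v in per_victim.items():
        avg = v["bytes"] / v["packets"] if v["packets"] else 0.0
        if len(v["sources"]) >= min_sources and avg >= min_avg_bytes:
            result[victim] = {"sources": sorted(v["sources"]),
                              "packets": v["packets"],
                              "avg_packet_bytes": round(avg, 1)}
    return result


def scan_lines(lines: Iterable[str]) -> Dict[str, dict]:
    """Parse raw records and run the detector over them."""
    return find_ssdp_reflection(parse_flow_line(line) for line in lines)


if __name__ == "__main__":
    for victim, info in scan_lines(SAMPLE_LINES).items():
        print(f"{victim}: {len(info['sources'])} unsolicited SSDP sources, "
              f"{info['packets']} packets, avg {info['avg_packet_bytes']} bytes/packet")
```

The solicited-pair check is what separates a reflection flood from a host's own discovery traffic; the distinct-source and average-size thresholds are the two properties the text attributes to reflection (many dispersed devices, amplified responses) and should be tuned to the monitored network's baseline.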

Highlighted campaign
The DDoS attack campaign illustrated in the Q3 2014 State of the Internet Security Report
was observed during Q3 2014 using ARM-based payloads. The attack peaked at 215 Gbps
and 150 Mpps, and source IPs were identified in countries including the U.S., China, Japan,
Korea and Germany.
Close to 10 percent of attacking IP addresses involved customer premise equipment (CPE)
with payloads matching the Spike toolkit, which is discussed in the Spike DDoS Toolkit
Threat Advisory from PLXsert.
DDoS mitigation and community action
Mitigation is needed at both the device level and the administrator level.
OEM manufacturers and platform and application developers must take greater care when
developing software and firmware for these devices, making security a fundamental part in
the development of firmware and applications. Mechanisms must be available to update
and patch systems that will eventually fall vulnerable over their lifecycle.
Industrywide collaboration is necessary to address this growing threat. Hardware vendors
and software developers need to address the cleanup, mitigation and management of
current and potential vulnerabilities during the lifecycle of these devices.
Get the full Q3 2014 State of the Internet Security Report with all the details
Akamai produces a quarterly Internet security report. Download the Q3 2014
State of the Internet Security Report for:
Analysis of DDoS attack trends
Bandwidth (Gbps) and volume (Mpps) statistics
Year-over-year and quarter-by-quarter analysis
Application layer attacks
Infrastructure attacks
Attack frequency, size and sources
Where and when DDoSers strike
How and why attackers are building DDoS botnets from devices other than PCs and
servers
Details of a record-breaking 321 Gbps DDoS attack
Syrian Electronic Army (SEA) phishing attacks target third-party content providers
The more you know about cybersecurity, the better you can protect your network against
cybercrime. Download the free Q3 2014 State of the Internet Security Report at
http://www.stateoftheinternet.com/security-reports today.
About stateoftheinternet.com

StateoftheInternet.com, brought to you by Akamai, serves as the home for content and
information intended to provide an informed view into online connectivity and
cybersecurity trends as well as related metrics, including Internet connection speeds,
broadband adoption, mobile usage, outages, and cyber-attacks and threats. Visitors to
www.stateoftheinternet.com can find current and archived versions of Akamai's State of
the Internet (Connectivity and Security) reports, the company's data visualizations, and
other resources designed to help put context around the ever-changing Internet landscape.
