
[Q4 2014]

akamai.com

= spotlight: TCP flag DDoS attacks

A group claiming to be Lizard Squad has engaged in an ongoing attack campaign against an Akamai customer.
The attack vector and the events surrounding this attack campaign indicate the ongoing development of DDoS attack tools.
Although it was not a record-breaking attack, it was large, peaking at 131 Gigabits per second (Gbps) and 44 Million packets per second (Mpps).
An attack of this level would slow or cause an outage in most corporate infrastructures.
The attacks occurred in August and December 2014.

2 / [state of the internet] / threat advisory

= SYN with a side of everything

The TCP-based attack was packed with TCP flags.
One packet exhibited the greatest number of simultaneous flags set of all the packets; only the ACK flag was missing.
In the order in which they appear [FSRPUEW], the flags included FIN, SYN, RST, PSH, URG, ECN, and CWR.
Such a flag-filled packet is commonly called a Christmas tree packet.

= christmas tree packets

Christmas tree packets are almost always suspicious.
They use more processing power than usual packets.
As a result, they are commonly used in denial of service attacks.
The TCP-based attack was packed with TCP flags, using all but one TCP flag.
Christmas tree packets are also used in reconnaissance to probe system response.


= statistics for the three campaigns


= new attack tool?

Some differences were present between the three attack campaigns.
The December attack executed like a SYN flood.
There was a significant increase in volume from earlier attacks.
The increased attack strength suggests new attack tool development.
The expansion and sophistication of the third attack may indicate new resources from the DDoS-for-hire underground.


= third attack may have been a different attacker

Although Lizard Squad claimed responsibility for the attacks, differences in the third attack campaign draw speculation of a new attacker.
The first two attack campaigns did not produce even half of the volume of the third attack campaign.
Although the first two attacks included a UDP flood, the third campaign did not make use of the UDP flood attack vector.
The third campaign targeted random hosts in a specific /24 network and made use of the extra data in the Reset cause field on the packets with the Reset flag set.
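The flag combinations described on the Christmas tree slide and the data-carrying RST segments of the third campaign can both be recognised from the TCP header alone. The following is an added example written for this page, not code from Akamai or the report: it decodes the flag word of a raw TCP segment, labels anomalous combinations the way an ingress filter might, and counts them per source. The sample segments, the source addresses and the label names are constructed for illustration.

```python
import struct
from collections import Counter

# TCP flag bits in the header's offset/reserved/flags word, in the report's FSRPUEW order with ACK in its place (W = CWR).
FLAG_BITS = [("F", 0x001), ("S", 0x002), ("R", 0x004), ("P", 0x008),
             ("A", 0x010), ("U", 0x020), ("E", 0x040), ("W", 0x080)]

def build_tcp_header(sport, dport, flags, payload=b""):
    """Constructed sample segment: minimal 20-byte header, checksum left zero."""
    bits = sum(bit for name, bit in FLAG_BITS if name in flags)
    offset_flags = (5 << 12) | bits  # data offset = 5 words, no options
    return struct.pack("!HHIIHHHH", sport, dport, 0, 0, offset_flags, 1024, 0, 0) + payload

def decode_flags(segment):
    """Return the set flags as a string in FSRPAUEW order, e.g. 'FSRPUEW'."""
    offset_flags = struct.unpack("!H", segment[12:14])[0]
    return "".join(name for name, bit in FLAG_BITS if offset_flags & bit)

def payload_len(segment):
    # Data offset is given in 32-bit words; anything after it is payload.
    return len(segment) - (struct.unpack("!H", segment[12:14])[0] >> 12) * 4

def classify(segment):
    """Label a segment the way an ingress filter might before rate-limiting."""
    f = set(decode_flags(segment))
    if {"F", "S", "R", "P", "U"} <= f:
        return "xmas"           # flag-filled; no real TCP stack emits this
    if "S" in f and ("F" in f or "R" in f):
        return "invalid-combo"  # SYN never combines with FIN or RST
    if not f:
        return "null"
    if "R" in f and payload_len(segment) > 0:
        return "rst-with-data"  # RST carrying reset-cause bytes, as in campaign 3
    return "normal"

def suspicious_sources(packets):
    """Count anomalous segments per source; packets is [(src_ip, segment), ...]."""
    counts = Counter()
    for src, seg in packets:
        if classify(seg) != "normal":
            counts[src] += 1
    return counts

# Constructed sample traffic (not from the report): a normal SYN, two Christmas
# tree segments from one source, and one RST carrying extra data.
SAMPLE = [
    ("192.0.2.10", build_tcp_header(40000, 80, "S")),
    ("198.51.100.7", build_tcp_header(12345, 80, "FSRPUEW")),
    ("198.51.100.7", build_tcp_header(12346, 443, "FSRPUEW")),
    ("203.0.113.9", build_tcp_header(5555, 80, "R", b"constructed reset cause")),
]

if __name__ == "__main__":
    print(suspicious_sources(SAMPLE))
```

A real deployment would feed segments from a capture library and alert on per-source counts over a window rather than on single packets.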


= distribution by Akamai scrubbing center


= full security report

Download the full Q4 2014 State of the Internet - Security Report

The security report includes:

Analysis of DDoS attack trends
Bandwidth (Gbps) and volume (Mpps) statistics
Year-over-year and quarter-by-quarter analysis
Application layer attacks
Attack frequency, size and sources
Where and when DDoSers strike
Spotlight: A multiple TCP Flag DDoS attack
Malware: Evolution from cross-platform to destruction
Botnet profiling technique: Web application attacks
Performance mitigation: Bots, spiders and scrapers


= about stateoftheinternet.com

StateoftheInternet.com, brought to you by Akamai, serves as the home for content and information intended to provide an informed view into online connectivity and cybersecurity trends as well as related metrics, including Internet connection speeds, broadband adoption, mobile usage, outages, and cyber-attacks and threats.

Visitors to www.stateoftheinternet.com can find current and archived versions of Akamai's State of the Internet (Connectivity and Security) reports, the company's data visualizations, and other resources designed to put context around the ever-changing Internet landscape.

10 / [The State of the Internet] / Security (Q4 2014)
