Akamai has released its Q2 2017 State of the Internet Security Report, which shows that distributed denial of service (DDoS) and web application attacks are on the rise.
Contributing to the rise was the PBot DDoS malware, which re-emerged as the foundation of the strongest DDoS attacks seen by Akamai in Q2.
Attackers were able to create a mini-DDoS botnet capable of launching a 75Gbps DDoS attack.
Interestingly, the PBot botnet comprised only 400 nodes, yet it was able to generate a significant level of attack traffic.
Domain Generation Algorithms
Another entry on the “everything old is new again” list was the use of Domain Generation Algorithms (DGA) in malware Command and Control (C2) infrastructure.
Introduced with the Conficker worm in 2008, DGA has remained a frequently used communication technique for modern malware.
Akamai found that infected networks generated approximately 15 times the DNS lookup rate of a clean network.
This was the result of the malware on the infected networks attempting to reach the randomly generated domains; most of those domains were not registered, so the failed lookups created a lot of noise.
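One defender-side way to catch the noise described above, added here as an example and not taken from the Akamai report: a short Python script that reads constructed resolver log lines in an assumed "client name rcode" format and flags clients whose lookup volume is a multiple of a clean baseline and whose queries mostly fail with NXDOMAIN (the signature of unregistered generated names).

```python
from collections import defaultdict

# Constructed sample: one resolver log line per query, in the assumed form
#   "<client-ip> <queried-name> <rcode>"  (not a real resolver's format).
# 10.0.0.5 is a clean host; 10.0.0.9 churns through unregistered names.
SAMPLE_LOG = """\
10.0.0.5 www.example.com NOERROR
10.0.0.5 mail.example.com NOERROR
10.0.0.5 cdn.example.net NOERROR
10.0.0.5 time.example.org NOERROR
10.0.0.9 www.example.com NOERROR
10.0.0.9 qzkvhxpdwm.info NXDOMAIN
10.0.0.9 bteoplwyhf.biz NXDOMAIN
10.0.0.9 lrmcngwqzx.org NXDOMAIN
10.0.0.9 uhtbvqfkos.net NXDOMAIN
10.0.0.9 ycmwzhlngr.info NXDOMAIN
10.0.0.9 pdxkqlvmtb.com NXDOMAIN
10.0.0.9 xwrnjtgyqk.biz NXDOMAIN
10.0.0.9 gvbplzmksh.org NXDOMAIN
10.0.0.9 ohzqtnfwxc.net NXDOMAIN
10.0.0.9 kfjsrwdvhp.info NXDOMAIN
10.0.0.9 dmztclxqrv.com NXDOMAIN
10.0.0.9 wnshkgbyjq.biz NXDOMAIN
"""

def summarize_clients(log_text):
    """Per client: total lookups and how many failed with NXDOMAIN."""
    stats = defaultdict(lambda: {"total": 0, "nxdomain": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client, _name, rcode = line.split()
        stats[client]["total"] += 1
        if rcode == "NXDOMAIN":
            stats[client]["nxdomain"] += 1
    return dict(stats)

def flag_dga_suspects(stats, baseline_lookups, rate_multiple=3.0, nx_ratio=0.5):
    """Flag clients whose lookup count is at least rate_multiple times the
    clean baseline AND whose queries are mostly NXDOMAIN failures."""
    suspects = []
    for client, s in stats.items():
        failure_ratio = s["nxdomain"] / s["total"]
        if s["total"] >= baseline_lookups * rate_multiple and failure_ratio >= nx_ratio:
            suspects.append(client)
    return sorted(suspects)

if __name__ == "__main__":
    print(flag_dga_suspects(summarize_clients(SAMPLE_LOG), baseline_lookups=4))
```

The baseline here is the clean host's own count; in production it would come from a longer observation window, and the two thresholds are tuned per network.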
Akamai also used its “unique visibility” in defending against attacks from the Mirai botnet in September 2016 and onward to study different aspects of the botnet – specifically its C2 infrastructure in Q2.
Akamai said Mirai, like other botnets, is now contributing to the commoditization of DDoS.
While many of the botnet’s C2 nodes were observed conducting “dedicated attacks” against IPs, more were noted as participating in “pay-for-play” attacks.
In these situations, Mirai C2 nodes were observed attacking IPs for a short duration, going inactive, and then re-emerging to attack different targets.
- The number of DDoS attacks in Q2 increased by 28% quarter-over-quarter, following three quarters of decline.
- DDoS attackers are more persistent than ever, attacking targets an average of 32 times over the quarter. One gaming company was attacked 558 times.
- Egypt was the origin of the greatest number of unique IP addresses used in frequent DDoS attacks, with 32% of the global total.
- Fewer devices were used to launch DDoS attacks this quarter. The number of IP addresses involved in volumetric DDoS attacks dropped 98% from 595,000 to 11,000.
- The incidence of Web application attacks increased 5% quarter-over-quarter, and 28% year-over-year.
- SQLi attacks were used in 51% of web application attacks – up from 44% last quarter – generating nearly 185 million alerts in Q2.