Mega Attacks Hit New Record; Repeat Attacks Surge; Booter/Stresser Sites Launching Multiple Attack Vectors Simultaneously

Latest Cloud Security Trends Shared in Akamai’s Q1 2016 State of the Internet - Security Report Show Retail, Gaming Industries Hardest Hit with Web Application and DDoS attacks

Cambridge, MA |

Akamai Technologies, Inc. (NASDAQ: AKAM), the global leader in content delivery network (CDN) services, today published the Q1 2016 State of the Internet – Security Report. The quarterly report provides a detailed view of the global cloud security threat landscape and in-depth analysis and insight into malicious activity observed across the Akamai Intelligent Platform™. Download the latest State of the Internet – Security Report at stateoftheinternet.com/security-report.

“We have continued to witness significant growth in the number and frequency of DDoS and web application attacks launched against online assets, and Q1 2016 was no exception,” said Stuart Scholly, senior vice president and general manager, Security Business Unit, Akamai. “Interestingly, nearly 60 percent of the DDoS attacks we mitigated used at least two attack vectors at once, making defense more difficult. Perhaps more concerning, this multi-vector attacks functionality was not only used by the most clever of attackers, it has become a standard capability in the DDoS-for-hire marketplace and accessible to even the least skilled actors.”

DDoS attack activity at a glance

During Q1, Akamai mitigated more than 4,500 DDoS attacks, a 125 percent increase compared with Q1 2015. As in recent quarters, the vast majority of these attacks were based on reflection attacks using stresser/booter-based tools. These tools bounce traffic off servers running vulnerable services such as DNS, CHARGEN, and NTP. In fact, 70 percent of the DDoS attacks in Q1 used the reflection-based DNS, CHARGEN, NTP, or UDP fragment vectors.

More than half of the attacks (55 percent) targeted gaming companies, with another 25 percent targeting the software and technology industry.

Q1 2016 also set a record for the number of DDoS attacks exceeding 100 Gigabits per second (Gbps): 19. The largest of these mega attacks mitigated by Akamai peaked at 289 Gbps. Fourteen attacks relied on DNS reflection methods. Last quarter, there were only five mega attacks; the previous record was 17, set in Q3 2014.

During Q4 2015, repeat DDoS attacks became the norm, with an average of 24 attacks per targeted customer in Q4. The trend continued this quarter; targeted customers were attacked an average of 39 times each. One customer was targeted 283 times – an average of three attacks per day.

DDoS metrics

Compared with Q1 2015

  • 125.36 percent increase in total DDoS attacks
  • 142.14 percent increase in infrastructure layer (layers 3 & 4) attacks
  • 34.98 percent decrease in the average attack duration: 16.14 vs. 24.82 hours
  • 137.5 percent increase in attacks > 100 Gbps: 19 vs. eight

Compared with Q4 2015

  • 22.47 percent increase in total DDoS attacks
  • 23.17 percent increase in infrastructure layer (layers 3 & 4) attacks
  • 7.96 percent increase in the average attack duration: 16.14 vs. 14.95 hours
  • 280 percent increase in attacks > 100 Gbps: 19 vs. five

Web application attack activity

Web application attacks increased nearly 26 percent compared with Q4 2015. As in past quarters, the retail sector remained the most popular attack target, targeted in 43 percent of the attacks. But in a shift from last quarter, we saw a two percent decrease in web application attacks over HTTP and a 236 percent increase in web application attacks over HTTPS. There was also an 87 percent increase in SQLi attacks compared with the previous quarter.

As in recent quarters, the US was both the most frequent source of web application attack traffic (43 percent) and the most frequent target (60 percent).

Web application attack metrics

Compared with Q4 2015

  • 25.52 percent increase in total web application attacks
  • 1.77 percent decrease in web application attacks over HTTP
  • 235.99 percent increase in web application attacks over HTTPS
  • 87.32 percent increase in SQLi attacks

Bot activity snapshot

For the first time, we’ve included an analysis of bot activity in the State of the Internet - Security Report. Looking at bot activity over 24 hours, we tracked and analyzed more than two trillion bot requests. While identified and known, so-called good bots represented 40 percent of the bot traffic, 50 percent of the bots were determined to be malicious and were engaged in scraping campaigns and related activity.

Growth in DDoS reflectors

Using firewall data from the perimeter of the Akamai Intelligent Platform, our analysis showed a 77 percent growth in active Quote of the Day (QOTD) reflectors, a 72 percent increase in NTP reflectors and a 67 percent increase in CHARGEN reflectors compared to Q4 2015. Active SSDP reflectors declined by 46 percent.

Download the report

A complimentary copy of the Q1 2016 State of the Internet - Security Report is available for download at stateoftheinternet.com/security-report.

About Akamai

As the global leader in Content Delivery Network (CDN) services, Akamai makes the Internet fast, reliable and secure for its customers. The company's advanced web performance, mobile performance, cloud security and media delivery solutions are revolutionizing how businesses optimize consumer, enterprise and entertainment experiences for any device, anywhere. To learn how Akamai solutions and its team of Internet experts are helping businesses move faster forward, please visit www.akamai.com or blogs.akamai.com, and follow @Akamai on Twitter.