Slideshow: Q3 2014 SSDP UPnP Devices DDoS Attacks from StateoftheInternet.com

Q3 2014 State of the Internet: Security Report Case Study

Upload: akamai

Post on 18-Jul-2015


Page 1: Slideshow: Q3 2014 SSDP UPnP Devices DDoS Attacks from StateoftheInternet.com

Q3 2014 State of the Internet: Security Report Case Study


©2014 AKAMAI | FASTER FORWARD™

Botnets of New Types of Devices

• As system hardening tactics and protection for PCs and servers have strengthened, attackers have shifted their attention to a new class of devices for building DDoS botnets:
  • Commercial routers
  • Customer-premise equipment (CPEs)
  • Mobile handheld devices
  • Video conference devices
  • Internet of Things (IoT) devices
• A DDoS botnet can leverage thousands of low-bandwidth devices for a large attack


Unmanaged and Unmonitored Devices

• Several factors make Internet-enabled embedded devices vulnerable to abuse:
  • Insecure configurations
  • Outdated firmware
  • Lack of management and user interface to correct and update security issues
  • Lack of detection mechanisms
  • Unrestricted uploads
• With more than 160 million wireless access points worldwide, these vulnerabilities represent a significant risk


SSDP Reflection Attacks

• A recently discovered botnet development tool crafted to probe and find devices using the Simple Service Discovery Protocol (SSDP) reveals a powerful new attack vector:
  • SSDP permits networked devices to find each other and establish a network connection
  • Scans have discovered more than 17 million SSDP-enabled devices
  • Malicious actors target these devices for reflection and amplification attacks
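
Added example, not part of the Akamai slides: a defender-side check that flags hosts receiving SSDP responses they never solicited, which is what a reflection victim sees on the wire. It assumes SSDP's standard UDP port 1900; the `Pkt` record, the function name, the thresholds and the sample packets are constructed for illustration.

```python
from collections import defaultdict, namedtuple

SSDP_PORT = 1900  # standard SSDP/UPnP discovery port (UDP)

# Hypothetical record type: one parsed UDP datagram from a capture or flow log.
Pkt = namedtuple("Pkt", "ts src sport dst dport payload")

def find_reflection_victims(pkts, window=5.0, min_sources=3):
    """Return {victim_ip: stats} for hosts that receive SSDP responses
    without a recent M-SEARCH of their own, from >= min_sources responders."""
    last_search = {}  # host -> timestamp of its most recent M-SEARCH
    stats = defaultdict(lambda: {"sources": set(), "bytes": 0})
    for p in sorted(pkts, key=lambda p: p.ts):
        if p.dport == SSDP_PORT and p.payload.startswith(b"M-SEARCH"):
            last_search[p.src] = p.ts  # legitimate discovery request
        elif p.sport == SSDP_PORT and p.payload.startswith(b"HTTP/1.1 200"):
            asked = last_search.get(p.dst)
            # No request at all, or one too old to explain this response.
            if asked is None or p.ts - asked > window:
                stats[p.dst]["sources"].add(p.src)
                stats[p.dst]["bytes"] += len(p.payload)
    return {ip: {"sources": len(s["sources"]), "bytes": s["bytes"]}
            for ip, s in stats.items() if len(s["sources"]) >= min_sources}

# Constructed sample traffic (documentation address ranges only).
SEARCH = (b'M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n'
          b'MAN: "ssdp:discover"\r\nMX: 1\r\nST: upnp:rootdevice\r\n\r\n')
RESP = (b"HTTP/1.1 200 OK\r\nST: upnp:rootdevice\r\n"
        b"USN: uuid:example::upnp:rootdevice\r\n\r\n")
SAMPLE = [
    Pkt(0.0, "192.0.2.10", 50000, "239.255.255.250", 1900, SEARCH),
    Pkt(0.4, "192.0.2.20", 1900, "192.0.2.10", 50000, RESP),  # solicited
    Pkt(1.0, "198.51.100.1", 1900, "203.0.113.5", 80, RESP),  # unsolicited
    Pkt(1.1, "198.51.100.2", 1900, "203.0.113.5", 80, RESP),
    Pkt(1.2, "198.51.100.3", 1900, "203.0.113.5", 80, RESP),
]

if __name__ == "__main__":
    for ip, s in find_reflection_victims(SAMPLE).items():
        print(f"{ip}: {s['sources']} responders, {s['bytes']} bytes unsolicited")
```

The host that issued its own M-SEARCH is not flagged; only the address receiving responses from several devices with no matching request is reported.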


Devices Using SSDP

• SSDP is the basis of the discovery protocol of Universal Plug and Play (UPnP)
• SSDP is enabled on millions of Internet-connected devices:
  • Routers
  • Network cameras
  • Smart TVs
  • Desktop computers
  • Laptops
• Akamai research reveals that 38 percent of such devices in use may be susceptible to abuse


Highlighted Campaign

• This new class of devices supports larger, more complex attacks
• High bandwidth consumption: 215 Gbps
• Processing power consumption: 150 Mpps
• Geographical distribution: U.S., Europe, and Asia
• Almost 10 percent of IP addresses involved customer premises equipment devices (CPEs) with payloads that matched the Spike DDoS Toolkit


Geographical Dispersion of Source IPs

This figure shows the distribution of source IPs from a Q3 2014 attack. The new class of devices allows wider geographic distribution of attack sources, which creates greater complexity when mitigating DDoS campaigns.


DDoS Mitigation and Community Action

• Mitigation is needed at both the device level and the administrator level
• Security must be a fundamental part in the development of device firmware and applications
• Mechanisms must be available to update and patch systems that will eventually fall vulnerable over their lifecycle
• Industrywide collaboration is necessary to address this growing threat
• Hardware vendors and software developers are needed to address the cleanup, mitigation and management of current and potential vulnerabilities during the lifecycle of these devices


Q3 2014 State of the Internet – Security Report

Download the Q3 2014 State of the Internet – Security Report, which includes:

• Analysis of DDoS attack trends
• Bandwidth (Gbps) and volume (Mpps) statistics
• Year-over-year and quarter-by-quarter analysis
• Application layer attacks and infrastructure attacks
• Attack frequency, size and sources
• Where and when DDoSers strike
• How and why attackers are building DDoS botnets from devices other than PCs and servers
• Details of a record-breaking 321 Gbps DDoS attack
• Syrian Electronic Army (SEA) phishing attacks
• More at www.stateoftheinternet.com/security-reports


About stateoftheinternet.com

• StateoftheInternet.com, brought to you by Akamai, serves as the home for content and information intended to provide an informed view into online connectivity and cybersecurity trends as well as related metrics, including Internet connection speeds, broadband adoption, mobile usage, outages, and cyber-attacks and threats.
• Visitors to www.stateoftheinternet.com can find current and archived versions of Akamai’s State of the Internet (Connectivity and Security) reports, the company’s data visualizations, and other resources designed to put context around the ever-changing Internet landscape.