The Q3 2016 State of the Internet / Security Report represents analysis and research from Akamai based on data from their global infrastructure and routed DDoS solution.
Key points and insights from the report include:
- 71% increase in DDoS attacks between Q3 2015 and Q3 2016.
- 77% increase in infrastructure layer (layers 3 & 4) DDoS attacks.
- 18% decrease in total web application attacks between Q3 2015 and Q3 2016.
- Two attack bandwidth records were set in Q3 – 623 Gbps and 555 Gbps.
- Application layer DDoS attacks account for only 1.66%, but have a disproportionate impact compared to the infrastructure layer’s 98.34% share.
- While the number of NTP attacks has increased over time, the total traffic generated by each one has decreased significantly. During the 2014 holiday season, the average NTP flood attack was over 40 Gbps; in the current quarter, these attacks have seen a 98% drop in bandwidth volume. This can be attributed to several NTP vulnerabilities having been discovered and subsequently patched by system administrators.
- The Mirai family of botnets played a big part in recent mega attacks over 100 Gbps. Instead of using reflection mechanisms, it utilises IoT devices and generates traffic directly from them.
- The top three source countries of attacks in this quarter are China, U.S. and U.K. The proportion of traffic from China has been reduced by 56% since last quarter, which has had a significant impact on the 8% overall decrease in traffic in Q3.
- The average number of attacks per target has increased to 30 this quarter, which suggests that once an organisation has been targeted, it should expect subsequent attacks. The record number of attacks on a single target in this quarter is 427.
- Reflection-based DDoS attacks saw a decline this quarter, but still made up the majority at 51%. DNS attacks were the most common reflection-based attacks.
- While certain ASNs contain many sources of reflection-based attacks and seem to contain repeat offenders, the vast majority of sources are scattered around the internet, meaning this is not restricted to certain regions or networks.
- SQLi (48.83%) and LFI (39.97%) make up the majority of application-based attacks.
- The majority of web application attacks continued to take place over HTTP (68%) as opposed to HTTPS (32%). Most websites still allow HTTP connections instead of forcing the use of HTTPS, so there is no real motivation for attackers to use HTTPS. As a result, many attack tools aren’t configured to use HTTPS by default.
- Large sporting events like the European Football Cup Championship or the Summer Olympics can have an impact on the volume of web application attacks originating from places where these events are popular. Brazil was the source of 1 million attacks during the 17-day period of the summer games, while in the previous month for the same dates we saw 7.3 million attacks coming from the country. Attacks on web applications are generally more involved and require more intelligence and preparation, which contributes to the impact big events have on the productivity of actors.