Key Points from Akamai’s State of the Internet Q3 2016 Security Report

The Q3 2016 State of the Internet / Security Report represents analysis and research from Akamai based on data from their global infrastructure and routed DDoS solution.

Key points and insights from the report include:

  • 71% increase in DDoS attacks between Q3 2015 and Q3 2016.
  • 77% increase in infrastructure layer (layers 3 & 4) DDoS attacks.
  • 18% decrease in total web application attacks between Q3 2015 and Q3 2016.
  • Two attack bandwidth records were set in Q3 – 623 Gbps and 555 Gbps.
  • Application layer DDoS attacks account for only 1.66, but have a disproportionate impact to the infrastructure layer’s 98.34% share.
  • While the number of NTP attacks has increased over time, the total traffic generated by each one has decreased significantly. During the 2014 holiday season, the average NTP flood attack was over 40 Gbps and in the current quarter these have seen a 98% drop in bandwidth volume. This can be attributed to several NTP vulnerabilities having been discovered and subsequently patched by system administrators.
  • The Mirai family of botnets played a big part in recent mega attacks over 100 Gbps. Instead of using reflection mechanisms, it utilises IoT devices and generates traffic directly from them.
  • The top three source countries of attacks in this quarter are China, U.S. and U.K.  The proportion of traffic from China has been reduced by 56% since last quarter which has had a significant impact on the 8% overall decrease in traffic in Q3.
  • The average number of attacks per target has increased to 30 this quarter, which suggests that there is a strong probability that once an organisation has been targeted, it should expect subsequent attacks. 427 is the record number of attack to a single target in this quarter.
  • Reflection-based DDoS attacks saw a decline this quarter, but still were a majority with 51%. DNS attacks were the most common reflection-based attacks.
  • While certain ASNs contain many sources of reflection-based attacks and seem to contain repeat offenders, the vast majority of sources are scattered around the internet, meaning this is not restricted to certain regions or networks.
  • SQLi (48.83%) and LFI (39.97%) make up the majority of application-based attacks.
  • The majority of web application attacks continued to take place over HTTP (68%) as opposed to HTTPS (32%). Most websites still allow HTTP connections instead of forcing the use of HTTPS and as such there is no real motivation for attackers to use HTTPS. As a result many attack tools aren’t configured to use HTTPS by default.
  • Large sporting events like the European Football Cup Championship or the Summer Olympics can have an impact on the volume of web application attacks originating from places where these events are popular. Brazil was the source of 1 million attacks during the 17-day period of the summer games, while in the previous month for the same dates we saw 7.3 million attacks coming from the country. Attacks on web applications are generally more involved and require more intelligence and preparation, which contributes to the impact big events have on the productivity of actors.

Data Graphs

Download the full report:

External Footprinting Tools for Passive Reconnaissance

dmitry

dmitry or the Deepmagic Information Gathering Tool can be used for a variety of reconnaissance purposes. It ships with Kali Linux and can be used to perform a whois lookup on the domain name of a host and save it to a text file like this:
dmitry -winsepo example.txt example.com

whois

Kind of obvious, but very useful to get initial pointers on names as well as IP addresses.
ap-get install whois

BGP

Looking Glass or bgp.he.net can be used to run BGP queries on an ASN.

scans.io

scans.io provides downloads of TCP/UDP port scans as well as service fingerprints like security certificates and DNS records. Its sister project censys.io allows the data to be queried online as opposed to downloading it.

Side note: pigz (parallel implementation of gzip) is a great tool for interrogating downloads quickly by using multiple CPUs and threads.

shodan.io

shodan.io is the search engine for the internet of things.

Common Crawl

An open repository of web crawl data available at commoncrawl.org.

crt.sh

Comodo’s Certificate Search can find certificates by domain name, organisation name or fingerprint.

How to Enable Two-Factor Authentication on Amazon.co.uk

While two-factor authentication (2FA) isn’t officially available on Amazon UK, there is a very simple way of enabling the feature and making sure that your account benefits from that extra layer of security.

Two-Factor Authentication on Amazon

To enable 2FA for your non-US Amazon account, follow the steps below:

  1. Go to https://www.amazon.com and sign in using your Amazon UK credentials.
  2. Navigate to Your Account and locate the Change Account Settings link under Settings.
  3. You may be prompted for credentials again, but after you authenticate, you will be presented with a number of settings. Click Edit next to Advanced Security Settings.
  4. Read the information on the two-step verification page and click Get Started.
  5. Now you need to make a choice between enabling 2FA using SMS text messages or an authenticator app. Let’s consider each option’s features:
    • SMS text message:
      • Doesn’t require a smartphone or extra software, making it very easy to use and manage.
      • It is only available on a single device. If you lose your phone you may be left without access to your Amazon account until you can get a replacement SIM.
      • Requires cell reception to work.
    • Authenticator app (Authy):
      • It is not dependent on cell reception or a connection to the internet.
      • You can generate codes from multiple devices without relying on your phone.
      • Recovering Authy itself, if you only had it on a single device, is likely to rely on SMS verification as well.
      • Amazon uses SMS texts as it’s backup code verification method in case you lose access to your app!
  6. We will go with Authy for this example, although SMS on its own can be just as good in most cases. Click on the Authenticator app option.
  7. Scan the displayed QR code into Authy and type the token that the app displays back in Amazon.
  8. You will now be asked to enter your backup phone number; any country is allowed. Proceed through the form, verifying your number with the code you’ll receive via SMS.
  9. Agree to the caveat and you’re finished!
Caveat: The last step of activating 2FA on Amazon alerts you to a minor inconvenience seen on mobile devices – they don’y support it. You will sill be able to to sign in, but you will have to append the code you receive to the end of your password string.

Caveat for Two-Factor Authentication on Amazon


TL;DR: Enable 2FA under Advanced Security Settings on Amazon.com and it will work for the UK site.