Akamai: DDoS activity is down, but proliferation of IoT devices makes internet less secure

Mirai has encouraged a plethora of imitators, warns Akamai

Akamai has warned that, while the number and volume of DDoS attacks have declined so far in 2017, a proliferation of Mirai-style botnets on IoT devices means that bigger attacks could be just around the corner.

The content distribution company, which accounts for as much as 30 per cent of all online traffic, made the claims in its latest State of the Internet (PDF) report.

Like any product, DDoS attack tools follow a 'hype cycle', it suggested, but the cycle typically runs much faster than for consumer technologies, as the relatively small community working with botnets is very open to change.


Mirai is currently working its way through the malware hype cycle, although its popularity has hampered it somewhat; contention for insecure IoT devices, which Mirai targets, has reduced the size of attacks considerably.

The effects of the IoT should not be underestimated as the space is drawing more attention from a wider audience. For example, malware last year targeted IoT toasters in order to add them to bitcoin mining botnets. Although the malware was ineffective, it provided an interesting proof of concept.

Liviu Arsene, senior e-threat analyst at Bitdefender, told Teiss.co.uk: "Researchers have been testing the security of IoT devices for a long time and have often found them lacking even basic security practices. From enforcing strong password authentication to encryption and security updates, most IoT manufacturers treat security features trivially and oftentimes are not even included in the device's development roadmap."

Despite the Mirai botnet, DDoS attacks in general have fallen 30 per cent, year-on-year, and 17 per cent, quarter-on-quarter. The median size has also fallen, from 4Gbps in 2015 to just over 500Mbps today. However, this is likely due to the increased number of smaller attacks, with half of all assaults now between 250Mbps and 1.25Gbps.

Even these smaller attacks can harm unprepared organisations, though.

Akamai warned: "If we consider that many businesses lease uplinks to the Internet in the range of 1-10Gbps, any attack exceeding 10Gbps could be 'big enough' and more than capable of taking the average unprotected business offline."

The solid red line represents the 75th percentile, showing that 75 per cent of all DDoS attacks were below 1.3Gbps in the examined time period. If a business can withstand this, then it can shrug off 75 per cent of all current DDoS attacks. However, if its uptime goals are higher, it would need to be able to absorb an attack of 5Gbps to withstand 95 per cent of attacks.

It is expected that the size and frequency of DDoS attacks will increase in the near future; small-scale attacks are especially expected to rise, but the mega attacks will continue to have an outsized impact on DDoS trends.

A new attack spotlighted by Akamai was Mirai's DNS Water Torture, first seen in mid-January and targeting customers in the financial services industry. It is a flood of DNS queries, which can lead to a denial of service for legitimate users if the target server is unprepared. However, it was reflection attacks that continued to dominate DDoS activity.

There was a subtle shift in the area of web application attacks, with 57 per cent more coming from the USA in the first quarter of 2017 compared to the same quarter in 2016. These target the underlying fabric of websites; either tying up resources or taking information from the database powering the sites. The impact can be longer-lasting than outages from infrastructure-related DDoS attacks.

The USA, Netherlands, Brazil, China and Germany were the top sources of web application attacks in the first quarter. The Netherlands is an interesting standout, with a population of only 17 million but producing 12.7 per cent of web attacks. By comparison, the USA has a population almost 20 times higher, but produces 'just' 34 per cent of attacks.

Web application attacks targeted the USA (221 million), Brazil (24.2 million), the UK (14.2 million), Japan (13.4 million) and Germany (10.8 million). Although the US was far in advance of any other country, the figure was actually down 9 per cent, while Brazil and the UK were up (46 per cent and 30 per cent, respectively).

Peering into the crystal ball…

The number of DDoS attacks has fallen since 2016, but the risks are as present as ever. In fact, the capabilities of high-end attackers are rising, threatening not only the initial target, but collateral businesses, as well.

Maximum attack size has been rising ever since Mirai: from 100Gbps in the first quarter of 2016 to 600Gbps in the third quarter of the same year.

Several organisations, including Akamai, have seen attack sizes exceed 1Tbps. The possibility of a 'super-botnet', perhaps due to the emergence of a unified command and control structure, could result in 2Tbps-or-more attacks in the near future.

Despite the moves of security organisations such as Europol and ISPs to counter Mirai, it would be short-sighted to think of this botnet as the only threat. Its source code, now available to all, has already been incorporated into competitors - such as the BillGates family - which are evolving to take advantage of the changed DDoS landscape.