Akamai has released its State of the Internet Security Report for the first quarter of 2015. The report is based on attack traffic Akamai actually observed on its network rather than on user surveys, which makes it a good record of recent security conditions.
The report opens with a troubling statistic: the number of DDoS attacks recorded in the first quarter of 2015 was more than double the number recorded in the same quarter of 2014, and 35 percent higher than in the fourth quarter of 2014. This trend does not bode well for organizations that lack a DDoS protection strategy.
The report brings other interesting data to light. For example, the typical profile of an observed attack has changed greatly in a year. In 2014 the headline attacks were high bandwidth and short lived; attacks peaking at 200 to 300 gigabits per second (Gbps) or more and 50 million packets per second (Mpps) were being reported. Attackers have backed away from that size-at-all-costs profile, and the typical attack is now low bandwidth and long duration. Akamai reports that the typical DDoS attack in Q1 2015 lasted 24 hours or more, which, in terms of keeping a business out of commission, is the more damaging profile.
The gaming sector continues to be the most targeted industry for DDoS attacks. That does not mean other industries are not at risk, only that they are attacked less often. All companies should also keep in mind that gaming businesses frequently share hosting providers with many other types of businesses. If the provider is not prepared to fend off an attack aimed at a gaming tenant, every other tenant on that infrastructure feels it too.
The observed DDoS attack vectors continue to shift from one quarter to the next. Akamai reports that SSDP (Simple Service Discovery Protocol) reflection was the top infrastructure-layer vector in Q1 2015, whereas SYN floods held that "honor" in Q4 2014. At other times, DNS reflection and UDP floods have been the leading vectors. Infrastructure-layer attacks have made up the bulk of attacks over the past year, with application-layer attacks holding steady at about 10 percent of the total.
Whatever the vector of the moment, attackers are resourceful. They change methods often to evade defenses, to exploit whatever weaknesses are currently available, and to use whatever compromised resources are at hand, such as home routers and other UPnP devices that answer SSDP queries from the open Internet. Targeted companies therefore need an anti-DDoS capability that can handle many attack types at once, since a single campaign frequently combines several vectors.
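To make the vector discussion concrete, the following added example (not code or data from Akamai or from this article) labels constructed flow records by the infrastructure-layer vectors named above and reports whether a sample looks multi-vector. The flow records, the 10 percent share threshold and the 512-byte DNS answer cut-off are assumptions chosen for illustration; a production classifier would baseline per-destination rates rather than judge flows by shape alone.

```python
"""Label constructed flow records by DDoS vector and test for a multi-vector mix.

Added example for this article; it is not Akamai's code or data. The flow
records, thresholds and labels are constructed for illustration only.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Iterable

SSDP_PORT = 1900   # UPnP discovery; reflectors answer from this port
DNS_PORT = 53
ATTACK_VECTORS = {"ssdp-reflection", "dns-reflection", "syn-flood", "udp-flood"}


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str       # "tcp" or "udp"
    tcp_flags: str   # "S", "SA", "PA", ...; "" for udp
    packets: int
    bytes: int


def classify(flow: Flow) -> str:
    """Return a vector label for one flow, judged by its shape alone.

    Reflection vectors are recognised by the reply's *source* port (the
    reflector's service port), not by the destination port; the victim only
    sees the reflectors, never the spoofing host behind them.
    """
    if flow.proto == "udp":
        if flow.src_port == SSDP_PORT:
            return "ssdp-reflection"
        if flow.src_port == DNS_PORT and flow.bytes / flow.packets > 512:
            # Amplified answers run to thousands of bytes; a plain answer
            # fits in 512 bytes (assumed cut-off).
            return "dns-reflection"
        return "udp-flood"      # toy rule: any other UDP volume counts as flood
    if flow.proto == "tcp":
        return "syn-flood" if flow.tcp_flags == "S" else "tcp-other"
    return "other"


def vector_mix(flows: Iterable[Flow], min_share: float = 0.10):
    """Packet share per label, plus the attack labels at or above min_share."""
    flows = list(flows)
    total = sum(f.packets for f in flows)
    by_label = Counter()
    for f in flows:
        by_label[classify(f)] += f.packets
    shares = {label: n / total for label, n in by_label.items()}
    significant = sorted(
        label for label, share in shares.items()
        if label in ATTACK_VECTORS and share >= min_share
    )
    return shares, significant


def is_multi_vector(flows: Iterable[Flow], min_share: float = 0.10) -> bool:
    """True when more than one attack vector carries a significant share."""
    return len(vector_mix(flows, min_share)[1]) > 1


# Constructed sample aimed at one victim (198.51.100.5); RFC 5737 addresses.
SAMPLE_FLOWS = [
    Flow("203.0.113.10", 1900, "198.51.100.5", 55000, "udp", "", 40_000, 12_000_000),
    Flow("203.0.113.20", 53, "198.51.100.5", 55001, "udp", "", 10_000, 30_000_000),
    Flow("192.0.2.7", 41000, "198.51.100.5", 443, "tcp", "S", 20_000, 1_200_000),
    Flow("192.0.2.9", 51000, "198.51.100.5", 443, "tcp", "PA", 500, 400_000),
    Flow("192.0.2.11", 33333, "198.51.100.5", 27015, "udp", "", 5_000, 5_000_000),
]

if __name__ == "__main__":
    shares, significant = vector_mix(SAMPLE_FLOWS)
    for label, share in sorted(shares.items(), key=lambda kv: -kv[1]):
        print(f"{label:16s} {share:6.1%}")
    print("multi-vector:", is_multi_vector(SAMPLE_FLOWS))
```

On the constructed sample, SSDP reflection, SYN flood and DNS reflection each exceed the 10 percent share, so the sample is reported as multi-vector, while the small UDP stream to port 27015 stays below the threshold. The point worth keeping is the source-port test: a victim of a reflection attack sees packets from thousands of reflectors, so any defense keyed on "who is attacking me" sees the reflectors, not the attacker.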
The source countries of the attacks also vary from quarter to quarter. In Q1 2015, China led the way, whereas the United States took top honors in Q4 2014. Other countries that frequently turn up in the "top ten" list include Russia, Korea, India, Turkey and Germany. For companies that do little international business, knowing where most attack traffic originates offers an opportunity to use Geo-IP filtering to drop all traffic from a particular country. For example, if a company does no business at all with entities in China, why not simply block all traffic from that country? That would cut not only a lot of DDoS traffic but a good bit of spam and phishing traffic as well. Two caveats apply. First, "source country" in the report means where the attack packets were emitted, which for reflection attacks is the location of the bots and reflectors, not of the person behind them. Second, a country block applied at your own border stops packets only after they have already crossed your uplink, so it does nothing for a volumetric attack that saturates that link; to help there, the filtering has to be applied upstream, by the provider or a scrubbing service.
Clearly, the state of Internet security is worsening as time goes by. Businesses that want to stay online in the face of attacks will have to act, and that starts with a solid DDoS defense strategy.
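The following added example (not code from Akamai or from this article) shows what a Geo-IP block looks like in practice: collapse a blocked country's prefixes, carve out an allowlist for any partner that does sit inside that country, and emit the ipset and iptables lines that load the result. The country-to-prefix table is constructed from RFC 5737 documentation ranges; a real deployment would load it from a GeoIP database, which is assumed here and not shown.

```python
"""Geo-IP blocklist with an explicit allowlist, emitting ipset/iptables rules.

Added example for this article, not Akamai's or the author's code. The
country-to-prefix table is constructed from RFC 5737 documentation ranges;
a real deployment would load it from a GeoIP database (assumed, not shown).
"""
import ipaddress
from typing import Iterable, List, Tuple

# Constructed: documentation prefixes standing in for real country allocations.
COUNTRY_PREFIXES = {
    "CN": ["203.0.113.0/25", "203.0.113.128/25"],   # adjacent, will collapse
    "US": ["198.51.100.0/24"],
    "DE": ["192.0.2.0/24"],
}


def build_blocklist(blocked_countries: Iterable[str],
                    allowlist: Iterable[str] = ()) -> Tuple[list, list]:
    """Collapse the blocked countries' prefixes; keep the allowlist separate."""
    nets = [ipaddress.ip_network(p)
            for country in blocked_countries
            for p in COUNTRY_PREFIXES.get(country, [])]
    blocked = list(ipaddress.collapse_addresses(nets))
    allowed = [ipaddress.ip_network(p) for p in allowlist]
    return blocked, allowed


def decision(ip: str, blocked, allowed) -> str:
    """Return 'allow' or 'drop'. A named partner inside a blocked country wins."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in allowed):
        return "allow"
    if any(addr in net for net in blocked):
        return "drop"
    return "allow"


def ipset_rules(blocked, allowed, setname: str = "geoblock") -> List[str]:
    """Shell lines that load the block set.

    The allowlist becomes ACCEPT rules; because -I inserts at the top of the
    chain, emitting them after the DROP places them ahead of it.
    """
    lines = [f"ipset create {setname} hash:net -exist"]
    lines += [f"ipset add {setname} {net} -exist" for net in blocked]
    lines.append(f"iptables -I INPUT -m set --match-set {setname} src -j DROP")
    lines += [f"iptables -I INPUT -s {net} -j ACCEPT" for net in allowed]
    return lines


if __name__ == "__main__":
    blocked, allowed = build_blocklist(["CN"], allowlist=["203.0.113.200/32"])
    for probe in ("203.0.113.5", "203.0.113.200", "198.51.100.9"):
        print(probe, decision(probe, blocked, allowed))
    print("\n".join(ipset_rules(blocked, allowed)))
```

The two /25 entries collapse to a single /24 before loading, which keeps the set small, and the allowlisted partner address inside that /24 still gets through. Run the emitted lines on the firewall host only after reviewing them; as noted above, this kind of filter protects the servers behind the border, not the uplink in front of it.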