Web app attacks up 35%, Akamai uncovers a brand new threat

Akamai’s latest State of the Internet security report centers on the recent spate of DDoS (distributed denial of service) attacks spearheaded by the infamous Mirai botnet, which has tarnished the reputation of the IoT. The lines between the IoT and the entertainment technology industry are blurring, meaning that the 35% rise in web application attacks over the past year is a major cause for concern, even for our video-centric readers.

The world record Mirai botnet attack of October last year, which peaked at 1.5 Tbps, was a cold reminder that the IoT is closer to home than we think. While many focused on security concerns such as the hacking of autonomous vehicles, attackers were targeting everyday connected devices. Deutsche Telekom was the most notable operator to come under fire: an adapted form of the Mirai malware attempting to compromise its customers’ broadband routers knocked some 900,000 of them offline, and it won’t be the last major operator to fall victim.

Web applications, whether reached from a browser, a desktop client or a mobile app, are targeted through flaws in the application itself, such as SQL injection and other injection attacks, as well as through application-layer DDoS, and the result is frequently a data breach rather than mere downtime. Web application vectors are considered trickier to handle and can cause longer-lasting damage than the network outages that are the usual outcome of infrastructure-level DDoS attacks.

It comes as no surprise that the US maintained its position as the number-one target country for web application attacks during the first quarter of 2017, with Akamai registering a total of 221 million attacks against US targets in the quarter. The US is leagues ahead of Brazil in second place, which was the victim of 24.2 million web application attacks in the quarter, followed by the UK in third with 14.2 million.

Interestingly, the US saw a 9% fall in the volume of web application attacks compared to the previous quarter, while attacks in Brazil and the UK surged 46% and 30%, respectively.

The US was also, naturally, the top source country for web application attacks in the quarter, rising from 28% to 34% of attacks sourced, but the report notes that the volume of attack traffic that ostensibly originated from the Netherlands was a curious finding. The Netherlands came second with 12.7% of attacks sourced, and Akamai highlights that such a large proportion of attacks from a country of just 17 million people is a distinct anomaly. Source attribution here is by IP address, so it reflects where the attacking machines (or the proxies and cloud hosts in front of them) sit, not where the operators are.

Despite the huge scale of individual DDoS attacks over the past six months, and the widespread media attention that has accompanied them, Akamai found that the overall number of DDoS attacks actually decreased, whereas the amount of traffic in reflection attacks increased significantly.

Reflection attacks are much more difficult to trace back to the botnets that originate them, according to Akamai. The attacker sends small requests to open DNS, NTP and other UDP servers with the source address forged to be the victim’s, so the servers treat the requests as legitimate and send their replies, typically many times larger than the requests, to the victim. The victim sees only traffic from the reflecting servers, never from the bots themselves, and the attacker gets a surge of amplified traffic at the target for very little bandwidth of their own.

One revelation uncovered by Akamai in the last quarter was a new reflection attack vector using the Connectionless Lightweight Directory Access Protocol (CLDAP), LDAP carried over UDP on port 389 and commonly exposed by Windows domain controllers, which has been observed producing DDoS attacks comparable to DNS reflection, with most attacks exceeding 1 Gbps. Little is yet known about this fledgling attack vector, but Akamai has published a CLDAP DDoS threat advisory, following the detection and mitigation of 50 CLDAP reflection attacks since October 2016.
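The reflection mechanics above can be spotted from the victim’s side without knowing anything about the botnet. The following script is an added example, not code from Akamai’s report or its CLDAP advisory: it parses constructed NetFlow-style records and flags UDP flows whose source port belongs to a known reflector service (DNS, NTP, CLDAP, SSDP, memcached) and whose average packet size is far larger than a legitimate reply. The sample addresses, the flow format, the port list and the request sizes used for the rough amplification estimate are assumptions for illustration.

```python
"""Flag UDP reflection/amplification traffic in flow records (added example).

The records below are constructed for illustration; a real collector exports
similar fields (protocol, source/destination address and port, packets, bytes).
"""
from collections import defaultdict

# UDP services commonly abused as reflectors: source port -> service name.
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 389: "CLDAP", 1900: "SSDP", 11211: "memcached"}

# Rough, assumed on-the-wire size of the attacker's spoofed request per
# service, used only to estimate the amplification factor from reply size.
ASSUMED_REQUEST_BYTES = {53: 64, 123: 50, 389: 52, 1900: 90, 11211: 15}

# Constructed sample flows as seen at the victim's edge:
#   proto src_ip src_port dst_ip dst_port packets bytes
# 203.0.113.5 is the victim; 198.51.100.x are open reflectors.
SAMPLE_FLOWS = """\
udp 198.51.100.10 389 203.0.113.5 41234 400 1200000
udp 198.51.100.11 389 203.0.113.5 41234 380 1150000
udp 198.51.100.12 389 203.0.113.5 41234 410 1210000
udp 198.51.100.20 53 203.0.113.5 41234 300 900000
udp 192.0.2.7 41234 198.51.100.10 389 5 260
udp 198.51.100.30 53 192.0.2.50 51000 2 240
tcp 192.0.2.9 443 203.0.113.5 50000 50 60000
"""


def parse_flows(text):
    """Parse whitespace-separated flow records into dicts; skip blanks/comments."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        proto, src, sport, dst, dport, pkts, nbytes = line.split()
        flows.append({
            "proto": proto.lower(), "src": src, "sport": int(sport),
            "dst": dst, "dport": int(dport),
            "packets": int(pkts), "bytes": int(nbytes),
        })
    return flows


def detect_reflection(flows, min_avg_bytes=800):
    """Aggregate replies from reflector services per victim and flag the large ones.

    Legitimate DNS/NTP replies are small (roughly 100-300 bytes); reflection
    floods carry near-MTU-sized replies, so the average bytes per packet is
    the discriminator. Returns alerts sorted by total bytes, largest first.
    """
    agg = defaultdict(lambda: {"bytes": 0, "packets": 0, "reflectors": set()})
    for f in flows:
        # Only replies *from* a reflector service port are of interest; the
        # spoofed requests never pass the victim's edge, so we cannot see them.
        if f["proto"] != "udp" or f["sport"] not in REFLECTOR_PORTS:
            continue
        a = agg[(f["dst"], f["sport"])]
        a["bytes"] += f["bytes"]
        a["packets"] += f["packets"]
        a["reflectors"].add(f["src"])

    alerts = []
    for (victim, sport), a in agg.items():
        avg_pkt = a["bytes"] / a["packets"]
        if avg_pkt < min_avg_bytes:
            continue
        alerts.append({
            "victim": victim,
            "service": REFLECTOR_PORTS[sport],
            "port": sport,
            "reflectors": len(a["reflectors"]),   # servers seen, not bots
            "bytes": a["bytes"],
            "avg_pkt": round(avg_pkt, 1),
            "est_amplification": round(avg_pkt / ASSUMED_REQUEST_BYTES[sport], 1),
        })
    return sorted(alerts, key=lambda x: -x["bytes"])


if __name__ == "__main__":
    for alert in detect_reflection(parse_flows(SAMPLE_FLOWS)):
        print(f"{alert['victim']}: {alert['service']}/udp {alert['port']} "
              f"from {alert['reflectors']} reflector(s), {alert['bytes']} bytes, "
              f"avg {alert['avg_pkt']} B/pkt, ~{alert['est_amplification']}x")
```

Note what the output does and does not tell you: the reflector addresses (198.51.100.x) are real, reachable servers that can be rate-limited or reported to their owners, but the spoofing bots behind them never appear in the victim’s flows, which is exactly why Akamai describes reflection attacks as hard to trace. The small benign DNS reply to 192.0.2.50 stays below the size threshold and is not flagged.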

So-called mega attacks, those topping 100 Gbps, will continue to rise and have an outsized impact on DDoS trends in the coming years, states the report. A mega attack might sound daunting, but Akamai reminds readers that such large-scale attacks are outliers; they represent the upper limit businesses must be prepared to defend against, not the typical attack.

The report suggests that one way for enterprises to eliminate weaknesses within the business is to enforce a no-BYOD (bring your own device) policy, dubbed “BYODon’t.” Unmanaged personal devices raise the security risk, with a multitude of potentially vulnerable devices entering a building, from mobiles to wearables or even the connected coffee machine, but BYODon’t is becoming much harder to implement when both the endpoints and the resources that employees are accessing sit outside the corporate perimeter.

Guest author of the report, Wendy Nather, Principal Security Strategist at Duo Security, commented, “Our interaction with the internet has evolved to anytime, anywhere, using any device and software, for any purpose. That means that enterprises have to address the security issues in ways that don’t rely exclusively on traditional boundaries (“our network,” “our software,” “our hardware”). And they have to be able to distinguish business data from personal data, which were created at the same time of day, in the same location, using the same applications, and stored in the same formats on the same hardware and services. Users expect a seamless experience that doesn’t require them to sacrifice a chicken every time they switch between corporate and personal contexts – and they deserve one.”