[Q2 2015]

akamai.com

= malicious activity: key trends

In both Q1 and Q2 of 2015, the number of DDoS attacks

recorded hit a new record
For the last three quarters, year-over-year DDoS activity has
doubled
Since Q2 of 2014, the profile of the typical attack has shifted
from high-bandwidth, short-duration attacks to less powerful,
longer duration attacks
Mega attacks are getting larger and more frequent
The largest attack measured 249 Gbps
Five attacks in Q2 2015 peaked at over 50 Mpps

SYN and Simple Service Discovery Protocol (SSDP) were the

most common attack vectors
Though infrastructure attacks are most common, application
layer DDoS attacks continue to grow rapidly
2 / [The State of the Internet] / Security (Q1 2015)

= major DDoS statistical trends

Dramatic increase in DDoS attack frequency

Compared to Q2 2014, a 132% increase in total DDoS attacks

Longer, less powerful attacks persist

Average peak volume of attacks decreased by 77% percent compared to
Q2 2014
Average peak bandwidth decreased 11%
Average attack duration increased 19%

Mega attacks double year-over-year

Q2 2014 saw 6 attacks exceeding 100 Gbps
12 attacks in Q2 2015 exceeded 100 Gbps

3 / [The State of the Internet] / Security (Q1 2015)

= DDoS attack makeup

Infrastructure-layer attacks dominated DDoS methodologies,

accounting for 90% of all recorded attacks:
SYN floods were the most common attack vector, at 16% of
all DDoS Attacks
SYN floods played a significant role in mega attacks
Largely due to the rise of SSDP attacks, the percentage of SYN floods has
declined since Q2 2014, when it was 26%

SSDP attacks were just under 16% of total DDoS attacks

Slight decline from Q1 2015, when SSDP attacks were 21% of total
SSDP attacks are more difficult to mitigate because they often use
unsecured, home-based Internet devices

Most-common application-layer attack was HTTP GET ,

accounting for 7.5% of DDoS activity, consistent with Q1 2015
and Q4 2014 observations
4 / [The State of the Internet] / Security (Q1 2015)

= mega attacks in Q2 2015

In Q2 2015, 12 DDoS attacks registered more than 100 Gbps

The largest attack measured 249 Gbps, a significant increase from the
largest (170 Gbps) attack of Q1 2015
Gaming sites were the primary target of the attacks
Two of 12 mega attacks target gaming sites directly
The 10 attacks recorded against Internet and telecom were actually
targeting gaming sites hosted on the customer network

50+ Mpps attacks threatened significant damage in Q2

Attacks of this volume can exhaust ternary content addressable memory
(TCAM) resources and take out tier 1 routers, such as those used by Internet
service providers (ISPs)
A 214 Mpps attack on June 12 was one of the three largest DDoS
attacks ever recorded across the Prolexic Routed network

Attack was based on a UDP flood with 1-byte packets

Generated 70 Gbps of attack traffic
7 / [The State of the Internet] / Security (Q1 2015)

= mega attacks in Q2 2015 >100 Gbps

= targeted industries

Gaming has been the most targeted industry since Q2 2014

Online gaming networks suffered 35% of DDoS attacks, as in Q1 2015

Software and Technology, including Software-as-a-Service

and cloud-based technologies, was the second most
common target
Suffered 28% of attacks, a slight increase of 2% from Q1 2015

Internet and Telecoms suffered 13%

Slight decrease of 1% from last quarter

Media and Entertainment surpassed Financial Services

Attacks on media and entertainment businesses increased by 2 percent.

5 / [The State of the Internet] / Security (Q1 2015)

= source countries

China remained the leading source of non-spoofed DDoS

attack traffic
Accounted for 37% of DDoS traffic, up from 23% last quarter

US rose to second place

18% of recorded DDoS traffic originated from the US
A shift from Q2 2014, when the US was the number one source at 20%

UK was the third most common source country

Accounted 10% of DDoS traffic
In Q2 2014, the UK was not in the top 10

Decreases in percentages do not represent a drop in DDoS

traffic from these countries
DDoS traffic sources have increasingly diversified other countries are
producing more DDoS traffic, rather than the US producing less
6 / [The State of the Internet] / Security (Q1 2015)

= Q1 2015 State of the Internet Security Report

Download the Q2 2015 State of the Internet Security Report

The Q2 2015 report covers:

Analysis of DDoS web application attack trends

Bandwidth (Gbps) and volume (Mpps) statistics
Year-over-year and quarter-by-quarter analysis
Attack frequency, size, types and sources
Multi-vector mega attacks leveraging UPD and SYN floods
Dangers of third-party WordPress plugins and themes
Analysis of the Onion Router (Tor) project risks
Threat advisories issued in Q2 2015, including OurMine Team and RIPv1

9 / [The State of the Internet] / Security (Q1 2015)

= about stateoftheinternet.com

StateoftheInternet.com, brought to you by Akamai,

serves as the home for content and information intended to
provide an informed view into online connectivity and
cybersecurity trends as well as related metrics, including
Internet connection speeds, broadband adoption, mobile
usage, outages, and cyber-attacks and threats.

Visitors to www.stateoftheinternet.com can find current and

archived versions of Akamais State of the Internet
(Connectivity and Security) reports, the companys data
visualizations, and other resources designed to put context
around the ever-changing Internet landscape.

10 / [The State of the Internet] / Security (Q1 2015)