Akamai's State of the Internet / Security Q1 2017 Report, Volume 4 / Number 1

AT A GLANCE

Web application attacks, Q1 2017 vs. Q1 2016
- 35% increase in total web application attacks
- 57% increase in attacks sourcing from the U.S. (current top source country)
- 28% increase in SQLi attacks

Web application attacks, Q1 2017 vs. Q4 2016
- 2% decrease in total web application attacks
- 20% increase in attacks sourcing from the U.S. (still top source country)
- 15% decrease in SQLi attacks

DDoS attacks, Q1 2017 vs. Q1 2016
- 30% decrease in total DDoS attacks
- 28% decrease in infrastructure layer (layers 3

New tools used by attackers follow a similar cycle of hype and integration. However, DDoS technology acceptance often proceeds at a much faster pace than consumer technologies, as there is much less resistance to change within the relatively small community of malicious actors. As shown over the last half year, the Mirai botnet is an example of a disruptive technology working its way through the cycle. The development of Mirai happened quietly behind the scenes, while the first round of DDoS attacks was startling in its size and capability. The botnet's capabilities quickly moved into a stage where contention for Internet of Things (IoT) devices reduced the size of attacks considerably. While many of the largest DDoS attacks observed this quarter were still based on Mirai-derived botnets, they were not as large as the initial attacks. What follows is the integration of IoT as another part of the fabric of DDoS botnets and malware.

As we discussed in last quarter's report, there were long-term consequences to the release of Mirai. First, competitive forces drove botnet herders to keep up with Mirai's technology or risk losing market share. The creators of other botnets are working to generate comparably sized attacks. Secondly, other botnet families, such as BillGates, started adding new features, some taken directly from leaked Mirai source code. Meanwhile, Mirai has continued to splinter and evolve. There is now a variant which infects Windows systems, not to recruit them as attack nodes for the botnet, but to further expand the botnet by scanning for and infecting Linux devices.

This quarter's Attack Spotlight includes our research into one of the Mirai DDoS tools used against financial services organizations. Called "DNS Water Torture" in Mirai's code, this DNS query flood generates relatively limited volumes of traffic, but can create denial of service outages by consuming the target domain's resources: its name servers are forced to look up great numbers of randomly generated names under the target's domain. Each query ties up memory and processor cycles, preventing the target from processing legitimate traffic.

We also observed a new reflection attack vector, Connectionless Lightweight Directory Access Protocol (CLDAP). At this point, the protocol has not been a significant source of attack traffic, but the lack of contention for the resource could change its popularity. A link to the threat advisory is provided in Cloud Security Resources.

We are pleased to host a guest author this quarter: Wendy Nather, Principal Security Strategist at Duo Security. See what she has to say about the challenges of managing corporate security, given the current state of the Internet.

The contributors to the State of the Internet / Security Report include security professionals from across Akamai, including the Security Intelligence Response Team (SIRT), the Threat Research Unit, Information Security, and the Custom Analytics group.

Martin McKeay, Senior Editor and Akamai Sr. Security Advocate

If you have comments, questions, or suggestions regarding the State of the Internet / Security Report, connect with us via email at SOTIS. You can also interact with us in the State of the Internet / Security subspace on the Akamai Community at . For additional security research publications, please visit us
at

The views of Ms. Nather are her own and do not necessarily reflect the opinions or perspectives of Akamai.

GUEST AUTHOR / WENDY NATHER
Wendy Nather, Principal Security Strategist, Duo Security

The state of the Internet is complicated, as always. Consider these changes over the past decade:

Corporate and Consumer Use Are Intertwined / It used to be that you went to work in the office, used corporate software, and then went home and used completely different software on your home computer. Now, more often than not, you've got a corporate login and a personal login with the same SaaS provider and you're using the same apps on your phone (Gmail, Dropbox, LastPass, etc.). Unless you're working in a strictly segmented environment, the expectation is that you'll be using applications for both purposes and alternating at the drop of a hat, regardless of which network you're currently connecting to.

BYODon't / Some organizations have embraced the use of personal devices, and others haven't, but it's becoming harder to enforce a "no BYOD" policy when both the endpoint and the resources they're accessing are outside of the corporate perimeter. Unmanaged personal devices raise the specter of risks ranging from unpatched vulnerabilities to e-discovery requirements that include searching your employees' phones. And that's not even counting wearables and other Things.

Password Policies / Remember when you only had a dozen usernames and passwords? Yeah, neither do I, and here we are. A typical online user could have literally hundreds of online accounts, some of which predate today's password managers. Under pressure from bulk credential theft and compliance requirements, every system owner is being driven to require longer, more complicated and unique passwords. But the days of password rules such as "upper and lower case, one number, one special character, two emojis, and a squirrel noise" are going to come to an end; users are going to push back as soon as the absurdity becomes clear. Ubiquitous, consistent, and usable password managers are going to have to evolve into an application interface to shield everyday people from the malignant growth of complex passwords.

To Sum Up / Our interaction with the Internet has evolved to "anytime, anywhere, using any device and software, for any purpose." That means that enterprises have to address the security issues in ways that don't rely exclusively on traditional boundaries ("our network," "our software," "our hardware"). And they have to be able to distinguish business data from personal data, which were created at the same time of day, in the same location, using the same applications, and stored in the same formats on the same hardware and services. Users expect a seamless experience that doesn't require them to sacrifice a chicken every time they switch between corporate and personal contexts, and they deserve one.

The identity is the new boundary, together with the context. When you log into Gmail with your personal credentials, you're in charge of the security requirements you set for accessing your data; when you use your corporate credentials to log in, your employer has to specify what's required to access business data, such as the combination of username, password, other authentication factors, and managed device. It's the same service, the same software, and the same person, but there are different stakeholders based on the ownership of the data. Adapting to this new boundary, Google built a framework for their internal use and dubbed it BeyondCorp; whether they're calling it "zero-trust" or "perimeterless," many organizations are looking to adopt it in their own ways. The important point is that the security shouldn't rely solely on the traditional perimeter, and should accommodate the needs of both the user and the enterprise. Putting the user on equal footing with the data owner is a welcome trend, and it's one that holds great promise for the ongoing challenge of securing the Internet.

TABLE OF CONTENTS
1 SECTION 1 = EMERGING TRENDS
3 SECTION 2 = DDoS ACTIVITY
3 2.1 / DDoS Attack Vectors
5 2.2 / Mega Attacks
5 2.3 / Attack Spotlight: Mirai DNS Water Torture Attack Summary
10 2.4 / Reflection Attacks
14 SECTION 3 = WEB APPLICATION ATTACK ACTIVITY
14 3.1 / Web Application Attack Vectors
15 3.2 / Top 10 Source Countries
16 3.3 / Top 10 Target Countries
17 SECTION 4 = LOOKING FORWARD
19 SECTION 5 = CLOUD SECURITY RESOURCES
19 5.1 / CLDAP DDoS Threat Advisory
20 SECTION 6 = BACKMATTER

SECTION 1 EMERGING TRENDS

The median size of DDoS attacks has fallen steadily since the beginning of 2015. At the beginning of 2015, the median DDoS attack size was 4 Gbps. Two years later, at the beginning of 2017, the median attack size was just over 500 Mbps. That is not to say huge attacks aren't happening; mega attacks topping 100 Gbps occur every quarter, but half of all attacks are between 250 Mbps and 1.25 Gbps in size. Even these smaller attacks can harm unprepared organizations.

Web application attacks shifted subtly towards the U.S. this quarter, both as a source and as a target. This type of attack is important not because of its size, but because it attacks the underlying fabric of sites, either tying up resources or pulling information from the database powering sites.

The impact of IoT devices and dozens of attacks from the Mirai botnets since last September has had a strong practical
effect on the security needs of organizations. The mega attacks are outliers that represent the limits enterprises must be prepared to defend against. However, the overwhelming number of smaller attacks means that these mega attacks have little impact on the trend lines that define the median attack size, which is a better indicator of what an organization is most likely to see. The majority of attacks are still small relative to the largest Mirai attacks, but they don't need to be big to be effective. If we consider
that many businesses lease uplinks to the Internet in the range of 1-10 Gbps, any attack exceeding 10 Gbps could be "big enough" and more than capable of taking the average unprotected business offline.

At the same time, the effects of IoT are not to be underestimated, and the IoT ecosystem has drawn the attention of a wider audience. A recent example is malware that compromises Internet-enabled toasters to mine Bitcoins[1], an effort that appears to have been an ineffective proof of concept. Another trend is represented by the BrickerBot botnet, which attacks systems exposed directly to the Internet with default Telnet passwords, apparently in an attempt to prevent their use by the Mirai botnet. If this botnet is unable to disconnect the target device from the Internet, it corrupts the configuration, permanently bricking the device[2]. Neither of these examples is a major threat, but they do show a significant increase in attention from both the hacker and security communities.

There is one factor that seems to be affecting the DDoS landscape as a whole: law enforcement. Early attacks by the Mirai botnets appear to have been triggered by the announcement of the arrests of two teens in
Israel who were responsible for the vDos botnet[3], a DDoS-for-hire tool that netted them hundreds of thousands of dollars. More recently, Europol coordinated the arrest of 34 individuals across 13 countries as part of an effort called Operation Tarpit[4]. Operations like Tarpit target the largest services responsible for DDoS attacks directed at banks, gaming companies, and retailers. This can have a significant effect in reducing the number of attacks on these organizations.

Despite the overall reduction in volumetric DDoS attacks, Akamai has seen a significant increase in the amount of traffic in reflection attacks. Taking advantage of the nature of DNS, NTP, and other protocols, attackers make seemingly legitimate requests of servers, causing them to spew traffic at the attacker's true target. Akamai recently released a threat advisory about a new DDoS reflection source, CLDAP[5]. Reflection attacks are much more difficult to track back to the botnets that originate the attacks.

In all likelihood, DDoS attacks will increase in size and frequency. We anticipate more frequent small-scale attacks, but the largest attacks will almost certainly continue to grow. As previously noted,
we expect mega attacks to continue to have an outsized impact on DDoS trends in the coming years.

SECTION 2 DDoS ACTIVITY

2.1 / DDoS Attack Vectors / As the research team dove into early 2017 data, we first examined infrastructure-related attack data. Invariably, infrastructure attacks are the largest component of our quarterly volumetric attack data. In Q1, these attacks accounted for roughly 99% of the overall attack traffic. That's likely because it's trivial for an attacker to launch a volumetric attack in comparison to the technical understanding needed to make effective use of application layer tools. Application layer DDoS attacks such as GET, PUSH, and POST floods remained a small component of the overall DDoS attack landscape. Two years ago, in Q1 2015, application layer DDoS attacks accounted for 9% of all attacks. In Q1 this year, only 0.6% of DDoS attacks targeted the application layer. Most application layer attacks aren't designed for denial of service.

The top four infrastructure DDoS related attacks were the same as in recent quarters. UDP fragments, DNS floods, NTP floods, and CHARGEN attacks dominated, as shown in Figure 2-1. UDP fragment, NTP, and CHARGEN rose compared to the previous quarter, while DNS attack traffic fell slightly from 21% to 20%. Organizations can keep their servers from participating in these DDoS attacks if they ensure that services such as CHARGEN and NTP are either
not accessible from the Internet or are patched. Older NTP daemons, as an example, send large amounts of reflected traffic at the intended attack target in response to relatively small illegitimate requests from attackers. This traffic amplification factor is one reason why attackers continue to use NTP reflection even as fewer and fewer unpatched NTP servers remain on the Internet. One easy fix is to confirm that the NTP daemons running in your environment are well patched. No defender wants to make the job of an attacker easier. DDoS attacks are an ever-present danger, and it's important that defenders make sure that they are practicing proper security hygiene to avoid inadvertently participating in attacks. It is essential to ensure that services such as CHARGEN and NTP are patched and firewalled off where they are not required to be available to the wider Internet.

Figure 2-1: Infrastructure DDoS Attacks, Total Percentage
UDP 7.06%
DNS 20%
SNMP 1.76%
NTP 15%
SYN 3.50%
SSDP 6.52%
ACK 1.23%
CHARGEN 11%
UDP Fragment 29%
RIP 1.04%
Other 3.36%

Application DDoS Attacks, Total Percentage
GET 0.38%
PUSH 0.13%
POST 0.06%

Also shown: TCP Anomaly (0.72%), TFTP (0.66%), CLDAP (0.60%), RPC (0.50%), IC
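The reflection pattern described in Section 1 (small requests carrying a spoofed source, large answers sent at the true target) and the "avoid inadvertently participating" advice of Section 2.1 can be checked from a defender's own flow records. The following is an added example, not code from the Akamai report: given constructed flow tuples, it flags servers in our network whose DNS, NTP, CHARGEN or CLDAP ports send far more bytes to a peer than that peer ever sent us. The 10.0.0.x server range, the flow-record layout and the thresholds are assumptions.

```python
from collections import defaultdict

# UDP services the report names as reflection sources, keyed by port.
REFLECTION_PORTS = {53: "DNS", 123: "NTP", 19: "CHARGEN", 389: "CLDAP"}
OUR_PREFIX = "10.0.0."  # assumption: the address range of our own servers

# Constructed flow records (src_ip, src_port, dst_ip, dst_port, bytes);
# illustrative only, not data from the report.
FLOWS = [
    # Normal NTP client/server exchange: tiny and roughly symmetric.
    ("198.51.100.7", 40000, "10.0.0.5", 123, 48),
    ("10.0.0.5", 123, "198.51.100.7", 40000, 48),
    # Reflection: requests arrive with the victim 203.0.113.9 as (spoofed)
    # source, and our NTP server answers the victim with far more bytes.
    ("203.0.113.9", 51234, "10.0.0.5", 123, 234),
    ("10.0.0.5", 123, "203.0.113.9", 51234, 112_000),
    ("203.0.113.9", 51235, "10.0.0.5", 123, 234),
    ("10.0.0.5", 123, "203.0.113.9", 51235, 112_000),
    # Ordinary DNS: 70-byte query, 300-byte answer, ratio well under 10.
    ("198.51.100.7", 53555, "10.0.0.53", 53, 70),
    ("10.0.0.53", 53, "198.51.100.7", 53555, 300),
    # CHARGEN flood toward another victim with no inbound bytes at all.
    ("10.0.0.9", 19, "192.0.2.44", 60000, 80_000),
]


def find_reflectors(flows, ratio_threshold=10.0, min_out_bytes=50_000):
    """Return {(server, service, peer): amplification_ratio} for peers that
    receive far more bytes from one of our reflection-prone service ports
    than they sent to it. Thresholds are assumptions; tune to your baseline."""
    out_bytes = defaultdict(int)  # (server, port, peer) -> bytes we sent
    in_bytes = defaultdict(int)   # (server, port, peer) -> bytes received
    for src, sport, dst, dport, nbytes in flows:
        if src.startswith(OUR_PREFIX) and sport in REFLECTION_PORTS:
            out_bytes[(src, sport, dst)] += nbytes
        elif dst.startswith(OUR_PREFIX) and dport in REFLECTION_PORTS:
            in_bytes[(dst, dport, src)] += nbytes
    suspects = {}
    for key, sent in out_bytes.items():
        if sent < min_out_bytes:
            continue  # too little outbound traffic to matter
        received = in_bytes.get(key, 0)
        # A peer that sent nothing yet receives a flood is the clearest sign
        # of spoofed requests; treat its ratio as unbounded.
        ratio = sent / received if received else float("inf")
        if ratio >= ratio_threshold:
            server, port, peer = key
            suspects[(server, REFLECTION_PORTS[port], peer)] = round(ratio, 1)
    return suspects
```

Calling find_reflectors(FLOWS) yields the NTP server answering 203.0.113.9 at roughly 479x and the CHARGEN host with an unbounded ratio, while the legitimate NTP and DNS exchanges stay below both thresholds.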
49、that defenders make sure that they are practicing proper security hygiene to avoid inadvertently participating in attacks. It is essential to ensure that services such as chargen and ntp are patched and firewalled off where they are not required to be available to the wider Internet. Infrastructure DDoS Attacks Total Percentage UDP7.06% DNS20% SNMP1.76% NTP15% SYN3.50% SSDP6.52% ACK1.23% CHARGEN11% UDP Fragment 29% RIP1.04% Other3.36% Application DDoS Attacks Total Percentage GET0.38% PUSH0.13% POST0.06% TCP Anomaly (0.72%) TFTP (0.66%) CLDAP (0.60%) RPC (0.50%) IC