Akamai: The Internet's aging protocols make juicy targets

The latest wave of Internet attacks doesn't merely involve exploits like cross-site scripting; they also leverage aging protocols with enough volume to jam backbone routers

According to Akamai's Q2 2015 "State of the Internet -- Security" report, built from data harvested across Akamai's networks, DDoS attacks continue to rise -- and attackers continue to change their games in surprising ways.

Among the trends singled out in the report: Attacks are not only getting bigger in terms of total traffic, but are more aggressively exploiting limitations in older protocols ("infrastructure layer" attacks), and they're happening at a large enough scale that even Internet backbone hardware is at risk of being routinely gummed up.

Infrastructure attacks involve abusing limitations in existing protocols to flood victims with spurious data requests. Three of the protocols in the report showing an uptick in activity -- RIPv1, CHARGEN, and NTP -- are older or outright obsolete protocols. While the Linux Foundation is spearheading attempts to fix these protocols, such repairs don't come on short notice.

What's more, DDoS attacks are reaching the point where they are threatening to routinely cripple Internet border edge routers by their sheer size and volume alone. "Attack campaigns [of 50 megapackets per second or more] can exhaust ternary content addressable memory (TCAM) resources in border edge routers, such as those used by Internet service providers.... This can then result in collateral damage across the ISP’s network, which can manage production traffic for hundreds or thousands of organizations."

The most common infrastructure attacks, SSDP and SYN flooding, are typically launched by exploiting "unsecured in-home consumer devices," such as broadband routers. Those devices often remain unpatched or unreplaced for long periods of time, making these attacks all the easier to kick off.

Akamai also tracks application-layer attacks: SQL injection, cross-site scripting, local file inclusion, and remote file inclusion. They aren't new in themselves, but the picture of which ones were being deployed changed after Akamai altered its analysis, adding cross-site scripting and Shellshock attacks to the roundup. Shellshock attacks made up more than 90 percent of the attacks launched via HTTPS in the first part of Q2, although that share later dropped off drastically to less than 10 percent. (SQL injections and local and remote file inclusions remain the big attack vectors across HTTP and HTTPS alike.)

The more broadly used the application, the more likely it is to be an attack victim or vector. To that end, the blogging/CMS engine WordPress (said to power 25 percent of the entire Web) earned its own section of the report. There, Akamai singled out minimally vetted third-party plug-ins as the culprit; while WordPress plug-ins are vetted on initial submission, they aren't vetted as stringently later on. "Your secure plug-in of today," stated the report, "could be your attacker’s plug-in of choice when the plug-in is updated in six months."
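The report's point about plug-ins is that a one-time vetting says nothing about what a later update ships. One defender-side response is to record a hash manifest of a plug-in before an update and diff it afterwards, so the changed files are the ones that get reviewed. The following is an added example, not code from Akamai, WordPress or the report; the plug-in tree, its file names and the "update" are all constructed in a temporary directory, and `example-plugin` is a hypothetical name.

```python
"""Show which files a plug-in update actually changed, via a SHA-256 manifest.

Added example (not from the article or any project). The plug-in directory,
its contents and the simulated update are constructed inside a temp dir.
"""
import hashlib
import os
import tempfile


def build_manifest(root):
    """Map each file under root (relative path, '/'-separated) to its SHA-256."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                manifest[rel] = hashlib.sha256(fh.read()).hexdigest()
    return manifest


def diff_manifest(before, after):
    """Return the added, removed and modified paths between two manifests."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    modified = sorted(p for p in before.keys() & after.keys() if before[p] != after[p])
    return {"added": added, "removed": removed, "modified": modified}


def _write(root, rel, content):
    """Helper: write a text file under root, creating directories as needed."""
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(content)


def demo():
    """Construct a hypothetical plug-in, apply a simulated update, report the diff."""
    with tempfile.TemporaryDirectory() as root:
        plugin = os.path.join(root, "example-plugin")  # hypothetical plug-in name
        _write(plugin, "example-plugin.php", "<?php // version 1.0\n")
        _write(plugin, "includes/helper.php", "<?php function helper() {}\n")
        before = build_manifest(plugin)

        # Simulated update: version bump, a rewritten helper and one new file.
        _write(plugin, "example-plugin.php", "<?php // version 1.1\n")
        _write(plugin, "includes/helper.php", "<?php function helper() { return 1; }\n")
        _write(plugin, "includes/new-feature.php", "<?php // new in 1.1\n")
        after = build_manifest(plugin)

        return diff_manifest(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In a real deployment the "before" manifest is stored outside the web root (an update that can edit its own manifest proves nothing), and the review focuses on the `added` and `modified` lists; an unchanged file keeps whatever trust it earned at the earlier review.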

When it comes to mitigating attacks that use older protocols, Akamai is of the opinion that the best defense will come from the ISP's side, and not from the end user or the enterprise, but that isn't always easy to implement. "An ISP could globally filter any unnecessary services that could potentially be exploited," said David Fernandez of Akamai's PLXsert, in an email, referring to SSDP reflection attacks as an example. "SYN floods are traditionally the most popularly used attack vector by malicious attackers and require a more dedicated mitigation strategy."
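The two infrastructure-layer patterns the article describes, reflected traffic from old UDP services (CHARGEN, NTP, RIPv1, SSDP) and SYN floods, look quite different in flow data, and the ISP-side filtering Fernandez mentions needs a list of which service ports are actually involved. The script below is an added example written for this article, not code from Akamai or the report: it classifies a handful of constructed NetFlow-style records by reflector source port, flags listeners that receive mostly bare SYNs, and lists the source ports an upstream filter would have to cover. The record format, the thresholds and every IP address are assumptions for the demonstration.

```python
"""Classify flow records for reflection and SYN-flood patterns.

Added example (not from the Akamai report or the article). FLOWS is a
constructed sample in a NetFlow-like tuple layout; in practice you would
feed exported flow records from the border router.
"""
from collections import defaultdict

# Well-known service ports of the reflector protocols the article names.
REFLECTOR_PORTS = {19: "CHARGEN", 123: "NTP", 520: "RIPv1", 1900: "SSDP"}

# Constructed records: (proto, src_ip, src_port, dst_ip, dst_port, packets, bytes, tcp_flags)
FLOWS = [
    ("udp", "203.0.113.10", 1900, "198.51.100.5", 40211, 500, 640000, ""),
    ("udp", "203.0.113.11", 1900, "198.51.100.5", 40211, 480, 610000, ""),
    ("udp", "203.0.113.12", 123, "198.51.100.5", 40211, 300, 140000, ""),
    ("udp", "192.0.2.7", 53, "198.51.100.5", 51000, 2, 400, ""),          # ordinary DNS answer
    ("udp", "203.0.113.40", 123, "198.51.100.77", 123, 4, 360, ""),       # ordinary NTP sync
    ("tcp", "192.0.2.20", 44000, "198.51.100.9", 443, 1000, 60000, "S"),
    ("tcp", "192.0.2.21", 44001, "198.51.100.9", 443, 1000, 60000, "S"),
    ("tcp", "192.0.2.30", 44002, "198.51.100.9", 443, 10, 8000, "SA"),
]


def reflection_report(flows, min_packets=100):
    """Group UDP traffic whose *source* port is a reflector service, per victim.

    Each victim/protocol pair gets packet and byte totals, the number of
    distinct reflector IPs and the average packet size (amplified answers are
    large). Pairs below min_packets are dropped so normal NTP/SSDP use is not
    reported.
    """
    acc = defaultdict(lambda: defaultdict(lambda: {"packets": 0, "bytes": 0, "sources": set()}))
    for proto, src_ip, src_port, dst_ip, _dst_port, packets, nbytes, _flags in flows:
        if proto != "udp" or src_port not in REFLECTOR_PORTS:
            continue
        entry = acc[dst_ip][REFLECTOR_PORTS[src_port]]
        entry["packets"] += packets
        entry["bytes"] += nbytes
        entry["sources"].add(src_ip)

    report = {}
    for dst_ip, per_proto in acc.items():
        kept = {}
        for name, e in per_proto.items():
            if e["packets"] >= min_packets:
                kept[name] = {"packets": e["packets"], "bytes": e["bytes"],
                              "sources": len(e["sources"]),
                              "avg_pkt_bytes": e["bytes"] // e["packets"]}
        if kept:
            report[dst_ip] = kept
    return report


def syn_flood_suspects(flows, min_syn_only=1000, ratio=0.9):
    """Flag TCP listeners where bare-SYN packets dominate the traffic they receive.

    Completed handshakes carry more than a lone SYN per flow, so a listener
    whose packets are almost all bare SYNs is being flooded with half-open
    connections.
    """
    stats = defaultdict(lambda: {"syn_only": 0, "total": 0})
    for proto, _src_ip, _src_port, dst_ip, dst_port, packets, _nbytes, flags in flows:
        if proto != "tcp":
            continue
        stats[(dst_ip, dst_port)]["total"] += packets
        if flags == "S":
            stats[(dst_ip, dst_port)]["syn_only"] += packets

    suspects = {}
    for key, s in stats.items():
        share = s["syn_only"] / s["total"]
        if s["syn_only"] >= min_syn_only and share >= ratio:
            suspects[key] = {"syn_only": s["syn_only"], "total": s["total"], "ratio": round(share, 3)}
    return suspects


def reflector_ports_to_filter(report):
    """Source ports an upstream (ISP-side) filter would need to cover for these victims."""
    port_of = {name: port for port, name in REFLECTOR_PORTS.items()}
    return sorted({port_of[name] for per_proto in report.values() for name in per_proto})


if __name__ == "__main__":
    rep = reflection_report(FLOWS)
    for victim, per_proto in rep.items():
        for name, e in per_proto.items():
            print(f"{victim}: {name} {e['packets']} pkts from {e['sources']} reflectors, "
                  f"avg {e['avg_pkt_bytes']} B/pkt")
    print("SYN-flood suspects:", syn_flood_suspects(FLOWS))
    print("reflector source ports to filter upstream:", reflector_ports_to_filter(rep))
```

The two heuristics differ in where they can be applied: the reflector report identifies services an upstream provider could rate-limit or filter by source port, whereas the SYN-flood check only tells you a listener is under pressure, which is why the article quotes Akamai as saying SYN floods need a more dedicated mitigation strategy than port filtering.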

[Edited to add comments from Akamai.]

Copyright © 2015 IDG Communications, Inc.
