The number of DDoS attacks is decreasing, according to the Akamai Q1 2017 State of the Internet/Security Report, but high numbers of web application attacks and evolving botnets show that this change is not necessarily for the better.
Data gathered from the Akamai Intelligent Platform shows that the total number of DDoS attacks in Q1 2017 was down 17 percent from Q4 2016, and down 30 percent from Q1 2016. There were only two attacks greater than 100 Gbps in the quarter, down from 12 the previous quarter and 19 a year earlier, and the numbers of infrastructure layer (layers 3 and 4) attacks and reflection-based attacks decreased similarly. Reflection attacks still represented 57 percent of all mitigated attacks in the quarter, however.
In Q1, Akamai observed a DNS query flood capability included in Mirai malware, which it calls “DNS Water Torture Attacks,” being used against customers in the financial services industry. The report provides details of the attack, and advises that “DDoS protection should take DNS load distribution into account.”
“If our analysis of Q1 tells us anything, it’s that risks to the Internet and to targeted industry sectors remain and continue to evolve,” Martin McKeay, senior security advocate and senior editor, State of the Internet / Security Report, said in a statement. “Use cases for botnets like Mirai have continued to advance and change, with attackers increasingly integrating Internet of Things vulnerabilities into the fabric of DDoS botnets and malware. It’s short-sighted to think of Mirai as the only threat, though. With the release of the source code, any aspect of Mirai could be incorporated into other botnets. Even without adding Mirai’s capabilities, there is evidence that botnet families like BillGates, elknot, and XOR have been mutating to take advantage of the changing landscape.”
Though web application attacks decreased by 2 percent from Q4 2016, they were up 35 percent from Q1 2016, with SQLi, LFI, and XSS the most common web application attack vectors. Web application attacks originating from the U.S. increased by 57 percent from a year earlier, while attacks from the Netherlands fell 4 percent from the previous quarter to 13 percent, which is still disproportionately high and the second most of any country.
The lower number of DDoS attacks may have contributed to relatively high uptime for top sites in the quarter, as measured by CloudEndure. That will be small consolation, however, to the thousands of businesses and consumers affected by the recent explosion of ransomware.