Q4 2014 spotlight lizard squad presentation

akamai.com [Q4 2014]

Transcript of Q4 2014 spotlight lizard squad presentation

Page 1: Q4 2014 spotlight lizard squad presentation


Page 2: Q4 2014 spotlight lizard squad presentation

= spotlight: TCP flag DDoS attacks

• A group claiming to be Lizard Squad has engaged in an ongoing attack campaign against an Akamai customer

• The attack vector and the events surrounding this attack campaign indicate the ongoing development of DDoS attack tools

• Although it was not a record-breaking attack, it was large, peaking at 131 Gigabits per second (Gbps) and 44 Million packets per second (Mpps)

• An attack of this level would slow or cause an outage in most corporate infrastructures

• The attacks occurred in August and December 2014

2 / [state of the internet] / threat advisory

Page 3: Q4 2014 spotlight lizard squad presentation

= SYN with a side of everything

• The TCP-based attack was packed with TCP flags

• One packet exhibited the greatest number of simultaneous flags set of all the packets: only the ACK flag was missing

• In the order in which they appear in the flag notation [FSRPUEW], the flags included FIN, SYN, RST, PSH, URG, ECN, and CWR (ACK, which would sit between PSH and URG, was the one flag not set)

• Such a flag-filled packet is commonly called a Christmas tree packet

Page 4: Q4 2014 spotlight lizard squad presentation

= christmas tree packets

• Christmas tree packets are almost always suspicious: no legitimate TCP stack sets SYN together with FIN or RST

• They take more processing on the receiving host than usual packets

• As a result, they are commonly used in denial of service attacks

• The TCP-based attack was packed with TCP flags, using all but one TCP flag

• Christmas tree packets are also used in reconnaissance to probe system response (nmap's Xmas scan, for example, sets FIN, PSH and URG and watches which hosts answer with a RST)


Page 5: Q4 2014 spotlight lizard squad presentation

= statistics for the three campaigns


Page 6: Q4 2014 spotlight lizard squad presentation

= new attack tool?

• Some differences were present between the three attack campaigns

• The December attack executed like a SYN flood

• There was a significant increase in volume from the earlier attacks

• The increased attack strength suggests new attack tool development

• The expansion and sophistication of the third attack may indicate new resources from the DDoS-for-hire underground


Page 7: Q4 2014 spotlight lizard squad presentation

= third attack may have been a different attacker

• Although Lizard Squad claimed responsibility for the attacks, differences in the third attack campaign prompt speculation about a new attacker

• The first two attack campaigns did not produce even half of the volume of the third attack campaign

• Although the first two attacks included a UDP flood, the third campaign did not make use of the UDP flood attack vector

• The third campaign targeted random hosts in a specific /24 network and carried extra data as payload on the packets with the Reset (RST) flag set, the data Wireshark displays as the Reset cause field

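The flag decoding and RST-payload inspection these slides describe, as an added example written for this page (Python, not Akamai's tooling): it reads the flag byte of a raw TCP header in the FSRPAUEW order used above, labels suspicious combinations, returns the payload a RST segment carries (the data Wireshark shows as the Reset cause), and emits the equivalent tcpdump capture filter. The segments are constructed inline, and the classification thresholds (six or more flags counts as a Christmas tree packet) are this example's assumptions, not values from the report.

```python
"""Decode TCP flags, label suspicious combinations and pull RST payloads.
Added example for this page; not Akamai's code. All segments are constructed."""
import struct
from typing import Optional

# Bits of TCP header byte 13, listed in the FSRPAUEW order the slides use.
FLAG_BITS = [("F", 0x01), ("S", 0x02), ("R", 0x04), ("P", 0x08),
             ("A", 0x10), ("U", 0x20), ("E", 0x40), ("W", 0x80)]


def build_segment(flags: str, payload: bytes = b"", sport: int = 40000,
                  dport: int = 80) -> bytes:
    """Constructed test segment: 20-byte TCP header, no options, plus payload."""
    flag_byte = sum(bit for letter, bit in FLAG_BITS if letter in flags)
    offset_flags = (5 << 12) | flag_byte            # data offset 5 words, NS clear
    header = struct.pack("!HHIIHHHH", sport, dport, 0, 0,
                         offset_flags, 65535, 0, 0)  # seq, ack, window, csum, urg
    return header + payload


def parse_segment(segment: bytes):
    """Return (flag letters in FSRPAUEW order, payload bytes) for a raw segment."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    offset_flags = struct.unpack("!H", segment[12:14])[0]
    data_offset = (offset_flags >> 12) * 4          # header length in bytes
    flag_byte = offset_flags & 0xFF
    flags = "".join(letter for letter, bit in FLAG_BITS if flag_byte & bit)
    return flags, segment[data_offset:]


def classify_flags(flags: str) -> str:
    """Label a flag combination; the thresholds are this example's assumptions."""
    s = set(flags)
    if len(s) >= 6:
        return "christmas-tree"      # nearly every bit lit, as in the slides
    if "S" in s and ("F" in s or "R" in s):
        return "illegal-syn-combo"   # SYN never legitimately travels with FIN or RST
    if {"F", "P", "U"} <= s and "A" not in s:
        return "xmas-scan"           # the classic nmap -sX probe
    if not s:
        return "null-scan"
    if "F" in s and "A" not in s:
        return "fin-scan"
    return "normal"


def rst_payload(segment: bytes) -> Optional[bytes]:
    """Data carried on a RST segment (what Wireshark labels 'Reset cause'), else None."""
    flags, payload = parse_segment(segment)
    return payload if "R" in flags else None


def bpf_for_flags(flags: str) -> str:
    """tcpdump filter matching segments that have at least these flags set."""
    mask = sum(bit for letter, bit in FLAG_BITS if letter in flags)
    return f"tcp[13] & 0x{mask:02x} == 0x{mask:02x}"


def summarize(segments) -> dict:
    """Count segments per label, the shape a flood report would start from."""
    counts: dict = {}
    for seg in segments:
        label = classify_flags(parse_segment(seg)[0])
        counts[label] = counts.get(label, 0) + 1
    return counts


# Constructed sample: one flood-style Christmas tree packet, an nmap-style
# probe, a RST carrying a payload, and an ordinary handshake reply.
SAMPLE = [
    build_segment("FSRPUEW"),
    build_segment("FPU"),
    build_segment("R", b"flood"),
    build_segment("SA"),
]

if __name__ == "__main__":
    for seg in SAMPLE:
        flags, _ = parse_segment(seg)
        print(f"{flags or '-':8} {classify_flags(flags):18} rst payload={rst_payload(seg)!r}")
    print(summarize(SAMPLE))
    print("capture filter for the flood packet:", bpf_for_flags("FSRPUEW"))
```

The filter string is the same `tcp[13]` byte test that tcpdump accepts on the wire, so the mask the flood packet produces (0xef) can be pasted straight into a capture on the scrubbing edge; a bare RST with no payload classifies as normal, which is why the payload check is a separate function rather than folded into the flag label.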

Page 8: Q4 2014 spotlight lizard squad presentation

= distribution by Akamai scrubbing center


Page 9: Q4 2014 spotlight lizard squad presentation

= full security report

• Download the full Q4 2014 State of the Internet - Security Report

• The security report includes:

  • Analysis of DDoS attack trends

  • Bandwidth (Gbps) and volume (Mpps) statistics

  • Year-over-year and quarter-by-quarter analysis

  • Application layer attacks

  • Attack frequency, size and sources

  • Where and when DDoSers strike

  • Spotlight: A multiple TCP Flag DDoS attack

  • Malware: Evolution from cross-platform to destruction

  • Botnet profiling technique: Web application attacks

  • Performance mitigation: Bots, spiders and scrapers


Page 10: Q4 2014 spotlight lizard squad presentation

= about stateoftheinternet.com

• StateoftheInternet.com, brought to you by Akamai, serves as the home for content and information intended to provide an informed view into online connectivity and cybersecurity trends as well as related metrics, including Internet connection speeds, broadband adoption, mobile usage, outages, and cyber-attacks and threats.

• Visitors to www.stateoftheinternet.com can find current and archived versions of Akamai's State of the Internet (Connectivity and Security) reports, the company's data visualizations, and other resources designed to put context around the ever-changing Internet landscape.
