Akamai: The Internet's aging protocols make juicy targets

The latest wave of Internet attacks doesn't just involve familiar exploits like cross-site scripting; it also leverages aging protocols, at enough volume to jam up Internet backbone routers

According to Akamai's Q2 2015 "State of the Internet -- Security" report, built from data harvested across Akamai's networks, DDoS attacks continue to be on the rise -- and attackers continue to change their games in surprising ways.

Among the trends singled out in the report: Attacks are not only getting bigger in terms of total traffic, but are more aggressively exploiting limitations in older protocols ("infrastructure layer" attacks), and happening at a large enough scale that even Internet backbone hardware is at risk of being routinely gummed up.

Infrastructure attacks involve abusing limitations in existing protocols to flood victims with spurious data requests. Three of the protocols in the report that are showing an uptick in activity -- RIPv1, CHARGEN, and NTP -- are all older or outright obsolete protocols. And while the Linux Foundation is spearheading attempts to fix these protocols, such fixes don't come on short notice.

What's more, DDoS attacks are reaching the point where they are threatening to routinely cripple Internet border edge routers by their sheer size and volume alone. "Attack campaigns [of 50 megapackets per second or more] can exhaust ternary content addressable memory (TCAM) resources in border edge routers, such as those used by Internet service providers.... This can then result in collateral damage across the ISP’s network, which can manage production traffic for hundreds or thousands of organizations."

The most common infrastructure attacks, SSDP and SYN flooding, are typically launched by exploiting "unsecured in-home consumer devices," such as broadband routers. Those devices often remain unpatched or unreplaced for long periods of time, making these attacks all the easier to kick off.
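Added example, not from the report or the article: one way a network defender could pick the reflected floods described above out of flow records, by grouping inbound UDP traffic sourced from the reflector ports of the protocols the report names (CHARGEN 19, NTP 123, RIPv1 520, SSDP 1900) and checking packet rate and average reply size per victim. The flow records, thresholds and function names are constructed for illustration; the 50 Mpps figure is the one quoted from the report.

```python
from collections import defaultdict

# UDP source ports of the reflectors the report names; reflected floods arrive FROM these ports.
REFLECTOR_PORTS = {19: "CHARGEN", 123: "NTP", 520: "RIPv1", 1900: "SSDP"}
TCAM_RISK_PPS = 50_000_000  # the "50 megapackets per second" figure quoted in the report

# Constructed flow records (not captured traffic), all from one 10-second export window:
# (src_ip, src_port, dst_ip, dst_port, packets, bytes, duration_seconds)
SAMPLE_FLOWS = [
    ("198.51.100.7", 123, "203.0.113.10", 40000, 500_000, 240_000_000, 10),
    ("198.51.100.8", 123, "203.0.113.10", 40000, 480_000, 230_000_000, 10),
    ("198.51.100.9",  19, "203.0.113.10", 40001, 300_000, 300_000_000, 10),
    ("192.0.2.5",    520, "203.0.113.10", 40002, 200_000, 100_000_000, 10),
    ("192.0.2.6",     53, "203.0.113.20", 40003,     100,      15_000, 10),  # ordinary DNS
    ("192.0.2.7",    123, "203.0.113.20",   123,      12,         900, 10),  # ordinary NTP sync
]

def find_reflection_floods(flows, min_pps=1_000, min_avg_bytes=200):
    """Group flows by (victim, reflector protocol); keep groups with a high packet rate and large replies."""
    groups = defaultdict(lambda: {"packets": 0, "bytes": 0, "seconds": 0, "sources": set()})
    for src, sport, dst, _dport, pkts, nbytes, secs in flows:
        proto = REFLECTOR_PORTS.get(sport)
        if proto is None:
            continue  # not sourced from one of the reflector services
        g = groups[(dst, proto)]
        g["packets"] += pkts
        g["bytes"] += nbytes
        g["seconds"] = max(g["seconds"], secs)  # assumes all flows share the export window
        g["sources"].add(src)
    floods = {}
    for key, g in groups.items():
        pps = g["packets"] / g["seconds"]
        avg_bytes = g["bytes"] / g["packets"]
        if pps >= min_pps and avg_bytes >= min_avg_bytes:
            floods[key] = {"pps": pps, "avg_bytes": avg_bytes, "sources": sorted(g["sources"])}
    return floods

def victim_summary(floods):
    """Total reflected packet rate per victim, flagged if it reaches the TCAM-exhaustion level."""
    totals = defaultdict(float)
    for (dst, _proto), f in floods.items():
        totals[dst] += f["pps"]
    return {dst: {"pps": pps, "tcam_risk": pps >= TCAM_RISK_PPS} for dst, pps in totals.items()}

if __name__ == "__main__":
    floods = find_reflection_floods(SAMPLE_FLOWS)
    for (dst, proto), f in sorted(floods.items()):
        print(f"{dst} <- {proto}: {f['pps']:.0f} pps, avg {f['avg_bytes']:.0f} B, {len(f['sources'])} reflectors")
    print(victim_summary(floods))
```

On the constructed records the two low-rate flows (ordinary DNS and NTP sync) are ignored, while the three reflector groups aimed at 203.0.113.10 are flagged and summed to 148,000 pps for that victim.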

Akamai also tracks application-layer attacks: SQL injection, cross-site scripting, local file inclusion, and remote file inclusion. They aren't by themselves new, but the picture of which ones were being deployed changed after Akamai altered its analysis, adding cross-site scripting and Shellshock attacks to the roundup. Shellshock attacks made up more than 90 percent of the attacks launched via HTTPS in the first part of Q2, although that share dropped off drastically to less than 10 percent. (SQL injection and local and remote file inclusion remain the big attack vectors across HTTP and HTTPS alike, though.)

The more broadly used the application, the more likely it is to be an attack victim or vector. To that end, the blogging/CMS engine WordPress (said to power some 25 percent of the entire Web) earned its own section of the report. There, Akamai singled out minimally vetted third-party plugins as the culprit, since while WordPress plug-ins are vetted on initial submission, they aren't vetted as stringently later on. "Your secure plug-in of today," stated the report, "could be your attacker’s plugin of choice when the plug-in is updated in six months."
