India one of top target nations for web application attacks in Q2: Akamai

India was one among the top 10 source countries for DDoS attacks, according to Akamai Technologies’ Q2 2015 State of the Internet – Security Report. About 7.43 percent of the DDoS attacks originated from India this quarter, while China was the largest source for the same at 37.01 percent. For the past three quarters, globally there has been a doubling in the number of DDoS attacks year over year. And while attackers favored less powerful but longer duration attacks this quarter, the number of dangerous mega attacks continues to increase. In Q2 2015, there were 12 attacks peaking at more than 100 Gigabits per second (Gbps) and five attacks peaking at more than 50 Million packets per second (Mpps). “Very few organisations have the capacity to withstand such attacks on their own,” the company said. [caption id=“attachment_2011331” align=“alignleft” width=“380”]  Representational image. Reuters[/caption] The largest DDoS attack of Q2 2015 measured more than 240 gigabits per second (Gbps) and persisted for more than 13 hours. Peak bandwidth is typically constrained to a one to two hour window. Q2 2015 also saw one of the highest packet rate attacks ever recorded across the Prolexic Routed network, which peaked at 214 Mpps. That attack volume is capable of taking out tier 1 routers, such as those used by Internet service providers (ISPs). DDoS attack activity set a new record in Q2 2015, increasing 132.43 percent compared to Q2 2014. The quarter witnessed 122.22 percent year-over-year increase in application layer (Layer 7) DDoS attacks; 133.66 percent increase in infrastructure layer (Layer 3 & 4) attacks; 18.99 percent increase in the average attack duration; 11.47 percent decrease in average peak bandwidth; and 77.26 percent decrease in average peak volume. SYN and Simple Service Discovery Protocol (SSDP) were the most common DDoS attack vectors this quarter – each accounting for approximately 16 percent of DDoS attack traffic. “The proliferation of unsecured home-based, Internet-connected devices using the Universal Plug and Play (UPnP) Protocol continues to make them attractive for use as SSDP reflectors. Practically unseen a year ago, SSDP attacks have been one of the top attack vectors for the past three quarters. SYN floods have continued to be one of the most common vectors in all volumetric attacks, dating back to the first edition of the security reports in Q3 2011.” Online gaming has remained the most targeted industry since Q2 2014, consistently being targeted in about 35 percent of DDoS attacks. India was one of the top target countries for Web Application Attacks in Q2 2015. According to statistics, 1 percent of the attack targeted India, and the highest attack was targeted towards US at 81 percent. This quarter, two additional attacks vectors were analysed:  Shellshock and cross-site scripting (XSS). Shellshock, a Bash bug vulnerability first tracked in September 2014, was leveraged in 49 percent of the web application attacks this quarter. However, 95 percent of the Shellshock attacks targeted a single customer in the financial services industry. Since Shellshock attacks typically occur over HTTPS, this campaign shifted the balance of attacks over HTTPS vs. HTTP. In Q1 2015, only 9 percent of attacks were over HTTPS; however, in this quarter 56 percent were over HTTPS channels. Looking beyond Shellshock, SQL injection (SQLi) attacks accounted for 26 percent of all attacks. “This represents a greater than 75 percent increase in SQLi alerts in the second quarter alone.” In contrast, local file inclusion (LFI) attacks dropped significantly this quarter. While it was the top web application attack vector in Q1 2015, LFI only accounted for 18 percent of alerts in Q2 2015. Remote file inclusion (RFI), PHP injection (PHPi), command injection (CMDi), OGNL injection using OGNL Java Expressing Language (JAVAi), and malicious file upload (MFU) attacks combined accounted for 7 percent of web application attacks. WordPress is an attractive target for attackers who aim to exploit hundreds of known vulnerabilities to build botnets, spread malware and launch DDoS campaigns, Akamai said in its report. Third-party plugins go through very little, if any, code vetting. To better understand the threatscape, Akamai tested more than 1,300 of the most popular plugins and themes. As a result, 25 individual plugins and themes that had at least one new vulnerability were identified. In some cases, the plugin or theme had multiple vulnerabilities – totaling 49 potential exploits. In addition, the Onion Router (TOR) project ensures the entry node to a network does not match the exit node, providing a cloak of anonymity for its users. While Tor has many legitimate uses, its anonymity makes it an attractive option for malicious actors. In order to assess the risks involved with allowing Tor traffic to websites, Akamai analysed web traffic across the Kona security customer base during a seven-day period. The analysis showed that 99 percent of the attacks were sourced from non-Tor IPs. However, 1 out of 380 requests out of Tor exit nodes were malicious. In contrast, only 1 out 11,500 requests out of non-Tor IPs was malicious. That said, blocking Tor traffic could have a negative business affect. However, legitimate HTTP requests to e-commerce related pages showed that Tor exit nodes had conversion rates on par with non-Tor IPs.