Interview: Akamai at the Heart of the Recent DDoS Attacks

The largest distributed denial of service (DDoS) attacks are now considerably larger, having doubled in size in 2016. They are not only bigger but also more complex than past DDoS attacks, and defence against them requires more expertise. They are not limited to any particular industry.

On Tuesday, 20 September, the website of one of our clients suffered a massive attack exceeding 650 Gbit/s, that is to say, the largest in history (more than double the peak of the last attack endured by our platform). The targeted website remained available throughout the attack, and our systems and employees showed themselves to be particularly effective under these difficult conditions.

Why were these attacks unprecedented ?

These attacks were unprecedented in that the tool used was a botnet. While it was the largest attack ever sustained by Akamai, other factors also distinguished it from a « standard » DDoS attack. Foremost among them was its origin, namely a botnet largely consisting of connected devices (IoT) identified as security cameras and DVRs used in « Small Office/Home Office » configurations. After verification, most of these devices were found to use easy-to-guess usernames and passwords (such as « admin », « password » or « 1234 ») or default passwords. Moreover, the attack relied on a significant volume of traffic directly linking the botnet to the target, unlike the recent large attacks exploiting NTP and DNS flaws which depended on traffic reflection and/or amplification.

Were these attacks an isoldated case or have then been followed by others of the same kind ?

Since then, a new series of the same sort of attack has occurred, this time against Dyn, a DNS service provider. Dyn is not a client of Akamai, and we were not involved in mitigating this attack. Likewise, the attacks that targeted Dyn did not target Akamai and did not have an impact on Akamai services. Nevertheless, we were able to help Akamai clients utilising Dyn Managed DNS thanks to a technique that allowed us to make use of old known valid DNS resolutions. As a result, we could continue identifying client origins and helped resolve close to 60,000 DNS requests per second which would have failed without our assistance.

How have they impacted your company’s activities ?

Akamai has been fighting against DDoS attacks for nearly 20 years and has proven itself to be capable of protecting its clients and maintaining the availability of their infrastructure even during the largest DDoS attacks. As cybercrime evolves, Akamai continues to publish studies on new threats such as the August 2016 SIRT team papers concerning the Mirai botnet: https://www.akamai.com/us/en/multimedia/documents/state-of-the-internet/kaiten-std-router-ddos-malware-threat-advisory.pdf. At the same time, Akamai continues to adapt its procedures and the infrastructure of its platform to anticipate acts of malicious intent. Akamai, faced with increasingly massive attacks, monitors its network to anticipate attacks and strengthen its capabilities of defence. Akamai will publish more information on these two attacks in the 2016 Q3 State of the Internet (SOTI): https://www.akamai.com/fr/fr/our-thinking/state-of-the-internet-report/global-state-of-the-internet-security-ddos-attack-reports.jsp.

Akamai will also be a partner of FIC2017.