Multi-vector attacks standard even for amateurs: Akamai

Multi-vector attacks are now standard in the DDoS-for-hire-marketplace, according to Akamai’s latest security report.

The first quarter of this year also set a record for the number of DDoS attacks the content delivery network providers had observed that exceeded 100Gbps. The 19 ‘mega-attacks’ in Q1 2016 beat the previous record of 17 set in Q3 2014.

DDoS attacks at the beginning of this year are up 125 per cent on the same period last year, the vast majority of which were reflection attacks using booter and stresser-based tools – which bounce traffic off servers running vulnerable services.

“Nearly 60 per cent of the DDoS attacks we mitigated used at least two attack vectors at once, making defense more difficult,” said Stuart Scholly, senior VP of Akamai’s Security Business Unit.

“Perhaps more concerning, this multi-vector attacks functionality was not only used by the most clever of attackers, it has become a standard capability in the DDoS-for-hire marketplace and accessible to even the least skilled actors.”

Of the 4,500 DDoS attacks Akamai mitigated during Q1, more than half (55 per cent) targeted gaming companies and a quarter were aimed at the software and technology industry. The majority of these were sourced to China, the US and Turkey.

Web application attacks also increased by 26 per cent on the previous quarter and, consistent with previous reports, were mainly targeted at the retail sector. Around two fifths were SQLi attacks, and 36 per cent were LFI attacks.

As per recent quarters, the US was both the most frequent source of web app attack traffic, and the most frequent target.