©2014 Foley & Lardner LLP • Attorney Advertising • Prior results do not guarantee a similar outcome • Models used are not clients but may be representative of clients • 321 N. Clark Street, Suite 2800, Chicago, IL 60654 • 312.832.4500

©2014 Foley & Lardner LLP • Attorney Advertising • … FOLEYTech Summit - J... · ©2014 Foley & Lardner LLP • Attorney Advertising • Prior results do not guarantee a similar


War Stories from the Cloud

John Summers, VP Cloud Security


©2013 AKAMAI | FASTER FORWARDTM

The Akamai Intelligent Platform

• The Platform
– 150,000+ Servers
– 2,300+ Locations
– 750+ Cities
– 92 Countries
– 1,227+ Networks

• The Data
– 2 trillion hits per day
– 780 million unique IPv4 addresses seen quarterly
– 13+ trillion log lines per day
– 260+ terabytes of compressed daily logs

15 - 30% of all web traffic


How the Akamai Platform Works

Diagram labels:

• Users
• Application Server
• Edge Region close to Origin Server
• “SureRoute” and Akamai Protocol optimize route and reduce round trips
• Edge Region close to End User
• Web-enabled Applications
• Mobile Applications
• IP Applications
• High Performance Global Overlay Network
• Security embedded into Akamai Edge Servers


The Akamai Platform Provides a Perimeter Defense

[Figure: Origin Traffic and Akamai Traffic between the End User and the (Cloud) Datacenters]


Attacks Are Increasing in Size and Frequency

[Chart by year, 2010 to 2014. Series: attack size (Gigabits per second); attack size (Million packets per second); number of attacks per year]

©2014 AKAMAI | FASTER FORWARDTM


Attack Trends

• Growth in “reflection” DDoS attacks

• The rise of DDoS-as-a-service sites

• Robust attack landscape reflects geopolitical landscape


Technology Trends

• The Enterprise attack surface continues to grow

• Continued movement of applications to the cloud

• Bring your own device and SaaS applications mean more enterprise traffic is completely outside the perimeter


Case Study: Large Financial Institution

Avoid data theft and downtime by extending the security perimeter outside the data-center and protect from increasing frequency, scale and sophistication of web attacks.

Challenge

Maintain customer Web experience during a multi-dimensional DDoS attack by a sophisticated attacker

Solution

Cloud-based Web security that stops DDoS attacks at the edge, before they reach the application

Day 1

• HTTP flood against homepage
• 30 Gbps, 4m requests/min peak
• Maintained normal customer traffic through the attack

Day 2

• HTTP flood against unprotected Web site
• Page view errors spike 1,327%

Day 2

• DNS-based volumetric attack
• 40 Gbps, 1.8m requests/s peak
• Maintained 100% availability


Case Study: DDoS Attack against Media Company

• Q2 14 attack targeted a politically-active newspaper in APJ

Phase 1
• Bandwidth: 88 Gbps
• Requests: 56 Mpps
• Duration: 18 hours

Phase 2
• Bandwidth: 93 Gbps
• Packets: 53 Mpps
• Duration: 30 hours

Phase 3
• Bandwidth: 111 Gbps
• Packets: 53 Mpps
• Duration: 3 hours

[Chart over twelve days: W Th F S S M T W Th F S S]


Not just DDoS: Mobile check deposit application attack

What happened

• Anonymous attacker accessed URLs for mobile check deposit application 120,000 times over four hours
• Web requests for “checkfront.jpg”, “checkback.jpg”, and more

How the attack was defeated

• Web application firewall rate controls


Large March 2014 Attack

• Mixed Attack, Significant NTP Traffic

• DDoS Start :: 8MAR14 13:52:00 UTC

• DDoS Stop :: 9MAR14 02:00:00 UTC

• Peak Bps :: 200+Gbps

• Peak Pps :: 65Mpps

• 2 hosts targeted on Random UDP/TCP/ICMP ports


320 Gbps DDoS Attack against Gaming Customer

• Largest attack ever mitigated by Akamai against a single customer

• Targeted primary website, supporting network infrastructure, and DNS

• Multiple attack vectors:
– SYN / UDP floods against an entire subnet
– Volumetric attack against DNS

• Attack characteristics:
– 320 Gbps and 71.5 Mpps peak attack traffic through Prolexic scrubbing centers
– 2.1 million requests/s through Fast DNS

[Charts: Prolexic; Fast DNS]


One Attack in a Broader DDoS Attack Campaign

[Chart from campaign start to end. Series: Infrastructure (Gbps), DNS (Mpps), DNS (Mpps), Web (Gbps)]

Two-month campaign against single customer

• 39 distinct attacks targeting applications and DNS infrastructure

• Eight attacks >100 Gbps including record 321 Gbps attack


Web Application Attacks and Holiday Shopping

• Spike in attacks against Top 30 retailers

– 5.6x increase in blocked attacks from Nov 1 to Nov 29

• Attacks grew twice as fast as user traffic

– 2x increase in blocked attacks per page view

[Chart, weekly from Nov 1 to Nov 29 (Nov 1, Nov 8, Nov 15, Nov 22, Nov 29). Series: blocked attacks; blocked attacks per page view]


“Akamai, we are under attack!...”

The following slides are based on real events on January 5th 2014….

Leveraging Big Data to Understand Attackers


Ad-Hoc Attack Analysis

• An attempt to exploit an old (2007) WordPress Remote File Inclusion vulnerability. The victim application was running ASP.NET

GET /wp-content/wordtube-button.php?wpPATH=http://www.google.com/humans.txt? HTTP/1.1
Host: www.vulnerable.site
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4)

Attacked parameter: wpPATH

Malicious payload: http://www.google.com/humans.txt


What Else Did This Attacker Do On This Site?

• The same attacker sent 2122 different RFI exploit attempts


• 34 different sites were attacked by the same attacker

• with a total of 24,301 attacks


Was There Similar Activity Going On At The Same Time?

• Attacks originated from a botnet containing 272 attacking machines

• 1696 victim applications were targeted

• 1,358,980 attacks were launched during the campaign

• The campaign lasted for 2 weeks
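
The ad-hoc analysis on the preceding slides (spot a parameter such as wpPATH whose value is an absolute URL, then ask what else the same client sent and to which sites) can be sketched as follows. This is an added example, not code from the presentation or from Akamai; the log format, the client addresses and every host other than www.vulnerable.site are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl

# Constructed sample log: client, Host header, request line.
# Documentation-range IPs and hypothetical .example hosts.
SAMPLE_LOG = """\
203.0.113.7 www.vulnerable.site "GET /wp-content/wordtube-button.php?wpPATH=http://www.google.com/humans.txt? HTTP/1.1"
203.0.113.7 shop.example "GET /index.php?page=hTTp%3A%2F%2Fwww.google.com%2Fhumans.txt%3F HTTP/1.1"
203.0.113.7 shop.example "GET /index.php?page=about HTTP/1.1"
198.51.100.23 www.vulnerable.site "GET /login?next=/account HTTP/1.1"
198.51.100.23 blog.example "GET /search?q=http+vs+https HTTP/1.1"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) "(\S+) (\S+) HTTP/[\d.]+"$')
# A parameter value that is itself an absolute URL is the RFI signature on the slide.
REMOTE_URL_RE = re.compile(r'^\s*(?:https?|ftp)://', re.IGNORECASE)

def rfi_candidates(target):
    """Return (parameter, decoded value) pairs whose value is an absolute URL."""
    _, _, query = target.partition("?")
    # parse_qsl percent-decodes, so encoded payloads (http%3A%2F%2F...) match too.
    return [(k, v) for k, v in parse_qsl(query, keep_blank_values=True)
            if REMOTE_URL_RE.match(v)]

def pivot_by_client(log_text):
    """Group RFI-style requests by client: attempts, sites hit, parameters probed."""
    seen = defaultdict(lambda: {"attempts": 0, "sites": set(), "params": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the constructed format
        client, host, _method, target = m.groups()
        hits = rfi_candidates(target)
        if hits:
            rec = seen[client]
            rec["attempts"] += 1
            rec["sites"].add(host)
            rec["params"].update(k for k, _ in hits)
    return dict(seen)

if __name__ == "__main__":
    for client, rec in pivot_by_client(SAMPLE_LOG).items():
        print(client, rec["attempts"], sorted(rec["sites"]), sorted(rec["params"]))
```

Matching on the decoded value rather than on the script path is what lets the same rule flag the request against an ASP.NET site, where the WordPress file does not exist but the probe is still evidence of the campaign.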


Closing Thoughts

• Attacks are increasingly targeting the application

• Most web applications have vulnerabilities that can be exploited

• Organizations need to incorporate security into their SDLC

• It is simply not possible to patch a production vulnerability fast enough

• A cloud security layer is no longer a nice-to-have
