Analysis of Black Friday Data Reveals Shift in Attack Vectors

December 8, 2014 12:08 am Tags: , , , , , No Comments 0

Akamai can see and analyze enormous amounts of attack data during events such as Black Friday. This year they tracked requests coming into dozens of online retailers over 24 hour periods for each of the 5 Fridays leading up to Black Friday.

During that period they analyzed 4.2 billion HTTP requests directed at dynamic application pages (not including requests for media files, JavaScript or other static objects). For those 4.1b requests, they saw 574 million WAF rule triggers. They analyzed which rules were triggered more on Black Friday in order to answer a few questions.

“Our main goal was to figure out: Were the bad guys busy trying to wreak havoc or were they looking out for some good “deals” of their own?”

In the world of information security we deal with lots of grey areas. So to get to a reasonable answer to our main question, we first had to ask a few other questions. Among them: Where did the majority of attacks come from? There are a few stereotypes and generalizations that can be made about the source of attacks (and remember that all generalizations are false, including this one): Attacks from China are suspected of being “state run” and thus politically motivated, attacks from the former Eastern Bloc countries are typically financed by criminal underground gangs, and attacks from Europe/US are typically mercenary (they are in it for the money).

During Black Friday 2014 the majority of attacks analyzed came from the US. So we can generalize (falsely, of course) that the attackers from the US were looking for good “deals”. You might be thinking “What about Proxies?” – we actually looked for those as well, and discovered a 12% increase in the number of proxy addresses used on Black Friday, which could indicate a desire for malicious actors to mask themselves as legitimate US-based shoppers.

Figure 1: Top 10 sources of Application Attack Traffic by Country on Black Friday

The second question we asked was whether there were any attack vectors which actually decreased between Oct 31 (the first Friday we tracked) and Nov 28th (the last). Last year we saw a rise in all attack vectors. This year we were surprised to find that volumetric attacks, or at least the rate control triggers that indicate the presence of volumetric attacks, went down. In fact, they went down drastically to less than 1/5 of the number of attacks on Nov 28th vs. Oct 31.

Figure 2: Attack Vectors Between Oct 31 and Black Friday

WAF rule triggers, as shown in the chart above, actually rose faster than total unique web clients seen – i.e. WAF activity during Black Friday was higher than one would expect as a result of seeing more web clients . So a preliminary look at the data shows that application layer attacks went up, while volumetric attacks went down. Since DDoS attacks are not typically lucrative for the attacker, a rise in application layer attacks as a proportion of total web attacks points to a more “mercenary” threat actor.

The 3rd thing we looked for was what type of WAF rule was triggered most often. We are used to seeing SQL injections in this category but were again surprised to find that Command injections were the more common attack vector across our sample set. It is possible that our data was skewed in this measure by one particularly persistent attacker who spent more than 8 hours attacking 1 large US retailer with command injections from what appears to us to be a home IP. At any rate, command injection attacks are usually employed in order to take over a server and potentially install a backdoor, which then allows the hacker to get access to whatever files and resources exist on the machine, such as database files, credit card information, passwords and so forth.

Generally speaking we see these three data sets as pointing towards a Black Friday that saw a particularly sharp rise in application attacks that could be used to steal data or goods.
The last data point we wanted to mention was gathered from our newest security service, Kona Client Reputation. This service discovered and flagged as malicious over 5,700 attacker IP addresses before they launched malicious requests on Black Friday. Some of the customers who are already in the Client Reputation beta program benefited from this information and automatically blocked the clients who had been deemed malicious, thus saving themselves the hassle and potential financial loss of thousands of malicious requests on the busiest day of their year.

As mentioned in previous blog posts, Akamai analyzes all of its security related data via a unique big data platform called “Cloud Security Intelligence”. We look forward to analyzing more of the data that we gather using this tool in the near future, and sharing out findings over the course of 2015.

This blog post was written by Dan Shugrue and Ory Segal for Akamai

0