A Two Week Overview of the Latest Massive Scale RFI Scanning

Unterföhring, (PresseBox) - In the past several weeks, Akamai was in a unique position to witness a massively orchestrated attack, designed to map Internet facing web servers that are susceptible to certain specific vulnerabilities.

While various sources on the blogosphere speculated about the scale and nature of these attacks seen on their own infrastructure, Akamai's big data intelligence platform demonstrated the true massive scale and reach of this internet-wide orchestrated attack.

In order to thoroughly analyze this attack and bring you our conclusions and impressions, we extracted attack data on the last 2 weeks (January 5th - January 19th, 2014) from Akamai's security big data platform (Cloud Security Intelligence).

Detailed Findings:

During our analysis period, Akamai has seen a total of 2,071,089 Remote File Inclusion attack attempts, targeting mostly PHP applications.

Our data shows that at its peak during the past 2 weeks, 80,000 attacks were launched per hour. It is also quite obvious that attack volume has subsided gradually, and perhaps the attack is about to end.

In addition to the above, we saw that the most "active" attacker performed attacks against 86 different web sites, and sent a total of 73,515 attacks. The average number of attacked sites per attacker was 10 sites/attacker, while the average attacks per attacker stood on 8738 attacks/attacker.

When inspecting closely the top attack source IPs, we discovered that most of them were running on a web server, and seemed to belong to web hosting providers running the cPanel management application. Using web servers for launching massive scale attacks on the web is definitely becoming the de-facto approach for hackers who are looking for high bandwidth.

Depending on the attacker and target application, the attack itself seemed to look for 2,000 - 2,500 different known Remote File Inclusion attacks, mostly in PHP applications. Our data also shows that when the web server failed to respond according to the scanner's expected behavior (e.g. HTTP authentication was required, or an HTTP 5XX error was raised), scanning activity stopped after only a few attempts.

While we can't expose the names and industry sectors of the target sites, it's clear from the top-level domains of the sites, that attackers were not only interested in .com web sites, but also targeted government and military web properties.

Of the 2,071,089 attacks registered during our sample period, more than 99% of HTTP requests were extremely basic and were stripped down of almost all HTTP headers except the mandatory 'Host' header - this leads us to believe that a very rudimentary script performed the attacks, since sophisticated scanners usually perform more deep crawling and usually support cookie-setting, session token refresh and will submit more headers in order to mimic browser web interaction.

Press releases you might also be interested in

Weitere Informationen zum Thema "Internet":

Migration zu Exchange Online: Spaziergang oder Kraftakt?

Die Cloud ist ver­lo­ckend, und der Um­s­tieg auf Ex­chan­ge On­li­ne scheint ein­fach zu sein. Doch in der Pra­xis lau­ern zahl­rei­che Stol­per­stei­ne. Wie sich die ver­mei­den las­sen, be­sch­reibt Ju­li­an Wendt*.


Subscribe for news

The subscribtion service of the PresseBox informs you about press information of a certain topic by your choice at a choosen time. Please enter your email address to receive the email with the press releases.

An error occurred!

Thank you! You will receive a confirmation email within a few minutes.

I want to subscribe to the gratis press mail and have read and accepted the conditions.