Headlines You May Have Seen

© 2010 Akamai

Headlines You May Have SeenOnline attack hits US government Web sites (7 Jul 09)

Twitter DDoS Attack Politically Motivated, Says Report (7 Aug 09)

Four arrested in China over net-paralyzing gaming spat (2 Sep 09)

DDoS attacks topple 40 Swedish sites (30 Oct 09)

Study: DDoS attacks threaten ISP infrastructure (11 Nov 09)

Hacker grinches launch DDoS attack against Amazon (29 Dec 09)

Chinese Human Rights Sites Hit by DDoS Attack (25 Jan 10)

DDoS attacks, Network hacks rampant in oil & gas industry (28 Jan 10)

Intel Chief: U.S. at Risk of Crippling Cyber Attack (4 Feb 10)

Chinese ISP Momentarily hijacks the Internet (again) (8 Apr 10)

Attack of the Opt in Botnets (23 Apr 10)

Verisign Warns of growing denial-of-service threat (7 May 10)

Hackers Retaliate as Turkey’s censorship tightens (18 Jun 10)

[DDoS] BotNet spread by pressing one button… (2 Aug 10)

DNSMadeEasy Rallies After 50Gbps DDoS (9 Aug 10)

© 2010 Akamai

Headlines You DID NOT See

POWERING A BETTER INTERNET

President Delays Trip Due to Cyber Attacks

Independence Day Attacks Paralyze the U.S.

Government and Financial Websites Attacked and Taken Down: Stocks Show Concerns

© 2010 Akamai

IT Risk In a Complex World

© 2010 Akamai

What’s At Risk?

NSA's Guide: Defense in Depth - A practical strategy for achieving Information Assurance in today’s highly networked environments

Reputation & Brand

Dollars & Revenue Mission & Trust

Weathering Storms in the Cloud: Analyzing Massive DDoS Attacks to Prepare for the Future

R. H. Powell IVSenior Service Line ManagerAugust 10, 2010

© 2010 Akamai

Agenda

Weathering Storms in the Cloud• Is the Threat Worth Considering?• Data Collection & Considerations• Observations from the Wild

• July 4th DDoS Case Study• How Do you Analyze This• Future Expectations & Innovation

© 2010 Akamai

State of Internet Security Today

• 95% of corporate Web applications have severe vulnerabilities.1

• 34 million computers in the U.S. alone may now be part of a botnet.2

• Cybercrime costs businesses $1 trillion a year.3

• In 2008, a Web page was infected every 4.5 seconds.4

• Attack traffic observed from 198 countries in Q1 ‘10, up 291% from 68 countries in Q1 ‘09.5

1 WASC 2 Georgia Tech Information Security 3 McAfee 4 Sophos 5 Akamai

© 2010 Akamai

Targets of Opportunity

2,750

1,875

3,4624000

3000

2000

1000

0Volu

me

of V

ulne

rabi

litie

s

2,029

2008 2007 20082007(Web Application Vulnerabilities)

(Non-Web Application Vulnerabilities)

Source: Symantec Internet Security Threat Report, April 2009

© 2010 Akamai

50 454035302520151050

Peak Attack Traffic per year

2002 2003 2004

1.22.5Atta

ck S

ize -

Gbps

10

17

2005 2006 2007 2008

24

40

(Arbor Networks)

49

>200

(Akamai Technologies)2009

250 225200175150125100

755025

0

© 2010 Akamai

Where Does the Data Come From?

Primary Data

Sources

AuxiliaryData

SourceAkamai Distributed Agents

Publicly Available ReportsAkamai Customer Production Traffic Logs

© 2010 Akamai

Top Attack Countries (Akamai Agents)

© 2010 Akamai

Top Attack Regions (Akamai Agents)

Europe 44% Overall Europe 50% of Mobile

© 2010 Akamai

A Note On Mobile Connectivity

The GSM Association reports that global Mobile Broadband connections roughly doubled during 2009 to 200 million. By the

end of 2010, they estimate this will reach 342 million global connections, with 120 million in Europe, 116 million in the Asia

Pacific region, and 58 million in North America. 2

1 Akamai 2 GSM Association

GlobalMobile

Providers

% > 1 Mbps

% > 2Mbps

% > 5 Mbps

% > 10 Mbps

Average Connection Speed 32%1 13%1 -- --Maximum Connection Speed -- 76%1 30%1 6%1

© 2010 Akamai

July 4 2009 DDoS AttackObserved Attack Profile

Type of Attack – Brute Force DDoS• The largest coordinated DDoS cyber attack against

US Government Websites• HTTP Resource Drain attack• Sourced primarily from compromised Korean

computers Intensity of Attack• 1,000,000+ hits per second and ~200 Gbps

aggregate attack traffic (US Gov Only)• One website received 8 years of traffic in a day

All Traffic Logged for Akamai Customers• 64 Billion Log Lines• 13 TB of uncompressed log data (400+

Gigs of Compressed logs)“Between the volume of the requests and their frustrating nature, a Web site with few servers or limited bandwidth can quickly be taken down. Others with greater physical and financial resources can take the punishment. That may explain why high-volume Web sites such as those belonging to the White House, the Pentagon and the New York Stock Exchange were able to withstand such attacks with barely a hiccup, while the Federal Trade Commission's and the Transportation Department's were knocked offline." - Paul Wagenseil, Fox News

© 2010 Akamai

July 4, 2009 DDoS Attack

Customer – PROTECTEDU.S. Government Customer 1U.S. Government Customer 2U.S. Government Customer 3U.S. Government Customer 4U.S. Government Customer 5U.S. Government Customer 6New U.S. Government Customer

Peak Traffic124 Gbps32 Gbps9 Gbps9 Gbps2 Gbps1.9 Gbps0.7 Gbps

Times AbovePrevious Peak Traffic598x369x39x19x9x6xSITE DOWN before Akamai

“Between the volume of the requests and their frustrating nature, a Web site with few servers or limited bandwidth can quickly be taken down. Others with greater physical and financial resources can take the punishment. That may explain why high-volume Web sites such as those belonging to the White House, the Pentagon and the New York Stock Exchange were able to withstand such attacks with barely a hiccup, while the Federal Trade Commission's and the Transportation Department's were knocked offline." - Paul Wagenseil, Fox News

© 2010 Akamai

Akamai Analysis of Log Data Top Attacking IP Address Over Time

• July 4th – Attacks focused on two sites• July 5th – Attacks spread to include 5 other sites. Even traffic spread.• July 5th (late) – Attack shifts bulk of attack to 2 new sites• July 7th (late) – Attack Ends

All Targeted US Government Websites (not using Akamai) Went Down!

© 2010 Akamai

Unique Hostile IPs Over Time

Much Larger Then Any Public Estimates2.23.5 5.0.0 6.8.0 7.16.0 9.0.0 10.8.0 11.16.0 13.0.00

20000

40000

60000

80000

100000

120000# Unique Hostile IP's Per 30 Minute Block

# IP's

Spike 1

Spike 3Spike 2

Few common attackers between spikes:(Only 4,284 IP’s Shared Across all Spikes)

97,882 Unique IP’s in 30 mins

© 2010 Akamai

Crunching The Data

© 2010 Akamai

Future Outlook and Innovation

Thank you

© 2010 Akamai

Akamai Architecture Operational View – OV-1

End Users

Internet

Network Storage

Akamai Network65,000+ Servers1500+ Locations950+ Networks70+ Countries

Compression

AkamaiSite Shield

Network Storage

Back-Up Site or Load Balanced

Multi-Data Center

EDNSTransaction

Server

DNS Server

Directory/Policy Server

LegacySystems App

Servers

Database

Load Balancer

Edge Servers

Web Servers

FireWall Edge Servers

Data Center

Security Availability Scalability Visibility Resource Savings Performance

WAF

© 2010 Akamai

Technology• The top five anti-virus companies

Media & Entertainment• 30 of the top 30 M&E companies

Retail & Travel• Over 400 Global Retailers• 50 of the top 50 U.S. Retailers• Over 125 Global Online Travel Sites

Broad adoption across verticalsIf you’re on-line you’re using Akamai

Finance• 9 of top 15 Global Banks

© 2010 Akamai

US Government Customers12 of 15 Cabinet Agencies