IoT continued to provide resources to fuel future DDoS attacks.
IoT continued to provide resources to fuel future DDoS attacks.

When the U.S. president delivers the State of the Union speech, he generally states that the state of the union is strong. It is unfortunate that the state of the internet is mixed at best.

While content delivery network services provider Akamai says, “The fourth quarter of 2016 relatively quiet for web application attacks,” in its "State of the Internet/Security" report for the fourth quarter of 2016 released on Tuesday, that relative quiet is compared to the previous quarter that witnessed some of the largest distributed denial of service (DDoS) ever seen, not from previous years.

The report notes that compared to the same quarter a year earlier, DDoS attacks increased four percent, Layer 3 and 4 (infrastructure) attacks increased six percent, reflection-based attacks increased 22 percent and attacks greater than 200 Gbps were up 140 percent. Many web applications attacks also were up by double-digits over a year earlier.

Mega DDoS attacks that exceeded 100 Gbps were down compared to the previous quarter – 12 versus 19 – but of those 12, several were driven by the notorious Mirai botnet.

“Mirai continued to drive large attacks and, with the source code publicly available, various actors have adopted and customized the code for their own purposes,” the report stated. “There were at least 37 attacks sourced from Mirai this quarter, averaging 57 Gbps, showing that this botnet is nowhere close to going away.”

However, while the Mirai botnet continues to be a major source of attacks, the Akamai report had this warning: “The Mirai botnet continued as one of the largest threats in the fourth quarter, but it is not the only Internet of Things (IoT)-based botnet. At least two other major IoT-based botnets are in use." 

They may be variants of Mirai or new, unrelated botnets, the report explained. In any case, IoT continues to provide resources to fuel future DDoS attacks. 

Another piece of malware that seems to be seeing new life is Spike. Akamai said that in September 2014 it mitigated a Spike attack that peaked at 214 Gbps. Two years later, it stopped a Spike attack that more than doubled to 517 Gbps.

Further, the Simple Service Discovery Protocol (SSDP) “exploded” this past quarter as a reflector source, expanding by 321 percent, the report stated, speculating that this massive increase might be due to the “greater level of focus that the attackers have been directing towards IoT devices.” Akamai attributes the increase in the fourth quarter last year to the growing number of home routers attached to IoT devices.

This isn't the first time Akamai warned about the vulnerabilities of IoT devices and Port 1900. In a threat advisory released by the company in October 2014, the company noted that the port was being used for DDoS attacks.