VOLUME 6, NUMBER 3
3RD QUARTER, 2013 REPORT
The State of the Internet

©2014 Akamai Technologies, Inc. All Rights Reserved. Reproduction in whole or in part in any form or medium without express written permission is prohibited. Akamai and the Akamai wave logo are registered trademarks. Other trademarks contained herein are the property of their respective owners. Akamai believes that the information in this publication is accurate as of its publication date; such information is subject to change without notice. Published 01/14.
Acknowledgements

EDITOR: David Belson
CONTRIBUTOR: Jon Thompson
CONTRIBUTOR: Svante Bergqvist (Ericsson)
ART DIRECTOR: Brendan O’Hara
CONTRIBUTOR: Martin Mckeay
CONTRIBUTOR: Mathias Sintorn (Ericsson)
GRAPHIC DESIGNER: Carolynn DeCillo
CONTRIBUTOR: Michael Smith
CONTRIBUTOR: Geoff Huston (APNIC)

Please send comments, questions, and corrections to firstname.lastname@example.org

INCLUDES INSIGHT ON MOBILE TRAFFIC AND CONNECTED DEVICES FROM ERICSSON

Letter From the Editor

Over the last five-plus years, the State of the Internet Report has grown into a key reference for those involved in broadband initiatives around the world, whether at an industry or government level. I am extremely excited to see that it has become such a valuable resource for those tracking the progress of high-speed Internet connectivity in their state or country.
Going forward, I am confident that average and average peak connection speeds, as well as high broadband and broadband adoption levels, will continue to improve over the long term, and that the State of the Internet Report and associated data visualization tools will continue to provide valuable and actionable data for this constituency.

While those tracking broadband progress often focus primarily on wired connectivity, we also need to make sure that we don’t lose sight of the progress being made on mobile Internet connectivity as well. While the State of the Internet Report currently provides somewhat limited insight into connection speeds across mobile network providers, we plan to improve this insight throughout 2014, expanding the scope of coverage. In addition, the often vast differences in experience across users on various types of devices and platforms on mobile and fixed connections means that content providers are now faced with the challenge of optimizing for each unique user experience – something known as “situational performance”. In this issue, we begin looking at situational performance, analyzing actual end-user performance measurement data from Akamai customers that have implemented Akamai’s Real User Monitoring (RUM). Going forward, we plan to expand this insight as well, looking at things like differences between device types and trends over time.

In addition, the ongoing improvements in Internet connectivity and the growth in connected devices continue to contribute to the exhaustion of available IPv4 address space. This exhaustion has, in part, driven growth in the adoption of IPv6, though arguably not quite as fast as necessary. Starting with this issue of the report, we are also looking at IPv6 adoption rates at a country and network level, as observed from content requests to the Akamai Intelligent Platform, highlighting those that have taken a leadership position in making this important new technology available.
We will track changes and trends in this data going forward.

Finally, Akamai is launching a State of the Internet companion application for Apple iOS devices. The app provides easy access to interactive State of the Internet data, including the ability to drill down on trends over time at a country level. Each new issue of the report will be available through the app as it is published, and a library of past issues of the report is available as well. The app also includes a feed of State of the Internet-related news items. To download it onto your iPhone or iPad (iOS 6 or 7 required), search the Apple iOS App Store for “Akamai’s State of the Internet”.

As always, if you have questions, comments, or suggestions regarding the State of the Internet Report, connect with us via e-mail at email@example.com or on Twitter at @akamai_soti.

– David Belson

Table of Contents

EXECUTIVE SUMMARY
SECTION 1: SECURITY
  1.1 Attack Traffic, Top Originating Countries
  1.2 Attack Traffic, Top Ports
  1.3 Observations on DDoS Attacks
  1.4 Ongoing Syrian Electronic Army Attacks
SECTION 2: INTERNET PENETRATION
  2.1 Unique IPv4 Addresses
  2.2 IPv4 Exhaustion
  2.3 IPv6 Adoption
SECTION 3: GEOGRAPHY – GLOBAL
  3.1 Global Average Connection Speeds
  3.2 Global Average Peak Connection Speeds
  3.3 Global High Broadband Connectivity
  3.4 Global Broadband Connectivity
SECTION 4: GEOGRAPHY – UNITED STATES
  4.1 United States Average Connection Speeds
  4.2 United States Average Peak Connection Speeds
  4.3 United States High Broadband Connectivity
  4.4 United States Broadband Connectivity
SECTION 5: GEOGRAPHY – AMERICAS
  5.1 Americas Average Connection Speeds
  5.2 Americas Average Peak Connection Speeds
  5.3 Americas High Broadband Connectivity
  5.4 Americas Broadband Connectivity
SECTION 6: GEOGRAPHY – ASIA PACIFIC REGION
  6.1 Asia Pacific Average Connection Speeds
  6.2 Asia Pacific Average Peak Connection Speeds
  6.3 Asia Pacific High Broadband Connectivity
  6.4 Asia Pacific Broadband Connectivity
SECTION 7: GEOGRAPHY – EUROPE/MIDDLE EAST/AFRICA (EMEA)
  7.1 EMEA Average Connection Speeds
  7.2 EMEA Average Peak Connection Speeds
  7.3 EMEA High Broadband Connectivity
  7.4 EMEA Broadband Connectivity
SECTION 8: MOBILE CONNECTIVITY
  8.1 Connection Speeds on Mobile Networks
  8.2 Mobile Browser Usage Data
  8.3 Mobile Traffic Growth as Observed by Ericsson
SECTION 9: SITUATIONAL PERFORMANCE
SECTION 10: INTERNET DISRUPTIONS & EVENTS
  10.1 Syria
  10.2 Myanmar
  10.3 Sudan
SECTION 11: APPENDIX
SECTION 12: ENDNOTES

Executive Summary

Akamai’s globally-distributed Intelligent Platform allows us to gather massive amounts of information on many metrics, including connection speeds, attack traffic, network connectivity/availability issues, and IPv6 growth/transition progress, as well as traffic patterns across leading Web properties and digital media providers. Each quarter, Akamai publishes the State of the Internet Report.

This quarter’s report includes data gathered from across the Akamai Intelligent Platform in the third quarter of 2013, covering attack traffic, Internet connection speeds and broadband adoption, and mobile connectivity, as well as trends seen in this data over time. In addition, this edition of the report includes insight into ongoing Syrian Electronic Army attacks, the states of IPv4 exhaustion and IPv6 adoption, Internet disruptions that occurred during the quarter, and observations from Akamai partner Ericsson regarding data and voice traffic growth on mobile networks.

Security

During the third quarter of 2013, Akamai observed attack traffic originating from source IP addresses in 185 unique countries/regions. Note that our methodology captures the source IP address of an observed attack and cannot determine attribution of an attacker.
China regained the top slot, growing to 35% of observed attack traffic. After spiking over the last several quarters, Indonesia’s share fell by nearly half, as it originated 20% of observed attack traffic during the quarter. In addition to China’s increase, the United States also saw significant growth in observed attack traffic, responsible for 11%. Overall attack traffic concentration across the top 10 countries/regions was on par with the second quarter, up slightly to 83% of observed attacks. Along with the decline in observed attacks originating in Indonesia, the percentage of attacks targeting Ports 80 and 443 declined in the second quarter as well, accounting for just over 27% combined. Port 445 returned to its position as the most-targeted port, growing to 23% of attacks. During the third quarter, Akamai customers reported being targeted by 281 DDoS attacks, an 11% reduction from the prior quarter. Enterprise and Commerce customers together accounted for just over 70% of the reported attacks. In addition, a group known as the Syrian Electronic Army continued its attacks, compromising domain name registrations to redirect traffic away from legitimate sites.

Internet and Broadband Adoption

In the third quarter, Akamai observed a 1.1% increase in the number of unique IPv4 addresses connecting to the Akamai Intelligent Platform, growing to just under 761 million, or about 8 million more than were seen in the second quarter of 2013. Looking at connection speeds, the global average connection speed grew 10% to 3.6 Mbps, but the global average peak connection speed declined 5.2% to 17.9 Mbps. At a country level, South Korea had the highest average connection speed at 22.1 Mbps, while Hong Kong continued to have the highest average peak connection speed at 65.4 Mbps. Globally, high broadband (>10 Mbps) adoption jumped 31% to 19%, and South Korea remained the country with the highest level of high broadband adoption, growing to 70%.
Global broadband (>4 Mbps) adoption grew 5.8% quarter-over-quarter to 53%, with South Korea taking the top slot for this metric as well, with an adoption rate of 93%.

Mobile Connectivity

In the third quarter of 2013, average connection speeds on surveyed mobile network providers ranged from a high of 9.5 Mbps down to a low of 0.6 Mbps. Average peak connection speeds ranged from 49.8 Mbps down to 2.4 Mbps. Based on traffic data collected by Ericsson, the volume of mobile data traffic increased by 80% from the third quarter of 2012 to the third quarter of 2013, and grew around 10% between the second and third quarters of 2013.

Analysis of Akamai IO data collected across the third quarter from a sample of requests to the Akamai Intelligent Platform indicates that, for users of devices on cellular networks, just over 50% more requests came from Android Webkit-based browsers than from Apple Mobile Safari, with Webkit accounting for almost 38% of requests, and less than 24% for Safari. However, for users of mobile devices across all networks (not just cellular), Apple Mobile Safari accounted for just over 47% of requests, with Android Webkit approximately two-thirds of that, at just over 33% of requests.

SECTION 1: Security

Akamai maintains a distributed set of agents deployed across the Internet that monitor attack traffic. Based on data collected by these agents, Akamai is able to identify the top countries from which attack traffic originates, as well as the top ports targeted by these attacks. Note that the originating country as identified by the source IP address is not attribution – for example, a criminal in Russia may be launching attacks from compromised systems in China.

This section provides insight into port-level attack traffic, as observed and measured by Akamai, during the third quarter of 2013. It also includes insight into DDoS attacks that targeted Akamai customers during the third quarter of 2013, as well as additional insight into ongoing attacks for which a group known as the Syrian Electronic Army has claimed responsibility. Within this report, all representations represent our view of the best and most consistent ways of attributing attacks we have been seeing, based not only on published claims, but on analysis of the tools, tactics, and procedures that tend to provide a consistent signature for different adversaries.

1.1 Attack Traffic, Top Originating Countries

During the third quarter of 2013, Akamai observed attack traffic originating from 185 unique countries/regions, up 10 from the second quarter. As shown in Figure 1, after surging earlier in the year, Indonesia dropped back to the second-place slot, responsible for 20% of observed attacks — just over half of the volume seen in the prior quarter. China, which returned as the source of the largest percentage of observed attacks, saw a nominal increase from the second quarter, originating 35% of observed attacks. Though its percentage grew significantly from the second quarter, the United States remained well behind in third place, originating 11% of observed attacks, up from just under 7% in the prior quarter. With the exception of Indonesia and India, all of the countries/regions among the top 10 saw attack traffic percentages increase quarter-over-quarter. This includes Venezuela, which replaced Turkey among the top 10. The overall concentration of attacks declined as compared to the second quarter, with the top 10 countries originating 83% of observed attacks, down from 89% in the prior quarter.

With Indonesia and China continuing to originate significantly more observed attack traffic than any other country/region, the regional distribution of attack traffic remains heavily weighted to the Asia Pacific region. In the third quarter, the region was responsible for just over 68% of observed attacks, down from 79% in the second quarter. Europe’s contribution increased, growing to 13.5% of observed attacks, while North and South America also increased, originating a combined 16%. The percentage of observed attacks originating in Africa also increased slightly in the third quarter, but was still minuscule, at 0.4%.

Figure 1: Attack Traffic, Top Originating Countries (by source IP address, not attribution)

Rank  Country         Q3 '13 % Traffic  Q2 '13 %
1     China           35%               33%
2     Indonesia       20%               38%
3     United States   11%               6.9%
4     Taiwan          5.2%              2.5%
5     Russia          2.6%              1.7%
6     Brazil          2.1%              1.4%
7     India           1.9%              2.0%
8     Romania         1.7%              1.0%
9     South Korea     1.2%              0.9%
10    Venezuela       1.1%              0.6%
–     Other           17%               11%

1.2 Attack Traffic, Top Ports

As shown in Figure 2, Port 445 (Microsoft-DS) returned to its spot as the most targeted port in the third quarter, drawing 23% of observed attacks. Commensurate with the observed decline in attacks originating in Indonesia, the volume of attacks targeting Ports 80 (WWW/HTTP) and 443 (SSL/HTTPS) also declined in the third quarter, dropping to 14% and 13% respectively. The overall concentration of attacks across the top 10 ports declined quarter-over-quarter as well, dropping from 82% to 76%.

Nine of the top 10 targeted ports remained consistent from the prior quarter, with Port 6666 (IRCU) leaving the list, replaced by Port 1998 (Cisco X.25 Over TCP Service), which grew from next to nothing to 1.6% of observed attacks. Data published¹ by the Internet Storm Center indicates elevated rates of attack activity targeting Port 1998 during both July and September — this could be part of the same attack activity that pushed the port into the top 10 for the third quarter.
Interestingly, approximately 60% of the observed attacks targeting the port originated in China, with the balance mostly originating from Taiwan. As noted above, Ports 80 and 443 both saw quarterly declines in traffic percentages, and were joined by Port 1433 (Microsoft SQL Server) and Port 23 (Telnet). In addition to the quarterly increase seen by Port 445, quarter-over-quarter growth in observed attack traffic volume was also seen on Port 3389 (Microsoft Terminal Services), Port 135 (Microsoft-RPC), Port 22 (SSH), Port 8080 (HTTP Alternate), and Port 1998, as mentioned previously.

As the most targeted port overall for the third quarter, Port 445 was the top target port in eight of the top 10 countries/regions — all except for China and Indonesia. In half of those countries/regions, it was responsible for a significantly larger volume of attack traffic than the second most targeted port, ranging from 10x more in Brazil to nearly 57x more in Romania. Within China, Port 1433 continued to be the top target of attacks observed to originate in that country, with just over 2x as many attacks targeting that port as Port 3389, the second most targeted port from the country. Indonesia’s top targeted ports remained Port 443 and Port 80, with over 30x as many attacks targeting those ports as Port 445, the next most targeted port for attacks from the country.

1.3 Observations on DDoS Attacks

Akamai has been analyzing Distributed Denial of Service (DDoS) attacks aimed at our customers for the State of the Internet Report since the end of 2012. The Akamai Intelligent Platform is a massively distributed network of servers that is designed to deliver Web content from optimal servers, ideally as close to the end user as possible. Part of the value of the Akamai platform is to enable our clients to deal with sudden spikes in Web site requests, such as during holiday sales or flash mobs created by news events.
Malicious traffic often attempts to overload sites by mimicking these types of events and the difference is often only distinguishable through human analysis and intervention. Akamai combats these attacks by serving the traffic for the customer while the analysis is being performed and creating specific Web application firewall rules or implementing other protections such as blocking specific geographic regions or IP address blocks as necessary.

Figure 2: Attack Traffic, Top Ports

Port     Port Use                      Q3 '13 % Traffic  Q2 '13 %
445      Microsoft-DS                  23%               15%
80       WWW (HTTP)                    14%               24%
443      SSL (HTTPS)                   13%               17%
1433     Microsoft SQL Server          8.6%              9.5%
3389     Microsoft Terminal Services   5.1%              4.7%
23       Telnet                        3.8%              3.9%
135      Microsoft-RPC                 2.8%              1.4%
22       SSH                           2.2%              1.9%
8080     HTTP Alternate                2.0%              1.4%
1998     Cisco X.25 Over TCP           1.6%              <0.1%
Various  Other                         24%               –

An additional aspect of the Akamai platform is that some of the most common methodologies that are used in DDoS attacks are simply ignored. Attacks that target the lower levels of the TCP/IP stack, such as UDP floods and SYN floods, hit the Akamai platform and are dropped. Specifically, Layer 1-4 traffic does not contain the information needed by Akamai to route it to a specific customer, and is automatically assumed to be either malicious or malformed traffic. The vast majority of the attacks that Akamai is reporting on here is related to traffic in layers 5–7 of the TCP stack, such as volumetric attacks like HTTP GET floods and repeated file downloads, or application and logical layer attacks, which require much less traffic to be effective. These statistics are based on the higher level attacks reported by our customers.

As shown in Figure 3, for the first time since Akamai first began reporting on DDoS attacks, we have seen fewer attacks on a quarterly basis than during the prior quarter, with 281 attacks seen in the third quarter, compared to 318 in the second quarter. Despite this decrease in attacks, Akamai has already seen more attacks so far in 2013 (807) than was seen in all of 2012 (768). While there was a minor reduction (11%) in the number of attacks during the third quarter, 2013 will end up being a much more active year for DDoS than 2012 was. One explanation for the shrinking number of attacks in this quarter is relative silence by one of the biggest attackers from last year and earlier this year, the Izz ad-Dim al-Qassam Cyber Fighters.

Figure 3: DDoS Attacks Reported by Akamai Customers by Quarter

Quarter   # of Attacks
Q4 2012   200
Q1 2013   208
Q2 2013   318
Q3 2013   281

Figure 4 illustrates the distribution of DDoS attack targets by geography. Customers in North America saw only 165 attacks in the third quarter of 2013, an 18% decrease from the previous quarter. These customers continued to see the majority of the attack traffic, although it was only 57% of the total attacks in the third quarter, as opposed to 65% in the second quarter. Customers in the Asia Pacific region saw 71 attacks this quarter, representing a modest decrease of 10% from the previous quarter, but still well above the number of attacks seen in late 2012 and the first quarter of 2013. In contrast, Europe saw a 22% increase in attacks over the previous quarter. Overall, the attacks seen in the third quarter appeared to be targeting customers in European countries while moving away from American customers, with little change seen across Asia Pacific customers.

Figure 4: Q3 2013 DDoS Attacks by Region

Region         # of Attacks
Americas       165
Asia Pacific   71
EMEA           45

Looking at each sector as a proportion of the overall DDoS attacks suffered in the third quarter, Enterprise and Commerce continue to account for nearly the same amount of attacks as the previous quarter, together just over 70% of the total number of attacks, as shown in Figure 5. Both the Media & Entertainment and High Tech segments saw significantly fewer attacks, which was a key contributor to the overall reduction in the number of attacks seen. Given that these two sectors experienced a significantly smaller number of attacks than Commerce and Enterprise, third quarter attack volume represented a large decrease in the amount of attacks as compared to the second quarter, with the numbers much closer to what was seen in the first quarter of 2013.

Figure 5: Q3 2013 DDoS Attacks by Sector

Sector                  # of Attacks
Business Services       66
Financial Services      41
Enterprise              127
Commerce                80
Media & Entertainment   42
High Tech               14
Public Sector           18

A key question that Akamai has started to explore within the DDoS data set is “If you’re the victim of a DDoS attack, what are the chances that you’ll be attacked again?” Figure 6 shows the results as seen in the third quarter data. Out of the 281 attacks that were reported to Akamai in the third quarter, there were a total of 169 unique targets. Twenty-seven customers were attacked a second time, five more reported three attacks, and an additional seven companies were attacked more than three times during the quarter. One customer reported a total of 51 unique attacks in the third quarter of 2013 alone, meaning that on average, at least every other day during the quarter, this customer was the target of a DDoS attack. Based on initial analysis of this data, if your company has been the target of a DDoS attack, there is a 1 in 4 (25%) chance that you will be attacked again within 3 months.

Figure 6: Frequency of Repeated DDoS Attacks

Times Attacked   # of Customers
2                27
3                5
4                3
5                1
>5               3

While Akamai saw a modest decrease in the overall number of attacks that were reported in the third quarter of 2013, there is no indication that this is a long-term reduction. Given that previous quarters saw major increases in the number of attacks, any decrease in the amount of DDoS attacks is a positive sign. However, despite the apparently reduced DDoS threat in the third quarter, Akamai is still projecting that we’ll have seen over a thousand attacks reported by customers by the end of 2013.

1.4 Ongoing Syrian Electronic Army Attacks

In the third quarter of 2013, the hacktivist group calling itself the Syrian Electronic Army (SEA) continued its march. The SEA, which supports the regime of Syrian President Bashar Hafez al-Assad, claimed credit for launching a series of phishing attacks against the DNS registrars of multiple enterprises.

One such attack compromised the administrative panel of a third-party content discovery engine. As part of the attack, malicious code was injected into content served to customers. Other attacks led to compromises at DNS registrars Melbourne IT and GoDaddy. These attacks allowed the SEA to redirect traffic for legitimate domains to one they controlled. Any visitor to an affected Web site was sent to syrianelectronicarmy.com, a propaganda page for the SEA.

Before we delve deeper into the attack details, it’s important to understand who the targets are. Specifically, there are three parties involved when talking about domain names:

• Registrants: People or companies that own a domain name. This is the customer or prospect of the registrar.
• Registrars: Companies that provide domain name registration services to registrants. These companies make money by selling domain names to registrants and uploading the records to a registry. Melbourne IT and GoDaddy are two examples.
• Registries: Companies that maintain the Top Level Domains (TLDs). Registries operate a central database of domain names, but do not sell the names themselves. Registries take the data from the registrars and make it available to anyone querying their servers. Registry examples include Verisign for .com and .net, the Public Interest Registry for .org and the General Services Administration for .gov.

In the most successful and high-profile attacks executed by the SEA in the third quarter, attackers were able to hijack an administrative account from the DNS registrars’ servers. According to published reports² about the attacks, account access was obtained through a phishing attack that compromised an e-mail account where the credentials were stored — specifically, an e-mail account associated with the registrar login was compromised. With these high-level credentials, the attackers were able to change the DNS entries for several common domains at once, resulting in a flood of traffic to the attacker’s propaganda page.

Following these attacks by the SEA, Akamai offered the following guidance to customers to mitigate such attacks:

• First, properly educate the employees with the appropriate access that allows them to update DNS records with the registrar. Many times in these attacks, the username and password were successfully phished away from someone with the relevant credentials. If the credentials can be phished away, the second part of the protection will not help.
• The second part is to have domain locks in place. The site owner can set and control registrar locks. These will prevent any other registrar from being able to successfully request a change to DNS for a domain. The locks that can be set at the registrar level by the site owner are:
  • clientDeleteProhibited: prevents the registrar from deleting the domain records without the owner first unlocking the site.
  • clientUpdateProhibited: prevents the registrar from making updates to the domain name.
  • clientTransferProhibited: prevents the registrar from transferring the domain name to another registrar.

The only exception to these locks is when the domain registration period has expired. These locks can be set and unset by the site owner and many registrars will allow these locks at no cost.

A second level of locks can also be set, although a domain owner may incur additional costs in implementing these. These second level locks are:

• serverDeleteProhibited
• serverUpdateProhibited
• serverTransferProhibited

These server locks operate similarly to the client locks in that they prevent unauthorized changes. Using two-factor authentication, the customer must confirm with the registrar, usually with a passphrase, that it wishes to make the requested changes. This reduces the chance of the registrar being able to make accidental or unwanted changes to the DNS records for the domain.
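
One way to audit a domain portfolio for the six lock statuses listed above, as an added example that is not part of the Akamai report. It reads the statuses from WHOIS "Domain Status:" lines or from the "status" array of an RDAP domain object; the sample records are constructed, and the function names and verdict labels are assumptions of this sketch.

```python
import json
import re

# The six lock statuses named in the guidance above (EPP status codes).
CLIENT_LOCKS = ("clientDeleteProhibited", "clientUpdateProhibited",
                "clientTransferProhibited")
SERVER_LOCKS = ("serverDeleteProhibited", "serverUpdateProhibited",
                "serverTransferProhibited")


def normalize(status):
    """Fold WHOIS 'clientTransferProhibited https://icann.org/epp#...' and
    RDAP 'client transfer prohibited' to the same lowercase key."""
    status = re.sub(r"\S+://\S+", "", status)      # drop the trailing URL
    return re.sub(r"[^a-z]", "", status.lower())   # drop spaces and case


def statuses_from_whois(text):
    """Collect status values from 'Domain Status:' or 'Status:' lines."""
    found = set()
    for line in text.splitlines():
        m = re.match(r"\s*(?:domain\s+)?status\s*:\s*(.+)", line, re.I)
        if m:
            found.add(normalize(m.group(1)))
    return found


def statuses_from_rdap(json_text):
    """Collect status values from the 'status' array of an RDAP domain object."""
    return {normalize(s) for s in json.loads(json_text).get("status", [])}


def audit_locks(statuses):
    """Report which of the six locks are absent from a set of statuses."""
    missing_client = [l for l in CLIENT_LOCKS if normalize(l) not in statuses]
    missing_server = [l for l in SERVER_LOCKS if normalize(l) not in statuses]
    if missing_client:
        verdict = "incomplete client locks"   # registrar-level gap
    elif missing_server:
        verdict = "client locks only"         # no second-level locks
    else:
        verdict = "fully locked"
    return {"verdict": verdict,
            "missing_client": missing_client,
            "missing_server": missing_server}


# Constructed sample records (not real registration data).
WHOIS_FULL = "\n".join(
    ["Domain Name: EXAMPLE.COM", "Registrar: Example Registrar, Inc."] +
    [f"Domain Status: {s} https://icann.org/epp#{s}"
     for s in CLIENT_LOCKS + SERVER_LOCKS])

WHOIS_TRANSFER_ONLY = """\
Domain Name: EXAMPLE.NET
Registrar: Example Registrar, Inc.
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
"""

RDAP_CLIENT_ONLY = json.dumps({
    "objectClassName": "domain",
    "ldhName": "example.org",
    "status": ["client delete prohibited", "client transfer prohibited",
               "client update prohibited"],
})

if __name__ == "__main__":
    records = {
        "example.com": statuses_from_whois(WHOIS_FULL),
        "example.net": statuses_from_whois(WHOIS_TRANSFER_ONLY),
        "example.org": statuses_from_rdap(RDAP_CLIENT_ONLY),
    }
    for domain, statuses in records.items():
        result = audit_locks(statuses)
        missing = result["missing_client"] + result["missing_server"]
        print(f"{domain}: {result['verdict']}; missing: {', '.join(missing) or 'none'}")
```

Run on a schedule against each domain's current record, a change in verdict from one run to the next is also a useful signal that a lock was removed.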