time line-of-ddos-campaigns-against-mit-threat-advisory

1

CaseStudy:Time-lineofDDoScampaignsagainstMITAuthoredbyWilberMejia,AkamaiSIRT

1.0/OVERVIEW/THISpublicationdetailsaseriesofDDoSattackcampaignsagainsttheMassachusetts Institute of Technology (MIT)network.Sofarin2016,MIThasreceivedmorethan35DDoScampaignsagainstseveraldifferenttargetswhichhavebeenmitigatedbyatleastoneofourcloudsolutions.

FurtherinvestigationbyAkamaiSIRTrevealedthatcloseto43%ofattackvectorsleveragedduringthesecampaignsincludedDDoSreflectionandamplificationattackvectors.ThefullvectorlistconsistedofACK,CHARGEN,DNS,GET,ICMP,NTP,NETBIOS,RESERVEprotocol,SNMP,SSDP,SYN,TCPanomaly,UDP,andUDPFRAGMENTfloods.AttackerstargetedmultipledestinationIPswithintheMITnetworkduringthecampaigns.AttacksoriginatedfromacombinationofdevicesvulnerabletoreflectionabuseandspoofedIPsources.ThefullvectordistributionbreakdownforallattacksislistedinFigure4.

TheanalysisisbasedonfingerprintedsignaturescollectedfromattackreportsaswellasthesourceIPsfromourmitigationdevices.Thelargestattackcampaignpeakedat295GbpsconsistingofonlyaUDPfloodattackvector.Priortothat,thelargestattackpeakedat89.35usingacombinationofUDPflood,DNSflood,andUDPfragmentattackvectors.DuringthiscampaignattackerstargetedatotalofthreedestinationIPaddresses.Theseattacktypeshavecommonlybeenincludedinsitesofferingsocalledbooterorstresserservices.

UDPandDNSreflectionsattackvectorsgeneratedthemajorityofattacktrafficfromtheinvestigatedcampaigns.However,onMay6thof2015,MITexperiencedaverylargeDDoScampaignwhichincludedaspecificpaddedSYNflood.Additionalinformationsurroundingthiscampaignisdescribedinmoredetailwithinthe Q32015StateoftheInternet-SecurityReport.

2.0/HIGHLIGHTEDATTACKCAMPAIGNATTRIBUTES/AlthoughXorDDoSBOTNETattackswerepersistent,theydidnotproducethelargestamountofmalicioustrafficagainstMIT.Asmentionedpreviously,thelargestattackpeakedat295Gbps|58.6Mppswhilethesecondlargestattackpeakedat89.35Gbps|8.37Mpps.Thelatterattackwaslaunchedusingattacksandtoolscommonlyofferedinbooter/stressersuites.The295GbpsattackwascomprisedofaspecificUDPfloodsignaturewhichisbelievedtobepartofamalwarevariantknownasSTD/Kaiten.AnongoinginvestigationisbeingconductedbyAkamaiSIRTregardingthismalware.Listedbelowaresomecampaignhighlights:

TLP:WHITE

IssueDate:7.22.2016

2

LARGESTATTACKCAMPAIGN ● EventTimeStart:Jun7,201622:48:55UTC● EventTimeEnd:Jun8,201617:04:04UTC● Peakbandwidth:295Gigabitspersecond● Peakpacketspersecond:58.6MillionPacketspersecond● AttackVector:UDPFlood,UDPFragment,DNSFlood● Sourceport:randomized● Destinationport:80

UDPFlood: 22:48:55.057813IPx.x.x.x.48679>x.x.x.x.80:UDP,length600 22:48:55.057815IPx.x.x.x.46076>x.x.x.x.80:UDP,length600 22:48:55.057819IPx.x.x.x.34698>x.x.x.x.80:UDP,length600 22:48:55.057848IP181.136.97.12.34161>x.x.x.x.80:UDP,length600 22:48:55.057853IP181.136.97.12.34161>x.x.x.x.80:UDP,length600 22:48:55.057863IP201.232.6.199.44219>x.x.x.x.80:UDP,length600

23:58:08.871990IPx.x.x.x.4751>x.x.x.x.80:UDP,length1 23:58:08.871999IPx.x.x.x.4751>x.x.x.x.80:UDP,length1 23:58:08.872005IPx.x.x.x.4751>x.x.x.x.80:UDP,length1 23:58:08.872011IPx.x.x.x.4751>x.x.x.x.80:UDP,length1 23:58:08.872014IPx.x.x.x.4751>x.x.x.x.80:UDP,length1 23:58:08.875194IPx.x.x.x.4751>x.x.x.x.80:UDP,length1 Figure1:LargestdocumentedUDPFloodcampaignagainstMIT

SECONDLARGESTATTACKCAMPAIGN

● EventTimeStart:Apr2,201604:17:00UTC● EventTimeEnd:Apr2,201614:45:11UTC● Peakbandwidth:89.35Gigabitspersecond● Peakpacketspersecond:8.37MillionPacketspersecond● AttackVector:UDPFlood,UDPFragment,DNSFlood● Sourceport:53,randomized● Destinationport:randomized

UnlikeXor,thesekindsofattacksaremoreaccessibletoamuchlargerpopulationofmaliciousactors.ThefactisalmostanyonewithmotivationandenoughknowledgetodeterminetheIPoftheirtargetcanlaunchtheseattacksatlowcost.ArecentlookatapricingofpopularsitesofferingDDoS“stresser”servicesshowthiscanbeperformedforaslittleas19.99/month.

3

Figure2:Examplebootersitepricingplans

Figure3containsalltheattacksignaturesusedinthespecifiedDDoSattack.Inparticularthesignaturerevealsthedomainsabusedforamplificaitonofattackreponsesincludedcpsc.govandisc.org.Inaddition,thesedomainsmakeuseofDNSSEC.ArecentAkamaiSIRTadvisorydetailstheincreasesinuseofDNSSECpoweredreflectionattacks.TheseDNSattackshavebeenwidespreadacrossmultipleindustriesincludinggamingandfinancialservices.Thedomainownersthemselvesarenotatfaultanddon'tfeeltheeffectsoftheseattacks.AttackersabuseopenresolversbysendingabarrageofspoofedDNSquerieswheretheIPsourceissettobetheMITtargetIP.Mostoftheseserverswillcachetheinitialresponsesomultiplequeriesarenotmadetotheauthoritativenameservers.

DNSreflectionflood 04:17:11.736254IPx.x.x.x.53>x.x.x.x6007:45488|22/0/0DNSKEY,AAAA2600:803:240::2,A63.74.109.2,TXT"v=spf1ip4:63.74.109.6ip4:x.x.x.xip4:x.x.x.xmxa:REDACTED

04:17:11.736257IPx.x.x.x.53>x.x.x.x.30267:43542/2/0NSREDACTED.(105)

04:17:11.736276IPx.x.x.x.53>x.x.x.x7519:45488|22/0/0Type51,RRSIG,DNSKEY,DNSKEY,DNSKEY,DNSKEY[|domain]

04:17:11.736287IPx.x.x.x.53>x.x.x.x.44609:4354|22/0/0RRSIG,A63.74.109.2,TXT"v=spf1

04:20:08.919421IPx.x.x.x.53>x.x.x.x.51286:5215613/4/2SPF,DNSKEY,DNSKEY,NAPTR,TXT"v=spf1amxip4:x.x.x.x/21ip4:x.x.x.x/16ip6:2001:04F8::0/32ip6:xxx:xxx:xx::xx/128~all",REDACTED

04:20:08.920044IPx.x.x.x.53>x.x.x.x.15097:6481213/4/2MX)REDACTED

UDPfragmentflood 04:17:11.736255IPx.x.x.x>x.x.x.x:udp 04:17:11.736279IPx.x.x.x>x.x.x.x:udp 04:32:25.135792IPx.x.x.x>x.x.x.x:udp 04:32:25.135794IPx.x.x.x>x.x.x.x:udp Figure3:SecondLargestdocumentedDNSreflectioncampaignagainstMIT

AllthreeidentifiedsignaturesarerelatedtotheuseofDNSreflectionandamplification.Thelargestresponsesizeofdomainsusedintheattackarelargerthan4,000bytes.ThiscausesfragmentedUDPresponsesduetosurpassingtheMTUsizelimit.Inaddition,theopenresolversatsomepointresponded

4

onrandomsourceportscreatingwhatappearedtobeaUDPflood.ThisfloodcontainedpartsoftheDNSresponsesaswell.

3.0/SAMPLESIGNATURESFROMALLATTACKCAMPAIGNS/InFigure4wehaveincludedattacksignaturesfromotherDDoSattackcampaignslaunchedagainstMIT.Someoftheseareattributedtospecificattacktoolsormalwareasnotedwithintheassociatedheading.Allofthereflectionattacksincludedtypicallyhaveknownattackscriptsnamedaftertheprotocolbeingabusedforreflection.AkamaiSIRThasidentifiedseveralbasedonactivereflectedDDoScampaignsmitigatedthroughouttheyears.

tcpanomaly(noflagflood) 06:16:47.376148IPx.x.x.x.14009>x.x.x.x.63774:Flags[],win16384,length0 06:16:47.376167IPx.x.x.x.42368>x.x.x.x.14547:Flags[],win16384,length0

udpflood 00:09:07.369811IPx.x.x.x.54235>x.x.x.x.80:UDP,length1 00:09:07.369815IPx.x.x.x.34839>x.x.x.x.80:UDP,length1

udpflood-ValveSourceEngineserverattack 05:12:50.302018IPx.x.x.x.10900>x.x.x.x.80:UDP,length25 .e..E(.5......7F.,1...4Z*..P.!......TSourceEngineQuery. 05:12:50.302023IPx.x.x.x.50567>x.x.x.x.80:UDP,length25 .e..E(.5/.............4Z...P.!......TSourceEngineQuery.

udpflood-KaitenIRCbot 01:21:07.454468IPx.x.x.x.48969>x.x.x.x.80:UDP,length50 ....E..NkI@.=...mW....4d.I.P.:..std.PRIVMSG%s:[STD]Donehitting%s! ..PRIVMSG%s 01:21:07.454578IPx.x.x.x.45279>x.x.x.x.80:UDP,length50 ....E..N..@.:.&.[..k..4d...P.:.gstd.PRIVMSG%s:[STD]Donehitting%s! ..PRIVMSG%s reservedprotocolflood 09:05:17.104369IPx.x.x.x>x.x.x.x:ip-proto-25540 09:05:17.104391IPx.x.x.x>x.x.x.x:ip-proto-25540

icmpflood 05:56:30.132249IPx.x.x.x>x.x.x.x:ICMPechorequest,id0,seq0,length1052 05:56:30.132318IPx.x.x.x>x.x.x.x:ICMPechorequest,id0,seq0,length33 05:56:30.132327IPx.x.x.x>x.x.x.x:ICMPechorequest,id0,seq0,length33

ackflood 21:26:26.747124IPx.x.x.x.1313>x.x.x.x.64:.ack1599122023win65535 21:26:26.747126IPx.x.x.x.1299>x.x.x.x.54:.ack2431016982win65535

synflood 19:41:27.945435IPx.x.x.x.30739>x.x.x.x.80:Flags[S],seq3212705792,win0,length0 19:41:27.945449IPx.x.x.x.14150>x.x.x.x.80:Flags[S],seq2408579072,win0,length0

04:00:29.021344IPx.x.x.x.834>x.x.x.x.80:Flags[S],seq674742734,win16384,length0 04:00:29.021350IPx.x.x.x.834>x.x.x.x.80:Flags[S],seq674742744,win16384,length0

5

synflood-dominateattackscript 22:46:18.939811IPx.x.x.x.50991>x.x.x.x.80:Flags[SEW],seq2223243264,win65535,length0 22:46:18.939817IPx.x.x.x.5076>x.x.x.x.80:Flags[SEW],seq3714842624,win65535,length0

Reflectionbasedattacks(notincludingDNS)

ntpflood 03:10:07.762377IPx.x.x.x.123>x.x.x.x.59007:NTPv2,Reserved,length440 03:10:07.762520IPx.x.x.x.123>x.x.x.x.3955:NTPv2,Reserved,length440

ssdpflood 04:32:27.704362IPx.x.x.x.1900>x.x.x.x.80:UDP,length326 04:32:27.704387IPx.x.x.x.1900>x.x.x.x.80:UDP,length314 04:32:27.704411IPx.x.x.x.1900>x.x.x.x.80:UDP,length268 04:32:27.704436IPx.x.x.x.1900>x.x.x.x.80:UDP,length268 04:32:27.704461IPx.x.x.x.1900>x.x.x.x.80:UDP,length290

snmpflood 00:37:05.109903IPx.x.x.x.161>x.x.x.x.80:[len1468x.x.x.x.80:[len1468.U.....P...0.......public.....S.........0..0-..+........!EdgeOSv1.7.0.4783374.150622.15340...+........ ..+.......C..0........C.SD.h0...+........."snmp@domain.com"0...+.........router-sflanxxxx...+........

chargenflood 16:11:12.127001IPx.x.x.x>x.x.x.x:udp ....E....9..v.P@..L...4_STUVWX pqrstuvwxyz{|}!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXY qrstuvwxyz{|}!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ rstuvwxyz{|}!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[ stuvwxyz{|}!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\ tuvwxyz{|}!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\] uvwxyz{|}!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^ vwxyz{|}!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_ wxyz{|}!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_` xyz{|}!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`a

netbiosflood 15:41:44.528687IPx.x.x.x.137>x.x.x.x.80:NBTUDPPACKET(137):QUERY;POSITIVE;RESPONSE;UNICAST 15:41:44.528706IPx.x.x.x.137>x.x.x.x.80:NBTUDPPACKET(137):QUERY;POSITIVE;RESPONSE;UNICAST Figure4:AttacksignaturesamplesforcampaignslaunchedagainstMIT

BetweenthetimeframeofAugust2013-April2016,MIThasreceivedatotalof74DDoScampaignswithacombinationof121attackvectors.InFigure5weseethebreakdownofallthevectorsleveraged.

6

Figure5:Attackvectorpercentagebreakdown

Agoodportionoftheseattacksusedreflectionbasedattackvectors.Thesereflectorsarenotnecessarilyownedoracquiredbythemaliciousactorsrathertheyareabusedforuseintheseattacks.ForattacksagainstMIT,thereflectorpopulationwasmostlyconcentratedinChina.InFigure6thedistributionshownisbasedon18,825uniquesourcesofreflectorsobservedduringMITattacksandtheircountryoforigin.Chinaalonehadthehighestnumberofreflectorsperasinglecountryinrelationtoallothercountrieswherereflectorsweresourcingfrom.

Figure6:Distributionofreflectorswhichtotaled18,825uniquesources

7

4.0/ATTACKCAMPAIGNSIN2015/In2015,30DDoScampaignsweredetectedandmitigatedoverourdistributedscrubbingcenters.OneofthelargestDDoSattackcampaignsoccurredonMay5th2015consistingofanXorbotnetSYNFlood.

● EventTimeStart:May5,201500:00:00UTC● EventTimeEnd:May6,201501:16:48UTC● Peakbandwidth:41.5Gigabitspersecond● Peakpacketspersecond:5.5MillionPacketspersecond● AttackVector:SYNFlood● Sourceport:Random● Destinationport:80

ThisvectorisconfirmedtobeproducedbytheXorDDoSmalware.Thiswasthelastofaseriesof4attacksfromthisbotnet.AlaterattackfollowedinDecember.InparticularthemalwareisofChineseorigin.AttacksmatchingthispayloadhavemostlytargetedorganizationsinAsia.ThefewcasesofattacksoutofAsiaindicatethebotnetwasundercontrolbymaliciousactorsoperatingoutofChina.ThisbotnetwasbelievedtohavebeentakendownfollowingreportsofarrestsmadeinChinaregardingtheuseofthebotnetinattacks.

Althoughattacksdidstopshortlyafterthosereports,someattacksusingthismalwarearestartingtooccuragainthisyear,althoughatamuchlowerbandwidthpeaks.Figure7providesbandwidthandtimelineofxorspecificattacks.ThebotnetattacksconsistedofSYNfloodtraffic.

Fig7-xorattacktimelinewithpeakGbpsandMpps

5.0 / ATTACK TOOLS - XOR DDOS AND OTHERS / Akamai SIRT was able to obtain and analyze asampleof theXorDDoSmalwaresampleused in theSYN floodattackcampaignagainstMIT.A fullcopyoftheXorDDoSthreatadvisorycanbefoundhere.

8

Thefollowingrepresentsapacketsampleasseeninthewiresharkprotocolanalysistool.ThecharacteristicsobservedmatchedexactlywiththeXorpayloadattacks.

Figure8:Xorpacketsamplewith3flagsset.

XORSYNFlood 07:43:00.790843IPx.x.x.x.29868>x.x.x.x.80:Flags[S],seq1957463376:1957464272,win65535,length89607:43:00.790843IPx.x.x.x.63903>x.x.x.x.80:Flags[S],seq4188011121:4188012017,win65535,length89607:43:00.790844IPx.x.x.x.44652>x.x.x.x.80:Flags[S],seq2926328590:2926329486,win65535,length89607:43:00.790846IPx.x.x.x.14450>x.x.x.x.80:Flags[S],seq947050872:947051768,win65535,length89607:43:00.847578IPx.x.x.x.52587>x.x.x.x.80:Flags[S],seq3446345520:3446346416,win65535,length89607:43:00.847579IPx.x.x.x.36150>x.x.x.x.80:Flags[SE],seq2369138793:2369139689,win65535,length89607:43:00.847579IPx.x.x.x.25421>x.x.x.x.80:Flags[S],seq1666031903:1666032799,win65535,length89607:43:00.847581IPx.x.x.x.18694>x.x.x.x.80:Flags[SE],seq1225191529:1225192425,win65535,length89607:43:00.847581IPx.x.x.x.45937>x.x.x.x.80:Flags[SW],seq3010528554:3010529450,win65535,length89607:43:00.847582IPx.x.x.x.20853>x.x.x.x.80:Flags[SEW],seq1366671372:1366672268,win65535,length89607:43:00.847582IPx.x.x.x.7638>x.x.x.x.80:Flags[SEW],seq500597574:500598470,win65535,length896

Fig9-Attackpayloadtrafficsamples-XorSYNflood

TheintentionofthemalwarecreatorwastocreateapaddedSYNflood.InsomecasesvariousotherflagsareappliedtotheTCPheader.TheextraflagsthatoccurareduetoerrorsintheconstructionoftheTCPheader.TheTCPheaderoptionsarealwaysstaticbutaresometimesplacedinthewronglocationsduetoheadersizecalculationerrors.

AsidefromtheXormalware,mostoftheattackscriptsavailablearewrittenintheCprogramminglanguage.ThevariousSYNfloodattackscriptsseemtobebasedonorsharethesamecode.Thesearethetypesofattackstypicallyavailableonbooter/stressersites.CommonSYNfloodscriptsincludeESYN,XSYN,andDOMINATE.OneobviousexampleofsharedorreusedcodeisobservedinacommentwithintheDOMINATEscript.Figure10containsthecommentfoundinoneofthescriptsindicatinghowsimilartheseare.

9

/*"DOMINATE"AttackScript,thisscriptwassodifficulttomake,itrequiredtakingtheverypublicESSYN attackscript,andreplacing"tcph->res2=1;"to"tcph->res2=3;"inthe"setup_tcp_header"function. Anybodywhopurchasedthisscriptfor$300BTC,yup,it'sliterallychanginga1toa3.

Leaked/MadebyAndyQuez,Arealmexianhero. */ Figure10:DOMINATEattackscriptcommentindicatingcodere-use.

Inadditionallscriptsrandomlygeneratespoofedsourceaddressesandinmostcasesrandomizesourceports.

ForUDPbasedreflectionattacks.Thevariousattackscriptcodealsoborrowsfromotherreflectionattackscripts.Forexample,inthenextfigurethemostcommonchangeistherequestpayloadanddestinationport.

SSDPattackscriptquery: udph->dest=htons(1900); udph->check=0; strcpy((void*)udph+sizeof(structudphdr),"M-SEARCH*HTTP/1.1\r\nHost:239.255.255.250:1900\r\nST:ssdp:all\r\nMan:\"ssdp:discover\"\r\nMX:3\r\n\r\n");

Netbiosattackscriptquery: udph->dest=htons(137); udph->check=0; memcpy((void*)udph+sizeof(structudphdr),"\xe5\xd8\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x20\x43\x4b\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x00\x00\x21\x00\x01",50); Figure11:SSDPandNetbiosreflectionscriptpayloadsections.

6.0/CONCLUSION/Whileanalyzingattacks,itisusuallyverydifficulttoobtainattribution.InthecaseofXorit'spossiblethatthisbotnetwasunderthecontrolofagroupinChinaasperthearrestsinthisreport.NoattacksfromXorwereobservedduringaperiodoftimefollowingthisnews.Otherattackmethods,mostlyavailableinbootersites,addalargerpoolofpotentialactors.Asmoredataiscollectedfromattacks,itmaybepossibletonarrowitdownfurtherbybootersite.AkamaiSIRTwillprovideupdatesasavailable.

CustomerswhobelievetheyareatriskandneedadditionaldirectioncancontactAkamaidirectlythroughCCareat1-877-4-AKATEC(USAndCanada)or617-444-4699(International),they'reEngagementManager,ortheiraccountteam.

Toaccessotherwhitepapers,threatadvisoriesandsecurityresearchpublications,pleasevisitourSecurityResearchandIntelligencesectiononAkamaiCommunity.

10

AboutAkamaiSecurityIntelligenceResponseTeam(SIRT)Focusesonmitigatingmaliciousglobalcyberthreatsandvulnerabilities,theAkamaiSecurityIntelligenceResponseTeam(SIRT)conductsandsharesdigitalforensicsandpost-eventanalysiswiththesecuritycommunitytoproactivelyprotectagainstthreatsandattacks.Aspartofitsmission,theAkamaiSIRTmaintainsclosecontactwithpeerorganizationsaroundtheworldandtrainsAkamai’sProfessionalServicesandCustomerCaretramtobothrecognizeandcounterattacksfromawiderangeofadversies.TheresearchperformedbytheAkamaiSIRTisintendedtohelpensureAkamai’scloudsecurityproductsarebestofbreedandcanprotectagainstanyofthelatestthreatsimpactingtheindustry.

AboutAkamaiAsthegloballeaderinContentDeliveryNetwork(CDN)services,AkamaimakestheInternetfast,reliableandsecureforitscustomers.Thecompany'sadvancedwebperformance,mobileperformance,cloudsecurityandmediadeliverysolutionsarerevolutionizinghowbusinessesoptimizeconsumer,enterpriseandentertainmentexperiencesforanydevice,anywhere.TolearnhowAkamaisolutionsanditsteamofInternetexpertsarehelpingbusinessesmovefasterforward,pleasevisitwww.akamai.comorblogs.akamai.com,andfollow@AkamaionTwitter.

AkamaiisheadquartedinCambridge,MassachusettsintheUnitedStatswithoperationsinmorethan40officesaroundtheworld.OurservicesandrenowenedcustomercareenablebusinessestoprovideanunparalleledInternetexperiencefortheircustomersworldwide.Addresses,phonenumbersandcontactinformationforalllocationsarelistedonwww.akamai.com/locations

©2016AkamaiTechnologies,Inc.AllRightsReserved.Reproductioninwholeorinpartinanyformormediumwithoutexpresswrittenpermissionisprohibited.AkamaiandtheAkamaiwavelogoareregisteredtrademarks.Othertrademarkscontainedhereinarethepropertyoftheirrespectiveowners.Akamaibelievesthattheinformationinthispublicationisaccurateofit’spublicationdate;suchinformationissubjecttochangewithoutnotice.Published07/16