Blocking DDoS Archive

IoT networks can both amplify and be the targets of distributed denial of service (DDoS) or botnet attacks. Architect resilient solutions to properly secure your devices.

Cybercriminals have many different ways of exploiting network vulnerabilities and weak spots in our cyber defenses. Considering that the number of devices we use on a daily basis is growing, more avenues of exploitation will be open to cybercriminals — unless we close those pathways.

Distributed Denial of Service, or “DDoS,” attacks on IoT networks via botnets have been especially alarming and difficult to counter. Let’s have a closer look at DDoS attacks, botnets and ways of protecting against them.

The Anatomy of a DDoS Attack

A simple principle governs a “denial-of-service” attack: attackers attempt to deny service to legitimate users. Typical examples include overwhelming a server or cluster with requests so that everyone loses access to the site, or focusing the attack on a particular target who is then denied access.

With DDoS, the attacker usually has one of three goals:

  1. To cause destruction or destructive change to network components
  2. To destroy configuration information
  3. To consume non-renewable or limited resources

DDoS attacks can be performed on their own or as part of a larger attack on an organization. They usually target bandwidth or processing resources such as memory and CPU cycles. The type of DDoS attack in which we most often see IoT devices used, however, is the botnet attack.

What Makes a Botnet Attack So Destructive?

A botnet is a group of connected computers that work together on repetitive tasks, and it doesn’t necessarily have a malicious purpose. Unfortunately, an attacker can take control of a botnet by infecting vulnerable devices with malware. They can then use the network as a group of devices to perform DDoS attacks whose danger grows with the number of devices involved. What’s more, since IoT devices often interact with the physical world in ways that other IT devices don’t, they are difficult to monitor and safeguard.

If we strive to protect IoT devices the same way we protect our conventional IT devices, there will invariably be faults in the system that cybercriminals might exploit. To eliminate vulnerabilities, we must think of IoT protection in its own terms and take into account the various types of IoT use when we do.

Defending Against an IoT Botnet Attack

Even though the threat of botnets can’t be wholly eradicated, there are still ways to limit the impact and scope of these attacks through preventative action. One of them is placing IoT devices on a segmented network protected from external traffic. It’s also crucial to monitor the systems and invest in intrusion detection processes, which go a long way toward warning a user that the system is being compromised.

How can each layer of your IoT solution stack be architected not to trust any other part naively? Think about that as you design your solution. Find ways to make your network more resilient. Model botnet attacks and test disaster scenario responses.

In addition to network segmentation and testing, we also shouldn’t forget fundamental security measures, such as timely firmware and software patching and the ability to control who can access a particular device, which every IoT solution should take care of.
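The monitoring advice above is easier to act on with a concrete detector. The following added example (not code from the original article) scans constructed web access log lines with a sliding window and shows why a per-source rate limit alone misses a botnet flood: each bot stays under the per-source limit while the aggregate request rate does not. The log format, thresholds and addresses are assumptions made for the example.

```python
"""Sliding-window flood monitor over web access logs. Added example, not code from
the original post: a per-source rate limit alone misses a botnet flood, since each bot
stays under the limit while the aggregate does not. Format/thresholds are constructed."""
import re
from collections import Counter, deque

WINDOW = 10            # seconds of history kept in the sliding window
PER_SOURCE_LIMIT = 30  # requests per window from one address before it is flagged
AGGREGATE_LIMIT = 150  # requests per window from all addresses before a flood is flagged
# Constructed simplified log line: "<unix_ts> <client_ip> <method> <path> <status>"
LINE_RE = re.compile(r"^(\d+) (\d{1,3}(?:\.\d{1,3}){3}) (\w+) (\S+) (\d{3})$")

def parse_line(line):
    """Return (ts, ip, path), or None if the line does not match the format."""
    m = LINE_RE.match(line.strip())
    return (int(m.group(1)), m.group(2), m.group(4)) if m else None

def detect_floods(lines):
    """Scan log lines in time order; return the first alert of each kind (or None)."""
    window = deque()    # (ts, ip) events seen inside the last WINDOW seconds
    per_ip = Counter()  # requests per address inside the window
    alerts = {"per_source": None, "distributed": None}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, _ = parsed
        window.append((ts, ip))
        per_ip[ip] += 1
        while window and ts - window[0][0] >= WINDOW:  # evict expired events
            _, old_ip = window.popleft()
            per_ip[old_ip] -= 1
            if per_ip[old_ip] == 0:
                del per_ip[old_ip]
        if alerts["per_source"] is None and per_ip[ip] > PER_SOURCE_LIMIT:
            alerts["per_source"] = {"ts": ts, "ip": ip, "count": per_ip[ip]}
        if alerts["distributed"] is None and len(window) > AGGREGATE_LIMIT:
            alerts["distributed"] = {"ts": ts, "sources": len(per_ip), "count": len(window)}
    return alerts

def sample_log():
    """Constructed traffic: 3 regular clients for 40 s; from t=30 on, 100 bots each add
    one request per second, far below PER_SOURCE_LIMIT but well above AGGREGATE_LIMIT."""
    lines = []
    for t in range(40):
        for ip in ("203.0.113.5", "203.0.113.6", "203.0.113.7"):
            lines.append(f"{1000 + t} {ip} GET /index.html 200")
        if t >= 30:
            lines.extend(f"{1000 + t} 198.51.100.{bot} GET /login 200" for bot in range(100))
    return lines
```

Running `detect_floods(sample_log())` returns no per-source alert at all but a distributed alert at timestamp 1031 with 103 distinct sources, which is exactly the signal a per-address limiter cannot see.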

The Search for a One-Size-Fits-All Security Solution

IoT is a developing technology that we must make as secure as possible, tempering its frenetic evolution with necessary security protocols and standards. Considering how quickly it’s being woven into our everyday lives, businesses and homes, IoT developers, manufacturers, distributors and consumers must work together to eliminate common IoT vulnerabilities and ensure that each device is as secure as it can be from emerging threats.

Source: https://www.iotforall.com/iot-botnets-ddos-attack-architecture/

LIHKG, one of the most important websites used to organise pro-democracy protests in Hong Kong, has been hit with a DDoS attack that temporarily took the forum offline this past weekend. And while no one knows for sure who’s behind the attack, we can take an educated guess. The Chinese government is very unhappy, to say the least, about the protests in Hong Kong that have been raging since June.

The DDoS attack, first reported by Bloomberg News, flooded the website’s servers for hours over the weekend, making it impossible for people to log on. The website reports that “some of the attacks were from websites in China.”

LIHKG has been a crucial online forum for the protesters, who are demanding democratic rights under the region’s “one country, two systems” arrangement with China. Protesters even conduct polls on the site to settle disputes about tactics in the leaderless protest movement.

“LIHKG has been under unprecedented DDoS attacks in the past 24 hours,” a statement posted to LIHKG reads. “We have reasons to believe that there is a power, or even a national level power behind to organise such attacks as botnet from all over the world were manipulated in launching this attack.”

The website says that it was hit with 1.5 billion requests on 31 August over a 16-hour period and has urged users to switch to the mobile website version of the forum if the smartphone app isn’t working properly.

The Chinese government is believed to have been behind a similar attack on the messaging service Telegram that happened back in mid-June. The people of Hong Kong have been waiting with dread for China’s People’s Liberation Army (PLA) to invade the semi-autonomous region, as the military has amassed troops just over the border in Shenzhen. It’s not clear whether the PLA will actually invade, but there have been hints by top government leaders over the past few weeks.

LIHKG has been vital for the protesters who use the motto, “Be Water,” a reference to staging civil disobedience in one part of Hong Kong to attract attention before dispersing and quickly moving to another part of the city. The tactic forces police to respond in faraway places and the protesters are often gone by the time the authorities arrive. These fast-adapting methods of protest are only made possible through online organising on services like LIHKG.

YouTube recently dismantled what it called an “influence operation” that may have been operated by the Chinese government to sway western opinion about the protests. Chinese state media have also complained that they’re being discriminated against on US-run social media like Twitter and Facebook, a rather ironic complaint given the fact that mainland Chinese citizens aren’t allowed to access those websites. China’s largest state-run media outlet, Xinhua News, was buying ads on Facebook to smear protesters as violent hooligans before the social media company declared it would no longer take money from the organisation.

Hong Kong’s top politician, Carrie Lam, was caught on audio over the weekend saying that she wished she could quit the job but was unable to. Most Hong Kongers interpreted that to mean Beijing is in control and won’t let her quit. China’s leader, Xi Jinping, took power in 2012 and has done nothing to liberalise the country as some had hoped; instead, his regime has delivered strong economic results under tight government control, which has kept the wealthy happy.

The young people of Hong Kong realise that this may be their last opportunity to stand up for their rights before Beijing exerts total dominance on the region. And they’ve sworn that they won’t give up.

All we can say as outsiders is that we hear you, we see you, and we’re with you in spirit. Stay strong, Hong Kong.

The issue impacts users of the vendor’s Cloud WAF product.

Imperva, the security vendor, has made a security breach public that affects customers using the Cloud Web Application Firewall (WAF) product.

Formerly known as Incapsula, the Cloud WAF analyzes requests coming into applications, and flags or blocks suspicious and malicious activity.

Users’ emails and hashed and salted passwords were exposed, and some customers’ API keys and SSL certificates were also impacted. The latter are particularly concerning, given that they would allow an attacker to break companies’ encryption and access corporate applications directly.

Imperva has implemented password resets and 90-day password expiration for the product in the wake of the incident.

Imperva said in a website notice that they learned about the exposure via a third party on August 20. However, the affected customer database contained old Incapsula records that go up to Sept. 15, 2017 only.


“We profoundly regret that this incident occurred and will continue to share updates going forward,” Imperva noted. “In addition, we will share learnings and new best practices that may come from our investigation and enhanced security measures with the broader industry. We continue to investigate this incident around the clock and have stood up a global, cross-functional team.”

Imperva also said that it “informed the appropriate global regulatory agencies” and is in the process of notifying affected customers directly.

When asked for more details (such as if this is a misconfiguration issue or a hack, where the database resided and how many customers are affected), Imperva told Threatpost that it is not able to provide more information for now.

Source: https://threatpost.com/imperva-firewall-breach-api-keys-ssl-certificates/147743/

According to Eric Muntz of Keone Software, malware and data breaches are not the only risks website owners face these days. DDoS attacks can be devastating enough to destroy your business. Read this post to find out about the major DDoS attacks.

The GitHub attack of 2018

The GitHub attack of 2018 remains the largest DDoS attack of all time and targeted GitHub, a popular code-management site on the internet. The attack peaked at a rate of 1.3 Tbps, sending packets at a rate of 126.9 million per second. No botnets were involved; instead, the attackers relied on the amplification effect of the database caching system known as Memcached. GitHub, having learned from the attack against it in 2015, was using a DDoS protection service, was alerted within 10 minutes of the attack starting, and the attack lasted only twenty minutes.

The Dyn Attack

The Dyn attack, which took place in October 2016, was initiated by a DNS operator and aimed at taking down major websites including PayPal, Amazon, Airbnb, Visa, The New York Times, Netflix, GitHub and Reddit. The malware primarily used to achieve this is known as Mirai, which is capable of building a botnet from vulnerable internet-connected devices such as webcams, printers, monitors and others of the same kind. To launch the attack, all these devices were programmed to send requests to a single victim at a time. The attack did not last long, and Dyn recovered from it within a single day.

The Mafiaboy attack

The Mafiaboy attack was launched in 2000 by a boy of only fifteen who came to be known as Mafiaboy, which is where the attack’s name comes from. The websites attacked included eBay, Yahoo, Dell, CNN and E-Trade, which were the major search engines of that time. This attack not only disrupted major internet services but also caused heavy losses in the stock market. The cybercrime laws that exist today came into being after this DDoS attack.

The Spamhaus Attack

The Spamhaus attack was conducted in 2013 and is regarded as one of the most dangerous and largest attacks. Spamhaus, as the first part of the name suggests, is an organization that helps recognize and filter the spam e-mails a user receives, which makes it the most targeted company for attackers who intend to launch their attacks through spam e-mails. The attack was conducted at a speed of 300 Gbps, and immediately after it began Spamhaus signed up for Cloudflare’s DDoS protection, which played a major role in saving the organization. Even though the attack was unable to cause major impacts, it still degraded the normal functioning of LINX, the London Internet Exchange.

The GitHub Attack

This 2015 DDoS attack was mainly focused on GitHub, and research has indicated that it was motivated by political rivalry; it was one of those attacks that lasted for a while and adapted itself to GitHub’s existing DDoS mitigation strategies. The attack was carried out by injecting unknown JavaScript code into the browsers of users who visited China’s most popular search engine, Baidu. Sites that used Baidu were also affected by this malicious code, which was designed to send HTTP requests to GitHub pages.

Source: https://baltimorepostexaminer.com/top-5-ddos-attacks-of-all-times/2019/08/19

In July 1999, a set of computers infected with the Trin00 malware attacked and took down the network of the University of Minnesota. The episode marked the first recorded case of a distributed-denial-of-service (DDoS) attack.

20 years later, DDoS has evolved into one of the most serious security threats from the arsenal of both cybercrime gangs and nation-state actors.

What is DDoS?

As the name implies, the goal of DDoS attacks is to prevent the target website from providing service to its users by flooding its servers with bogus traffic and starving its resources.

Before engaging in DDoS, attackers typically assemble a “botnet”. Botnets are sets of computers compromised with malware that enables the attacker, the “bot master,” to send them remote commands. After assembling their army of zombie devices, bot masters can launch DDoS attacks by commanding their botnet to simultaneously send fake requests to the target.

With a strong enough botnet, an attacker can overwhelm the targeted server and cause it to crash, preventing it from responding to requests from legitimate users.

Threat evolution

Since the attack against the University of Minnesota, DDoS assaults by criminals have accounted for massive financial losses and damage to the reputation of targeted organizations.

In the past year alone, web hosting and content delivery giant Akamai recorded hundreds of DDoS attacks per week. A recent report by cybersecurity vendor Kaspersky Labs also found an 84% increase in the number of DDoS attacks in the first quarter of 2019, The Daily Swig reported.

Aside from frequency, DDoS attacks have grown in size and extent of damage that they can cause.

Domingo Ponce, director of global security operations at Akamai, has been on the front line of fighting DDoS for over ten years.

“When I started, we were protecting against hacktivism (like Anonymous), script kitties, and companies attacking each other (shady gambling sites),” he told The Daily Swig.

“Now DDoS is all grown up – attacks are state-sponsored, large criminal syndicates are involved, and DDoS is a very significant revenue-based black market industry.”

IoT insecurity fuels the fire

The expansion of the Internet of Things (IoT) has played a major role in the recent growth of DDoS attacks. Many of these devices forgo security by relying on default credentials, making them easy prey for botnet malware.

“Mirai was a turning point highlighting the power of DDoS botnets comprised of IoT devices,” Patrick Sullivan, Akamai’s senior director of security strategy, told The Daily Swig.

The Mirai botnet was behind a major DDoS attack against DNS provider Dyn, which caused a major internet outage in October 2016. The botnet comprised a large number of internet-connected cameras, home routers, and baby monitors.

“Not only do the sheer number of vulnerable IoT devices present a challenge, but attacker willingness to use these bots to perform Application Layer Attacks leads to higher levels of sophistication,” Sullivan said.

Protect and survive

Shortly after the Dyn attack in 2016, the hackers behind the Mirai botnet declared they would rent out their massive botnet for $7,500, marking the rise of DDoS-as-a-service, where cybercriminals need little or no technical knowledge to carry out an attack.

The spread of DDoS attacks has also given rise to a market for DDoS mitigation.

“The only viable option is to deploy mitigation in even more distributed architectures,” Akamai’s Sullivan said.

“Even a massively scalable cloud solution deployed to a small number of locations and ISPs will struggle to contain the truly massive attacks. Peering points aren’t designed to handle huge spikes in traffic, and congestion will occur before traffic can route to mitigation points.”

Source: https://portswigger.net/daily-swig/20-years-of-ddos-attacks-what-has-changed