Blocking DDoS Archive

NEARLY THREE-QUARTERS of companies have been the victim of a distributed denial-of-service (DDoS) attack, and 80 per cent have been hit more than once, according to a new report from Neustar that puts part of the blame on the Internet of Things (IoT).

The Threatscape Widens: DDoS Aggression and the Evolution of IoT Risks report highlights a growing threat to small and medium-sized businesses everywhere.

Neustar found that 57 per cent of victims reported some kind of theft following the attack, involving customer data, financial information or intellectual property.

Some 47 per cent of companies that have been attacked have suffered more than five times. We reported in October that some firms get hit as many as four times a day.

The cost is not insignificant. Half of the victims lost an estimated $100,000 an hour during peak outages, while around a third took a $250,000 hourly punch in the face. Neustar reckons that it takes about three hours for an organisation to realise that it’s under attack.

You possibly know this already, but the threat of DDoS attacks has prompted firms to invest more money in security.

“The findings of our most recent report are clear: attacks are unrelenting around the world but organisations now recognise DDoS attacks for what they are – an institutionalised weapon of cyber warfare – and are protecting themselves,” said Rodney Joffe, head of IT security research at Neustar.

“We present the data from our third DDoS survey as a means to inform the public of the dangers associated with DDoS attacks. This should be a discourse that reaches from security through to marketing, as when a DDoS attack hits the reverberations have a domino effect throughout all departments.”

This wouldn’t be a 2016 security news story without some consideration of where the Internet of Things fits into this, and it seems to be right in the middle.

“The IoT is already here, but the internet was never built with security in mind; ease of use and convenience were paramount,” said Hank Skorny, senior vice president for the IoT at Neustar.

“Every IT professional knows it can take just one successful hack on an IoT device to access and compromise an entire network. As IoT devices continue to become ingrained into our electrical grid, hospitals, assembly lines and other essential areas of life, the stakes are simply too high to leave security to chance.”




New research has revealed that the UK is one of the biggest targets for DDoS criminals, as the number of attacks continues to soar.

The latest Imperva Global DDoS Threat Landscape Report discovered that the UK is the second-most targeted nation, being hit by over nine per cent of all DDoS attacks in the first three months of 2016. Only the US suffered more, at 50.3 per cent.


Main source

Businesses of all sizes are being targeted by the global threat of DDoS attacks, according to the report, which also revealed that South Korea is the main source of DDoS attacks around the globe. This is partly down to a sharp rise in botnet activity in the country, according to Imperva. Russia and Ukraine also topped the list of originating countries, particularly via the Generic!BT malware, a Trojan used to compromise Windows computers.


Frequency increase

Finally, Imperva also saw the frequency of attacks continue to increase. In the first quarter of 2016, every other site that came under attack was targeted more than once. The share of sites that were targeted between two and five times increased from 26.7 per cent to 31.8 per cent.

Imperva’s Igal Zeifman said: “Every DDoS attack mitigated is an invitation for the attacker to try harder. This is the reality of the DDoS protection business and the common motive for many of the trends we are observing in the DDoS threat landscape today.”



As we’ve reported repeatedly in these pages, distributed denial of service attacks are growing both in terms of number and size.

Now it seems that DDoS attackers are coming up with even more elaborate tools and attack methods to take down websites and networks, according to the latest report from DDoS mitigation firm Imperva.

Imperva’s analysis is based on data from 3,791 network layer and 5,267 application layer DDoS attacks on websites using its Incapsula services from January 1, 2016 through February 29, 2016.

For example, attackers are expanding their use of browser-like DDoS bots capable of bypassing standard security challenges. The use of these bots increased to a record-breaking 36.6 percent of application layer attacks, up from 6.1 percent in the previous report.

In addition, DDoS attackers are increasingly using upload scripts to mount multi-gigabit HTTP POST flood attacks. The scripts randomly generate large files and attempt to upload them to the server, creating an HTTP flood of extremely large content-length requests.
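The flood described above shows up in web-server logs as a burst of POST requests with very large declared Content-Length values from the same source. The following detector is an added example written for this page; it is not Imperva's or Incapsula's code. It assumes a constructed log format in which each line carries the client IP, an ISO timestamp, the request line and the request Content-Length (the standard combined log format records the response size, not the request size, so a custom format like this one would have to be configured). It keeps a sliding window of large POSTs per source and raises an alert when a source exceeds a count threshold within the window.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not taken from the article or from any vendor data).
# Assumed format: <client_ip> [<ISO timestamp>] "<METHOD> <path>" <request Content-Length>
SAMPLE_LOG = """\
203.0.113.10 [2016-02-10T12:00:00] "POST /upload" 950000000
203.0.113.10 [2016-02-10T12:00:02] "POST /upload" 1200000000
203.0.113.10 [2016-02-10T12:00:04] "POST /upload" 1100000000
203.0.113.10 [2016-02-10T12:00:05] "POST /upload" 980000000
198.51.100.7 [2016-02-10T12:00:06] "GET /index.html" 0
198.51.100.7 [2016-02-10T12:00:09] "POST /api/comment" 512
192.0.2.44 [2016-02-10T12:00:10] "POST /upload" 52428800
192.0.2.44 [2016-02-10T12:03:30] "POST /upload" 52428800
"""

LINE_RE = re.compile(r'^(\S+) \[([^\]]+)\] "(\S+) (\S+)" (\d+)$')


def parse_line(line):
    """Parse one log line into (ip, timestamp, method, path, content_length).

    Returns None for lines that do not match the assumed format, so a
    malformed line never aborts the whole scan.
    """
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ip, ts, method, path, clen = m.groups()
    return ip, datetime.fromisoformat(ts), method, path, int(clen)


def detect_post_flood(lines, size_threshold=100 * 1024 * 1024,
                      window=timedelta(seconds=60), max_large_posts=3):
    """Flag sources that send too many large POSTs inside a sliding time window.

    size_threshold: Content-Length (bytes) above which a POST counts as "large".
    window:         how far back to look when counting a source's large POSTs.
    max_large_posts: count at or above which the source is reported.

    Returns {ip: {"count": n, "declared_bytes": total}} describing the window
    state at the most recent time the source tripped the threshold.
    """
    recent = defaultdict(deque)   # ip -> deque of (timestamp, content_length)
    alerts = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, _path, clen = rec
        # Only large POST bodies are relevant to this pattern; GETs and
        # ordinary form posts are ignored.
        if method != "POST" or clen < size_threshold:
            continue
        q = recent[ip]
        q.append((ts, clen))
        # Evict entries that have aged out of the window.
        while q and ts - q[0][0] > window:
            q.popleft()
        if len(q) >= max_large_posts:
            alerts[ip] = {
                "count": len(q),
                "declared_bytes": sum(c for _, c in q),
            }
    return alerts


def run_sample():
    """Run the detector over the constructed sample log."""
    return detect_post_flood(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for ip, info in run_sample().items():
        print(f"ALERT {ip}: {info['count']} large POSTs, "
              f"{info['declared_bytes']} declared bytes in window")
```

In the sample, 203.0.113.10 sends four POSTs declaring roughly a gigabyte each within five seconds and is reported; 192.0.2.44 sends two 50 MiB uploads more than three minutes apart and stays below both the size and the count thresholds. Detection like this is only half of the answer: the cheaper control is to reject oversized request bodies at the edge (a per-route body-size limit on the web server or reverse proxy) so the server never buffers the declared content in the first place.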

Also, network layer attacks are growing more sophisticated. Attackers are employing millions-of-packets-per-second, or Mpps, assaults in which small network packets are pumped out at extremely high speed to overwhelm network switches, resulting in denial of service.

In terms of botnets, the first quarter saw a steep increase in DDoS traffic out of South Korea, making it the country of origin for 29.5 percent of botnet activity. The majority of these assaults were aimed at websites hosted in Japan and the United States.

The United States took the brunt of DDoS attacks, with a majority targeting that country. The United Kingdom came in a distant second, with 9.2 percent of attacks.



Having a military background, I tend to look at all security issues with the perspective of someone who’s served in the armed forces. That means using a thorough investigation process that doesn’t treat any action as accidental or an attack as a stand-alone incident and looking for links between seemingly unconnected events.


This method is used by law enforcement agencies to investigate acts of terrorism, which, sadly, are happening more frequently. While terror attacks that have occurred in the physical world are making headlines, the virtual world is also under attack by sophisticated hackers. However, not much is said about the similarities between investigating both types of attacks or what security researchers can learn from their law enforcement counterparts. I’ve had this thought for a while and, fearing that I’d be seen as insensitive to recent events, debated whether to write this blog. After much thought, I decided that the stakes are too high to remain silent and continue treating each breach as a one-off event without greater security implications.

The parallels between cyber and terror attacks are numerous: they involve well-coordinated adversaries who have specific goals and planned intricate campaigns months in advance. The target’s security measures are irrelevant and can always be exploited. Preventing cyber and terror attacks is difficult, given the numerous vectors an adversary can use. Discovering one component of either type of attack can lead to clues that reveal an even larger, more detailed operation. But the methods used to investigate cyber attacks often fall short at establishing links between different events and possibly preventing hackers from striking again.

Cyber attacks targeting infrastructure are happening

To date, we haven’t experienced a cyber attack that has caused the same devastation as what’s happened in the physical world. Having your credit card number stolen doesn’t compare to lives being lost. But this doesn’t mean we won’t see cyber attacks that cause major disruptions by targeting critical infrastructure.

In fact, they’re already happening. Just last week the U.S. Department of Justice accused seven Iranians of hacking the computer control system of a dam in New York and coordinating DDoS attacks against the websites of major U.S. banks. According to the DOJ, the hackers would have been able to control the flow of water through the system had a gate on the dam not been disconnected for repairs. Then in December, hackers used malware to take over the control systems of two Ukraine energy plants and cut power to 700,000 people. I’m not trying to spread fear of a cyber apocalypse by mentioning these incidents. Fear mongering isn’t applicable if the events have occurred.

When examining terror attacks, police conduct forensic investigations on evidence found at the scene. If suspects are arrested, the police confiscate their smartphones (as we’ve seen with the iPhone used by the shooter in the San Bernardino, Calif., attack) and computers and review information like call logs and browsing histories. These procedures may provide investigators with new information that could lead to other terror plots being exposed, the arrest of additional suspects and intelligence on larger terrorist networks.

Applying an IT perspective to breaches won’t reveal complete cyber attacks

Cyber attacks, on the other hand, are investigated in a manner that isn’t as effective. They’re handled as individual incidents instead of being viewed as pieces of a larger operation. I’ve found that too many security professionals are overly eager to remediate an issue. Considering the greater security picture isn’t part of the process, nor is it culturally acceptable within most organizations to do so. Corporate security teams have been conditioned to resolve security incidents as quickly as possible, re-image the infected machine and move on to the next incident.

Cyber attacks, though, are multi-faceted and the part that’s the most obvious to detect sometimes serves as a decoy. Adversaries know security teams are trained to quickly shut down a threat so they include a component that’s easy to discover. While this allows a security professional to report that a threat has been eliminated, this sense of security is false. Shutting down one known threat means exactly that: you’re acting on a threat that was discovered. But campaigns contain other threats that are difficult to discover, allowing the attack to continue without the company’s knowledge.

Unfortunately, most companies don’t approach cyber security with either a military or law enforcement perspective. They use IT-based methods and try to block every threat and prevent every attack, approaches that are unrealistic and ineffective given the sophisticated adversaries they’re facing. The clues security teams need to discover, eliminate and mitigate the damage from advanced threats are contained in the incidents they have been resolving.

Cyber security stands to learn a lot from law enforcement when it comes to investigating attacks. Next time they’re looking into a breach, security professionals should:
• Not treat a security incident as an individual event. Try to place it in the greater context of what else is occurring in your IT environment. View the attack as a clue that, if followed, can reveal a much larger, more complex operation.

• Instead of immediately remediating an incident, consider letting the attack execute to gather more intelligence about the campaign and the adversary.

• Remember the threat that’s the most obvious to detect is often used as a decoy to shield a more intricate operation.

While there will always be terrorists and hackers, remembering these points helps us stay ahead of them, minimize the impact of their attacks and regain a sense of control.


Bitcoin startup Coinkite closes wallet service due to “BS” of DDoS attacks, dealing with lawyers | SiliconANGLE


Bitcoin startup Coinkite, Inc. has announced that it is closing down its secure Bitcoin wallet service in order to focus on building hardware-based Bitcoin products instead.

Founded in 2012, Coinkite billed itself as the easiest and safest way to use and accept Bitcoin, along with the claim that it offered “the world’s most advanced web wallet system” that “empowers customers and merchants to BUY, SELL, ACCEPT and STORE Bitcoins and other crypto currencies, in both the online and physical worlds.”

The closure of the Bitcoin wallet service will take place over the coming 30 days, with users who do not remove funds from their wallets at the end of the period having their Bitcoin withdrawn and credited to them automatically.

Projects listed by the company as its future include something called Opendime, which is described as a physical Bitcoin; a completely stand-alone Bitcoin terminal/hardware wallet with printer and QR scanner; hardware products for authentication and security; general purpose stand-alone Bitcoin solutions; and, last but not least, hardened services for hosting Bitcoin hot wallets.


It would appear that much of the decision to get out of the online Bitcoin wallet business was due to the company constantly dealing with harassment. A blog post announcing the move described how the company had been under constant Distributed Denial of Service (DDoS) attacks over the last three years, and had also had to deal with government agencies and attempted intrusions into client privacy.

In an interview with Coindesk, Chief Executive Officer Rodolfo Novak said that the company wanted to move away from software as their meager resources were being drained by the “amount of bullshit” involved with running the service.

“We want to write software, not deal with lawyers and DDoSing … One of the main issues with SaaS is all the free users and need support and we want to provide good support. All these things have costs,” Novak noted.

Coinkite’s decision to close its Bitcoin wallet service is a considerable one, with the company having reported in September 2015 that it had processed some $250 million in transactions in the preceding 3 months, making it one of the bigger Bitcoin wallet providers in the market.

Before all services stop in 30 days, Tor access and Coinkite’s application programming interface will be closed within 14 days, and prorated balances for annual pre-paid plans will be refunded.