Blocking DDoS Archive

A survey undertaken by Kaspersky Lab and B2B International found that, in most cases, a DDoS attack is only the tip of the iceberg: 74% of respondents from the corporate sector reported that DDoS attacks against their companies coincided with other IT security incidents.

Sometimes these are not coincidences but deliberate attempts to distract IT personnel while an intrusion or data theft is under way. This approach has been called DDoS smokescreening.

In the survey, respondents most often cited malware (21%) and hacking (22%) as the number one threats to their companies, while DDoS was chosen as the most dangerous threat by only 6%. At the same time, DDoS attacks often coincide with malware incidents (in 45% of all cases), and corporate network intrusions (in 32% of all cases). Data leaks were also detected simultaneously with an attack in 26% of cases. Construction and engineering companies encountered this problem more often than others: according to respondents, 89% of DDoS attacks on these companies coincided with other types of attacks.

However, even without taking collateral damage into account, DDoS attacks remain a serious problem that increasingly affects company resources. Specifically, in 24% of all cases a DDoS attack caused services to be completely unavailable (39% for government-owned companies). In 34% of all cases, some transactions failed due to such attacks (64% for transport companies). Last year, these figures were significantly lower: only 13% of companies reported that their services had become completely unavailable due to DDoS attacks, while errors in transactions were experienced by 29% of companies as a result of such attacks.

Significantly longer page loading times remained the most commonly reported consequence of DDoS attacks (53% this year vs. 52% last year), and the survey found that attacks can last for days or even weeks.

“It is natural that DDoS attacks are increasingly causing companies problems. The methods and techniques used by criminals are evolving, with attackers looking for new ways of ‘freezing’ their victims’ operations or masking intrusion into their systems. Even with a large staff of IT professionals it is almost impossible for companies to handle a serious DDoS attack and recover their services on their own. Moreover, if other malicious activity is going on at the same time, this multiplies the damage. The most dangerous part is that companies may never learn they were subjected to DDoS smokescreening,” says Evgeny Vigovsky, Head of Kaspersky DDoS Protection, Kaspersky Lab.

According to Kaspersky Lab, the most effective countermeasure against multi-vector attacks is comprehensive protection that provides security against malware, intrusions and DDoS attacks all at the same time.


Akamai Technologies’ Q4 2014 State of the Internet – Security report found that the number of distributed denial-of-service (DDoS) attacks nearly doubled compared with the same quarter of 2013.

The report showed that DDoS attacks increased by 90 percent from Q4 2013 and by 57 percent compared with the previous quarter. There was also a 52 percent increase in the average peak bandwidth of DDoS attacks compared with Q4 2013.

Akamai observed that the rise of Internet of Things devices is having a profound impact on the DDoS threat landscape. SSDP, the UPnP discovery protocol that many consumer routers, cameras and media devices expose on UDP port 1900, can be abused as a reflector: a small spoofed query elicits a larger response aimed at the victim. The report showed that SSDP flood attacks increased by 214 percent from the previous quarter, with one campaign generating 106Gbps of malicious traffic.

Even so, the report showed that attackers continued to favour force over technique, an approach aided by the exploitation of web vulnerabilities, the addition of millions of exploitable internet-enabled devices, and botnet building.

Attackers also leveraged multiple attack vectors during Q4. In the quarter, 44 percent of DDoS attacks leveraged multiple attack vectors, representing an 88 percent increase in the number of multi-vector attacks since Q4 2013. Akamai said the expansion of the DDoS-for-hire market promoted the execution of multi-vector campaigns.

Average attack duration increased during the quarter by 31 percent to 29 hours, up from 22 hours the previous quarter. This is similar to the 28 percent year-over-year increase from the 23-hour average recorded a year earlier.

As for the timing of DDoS attacks, the report showed it was distributed evenly in Q4, a trend that Akamai said has been fuelled by the increasing number of targets of greater value in previously under-represented geographic locations.


Meanwhile, Akamai said the United States and China continued as the lead source countries for DDoS traffic, with the US accounting for 31.54 percent of attacks, and China for 17.61 percent. This is a change from the last quarter, where Brazil, Russia, and India dominated as the source countries for DDoS attacks.

Akamai said gaming remained the most targeted industry since Q2 2014, and experienced a 2 percent increase this quarter. In Q4, attacks were fuelled by malicious actors seeking to gain media attention or notoriety from peer groups, damage reputations, and cause disruptions in gaming services. Some of the largest console gaming networks were openly and extensively attacked in December 2014, when more players were likely to be affected.

The software and technology industry, which includes companies that provide solutions such as software-as-a-service and cloud-based technologies, came in as the second most targeted industry during the quarter. According to Akamai, this industry saw the sharpest climb in attack rates, up 7 percent from last quarter to 26 percent of all attacks.

“An incredible number of DDoS attacks occurred in the fourth quarter, almost double what we observed in Q4 a year ago,” said John Summers, vice president, Akamai cloud security business unit.

“Denial of service is a common and active threat to a wide range of enterprises. The DDoS attack traffic was not limited to a single industry, such as online entertainment that made headlines in December. Instead, attacks were spread among a wide variety of industries.”


An upgrade to China’s Great Firewall is having knock-on effects all over the internet, with seemingly random sites experiencing massive traffic spikes.

One site owner in North Carolina, Craig Hockenberry, has written up how, after he looked into why his mail server was down, he found 52Mbps of traffic piling into his system: 13,000 requests per second, which he compared to roughly a third of Google’s search traffic.

The post goes into some detail over how Hockenberry managed to deal with the firehose-blast of requests, all of it coming from China and much of it trying to reach BitTorrent services or Facebook. Short version: he blocked all of China’s IP blocks.

Hockenberry is not the only one dealing with a sudden flood of requests, though. There are numerous reports of sysadmins finding that their IP address has appeared in front of the headlights of the Chinese government’s censorship juggernaut, causing their servers to fall over and forcing them to introduce blocking measures to get back online.

After a number of different theories about what was happening, including focussed DDoS attacks and “foreign hackers” – that suggestion courtesy of the Chinese government itself – the overall conclusion of the technical community is that bugs have been introduced into China’s firewall. In particular, something seems to have gone wrong in how it injects forged DNS answers (commonly described as DNS cache poisoning) to redirect users away from sites the government doesn’t want them to see.


China uses a weak spot of the DNS system to intercept requests coming into and going out of the country: classic DNS runs over unauthenticated UDP, so any on-path system that sees a query can answer it first with a forged reply, and the client accepts the first answer that matches its question. If the firewall spots something it doesn’t like – such as a request for “” or “” – it answers with a different IP address, redirecting the client there.

For a long while, China simply sent these requests into the ether – i.e. to IP addresses that don’t exist, which has the effect of causing the requests to time out. However, possibly in order to analyze the traffic more, the country has started sending requests to IP addresses used by real servers.

Unfortunately, it seems that there have been some configuration mishaps and the wrong IP addresses have been entered. When one wrong number means that a server on the other side of the world suddenly gets hit with the full stream of millions of Chinese users requesting information, well then … that server falls over.
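Traffic that arrives this way has a tell-tale signature: the HTTP Host header names a site the server does not host, because the client resolved some other name and was pointed at the wrong address. The following is an added example, not Hockenberry’s own tooling or anything from the articles above, that classifies access-log lines on that basis and aggregates the misdirected requests by source prefix so an operator can decide what to block. The log layout (combined format plus a trailing quoted Host field), the hostnames in OWN_HOSTS and the sample lines are all constructed for the example; the source addresses are documentation ranges standing in for the real ones.

```python
"""Spot requests misdirected to this server by forged DNS answers.

Added example. Assumes a combined-format access log with the Host header
appended as a final quoted field (a constructed layout); OWN_HOSTS and the
sample lines are illustrative, not from any real deployment.
"""
import ipaddress
import re
from collections import Counter

# Hostnames this server legitimately serves (assumption for the example).
OWN_HOSTS = {"example.com", "www.example.com"}

# Combined log format followed by a quoted Host header (constructed layout).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "[^"]*" "(?P<host>[^"]*)"$'
)


def parse(line):
    """Return (source_ip, host, request_line) or None for unparseable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    host = m.group("host").split(":")[0].lower()  # drop any :port suffix
    return m.group("ip"), host, m.group("req")


def is_misdirected(host):
    """A client that resolved our name correctly sends one of OWN_HOSTS.
    Anything else was pointed here by a DNS answer we never gave."""
    return host not in OWN_HOSTS


def summarize(lines, prefix_len=24):
    """Count misdirected requests per source prefix and per foreign host."""
    by_prefix = Counter()
    foreign_hosts = Counter()
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue  # skip junk rather than abort on a bad line
        ip, host, _ = parsed
        if not is_misdirected(host):
            continue
        net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
        by_prefix[str(net)] += 1
        foreign_hosts[host] += 1
    return by_prefix, foreign_hosts


def block_candidates(by_prefix, threshold):
    """Prefixes whose misdirected request count reaches the threshold."""
    return sorted(p for p, n in by_prefix.items() if n >= threshold)


# Constructed sample: TEST-NET addresses stand in for the real sources.
SAMPLE_LOG = [
    '203.0.113.7 - - [20/Jan/2015:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0" "www.facebook.com"',
    '203.0.113.9 - - [20/Jan/2015:10:00:01 +0000] "GET /announce HTTP/1.1" 404 0 "-" "uTorrent/3.4" "tracker.invalid"',
    '203.0.113.42 - - [20/Jan/2015:10:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0" "www.facebook.com"',
    '198.51.100.5 - - [20/Jan/2015:10:00:02 +0000] "GET /about HTTP/1.1" 200 1024 "-" "Mozilla/5.0" "example.com"',
    '198.51.100.6 - - [20/Jan/2015:10:00:03 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0" "www.facebook.com:80"',
    "garbage line",
]

if __name__ == "__main__":
    prefixes, hosts = summarize(SAMPLE_LOG)
    print("misdirected by /24:", dict(prefixes))
    print("foreign hosts requested:", dict(hosts))
    print("block at >=3:", block_candidates(prefixes, 3))
```

Aggregating by /24 rather than by single address is deliberate: a redirected population shows up as a spread of addresses across a few networks, and a per-address block list would never converge. The foreign-host counter is the check that distinguishes this situation from a genuine application-layer attack, which would normally carry the victim’s own hostname.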

The situation has had a broader impact within China. Tens of millions of users weren’t able to access the Web while the government scrambled to fix the problem. According to one Chinese anti-virus vendor, Qihoo 360, two-thirds of Chinese websites were caught up in the mess.

China’s DNS infrastructure experts started pointing the finger at unknown assailants outside its system. “The industry needs to give more attention to prevent stronger DNS-related attacks,” said Li Xiaodong, executive director of China’s Internet Network Information Center (CNNIC).

Your own medicine

The reality, however, is that China has seen the downside to its efforts to reconfigure the basic underpinnings of the domain name system to meet political ends. The network is designed to be widely distributed and route around anything that prevents effective communication.

By setting itself up as a bottleneck – and an increasingly huge bottleneck as more and more Chinese users get online – the Chinese government is making itself a single point of failure. The slightest error in its configurations will blast traffic in uncertain directions as well as cut off its own users from the internet.

For years, experts have been warning about the “balkanization” of the internet, where governments impose greater and greater constraints within their borders and end up effectively breaking up the global internet. What has not been covered in much detail is the downside to the countries themselves if they try to control their users’ requests, yet make mistakes.


Arbor Networks says that the number and size of DDoS attacks against French websites spiked considerably after 3.7 million people took to the streets to protest against terrorism.

The firm leveraged its Arbor Atlas initiative, which receives anonymised internet traffic and DDoS event data from 330 internet service providers (ISPs) worldwide, to view events in France in the days after the protest, which was in response to the Charlie Hebdo shootings that left 20 people dead.

The magazine was targeted by ISIS sympathisers and others unhappy with the satirical magazine’s ridiculing of Islam, including its depiction of the Prophet Muhammed. The publication also satirised other religions.

Comparing the DDoS attacks between January 3-10 and 11-18, the US security firm found that there were 1,342 unique attacks – an average of 708 attacks a day – during the two week period.

The firm noted in a recent blog post that the number of DDoS attacks after the march rose by 26 percent, with the average size of a DDoS attack growing by 35 percent. In the eight days prior to the march the average size was 1.21Gbps; afterwards it increased to 1.64Gbps.

The vast majority of these DDoS attacks were low-level although the number of attacks larger than 5Gbps did double in the days after the protest. Arbor reports that one attack measured as high as 63.2 Gbps on January 11.

“This is yet another striking example of significant online attacks paralleling real-world geopolitical events,” wrote Arbor’s threat intelligence and response manager Kirk Soluk.

Speaking to SC after it first emerged that ‘thousands’ of French websites were facing cyber-attacks, Corero Network Security CEO Ashley Stephenson said that DDoS attacks were increasingly being used as an attack tool during international conflicts.

“Whatever the motivation – cyber-terrorism, retaliation, religious incitement, radicalisation… It is clear that modern conflicts will be fought in the cyber-world as well as the real world,” he said via email.

“The internet should be better protected against all of these associated cyber-threats. Increasingly we are seeing DDoS used as a tool in and around these conflicts and we should be prepared to institute increased cyber-security to protect this vital resource.”

Last week, Admiral Arnaud Coustilliere, head of cyber-defence at the French military, said that about 19,000 French websites had faced cyber-attacks in the days after the shootings, although one source closely connected with the clean-up operation for some of these sites later told SC that hacking groups from Tunisia, Syria, Morocco, the Middle East and Africa had largely ignored DDoS as an attack vector because such attacks “didn’t work”.

Instead, Gérôme Billois, senior manager of Solucom, said that these groups – also believed to often be ISIS sympathisers – had looked to scan thousands of websites to identify and exploit common WordPress, Joomla and other content management system (CMS) vulnerabilities.


It’s impossible to predict when distributed denial of service (DDOS) attacks will hit so companies must take measures to mitigate such an incident.

So says Martin Walshaw, senior engineer at F5 Networks, who notes that barely a month goes by without media reports of a Web site or service being brought down by a DDOS attack. Sony’s PlayStation Network again became the victim of such an attack recently, while the hacking group Anonymous is running a campaign to knock extremist Web sites offline, he says.

According to research conducted by B2B International and Kaspersky Lab, 38% of companies providing online services, such as online shopping and online media, fell victim to DDOS attacks over the past 12 months.

Doros Hadjizenonos, sales manager at Check Point Technologies in SA, says DDOS criminal activity was used to attack the Web sites of various gaming platforms last year. This type of attack involves many computers continuously requesting certain information from the targeted network until it is saturated and, therefore, fails, Hadjizenonos explains.

Walshaw says DDOS attacks can come in a variety of shapes and sizes. “However, the aim of a DDOS attack is always the same – to saturate a server with so many requests that it simply cannot cope, leaving legitimate users unable to connect.

“Attackers will sometimes use their own network of computers to launch DDOS attacks, but what is now more common is for them to use a network of PCs across the world that have been infected with malware that is capable of joining in a DDOS attack without the owner’s knowledge,” Walshaw explains.
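The first line of defence against the request saturation Walshaw describes is to bound how many requests any one source may make in a given window. The following is an added example, not F5’s product logic or anything from the article, of a sliding-window per-source limiter with a replay harness that runs a constructed request stream through it. The limit, window and sample addresses are assumptions chosen for illustration.

```python
"""Per-source sliding-window rate limiting against request floods.

Added example. The limits and the sample request stream are assumptions
for illustration; timestamps are passed in by the caller so the behaviour
is deterministic (use time.monotonic() in production).
"""
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Allow at most `limit` requests per `window` seconds from each source."""

    def __init__(self, limit, window):
        self.limit = limit
        self.window = window
        self._hits = defaultdict(deque)  # source -> timestamps still in window

    def allow(self, source, now):
        q = self._hits[source]
        # Expire hits that have aged out of the window before counting.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False  # over budget: reject without recording the hit
        q.append(now)
        return True


def replay(limiter, requests):
    """Run a (timestamp, source) stream through the limiter.

    Returns {source: (allowed, rejected)} so the effect on each client is
    visible separately."""
    stats = defaultdict(lambda: [0, 0])
    for ts, src in requests:
        idx = 0 if limiter.allow(src, ts) else 1
        stats[src][idx] += 1
    return {src: tuple(v) for src, v in stats.items()}


def sample_stream():
    """Constructed stream: one source firing 100 req/s for one second,
    one legitimate client making two requests in the same second."""
    flood = [(i / 100.0, "203.0.113.9") for i in range(100)]
    normal = [(0.25, "198.51.100.5"), (0.75, "198.51.100.5")]
    return sorted(flood + normal)


if __name__ == "__main__":
    limiter = SlidingWindowLimiter(limit=20, window=1.0)
    for src, (ok, dropped) in replay(limiter, sample_stream()).items():
        print(f"{src}: allowed={ok} rejected={dropped}")
```

The harness shows the property that matters: the flooding source is capped at the budget while the legitimate client, which never approaches it, is untouched. It also shows the limit of the approach against the botnets described in the paragraph above: each infected machine can stay under the per-source budget, so a limiter like this needs to sit alongside an aggregate capacity cap and, for large attacks, upstream scrubbing.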

Legitimate traffic

The results of a DDOS attack can be disastrous: loss of revenue-generating applications as well as reputational damage can negatively impact a business for years.

However, Walshaw notes: “There are ways a company can keep its applications, services and even its whole network online without stopping legitimate traffic.”

He believes a sophisticated firewall manager, application security manager and local traffic manager combined provide the protection needed to mitigate DDOS attacks, from blocking attack traffic to re-routing legitimate requests to ensure uptime.

Analysis is also key, says Walshaw, adding understanding who is attacking you, as well as how and why, can help prevent an attack from causing too much damage and protect against future attacks.

Establishing which layer is being attacked (application, network or session, for example) will help a company know where to focus its resources, and intelligent firewall management will be able to inspect all traffic coming into a network and stop traffic that is coming from a DDOS attack, he points out.

Fire drills

According to Neil Campbell, group GM for Dimension Data’s Security Business Unit, IT security ‘fire drills’, supported by executive management and the risk committee should be conducted regularly in organisations in order to understand the appropriate course of action in advance of a security breach.

He believes technologies and services focused on incident response – rather than only incident prevention – should be one of the trends high on the agendas of security professionals in 2015.

“It’s inevitable that security incidents will occur. It’s, therefore, critical that organisations begin to focus on identifying what we call ‘indicators of compromise’, putting a comprehensive incident response plan in place, and performing regular IT security ‘fire drills’,” explains Campbell.

He points out the regular fire drills – or rehearsals – will ensure that, in the event of an incident, IT and management teams are clear about what needs to be done, and the business is less at risk. This includes recovering evidence, identifying and resolving the root cause of the incident (not just the symptoms), and undertaking a forensic investigation.