Blocking DDoS Archive

“Altogether, since February 5, there have been 17 separate instances where the volume of inbound internet traffic has exceeded the carrying capacity of our [internet service provider] for 5 minutes or longer,” said Martin Manjak, UAlbany’s chief information security officer.

Information technology systems at University of Albany have been targeted with cyber-attacks. In the space of two weeks, UA systems experienced a total of 17 distributed denial-of-service (DDoS) attacks, with threats as recent as Feb. 19.

DDoS attacks flood a network with malicious requests, disrupting the normal flow of data between servers and legitimate users attempting to connect.

These attacks have impacted the availability and functionality of several UA IT systems, particularly Blackboard. According to Manjak, neither the integrity nor confidentiality of university information has been compromised.

Manjak said he believes the attacks may be related. However, no one has claimed responsibility and no motive has been identified.

“All we know is that the resource being targeted is Blackboard,” Manjak said.

Computers on UA’s network, like those in the library, were not affected by the DDoS attack. However, students and faculty using their own devices were unable to access Blackboard.

“We’re able to maintain access to electronic resources from on-campus through a combination of firewall and filtering rules,” Manjak said, “but access from off-campus was affected because the attacker(s) filled our internet pipe.”

Members of the UA community received two information security alert emails from Manjak about the attacks, one on Feb. 5 and the other on Feb. 18.

“Communication is sent to the University community when we identify an active threat that has the potential to impact the entire campus,” Manjak said.


Hackers are targeting airlines as never before, and this could affect your next flight. That’s the conclusion of a troubling new study of airline IT outages by Netscout, a provider of application and network performance management products.

Attacks against passenger air travel increased by more than 15,000% between 2017 and 2018, according to Netscout’s research.

That’s no decimal point error. 15,000%.

Why? Airlines are easier targets.

“Cybercriminals have traditionally concentrated attacks on internet service providers, telecoms, and cable operators,” says Hardik Modi, Netscout’s senior director for threat intelligence. “While those categories still represent prime targets, they are now relatively well protected.” Consequently, cybercriminals are now targeting the enterprise market, including passenger air travel, with real venom.

Sungard Availability Services, a provider of IT production and recovery services, tracks the major airline IT outage incidents. It shows their numbers steadily increasing.

Last year, the domestic airline industry had 10 major outages, the most since 2015, according to Sungard. It’s unknown what role, if any, cyberattacks played in these outages.

The trend appears to be accelerating in 2019. Southwest Airlines suffered a computer outage on Friday that temporarily grounded flights across the country. The airline said it suspended operations for about 50 minutes to ensure the performance of software systems that had been upgraded overnight. The airline also had a smaller outage in January that affected flights to and from Baltimore-Washington International Airport.

In January, 27 Alaska Airlines flights were delayed after the airline suffered a power outage in Seattle.

The incidents trigger an avalanche of consumer complaints to my nonprofit advocacy organization.

What’s going on with airline IT outages?

What’s happening? Distributed denial of service (DDoS) attacks are to blame for some of the outages, according to Netscout. DDoS attacks disrupt services of a host connected to the Internet. You can see some of these attacks in real time on a service like (here’s Southwest Airlines and here’s Alaska Airlines.)

“Disruptions to air travel are felt immediately,” explains Modi. “We’re all used to seeing images of grounded flights on the evening news, while delayed passengers make their frustrations known over social media channels.”

But not all of the attacks directly affect passengers. Netscout’s analysis also reveals a spike in attacks which passengers might not notice, with volumes reaching levels not seen since 2016.

“Our analysis also indicated that the size of attacks grew at an alarming rate during 2018,” Modi adds. “The maximum attack size recorded last year reached a staggering 245 Gbps (billions of bits per second, a measure of internet bandwidth). When comparing this to the maximum attack sizes recorded in 2016, which reached 124 Gbps, you begin to understand the increasing severity of these attacks.”

In other words, the flight disruptions you’re feeling are only a small part of a much bigger problem that is keeping airline IT workers busy this year. Data trends point to even more outages in the coming weeks, which also happen to be among the busiest for air travel.

How to prevent hackers from ruining your next flight

Airline IT outages can affect your next flight, as I pointed out in my Washington Post column last year.

No one knows when the next IT outage will happen, but there are steps you can take to protect yourself from the worst effects.

Consider travel insurance. The major carriers offer coverage for flight disruptions, which include any information-systems problems that cause delays or force an airline to cancel flights. Cast a broad net when you’re researching coverage. A company like Etherisc allows you to buy insurance up to 24 hours before your flight, track it in real time and receive an instant payout if your flight is delayed or canceled. There’s no formal claims process. I have an annual travel insurance policy through Allianz Travel Insurance that covers flight disruption.

Choose your airline carefully. Carriers that have been through multiple mergers are most likely to suffer an IT outage, due to the merged patchwork of systems, components and staffing. All of the major legacy airlines, plus Southwest Airlines, have recently completed mergers. Some are aggressively upgrading their aging IT equipment, which has led to a few hiccups.

Schedule your flight early and book it as a nonstop. Many IT outages happen in the afternoon or evening, as server loads spike. Passengers on early-morning flights aren’t affected. And flying nonstop lessens the chance that you’ll be stuck somewhere on a connection.

Know your rights. If you’re flying in the United States, your rights are outlined in the contract of carriage, the legal agreement between you and the airline. It’s a dense and often difficult-to-understand contract, but it contains several provisions that promise an airline will offer meal vouchers, phone cards and overnight hotel accommodations during a service disruption. While there’s no requirement that an airline must rebook you on a different carrier (known as endorsing the ticket), airlines are known to consider doing that on a case-by-case basis.

Could this be the year of the airline IT outage? Perhaps. Even if the first two months of the year are a fluke, you need to know the extent of the problem — and the fixes.


  • Cybersecurity company Recorded Future conducted a research study on the history of Iran’s hacker culture, its ties to the country’s government and mistakes the loosely tied-together group has made along the way.
  • Forums started in 2002 have provided a launch point for a series of sophisticated attacks against world governments and companies throughout the past two decades, according to the report.

Iranian hackers have congregated since at least 2002 in online forums to share tips on the best ways to create successful cyberattacks.

Those conversations have given birth to some of the most significant global cybersecurity incidents, including devastating attacks on Saudi Aramco, attacks against the public-facing websites of large banks and espionage campaigns on a wide range of Western targets, according to new research by cybersecurity intelligence firm Recorded Future.

Among the findings in the report:

  • A forum called “Ashiyane,” created by a cybersecurity company called the Ashiyane Digital Security Team, served as a medium for Iranian contractors to show off their talents for executing successful online offensive campaigns.
  • The forum was one of Iran’s most popular with around 20,000 users and had direct ties to Iran’s Islamic Revolutionary Guard Corps.
  • Many of the hackers on the forum considered themselves “gray hats,” a term for hackers that participate in both legitimate and criminal cyber actions. It’s a mixture of the term “white hat,” which refers to ethical hackers, and “black hats,” which refers to hackers who take part in malicious or illegal activities.
  • During the Iranian green movement of 2009, the forum was one of only a few that remained in use as Iran’s government cracked down on hacking websites.
  • The forum’s archives feature details of how participants shared information on how to execute distributed denial of service attacks, or DDOS attacks, which are meant to push websites out of service by flooding them with information, as well as Android exploits and commonly used cyberattack techniques.
  • The forum was shut down in 2018. Though the reason for the shutdown is not clearly known, Recorded Future cites sources as saying the forums became involved in online gambling, an endeavor explicitly prohibited in the Islamic state.


The breathtaking pace at which everyone and everything is becoming connected is having a profound effect on digital business, from delivering exceptional experiences, to ensuring the security of your customers, applications, and workforce.

Consider this: There are over 20 billion connected devices and more than 2 billion smartphones in use today. Gartner predicts that by 2022, $2.5 million will be spent every minute in the IoT and 1 million new IoT devices will be sold every hour.

No longer can you secure the perimeter or a centralized core and trust that nothing will get in or out. Effective security depends upon a defense-in-depth strategy – from the core to the edge – that enables you to protect your most valuable assets by implementing proactive protection closer to the threats and far away from your end users.

The Evolution of a Digital Topology

Centralized computing systems were never an extraordinarily efficient or cost-effective way to process huge volumes of transactional data for throngs of online users concurrently. The search for more engaging experiences at digital touchpoints paved the way for cloud and distributed computing to exploit parallel processing technology in the marketplace.

This worked for a while, until streaming video and other rich media became the norm across the Internet and users had very little tolerance for glitches or latency. The problem is, dragging every experience back and forth to a centralized cloud doesn’t resolve the critical issues of capacity and traffic pile ups.

It’s one of the great misconceptions of the Internet that “the last mile” is the bottleneck. The issue instead lies within the cloud data centers and backbone providers, which typically only have a few hundred Tbps capacity – not enough to deliver the kind of experiences or security your customers expect.

The demand for more real-time business moments between things and people at digital touchpoints is pushing us all toward the edge. Which is a good thing. It’s already expanding business opportunities, and fundamentally changing how we live, interact, shop, and work.

It’s forcing businesses to adapt, either by pushing faster development, becoming more agile in their processes, favoring faster features over perfect features, or all three. The problem is, security teams aren’t currently set up to handle this kind of disruption on top of the need to monitor, develop insights, and adapt processes based on soak time they simply don’t have anymore.

All the while, attacks continue to grow and target with more precision. Trust based on a single network location is no longer enough.

Enter Security at the Edge

Security at the edge is an approach to defending your business, your customers – all of your users – from security threats by deploying defense-in-depth measures closer to the point of attack and as far away from your assets (your people, applications, or infrastructure) as possible. Security at the edge allows InfoSec pros to address three critical security imperatives.

1. Scale

We live in a time when attackers hold unprecedented power, and there’s simply no way to summon the capacity you need to defend yourself in a data center. Even the largest cloud data centers can be overwhelmed by the attacks we’re seeing. And even if it were physically possible to equip the cloud data center with enough capacity, the cost would be prohibitive.

This is becoming an even more widespread problem with the rise of IoT. There are now billions of devices connected at the last mile, with powerful CPU and little or no security.

The only way to prevent this is by intercepting the enormous volumes of attack traffic at the edge, where there is the capacity to mount a viable defense and stop attacks from reaching and swamping your data centers.

2. Intelligence

It’s now imperative that you protect applications and APIs deployed anywhere – in your data centers or in the public cloud – with DDoS protection, web app firewall, and bot management. An intelligent defense strategy has become more important as more people than ever are accessing your apps through APIs from mobile devices. What’s more, the millions of bots being deployed by malicious actors are becoming extremely sophisticated at evading traditional defenses.

But protecting your apps, APIs and users is about more than just capacity, it requires cutting edge threat intelligence. Threat intelligence should leverage a multilayered approach of machine learning and human intelligence where both data scientists and algorithms perform statistical, trend, and pattern analysis of structured and unstructured data to identify and mitigate new attack vectors before anybody else. The key is that this is all happening at the edge, closer to the attack point and farther away from you and your end users.

3. Expertise

Nothing tops human expertise. Not only do you need the network capacity that the ever-growing threat of volumetric DDoS attacks demands, but you also need the expertise to understand what the data, the patterns, and the anomalies are telling you.

Along with sophisticated technology and a security-at-the-edge approach, industry experts are capable of helping you make sense of the threats you face every day. And as you know, attackers never sleep. The only response: always-on, 24x7x365 monitoring, scrubbing, and DDoS mitigation services.

Connecting to the Future

At the end of the day, it’s all about connecting to your customers and your employees; your apps and data; and to the countless IoT devices out there. Simply put: You need to be everywhere your customers are. When it comes to performance it has to be fast. And when it comes to security it needs to be proactive and in depth.

As nearly everyone and everything gets connected, the data required to function in the digital world risks not only being congested in the core but, even worse, caught up in large-scale cyberattacks. And cloud data centers are struggling to keep up.

Delivering engaging and glitch-free digital business moments securely is the heart and the backbone of everything your digital business stands for. And in spite of how remarkably the Internet has grown and evolved over the past 20 years, we believe the most dramatic digital experiences are yet to come.

As a result, the world is now realizing just how important a security-at-the-edge strategy can be – one that brings users closer to the digital experiences and knocks down attacks where they’re generated. One that breeds trust and puts the confidence and control back in your hands.


2018 brought massive, hardware-level security vulnerabilities to the forefront. Here are the five biggest vulnerabilities of the year, and how you can address them.

2018 was a year full of headaches for IT professionals, as security vulnerabilities became larger and more difficult to patch, since software mitigations for hardware vulnerabilities require some level of compromise. Here are the five biggest security vulnerabilities of 2018, and what, if anything, you can do to address them in your organization.

1. Spectre and Meltdown dominated security decisions all year

On January 4, the Spectre and Meltdown vulnerabilities allowing applications to read kernel memory were disclosed, and they posed security problems for IT professionals all year, as the duo represented largely hardware-level flaws, which can be mitigated, but not outright patched, through software. Though Intel processors (except for Atom processors before 2013, and the Itanium series) are the most vulnerable, microcode patches were necessary for AMD, OpenPOWER, and CPUs based on Arm designs. Other software mitigations do exist, though some require vendors to recompile their programs with protections in place.

The disclosure of these vulnerabilities sparked a renewed interest in side-channel attacks requiring manipulative or speculative execution. Months later, the BranchScope vulnerability was disclosed, focusing on the shared branch target predictor. The researchers behind that disclosure indicated that BranchScope provides the ability to read data which should be protected by the SGX secure enclave, as well as defeat ASLR.

Between the initial disclosure, Spectre-NG, Spectre 1.2, and SpectreRSB, a total of eight variants were discovered, in addition to related work like SgxPectre.

2. Record-breaking DDoS attacks with memcached

Malicious actors staged amplification attacks using flaws in memcached, reaching heights of 1.7 Tbps. The attack is initiated by a server spoofing its own IP address, specifying the attack target’s address as the origin address, and sending a 15-byte request packet, which is answered by a vulnerable memcached server with responses ranging from 134KB to 750KB. The size disparity between the request and response, as much as 51,200 times larger, made this attack particularly potent.

Proof-of-concept code, which can be easily adapted for attacks, was published by various researchers, among them “,” which integrates with the Shodan search engine to find vulnerable servers from which you can launch an attack.

Fortunately, it is possible to stop memcached DDoS attacks, though users of memcached should change the defaults to prevent their systems from being abused. If UDP is not used in your deployment, you can disable the feature with the switch -U 0. Otherwise, limiting access to localhost with the switch --listen is advisable.
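As an added example (not code from the article or from the memcached project), the script below audits a memcached configuration for the two settings just described. It parses a Debian-style memcached.conf fragment (one option per line, `#` comments), reports whether UDP is still enabled (`-U` / `--udp-port` other than 0) and whether the listener is bound to a non-loopback address (`-l` / `--listen`), and computes the bandwidth amplification factor from the article's request and response sizes. The two sample configurations are constructed; the default UDP port of 11211 is memcached's historical default.

```python
"""Audit a memcached configuration for UDP-amplification exposure.

Added example, not code from the article or the memcached project: it reads
a Debian-style /etc/memcached.conf fragment (one option per line, '#'
comments) and flags the two settings the article names, UDP left enabled
('-U' / '--udp-port' not 0) and the listener bound to every interface
instead of localhost ('-l' / '--listen'). Sample configs are constructed.
"""
import ipaddress
import shlex
from dataclasses import dataclass, field

# Constructed sample: the older defaults that let a server act as a reflector
# (no '-l', so it listens on all interfaces; no '-U 0', so UDP port 11211 stays open).
EXPOSED_CONF = """\
-m 64
-p 11211
-u memcache
"""

# Constructed sample: the hardened form the article recommends.
HARDENED_CONF = """\
-m 64
-p 11211
-U 0
-l 127.0.0.1
-u memcache
"""


@dataclass
class MemcachedExposure:
    udp_port: int                                      # 0 means UDP disabled
    listen_addrs: list = field(default_factory=list)   # empty means all interfaces

    @property
    def udp_enabled(self) -> bool:
        return self.udp_port != 0

    @property
    def publicly_bound(self) -> bool:
        """True unless every listen address is a loopback address."""
        if not self.listen_addrs:
            return True
        return not all(ipaddress.ip_address(a).is_loopback for a in self.listen_addrs)

    @property
    def reflector_risk(self) -> bool:
        """A server answering UDP on a non-loopback interface can be abused for reflection."""
        return self.udp_enabled and self.publicly_bound


def _strip_port(addr: str) -> str:
    """memcached accepts 'addr:port' for IPv4; IPv6 literals keep their colons."""
    if addr.count(":") == 1:
        return addr.split(":", 1)[0]
    return addr


def parse_memcached_conf(text: str) -> MemcachedExposure:
    """Parse the config text into the settings relevant to reflection."""
    tokens = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if line:
            tokens.extend(shlex.split(line))

    udp_port = 11211            # memcached's historical default UDP port
    listen_addrs = []
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("--udp-port="):
            udp_port = int(tok.split("=", 1)[1])
            i += 1
        elif tok in ("-U", "--udp-port"):
            udp_port = int(tokens[i + 1])
            i += 2
        elif tok.startswith("--listen="):
            listen_addrs += [_strip_port(a) for a in tok.split("=", 1)[1].split(",")]
            i += 1
        elif tok in ("-l", "--listen"):
            listen_addrs += [_strip_port(a) for a in tokens[i + 1].split(",")]
            i += 2
        else:
            i += 1                           # other options do not affect exposure
    return MemcachedExposure(udp_port, listen_addrs)


def amplification_factor(request_bytes: int, response_bytes: int) -> int:
    """Bandwidth amplification: reply size divided by request size (article: 750 KB / 15 B)."""
    return response_bytes // request_bytes


if __name__ == "__main__":
    for name, conf in (("exposed", EXPOSED_CONF), ("hardened", HARDENED_CONF)):
        e = parse_memcached_conf(conf)
        print(f"{name}: udp={e.udp_enabled} public={e.publicly_bound} reflector_risk={e.reflector_risk}")
    print("max amplification in the article:", amplification_factor(15, 750 * 1024))
```

The check treats a missing `-l` as "bound to all interfaces", which is what memcached does, and it reports risk only when both conditions hold, since a loopback-only listener cannot receive spoofed packets from the internet even with UDP on. memcached 1.5.6 and later ship with UDP disabled by default, so the `-U 0` line matters most on older installations or on hosts whose packaged config re-enables it.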

3. Drupal CMS vulnerability allows attackers to commandeer your site

A failure to sanitize inputs resulted in the announcement of emergency patches for 1.1 million Drupal-powered websites in late March. The vulnerability relates to a conflict between how PHP handles arrays in URL parameters and Drupal’s use of a hash (#) at the beginning of array keys to signify special keys that typically result in further computation, allowing attackers to inject code arbitrarily. The attack was nicknamed “Drupalgeddon 2: Electric Hashaloo” by Paragon Initiative’s Scott Arciszewski.

In April, the same core issue was patched for a second time, relating to the URL handling of GET parameters not being sanitized to remove the # symbol, creating a remote code execution vulnerability.

Despite the highly publicized nature of the vulnerability, over 115,000 Drupal websites were still vulnerable to the issue, and various botnets were actively leveraging the vulnerability to deploy cryptojacking malware.

ZDNet’s Catalin Cimpanu broke a story in November detailing a new type of attack which leverages Drupalgeddon 2 and Dirty COW to install cryptojacking malware, which can proliferate due to the number of unpatched Drupal installations in the wild.
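The mitigation the Drupal section describes, stripping `#`-prefixed keys out of user-supplied nested parameters before they reach code that treats such keys as special, can be shown as a small request sanitizer. This is an added example written in Python, modelled on that idea and not on Drupal's own code; `parse_php_query` and `sanitize_request` are names chosen here, and the query strings are constructed.

```python
"""Strip renderer-control keys from untrusted request parameters.

Added example in Python, modelled on the mitigation the article describes
rather than on Drupal's own code: Drupal treats array keys that begin with
'#' as special, so user input that can smuggle such keys into nested
array parameters must be cleaned before it reaches the render system.
parse_php_query() turns a PHP-style bracket query string into nested dicts
and sanitize_request() drops every '#'-prefixed key at any depth, returning
the paths it removed so they can be logged. The query strings are constructed.
"""
import re
from urllib.parse import parse_qsl

_KEY_RE = re.compile(r"^([^\[]+)((?:\[[^\]]*\])*)$")


def parse_php_query(qs: str) -> dict:
    """Parse 'a[b][c]=1&a[b][d]=2' into {'a': {'b': {'c': '1', 'd': '2'}}}.

    Empty brackets ('a[]=x') append with the next numeric index, as PHP does.
    """
    result = {}
    for key, value in parse_qsl(qs, keep_blank_values=True):
        m = _KEY_RE.match(key)
        if not m:
            result[key] = value
            continue
        path = [m.group(1)] + re.findall(r"\[([^\]]*)\]", m.group(2))
        node = result
        for part in path[:-1]:
            if part == "":
                part = str(len(node))
            child = node.get(part)
            if child is None:
                child = node[part] = {}
            elif not isinstance(child, dict):
                break                     # a scalar already occupies this slot; keep it
            node = child
        else:
            leaf = path[-1] if path[-1] != "" else str(len(node))
            node[leaf] = value
    return result


def strip_hash_keys(data, path=""):
    """Return (cleaned copy, list of removed key paths)."""
    if not isinstance(data, dict):
        return data, []
    cleaned, removed = {}, []
    for key, value in data.items():
        here = f"{path}[{key}]" if path else key
        if key.startswith("#"):
            removed.append(here)          # never let user input name a '#' key
            continue
        cleaned[key], sub = strip_hash_keys(value, here)
        removed.extend(sub)
    return cleaned, removed


def sanitize_request(qs: str):
    """Parse and sanitize in one step, as a request-sanitizing middleware would."""
    return strip_hash_keys(parse_php_query(qs))


# Constructed sample: an ordinary form submission with two smuggled '#' keys.
SAMPLE_QUERY = "q=search&form[name]=alice&form[#marker]=1&form[nested][#other][k]=v"

if __name__ == "__main__":
    cleaned, removed = sanitize_request(SAMPLE_QUERY)
    print("cleaned:", cleaned)
    print("removed:", removed)
```

The sanitizer works on the parsed structure rather than on the raw string, so a `#` hidden at any nesting depth is caught, and it returns the removed paths so a site can log how often such keys arrive, which is a useful signal given the scanning the article describes against unpatched installations.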

4. BGP attacks intercept DNS servers for address hijacking

Border Gateway Protocol (BGP), the glue that is used to determine the most efficient path between two systems on the internet, is primed to become the target of malicious actors going forward, as the protocol was designed largely before malicious network activity was a design consideration. There is no central authority for BGP routes, and routes are accepted at the ISP level, placing it outside the reach of typical enterprise deployments and far outside the reach of consumers.

In April, a BGP attack was waged against Amazon Route 53, the DNS service component of AWS. According to Oracle’s Internet Intelligence group, the attack originated from hardware located in a facility operated by eNet (AS10297) of Columbus, Ohio. The attackers redirected requests to to a server in Russia, which used a phishing site clone to harvest account information by reading existing cookies. The hackers gained 215 Ether from the attack, which equates to approximately $160,000 USD.

BGP has also been abused by governments in certain circumstances. In November 2018, reports indicated that the Iranian government used BGP attacks in an attempt to intercept Telegram traffic, and China has allegedly used BGP attacks through points of presence in North America, Europe, and Asia.

Work on securing BGP against these attacks is ongoing with NIST and DHS Science and Technology Directorate collaborating on Secure Inter-Domain Routing (SIDR), which aims to implement “BGP Route Origin Validation, using Resource Public Key Infrastructure, [which] can address and resolve the erroneous exchange of network routes.”
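To make the SIDR quotation concrete, here is an added example (not code from the article, NIST, DHS or any router vendor) of BGP Route Origin Validation as specified in RFC 6811: given a set of validated ROA payloads (prefix, maxLength, origin AS) it classifies an announcement as valid, invalid or not-found, and applies the common drop-invalid policy. The ROAs and announcements are constructed from documentation prefixes (203.0.113.0/24, 198.51.100.0/24, 2001:db8::/32) and documentation AS numbers; they describe no real route.

```python
"""Route Origin Validation (RFC 6811) against a set of RPKI ROAs.

Added example, not code from the article, NIST, DHS or any router vendor:
given validated ROA payloads (prefix, maxLength, origin AS) and a BGP
announcement, it classifies the announcement as 'valid', 'invalid' or
'not-found' the way an RPKI-aware router does, and applies a drop-invalid
policy. The ROAs and announcements are constructed from documentation
prefixes and AS numbers; they describe no real route or hijack.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Roa:
    prefix: str       # e.g. "203.0.113.0/24"
    max_length: int   # longest prefix length the origin may announce
    origin_as: int    # AS authorised to originate it


# Constructed ROA set: one IPv4 and one IPv6 authorisation.
ROAS = [
    Roa("203.0.113.0/24", 24, 64496),
    Roa("2001:db8::/32", 48, 64500),
]


def covering_roas(prefix: str, roas):
    """ROAs whose prefix contains the announced prefix (same address family)."""
    net = ipaddress.ip_network(prefix, strict=False)
    out = []
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        if roa_net.version == net.version and net.subnet_of(roa_net):
            out.append(roa)
    return out


def validate_origin(prefix: str, origin_as: int, roas=ROAS) -> str:
    """RFC 6811 validation state for (prefix, origin AS)."""
    net = ipaddress.ip_network(prefix, strict=False)
    covering = covering_roas(prefix, roas)
    if not covering:
        return "not-found"      # no ROA speaks to this prefix at all
    for roa in covering:
        if roa.origin_as == origin_as and net.prefixlen <= roa.max_length:
            return "valid"
    return "invalid"            # covered, but wrong origin or too specific


def route_decision(prefix: str, origin_as: int, roas=ROAS) -> str:
    """Common operator policy: drop invalid, accept valid and not-found."""
    state = validate_origin(prefix, origin_as, roas)
    return "drop" if state == "invalid" else "accept"


# Constructed announcements: legitimate origin, wrong origin, over-specific, uncovered, IPv6.
ANNOUNCEMENTS = [
    ("203.0.113.0/24", 64496),
    ("203.0.113.0/24", 64511),
    ("203.0.113.128/25", 64496),
    ("198.51.100.0/24", 64496),
    ("2001:db8:1::/48", 64500),
]

if __name__ == "__main__":
    for prefix, asn in ANNOUNCEMENTS:
        print(f"{prefix:20} AS{asn}: {validate_origin(prefix, asn):9} -> {route_decision(prefix, asn)}")
```

Two points stand out when running it. A covering ROA rejects both a wrong origin AS and a more-specific prefix beyond maxLength, which is why maxLength should be set no longer than what the holder actually announces. And a prefix with no ROA at all is merely "not-found", which most operators still accept, so ROV only protects address space whose holders have published ROAs.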

5. Australia’s Assistance and Access Bill undermines security

In Australia, the “Assistance and Access Bill 2018,” which provides the government “frameworks for voluntary and mandatory industry assistance to law enforcement and intelligence agencies,” basically provides government access to the contents of encrypted communication. It is essentially the definition of a self-inflicted wound, as the powers it provides the government stand to undermine confidence in Australian products, as well as the Australian outposts of technology companies.

The bill hastily passed on December 7 and was touted as necessary in the interest of “safeguarding national security,” though, subtracting perpetrators, Australia has seen a grand total of seven deaths related to terrorist activities since 2000. Additionally, the bill permits demands to be issued in relation to “the interests of Australia’s foreign relations or the interests of Australia’s national economic well-being.”

While the bill appears not to provide the full firehose of unencrypted user data to government agencies, it does permit the government to compel companies to provide content from specific communications, though it forbids the disclosure of any demands made to companies about compliance. Stilgherrian provides a balanced view of the final bill in his guide on ZDNet.