DDoS Attack Specialist Archive

A DDoS mitigation service is more than just the technology or the service guarantees. The quality and resilience of the underlying network is a critical component in your armor, and one which must be carefully evaluated to determine how well it can protect you against sophisticated DDoS attacks.

Massive Capacity

When it comes to protection against volumetric DDoS attacks, size matters. DDoS attack volumes have been steadily increasing over the past decade, with each year reaching new heights (and scales) of attacks.

To date, the largest-ever verified DDoS attack was a memcached-based reflection attack against GitHub. That attack peaked at approximately 1.3 terabits per second (Tbps) and 126 million packets per second (pps).

To withstand such an attack, a scrubbing network must have not just enough capacity to absorb the attack itself, but ample overflow capacity to keep serving other customers on the network and to handle other attacks that may be in progress at the same time. A good rule of thumb is to look for mitigation networks with at least 2-3 times the capacity of the largest attacks observed to date.

Dedicated Capacity

It’s not enough, however, to just have a lot of capacity. It is also crucial that this capacity be dedicated to DDoS scrubbing. Many security providers, particularly those who take an ‘edge’ security approach, rely on their Content Delivery Network (CDN) capacity for DDoS mitigation as well.

The problem is that most of that capacity is already in routine use. CDN providers don’t like paying for idle capacity, so CDN bandwidth utilization routinely runs at 60-70% and can frequently reach 80% or more. That leaves very little room for the overflow traffic a large-scale volumetric DDoS attack produces.

Therefore, it is much more prudent to focus on networks whose capacity is dedicated to DDoS scrubbing and segregated from other services such as CDN, WAF, or load-balancing.

Global Footprint

Organizations deploy DDoS mitigation solutions to ensure the availability of their services. An increasingly important aspect of availability is speed of response: the question is not only whether the service is available, but also how quickly it can respond.

Cloud-based DDoS protection services operate by routing customer traffic through the service provider’s scrubbing centers, removing any malicious traffic, and then forwarding clean traffic to the customer’s servers. This process inevitably adds a certain amount of latency to user communications.

One of the key factors affecting latency is distance: the farther traffic has to detour through the scrubbing center, the more delay it adds. To minimize latency, the scrubbing center should be as close as possible to the customer and its users. This can only be achieved with a globally distributed network, with a large number of scrubbing centers deployed at strategic communication hubs where there is large-scale access to high-speed fiber connections.

As a result, when examining a DDoS protection network, it is important not just to look at capacity figures, but also at the number of scrubbing centers and their distribution.

Anycast Routing

A key component impacting response time is the quality of the network itself and its back-end routing mechanisms. In order to ensure maximal speed and resilience, modern security networks are based on anycast routing.

Anycast routing establishes a one-to-many relationship between an IP address and network nodes: the same address is announced from multiple nodes at once. When a request is sent to that address, the routing system applies least-cost routing to decide which of those nodes is the optimal destination.

Routing paths can be selected based on the number of hops, distance, latency, or policy-defined path cost. As a result, traffic from any given point is usually routed to the topologically nearest node, which is typically, though not always, the fastest one as well.

Anycast helps improve the speed and efficiency of traffic routing within the network. DDoS scrubbing networks based on anycast routing enjoy these benefits, which ultimately results in faster response and lower latency for end-users.

Multiple Redundancy

Finally, when selecting a DDoS scrubbing network, it is important to always have a backup. The whole point of a DDoS protection service is to ensure service availability. Therefore, you cannot have it, or any component in it, be a single point of failure. This means that every component within the security network must be backed up with multiple redundancy.

This includes not just multiple scrubbing centers and overflow capacity, but also redundancy in ISP links, routers, switches, load balancers, mitigation devices, and more.

Only a network with full multiple redundancy for all components can ensure full service availability at all times, and guarantee that your DDoS mitigation service does not become a single point-of-failure of its own.
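To make the anycast and redundancy properties concrete, here is an added example (not code from the original article or from any vendor) that models a scrubbing network as a cost-weighted graph. The topology, the node names (scrub-fra, scrub-lon, scrub-nyc, the ix-* exchange nodes and the client networks) and the link costs are constructed for illustration, and the additive link cost stands in for whatever metric the real routing system uses: production anycast relies on BGP path selection (AS-path length and local policy), not on link latency directly.

```python
"""Anycast routing with failover: a simplified model (added example, not the article's code)."""
from dataclasses import dataclass, field
import heapq


@dataclass
class Network:
    # adjacency list: node -> {neighbor: path cost}; costs are a constructed stand-in for BGP metrics
    edges: dict = field(default_factory=dict)
    # nodes currently announcing the shared (anycast) address
    anycast_nodes: set = field(default_factory=set)

    def add_link(self, a, b, cost):
        self.edges.setdefault(a, {})[b] = cost
        self.edges.setdefault(b, {})[a] = cost

    def distances(self, src):
        # Dijkstra: least-cost distance from src to every reachable node
        dist = {src: 0}
        heap = [(0, src)]
        while heap:
            d, u = heapq.heappop(heap)
            if d > dist.get(u, float("inf")):
                continue
            for v, w in self.edges.get(u, {}).items():
                nd = d + w
                if nd < dist.get(v, float("inf")):
                    dist[v] = nd
                    heapq.heappush(heap, (nd, v))
        return dist

    def anycast_target(self, src):
        # the one-to-many property: the client reaches whichever announcing node is cheapest from here
        dist = self.distances(src)
        reachable = {n: dist[n] for n in self.anycast_nodes if n in dist}
        if not reachable:
            return None
        return min(reachable, key=lambda n: (reachable[n], n))

    def withdraw(self, node):
        # node stops announcing the address (failure or maintenance); nothing changes on the client side
        self.anycast_nodes.discard(node)


def build_example():
    """Constructed topology: three scrubbing centers behind exchange points, two client networks."""
    net = Network()
    for a, b, cost in [("client-eu", "ix-fra", 2), ("ix-fra", "scrub-fra", 1),
                       ("ix-fra", "ix-lon", 3), ("ix-lon", "scrub-lon", 1),
                       ("client-us", "ix-nyc", 2), ("ix-nyc", "scrub-nyc", 1),
                       ("ix-nyc", "ix-lon", 8)]:
        net.add_link(a, b, cost)
    net.anycast_nodes.update({"scrub-fra", "scrub-lon", "scrub-nyc"})
    return net


def demo():
    """Return the chosen scrubbing node per client before and after scrub-fra goes away."""
    net = build_example()
    clients = ("client-eu", "client-us")
    before = {c: net.anycast_target(c) for c in clients}
    net.withdraw("scrub-fra")
    after = {c: net.anycast_target(c) for c in clients}
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before:", before)
    print("after scrub-fra withdrawn:", after)
```

Withdrawing scrub-fra’s announcement moves the European client to the next-cheapest node with no client-side change, which is the redundancy the article asks for; the same mechanism covers planned maintenance, and the U.S. client is unaffected because its least-cost node never changed.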

Ask the Questions

Alongside technology and service, the underlying network forms a critical part of any cloud security service. The five considerations above are the key metrics by which you should evaluate the network powering a potential DDoS protection service.

Ask your service provider, or any service provider you are evaluating, about their capabilities with regard to each of these metrics, and if you don’t like the answers, consider looking for alternatives.

Source: https://securityboulevard.com/2019/05/5-key-considerations-in-choosing-a-ddos-mitigation-network/

The number of DDoS attacks during the first quarter of 2019 increased by 84 percent compared with the previous quarter according to a new report from Kaspersky Lab.

This reverses last year’s trend of declining DDoS attacks as attackers shifted their attention to other sources of income, such as crypto-mining.

As well as increasing in number, attacks are also getting longer. The number of DDoS attacks lasting more than an hour doubled, and their average length increased by 487 percent. These statistics support Kaspersky Lab experts’ hypothesis that attackers are evolving their techniques and are now able to launch longer attacks, which are more difficult to organize.

“The DDoS attack market is changing, and new DDoS services appear to have replaced ones shut down by law enforcement agencies,” says Alexey Kiselev, business development manager on the Kaspersky DDoS Protection team. “As organizations implement basic countermeasures, attackers target them with long-lasting attacks. It is difficult to say if the number of attacks will continue to grow, but their complexity is showing no signs of slowing down. We recommend that organizations prepare themselves effectively, in order to withstand sophisticated DDoS attacks.”

Kaspersky recommends that organizations ensure that their web and IT resources can handle high volumes of traffic, and that they use professional solutions that can protect the organization against DDoS attacks regardless of their complexity, strength or duration.

Source: https://betanews.com/2019/05/21/ddos-attacks-increase/

Distributed denial-of-service (DDoS) mitigation is the process of protecting targeted networks and servers from attack. A cloud-based protection service mitigates the threat by shielding the intended victim. A DDoS attack is a type of cyber attack that targets the most critical systems of a business in order to disrupt network connectivity or a network service, so that legitimate users are denied access to the resources they need. The attack combines the power of numerous malware-infected computers (a botnet) against a single target.

The Types of Attacks

There are three key types of attack. The first is the volumetric attack, in which a flood of bogus packets saturates the target’s network bandwidth. Once the links are full, legitimate traffic is dropped simply because there is no capacity left to carry it. The two most frequently used volumetric attacks are UDP and ICMP floods.

The protocol attack exhausts the connection (state) tables that servers, firewalls and load balancers use to track sessions. Techniques include SYN floods that leave connections half-open, malformed or fragmented packets, and slow pings; each forces the target to allocate state or buffers until memory is exhausted or the device crashes. Because stateful firewalls keep such tables themselves, a perimeter firewall is a target of this attack rather than a defense against it.

The application layer is the one closest to user interaction, and an application-layer attack targets the services that handle user requests directly: HTTP, HTTPS, SMTP and DNS. Each request is cheap for the attacker to send but expensive for the server to process, so far fewer machines are needed, which makes the perpetrator harder to trace and makes the attack easy to mistake for nothing more than a spike in legitimate traffic.
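As an added example (not the original article’s code), the following classifier applies the three categories above to constructed traffic samples: flow records in which a UDP flood and a SYN flood are mixed with normal sessions, and a web server access log in which one client hammers a search endpoint. The record layout, the thresholds (80% of link capacity, a 10:1 SYN-to-ACK ratio, 50 requests per second per client) and the 2 Mbps link size are assumptions chosen for the demonstration; in production they come from the site’s measured baseline.

```python
"""Classify DDoS traffic by layer from constructed samples (added example, not the article's code)."""
from collections import Counter
import re

# Constructed flow records: (second, src_ip, proto, tcp_flags, bytes).
# In a real deployment these would come from NetFlow/sFlow or a packet tap.
FLOWS = []
for sec in range(5):
    # baseline: 20 normal TCP sessions per second (SYN, then ACK carrying data)
    for i in range(20):
        FLOWS.append((sec, f"198.51.100.{i}", "tcp", "S", 60))
        FLOWS.append((sec, f"198.51.100.{i}", "tcp", "A", 1200))
    # volumetric: UDP flood from many (spoofed) sources with full-size packets
    for i in range(400):
        FLOWS.append((sec, f"203.0.113.{i % 250}", "udp", "", 1400))
    # protocol: SYN flood from sources that never complete the handshake
    for i in range(300):
        FLOWS.append((sec, f"192.0.2.{i % 250}", "tcp", "S", 60))

# Constructed Common Log Format lines: three ordinary clients plus one client
# sending 120 requests per second to an expensive search endpoint.
ACCESS_LOG = []
for sec in range(5):
    ts = f"21/May/2019:10:00:0{sec} +0000"
    for i in range(3):
        ACCESS_LOG.append(f'10.0.0.{i} - - [{ts}] "GET /index.html HTTP/1.1" 200 4096')
    for _ in range(120):
        ACCESS_LOG.append(f'10.9.9.9 - - [{ts}] "GET /search?q=x HTTP/1.1" 200 512')

CLF_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')


def classify(flows, access_log, link_mbps, window_secs,
             syn_ack_ratio=10.0, min_half_open_sources=100, max_rps_per_client=50):
    """Return a sorted list of findings, one per attack class detected in the window."""
    findings = set()

    # Volumetric: bytes per protocol compared with what the link can carry in the window.
    bytes_by_proto = Counter()
    syn_sources, ack_sources = set(), set()
    syn_count = ack_count = 0
    for _sec, src, proto, flags, nbytes in flows:
        bytes_by_proto[proto] += nbytes
        if proto == "tcp":
            if "S" in flags and "A" not in flags:
                syn_count += 1
                syn_sources.add(src)
            elif "A" in flags:
                ack_count += 1
                ack_sources.add(src)
    link_bytes = link_mbps * 1_000_000 / 8 * window_secs
    for proto, total in bytes_by_proto.items():
        if total > 0.8 * link_bytes:
            findings.add(f"volumetric:{proto}-flood")

    # Protocol: many SYNs from sources that never ACK means the target's
    # connection table is filling with half-open connections.
    half_open_sources = syn_sources - ack_sources
    if (syn_count > syn_ack_ratio * max(ack_count, 1)
            and len(half_open_sources) >= min_half_open_sources):
        findings.add("protocol:syn-flood")

    # Application layer: per-client request rate taken from the web server log.
    per_client = Counter()
    for line in access_log:
        m = CLF_RE.match(line)
        if m:
            per_client[m.group(1)] += 1
    for client, n in per_client.items():
        if n / window_secs > max_rps_per_client:
            findings.add(f"application:http-flood:{client}")

    return sorted(findings)


if __name__ == "__main__":
    for finding in classify(FLOWS, ACCESS_LOG, link_mbps=2, window_secs=5):
        print(finding)
```

The per-client rate check is deliberately the simplest form of Layer 7 detection; a distributed HTTP flood spreads requests across many addresses at a rate each of which looks ordinary, which is exactly why the article says such attacks are easy to mistake for a traffic spike. Weighting requests by the cost of the endpoint they hit, and comparing against a per-URL baseline, is the usual next step.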

The Importance of Mitigation

A mitigation plan starts with a complete security assessment. This is simpler for smaller businesses; larger companies often have multiple teams and an extremely complex infrastructure. Once an attack has begun, the time for planning has already passed, so the plan must be in place beforehand to ensure a prompt reaction. The first step is the development of a defense strategy that defines the expected impact of an attack. Employees must understand their responsibilities, and the data center must be ready to execute the plan. This can save the business the time and expense of a lengthy recovery while minimizing the chances of a successful attack.

The Most Important Elements of Mitigation

Every company needs to have mitigation in place. This provides the systems with filtering tools, advanced detection of potential threats and protection through software and hardware. Every company needs a response team to make certain the reaction to an attack is efficient, fast and organized. All procedures should be assigned to individual teams. This enables the employees to know where to turn if there is an attack. A complete list of emergency contacts should be posted along with the correct procedures. There must be solid communication between the company, their clients, their security vendors and their provider for cloud services.

Preventing Attacks through Security

The best way to prevent attacks is to reduce user mistakes as much as possible, which requires strong security practices. Employees should be required to change their passwords fairly frequently. Properly configured firewalls and anti-phishing controls restrict most unwanted outside traffic; this is the basis of a good security setup. Multi-layered strategies are critical for keeping the network secure. This means combining numerous management and prevention systems, including firewalls, a virtual private network (VPN), load balancing, defense techniques and content filtering. Together these are the best way to spot the inconsistencies in traffic that often signal an attack, and high-quality security can successfully block it.

Unfortunately, the majority of standard equipment currently available on the market offers very few options for mitigation. The best recourse is outsourcing to obtain the best possible mitigation available. Many of these resources are cloud based and simple to obtain. This is the ideal solution for both small and medium businesses because they can remain within their budget for security. Mitigation also means having multiple servers. This will provide additional resources if there is an attack on one of the servers. Outsourcing the service will enable the business to further increase security by having their servers in different locations. This makes it a lot harder for the attacker to target the business.

Updating the Systems

Any system that is not kept up to date is at higher risk of attack. Part of mitigation is ensuring the newest software versions are installed, which tightens security and reduces the avenues available to an attacker. The main reason mitigation is so critical is that attacks are extremely complex: the system must be able to identify any traffic anomaly immediately in order to respond. When the infrastructure has been properly secured, the threat is minimized and the business is protected against many different types of attack.

Identifying Unusual Activity

The best way to prevent any attack is early detection. There are many different types of attack, but they share common signs. The most common signs of an intrusion are a large number of spam emails or a noticeable slowdown in network performance. The sooner these issues are noticed, the sooner the threat can be blocked. It is critical that employees understand the system and all of the resources available to them. Mitigation provides advanced resources to protect the system by detecting potential attacks and reacting immediately; without them, the entire business network can crash.

The Cloud

Excellent attack prevention is available through DDoS mitigation providers using cloud-based services. This type of service is advantageous for numerous reasons. An on-premises network does not have anywhere near the resources or bandwidth of the cloud, which matters because so many businesses rely entirely on hardware on their own premises, and that makes them easier to overwhelm. The cloud provider has tooling capable of stopping malicious traffic before it reaches its target, and its engineers constantly monitor the internet for the newest attacker techniques, so they know what to look for and have the resources to find it faster. Every company has different needs depending on its network and environment, but every business must be flexible about its security.

The Warning Signs

Every attack has warning signs. These include a slowdown of the network, websites repeatedly going down, and connectivity issues. Every network experiences occasional problems, but when a performance issue is consistent or severe, there is a strong possibility an attack is in progress and action must be taken immediately to protect the network. A mitigation service offers flexibility across dedicated hosting, cloud hosting and on-premises networks. To be effective, the components of the infrastructure must comply with the highest security requirements and standards, so that the protection can be tailored to the specific needs of each business.
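The distinction the passage draws between an occasional blip and a consistent or severe problem is exactly what a detector has to encode. As an added example (not the article’s code), the function below keeps a rolling baseline of per-minute request volume, p95 latency and error rate, scores each new minute against that baseline, and alerts only when a deviation persists for several consecutive minutes. The metric series is constructed for the demonstration (twelve quiet minutes, one isolated slow minute, then a sustained surge); the window size, the z-score threshold and the three-minute persistence rule are assumptions to tune against real traffic.

```python
"""Rolling-baseline detection of sustained DDoS warning signs (added example, not the article's code)."""
from collections import deque
from statistics import mean, pstdev

# Constructed per-minute metrics: (minute, requests_per_minute, p95_latency_ms, error_rate).
# Twelve quiet minutes, one isolated slow minute, two quiet minutes, then six
# minutes of a sustained surge with slowdown and connection errors.
SAMPLES = []
_jitter = [0, 1, -1, 2, -2, 1, 0, -1, 2, -2, 1, 0]
for m in range(12):
    SAMPLES.append((m, 1000 + 15 * _jitter[m], 120 + 2 * _jitter[m], 0.010 + 0.001 * _jitter[m]))
SAMPLES.append((12, 1010, 400, 0.012))      # single slow minute: a blip, not an attack
SAMPLES.append((13, 995, 121, 0.010))
SAMPLES.append((14, 1005, 119, 0.011))
for m in range(15, 21):
    SAMPLES.append((m, 20000, 900, 0.30))    # sustained surge: the warning signs persist

# (key, index into the sample tuple, human-readable reason)
METRICS = (("rpm", 1, "traffic surge"), ("lat", 2, "slowdown"), ("err", 3, "connectivity errors"))


def detect_sustained_anomalies(samples, baseline_window=10, min_baseline=5,
                               z_threshold=3.0, min_consecutive=3):
    """Return [(minute, [reasons])] for each minute at which at least one metric
    has exceeded its rolling baseline for min_consecutive minutes in a row."""
    history = {key: deque(maxlen=baseline_window) for key, _, _ in METRICS}
    streak, alerts = 0, []
    for sample in samples:
        minute = sample[0]
        reasons = []
        if len(history["rpm"]) >= min_baseline:
            for key, idx, label in METRICS:
                mu = mean(history[key])
                # floor the spread so a perfectly flat baseline cannot turn
                # every tiny wobble into a hundred-sigma event
                sd = max(pstdev(history[key]), 0.05 * mu, 1e-9)
                if (sample[idx] - mu) / sd > z_threshold:
                    reasons.append(label)
        if reasons:
            streak += 1
            if streak >= min_consecutive:
                alerts.append((minute, reasons))
        else:
            streak = 0
            # only quiet minutes feed the baseline, so an attack in progress
            # cannot gradually redefine what "normal" looks like
            for key, idx, _ in METRICS:
                history[key].append(sample[idx])
    return alerts


if __name__ == "__main__":
    for minute, reasons in detect_sustained_anomalies(SAMPLES):
        print(f"minute {minute}: {', '.join(reasons)}")
```

Minute 12 trips the latency check on its own but never reaches the persistence threshold, so it is treated as the ordinary hiccup the article says every network has; the surge beginning at minute 15 is first reported at minute 17, once it has lasted three minutes, and keeps being reported for as long as it continues. Excluding flagged minutes from the baseline is the important design choice: if the attack minutes were averaged in, the baseline would drift upward and the alert would eventually silence itself.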

The Bottom Line

Unfortunately, there will always be attackers devising new and creative ways to attack a business network. Mitigation is the best way to stay a step ahead of them. Preventing attacks saves the business money, time and a lot of aggravation.

Source: https://pctechmag.com/2019/05/ddos-mitigation-and-why-you-need-it/

The “IBM X-Force Threat Intelligence Index 2019” highlighted troubling trends in the cybersecurity landscape, including a rise in vulnerability reporting, cryptojacking attacks and attacks on critical infrastructure organizations. Yet amid all the concern, there is one threat trend that our data suggests has been on the decline: hacktivism — the subversive use of internet-connected devices and networks to promote a political or social agenda.

Looking at IBM X-Force data in the period between 2015 and 2019, our team noted a sharp decrease in publicly disclosed hacktivist attacks. Our data incorporates incidents pulled from established and reliable reporting streams and reveals where a specific group claimed responsibility for the incident and where there is quantifiable damage to the victim. While this data does not capture all cyber incidents — nor all hacktivist attacks that occurred in that period — the decrease in publicly acknowledged hacktivism attacks remains significant since public attribution is a key component in these types of attacks.

In 2016 in particular, hacktivist attacks such as Operation Icarus, which directed distributed denial-of-service (DDoS) attacks at banks worldwide, made headlines several times. Another 2016 attack by the same group was a “declaration of war” on Thai police following the conviction of two Burmese men for the murders of two British backpackers. That operation resulted in the defacement of several Thai police websites. In 2018, the number of reported attacks was much lower, although various groups used similar tactics, including DDoS attacks and the defacement of several government websites in Spain.

We have some theories about the reasons behind this decline — specifically, a decrease in attacks by one core hacking collective and law enforcement acting as a deterrent against hacktivism. Let’s explore these theories in more detail.

Public Hacktivist Attacks Have Dropped Nearly 95 Percent Since 2015

We’ll start by taking a closer look at the numbers. According to X-Force data collected between 2015 and 2019, hacktivist attacks have declined from 35 publicized incidents from our sample in 2015 to five publicized incidents in 2017. In 2018, only two publicized incidents were recorded, a dramatic decline over the past four years. Thus far for 2019, no hacktivist attacks have yet met the criteria to be included in our data set, although we are aware that some hacktivist attacks have occurred.

These numbers show a drop of nearly 95 percent from 2015 to 2018 as attacks from the groups behind the bulk of the 2015–2016 attacks decreased. Most notably, the Anonymous collective and associated groups that identify themselves as Anonymous in different parts of the world perpetrated fewer attacks.

Figure 1: Number of Publicized Hacktivist Attacks (Source: IBM X-Force Data, 2015-2018)

For the hacktivist attacks tracked through our X-Force data, an analysis shows that few hacktivist groups aside from Anonymous have notably dominated the attack landscape over the past four years, with most groups carrying out only one or two attacks and then disappearing for a time.

Several groups struck only once and were never heard from again under the same name. The following figure depicts the number of hacktivist attacks by group from 2015 through 2018. Attacks by Anonymous made up 45 percent of all attacks, a far higher percentage than any other group that kept the same identity over time.

Figure 2: Hacktivist Attacks by Group (Source X-Force Data 2015-2018)

Where Have All the Hacktivist Groups Gone?

So how can this decrease in hacktivist attacks from 2015 to 2018 be explained, especially in view of how frequent these sorts of incidents were in previous years?

X-Force researchers have some theories about the changing nature of the hacktivist threat landscape that could have contributed to this decline. Upon examining these theories in light of additional data on hacktivist attacks and activity and law enforcement response, we noted several patterns that might help explain this downward trend.

A Decline in Anonymous Attack Campaigns

A decline in attacks associated with the hacking group Anonymous is one of the principal contributing factors in the overall decline in hacktivist attacks worldwide.

Starting around 2010, Anonymous became one of the most prolific hacktivist groups in the world, reaching a peak of activity in early- to mid-2016, according to IBM X-Force data. Since then, attacks by Anonymous have declined significantly, possibly due to an attrition of key leadership, differences of opinion and a struggle to find an ideological focus.

Some examples of this turmoil were on display during the 2016 US presidential election, which appeared to spark a sharp debate among Anonymous members, one that even spilled over into the public domain. While some members advocated for attacks against candidate websites, others strongly disagreed, arguing that the group does not support a particular political ideology and criticizing proposed attacks as “cringeworthy.”

In addition to differences in viewpoint, several cyber actors have sought to masquerade as Anonymous actors over the past three years, using the moniker in an attempt to legitimize their actions or to tarnish the group’s name by connecting their activities to Anonymous. In early 2016, Anonymous released a video warning about “fake Anons” and claiming that governments and individuals were acting in the name of the group in an attempt to “damage the name of Anonymous and [post] propaganda of their own ideologies,” or profit financially by using the group’s name as clickbait to attract traffic to advertising webpages. Any attempt to decrease the number of fake Anons may have led to a decrease in the number of true Anonymous actors overall.

X-Force data shows that decrease in Anonymous activity, with attacks dropping from eight incidents in 2015 to only one tracked in 2018.

Figure 3: Number of Publicized Anonymous Hacktivist Attacks Per Year (Source: IBM X-Force Data, 2015-2018)

Legal Deterrence

Arrests and legal warnings issued to hacktivists at large may be acting as an effective deterrent against additional hacktivist activity. X-Force IRIS internal tracking of related arrests revealed that law enforcement agencies in the U.S., U.K. and Turkey have arrested at least 62 hacktivists since 2011. We suspect the actual number is greater than those publicly announced. Three of the arrested hacktivists received sentences in 2018 and 2019, all with prison time of three years or greater, including one with a 10-year prison sentence.

The 10-year sentence — plus a $443,000 fine — was placed on one self-proclaimed Anonymous hacktivist who hit Boston Children’s Hospital with DDoS attacks in 2014 and was arrested in February 2016. Some security practitioners noted that the long sentence had the potential to deter additional attacks.

Another hacktivist arrested in 2011 agreed to become an informant to the FBI, possibly contributing to the demise of his hacking group LulzSec and the arrests of potentially nine other hacktivists. This hacker then served seven months in prison before becoming a legitimate penetration tester.

In January 2017, one software engineer publicly proposed a DDoS attack on the White House’s website as a form of hacktivism. Security experts and law enforcement officials warned that such an act was illegal and would be tracked and punished. In the end, no attacks appeared to have occurred, and there were no reported problems with the White House website that month.

Hacktivism Is a Volatile Tactic

Where are hacktivist attacks likely to go from here? We are reluctant to say that the era of hacktivism has come to an end. Acute social justice issues, greater organizational capabilities among hacktivist groups and a stronger shift to areas that lay beyond the reach of law enforcement all have the potential to dramatically change the face of hacktivism in a relatively short period of time. More likely than not, we are experiencing a lull in hacktivist activity rather than a conclusion.

Hacktivism incidents in 2019 already suggest that this year may see an uptick in attacks, with a scattering of activity from attacks on Saudi newspapers in January to DDoS attacks on Ecuadorian government websites following the arrest of Julian Assange. As of yet, however, these numbers have still not reached the tempo of hacktivist attacks seen in 2015 and 2016.

For the time being, the world appears to be experiencing a relative respite from hacktivist attacks, perhaps freeing defensive resources to focus on more pressing threats, such as malicious actors’ use of PowerShell, Spectre/Meltdown and inadvertent misconfiguration incidents. These ongoing threats, X-Force IRIS predicts, will continue to demand more focus from security teams throughout 2019.

Source: https://securityintelligence.com/posts/the-decline-of-hacktivism-attacks-drop-95-percent-since-2015/

DDoS attacks top the list of primary security concerns for mobile operators now that 5G wireless is advancing as the number of connected devices grows.

The next generation of mobile networking technology — the highly anticipated 5G — will improve the speed and responsiveness of wireless networks when deployed, but it is already raising questions for mobile operators, specifically about the implications of 5G security.

Commercial 5G is in the early stages of becoming a reality and will continue to grow. A recent report, “Opportunities and Challenges in a 5G Connected Economy,” from market research firm Business Performance Innovation Network in partnership with security vendor A10 Networks, looked at the security concerns 5G brings to the mobile industry.

“Security is a top concern for 5G operators, almost equal to increasing capacity and throughput,” the report said, reporting that 94% of respondents expect the growth of 5G to increase security and reliability concerns for 5G mobile operators.

5G concerns can be looked at in two ways, according to Paul Nicholson, senior director of product marketing at A10 Networks. One concern is the increase in traffic and devices; whenever technology changes, unexpected issues often arise. The other is that, beyond the new 5G technology itself, operators are also moving to a cloud, software-defined environment, which they must secure as well, he said, adding that security works differently with different components.

Despite the high level of concern, the study also revealed most mobile operators still have significant work to do in building the security foundation needed to support 5G.

While the majority of survey respondents said they intend to upgrade security tools — such as firewalls — to work better with 5G, only 11% have actually implemented the upgrades.

A full 79% of survey respondents said their companies are taking 5G requirements into consideration with their current security investments. Another 17% said they are already looking at it.

The top security concerns include core network security, with 72% of respondents rating it very important; 60% are concerned with endpoint security and 38% with security management and staffing requirements.

Core network security concerns include upgrading different types of firewalls given the increased traffic and scalability of 5G. Only a small percentage of respondents have upgraded their firewalls already, while more than half said they plan to.

“The need to upgrade the Gi firewall at the Evolved Packet Core is widely recognized as a critical need for improving 5G security, while it also delivers significant benefits to existing 4G networks,” the report said.

“[Mobile operators] also need to think about external forces, like volumetric DDoS [distributed denial-of-service] attacks, which are coming in from the outside to try to disrupt service,” Nicholson said.

Figure: The most important security advances and capabilities for the future (source: BPI Network / A10 Networks report)

The threat of DDoS attacks

The deployment of 5G will open a lot of networking possibilities due to its improvements in speed, capacity and latency. Those advances, however, also open up the possibility for more severe attacks.

One of the most significant security concerns of respondents was the possibility of DDoS attacks — 63% said advances in DDoS protection were important to their future ability to address larger and more sophisticated attacks.

“Today, A10 [Networks] knows that there are 23 million DDoS weapons out there poised to attack on demand,” Nicholson said, citing the spread of the Mirai botnet that followed DDoS attacks in 2016.

“The most recent was a 1.7 terabit attack against GitHub using misconfigured Memcached servers in a reflection attack,” he said. “Reflection attacks are still the biggest attacks we see today with multiple types of devices being used.”

DDoS attacks often target internet-connected devices, so as the number of devices continues to grow and as 5G network deployments increase and connect to more devices, DDoS threats could lead to more attacks — not only in frequency but in how far and fast the attacks could spread.

“When we get to the 5G world, there’s going to be a lot more connected devices, and they’re going to be capable of generating traffic at a much higher rate,” Nicholson said. “With the DDoS weapons, we think this is just the tip of the iceberg.”

Source: https://searchsecurity.techtarget.com/feature/DDoS-attacks-among-top-5G-security-concerns