DDoS Attack Specialist Archive

June 19th, 2013

When distributed denial-of-service (DDoS) attacks first started appearing in the late 1990s, the response from businesses was broadly similar to that of most new cyber threats: A shrug of the shoulders and an ‘it won’t happen to me’ attitude.

Then, as they became more prevalent, companies began to take notice. Yet until relatively recently, products that could successfully defend against a DDoS attack weren’t available to many businesses. Businesses that did get hit had no option but to grin and bear it.

Vendors now offer a wide range of mitigation solutions that offer protection to companies that find themselves under siege. While their effectiveness can’t be guaranteed, it allows firms to be proactive and put together defence strategies, instead of simply waiting to be targeted.

The frequency of DDoS attacks is growing at a frightening rate, with one report claiming a 200 per cent annual increase.

A week rarely goes by without the media running a story about a high-profile victim of a successful DDoS attack. With our always-online culture coupled with businesses migrating more of their services onto the internet, the threat has become more acute.

This increase in attacks and greater public awareness has moved DDoS onto the risk dashboards of all businesses, from start-ups to multi-national corporations. But simply putting mitigation measures in place and hoping for the best isn’t enough.

It’s been suggested that defending against a DDoS attack can cost as much as £2.5 million. Although this may be an overestimation, businesses do need to be certain that their mitigation investment will pay dividends.

In other areas of cyber security, the cost effectiveness of this type of investment can be assessed. For instance, a penetration test can measure how effective a network’s defences are and pinpoint vulnerabilities. But with a DDoS attack, how do you know that your investment is worthwhile, until it’s too late?

There’s also practical preparation to think about too. Do IT employees and service providers know what a DDoS attack will look like? Do they know the signs to look out for, and do they know their role during an attack scenario?

In the workplace, we all know what to do if there was ever a fire because of fire drills; we run over the steps we’d need to take so that, should the real thing happen, we are prepared.

That is exactly the mind-set that businesses should have when it comes to DDoS attacks, and why we’ve created a DDoS fire drill service. Building on our DDoS assured simulation service – which emulates a real attack through our own botnet in a secure, controlled manner – we can test businesses with a controlled, low level DDoS attack and allow them to test their response processes.

While we control the attack, companies can examine staff and supplier reaction and ensure realistic procedures are in place to manage not only the attack itself, but also discourse with the supply chain without having to wait until a real attack occurs.

For instance, working out whose responsibility it is to phone the necessary third parties might seem like an inconsequential issue, but if employees don’t know their roles or have never had a chance to practice then it shouldn’t be assumed.

What about the mitigation solutions that aren’t fully automated? Whose role is it to man them, and do they know how? With the DDoS fire drill, everyone can learn exactly what part they’re expected to play. When the fire alarm goes off, employees know exactly where to go; it should be the same once the tell-tale DDoS signs appear.

Being prepared and ready is paramount when it comes to any emergency, and cyber security is no different. Too many businesses are like rabbits in the headlights once a DDoS attack starts. But prepare and practice accordingly and it is possible to minimise the damage.


Source: http://www.scmagazineuk.com/ddos-evolution-and-the-importance-of-preparation/article/299171/

Anonymous, the international collective of hackers and activists, has continued its online cyberattack on Turkey’s Internet infrastructure that began over the weekend. In response to a violent police crackdown on protesters and the censoring of communications, Anonymous launched #OpTurkey and has now hacked over 100 Turkish websites, including several belonging to the Turkish government.

“We will attack every Internet and communications asset of the Turkish government,” Anonymous threatened in a YouTube video posted Sunday. “You have censored social media and other communications of your people in order to suppress the knowledge of your crimes against them. Now Anonymous will shut you down, and your own people will remove you from power.”

Anonymous used distributed denial of service, or DDoS, hacks to overload servers and knock target websites offline. In addition to websites belonging to the Turkish government, political parties and police department, Anonymous hacked websites belonging to media outlets that support Prime Minister Tayyip Erdogan. One example was the private news broadcaster NTV, which was criticized for not reporting on the police brutality.


Other Turkish websites were hacked and defaced to include images supporting the protesters in Turkey. Several Tunisian hackers got involved with #OpTurkey and claim to have hacked more than 145 Turkish websites.

The Turkey protests began as a peaceful demonstration against plans to build over Gezi Park in Taksim Square. The protest changed to a call for Erdogan to resign and police responded with tear gas and pepper spray. Several international human rights groups have condemned the police action in Turkey as excessive use of force.

Turkish protesters have said that the government has shut down Internet connections and censored social media websites in an attempt to hide the police brutality. While these reports haven’t been confirmed, Erdogan has expressed distaste for social media, calling it a “menace.” To combat this, Anonymous has shared how to use encryption software to evade government censors and has tweeted passwords to free virtual private networks.

Earlier this year, Anonymous launched cyberattacks against North Korea and Israel and hacked several government websites. Last week, Anonymous joined a protest in solidarity with the hunger strike in Guantanamo Bay, effectively making the protest the No. 1 topic on Twitter.

Source: http://www.ibtimes.com/opturkey-anonymous-hacks-145-turkish-websites-shares-free-internet-access-protestors-turkey-1290799

The New York Times Company was a victim of online attacks earlier this week that slowed down The New York Times Web site and limited access to articles and other types of content.

According to Danielle Rhoades Ha, a company spokeswoman, the Web site became unavailable to “a small number of users” after a denial-of-service attack, a tactic used by hackers to slow or halt Web traffic by bombarding a host site with requests for information. She added that the company did not “have confirmation on who is responsible for the most recent attacks on nytimes.com.”

The announcement follows attacks that were made on The Times’s site late last year. In January, the newspaper announced that its computer systems had been infiltrated by Chinese hackers who found passwords for reporters and other employees. The attacks took place as The Times investigated the relatives of Wen Jiabao, China’s prime minister, and how they had built up a multibillion-dollar fortune during his political tenure. David Barboza, the author of the article, won a Pulitzer Prize.

Attacks on media organizations are not unique to The Times. Shortly after the January announcement by The Times, officials at The Wall Street Journal and The Washington Post also reported that their Web sites had been attacked by Chinese hackers. On Friday, the Syrian Electronic Army said it had hacked the Web site and several Twitter accounts that belonged to The Financial Times. In the past, it has attacked other media companies, including The Associated Press and The Onion.

Source: http://www.nytimes.com/2013/05/18/business/media/times-site-is-attacked-by-hackers.html?_r=0

Government IT managers should be aware that distributed denial of service (DDOS) attacks may become more than just a frustrating nuisance that they need to deal with on their networks. Such attacks may increasingly be used as a ploy to create background interference during a major emergency. Think of it as creating a communication traffic jam that keeps first responders stuck in low gear.

But first, a little update on where DDOS stands today. A study by Prolexic Technologies reports a 718 percent increase this year in the overall bandwidth consumed by DDOS attacks, while a recent report from Verizon says that most recent DDOS attacks have been launched by activist groups. Many Internet service providers have reported a general increase in DDOS-related traffic.

Meanwhile, the Homeland Security Department and the FBI have issued an alert noting that they are aware of dozens of telephony denial of service (TDOS) attacks aimed at government or financial communications centers. This variation is similar to DDOS attacks: computer-controlled calls are made in high volume, but they target voice lines rather than computers. So far the targets have been mostly administrative, not 911, telephone lines. But that could change.

Evidence of DDOS attacks launched in conjunction with real emergencies is spotty, but there have been instances.

In 2010, after a hurricane in Myanmar/Burma, an international DDOS attack targeted some of the media sites that had relocated after the storm. This made it difficult for them to share government news.

This year, not long after the Boston Marathon bombing, the social news site Reddit set up a section to allow visitors to post photos and share theories about the event. The pages grew in popularity and received attention from the mainstream press, particularly after it had misidentified several people as suspects. Once that happened, the site became the target of a massive DDOS attack which shut off contact for over 50 minutes while site managers worked to re-route traffic and address security issues. High-traffic sites often use content delivery networks (CDNs), essentially a distributed system of servers housed at multiple data centers. At the peak of the attack, Reddit was hit with more than 400,000 requests per second to its CDN. The requests came from “thousands of separate IP addresses, all hammering illegitimate requests, and all of them simultaneously changing whenever we would move to counter,” according to a statement made by one of the Reddit editors.

The banking industry has been targeted many thousands of times with DDOS attempts, sometimes in conjunction with specific news events related to economic reports.

Government needs to be aware of these connections because, in extreme situations, DDOS could be used to block Internet access to critical services like traffic controls, river or dam monitoring, contact with police and more.


Source: http://gcn.com/Articles/2013/04/26/When-DDOS-attacks-become-real-threat.aspx?Page=2

Distributed Denial of Service attacks have increased in scale, intensity and frequency. The wide range of motives for these attacks – political (hacktivism), criminal (coercion), or social (malice) – makes every merchant or organization with an online presence a potential target. The shared nature of the Internet infrastructure – whether hosting, DNS, or bandwidth – puts many merchants or organizations at risk of becoming collateral damage, as well. If you find that your site or organization is under attack, it’s important that you report such attacks quickly to parties that are best positioned to help you mitigate, weather, and restore normal service.

I’m under attack. What should I do? Whom should I call?

Any Internet service – web, DNS, Internet voice, mail – can be the target of a DDoS attack. If your organization uses a hosting provider for a service that is attacked, first contact the hosting provider. If your organization hosts the network or Internet service that is under attack, first take measures to contain or dampen the attack. Next, call the service provider that provides Internet access for your network. Most hosting providers and ISPs post emergency contacts on their web sites and many include at least general contact numbers on bills. If you only have a general contact number, explain that you are under attack and ask the customer care agent to escalate (forward) your call to operations staff with the ability and authority to investigate.

Helping Hands

Traffic associated with a single DDoS attack may originate from hundreds or thousands of attack sources (typically compromised PCs or servers). In many cases, your hosting provider or your Internet access provider should act on your behalf (and in self-interest). They will contact “upstream” providers and the ISPs that route traffic from the DDoS attack sources to notify these operators of the nature and suspected origins of the attack. These operators will investigate and will typically revoke routes or take other measures to squelch or discard traffic close to the source.

If you cannot find contacts, or if the contacts you find are unresponsive, try contacting a Computer Incident, Emergency, or Security Incident Response Team (CERT/CIRT/CSIRT), or a Trusted Introducer (TI) team. CERT/CIRT organizations (find a national list here) or TI teams will investigate an attack, notify and share information with hosting providers or ISPs whose resources are being used to conduct the attack, and work with all affected parties to coordinate an effective mitigation.

Should I contact Law Enforcement?

Contact your national law enforcement agency if you believe that a crime is being committed; for example, you should contact law enforcement if your organization received a threat prior to the attack, or received a demand for money in return for not being attacked, or if you believe that critical infrastructure or delivery of a critical service (such as Emergency 911) is threatened.

Contact law enforcement to report a crime, not to mitigate an attack. DDoS attacks are criminal acts in many jurisdictions. By filing a report, you and other victims provide valuable information that may be relevant in any subsequent investigation or prosecution of the attackers.

Provide Good Intel

At an operational level, you, your hosting provider or ISP should gather as much information related to the attack as possible. The Operations Security Trust Forum recommends collecting the following kinds of information:

  1. Provide as much time information as possible: identify the start of attack, end of attack, whether the attacks are repeated, and whether there are observable patterns or cycles to the attacks.
  2. Share any insights or suspicions you have regarding the nature of the attack. Does it appear to correlate with a geo-political event? Did you receive threatening correspondence prior to or during the attack and if so, what was the nature of the threat?
  3. Provide detailed traffic information including: type of traffic (ICMP, DNS, TCP, UDP, application), source and targeted IP addresses and port numbers, packet rate, packet size, and bandwidth consumed by the attack traffic.
  4. Describe any unique traffic or packet characteristics you observe. Is the attack targeting a particular virtual host or domain? What have you observed from application protocol headers? Have you observed any unusual patterns of flag settings in underlying protocols (TCP, UDP, ICMP, IP)?
  5. Identify any changes you observe in the attack over time (i.e., to packet sizes, rates, unique IPs seen per epoch, protocols, etc.). These may be indications that the attacker is reacting to mitigation efforts you or others have implemented.
  6. Provide your assessment of the impact; for example, explain whether you are managing the attack using mitigations and assistance, or that your services or performance is {moderately, severely} affected, or that your services have been disrupted entirely.
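As an added illustration (not part of the ICANN post), the script below turns a constructed set of exported flow records into the time, traffic and per-epoch summary that items 1, 3 and 5 above ask for; the record layout, field names and sample addresses are assumptions made for the example.

```python
# Added example: summarise constructed flow records into a DDoS report
# covering attack window, protocol/target mix, source count, rates and
# per-epoch changes. Record format is an assumption for illustration.
from collections import Counter
from datetime import datetime

# Constructed sample: timestamp proto src dst dport packets bytes tcp_flags
FLOWS = """\
2013-06-19T10:00:00 TCP 198.51.100.7 203.0.113.10 80 1200 72000 S
2013-06-19T10:00:00 TCP 198.51.100.8 203.0.113.10 80 1100 66000 S
2013-06-19T10:00:05 UDP 198.51.100.9 203.0.113.10 53 900 1080000 -
2013-06-19T10:00:05 TCP 198.51.100.7 203.0.113.10 80 1300 78000 S
2013-06-19T10:00:10 UDP 198.51.100.11 203.0.113.10 53 950 1140000 -
"""

def parse_flows(text):
    """Parse whitespace-separated flow records into dicts."""
    rows = []
    for line in text.strip().splitlines():
        ts, proto, src, dst, dport, pkts, nbytes, flags = line.split()
        rows.append({"ts": datetime.fromisoformat(ts), "proto": proto,
                     "src": src, "dst": dst, "dport": int(dport),
                     "pkts": int(pkts), "bytes": int(nbytes), "flags": flags})
    return rows

def attack_report(rows, epoch_s=5):
    """Build the summary the checklist asks for; each record covers one epoch."""
    start = min(r["ts"] for r in rows)
    end = max(r["ts"] for r in rows)
    duration = (end - start).total_seconds() + epoch_s  # last epoch included
    total_pkts = sum(r["pkts"] for r in rows)
    total_bytes = sum(r["bytes"] for r in rows)
    epochs = {}  # per-epoch source sets and packet counts (item 5)
    for r in rows:
        key = int((r["ts"] - start).total_seconds() // epoch_s)
        e = epochs.setdefault(key, {"srcs": set(), "pkts": 0})
        e["srcs"].add(r["src"])
        e["pkts"] += r["pkts"]
    return {
        "start": start.isoformat(), "end": end.isoformat(),        # item 1
        "protocols": dict(Counter(r["proto"] for r in rows)),      # item 3
        "targets": dict(Counter((r["dst"], r["dport"]) for r in rows)),
        "unique_sources": len({r["src"] for r in rows}),
        "pps": total_pkts / duration,
        "mbps": total_bytes * 8 / duration / 1e6,
        "syn_only_flows": sum(1 for r in rows
                              if r["proto"] == "TCP" and r["flags"] == "S"),
        "per_epoch": [(k, len(v["srcs"]), v["pkts"])
                      for k, v in sorted(epochs.items())],
    }
```

The per_epoch list shows source churn and rate changes across the window, which is what item 5 asks you to watch for when judging whether an attacker is reacting to mitigation.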

Don’t Wait Until You Are a Victim

If you have not already prepared a plan to respond to a DDoS attack, please consider doing so. The article Preparing for the (Inevitable) DDOS Attack offers a checklist of contacts, information, and mitigation strategies.


Source: http://blog.icann.org/2013/04/how-to-report-a-ddos-attack/