DDoS Attack Specialist Archive

The total number of distributed denial of service attacks declined steadily last year, from more than 450,000 attacks in the first quarter to fewer than 150,000 in the fourth quarter — but the size and complexity of the average attack both increased, according to a new report from Black Lotus Communications.

San Francisco-based Black Lotus, a DDOS mitigation firm, saw a total of 1.14 million different attacks last year, with an “alarming” surge in the last quarter of the year.

The average bit volume of each attack — the number of packets, multiplied by the size of each packet — increased 3.4 times compared to the third quarter of the year.

In addition, it was the first time that Black Lotus saw average attack size pass 10 gigabits per second, reaching an average of 12.1 Gbps in the fourth quarter, up from just 2.7 Gbps at the start of the year.

This isn’t bad news for Black Lotus, which is in the business of protecting organizations from the largest attacks. But it is bad news for enterprises doing their own DDOS mitigation.

“If people are trying to defend their own network using an on-premise device, they typically don’t have the capacity to exceed 20 gigabits,” said Frank Ip, the company’s VP of marketing and business development.

In other bad news, the complexity of attacks has already increased.

“There is a continuous trend of people combining different attacks together, in hybrid attacks,” Ip said.

“We’re also seeing more application-layer attacks,” he added. “Even though those are smaller in size, they are not smaller in terms of effect or damage to the targeted victim.”

While network attacks try to use up all the network bandwidth, application attacks target just one application’s resources, he explained.

“These are much easier to over run,” he said.

In fact, he said, the increased sophistication of the attacks may explain, in part, why there are fewer of them.

“They’re being more efficient,” he said. “They don’t have to lodge as many attacks to accomplish what they have to accomplish.”

There was also some good news last year, he added.

Attacks that used compromise servers to magnify the size of the attack are almost completely gone, he said.

“All the operators and companies that ran DNS and servers have patched up all the loopholes,” he said. “There are no more vulnerable servers available to generate those large volumes.”

Source: http://www.csoonline.com/article/2902309/network-security/ddos-attacks-less-frequent-last-year-more-dangerous.html

According to the latest quarterly threat report from network security specialist Black Lotus the frequency of DDoS attacks fell by 44 percent in the last quarter of 2014.

However, the average packet volume of attacks increased 340 percent to 4.36 million packets per second (Mpps), and the average bit volume swelled 245 percent to 12.1 gigabits per second (Gbps) over the same period.

The report is based on analysis of Black Lotus’ customer network logs. The largest bit volume DDoS attack observed during the report period was 41.1 Gbps on Oct 1, a rise in volume since the beginning of 2014, due to attackers’ usage of blended, complex attacks to achieve outages.

Of the 143,410 attacks observed during Q4 2014 49 percent were regarded as severe and more than half (53 percent) of all those mitigated resulted from UDP flood attacks. These cause poor host performance or extreme network congestion by producing large amounts of packets and IP spoofing.

The average attack during the report period was 12.1 Gbps and 4.36 Mpps, tripling average packet volume since the previous quarter. This indicated a continued reliance on using multi-vector attacks, signaling the need for security practitioners to use intelligent DDoS mitigation rather than padding networks with extra bandwidth.

“We found DDoS attacks continued trending down in frequency quarter over quarter, but, on average, attack volumes multiplied,” says Shawn Marck, co-founder and chief security officer of Black Lotus. “With networks and IT teams becoming defter at spotting and stopping volumetric attacks, cybercriminals are turning to blended approaches to confuse organizations, often using DDoS attacks as smokescreens for other underhanded activity”.

Looking ahead, Black Lotus has revised its estimate of the security measures enterprises will need to protect against the majority of attacks throughout 2015. It now says they’ll need to be capable of handling 15 Gbps minimum in bit volume, up from its Q3 prediction of five Gbps minimum. The research team anticipates that attackers will continue to try new DDoS recipes in an effort to confuse security teams and allow agitators to steal user credentials, customer billing information or confidential files.

Source: http://betanews.com/2015/03/24/ddos-attacks-reduce-in-frequency-but-grow-in-volume/

Research said organisations fear losing contracts and ongoing business as a consequence

Research by Kaspersky has revealed businesses fear losing clients as a result of DDoS attacks, although the construction industry is more concerned about the cost of eradicating threats.

A survey conducted by the security firm in partnership with B2B International revealed 26 per cent of companies thought the problems caused by such attacks were long-term, meaning they could lose current or prospective clients as a result.

23 per cent said they were concerned a DDoS attack would cause reputational issues, while 19 per cent thought the risk of losing current customers who were not able to access services as a result of an outage was the biggest threat to business.

The research revealed that only 37 per cent of the companies surveyed had measures already in place to protect against DDoS attacks.

Evgeny Vigovsky, head of Kaspersky DDoS Protection at Kaspersky said: “People who have not yet faced a particular threat often tend to underestimate it while those who have already experienced it understand which consequences might be the most damaging for them. 

“However, it makes little sense to wait until the worst happens before acting – this can cost companies a lot, and not only in financial terms. That is why it is important to evaluate all possible risks in advance and take appropriate measures to protect against DDoS attacks.”

Of those surveyed, the majority of telecoms, e-commerce, utilities, utilities and industrial companies viewed the loss of business as the main DDoS risk, while construction and engineering verticals explained they were concerned about the cost of implementing backup systems most.

Source: http://www.itpro.co.uk/security/24245/ddos-attacks-losing-companies-business-opportunities

Denial of service is on the rise. What can you do to respond?

Business in the West runs on the Internet, a fact your reporter is acutely aware of as he writes offline, the office having been plunged into the 1950s for reasons best known to the IT department.

That in mind, it is no surprise that web disruption has acquired a status formerly reserved for mass traffic jams or tree-wrenching storms, a fact illustrated by the speculation that followed Facebook going offline for a mere sixty minutes in January.

Though the social network eventually claimed the shutdown was planned maintenance, many took seriously the claim that Lizard Squad, a group of hackers known for shutting down video game networks, had brought one of Silicon Valley’s giants to a halt through a distributed-denial-of-service (DDoS) attack.

Whilst Lizard Squad’s prowess likely does not extend to such feats, the idea that a business could be paralysed by DDoS attacks is not so strange. The attack method, which involves flooding servers with traffic, is one of the easiest hacks to pull off – so much so that some purists do not even consider it to qualify as hacking.

Launching such an attack can be as simple as downloading a tool for your computer that effectively automates a page refresh on a website at high speed. More advanced versions require roping in other machines to create botnets (robot networks), with such services also available to rent for as little as a few pounds. So what can be done about them?

Hacking politics

“The primary purpose of a denial-of-service attack is to interfere with an organisation’s Internet activity,” says Chris Richter, SVP of managed security services at Level 3, a telecoms firm. “We see a lot of that happening with companies dependent on high speed transactions such as gaming or finance.”

According to Richter as much as three-quarters of these attacks fall into the realm of “hacktivism”, a form of political protest in which hackers disrupt a company or government’s operations to register their opposition to a given policy or practice – a common tactic among groups such as Anonymous.

More problematic are the “mixed” or “blended” attacks, which used DDoS as a distraction. Mike Langley, EMEA VP of Palo Alto Networks, a security vendor, says DDoS attacks can be just the start of a broader assault, which may leave firms open to devastating damage.

“DDoS attacks are how you cripple a company, then you utilise malware to break the perimeter and get where you want to go,” he says. “We’re certainly defending against DDoS attacks, but the reality of all these threats is it’s sophisticated malware and that’s getting past people’s perimeters.”

Blocking the threat

Langley adds that the CISOs he talks to tend not worry so much about the hacktivism, but rather how they can beat the cybercriminals before they have a chance to steal data or intellectual property.

It is in this vein Richter’s company Level 3 runs a “scrubbing” service, so called because it can wash traffic clean before the bad stuff has a chance to disrupt a website. It works by redirecting traffic away from the website for assessment, only passing on the legitimate visitors to the main site.

“We decided to build a DDoS mitigation service because wee scan so much of the world’s traffic,” he says. “We see about 70% of the world’s IP headers flowing across our routers. That gives us the ability to detect all of the malicious activity, including DDoS attacks.”

By analysing the NetFlow packets, which contain data on router traffic, Level 3 is able to tell which traffic is good or bad based on its origin, destination, volume and protocol. It has even devised an analytics program that can be taught what to look for.

This approach differs from Palo Alto’s solution, which relies on staple defences that most companies would be considering as part of a broader security programme. These include segmenting data, implementing systems that beat unpatched “zero day” flaws, blocking command and control (C&C) servers which send instructions to viruses, and limiting user privileges across a system.

“The nature of any malware is that it’s going to do something that’s not acceptable use,” Langley explains. Both firms plans are part of a broader initiative to detect strange behaviour, which is an increasing focus among security vendors.

Denial of future

Yet even as the defenders become smarter, the hackers are expanding their efforts to carry out DDoS attacks. Richter reports that his company has seen a rise in volumetric attacks, which launch thousands of bots at a given website, and also strikes levelled against web apps as opposed to websites.

“These [application attacks] are low and slow,” he says, adding that they involved crafted packets that target specific vulnerabilities and are primed to go off at a specific time. Such strikes will be harder to his firm to detect than the current batch, but no less damaging. Troubling times await.

Source: http://www.cbronline.com/news/security/how-to-protect-yourself-from-ddos-attacks-4527651

There’s a striking disparity between how threatened service providers feel by potential DDoS attacks and how prepared they are to mitigate one, according to a Black Lotus survey. The findings demonstrate that while almost all participants (92 percent) have some form of DDoS protection in place, it is insufficient to stop an attack before damage is done.


Most respondents incurred increased operational expenses due to DDoS attacks, with more than 35 percent of the providers surveyed indicating that they are hit with one or more attacks weekly. The respondents represented companies of all sizes, from small to large.

The largest group represented in the survey was small companies of one to 999 employees worldwide (52 percent of all companies surveyed), with organizations of fewer than 250 employees (20 percent) as the largest subgroup.

Among the findings were:

  • 61 percent of providers feel that DDoS is a threat to their businesses.
  • Only 16 percent of the providers surveyed indicated that they had been rarely or never hit by a DDoS attack.
  • The top three industries with customers affected by DDoS attacks are managed hosting solutions (MHS), voice over IP (VoIP) and platform as a service (PaaS).
  • In case of a DDoS attack, 34 percent of the surveyed providers remove the targeted customer, and 52 percent temporarily null route or block the problem customer.
  • 64 percent of PaaS providers have been impacted by DDoS.
  • 56 percent of MHS providers have been impacted by DDoS.
  • 52 percent of infrastructure as a service (IaaS) providers have been impacted by DDoS.

“DDoS attacks lasting hours or even minutes can lead to loss of revenue and customers, making DDoS protection no longer a luxury, but a necessity,” said Shawn Marck, CSO of Black Lotus. “DDoS attacks will continue to grow in scale and severity thanks to increasingly powerful (and readily available) attack tools, the multiple points of Internet vulnerability and increased dependence on the Internet. Enterprises have to move from thinking of DDoS as a possibility, to treating it as an eventuality.”

Source: http://www.net-security.org/secworld.php?id=18043