DDoS Attack Specialist Archive

In the final quarter of 2014, the average peak size of distributed denial-of-service (DDoS) attacks mitigated by Verisign was 7.39 Gbps, a 14 percent increase over the third quarter of 2014 (6.46 Gbps) and a 245 percent increase over the final quarter of 2013 (2.14 Gbps).

Those findings are a part of the ‘Verisign Distributed Denial-of-Service Trends Report’ for the fourth quarter of 2014, which includes observations on DDoS activity for the period beginning Oct. 1, 2014 and ending Dec. 31, 2014.

“In all, 42 percent of attacks leveraged more than 1 Gbps of attack traffic, which even today remains a significant amount of bandwidth for any network-dependent organization to over-provision for DDoS attacks,” the report revealed, adding 17 percent of attacks leveraged more than 10 Gbps of DDoS traffic.

In the fourth quarter of 2014, UDP amplification attacks leveraging Network Time Protocol (NTP) continued to be the most common DDoS attack vector, but Simple Service Discovery Protocol (SSDP) also continues to be exploited in amplification attacks, according to Verisign’s research.

For NTP amplification attacks, the report stated that “the solution can be as easy as restricting or rate-limiting NTP ports inbound/outbound to only the authenticated/known hosts.” With SSDP-based attacks, “SSDP implementations [for most organizations] do not need to be open to the Internet.”
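The two mitigations the report names can be expressed as a small border policy. The following is an added example and not code from Verisign or the SC Magazine article: it restricts NTP (UDP/123) to an allow-list of known peers, rate-limits even those with a per-peer token bucket, and drops SSDP (UDP/1900) at the Internet edge outright. The packet record, the local prefix 203.0.113.0/24, the peer allow-list and the rate numbers are assumptions chosen for the example, and the traffic it runs over is constructed (the reflected flood mirrors the report's "NTP reflection targeting port 443").

```python
"""Border policy for the two UDP amplification vectors named in the report:
restrict NTP (UDP/123) to known peers and rate-limit it; keep SSDP (UDP/1900)
off the Internet edge entirely.

Added example, not code from Verisign or SC Magazine. The Packet record, the
local prefix, the peer allow-list and the rate numbers are assumptions chosen
for the example; the sample traffic in run_sample() is constructed.
"""
import ipaddress
from collections import namedtuple

Packet = namedtuple("Packet", "ts proto src_ip src_port dst_ip dst_port length")

NTP_PORT = 123
SSDP_PORT = 1900


class TokenBucket:
    """Per-peer token bucket: refills `rate` tokens per second, holds at most `burst`."""

    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = burst, None

    def allow(self, now):
        if self.last is None:
            self.last = now
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


class AmplificationPolicy:
    def __init__(self, local_net, known_ntp_peers, ntp_rate=20, ntp_burst=40):
        self.local_net = ipaddress.ip_network(local_net)
        self.known_ntp_peers = {ipaddress.ip_address(p) for p in known_ntp_peers}
        self.ntp_rate, self.ntp_burst = ntp_rate, ntp_burst
        self.buckets = {}
        self.stats = {"allow": 0, "drop_ssdp": 0, "drop_ntp_unknown": 0, "drop_ntp_rate": 0}

    def remote_side(self, pkt):
        """The address outside our prefix, for inbound and outbound packets alike."""
        src = ipaddress.ip_address(pkt.src_ip)
        return src if src not in self.local_net else ipaddress.ip_address(pkt.dst_ip)

    def decide(self, pkt):
        """Return 'allow' or a drop reason; every verdict is counted in self.stats."""
        if pkt.proto != "udp":
            verdict = "allow"
        elif SSDP_PORT in (pkt.src_port, pkt.dst_port):
            # SSDP is a LAN discovery protocol; nothing legitimate crosses the border.
            verdict = "drop_ssdp"
        elif NTP_PORT in (pkt.src_port, pkt.dst_port):
            peer = self.remote_side(pkt)
            if peer not in self.known_ntp_peers:
                verdict = "drop_ntp_unknown"
            else:
                bucket = self.buckets.setdefault(peer, TokenBucket(self.ntp_rate, self.ntp_burst))
                verdict = "allow" if bucket.allow(pkt.ts) else "drop_ntp_rate"
        else:
            verdict = "allow"
        self.stats[verdict] += 1
        return verdict


def run_sample():
    """Constructed traffic: a reflected NTP flood, normal NTP, an NTP burst, SSDP, TCP."""
    policy = AmplificationPolicy("203.0.113.0/24", ["192.0.2.10"])
    victim = "203.0.113.5"
    pkts = []
    # 50 monlist-sized replies from a reflector we never talk to, aimed at UDP port 443
    pkts += [Packet(i * 0.001, "udp", "198.51.100.7", NTP_PORT, victim, 443, 482) for i in range(50)]
    # 5 ordinary replies from our configured peer, one per second
    pkts += [Packet(float(i), "udp", "192.0.2.10", NTP_PORT, victim, NTP_PORT, 76) for i in range(5)]
    # 60 replies from that same peer inside 6 ms: the bucket holds 40, so 20 are dropped
    pkts += [Packet(10.0 + i * 0.0001, "udp", "192.0.2.10", NTP_PORT, victim, NTP_PORT, 482) for i in range(60)]
    # 3 SSDP replies from a reflector
    pkts += [Packet(11.0 + i, "udp", "198.51.100.9", SSDP_PORT, victim, 55555, 320) for i in range(3)]
    # 2 TCP packets, untouched by this policy
    pkts += [Packet(12.0 + i, "tcp", "198.51.100.20", 40000 + i, victim, 443, 60) for i in range(2)]
    for pkt in pkts:
        policy.decide(pkt)
    return dict(policy.stats)


if __name__ == "__main__":
    print(run_sample())
```

The allow-list works for servers and routers that peer with a fixed set of NTP sources. Hosts that synchronise against a pool see a changing set of server addresses, and for them the equivalent control is a stateful rule that admits a UDP/123 reply only when a matching request was recently sent, which is what a stateful firewall's connection tracking provides; the rate limit still applies on top, because a compromised or misconfigured peer can send far more than the handful of packets per minute NTP needs.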

Which industry was hit hardest by DDoS attacks in the fourth quarter of 2014?

According to the report, IT services/cloud/Software as a Service (SaaS) customers experienced the largest volume of attacks, and one of them was the target of the largest volumetric UDP-based DDoS attack Verisign saw in the final quarter of 2014.

“This was primarily an NTP reflection attack targeting port 443 and peaking at 60 Gbps and 16 Mpps,” the report states. “The attack persisted at the 60 Gbps rate for more than 24 hours, and serves as another example of how botnet capacity and attack sustainability can be more than some organizations can manage themselves.”

The media and entertainment industry was also a big target. One customer experienced the largest TCP-based attack – a SYN flood – of the quarter, according to the report, which explains that the attack targeted a custom gaming port and peaked at 55 Gbps and 60 Mpps.

Altogether, 33 percent of Verisign DDoS mitigations were for IT services/cloud/SaaS customers, 23 percent were for media and entertainment customers, 15 percent were for financial customers, 15 percent were for public sector customers, 8 percent were for ecommerce/online advertising customers, and 6 percent were for telecommunications customers.

Public sector customers experienced the largest increase in attacks in quarter four of 2014, the report notes.

“Verisign believes the steep increase in the number of DDoS attacks levied at the public sector may be attributed to attackers’ increased use of DDoS attacks as tactics for politically motivated activism, or hacktivism, against various international governing organizations, and in reaction to various well-publicized events throughout the quarter, including protests in Hong Kong and Ferguson, MO,” the report states.

Source: http://www.scmagazine.com/report-shows-42-percent-of-attacks-leveraged-more-than-1-gbps-of-attack-traffic/article/399206/

With social networking, mobile devices and cloud computing solutions being used more pervasively, we will see a transformational change in how service providers and large organizations deploy and enable security in their revenue generating network infrastructure.

Recent security breaches, even among security-conscious companies worldwide, have put an uncomfortable spotlight on corporate security and compliance measures. Security professionals and network administrators have to walk a fine line between enforcing application security against increasingly sophisticated cyber attacks and providing sufficient access for their corporate customers.

Service providers such as cloud providers, web hosting services, ISPs as well as large enterprises require an environment that is highly available and secure. Any failure to resolve prevailing security threats such as cyber intrusions and distributed denial of service (DDoS) attacks can present costly and complicated scenarios for them.

DDoS attacks, for example, have become a significant and escalating threat for businesses. They have grown dramatically over the last several years in frequency, volume and sophistication. Attacks may originate from inside or outside of the corporate network. A recent survey report from Prolexic, a US-based DDoS mitigation service provider, estimated that about 89 percent of DDoS attack traffic in the second quarter of 2014 was directed at infrastructure, much of it targeting telecom and service provider router infrastructure and using Layer 3 and Layer 4 protocols, with the remaining 11 percent targeting applications.

To defend against DDoS attacks, especially infrastructure attacks, service providers need solutions that can scale to handle large volumes of DDoS traffic. Security appliances that use specialized processors to detect and mitigate DDoS attacks can give service providers the performance they need to block massive attacks.

At the same time, any deployment of mobile devices by an operator can present a significant amount of risk. The wireless networks on which mobile devices run outside of an operator’s subscriber network can leave information at risk of interception. The theft or loss of a device can be detrimental for the business, resulting in loss of sensitive or proprietary corporate information.

What Is Your Best Security Containment Strategy?

How can large enterprises and service providers cope with growing security threats? While they are becoming more and more reliant on the uptime of Internet-connected services, many are finding that legacy security solutions such as firewalls and intrusion prevention systems (IPS) lack the capacity to mitigate today's multi-vector DDoS attacks at scale, as those attacks grow in number and sophistication.

Recent DDoS attacks can overwhelm lower-performing network devices and leave network infrastructure and applications exposed to downtime and further threats. To stay resilient, enterprises and service providers need security and processing hardware that lets them keep delivering full system functionality while under volumetric attack, without degrading system performance.

In addition, a robust security solution that can readily integrate with their existing IT infrastructure is required to protect against DDoS attacks. This can include a feature set for traffic management to ensure high availability and selective delivery of subscriber services. Together, these physical and virtual systems must ensure that network operators can also expand their network capacity, mitigate threats, and exert greater content control.

Scaling security devices and encrypted communications is a critical requirement as the network grows in complexity and size. Service providers can build robust Layer 7 safeguards by using products that offer agile defense mechanisms against more subtle attacks such as Slowloris and Tor's Hammer, which exhaust application resources with traffic streams that look legitimate connection by connection.

As more new devices are added to the network, they need to be integrated into the operator's security system to meet policy and compliance requirements. TechTarget reports that new appliances today are capable of performing policy-based networking actions in hardware, such as implementing security functions like traffic management or cloud security policies, to protect the performance and availability of applications and ensure large customer-facing networks are free from disruption. Application delivery controllers (ADCs) and carrier-grade NATs (CGNs), for example, sit at the critical ingress to most networks and are a natural place to locate advanced security capabilities so threats can be stopped or mitigated before they enter the network.

Other measures that enterprises and network operators can take to strengthen their network defense include adopting multiple complementary approaches to security enforcement at various points in the network, therefore removing single points of security failure; incorporating people and processes in network security planning; employing security policies, security awareness training and policy enforcement; and maintaining the integrity of the network, servers and clients by ensuring the operating system of every network device is protected against attack by disabling unused services.

As enterprise and service provider networks evolve, ensuring security will become a compulsory IT requirement – and not a ‘nice-to-have’. Security breaches span access, infrastructure and applications across every industry. They can happen on both fixed and mobile networks and destroy your physical, intellectual and financial capital. Any downtime resulting from breaches on the network can have a devastating impact on your customer’s experience, your brand reputation, and ultimately your revenue and sustainability of your business.

James Wong is the Managing Director, South Asia, A10 Networks

Source: http://www.networksasia.net/article/ensuring-security-your-it-transformation.1424138223

A sophisticated distributed denial-of-service (DDoS) attack blocked Dutch government and privately run commercial sites from the public for more than 10 hours Tuesday.

The ministry of General Affairs, the National Cyber Security Center (NCSC), website hosting company Prolocation and services provider Centric are working to determine the specific methods used in the attack and who was behind it.

The attack, which started at 9:45 a.m. local time, was difficult to deflect because the attack patterns changed regularly, said Prolocation’s director, Raymond Dijkxhoorn. The attack was different from the usual DDoS attempts that happen on an almost daily basis and are easier to defend against, he said.

“It is the first time that we couldn’t deal with it,” Dijkxhoorn said.

The attack targeted the sites of the federal government directly, but also caused other sites that were hosted on the same network to go down, Dijkxhoorn said. Blog site Geenstijl.nl and telecom provider Telfort’s site were among those blocked in the attack.

A few of the sites on the network used DDoS-deflecting services from providers like Cloudflare, Dijkxhoorn noted. But unless all clients on a network are able to ward off a DDoS attack, there is a risk for other sites on that network, he said.

Geenstijl, for instance, uses Cloudflare, which will usually allow traffic to reach the site’s server when a DDoS attack targets the site. However, Geenstijl’s server can still become unreachable as a result of a DDoS attack aimed at other sites on the network that don’t have such protection, Dijkxhoorn said. The Dutch government did not use such external DDoS protection services, he said.

The DDoS attack consisted of a mix of methods used alternately, according to Dijkxhoorn. Though Prolocation has experience with DDoS attacks, this was the first time they encountered this strategy, he said. He declined to provide more details about the attacks, since he has agreed with the NCSC not to do so until the investigation is finished.

The NCSC and Centric both declined to comment on details of the attack, pending the investigation.

Prolocation, however, has discussed the incident with engineers at Prolexic and Akamai, who say they have seen similar methods used in DDoS attacks in other places around the world.

Sites hosted on the same IP block can go down as collateral damage when one site is the focus of the attack, confirmed Akamai’s manager for Belgium, the Netherlands and Luxembourg, Hans Nipshagen. If the government sites had used external DDoS filtering services, the network might have stayed up, he said.

While it was difficult to tell from the outside the exact methods used against the government sites, the DDoS attack seems to have been large-scale, employing a vast amount of traffic, Nipshagen said. Some big DDoS attacks use multiple vectors to deliver large bandwidth-consuming packets at an extremely high rate of speed, swarming target sites, according to an Akamai report. These incidents have been fueled by the increased availability of attack toolkits with easy-to-use interfaces as well as a growing DDoS-for-hire criminal industry, Akamai said.

Source: http://www.techworld.com.au/article/566111/ddos-attack-takes-dutch-government-sites-offline-10-hours/

In recent years, DDoS (distributed denial-of-service) attacks have been increasing in frequency, resulting in companies of every size being targeted, including major organisations like Google, Visa, PayPal, Sony, Deezer, and Evernote.

Many experts say the traditional methods of prevention and mitigation have become less effective, but could SAVI help? Here we look at what DDoS attacks are, and what can be done to minimise their impact.

What are DDoS attacks?

A DDoS attack is essentially an attempt to make a website or online service unavailable to users. There are a number of different methods to execute a DDoS attack, but one of the most common is sending so many requests that a server is overloaded, and unable to respond to legitimate requests. Anyone visiting the website or service will either not be able to access it at all, or have a very limited experience, and that can obviously have a big impact on a business.

Organisations of all sizes are targeted. For example, millions of PlayStation gamers were affected by DDoS attacks on Sony’s PlayStation Network (PSN) on several occasions last year. This meant that gamers couldn’t use a service that they had paid for, leaving them very frustrated, and resulting in Sony losing revenue.

It’s worth noting that it’s not just the immediate impact that can do damage – there may be ongoing reputational harm if the company is perceived as being unable to provide people with a stable and reliable experience. No-one wants to rely on a service which may or may not be available at any given time.

Protecting your company

Source Address Validation Improvement (SAVI) is one way to reduce your exposure to these threats. Spoofed floods and reflection attacks exploit the fact that IP has no mechanism for authenticating a packet's source: a packet simply claims to originate from a given address, and nothing in the protocol lets the receiver verify that the host that sent it is telling the truth.

SAVI was developed by the Internet Engineering Task Force (IETF) to stop that spoofing where it starts (RFC 7039 describes the framework). A SAVI-capable switch binds each IP address to the port and host that legitimately acquired it, for example by snooping DHCP assignments, and discards packets whose source address does not match the binding. This stops nodes attached to the same IP link from spoofing each other's addresses and complements ingress filtering at the network edge (BCP 38) with standardised, per-host source address validation. The caveat is that SAVI and ingress filtering protect others from hosts on your network; they do not shield you from spoofed traffic sent by networks that have not deployed them.
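The two checks described above, a SAVI binding table on the access switch and ingress filtering at the router upstream of it, can be demonstrated together. The following is an added example and not code from the TechRadar article or from any IETF or vendor implementation: the binding table is the DHCP-snooping flavour of SAVI (a binding is learned from a DHCPACK and expires with the lease), and the router check is strict unicast reverse-path forwarding, the usual way BCP 38 is enforced. The port names, prefixes, lease times and DHCP events are constructed for the example.

```python
"""Source address validation at two points: a SAVI binding table on the access
switch (the DHCP-snooping flavour) and strict uRPF ingress filtering (BCP 38)
at the router upstream of it.

Added example, not from the TechRadar article or any IETF implementation. Port
names, prefixes, lease times and the DHCP events in run_sample() are constructed.
"""
import ipaddress


class SaviBindingTable:
    """Learns which IP address may appear on which switch port from snooped DHCPACKs."""

    def __init__(self):
        self.lease_end = {}  # (port, ip) -> time the binding expires

    def on_dhcp_ack(self, port, ip, now, lease_seconds):
        self.lease_end[(port, ipaddress.ip_address(ip))] = now + lease_seconds

    def validate(self, port, src_ip, now):
        """Accept a frame only if its source IP is bound to the ingress port and unexpired."""
        key = (port, ipaddress.ip_address(src_ip))
        end = self.lease_end.get(key)
        if end is None:
            return False, "no-binding"
        if now > end:
            del self.lease_end[key]
            return False, "binding-expired"
        return True, "ok"


class Fib:
    """Longest-prefix-match table: prefix -> interface the prefix is reached through."""

    def __init__(self, routes):
        self.routes = sorted(
            ((ipaddress.ip_network(p), ifc) for p, ifc in routes),
            key=lambda r: r[0].prefixlen, reverse=True)

    def lookup(self, ip):
        addr = ipaddress.ip_address(ip)
        for net, ifc in self.routes:
            if addr in net:
                return ifc
        return None


def urpf_check(fib, src_ip, ingress_ifc, strict=True):
    """BCP 38 at the router: is this source address plausible on this interface?

    strict=True requires the route back to the source to point at the ingress
    interface; strict=False (loose mode) only requires that some route exists.
    """
    addr = ipaddress.ip_address(src_ip)
    if addr.is_loopback or addr.is_multicast or addr.is_unspecified:
        return False, "martian"
    ifc = fib.lookup(src_ip)
    if ifc is None:
        return False, "no-route"
    if strict and ifc != ingress_ifc:
        return False, "wrong-interface"
    return True, "ok"


def run_sample():
    """Constructed scenario; returns each check's outcome keyed by a short label."""
    out = {}
    savi = SaviBindingTable()
    savi.on_dhcp_ack("ge-0/0/1", "192.0.2.10", now=0, lease_seconds=3600)
    savi.on_dhcp_ack("ge-0/0/2", "192.0.2.11", now=0, lease_seconds=600)
    out["host-own-address"] = savi.validate("ge-0/0/1", "192.0.2.10", now=100)
    out["host-spoofs-neighbour"] = savi.validate("ge-0/0/2", "192.0.2.10", now=100)
    out["host-spoofs-outside"] = savi.validate("ge-0/0/1", "198.51.100.1", now=100)
    out["lease-expired"] = savi.validate("ge-0/0/2", "192.0.2.11", now=700)

    # The router behind the switch owns 192.0.2.0/24 on "lan" and defaults to "upstream".
    fib = Fib([("192.0.2.0/24", "lan"), ("0.0.0.0/0", "upstream")])
    out["inbound-normal"] = urpf_check(fib, "198.51.100.1", "upstream")
    out["inbound-spoofs-our-prefix"] = urpf_check(fib, "192.0.2.50", "upstream")
    out["outbound-spoofs-foreign"] = urpf_check(fib, "198.51.100.1", "lan")
    out["outbound-normal"] = urpf_check(fib, "192.0.2.10", "lan")
    out["martian"] = urpf_check(fib, "127.0.0.1", "upstream")
    return out


if __name__ == "__main__":
    for label, result in run_sample().items():
        print(f"{label:28s} {result}")
```

The switch-side check is what stops one host on the link impersonating its neighbour; the router-side check is what stops anything on the link impersonating an address from elsewhere, and it is also what catches inbound packets that claim to come from your own prefix. Strict mode is appropriate on access and customer-facing interfaces, where there is one path; on upstream links with asymmetric routing it would discard legitimate traffic, so loose mode is used there.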

In summary, businesses of all sizes should be aware of how their servers are protected against DDoS attacks, and what redundancies are in place in the event of an attack. If people are more aware of security issues and how to minimise their impact, the internet and the web will continue to be an incredible resource for everyone.

Source: http://www.techradar.com/news/world-of-tech/how-to-minimise-the-impact-of-ddos-attacks-on-your-business-1283432

While massive retail breaches dominated headlines in 2014, with hacks involving state-sponsored threats coming in a strong second, distributed denial-of-service (DDoS) attacks continued to increase, both in the volume of malicious traffic generated and the size of the organizations falling victim.

Recently, both the Sony PlayStation and Xbox Live gaming networks were taken down by Lizard Squad, a hacking group which is adding to the threat landscape by offering for sale a DDoS tool to launch attacks.

The Sony and Xbox takedowns proved that no matter how large the entity and network, they can be knocked offline. Even organizations with the proper resources in place to combat these attacks can fall victim. But looking ahead, how large could these attacks become?

According to the "Verisign Distributed Denial of Service Trends Report" covering the third quarter of 2014, the media and entertainment industries were the most targeted during the quarter, and the average attack size was 40 percent larger than in Q2.

A majority of these insidious attacks target the application layer, something the industry should be prepared to see more of in 2015, says Matthew Prince, CEO of CloudFlare, a website performance firm that battled a massive DDoS attack on Spamhaus early last year.

Of all the types of DDoS attacks, there's only one Prince describes as the "nastiest." And, according to the "DNS Security Survey," commissioned by security firm Cloudmark, more than 75 percent of companies in the U.S. and U.K. experienced at least one DNS attack. Which specific attack leads that category?

You guessed it. “What is by far the most evil of the attacks we’ve seen…[are] the rise of massive-scale DNS reflection attacks,” Prince said.

In a DNS reflection attack the attacker sends queries to open resolvers with the source address forged to be the victim's, so the much larger answers are delivered to the victim instead of the attacker. By using someone else's DNS infrastructure this way, these assaults put pressure on the DNS resolver networks that many websites depend on through their upstream Internet service providers (ISPs).
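The resolver-side defence against being abused this way is response rate limiting (RRL). The following is an added example, not code from SC Magazine, CloudFlare or any DNS server: it follows the RRL design used by BIND and other servers, counting identical responses per client prefix per second and, beyond the limit, "slipping" some of the excess as truncated responses rather than dropping everything. The limits, the /24 keying and the query stream are assumptions constructed for the example.

```python
"""Response Rate Limiting (RRL) on a DNS resolver, the usual server-side defence
against being used as a reflector.

Added example, not from SC Magazine, CloudFlare or any DNS server's code. The
algorithm follows the RRL design used by BIND and others; the parameters, the
/24 key granularity and the query stream in run_sample() are assumptions.
"""
import ipaddress
from collections import Counter


class ResponseRateLimiter:
    """Limit identical responses to one client prefix; 'slip' some excess as TC=1."""

    def __init__(self, responses_per_second=5, slip=2, prefix_len=24):
        self.rps, self.slip, self.prefix_len = responses_per_second, slip, prefix_len
        self.state = {}  # key -> [window_start, sent_in_window, excess_in_window]

    def _key(self, client_ip, qname, qtype):
        net = ipaddress.ip_network(f"{client_ip}/{self.prefix_len}", strict=False)
        return (net, qname.lower(), qtype)

    def decide(self, now, client_ip, qname, qtype):
        """'send' the full answer, 'slip' a truncated one (TC=1), or 'drop' it."""
        key = self._key(client_ip, qname, qtype)
        st = self.state.get(key)
        if st is None or now - st[0] >= 1.0:
            st = self.state[key] = [now, 0, 0]
        if st[1] < self.rps:
            st[1] += 1
            return "send"
        st[2] += 1
        # Every slip-th excess response goes out truncated. A real client retries
        # over TCP, which a forged source address can never complete, so the
        # reflection victim receives a tiny packet instead of an amplified answer.
        if self.slip and st[2] % self.slip == 0:
            return "slip"
        return "drop"


def run_sample():
    """Constructed stream: a spoofed ANY flood 'from' the victim, plus a normal client."""
    rrl = ResponseRateLimiter(responses_per_second=5, slip=2)
    victim, legit = "203.0.113.5", "198.51.100.20"
    verdicts = {victim: Counter(), legit: Counter()}
    # 100 identical large-answer queries inside one second, source address forged
    for i in range(100):
        verdicts[victim][rrl.decide(0.5 + i * 0.001, victim, "example.org", "ANY")] += 1
    # the normal client asks three different names in the same second
    for i, name in enumerate(["www.example.com", "mail.example.com", "example.net"]):
        verdicts[legit][rrl.decide(0.6 + i * 0.01, legit, name, "A")] += 1
    # the victim itself asks again a second later: the window has rolled over
    verdicts[victim][rrl.decide(2.0, victim, "example.org", "ANY")] += 1
    return {ip: dict(c) for ip, c in verdicts.items()}


if __name__ == "__main__":
    print(run_sample())
```

Keying on the client /24 rather than the single address keeps an attacker from evading the limit by rotating forged sources inside one prefix, and keying on the question keeps a busy but legitimate client's unrelated lookups unaffected. RRL limits the damage a resolver can do once it is being abused; it does not replace the two controls that prevent the abuse, which are not answering recursive queries from outside your own network and source address validation on the networks where the forged queries originate.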

Believing these attacks are assaults on their own network, many ISPs block sites in order to protect themselves, thus achieving the attacker’s goal, Prince said. By doing so “we effectively balkanize the internet.”

As a result, more and more of the resolvers themselves will be provided by large organizations, like Google, OpenDNS or others, says Prince.

That in itself could lead to an entirely different issue: Consolidating the internet.

Source: http://www.scmagazine.com/tidal-waves-of-spoofed-traffic-ddos-attacks/article/393059/