DDoS Protection Specialist Archive

Denial of service is on the rise. What can you do to respond?

Business in the West runs on the Internet, a fact your reporter is acutely aware of as he writes offline, the office having been plunged into the 1950s for reasons best known to the IT department.

That in mind, it is no surprise that web disruption has acquired a status formerly reserved for mass traffic jams or tree-wrenching storms, a fact illustrated by the speculation that followed Facebook going offline for a mere sixty minutes in January.

Though the social network eventually claimed the shutdown was planned maintenance, many took seriously the claim that Lizard Squad, a group of hackers known for shutting down video game networks, had brought one of Silicon Valley’s giants to a halt through a distributed-denial-of-service (DDoS) attack.

Whilst Lizard Squad’s prowess likely does not extend to such feats, the idea that a business could be paralysed by DDoS attacks is not so strange. The attack method, which involves flooding servers with traffic, is one of the easiest hacks to pull off – so much so that some purists do not even consider it to qualify as hacking.

Launching such an attack can be as simple as downloading a tool for your computer that effectively automates a page refresh on a website at high speed. More advanced versions require roping in other machines to create botnets (robot networks), with such services also available to rent for as little as a few pounds. So what can be done about them?

Hacking politics

“The primary purpose of a denial-of-service attack is to interfere with an organisation’s Internet activity,” says Chris Richter, SVP of managed security services at Level 3, a telecoms firm. “We see a lot of that happening with companies dependent on high speed transactions such as gaming or finance.”

According to Richter as much as three-quarters of these attacks fall into the realm of “hacktivism”, a form of political protest in which hackers disrupt a company or government’s operations to register their opposition to a given policy or practice – a common tactic among groups such as Anonymous.

More problematic are the “mixed” or “blended” attacks, which used DDoS as a distraction. Mike Langley, EMEA VP of Palo Alto Networks, a security vendor, says DDoS attacks can be just the start of a broader assault, which may leave firms open to devastating damage.

“DDoS attacks are how you cripple a company, then you utilise malware to break the perimeter and get where you want to go,” he says. “We’re certainly defending against DDoS attacks, but the reality of all these threats is it’s sophisticated malware and that’s getting past people’s perimeters.”

Blocking the threat

Langley adds that the CISOs he talks to tend not worry so much about the hacktivism, but rather how they can beat the cybercriminals before they have a chance to steal data or intellectual property.

It is in this vein Richter’s company Level 3 runs a “scrubbing” service, so called because it can wash traffic clean before the bad stuff has a chance to disrupt a website. It works by redirecting traffic away from the website for assessment, only passing on the legitimate visitors to the main site.

“We decided to build a DDoS mitigation service because wee scan so much of the world’s traffic,” he says. “We see about 70% of the world’s IP headers flowing across our routers. That gives us the ability to detect all of the malicious activity, including DDoS attacks.”

By analysing the NetFlow packets, which contain data on router traffic, Level 3 is able to tell which traffic is good or bad based on its origin, destination, volume and protocol. It has even devised an analytics program that can be taught what to look for.

This approach differs from Palo Alto’s solution, which relies on staple defences that most companies would be considering as part of a broader security programme. These include segmenting data, implementing systems that beat unpatched “zero day” flaws, blocking command and control (C&C) servers which send instructions to viruses, and limiting user privileges across a system.

“The nature of any malware is that it’s going to do something that’s not acceptable use,” Langley explains. Both firms plans are part of a broader initiative to detect strange behaviour, which is an increasing focus among security vendors.

Denial of future

Yet even as the defenders become smarter, the hackers are expanding their efforts to carry out DDoS attacks. Richter reports that his company has seen a rise in volumetric attacks, which launch thousands of bots at a given website, and also strikes levelled against web apps as opposed to websites.

“These [application attacks] are low and slow,” he says, adding that they involved crafted packets that target specific vulnerabilities and are primed to go off at a specific time. Such strikes will be harder to his firm to detect than the current batch, but no less damaging. Troubling times await.

Source: http://www.cbronline.com/news/security/how-to-protect-yourself-from-ddos-attacks-4527651

There’s a striking disparity between how threatened service providers feel by potential DDoS attacks and how prepared they are to mitigate one, according to a Black Lotus survey. The findings demonstrate that while almost all participants (92 percent) have some form of DDoS protection in place, it is insufficient to stop an attack before damage is done.


Most respondents incurred increased operational expenses due to DDoS attacks, with more than 35 percent of the providers surveyed indicating that they are hit with one or more attacks weekly. The respondents represented companies of all sizes, from small to large.

The largest group represented in the survey was small companies of one to 999 employees worldwide (52 percent of all companies surveyed), with organizations of fewer than 250 employees (20 percent) as the largest subgroup.

Among the findings were:

  • 61 percent of providers feel that DDoS is a threat to their businesses.
  • Only 16 percent of the providers surveyed indicated that they had been rarely or never hit by a DDoS attack.
  • The top three industries with customers affected by DDoS attacks are managed hosting solutions (MHS), voice over IP (VoIP) and platform as a service (PaaS).
  • In case of a DDoS attack, 34 percent of the surveyed providers remove the targeted customer, and 52 percent temporarily null route or block the problem customer.
  • 64 percent of PaaS providers have been impacted by DDoS.
  • 56 percent of MHS providers have been impacted by DDoS.
  • 52 percent of infrastructure as a service (IaaS) providers have been impacted by DDoS.

“DDoS attacks lasting hours or even minutes can lead to loss of revenue and customers, making DDoS protection no longer a luxury, but a necessity,” said Shawn Marck, CSO of Black Lotus. “DDoS attacks will continue to grow in scale and severity thanks to increasingly powerful (and readily available) attack tools, the multiple points of Internet vulnerability and increased dependence on the Internet. Enterprises have to move from thinking of DDoS as a possibility, to treating it as an eventuality.”

Source: http://www.net-security.org/secworld.php?id=18043

Gary Newe, systems engineer, F5 Networks, recommends taking 10 decisive actions when you come under DDoS attack

The frequency and size of Distributed Denial of Service (DDoS) attacks is ever-growing and continues to be a priority issue for many businesses. With the ongoing work to shut-down or neutralise botnets, a cyber-arms race has started with hactivists and other cyber criminals constantly searching for new ways in which to amplify attacks. As a result, DDoS attacks are increasingly common.

As the lines between the professional and social use of technology continue to blur, it is vital that we start to really recognise the significance of these attacks, how likely they are and how damaging they can be.

Scary and stressful

For the first-time DDoS victim, these attacks can be scary and stressful ordeals. That’s not surprising; poor network performance and website downtime can be massively costly for businesses, both in lost sales and consumer trust. It’s not all bad news though, as there are some steps that can be taken to mitigate the impact. Here, Gary Newe, systems engineer at F5 Networks , give his recommendations on action to take, should you experience an attack:

1. Verify that there is an attack – Rule out common causes of an outage, such as DNS misconfiguration, upstream routing issues and human error.

2. Contact your team leads – Gather the operations and applications team leads need to verify which areas are being attacked and to officially confirm the attack. Make sure everyone agrees on which areas are affected.

3. Triage your applications – Make triage decisions to keep your high-value apps alive. When you’re under an intense DDoS attack and you have limited resources, focus on protecting revenue generators.

4. Protect remote users – Keep your business running: Whitelist the IP addresses of trusted remote users that require access and mainlist this list. Populate the list throughout the network and with service providers as needed.

5. Classify the attack – What type of attach is it: Volumetric? Slow and low? Your service provider will tell you if the attack is solely volumetric and may already have taken remediation steps.

6. Evaluate source address mitigation options – For advanced attack vectors your service provider can’t mitigate/ determine the number of sources. Block small lists of attacking IP addresses at your firewall. Block larger attacks with geolocation.7. Mitigate application layer attacks – Identify the malicious traffic and whether it’s generated by a known attack tool. Specific application-layer attacks can be mitigated on a case-by-case basis with distinct countermeasures, which may be provided by your existing solutions.

8. Leverage your security perimeter – Still experiencing issues? You could be confronting an asymmetric layer 7 DDoS flood. Focus on your application-level defences: login walls, human detection, or Real Browser Enforcement.

9. Constrain Resources – If previous steps fail, simply constraining resources, like rate and connection limit is a last resort – it can turn away both good and bad traffic. Instead, you may want to disable or blackhole an application.

10. Manage public relations – If the attack becomes public, prepare a statement and notify internal staff. If industry policies allow it, be forthright and admit you’re being attacked. If not, cite technical challenges and advise staff to direct all inquiries to the PR manager.
It’s an unfortunate fact that the DDoS threat has never been greater and is likely to continue to grow. As ever, the best protection is to be prepared for whatever will get thrown at you and DDoS mitigation should be part of your preparation. It’s important to consider if your network is up to scratch to cope with unexpected loads and if it has the intelligence to identify legitimate traffic during peaks, before an attack hits.

Source: http://www.techweekeurope.co.uk/networks/mitigate-ddos-attack-real-time-162718

In the final quarter of 2014, the size of distributed denial-of-service (DDoS) attacks mitigated by Verisign had an average peak size of 7.39 Gbps, marking a 14 percent increase over the third quarter of 2014 (6.46 Gbps) and a 245 percent increase over the final quarter of 2013 (2.14 Gbps).

Those findings are a part of the ‘Verisign Distributed Denial-of-Service Trends Report’ for the fourth quarter of 2014, which includes observations on DDoS activity for the period beginning Oct. 1, 2014 and ending Dec. 31, 2014.

“In all, 42 percent of attacks leveraged more than 1 Gbps of attack traffic, which even today remains a significant amount of bandwidth for any network-dependent organization to over-provision for DDoS attacks,” the report revealed, adding 17 percent of attacks leveraged more than 10 Gbps of DDoS traffic.

In the fourth quarter of 2014, UDP amplification attacks leveraging Network Time Protocol (NTP) continued to be the most common DDoS attack vector, but Simple Service Discovery Protocol (SSDP) also continues to be exploited in amplification attacks, according to Verisign’s research.

For NTP amplification attacks, the report stated that “the solution can be as easy as restricting or rate-limiting NTP ports inbound/outbound to only the authenticated/known hosts.” With SSDP-based attacks, “SSDP implementations [for most organizations] do not need to be open to the Internet.”

Which industry was hit hardest by DDoS attacks in the fourth quarter of 2014?

Verisign saw IT services/cloud/Software as a Service (SaaS) customers experiencing the largest volume of attacks, with one customer experiencing the largest volumetric UDP-based DDoS attack in the final quarter of 2014, the report indicated.

“This was primarily an NTP reflection attack targeting port 443 and peaking at 60 Gbps and 16 Mpps,” the report states. “The attack persisted at the 60 Gbps rate for more than 24 hours, and serves as another example of how botnet capacity and attack sustainability can be more than some organizations can manage themselves.”

The media and entertainment industry was also a big target. One customer experienced the largest TCP-based attack – a SYN flood – of the quarter, according to the report, which explains that the attack targeted a custom gaming port and peaked at 55 Gbps and 60 Mpps.

Altogether, 33 percent of Verisign DDoS mitigations were for IT services/cloud/SaaS customers, 23 percent were for media and entertainment customers, 15 percent were for financial customers, 15 percent were for public sector customers, eight percent were for ecommerce/online advertising customers, and six percent were for telecommunications customers.

Public sector customers experienced the largest increase in attacks in quarter four of 2014, the report notes.

“Verisign believes the steep increase in the number of DDoS attacks levied at the public sector may be attributed to attackers’ increased use of DDoS attacks as tactics for politically motivated activism, or hacktivism, against various international governing organizations, and in reaction to various well-publicized events throughout the quarter, including protests in Hong Kong and Ferguson, MO,” the report states.

Source: http://www.scmagazine.com/report-shows-42-percent-of-attacks-leveraged-more-than-1-gbps-of-attack-traffic/article/399206/

With social networking, mobile devices and cloud computing solutions being used more pervasively, we will see a transformational change in how service providers and large organizations deploy and enable security in their revenue generating network infrastructure.

Recent security breaches, amongst even security conscious companies worldwide, have put an uncomfortable spotlight on corporate security and compliance measures. Security professionals and network administrators have to walk a fine line between enforcing application security against increasingly sophisticated cyber attacks, while also providing sufficient access for their corporate customers.

Service providers such as cloud providers, web hosting services, ISPs as well as large enterprises require an environment that is highly available and secure. Any failure to resolve prevailing security threats such as cyber intrusions and distributed denial of service (DDoS) attacks can present costly and complicated scenarios for them.

DDoS attacks, for example, have become a significant and escalating threat for businesses. They have dramatically grown over the last several years in frequency, volume and sophistication. Attacks may originate from inside or outside of the corporate network. A recent survey report from Prolexic, a US-based distributed DDoS mitigation service provider, estimated that about 89 percent of DDoS attack traffic in the second quarter of 2014 was directed at infrastructure, many targeting telecom and service provider router infrastructures and involving Layer 3 and 4 protocols, with the remaining 11 percent being attacks targeting applications.

To defend against DDoS attacks—especially infrastructure attacks–service providers need solutions that can scale to handle large volumes of DDoS traffic. Security appliances that use specialized processors to detect and mitigate DDoS attacks can provide service providers the performance they need to block massive attacks.

At the same time, any deployment of mobile devices by an operator can present a significant amount of risk. The wireless networks on which mobile devices run outside of an operator’s subscriber network can leave information at risk of interception. The theft or loss of a device can be detrimental for the business, resulting in loss of sensitive or proprietary corporate information.

What Is Your Best Security Containment Strategy?

How can large enterprises and service providers cope with growing security threats? While they are becoming more and more reliant on the uptime of Internet-connected services, many are finding that legacy security solutions such as firewalls and intrusion prevention systems (IPS) have insufficient capacity to mitigate today’s multi-vector DDoS attacks at scale, that are growing in number and sophistication.

Recent DDoS attacks can overwhelm lesser performing network devices and render network infrastructure and applications vulnerable to downtime and further threats. To stay resilient, enterprises and service providers need robust security and processing hardware functionality that allow them to continue to provide full system functionality even while simultaneously under volumetric attacks, without impacting system performance.

 In addition, a robust security solution that can readily integrate with their existing IT infrastructure is required to protect against DDoS attacks. This can include a feature set for traffic management to ensure high availability and selective delivery of subscriber services. Together, these physical and virtual systems must be able to ensure that network operators can also expand their network capacity, mitigate threats, and exert greater content control.Scaling security devices and encrypted communications is a critical requirement as the network grows in complexity and size. Service providers can build robust layer 7 safeguards by leveraging products that offer agile defense mechanisms against more subtle attacks such as Slowloris and Tor’s Hammer to protect against seemingly legitimate traffic streams exploiting application vulnerabilities.

As more new devices are added to the network, they need to be integrated into the operator’s security system to meet policy and compliance requirements. TechTarget reports that new appliances today are capable of performing policy-based networking actions in hardware such as the ability to implement security functions — like traffic management or cloud security policies – to protect the performance and availably of applications and ensure large customer-facing networks are free from disruption. ADCs and CGNS, for example, sit at the critical ingress to most networks and is a natural place to locate advanced security capabilities so threats can be stopped or mitigated before they can enter the network.

Other measures that enterprises and network operators can take to strengthen their network defense include adopting multiple complementary approaches to security enforcement at various points in the network, therefore removing single points of security failure; incorporating people and processes in network security planning; employing security policies, security awareness training and policy enforcement; and maintaining the integrity of the network, servers and clients by ensuring the operating system of every network device is protected against attack by disabling unused services.

As enterprise and service provider networks evolve, ensuring security will become a compulsory IT requirement – and not a ‘nice-to-have’. Security breaches span access, infrastructure and applications across every industry. They can happen on both fixed and mobile networks and destroy your physical, intellectual and financial capital. Any downtime resulting from breaches on the network can have a devastating impact on your customer’s experience, your brand reputation, and ultimately your revenue and sustainability of your business.

James Wong is the Managing Director, South Asia, A10 Networks

Source: http://www.networksasia.net/article/ensuring-security-your-it-transformation.1424138223