DDoS Protection Specialist Archive

Security firm Radware claims to have spotted evidence online that suggests hacktivist group Anonymous is gearing up to target denial-of-service attacks on the websites of British companies BT and GlaxoSmithKline during the Olympics, and maybe do much more.

The Radware Emergency Response Team has identified postings on Pastebin that suggest that Anonymous intends to attack London-based global network-services provider BT and pharmaceuticals and healthcare provider company GlaxoSmithKline (GSK). Both companies happen to have roles to play associated with the London-based Olympics — GSK is providing drug-testing and associated medical input, while BT is supporting numerous Olympics-related projects. Radware says its evidence is information posted by someone claiming to be tied to the shadowy group Anonymous.

Anonymous uses a few tools to attack its targets, and one of them is the High Orbit Ion Cannon (HOIC), a weapon that’s been out for about six months, says Carl Herberger, vice president of security solutions at Radware. He says there’s now attack information contained in what’s called a “HOIC booster” posted online and advertised as coming from Anonymous to attack both BT and GSK. He acknowledges, though, this “could be anybody.”

The HOIC tool provides you with the ability to use scripted code, Herberger says, noting it allows for opening up many connections from a single machine, and hence represents a more powerful attack tool than the older, known “Low Orbit Ion Cannon” attack tools, which couldn’t do this. The HOIC booster information that’s posted essentially represents something along the lines of “ordnance” that can be loaded into the HOIC to hit a target.

While the Pastebin information related to HOIC may in the end be of no consequence, Herberger says there were a series of attacks on sites in India in the past in which this type of information was posted in advance, and the attacks did occur. Radware is putting out this information in what it regards as an advance warning to help companies prepare.

Source: http://www.networkworld.com/news/2012/073012-anonymous-bt-gsk-261281.html

Next week is Black Hat — perhaps the world’s most significant and influential annual hacking conference. It’s an event that draws in the best and brightest (and sometimes, the borderline legal) hackers from around the world to show off the latest threats to our phones, laptops, PCs, Macs, tablets — and literally anything else with a digital heartbeat.

While it may not be as well-known as other ‘geek’ cons like CES or Comic-Con, what happens at Black Hat will eventually impact every consumer, business executive and government official in the U.S. In the last few years, the potential risks from hackers have reached epic proportions — from doomsday ‘worms’ that can physically destroy nuclear plants to ‘botnets’ that enslave millions of home PCs each year, leading to millions of dollars in credit card theft and other financial identity crimes.

Back in 1997, when Black Hat was founded, the average person could be excused for not paying attention to what was happening in the hacker underground. But today, when all of us depend on the Internet and technology devices to bank, buy, work and live, and the groups attacking us have evolved dramatically (Russian cyber crime gangs, Anonymous and other hacktivists, Chinese government sponsored hackers, etc.), there is simply no excuse to remain uninformed.

It’s time for everyone to learn about hacking threats.

But one of the first hurdles most people face is the language. What’s ‘smishing?’ or ‘0-days?’ or ‘clickjacking?’

The first step is to learn how to speak hacker — then the concepts really aren’t that hard to understand, and it’s possible to keep up with the latest threats and protect yourself.

Here is a simple hacker-decoder:

Virus, Worm, Trojan, Malware — What’s the Difference?

When news reports come out about a new computer threat, they often call it a ‘virus.’ But much of the time, that isn’t correct. In fact, most of the computer infections we see today aren’t viruses at all — viruses are somewhat ‘old school’ in the hacking world. It’s important to understand that there are several different types of infections that can target you — knowing the difference between them can better help you to stay safe.

A ‘virus’ is the oldest type of computer infection. It is a malicious computer program that is often hidden inside a seemingly legitimate email attachment. The good thing about a virus is that it can’t work unless the victim interacts with the file it’s in — either by clicking or downloading it. Once inside a computer, it will try to reproduce itself and infect other parts of the computer or network.

A ‘worm’ is different than a virus: it doesn’t require user interaction, so even if you don’t click on an infected file, the worm can still infect your computer. Worms are designed to spread, and spread fast — once they’re in, they typically try to install a ‘backdoor’ in the computer or cause it to shut down.

A ‘Trojan’ is another infection that was named after the Trojan horse in the Odyssey. It looks like something you want, but conceals an attack. Trojans are often hidden in file attachments, like Word docs, Excel, PDF, even a computer game. Once a computer is infected, a Trojan gives the hacker remote access to your computer — this lets him spy on your online activities, capture email and account passwords.

And ‘malware’ refers to it all — viruses, worms, Trojans, and other nasty things like adware, spyware and rootkits. So if you want to use a general term for a computer infection, malware is technically correct instead of virus.

Types of Hackers

There are three types of hackers: the ‘white hat,’ ‘black hat,’ and ‘gray hat.’

The white hat is the good guy — he or she is a professional in the security field who hacks products, services and companies, with their permission, in order to figure out how to better protect them. White hats are also called ‘ethical hackers,’ ‘penetration testers’ or ‘offensive security’ professionals. A black hat is someone who breaks into a computer network with malicious intent. A gray hat is one who bounces between good and evil in his or her hacking prowess — think of him as Luke from Star Wars: he wants to be with the force, but Darth Vader keeps calling him to the dark side.

Common Attacks

So how do hackers get all this bad stuff onto our computers? Here are the most common types of attacks they use to infect us with viruses, worms, Trojans and other malware:

Phishing

Ever get a fake email claiming to be from a bank or a Nigerian prince? This is phishing. It’s a fake email that often appears to be from a legitimate source, like the IRS, a bank, a former employer, friend, etc. The goal of the email is to get you to click or download something that will infect your computer; or trick you into giving up information, like your Social Security Number. When a phishing email appears to come from a real email address (like IRS.gov, or the actual email of an old friend), that’s called ‘spoofing.’ Phishing isn’t only done via email — today, it’s also sent via text message (‘smishing’) and social networks like Facebook. Most of the time, phishers send out these fake emails to hundreds or thousands of people, and they’re easy to spot — but sometimes, they go after one person in particular and use personal information gathered from Facebook or other social networks to make it seem like they know you. This is called ‘spear-phishing.’

Social Engineering

This is the old-fashioned con game. It refers to a criminal who’s able to trick or persuade a person to do something they shouldn’t — like give a network password to a person claiming to be from the IT department; or granting a person supposedly from ‘Microsoft’s security team’ permission to remotely access a computer they claim is infected. Social engineering is often done in a phone call, but it can also be done in person, via email or social networks.

Internet-based Attacks

Most people tend to think that they won’t get infected unless they open a virus-laden attachment in an email. But the truth is, you can get infected just by going on Facebook or visiting the New York Times website. Hackers today can target people directly through the Internet browser (Internet Explorer, Firefox, Chrome, Safari), even if the browser is fully patched and up to date. How does it work? Hackers write special programs which they insert into websites — it could be a sketchy website, legitimate website, social network site, blog, forum, comment feed, etc. On some of these sites, the website itself is infected — think of a blog or questionable website, such as pornography. Once you visit the website, it hits you with a ‘cross-site scripting’ (or XSS) attack which will then try to steal any cookies or passwords saved in your browser. This allows the hacker to gain access to your accounts.

Another attack that is similar to XSS is ‘clickjacking.’ The difference, however, is that the website itself isn’t infected — instead the hack attack is hidden inside something such as a ‘Like’ button in a Facebook message chain or the play button on a movie. When the user clicks on that button, she is ‘clickjacked,’ because the hidden program is what is actually activated.

Another trick hackers use is the ‘drive-by download.’ These are most common with pop-up ads, anti-virus warnings or even an email. The computer is infected when you click to cancel the pop-up or click ‘accept’ or ‘deny’ on the anti-virus ads. With emails, a drive-by download can happen just by viewing the message. Sometimes legitimate-looking ads on legitimate websites can launch a drive-by attack. When this happens, it’s called ‘malvertising.’
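The two browser attacks described above each have a server-side header defence: a cookie marked HttpOnly cannot be read by script injected through XSS, and a page that sends X-Frame-Options or a CSP frame-ancestors directive cannot be loaded inside a hidden frame for clickjacking. The checker below is an added example, not code from the article; it parses a constructed response header block (not captured from any real site) and reports which of those defences are missing. The header names are the real ones; the two sample responses and the function names are assumptions made for this example.

```python
"""Audit an HTTP response header block for the browser-side defences that
blunt the attacks above: cookie theft via XSS (HttpOnly/Secure flags) and
clickjacking (X-Frame-Options or CSP frame-ancestors).
Added example; the sample responses below are constructed, not captured."""


def parse_headers(raw):
    """Turn a raw header block into (name, value) pairs. The status line has
    no colon and is skipped; repeated headers such as Set-Cookie are kept."""
    pairs = []
    for line in raw.strip().splitlines():
        if ":" not in line:
            continue
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def cookie_findings(headers):
    """One finding per cookie that lacks HttpOnly (script-readable, so an
    XSS payload can exfiltrate it) or Secure (sent over plain HTTP)."""
    findings = []
    for name, value in headers:
        if name != "set-cookie":
            continue
        cookie_name = value.split("=", 1)[0].strip()
        attrs = {a.strip().split("=", 1)[0].lower() for a in value.split(";")[1:]}
        if "httponly" not in attrs:
            findings.append(f"cookie {cookie_name}: missing HttpOnly (readable by injected script)")
        if "secure" not in attrs:
            findings.append(f"cookie {cookie_name}: missing Secure (sent over plain HTTP)")
    return findings


def framing_findings(headers):
    """Empty if the page forbids framing by either mechanism; otherwise a
    finding that the page can be embedded in a hidden frame (clickjacking)."""
    hdr = dict(headers)  # last value wins; fine for these single-valued headers
    xfo = hdr.get("x-frame-options", "").upper()
    csp = hdr.get("content-security-policy", "")
    has_frame_ancestors = any(
        d.strip().lower().startswith("frame-ancestors") for d in csp.split(";")
    )
    if xfo in ("DENY", "SAMEORIGIN") or has_frame_ancestors:
        return []
    return ["no X-Frame-Options or CSP frame-ancestors: page can be framed for clickjacking"]


def audit(raw):
    """All findings for one response header block, in a stable order."""
    headers = parse_headers(raw)
    return cookie_findings(headers) + framing_findings(headers)


# Constructed sample responses (assumptions for this example, not real sites).
WEAK_RESPONSE = """\
HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: session=abc123; Path=/
"""

HARDENED_RESPONSE = """\
HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax
X-Frame-Options: DENY
Content-Security-Policy: default-src 'self'; frame-ancestors 'none'
"""

if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit(resp) or ["no findings"])
```

HttpOnly does not stop XSS itself; it only keeps the session cookie out of reach of whatever script does run, which is why the check treats it as a containment measure rather than a fix. Both framing headers are accepted because older browsers honour only X-Frame-Options while current ones prefer frame-ancestors.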

Wi-Fi Attack

In the majority of cases, when you log on to a public Wi-Fi hotspot — at Starbucks, the airport, hotel or even a municipal hotspot — your computer is at risk of a ‘man-in-the-middle’ attack (or ‘MITM’). This is an attack in which the hacker sits between you and the Internet, essentially. Because the network is open to anyone, he can use special tools to find other people who are using the same network — and then intercept their computer’s signal. This allows him to see everything you do, in real time. He can steal passwords and even force your computer to go to a bad site without your knowledge.

Real-Life Zombies

Everyone should know what a ‘botnet’ is, because there’s a one in four chance your home PC is already part of one. A botnet is a collection of ‘zombie computers’ — these are computers that have been infected with worms or Trojans and allow a hacker to remotely control them. They’re called zombies because they’re now a slave to this hacker. When a hacker controls a lot of zombies, i.e., a botnet, he can then sell them to other cyber criminals who want to steal personal identities, or he can rent them out to hackers who want to attack another computer network — like Anonymous’ attacks on the CIA, Visa and others. When hackers use botnets to shut down another computer, it’s called a ‘denial-of-service’ (DoS) or ‘distributed-denial-of-service’ (DDoS) attack. A DoS or DDoS basically involves using all of these computers — typically in the thousands — to flood another computer with so many data requests that the computer network crashes. The FBI is now targeting botnets and will shut them down — which can disable your Internet access if it’s part of one.

Hacker Tools

Hackers favor a few different types of computer tools in order to launch their attacks. It’s helpful to know what they are:

‘Zero-day,’ or ‘0-day’

This is a flaw in a software program or an actual device that doesn’t yet have a fix. In many cases, the company (like Microsoft, Apple, Firefox, etc.) doesn’t even know the flaw exists. Events like Black Hat are a great way to make companies aware that they have flaws. For consumers, there’s nothing you can do to avoid a 0-day attack — except to not use the product, pray, or both.

Crimeware

Hacking is a multi-billion dollar industry these days, and it’s grown so sophisticated that skilled hackers will actually sell hacking programs to other criminals. This is called crimeware — any type of malicious program that is sold on the black market. A good example is phishing email — those fake IRS emails that look like they really came from the IRS? Yep, that’s crimeware.

Carding

Hackers also go to special underground forums known as ‘carding’ sites to swap, sell and buy other people’s credit card information. Most of these credit cards were previously stolen through Trojans and keyloggers.

TOR

This is a popular program that lets you become anonymous on the Web. Ever see a crime movie where the FBI can’t trace the call? TOR is like that for the Web — it hides your IP address (think of this as a computer’s phone number) so no one can tell who is visiting a certain website or launching an attack. It’s like calling from someone else’s phone, a hundred times over.

Sniffer

A tool hackers use to ‘sniff’ or intercept Internet or Web traffic, for instance, on a public Wi-Fi hotspot. One of the most notorious ‘sniffers’ is Firesheep.

‘Fuzzing’

‘Fuzzing’ is a tactic hackers use to figure out where a Web application is vulnerable. The fuzzer will bombard the computer program with bizarre or random computer requests that will eventually cause the program or computer to make a mistake or crash — and that tips off the hacker as to where it is weak.

Hacker Insults

It also helps to know some of the derogatory terms that are often used online.

‘Noob,’ or ‘n00b’

A newbie, someone who’s an amateur or uninformed. If you’re reading this article, you’re a n00b.

‘Script Kiddie’

If you’re a ‘script kiddie,’ you’re a poser, essentially. A script kiddie is someone who isn’t very skilled at hacking, but thinks they are – or tries to pretend they are. It’s a step above a n00b.

‘Owned,’ ‘Pwned’

Getting owned or ‘pwned’ (pronounced: pOWNed) basically means getting hacked. It can also refer to having your computer ‘backdoored’ by a Trojan or worm, or simply losing an argument in an online forum.

‘Doxing’

You definitely don’t want to get ‘doxed.’ This is what hacktivist groups like Anonymous made famous in 2010 and 2011. Doxing is when you gather sensitive, personally revealing information about someone — it could be their true identity, where they live, family, personal emails, etc. What can follow doxing is a ‘dump.’ That’s when all that sensitive or embarrassing information is posted online, on a site such as Pastebin.com.

Computer technology and hacking aren’t as complicated as many think. By understanding the basics, you can learn how to protect yourself online.

Source: http://www.huffingtonpost.com/michael-gregg/how-to-speak-hacker_b_1690465.html


Previous characterizations of activist DDOS campaigns have traditionally fallen into one of two camps: those that unilaterally condemn activist DDOS campaigns as bullying and censorship, and those that align such actions with IRL sit-ins.  Neither of these characterizations, however, can be applied to the entire landscape of activist DDOS campaigns as a whole. Rather, each campaign must be examined individually before a judgement can be made regarding its validity as a protest action.  DDOS as a tool cannot be wholly condemned or lauded without its surrounding context.

In this talk, I’ll be examining those previous characterizations, and looking at different DDOS campaigns that do and do not fit those models.  Next I’ll be outlining the current state of play of activist DDOS.  Finally I’ll be presenting a new analytical model for looking at activist DDOS campaigns, and presenting an analysis of the December 2010 Operation PayBack DDOS campaign against PayPal.  Also, to reward all you fine people for coming out so late for this talk, there will be lots of pictures of cats.



The “censorship” characterization of activist DDOS as espoused by folks like Oxblood Ruffin from the Cult of the Dead Cow and others, claims that DDOS is equivalent to “shouting down” an opponent in a public forum, and that DDOS attacks deny individuals and organizations their rights to free speech.  In some but not all cases, this is a valid criticism, but before such a characterization can be made, we need to look at the motivation and intended effect of an action, the actual effects of the action and the technology used.

In July of 1997, a large scale DDOS attack was launched against the Institute for Global Communications (IGC), a non-profit internet service provider. The number of participants and the original organizers of the campaign are not known.

The attack was part of a wide spread public campaign to pressure the ISP to remove the website of the Basque publication Euskal Herria Journal, which was thought to have ties to the militant group, ETA.

The campaign was a combination of mailbombing and network-based DDOS attacks.  This was a populist-minded action; at one point, the major Spanish newspaper El Pais threw its support behind the mailbombing campaign and published target email addresses for the IGC in its digital edition, though it later retracted its support and removed the addresses from its website.

The IGC’s servers were knocked offline, rendering inaccessible the websites and email of over 13,000 subscribers.  While the IGC did eventually remove the Euskal Herria Journal’s content from its servers, it replaced it with a statement decrying what it saw as vigilante censorship on the internet, and was supported in its arguments by groups like NetAction, Computer Professionals for Social Responsibility, and the Association for Progressive Communications.

The goal of the IGC action was to force IGC to remove the Euskal Herria Journal’s website from its servers.  This was an objection to content being available on the internet. For as long as it was successfully running, the DDOS attack rendered that content unavailable to the internet.  So in actual effect, the IGC action was not so much a protest as it was the will of one group being forced on another.  “If you don’t take it down, we’ll take it down for you.”  No public debate was sought, and most of the publicity associated with the campaign revolved around recruiting participants, not articulating grievances.  The goal of the DDOS action was a permanent imposition of its immediate effects.  While DDOS actions are often condemned for being as good as censorship, the goal of the IGC action was censorship, and in the end, the condemnation it suffered was as much for its goal as for its tactics.  However, where the “censorship” condemnation falls short is in its assigning equal value to any potential target on the web.  The IGC attack targeted politically vulnerable speech online, and obliterated the Euskal Herria Journal’s ability to reach its audience and crippled the IGC’s ability to perform its professional function.  However, targeting the website of a large corporation or government agency often has little effect on the actual operations of that entity or its ability to communicate with the public through media appearances and press releases. It would be absurd to declare an ethical equivalency between seeking to silence content entirely, which is reprehensible, and the relative inconvenience suffered by large corporations whose online posters have briefly been torn down (to paraphrase XKCD).


The “electronic sit in” characterization was first clearly articulated by the Critical Art Ensemble, a performance art/activism collective in their essay “Electronic Civil Disobedience.”  There, they drew an equality between the monopolization of resources that takes place during an IRL sit-in, and the monopolization of resources which occurs on the technological level during a DDOS campaign.  This characterization draws heavily on the history of sit-ins in social movements for much of its validity.

In 2001, the Electronic Disturbance Theater, a spin-off of the Critical Art Ensemble, launched a campaign called the “Deportation Class Action.” Estimates put the number of participants at around 13,000, recruited primarily through activist and performance art mailing lists and websites.

The goal of the action was to draw public attention to the German government’s use of the airline’s flights to deport immigrants, and through that public pressure change Lufthansa’s behavior as a corporation.  The online action was powered by FloodNet, a browser-based DDOS tool developed by the EDT in 1998.  The tool allowed users to participate in pre-planned DDOS campaigns, but required that users take the positive steps of navigating to the FloodNet page and choosing to participate in the action.  The FloodNet action was augmented by press releases and protests at Lufthansa stockholder meetings.

The action did result in some downtime for the Lufthansa homepage.  Shortly after the action, Lufthansa stopped allowing the German government to use its flights to deport immigrants.

The Lufthansa action resulted in the arrest and trial of Andreas-Thomas Vogel, who had run a website, libertad.de, which posted a call to action for the Lufthansa protest.  A lower court in Frankfurt initially found Vogel guilty of using force against Lufthansa, based on the economic losses the airline had suffered during the campaign.  Upon appeal, however, a higher court overturned the verdict, finding, “…the online demonstration did not constitute a show of force but was intended to influence public opinion.”

The stated goal of the Lufthansa action was to draw public attention to a specific aspect of the airline’s business, and through that attention change its behavior.  Though the DDOS attack took place on the internet, the effect it sought to have was not limited to, was not even present in, the online realm.  It is important to note that, in and of itself, the DDOS attack could not have achieved what the EDT and Vogel set out to accomplish.  They set out to change the behavior of a corporation.  It took positive action on the part of Lufthansa for that to happen.  It could not be accomplished by fiat by activists on the outside.  One of the benefits of the “electronic sit in” characterization is that it references a tactic with a very visible history: most people already know what a sit-in looks like.  The comparison holds up provided the technology used remains heavily reliant on individual agency, with participants either using manual DDOS tools like FloodNet or participating in strictly voluntary botnets.  The use of sophisticated traffic multipliers, exploits or non-voluntary botnets complicates the situation enormously, and can make the use of this characterization seem overly simplistic and self-congratulatory.



The primary goals of many popular DDOS campaigns, or those which actively seek the participation of large numbers of people, are to direct media coverage, and to impact the identity of those participating in the action.  Like the Lufthansa campaign, these actions ultimately seek societal and policy changes that cannot be achieved simply by taking down a website.  Rather, the goal is to attract significant attention to a set of issues, and to cultivate a population that considers themselves activists, and who can be called on to participate in future actions.


It is much more difficult now than it was in 1997 or 2001 to bring down a corporate site through the power of individual activists alone.  Traffic multipliers and non-volunteer botnets can give all-volunteer efforts the boost needed to bring down a large site, but those tactics have the potential to delegitimize activist DDOS in the eyes of the media, policy makers, and participants.


The Electronic Disturbance Theater primarily spread word of its actions via activism and performance art centered email lists and message boards.  As a result, their participants were, more often than not, experienced activists well versed in the practices and risks of on-the-streets activism.  While they may have had an incomplete understanding of the online space they were moving to, it is safe to assume that they had an understanding of the legal risks often associated with acts of civil disobedience.  As the Electronic Disturbance Theater was primarily engaged in drawing an explicit linkage between traditional forms of civil disobedience and digital actions like DDOS attacks, they were also aware, by association, of the illegal nature of the acts they were undertaking and the risks they were exposed to.

This has not necessarily been the case with more recent DDOS campaigns.  Activism-minded individuals have come onto the scene with little activism experience, either IRL or digital.  Their tactics are often innovative and interesting, but they lack a core awareness of the basic risks they are exposing themselves to.  The media attention attracted by these actions attracts more neophytes to the cause, which is great for expanding the active population, but puts more pressure on those in leadership positions to educate newcomers.  The relative ease with which individuals can become involved, in a piecemeal fashion, with different campaigns also leads to high turnover in the active population, which makes things difficult for a political culture which is trying to establish its own internal norms and modes, as well as its legitimacy to outsiders.


Just in case there is any doubt, as of this talk, DDOS attacks remain illegal in most jurisdictions, including the United States, where it is a felony.  Participating in one remains a high risk activity, unlike many other activities associated with IRL activism, including street marches and sit-ins.  The onus to educate inexperienced participants about these risks falls to the organizers, as does the ethical quandary of whether or not these types of actions are, at this time, worth the legal risk.


Finally, there are shifting views as to what constitutes a “successful” DDOS campaign.  Many activists are moving away from a strict binary “website up/website down” conception of success to more nuanced views, like number of participants, number of participants who stick around for other campaigns or levels of media coverage.


So in order to take into account both the new developments in activist DDOS campaigns and to allow for an accurate analysis of the use of the tactic, I propose an analytical model. Rather than reacting based on an objection to DDOSes as a whole or comparisons to already existing activist tactics, this model looks at the motivations behind a campaign, its intended effects, its actual effects, and the technologies used before coming to a conclusion on the legitimacy of an activist action.

Using this model we can look at Anonymous’s December 2010 Operation PayBack DDOS campaign against PayPal and other sites in the same way that we looked at the campaigns analyzed earlier.

While Operation PayBack began as an opposition to the MPAA and other copyright organizations, December 6, 2010 marked the beginning of the second stage, sometimes known as Operation Avenge Assange.  These attacks were powered by the LOIC DDOS tool, volunteer botnets running through the LOIC Fucking Hivemind mode, and non-volunteer botnets.

This stage of the campaign targeted organizations and individuals Anonymous believed were acting against the interests of Wikileaks, either by cutting off its channels of financial support, refusing to provide hosting to the website and its domain name, or by speaking out against the organization publicly.  The overall goal was to draw attention to the ongoing banking blockade against Wikileaks, and to force media coverage of the issue.  Over the course of four days, Anonymous would launch DDOS attacks against the websites of the Swedish Prosecution Authority, EveryDNS, Senator Joseph Lieberman, MasterCard, two Swedish politicians, Visa, PayPal, and Amazon.com, forcing many of the sites to experience at least some amount of downtime.

The campaign led to massive amounts of media coverage, mostly of Anonymous itself, but also of the banking blockade and various other grievances publicized in Anonymous press releases and calls to action.  It brought extraordinary public attention to Anonymous, and with that many new participants.  It also led to the arrest of over a dozen participants in the United States, who were charged with felony violations of the Computer Fraud and Abuse Act, with more individuals being arrested internationally.  Others had their homes raided by the FBI and their possessions seized.

The December DDOS attacks of Operation Payback bear a far closer resemblance to the Electronic Disturbance Theater’s 2001 Lufthansa action than they do to the IGC attacks of 1997.  Though the diffuse, unorganized, and leaderless Anons bear a much closer resemblance to the participant population of the IGC attacks, made up as it was of individuals recruited through enthusiastic media coverage, disparate people coming together for a moment around one emotional issue, the motivation and actual effects of Operation Payback are far more akin to the Electronic Disturbance Theater’s push for popular attention and policy change.  A primary goal of Operation Avenge Assange was to bring widespread attention to the plight of Wikileaks, and in that it succeeded.  A secondary goal was to cause financial damage and embarrassment to the corporations targeted, but as stated above, bringing down a corporate webpage does not restrict that corporation’s ability to function.  Rather, the corporations targeted by Anonymous had caused more harm to Wikileaks’ ability to function by unilaterally cutting off its means of financial support and refusing to host it.  These actions in and of themselves constitute “denial of service” attacks in the most basic sense of the term.  The use of non-volunteer botnets to achieve downtime in the targeted servers is troubling, as is the lack of success in educating participants on the legal risks they were taking.  I feel that neither of these facts is troubling enough to completely delegitimize Operation PayBack as a reasonable act of civil protest, but they are mistakes that need to be learned from for future actions.


In conclusion, there are uses of DDOS that are more appropriate and acceptable in an activist context than others.  Not every DDOS attack that claims the activist label does so appropriately.  It is also possible to say that though the technological effects of one DDOS attack may be indistinguishable from another, the actual effects differ widely based on the circumstances and contexts of a given action.  Paradoxically, an attack on the homepage of a large corporation may draw a large amount of media attention, but have little immediate effect on the corporation itself, while an attack on a smaller, internet based organization may completely wipe it out while attracting no attention or criticism at all.

What may be considered censorship in one instance can be reasonably considered to not be censorship in another, though the technological facts remain the same.  When attempting to determine the validity of an activist DDOS action, or any contentious computer action, it is vital that we not privilege technological facts over the motivations and stated goals of the participants and the actual effects of the action.  To do so would ignore the fact that identical technological states can be arrived at under vastly differing circumstances, and ultimately devalues human agency in our dealings with technology.

Source: http://oddletters.com/2012/07/15/hope9-talk-activist-ddos-when-similes-and-metaphors-fail/

Botnet operators are changing their methods for conducting distributed denial of service (DDoS) attacks.

A customer study from security firm Prolexic found that over the last quarter, DDoS attacks used less bandwidth and took place over shorter durations of time. Additionally, botnet operators were more aggressive with the time they did spend, increasing packet-per-second volume by 63 per cent.

Researchers believe that the trend indicates a tendency for botnet operators to be more cautious with their attacks, conducting shorter operations in order to reduce the risk of detection and the possible loss of their networks.

“As perpetrators realise their DDoS attacks are being blocked by a mitigation provider, they are moving on to easier targets sooner than in the past,” the company said in the report.

Despite being more cautious in their activity, botnet herders showed no sign of letting up. The study found that DDoS attacks were on the rise across all sectors of the business space. The report found that the total number of reported attacks had doubled over the same period in 2011.

The survey found that attacks on the routing and transport layers of infrastructure components accounted for 81 per cent of attacks, while application layer attacks were down on the quarter.

Prolexic researchers believe that the trend indicates a growth in the popularity of DDoS attacks and easier management and infection tools.

“This indicates the technical barrier to entry has been significantly lowered for malicious actors who seek to participate in denial of service attacks through improved accessibility to no-cost and simple, yet powerful tools,” the company said.

Source: http://www.v3.co.uk/v3-uk/news/2191368/ddos-attacks-becoming-shorter-and-more-intense-as-botnet-operators-get-cautious

The scene outside the Supreme Court after the justices narrowly upheld the Affordable Care Act looked chaotic, yet the scene on the back end of SCOTUSblog wasn’t — due in part to some serious planning.

SCOTUSblog is a website dedicated to news and analysis of the Supreme Court of the United States, run as a separate business by the lawyers at Washington, D.C.-based law firm Goldstein and Russell. It averages about 30,000 hits a day, but in the months leading up to the court’s ruling on the Patient Protection and Affordable Care Act, it became clear that something would have to be done to support a huge amount of traffic.

The blog staff knew that they were in for traffic problems when page views spiked during oral argument in March. Over a three-day period, the site received more than a million hits, creating a slow experience for users that was punctuated by crashes during peak hours.

“We were just really, really struggling to serve that audience,” said Max Mallory, deputy manager of the blog.

Mallory, a self-described liberal arts type who learned IT on the fly after becoming deputy manager of the blog, said that the staff took stock of what they had and decided there was no way for them to rework it on their own. To accommodate the blog traffic they expected when they reported on the court’s decision, they would need to get outside help.

SCOTUSblog planned for huge traffic boost
Options on what to do ranged from completely redesigning the entire site to optimizing what they already had and adding more servers.

“There was tons of stuff being thrown around,” Mallory said.

The bloggers decided to bring in a team of developers who, over the course of the two months between the argument and the decision, reworked various aspects of the website. Mallory said they fixed JavaScript conflicts and plug-in issues, cleared out extraneous data, compressed the database and made cosmetic changes to the website that simplified loading.

Monday, June 18 was the earliest the court could have made its decision and served as the first testing day for the site’s changes. They decided to redirect traffic from the homepage to the live blog page, something they normally do on breaking news days. At one point, 40,000 simultaneous users were on the live blog, a fraction of what they expected on the big day, but it still revealed difficulties on the back end.

By Thursday, they had implemented a new plan — split the traffic between three servers. The main blog page would be hosted on Media Temple, the service they had been using all along. That page would redirect to a landing page that housed just the live blog, which would be hosted by WP Engine. Once those readers clicked to activate the live blog, that traffic would be hosted by third-party live blogging service CoverItLive.

In anticipation of a decision that still hadn’t come that day, traffic again spiked and the site stayed afloat, but still moved slowly. The WP Engine server handled the live blog page, but the Media Temple server was swamped by redirect requests.

“Friday morning I knew there was no way based on that performance we were going to be able to handle it,” Mallory said.

So Mallory reached out to Datagram, a server provider that handles hosting for some large blogs, and asked them to put him in touch with “the best optimizer of WordPress sites.” Datagram gave him the name of Andy LoCascio and his company, Sound Strategies. By the end of the day, LoCascio was in charge of rebuilding everything from the ground up.

After bringing LoCascio on board, the team learned all their work over the previous two months was essentially a waste.

“Literally everything that [could be] wrong was wrong,” Mallory said.

LoCascio’s team worked all day Friday and Saturday, adding a high-powered NGINX deployment on top of the Media Temple server, rewriting all Apache and MySQL configurations, fixing plug-ins and reworking caching. By Sunday, everything was finished.

Most court watchers expected the decision to come down on Monday. The blog surpassed its all-time traffic record by 2 p.m. and had more than 100,000 viewers on the live blog. Everything went well, but the big day had yet to come.

Finally, the media learned Thursday was going to be the day and the team was prepared to sit and wait. But on Tuesday evening they experienced a distributed denial of service (DDoS) attack, which left them scrambling to find a way to protect themselves from a nefarious attempt to crash the site.

They decided to eliminate the chain of servers at different companies and consolidate resources. The night before decision day, they set up four satellite servers off the main Media Temple server, each of which would host a cached version of the site that would be updated on a fixed, periodic schedule.
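As an added illustration of the satellite-cache pattern described above (this is not SCOTUSblog’s or Sound Strategies’ actual configuration; hostnames, paths and intervals are placeholders), here is an NGINX caching front end that refreshes its copy of the origin on a fixed interval and keeps serving the last good copy while the origin is busy or unreachable, with per-client limits so a single source cannot exhaust the worker pool:

```nginx
# Added example: one "satellite" cache in front of an origin server.
# Public, read-only content only: Set-Cookie is ignored so that pages are
# cacheable, which is unsafe for logged-in or personalised responses.

proxy_cache_path /var/cache/nginx/site levels=1:2 keys_zone=site:50m
                 max_size=2g inactive=30m use_temp_path=off;

# Per-client connection and request-rate limits (placeholder values).
limit_conn_zone $binary_remote_addr zone=perip:10m;
limit_req_zone  $binary_remote_addr zone=perip_req:10m rate=10r/s;

upstream origin {
    server origin.example.internal:80;   # placeholder: the main blog server
    keepalive 16;
}

server {
    listen 80;
    server_name satellite.example.com;   # placeholder

    limit_conn perip 20;
    limit_req  zone=perip_req burst=20 nodelay;

    location / {
        proxy_pass http://origin;
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        proxy_set_header Host $host;

        proxy_cache site;
        proxy_cache_key $scheme$host$request_uri;

        # Pin the refresh schedule to these values rather than origin headers.
        proxy_ignore_headers Cache-Control Expires Set-Cookie;
        proxy_cache_valid 200 301 302 60s;   # re-fetch good pages every 60 s
        proxy_cache_valid 404 10s;

        # On expiry, one request per URL goes to the origin; everyone else
        # gets the stale copy, also when the origin errors or times out.
        proxy_cache_lock on;
        proxy_cache_use_stale updating error timeout http_500 http_502 http_503 http_504;
        proxy_cache_background_update on;

        add_header X-Cache-Status $upstream_cache_status;
    }
}
```

With this in place the origin sees at most roughly one request per URL per refresh interval regardless of client load, and a surge or outage at the origin degrades to slightly stale pages rather than errors.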

Two more DDoS attacks came the morning of the decision, but neither worked. Then, the news they and their audience had been waiting for broke.

“Right at 10:03 a.m. Thursday, we were getting more than 1,000 requests every second,” Mallory said.

In the end, SCOTUSblog received 5.3 million page views with no crashes or lag time. Load time never climbed above one second and CPU usage never ventured above 1%, a vindication of the new design. The site previously operated around 60% to 80% CPU usage with a hundredth of the traffic.

Traffic has since subsided and is expected to fade as the court heads for its summer recess. Mallory said the system set up for the health care decision will be shut off for now, but added that he and his colleagues will be prepared for the next major Supreme Court decision.

Source: http://searchcloudapplications.techtarget.com/news/2240159201/SCOTUSblog-survives-major-traffic-spike