DDoS Protection Specialist Archive

Romania is among the top ten countries with the highest number of command-and-control (C&C) servers used in DDoS attacks, according to the Kaspersky Lab DDoS Q1 2019 report. A total of 2.89% of these servers are located in Romania, which places the country 9th in the world.

Most botnet C&C servers are located in the US (34.10%), followed by The Netherlands with a share of 12.72% and Russia with 10.40%.

The number of DDoS attacks increased by 84% in the first quarter of 2019 compared to the last quarter of 2018, according to Kaspersky Lab. There was a remarkable increase especially in the number of attacks lasting over an hour and the average duration of this type of attack, the same report shows.

“Last year, the number of DDoS attacks dropped continuously, prompting Kaspersky Lab’s experts to assume that cybercriminals who carried out DDoS attacks to get financial gains turned their attention to other sources of income (such as cryptocurrencies). However, first-quarter statistics contradict this trend and show that the number of DDoS attacks blocked by Kaspersky DDoS Protection increased by an astonishing 84% compared to Q4 2018,” Kaspersky Lab said in a press release.

The most visible growth was registered in the category of DDoS attacks lasting more than one hour. Their number doubled and the average duration increased by 487%. These numbers “confirm Kaspersky Lab’s hypothesis that hackers are improving their techniques and are able to launch longer-lasting attacks that are harder to organize.”

To remain protected from DDoS attacks, Kaspersky Lab recommends that organizations make sure web and IT resources can handle large volumes of traffic and use specialized solutions.

Source: https://www.romania-insider.com/romania-servers-ddos-attacks

Sudden surge suggests that new actors have stepped up to the plate to replace the old operators.

Distributed denial-of-service attacks (DDoS) — particularly those lasting more than an hour — increased sharply in number during the first quarter of this year over the prior quarter after declining steadily for most of 2018.

The unexpected resurgence suggests that new suppliers of DDoS services have quietly emerged to replace operators that were disrupted in a series of law enforcement actions last year, Kaspersky Lab said in a report summarizing DDoS activity in Q1 2019.

The security vendor’s analysis shows the number of DDoS attacks in Q1 to be some 84% higher than the number recorded in the last three months of 2018.

One significant trend that Kaspersky Lab notes is an overall increase in the number of attacks lasting one hour or longer. Over one in 10 (10.13%) of the DDoS attacks in Kaspersky Lab’s dataset lasted between five hours and nine hours, and another 9.37% lasted between 10 hours and 49 hours — or more than two days. Some 2% of the attacks were longer than 50 hours, with the longest one lasting 289 hours, or just over 12 days.

In total, the proportion of sustained attacks, or those lasting more than an hour, nearly doubled from 11% of the overall number of DDoS attacks in the last quarter of 2018 to 21% of the total in the first three months this year. Correspondingly, the number of short-duration DDoS attacks lasting less than four hours declined — from 83.34% in Q4 2018 to 78.66% this year.

Alexander Gutnikov, an analyst with Kaspersky Lab DDoS prevention service, says attackers are increasingly moving away from volumetric, high-bandwidth attacks at the network (L3) and transport (L4) layers because of the mitigations available for such attacks. Instead, they are turning to smarter DDoS attacks such as those that target the application layer.

“The main driver of the growth of smart DDoS attacks is a decrease in the effectiveness of volumetric attacks,” Gutnikov says. “Volumetric attacks have to be very powerful to significantly affect the stability of resources,” he adds. For vendors that provide dedicated DDoS mitigation services, the trend is not particularly new.

As has been the case for several years, a majority of DDoS attacks last quarter were SYN flood attacks. However, the number of SYN attacks as a percentage of the overall total of DDoS attacks jumped sharply from 58.1% in the last quarter of 2018 to over 84% in this year’s first quarter. Meanwhile, other types of DDoS attacks, such as UDP flooding and TCP flooding, showed a corresponding decrease.

HTTP flooding attacks targeting the Web application layer are still relatively rare. However, the number of such attacks appears to be growing. Kaspersky Lab analysis shows HTTP flood attacks increasing in number from 2.2% of the overall total in Q4 to 3.3% last quarter. “In terms of the ratio of effectiveness and cost of organization, application-level attacks, L7, are an optimal option for malefactors,” Gutnikov notes.

A Persistent Threat
Kaspersky Lab’s new report is the latest to highlight the continuing threat that DDoS attacks present to organizations despite some major wins for law enforcement against those behind such attacks.

Last April, for instance, European law enforcement agencies, in cooperation with their counterparts in other regions of the world, dismantled Webstresser, one of the largest sites for buying and selling DDoS services at the time, and announced the arrests of the operators and several clients of the illegal outfit.

More recently, the US Justice Department announced it had seized 15 websites offering similar DDoS-for-hire services and charged three individuals for their roles in the operation. In January, a Boston federal judge sentenced an individual convicted on charges of launching a DDoS attack on Boston Children’s Hospital to 10 years in prison.

The fact that the number of attacks increased last quarter all the same suggests that new actors have stepped up to the plate to replace the old operators, according to Kaspersky Lab.

“We believe that the motives for DDoS services remain the same: politics, unfair competition, concealment of other cybercrime, or personal motives,” Gutnikov says. “And for people who conduct DDoS attacks, the main motive is money.”

Data from Verizon’s “2019 Data Breach Investigations Report” (DBIR) shows that public-sector organizations and those in the IT, finance, and professional services sectors are far more frequent targets of DDoS attacks than organizations in other industries. Verizon counted more than 990 DDoS incidents against public-sector organizations in 2018, 684 attacks against IT organizations, 575 targeting financial firms, and nearly 410 against professional services firms.

Financial services organizations and IT companies are also targets of some of the biggest DDoS attacks — from a bandwidth and packets-per-second standpoint. Verizon’s data shows that in 2018, the median size of DDoS attacks against financial services companies and IT organizations was 1.47 Gbps and 1.27 Gbps, respectively.

“Over time, DDoS attacks have been getting much more tightly clumped with regard to size,” with little difference in size between the largest and smallest attacks, Verizon said.

Ominously for enterprise organizations, while DDoS attacks, on average, have shrunk in size overall, there has been an increase in the number of really massive attacks.

According to security vendor Imperva, there has been a recent increase in DDoS attacks involving 500 million or more attack packets per second. During a one-week period earlier this year, Imperva’s researchers detected nine such DDoS attacks, with the largest one hitting an astounding 652 million packets per second.


A DDoS mitigation service is more than just the technology or the service guarantees. The quality and resilience of the underlying network is a critical component in your armor, and one which must be carefully evaluated to determine how well it can protect you against sophisticated DDoS attacks.

Massive Capacity

When it comes to protection against volumetric DDoS attacks, size matters. DDoS attack volumes have been steadily increasing over the past decade, with each year reaching new heights (and scales) of attacks.

To date, the largest-ever verified DDoS attack was a memcached-based attack against GitHub. This attack reached a peak of approximately 1.3 terabits per second (Tbps) and 126 million packets per second (PPS).

In order to withstand such an attack, scrubbing networks must have not just enough to ‘cover’ the attack, but also ample overflow capacity to accommodate other customers on the network and other attacks that might be going on at the same time. A good rule of thumb is to look for mitigation networks with at least 2-3 times the capacity of the largest attacks observed to date.

Dedicated Capacity

It’s not enough, however, to just have a lot of capacity. It is also crucial that this capacity be dedicated to DDoS scrubbing. Many security providers – particularly those who take an ‘edge’ security approach – rely on their Content Distribution Network (CDN) capacity for DDoS mitigation, as

The problem, however, is that the majority of this traffic is already being utilized on a routine basis. CDN providers don’t like to pay for unused capacity, and therefore CDN bandwidth utilization rates routinely reach 60-70%, and can frequently reach up to 80% or more. This leaves very little room for ‘overflow’ traffic that can result from a large-scale volumetric DDoS attack.

Therefore, it is much more prudent to focus on networks whose capacity is dedicated to DDoS scrubbing and segregated from other services such as CDN, WAF, or load-balancing.

Global Footprint

Organizations deploy DDoS mitigation solutions in order to ensure the availability of their services. An increasingly important aspect of availability is speed of response. That is, the question is not only is the service available, but also how quickly can it respond?

Cloud-based DDoS protection services operate by routing customer traffic through the service providers’ scrubbing centers, removing any malicious traffic, and then forwarding clean traffic to the customer’s servers. As a result, this process inevitably adds a certain amount of latency to user

One of the key factors affecting latency is distance from the host. Therefore, in order to minimize latency, it is important for the scrubbing center to be as close as possible to the customer. This can only be achieved with a globally-distributed network, with a large number of scrubbing centers deployed at strategic communication hubs, where there is large-scale access to high-speed fiber connections.

As a result, when examining a DDoS protection network, it is important not just to look at capacity figures, but also at the number of scrubbing centers and their distribution.

Anycast Routing

A key component impacting response time is the quality of the network itself, and its back-end routing mechanisms. In order to ensure maximal speed and resilience, modern security networks are based on anycast-based routing.

Anycast-based routing establishes a one-to-many relationship between IP addresses and network nodes (i.e., there are multiple network nodes with the same IP address). When a request is sent to the network, the routing mechanism applies principles of least-cost-routing to determine which network node is the optimal destination.

Routing paths can be selected based on the number of hops, distance, latency, or path cost considerations. As a result, traffic from any given point will usually be routed to the nearest and fastest node.

Anycast helps improve the speed and efficiency of traffic routing within the network. DDoS scrubbing networks based on anycast routing enjoy these benefits, which ultimately results in faster response and lower latency for end-users.
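The node selection described in this section can be sketched in a few lines. This is an added example, not code from the original article or any vendor: it assumes a single additive path cost (for instance latency in ms) as the routing metric, and the topology, site names and address are constructed. It also shows what happens when one scrubbing center stops announcing the shared address.

```python
import heapq

# Constructed topology (hypothetical names): undirected links with an additive
# path cost, e.g. latency in ms. Three scrubbing centers announce one address.
ANYCAST_IP = "198.51.100.10"  # documentation range, constructed
LINKS = [
    ("client-eu", "r-fra", 5),
    ("client-us", "r-nyc", 6),
    ("client-asia", "r-sin", 8),
    ("r-fra", "r-nyc", 80),
    ("r-fra", "r-sin", 160),
    ("r-nyc", "r-sin", 220),
    ("r-fra", "scrub-fra", 1),
    ("r-nyc", "scrub-nyc", 1),
    ("r-sin", "scrub-sin", 1),
]
ANNOUNCERS = {"scrub-fra", "scrub-nyc", "scrub-sin"}


def build_graph(links):
    """Turn the link list into an adjacency map."""
    graph = {}
    for a, b, cost in links:
        graph.setdefault(a, []).append((b, cost))
        graph.setdefault(b, []).append((a, cost))
    return graph


def path_costs(graph, source):
    """Dijkstra: lowest total cost from source to every reachable node."""
    dist = {source: 0}
    heap = [(0, source)]
    while heap:
        d, node = heapq.heappop(heap)
        if d > dist.get(node, float("inf")):
            continue  # stale heap entry
        for nxt, cost in graph.get(node, []):
            nd = d + cost
            if nd < dist.get(nxt, float("inf")):
                dist[nxt] = nd
                heapq.heappush(heap, (nd, nxt))
    return dist


def anycast_select(graph, client, announcers):
    """Return (node, cost) for the cheapest node announcing ANYCAST_IP,
    or None when no announcing node is reachable."""
    dist = path_costs(graph, client)
    reachable = [(dist[n], n) for n in announcers if n in dist]
    if not reachable:
        return None
    cost, node = min(reachable)
    return node, cost


def route_table(graph, clients, announcers):
    """Selected scrubbing center per client for the current announcements."""
    return {c: anycast_select(graph, c, announcers) for c in clients}


if __name__ == "__main__":
    g = build_graph(LINKS)
    clients = ["client-eu", "client-us", "client-asia"]
    print("all sites up:   ", route_table(g, clients, ANNOUNCERS))
    print("scrub-sin down: ", route_table(g, clients, ANNOUNCERS - {"scrub-sin"}))
```

With the Singapore site withdrawn, the Asian client is still served, but its path cost rises from 9 to 169, which is why both the number and the distribution of scrubbing centers matter.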

Multiple Redundancy

Finally, when selecting a DDoS scrubbing network, it is important to always have a backup. The whole point of a DDoS protection service is to ensure service availability. Therefore, you cannot have it – or any component in it – be a single point-of-failure. This means that every component within the security network must be backed up with multiple redundancy.

This includes not just multiple scrubbing centers and overflow capacity, but also requires redundancy in ISP links, routers, switches, load balancers, mitigation devices, and more.

Only a network with full multiple redundancy for all components can ensure full service availability at all times, and guarantee that your DDoS mitigation service does not become a single point-of-failure of its own.

Ask the Questions

Alongside technology and service, the underlying network forms a critical part of a cloud security network. The five considerations above outline the key metrics by which you should evaluate the network powering potential DDoS protection services.

Ask your service provider – or any service provider that you are evaluating – about their capabilities with regard to each of these metrics, and if you don’t like the answer, then you should consider looking for alternatives.

Source: https://securityboulevard.com/2019/05/5-key-considerations-in-choosing-a-ddos-mitigation-network/

The number of DDoS attacks during the first quarter of 2019 increased by 84 percent compared with the previous quarter according to a new report from Kaspersky Lab.

This reverses last year’s trend of declining DDoS attacks as attackers shifted their attention to other sources of income, such as crypto-mining.

As well as increasing in number, attacks are also getting longer. The number of DDoS attacks that lasted for more than an hour doubled in quantity, and their average length increased by 487 percent. These statistics confirm Kaspersky Lab experts’ hypothesis that hackers are evolving their techniques and are now able to launch longer attacks, which are more difficult to organize.

“The DDoS attack market is changing, and new DDoS services appear to have replaced ones shut down by law enforcement agencies,” says Alexey Kiselev, business development manager on the Kaspersky DDoS Protection team. “As organizations implement basic countermeasures, attackers target them with long-lasting attacks. It is difficult to say if the number of attacks will continue to grow, but their complexity is showing no signs of slowing down. We recommend that organizations prepare themselves effectively, in order to withstand sophisticated DDoS attacks.”

Kaspersky recommends that organizations ensure that their web and IT resources can handle high volumes of traffic, and that they use professional solutions that can protect the organization against DDoS attacks regardless of their complexity, strength or duration.

Source: https://betanews.com/2019/05/21/ddos-attacks-increase/

Distributed denial-of-service (DDoS) mitigation is the process of protecting targeted networks and servers from attacks. A protection service based on the cloud mitigates the threat by protecting the intended victim. A DDoS attack is a type of cyber attack specifically targeting the most critical systems of the business to disrupt the connectivity or the network service. The result is that the user is denied service from necessary resources. The attack combines the power of numerous computers infected with malware with the objective of targeting one system.

The Types of Attacks

There are three key types of attacks. The first is called a volumetric attack. This is when false data requests overwhelm the bandwidth of the network on every single open port available on the device. Once the system has been flooded with malicious requests, the data must be constantly checked. This means legitimate traffic cannot be accepted because there is no room left in the system. The two most frequently used volumetric attacks are ICMP and UDP floods.

The protocol attack damages the connection tables responsible for verifying the connections. This involves sending malformed pings, partial packets and slow pings. This can overload or crash the system because it creates memory buffers. Firewalls are unable to prevent this attack because it has the ability to target the firewalls.

The application layer is in the closest contact with the interaction of the users. An application layer attack is concentrated on the layer responsible for direct traffic from the internet. The potential attacks focus on HTTPS, HTTP, SMTP and DNS. This type of attack makes it difficult to catch the perpetrator due to the smaller number of machines being used. This means it is possible to trick the server into believing the attack is nothing more than a high traffic volume.

The Importance of Mitigation

A mitigation plan can prevent attacks by making a complete security assessment. This is simpler for smaller businesses because larger companies often have multiple teams and an extremely complex infrastructure. Once the attack has occurred, the time for planning has already been lost. It is critical to ensure prompt reactions to mitigate the possibility of an attack. The first step is the development of a defense strategy. The strategy defines the impact of a malicious attack. The employees must understand their responsibilities and the data center must be ready to execute the plan. This can save the business from the time and expense of a lengthy recovery period while minimizing the chances of a successful attack.

The Most Important Elements of Mitigation

Every company needs to have mitigation in place. This provides the systems with filtering tools, advanced detection of potential threats and protection through software and hardware. Every company needs a response team to make certain the reaction to an attack is efficient, fast and organized. All procedures should be assigned to individual teams. This enables the employees to know where to turn if there is an attack. A complete list of emergency contacts should be posted along with the correct procedures. There must be solid communication between the company, their clients, their security vendors and their provider for cloud services.

Preventing Attacks through Security

The best possible way to prevent attacks is to decrease user mistakes as much as possible. This requires strong security practices. The employees should be required to change their passwords fairly frequently. Secure firewalls and anti-phishing will restrict most outside traffic. This is the basis for a good security setup. Multi-level strategies are critical for ensuring the network remains secure. This includes the combination of numerous management and prevention systems including firewalls, a virtual private network (VPN), load balancing, defense techniques and content filtering. This is the best way to locate potential inconsistencies in traffic often resulting in an attack. High quality security can successfully block the attack.

Unfortunately, the majority of standard equipment currently available on the market offers very few options for mitigation. The best recourse is outsourcing to obtain the best possible mitigation available. Many of these resources are cloud based and simple to obtain. This is the ideal solution for both small and medium businesses because they can remain within their budget for security. Mitigation also means having multiple servers. This will provide additional resources if there is an attack on one of the servers. Outsourcing the service will enable the business to further increase security by having their servers in different locations. This makes it a lot harder for the attacker to target the business.

Updating the Systems

When any system is not kept updated, it is at a higher risk for an attack. Mitigation ensures the newest versions of software are installed to tighten the security and decrease the access for potential attacks. The main reason mitigation is so critical is because the attacks are extremely complicated. The system must be able to identify any traffic anomalies immediately to provide the necessary response. When the infrastructure has been properly secured, the threat is automatically minimized. This protects the business from all different types of attacks.

Identifying Unusual Activity

The best way to prevent any attack is with early detection. There are all different types of attacks but there are commonalities. The most common signs there has been an intrusion into the system are a large number of spam emails or a noticeable slowdown in the performance of the network. When these types of issues are noticed sooner, the threat can be successfully blocked. It is critical the employees understand the system and all of the available resources. Mitigation provides advanced resources to protect the system by detecting potential attacks and reacting immediately. Without these resources, the entire network of the business can crash.

The Cloud

Excellent attack prevention is available through DDoS mitigation providers using cloud-based services. This type of service is advantageous for numerous reasons. A private network does not have anywhere near the resources or bandwidth of the cloud. This is critical because so many businesses are strictly reliant on the hardware right on the premises. This makes it easier for an attacker to infiltrate the network. The cloud has apps capable of preventing malicious traffic from reaching their target. Software engineers are constantly monitoring the internet for the newest techniques being used by the attackers. This means they are more aware of what to look for and have the resources to find it faster to prevent the attack. Every company has different needs depending on their network and environment. This does not change the fact that every business must be flexible regarding their security.

The Warning Signs

Every attack has warning signs signaling a potential attack. This includes a slowdown of the network, websites constantly shutting down and issues with the connectivity. Every network can experience issues. When there is a consistent or severe issue with performance, there is a strong possibility an attack is in progress. Action must be taken immediately to protect the network. A service offers increased flexibility for dedicated and cloud hosting and on-premises networks. The components of the infrastructure must be compliant with the highest quality security requirements and standards to be effective. This enables the security to be customized for the specific needs of each business providing the best possible protection against malicious attacks.

The Bottom Line

Unfortunately, there will always be attackers consistently devising new and creative ways to attack a business network. Mitigation is the best way to stay a step ahead of the attacks. Preventing attacks saves the business money, time and a lot of aggravation.

Source: https://pctechmag.com/2019/05/ddos-mitigation-and-why-you-need-it/