DDoS Archive

In October 2016, the Mirai botnet took down domain name system provider Dyn, waking much of the world up to the fact that Internet of Things devices could be weaponized in a massive distributed denial of service (DDoS) attack. Although DDoS attacks have been around since the early days of the modern internet, IT communities around the globe came to realize that IoT devices could be leveraged in botnet attacks to go after all kinds of targets.

In the case of Dyn, the cyberattack took huge chunks of the web offline, since Dyn served as a hub and routing service for internet traffic. The attack temporarily shut off access to Twitter, Netflix, Spotify, Box, GitHub, Airbnb, reddit, Etsy, SoundCloud and other sites.

The rising prominence of botnets in DDoS attacks also prompted the federal government to take a stronger interest. President Donald Trump’s May 2017 executive order on cybersecurity directed the secretaries of Commerce and Homeland Security to lead “an open and transparent process to identify and promote action by appropriate stakeholders” that would improve the resilience of the internet and encourage collaboration around the goal of “dramatically reducing threats perpetrated by automated and distributed attacks (e.g., botnets).”

In late May, the departments of Commerce and Homeland Security issued a final report on the topic, which included numerous recommendations for agencies to take to mitigate DDoS attacks and botnet threats.

The government, the report says, “should leverage industry-developed capability baselines, where appropriate, in establishing capability baselines for IoT devices in U.S. government environments to meet federal security requirements, promote adoption of industry-led baselines, and accelerate international standardization.”

Among numerous other measures, the report says that agencies should put in place basic DDoS prevention and mitigation measures for all federal networks, and ensure they are not used to amplify DDoS attacks.

Before federal IT leaders and professionals put mitigation and prevention measures in place, it’s worth taking time to understand the nature of the threat. Here is a primer on DDOs attacks, botnets, the damage they can do and how agencies can guard against them.

What Is a DDoS Attack?

A DDoS attack is a cyberattack in which multiple compromised systems attack a given target, such as a server or website, to deny users access to that target.

Attackers often use compromised devices — desktops, laptops, smartphones or IoT devices — to command them to generate traffic to a website in order to disable it, in ways that the user does not even detect.

“The smart cybercriminal imposes limits on the malware code to avoid detection by not utilizing too much of the user’s bandwidth or system resources,” Carl Danowski, a CDW service delivery architect in managed services, writes in a blog post. “The user would have to know where to look to detect this, and probably won’t be motivated to as long as the software doesn’t cause any problems for them. The attack does not use just a single system but millions of such compromised systems, nearly simultaneously.”

The malware then visits or sends special network packets (OSI Layer 7 and Layer 3, respectively) to the website or DNS provider. The attack then generates what looks like, to most cybersecurity tools, normal traffic or unsuccessful connection attempts.

“However, the website soon becomes unavailable as some part of the infrastructure can no longer handle the sheer number of simultaneous requests,” Danowski notes. “It could be the router, the firewall, the web servers, the database servers behind the web servers — any number of points can become overwhelmed, leading to the unavailability of the service they are providing. As a result, legitimate users of the website are denied service.”

As the DHS/Commerce report notes, DDoS attacks have been a concern since the early days of the internet and were a regular occurrence by the early 2000s. They can “overwhelm networked resources, sending massive quantities of spam, disseminating keylogger and other malware.”

What Is a Botnet Attack?

Botnet attacks are related to DDoS attacks. Not all botnets are malicious; a botnet is a simply a group of connected computers working together to execute repetitive tasks, and can keep websites up and running. However, malicious botnets use malware to take control of internet-connected devices and then use them as a group to attack.

“More often than not, what botnets are looking to do is to add your computer to their web,” a blog post from anti-virus firm Norton notes. “That usually happens through a drive-by download or fooling you into installing a Trojan horse on your computer. Once the software is downloaded, the botnet will now contact its master computer and let it know that everything is ready to go. Now your computer, phone or tablet is entirely under the control of the person who created the botnet.”

Malicious botnets are often used to amplify DDoS attacks, as well as sending out spam, generating traffic for financial gain and scamming victims.

The rise of the IoT makes botnets more dangerous and potentially virulent. The IoT means there are simply many more (usually unsecured) connected devices for attackers to target. As a result, the DHS/Commerce report notes, “DDoS attacks have grown in size to more than one terabit per second, far outstripping expected size and excess capacity. As a result, recovery time from these types of attacks may be too slow, particularly when mission-critical services are involved.”

Further, the report adds, traditional DDoS mitigation techniques, such as network providers building in excess capacity to absorb the effects of botnets, “were not designed to remedy other classes of malicious activities facilitated by botnets, such as ransomware or computational propaganda.”

Botnet Detection and Removal Tools

Botnet detection can be difficult, since infected bots are designed to operate without users knowing about them. A blog post from CA Technologies suggests several symptoms of botnet infection that administrators should look for. These Include:

  • Internet Relay Chat traffic (botnets and bot masters use IRC for communications)
  • Connection attempts with known command-and-control servers
  • Multiple machines on a network making identical DNS requests
  • High outgoing Simple Message Transfer Protocol traffic (as a result of sending spam)
  • Unexpected pop-ups (as a result of clickfraud activity)
  • Slow computing/high CPU usage spikes in traffic, especially on Port 6667 (used for IRC), Port 25 (used in email spamming) and Port 1080 (used by proxy servers)
  • Outbound messages (email, social media, instant messages, etc.) that weren’t sent by the user

Some tools, such as CDW’s Threat Check tool, perform passive inspection of all inbound and outbound network traffic and look for evidence of malicious activity. “It will not block any traffic but simply monitor and report on what it sees. This includes connections to botnets, connections to command and control servers, remote access tools, visits to sites hosting malicious code, or any other evidence of an infection,” Aaron Colwell, manager of strategic software sales for the analytics practice at CDW, writes on CDW’s solutions blog.

“Botnet detection is useless without having botnet removal capabilities,” the CA blog notes. “Once a bot has been detected on a computer, it should be removed as quickly as possible using security software with botnet removal functionality.”

Microsoft offers tools to remove malicious software, as do many other security software companies.

A Brief History of DDoS Attacks: Reaper, Zeus and Mirai Botnets

In recent years, there have been several high-profile botnet attacks that have rocketed around the internet, causing varying levels of devastation to IT environments.

According to CSO Online, the Mirai botnet was actually created by Paras Jha, then an undergraduate at Rutgers University, who became interested in how DDoS attacks could be used for profit, especially by using DDoS attacks to disable rival servers that might be used to host the online game Minecraft.

The major Mirai botnet attack took down the security blog KrebsOnSecurity in September 2016, and its source code was published online a few weeks later. Then came the major attack on Dyn. “The FBI believes that this attack was ultimately targeting Microsoft game servers,” which can be hosted and used to generate money from Minecraft players, CSO reports. The attack spread to vulnerable devices “by continuously scanning the Internet for IoT systems protected by factory default usernames and passwords,” Krebs reports.

Although Mirai is still causing problems across the web, the Justice Department in December 2017 secured guilty pleas from Jha and Josiah White for their roles in developing and using Mirai.

Another recent botnet that made waves is Reaper, which is built on parts of Mirai’s code. However, as Wired details, it is different in dangerous ways. “Instead of merely guessing the passwords of the devices it infects, it uses known security flaws in the code of those insecure machines, hacking in with an array of compromise tools and then spreading itself further,” the publication reports, meaning that it could “become even larger — and more dangerous — than Mirai ever was.” The botnet surfaced in January when it was used to target financial services firms in the Netherlands, Security Week reports.

In 2014, the GameOver Zeus botnet rose to prominence, and was “responsible for the theft of millions of dollars from businesses and consumers in the U.S. and around the world,” according to the FBI.

“GameOver Zeus is an extremely sophisticated type of malware designed specifically to steal banking and other credentials from the computers it infects,” the FBI noted. “It’s predominantly spread through spam e-mail or phishing messages.”

In February 2015, the FBI announced a $3 million bounty for information leading to the arrest and conviction of Evgeniy Mikhailovich Bogachev, a Russian national the government believes is responsible for building and distributing the Zeus banking Trojan.

How Feds Can Respond to the Botnet Threat

The DHS/Commerce report offers agencies guidance on how they can combat DDoS and botnet attacks.

First, the report says that stakeholders and subject matter experts, in consultation with the National Institute of Standards and Technology, should lead the development of a Framework for Improving Critical Infrastructure Cybersecurity Profile for enterprise DDoS prevention and mitigation.

“The profile would help enterprises identify opportunities to improve DDoS threat mitigation and aid in cybersecurity prioritization by comparing their current state with the desired target state,” the report says. “The profile would likely include multiple levels to support industry sectors with different resilience requirements.”

After that is created, the report says agencies “should implement basic DDoS prevention and mitigation measures for all federal networks to enhance the resilience of the ecosystem and demonstrate the practicality and efficacy of the profile.”

In the past, the report notes, “hackers have leveraged federal networks in DDoS attacks using open resolvers and other agency resources to amplify their attacks.” DNS primarily translates hostnames to IP addresses or IP addresses to hostnames. As TechTarget notes, DNS resolvers are “servers that client systems use to resolve domain names.”

The report says that “poorly administered enterprise resources, such as open DNS resolvers, are often leveraged to amplify attacks.” Many network vendors, including Cisco Systems, offer agencies and other organizations best practices for guarding against DNS attacks.

“The federal government should lead by example, ensuring that federal resources are not unwitting participants and that federal networks are prepared to detect, mitigate, and respond as necessary,” the DHS/Commerce report states.

The administration should mandate implementation of the federal cybersecurity framework profile for DDoS prevention and mitigation by all government agencies within a fixed period after completion and publication of the profile, the report advises.

“The federal government should evaluate and implement effective ways to incentivize the use of software development tools and processes that significantly reduce the incidence of security vulnerabilities in all federal software procurements, such as through attestation or certification requirements,” the report adds.

To establish market incentives for secure software development, the government should “establish procurement regulations that favor or require commercial off-the-shelf software that is developed using such processes, when available,” and “should also ensure that government-funded software development projects use the best available tools to obtain insight into the impact of these regulations.”

Source: https://fedtechmagazine.com/article/2018/09/what-feds-can-do-guard-against-ddos-attacks-and-botnet-threat-perfcon

Report fingers students and staff for academic cyber-attacks

Who’s hacking into university systems? Here’s a clue from the UK higher education tech crew at Jisc: the attacks drop dramatically during summer break.

A new study from Jisc (formerly the Joint Information Systems Committee) has suggested that rather than state-backed baddies or common criminals looking to siphon off academic research and personal information, staff or students are often the culprits in attacks against UK higher education institutions.

The non-profit body, which provides among other things internet connectivity to universities, analysed 850 attacks in the 2017-18 academic year and found a consistent pattern that occurred during term time and the UK working day.

Holidays brought with them a sharp reduction in attacks, from a peak 60-plus incidents a week during periods of the autumn term to a low of just one a week at times in the summer. It acknowledged that part of the virtual halt in summer may be down to cops and Feds cracking down on black hat distributed denial-of-service tools in the months prior, however.

Jisc is perhaps better known among Reg readers for providing the Janet network to UK education and research institutions.

Its data covered cyber-attacks against almost 190 universities and colleges and focused on denial-of-service and other large-scale infosec hits rather than phishing frauds and malware.

Staff and students with a grudge or out to cause mischief are more credible suspects in much of this rather than external hackers or spies. More sophisticated hackers might be inclined to use DDoS as some sort of smokescreen.

In a blog post, Jisc security operations centre head John Chapman admitted some of the evidence suggesting staff and students might be behind DDoS attacks is circumstantial. However, he pointed out evidence from law enforcement and detected cyber assaults supported this theory. For example, a four-day DDoS attack the unit was mitigating against was traced back to a university hall of residence – and turned out to be the result of a feud between two rival gamers.

Whoever might be behind them, the number of incidents is growing. Attacks are up 42 per cent to reach this year’s 850; the previous academic year (2016-17) witnessed less than 600 attacks against fewer than 140 institutions.

Matt Lock, director of solutions engineers at Varonis, said: “This report is another reminder that some of the biggest threats facing organisations today do not involve some hoodie-wearing, elusive computer genius.”

Education is targeted more often than even the finance and retail sectors, according to McAfee research (PDF).

Nigel Hawthorn, data privacy expert at McAfee, commented in March:

“The kind of data held by universities (student records/intellectual property) is a valuable commodity for cyber criminals, so it is crucial that the security and education sectors work together to protect it.

Source: https://www.theregister.co.uk/2018/09/17/cyber_attack_uk_universities/

DDoS attacks against university campuses are more likely in term time.

Nation-states and criminal gangs often get the blame for cyber attacks against universities, but a new analysis of campaigns against the education sector suggests that students — or even staff — could be perpetrators of many of these attacks.

Attributing cyber attacks is often a difficult task but Jisc, a not-for-profit digital support service for higher education, examined hundreds of DDoS attacks against universities and has come to the conclusion that “clear patterns” show these incidents take place during term-time and during the working day — and dramatically drop when students are on holiday.

“This pattern could indicate that attackers are students or staff, or others familiar with the academic cycle. Or perhaps the bad guys simply take holidays at the same time as the education sector,” said John Chapman, head of security operations at Jisc.

While the research paper notes that in many cases the reasons behind these DDoS campaigns can only be speculated about, just for fun, for the kudos and to settle grudges are cited as potential reasons.

In one case, a DDoS attack against a university network which took place across four nights in a row was found to be specifically targeting halls of residence. In this instance, the attacker was launching an attack in order to disadvantage a rival in online games.

The research notes that attacks against universities usually drop off during the summer — when students and staff are away — but that the dip for 2018 started earlier than it did in 2017.

“The heat wave weather this year could have been a factor, but it’s more likely due to international law enforcement activity — Operation Power Off took down a ‘stresser’ website at the end of April,” said Chapman.

The joint operation by law enforcement agencies around the world took down ‘Webstresser’, a DDoS for hire service which illegally sold kits for overwhelming networks and was, at the time, the world’s largest player in this space. This seemingly led to a downturn in DDoS attacks against universities.

But universities ignore more advanced threats “at their peril” said Chapman. “It’s likely that some of these more sophisticated attacks are designed to steal intellectual property, targeting sensitive and valuable information held at universities and research centres.”

Despite this, a recent survey by Jisc found that educational establishments weren’t taking cyber attacks seriously, as they weren’t considered a priority issue by many.

“When it comes to cyber security, complacency is dangerous. We do everything we can to help keep our members’ safe, but there’s no such thing as a 100% secure network,” said Chapman.

Source: https://www.zdnet.com/article/ddos-attacks-students-blamed-for-many-university-cyber-attacks/

With the help of machine learning and AI, software-defined networks could soon aid businesses with network management.

A network that can fix and optimize itself without human intervention could become a reality soon – but not without some training. With the help of machine learning and artificial intelligence, software-defined networks can learn to help with network management by using operational data.  Initial application of AI to WAN operations includes security functions such as DDoS attack mitigation as well as near real-time, automated path selection, and eventually AI-defined network topologies and basic operations essentially running on ‘auto-pilot’.

Enhancing IT operations with artificial intelligence (AI), including configuration management, patching, and debugging and root cause analysis (RCA) is an area of significant promise – enough so that Gartner has defined the emerging market as “AIOps”. These platforms use big data and machine learning to enhance a broad range of IT operations processes, including availability and performance monitoring, event correlation and analysis, IT service management, and automation (Gartner “Market Guide for AIOps platforms,” August 2017).

Gartner estimates that by 2022, 40 percent of all large enterprises will combine big data and machine learning functionality to support and partially replace monitoring, service desk and automation processes and tasks, up from five percent today.

Limits of automation and policy for NetOps

Given the traditional split between APM (application performance management) and NPM (network performance management), even the best network management tools aren’t always going to help trace the root cause of every application and service interruption. There can be interactions between network and application that give rise to an issue, or a router configuration and issue with a service provider that’s impacting application performance.

Network operations personnel might respond to an incident by setting policies in the APM or NPM systems that will alert us when an unwanted event is going to happen again. The issue with policy-based management is that it is backwards looking. That’s because historical data is used to create into policies that should prevent something from happening again. Yet, policy is prescriptive; it doesn’t deal with unanticipated conditions. Furthermore, changes in business goals again more human intervention if there isn’t a matching rule or pre-defined action.

On the whole, SD-WAN services represent an improvement over management of MPLS networks. Still, the use of an SD-WAN isn’t without its own challenges. Depending on the number of locations that have to be linked, there can be some complexity in managing virtual network overlays. The use of on-demand cloud services adds another layer of complexity. Without sufficient monitoring tools, problems can escalate and result in downtime. At the same time, adding people means adding cost, and potentially losing some of the cost efficiencies of SD-WAN services.

AI is way forward for SD-WAN management

What would AIOps bring to SD-WAN management?

Starting with a programmable SD-WAN architecture is an important first step towards a vision of autonomous networking.  Programmable in this case means API-driven, but the system also needs to leverage data from the application performance and security stack as well as the network infrastructure as inputs into the system so that we can move from simple alerting to intelligence that enables self-healing, managing and optimization with minimal human intervention.

Monitoring all elements in the system in real time (or at least near real time) will require storing and analyzing huge amounts of data. On the hardware side, cloud IaaS services have made that possible. Acting on the information will require artificial intelligence in the form of machine learning.

Use Cases for AI in SD-WAN

There are a variety of ways to apply machine learning algorithms to large datasets from supervised to unsupervised (and points in between) with the result being applications in areas such as:

  • Security, where unexpected network traffic patterns and patterns of requests against an application can be detected to prevent DDoS attacks.
  • Enhancing performance of applications over the internet network with optimized route selection.

Looking more closely at security as a use case, how would AI and ML be able to augment security of SD-WANs? While the majority of enterprises are still trying to secure their networks with on-premise firewalls and DDoS mitigation appliances, they are also facing attacks that are bigger and more sophisticated. According to statistics gathered by Verisign last year:

  • DDoS attacks peaked at over 5Gbps approximately 25% of the time
  • During Q3 2017, 29% of attacks combined five or more different attack types.

Challenge: A multi-vector attack on an enterprise network has affected service availability in Europe.

Response: Application of AIOps to the SD-WAN underlay can automate the response to the attack. Instead of manually re-configuring systems, the network can automatically direct traffic to different traffic scrubbing centers based on real-time telemetry around network and peering point congestion, mitigation capacity, and attack type/source. Because the system can process data from outside sources at speeds far beyond human ability to manage the network, the system can adjust traffic flows back to normal transit routes as soon as the attack subsides, saving money on the cost of attack mitigation. AI and ML in conjunction with a programmable SD-WAN are capable of responding more quickly and in more granular fashion than is possible with standard policy-based “automatic detection” and mitigation techniques.

Where does AI in network go next?

Although the industry is still in the early days of applying machine learning to networking, there are a number of efforts underway to keep an eye on. One is the Telecom Infra Project (TIP), founded by Facebook and telecom first firms such as Deutsche Telecom and SK Telecom, which now counts several hundred other companies as members. The TIP recently started collaborating on AI with an eye towards predictive maintenance and dynamic allocation of resources. Important groundwork for the project will include defining common dataset formats that are used to train systems. That work could lead to further sharing of data between network providers and web companies, offering the prospect of significant improvements to security and threat detection for enterprises and consumers.

Further in the future, we might expect to see an AI designed network topology, combined with SDN control over resources. Networking will have moved from a paradigm of self-contained networks to a network ‘awareness’ overlay which enables coordinated, intelligent actions based on operator intention. Network engineers can put the system on ‘auto-pilot’ during everyday computing, and instead spend time orchestrating resources based on the goals of the business.

Source: https://www.itproportal.com/features/how-to-train-your-network-the-role-of-artificial-intelligence-in-network-operations/

According to the Q2 2018 Threat ReportNexusguard’s quarterly report, the average distributed denial-of-service (DDoS) attack grew to more than 26Gbps, increasing in size by 500%.

The research looked at the same period last year and found that the maximum attack size quadrupled to 359Gbps. Evaluating thousands of worldwide DDoS attacks, researchers reportedly gathered real-time attack data from botnet scanning, honeypots, ISPs and traffic moving between attackers and their targets. Data analysis led researchers to attribute the stark surge to IoT botnets and Satori malware exploits, one of many variants of the Mirai malware.

“Due to the increase in IoT-related malware exploits and the rampant growth of large-scale DDoS attacks, research conclusions point to the continued use of IoT botnets. Cyber-attacks hit the 2018 FIFA World Cup, as well as cryptocurrency-related businesses, maximizing revenue loss,” Nexusguard wrote in a press release. Additionally, attacks on the Verge Network (XVG) resulted in a significant loss of 35 million XVG tokens.

“The biggest zero-day risks can stem from various types of home routers, which attackers can exploit to create expansive DDoS attacks against networks and mission-critical services, resulting in jumbo-sized attacks intended to cripple targets during peak revenue-generating hours,” said Juniman Kasman, chief technology officer for Nexusguard.

“Telcos and other communications service providers will need to take extra precautions to guard bandwidth against these super-sized attacks to ensure customer service and operations continue uninterrupted.”

Nexusguard analysts advise communications service providers (CSPs) and other potentially vulnerable operations to augment their preparedness so that they are able to maintain their bandwidth, especially if they lack full redundancy and failover plans in their infrastructures. CSPs and vulnerable organizations that enhance bandwidth protection will be better positioned to stay ahead of the surging attack sizes.

“In the quarter, increasingly large attacks (a YoY average-size increase of 543.17%) had a severe impact on Communication Service Providers (CSP),” the report said. “Serving as a link between attack sources and victim servers and infrastructures, CSPs bear the burden of the increasing size of traffic, irrespective of its source or destination. As such, Internet service is degraded.”

Source: https://www.infosecurity-magazine.com/news/ddos-attacks-increase-in-size-by/