DDoS Attacks Archive

When there’s a DDoS attack against your voice network, are you ready to fight against it?

An estimated 240 million calls are made to 911 in the US each year. With the US population estimated at more than 328 million people as of November 2018, this means each US resident makes, on average, more than one 911 call per year. 911 is a critical communications service that ensures the safety and individual welfare of our nation’s people.

So, what happens when the system goes down?

Unfortunately, answers can include delays in emergency responses, reputational damage to your brand or enterprise by being associated with an outage, and even loss of life or property. We have seen very recent examples of how disruption in 911 services can impact municipalities. For example, days after Atlanta was struck by a widespread ransomware attack, news broke of a hacking attack on Baltimore’s computer-assisted dispatch system, which is used to support and direct 911 and other emergency calls. For three days, dispatchers were forced to track emergency calls manually as the system was rebuilt — severely crippling their ability to handle life-and-death situations.

In 2017, cybersecurity firm SecuLore Solutions reported that there had been 184 cyberattacks on public safety agencies and local governments within the previous two years. 911 centers had been directly or indirectly attacked in almost a quarter of those cases, most of which involved distributed denial-of-service (DDoS) attacks.

Unfortunately, these kinds of DDoS attacks will continue unless we make it a priority to improve the security of voice systems, which remain dangerously vulnerable. This is true not just for America’s emergency response networks, but also for voice networks across a variety of organizations and industries.

The Evolving DDoS Landscape
In today’s business world, every industry sector now relies on Internet connectivity and 24/7 access to online services to successfully conduct sales, stay productive, and communicate with customers. With each DDoS incident costing $981,000 on average, no organization can afford to have its systems offline.

This is a far cry from the early days of DDoS, when a 13-year-old student discovered he could force all 31 users of the University of Illinois Urbana-Champaign’s CERL instruction system to power off at once. DDoS was primarily used as a pranking tool until 2007, when Estonian banks, media outlets, and government bodies were taken down by unprecedented levels of Internet traffic, which sparked nationwide riots.

Today, DDoS techniques have evolved to use Internet of Things devices, botnets, self-learning algorithms, and multivector techniques to amplify attacks that can take down critical infrastructure or shut down an organization’s entire operations. Last year, GitHub experienced the largest-ever DDoS attack, which relied on UDP-based memcached traffic to boost its power. And just last month, GitHub experienced a DDoS attack that was four times larger.

As these attacks become bigger, more sophisticated, and more frequent, security measures have also evolved. Organizations have made dramatic improvements in implementing IP data-focused security strategies; however, IP voice and video haven’t received the same attention, despite being equally vulnerable. Regulated industries like financial services, insurance, education, and healthcare are particularly susceptible — in 2012, a string of DDoS attacks severely disrupted the online and mobile banking services of several major US banks for extended periods of time. Similarly, consider financial trading — since some transactions are still done over the phone, those jobs would effectively grind to a halt if a DDoS attack successfully took down their voice network.

As more voice travels over IP networks and as more voice-activated technologies are adopted, the greater the threat DDoS poses to critical infrastructure, businesses, and entire industries. According to a recent IDC survey, more than 50% of IT security decision-makers say their organization has been the victim of a DDoS attack as many as 10 times in the past year.

Say Goodbye to DDoS Attacks
For the best protection from DDoS attacks, organizations should consider implementing a comprehensive security strategy that includes multiple layers and technologies. Like any security strategy, there is no panacea, but by combining the following solutions with other security best practices, organizations will be able to better mitigate the damages of DDoS attacks:

  • Traditional firewalls: While traditional firewalls likely won’t protect against a large-scale DDoS attack, they are foundational in helping organizations protect data across enterprise networks and for protection against moderate DDoS attacks.
  • Session border controllers (SBCs): What traditional firewalls do for data, SBCs do for voice and video data, which is increasingly shared over IP networks and provided by online services. SBCs can also act as session managers, providing policy enforcement, load balancing and network/traffic analysis. (Note: Ribbon Communications is one of a number of companies that provide SBCs.)
  • Web application firewalls: As we’ve seen with many DDoS attacks, the target is often a particular website or online service. And for many companies these days, website uptime is mission-critical. Web application firewalls extend the power of traditional firewalls to corporate websites.

Further, when these technologies are paired with big data analytics and machine learning, organizations can better predict normative endpoint and network behavior. In turn, they can more easily identify suspicious and anomalous actions, like the repetitive calling patterns representative of telephony DoS attacks or toll fraud.
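The repetitive calling patterns mentioned above can be picked out of call detail records with sliding-window counts. The following Python is an added example, not code from the article or from Ribbon Communications; it assumes a constructed CSV-style record format (timestamp, caller, callee, duration in seconds) and thresholds that a real deployment would tune from its own traffic baseline.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed CDR sample (not real traffic); assumed format:
# ISO timestamp,caller,callee,duration_seconds. One ordinary call, then a
# single caller redialling one number every six seconds, then several
# distinct callers flooding one number with calls that last only seconds.
SAMPLE_CDR = """\
2019-02-20T09:00:00,+15555550101,+15555550200,95
2019-02-20T09:05:00,+15555550199,+15555550300,2
2019-02-20T09:05:06,+15555550199,+15555550300,1
2019-02-20T09:05:12,+15555550199,+15555550300,2
2019-02-20T09:05:18,+15555550199,+15555550300,1
2019-02-20T09:05:24,+15555550199,+15555550300,2
2019-02-20T09:05:30,+15555550199,+15555550300,1
2019-02-20T09:10:00,+15555550111,+15555550400,3
2019-02-20T09:10:05,+15555550112,+15555550400,2
2019-02-20T09:10:09,+15555550113,+15555550400,4
2019-02-20T09:10:14,+15555550114,+15555550400,1
"""

@dataclass
class CallRecord:
    ts: datetime
    caller: str
    callee: str
    duration: int  # seconds the call lasted

def parse_cdr(lines):
    """Parse the constructed CDR format, skipping blank and '#' lines."""
    records = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, caller, callee, duration = line.split(",")
        records.append(CallRecord(datetime.fromisoformat(ts), caller, callee, int(duration)))
    return records

def max_in_window(times, window_seconds):
    """Largest number of events inside any window of window_seconds."""
    times = sorted(times)
    best, start = 0, 0
    for end, t in enumerate(times):
        while (t - times[start]).total_seconds() > window_seconds:
            start += 1
        best = max(best, end - start + 1)
    return best

def repetitive_callers(records, window_seconds=60, max_calls=5):
    """Callers placing more than max_calls calls inside any window (the
    robodialler pattern of a telephony DoS). Returns {caller: peak count}."""
    by_caller = defaultdict(list)
    for r in records:
        by_caller[r.caller].append(r.ts)
    flagged = {}
    for caller, times in by_caller.items():
        peak = max_in_window(times, window_seconds)
        if peak > max_calls:
            flagged[caller] = peak
    return flagged

def flooded_callees(records, window_seconds=60, min_callers=4, max_mean_duration=5.0):
    """Destinations hit by min_callers or more distinct sources, bunched inside
    one window, with calls lasting only seconds on average.
    Returns {callee: (distinct callers, mean duration)}."""
    by_callee = defaultdict(list)
    for r in records:
        by_callee[r.callee].append(r)
    flagged = {}
    for callee, recs in by_callee.items():
        if max_in_window([r.ts for r in recs], window_seconds) < min_callers:
            continue
        callers = {r.caller for r in recs}
        mean_duration = sum(r.duration for r in recs) / len(recs)
        if len(callers) >= min_callers and mean_duration <= max_mean_duration:
            flagged[callee] = (len(callers), round(mean_duration, 1))
    return flagged
```

Running `repetitive_callers` and `flooded_callees` over `parse_cdr(SAMPLE_CDR.splitlines())` flags the redialling caller and the flooded destination respectively, while the ordinary call is left alone.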

DDoS attacks will continue to be a threat for organizations to contend with. Cybercriminals will always look toward new attack vectors, such as voice networks, to find the one weak spot in even the most stalwart of defenses. If organizations don’t take the steps necessary to make voice systems more secure, critical infrastructure, contact centers, healthcare providers, financial services and educational institutions will certainly fall victim. After all, it only takes one overlooked vulnerability to let attackers in.

Source: https://www.darkreading.com/attacks-breaches/when-911-goes-down-why-voice-network-security-must-be-a-priority-/a/d-id/1333782

The internet of things (IoT) has opened new horizons, from smart-city advancements to transforming how industries produce goods. For example, by connecting assets in a factory, manufacturers can have better insight into the health of their machinery and predict any major problems with their hardware before they happen, allowing them to stay one step ahead of their systems and keep costly outages to a minimum.

But, despite its life-enhancing and cost-saving benefits, IoT has proven to be a minefield to secure.

There are several reasons why. First and foremost is a general lack of awareness among consumers and businesses. The convenience and cost-saving benefits of IoT tech appear to outweigh the potential risks.

Another challenge is securing not just the IoT devices but also the networks over which their data is transferred. IoT devices increase the amount of entry points into a home or business network, which in turn could give hackers access to devices such as computers that contain sensitive data.

Eventually we could see almost every home device connected to the internet, not necessarily with any consumer benefit but instead geared toward data collection. And IoT sensors increasingly are being used by businesses of all sizes across numerous industries including health care and manufacturing. This setup can be incredibly valuable for businesses, but is also highly susceptible to penetration by hackers.

In the past, businesses haven’t always focused on building end-to-end security into the network. This is set to change as attitudes evolve. In fact, thanks to emerging tech platforms, the industry is developing new ways to protect IoT devices from increasingly sophisticated hackers and there will be significant opportunities for those working in the IoT security space.

Let’s look at the impact of some emerging platforms on the security space:

Using blockchain technology can reduce the risk of IoT devices being put at risk by a security breach at a single point. By getting rid of a central authority in IoT networks, blockchain would enable device networks to validate and protect themselves. For example, devices in a common group could stop or alert the user if asked to carry out tasks that appear unusual, such as being commandeered by hackers to carry out distributed denial of service (DDoS) attacks.

Artificial intelligence can help to speed up the process of identifying potential risks. AI is set to be so integral to cybersecurity in the future that it is estimated that the global AI security market will reach $18.2 billion by 2023, according to a recent report.

Meanwhile, just as new technology platforms have opened doors for hackers, new security platforms are being developed to combat the threat. Interactive visual walls, dashboard displays, 3D object recognition and a virtual reality experience provide a glimpse of the security capabilities that can help organizations build and monitor cybersecurity platforms, as suited to their business needs.

Be Ready for Anything

At this point, security breaches have become almost inevitable, rather than something that can be completely avoided. Without adequate security, even innocuous items that generally pose no threat can be transformed into something far more sinister—for example, traffic lights that tell cars and pedestrians to go at the same time.

As a result, it’s important that organizations take time to think about how they can work together to create an end-to-end infrastructure that can deal with the influx of new devices. With this increased threat, the focus is shifting from prevention to resilience.

Education is key and makers of IoT devices, ISPs and the government all must play a vital role in boosting awareness of IoT security among consumers and businesses. At a government level, it also may be necessary to provide education to boost the digital literacy of policymakers. More regulation and standardization are needed to ensure that IoT devices adhere to a certain level of security, while manufacturers must develop clear privacy policies for their IoT devices and ensure that consumers know how to adjust the security settings. Even simple steps such as not setting default passcodes as “0000” or “1234” could help keep devices more secure in the future.

Businesses must talk openly about vulnerabilities, promoting awareness and accountability. Resources that are currently focused on prevention need to be redeployed toward the timely detection of and response to potential security hacks.

The best way to approach this is a layered security solution. That means security at the device level, over the air, and once traffic reaches the network: securing the end device itself, the over-the-air link (for example with a VPN), the pipe between the device and the network, and the network itself.

With emerging technological platforms such as cloud computing and IoT offering more gateways to hackers, it is now more critical than ever for companies to institute holistic security platforms to deal with these threats. Only with everyone working together toward a common goal will the new technology platforms that have the power to improve our lives be used only to do good.

Source: https://securityboulevard.com/2019/02/the-evolving-approach-to-iot-security/

Cayosin brings together multiple strands of botnet tech and hacker behavior for a disturbing new threat.

When botnet-as-a-service meets social media marketing, you have a threat poised to rapidly spread. That’s precisely what researchers have found in a quickly evolving botnet called Cayosin (Kay-OH-sin), which combines the most dangerous features of multiple previous botnets and makes them available to a broad audience at a low price.

When researchers at Perch were going through customer telemetry last month, they found strings they hadn’t seen before. In looking through the signatures, Perch senior threat researcher Paul Scott found leads on a Reddit forum dedicated to Linux malware that showed Cayosin was “actually a custom piece of malware developed from multiple public sources,” Scott explains. “So it’s kind of a Frankenstein between Qbot, Mirai, and a few other pieces of software. The actors kind of cobbled them all together to make a new thing.”

This new thing is a botnet for hire that draws marketing and support techniques from the best of legitimate commercial activity. “They were primarily renting spots or having subscribers sign up for an account when it was still in early development, and they were charging a very low amount of money, like $5 a spot,” Scott says. Since Cayosin has matured and become more full-featured, though, the developing syndicate (or individual) has raised the price.

Cayosin has been marketed through “legitimate” social media platforms rather than the Dark Web. One of the first marketing instruments was a YouTube video showing its operation. “[Then] in the comments of the YouTube video, they started talking about an Instagram account that was selling it,” Scott says.

The Instagram account of a user called “unholdable” contains multiple articles and videos explaining how to lease space on the Cayosin botnet, how to best use the malware, and how to purchase source code for the original version of the botnet software. “You can kind of see the development of not only Cayosin but other tools that this threat actor has published” in the Instagram posts, Scott says.

Following the social media accounts led researchers to additional malware and botnets, including Yowai, a botnet described by researchers at Trend Micro. The social media accounts are allowing the developer of Cayosin to engage in market research and customer support on a commercial scale.

“If you were to click on [the post], you can see that he’s like, ‘Hey, can you give me some feedback on the service I’ve been providing to you?'” Scott says. “I mean, he’s very good on customer service — top notch — and his marketing game and advertising is on point. I mean, he is letting everybody see everything through the Instagram Stories that he’s publishing here.”

Cayosin is evolving in both its ability to infect new systems and the payloads it can distribute, he adds. “It’s got a lot of different vulnerabilities packaged into it. It is looking for vulnerabilities in Linux Web servers, Internet of Things devices, and a number of routers,” Scott says.

With the evolution comes increasing business success. “This is just the newest iteration, and they’re actually starting to build up a following and a real service and business for their customers,” he says. “As each of these tools gets burned out because everybody learns the infrastructure, they just republish it under a new name.”

While Cayosin has primarily been used to launch distributed denial-of-service (DDoS) attacks, Scott says the evolving payloads show it’s beginning to see action as a tool for exfiltrating sensitive information, stealing credentials, and other activities that may have a greater economic impact than simple DDoS.

While an individual attack using the new botnet may have an impact, Scott indicates that the greater threat may come from the new business model Cayosin represents. “There’s a whole culture here,” he says. “So this is a generation that’s very comfortable with social media. They’re just making it part of their infrastructure. We’re moving out of the Darknet and into the light.”

Source: https://www.darkreading.com/attacks-breaches/new-botnet-shows-evolution-of-tech-and-criminal-culture/d/d-id/1333792

DDoS attackers who bought and sold services and kits offered in the defunct marketplace webstresser.org are now being targeted for prosecution by authorities in 20 countries.

Following up on the April 2018 takedown of the now disabled webstresser.org in the effort known as Operation Power OFF, investigators are now tracking its 151,000 registered users, reported Europol, which is coordinating efforts with the Joint Cybercrime Action Taskforce (J-CAT), with the support of the Dutch Politie and the British National Crime Agency.

Europol said in a press release that the marketplace was responsible for launching more than 4 million attacks by hackers paying as little as €15 (US$17) a month.

Countries engaged in the Operation Power OFF follow-up include Belgium, Croatia, Denmark, Estonia, France, Germany, Greece, Hungary, Ireland, Lithuania, Portugal, Romania, Slovenia, Sweden, Australia, Colombia, Serbia, Switzerland, Norway and the U.S.

Raj Samani, London-based chief scientist and McAfee fellow, commented to SC that these investigations indicate an intention by “law enforcement to unmask [Webstresser] customers.” In addition, the latest actions show “anonymity in a username simply does not exist,” Samani added.

Samani’s colleague at McAfee, John Fokker, the company’s head of cyber investigations, noted that globally coordinated takedowns and prosecutions aren’t a new development. “What is remarkable about Operation Power OFF is the level of active collaboration from several industry stakeholders to gain better insights into the malicious nature of the Booter/Stresser sites,” Fokker added.

Recent examples of actions resulting from Operation Power OFF include:

• In the U.K., more than 250 former Webstresser users face prosecution over their DDoS attacks, and more than 60 personal electronic devices have been seized as evidence after an investigation by the U.K.’s National Crime Agency (NCA). Another 400 former customers of the site are being targeted by NCA.

• A hacker received a sentence of three years in a British prison for carrying out DDoS attacks in Liberia that crashed the country’s entire internet access, resulting in millions of dollars in damage.

• In the U.S., the FBI on Dec. 15 seized other DDoS-for-hire services, Downthem and Quantum Stresser.

• Romanian authorities have also seized DDoS platforms and information about their users.

“Taking down botnet crime masters heavily relies on international cooperation of various federal agencies,” commented Ondrej Krehel, CEO and founder of the cyber forensics firm LIFARS. “Threat actors have clear understanding that it takes time to come close to them, and prosecution is often lacking evidence,” he noted.

Krehel pointed out to SC that the dark internet still offers many renting locations for DDoS attacks, and infrastructure for cybercrime is “very affordable, often cents per compromised IP based systems.”

Visitors to the URL Webstresser.org are now told that the domain has been seized by the U.S. Department of Defense, Defense Criminal Investigative Service, Cyber Field Office in accordance with a warrant issued by the United States District Court for the Eastern District of Virginia.

Source: https://www.scmagazine.com/home/security-news/webstresser-takedowns-151000-ddos-minded-users-targeted-by-authorities-in-20-countries/

Although most scrubbing services can help fend off distributed denial of service attacks, a more comprehensive mitigation strategy is required to remain unscathed.

What was possibly the world’s biggest distributed denial of service (DDoS) attack in February 2018 was stopped in its tracks after 20 minutes because there was a DDoS protection service in place.

In the attack on GitHub, a popular online code management service used by millions of developers, the service was hit by incoming traffic of 1.3Tbps, with packets arriving at a rate of 126.9 million per second. Within 10 minutes of the attack, GitHub had sounded the alarm and routed its traffic to its DDoS mitigation service Akamai Prolexic, which sorted out and blocked the malicious traffic.

GitHub is not alone, as DDoS attacks have grown in intensity and become more sophisticated. Since 2017, businesses in the Asia-Pacific (APAC) region started to experience DDoS attacks at almost the same rate as North American businesses, which have traditionally been the most targeted, said Shahnawaz Backer, security specialist for APAC at F5 Networks, based on F5’s data.

And ASEAN organisations are not standing still. The DDoS market in ASEAN has seen significant growth, accounting for 20% of the APAC market, according to Frost & Sullivan.

A growing number of enterprises are investing in DDoS solutions, especially cloud-based DDoS mitigation services, with a shift away from a service-provider-centric market.

A DDoS attack is one of the most complex threats that businesses can face. The goal of the individual hacker, organised criminals or state actors is to overwhelm a company’s network, website or network component, such as a router. To begin with, organisations have to determine whether a spike in traffic is legitimate or is an attack.

“Without a solid understanding of baselines and historic traffic trends, organisations are unlikely to detect an attack until it is too late,” said Sherrel Roche, senior market analyst at IDC’s Asia-Pacific business and IT services research group.

Landbank, the largest government-owned bank in the Philippines, has taken the step of implementing F5’s BIG-IP local traffic manager to understand its application traffic and performance better, as well as to gain full visibility into customer data as it enters and leaves an application. This enables the security team to inspect, manage and report fraudulent transactions as soon as they are spotted.

Complementing that is an on-premise, application-level (layer 7) DDoS mitigation service to ensure mission-critical applications are protected against application-specific attacks.

It can be relatively simple to launch a DDoS attack with readily available DDoS-for-hire services, and even people with little or no technical skills can launch a damaging attack.

One such attack, which generated over 170Gbps of traffic, was organised over chatrooms on the Steam game distribution platform and IRC (internet relay chat), with many participating members using downloaded tools. These included a YouTube tutorial by a 12-year-old developer, said Fernando Serto, head of security technology and strategy at Akamai Technologies APAC.

Part of the challenge of DDoS is the complexity of these attacks. Not only are there several categories of attack method, but each category has a host of different attacks. The same target can also be attacked using several different attack vectors.

On top of that, some attacks can be hard to detect. One notable attack involved overwhelming the target’s DNS (domain name system) server through a series of bursts that lasted several minutes, instead of a sustained attack.

“This led to defender fatigue as these bursts of traffic were coming in over a long period of time, and detection, let alone mitigation, of these types of attacks becomes very difficult,” said Serto.
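To show why the bursts Serto describes defeat a detector that waits for a long run of over-threshold intervals, the following Python (an added example, not from the article, Akamai or any vendor) derives a threshold from a constructed baseline of per-second DNS query counts, in the spirit of Roche’s point about baselines above, and runs two detectors over a constructed live series containing one sustained flood and one bursty one. The run-length detector catches only the sustained flood; an episode counter over a longer horizon catches the bursts. Window sizes and the four-sigma threshold are assumptions, not values from the article.

```python
from statistics import mean, pstdev


def normal(i):
    """Deterministic stand-in for benign traffic: 45..55 queries per second."""
    return 45 + (i * 7) % 11


# Constructed baseline: 300 s of benign per-second DNS query counts.
HISTORY = [normal(i) for i in range(300)]


def threshold(history, sigmas=4.0):
    """Per-second count above which an interval is 'over threshold',
    derived from the historic mean and standard deviation."""
    return mean(history) + sigmas * pstdev(history)


def build_live_series():
    """Constructed 600 s of live counts: one 30 s sustained flood, then four
    3 s bursts a minute apart (the burst pattern described in the article)."""
    live = [normal(i) for i in range(600)]
    for i in range(100, 130):
        live[i] = 5000
    for start in (200, 260, 320, 380):
        for i in range(start, start + 3):
            live[i] = 5000
    return live


def run_length_alerts(series, thresh, min_run=10):
    """Classic detector: alert only after min_run consecutive over-threshold
    seconds. Returns [(start_index, run_length)] for each alerted run."""
    alerts, run_start = [], None
    for i, v in enumerate(series + [0]):  # trailing 0 closes any open run
        if v > thresh:
            if run_start is None:
                run_start = i
        elif run_start is not None:
            if i - run_start >= min_run:
                alerts.append((run_start, i - run_start))
            run_start = None
    return alerts


def episode_alerts(series, thresh, horizon=120, min_episodes=3):
    """Burst detector: count separate over-threshold episodes (rising edges)
    inside a sliding horizon and alert once min_episodes have been seen,
    however short each one was. Returns the indices at which it fires."""
    starts = [i for i, v in enumerate(series)
              if v > thresh and (i == 0 or series[i - 1] <= thresh)]
    alerts, j = [], 0
    for i, s in enumerate(starts):
        while s - starts[j] > horizon:
            j += 1
        if i - j + 1 >= min_episodes:
            alerts.append(s)
    return alerts


if __name__ == "__main__":
    thr = threshold(HISTORY)
    live = build_live_series()
    print(f"threshold: {thr:.1f} qps")
    print("run-length detector:", run_length_alerts(live, thr))
    print("episode detector:", episode_alerts(live, thr))
```

Each detector alone misses one of the two attacks, which is why the two are run side by side rather than picking one.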

DDoS attacks are unlike other cyber attacks, where patches and locally installed security appliances can block an attack altogether. The defence calculus for denial of service is different because no organisation can prevent or block all DDoS attacks on its own, said Gartner senior analyst Rajpreet Kaur.

So the decision to invest in DDoS protection is also not an easy one. DDoS mitigation is an expensive investment, which organisations do not easily choose unless they or their competitors have suffered an attack.

“While multinational and global firms will invest, the cost may deter smaller, local firms,” said Kaur.

Also, IT infrastructure is getting more complex as enterprises move their applications and infrastructure to the cloud, requiring DDoS solutions to cater to different environments, said Frost & Sullivan network security senior industry analyst Vu Anh Tien.

Scrubbing clean

What GitHub relied on to counter the massive attack in February 2018 was scrubbing services, a common DDoS mitigation technique. Using this method, the traffic destined for a particular IP address range is redirected to datacentres, where the attack traffic is “scrubbed” or cleaned. Only clean traffic is then forwarded to the target destination.

Most DDoS scrubbing providers have three to seven scrubbing centres, typically distributed globally, said Gartner’s Kaur. Each centre consists of DDoS mitigation equipment and large amounts of bandwidth, which can be over 350Gbps, that feeds traffic to it. When customers are under attack, they “push the button” to redirect all traffic to the closest scrubbing centre to be cleaned.

Enterprise customers make use of scrubbing centres in two ways – one is to route traffic via the scrubbing centres around the clock, while others prefer to route traffic on demand when an attack occurs.

Given the complexity of security attacks and IT infrastructures, organisations are increasingly adopting hybrid models of protection, in order to protect against the broadest set of potential attack vectors. They often turn to an on-premise system that is the first line of defence, with the scrubbing centre stepping in when the on-premise technology is overwhelmed, said Backer.

IDC’s Roche added: “For bad traffic to be diverted to a scrubbing centre in a seamless action to reduce any downtime, organisations need to have seamless integration between cloud and on-premise solutions, implemented in front of an infrastructure’s network to help mitigate an attack before it reaches core network assets and data.”

Source: https://www.computerweekly.com/news/252456702/How-traffic-scrubbing-can-guard-against-DDoS-attacks