DDoS Attacks Archive

Despite a recent crackdown by the Federal Bureau of Investigation (FBI), there has been a more than 400% increase in the volume of attacks being launched via DDoS-for-hire sites in the last quarter. That’s according to a new report from Nexusguard, a provider of a cloud service for combatting distributed denial of service (DDoS) attacks.

The “Nexusguard Q1 2019 Threat Report” also notes that DDoS attacks smaller than 1Gbps are becoming more automated and targeted at specific organizations. For example, 17% of all the DDoS attacks launched in Brazil in the last quarter were aimed at one specific banking institution, the report finds.

Donny Chong, product director for enterprise cybersecurity at Nexusguard, said the DDoS-for-hire sites that were taken down last year are now being replaced. The number of DDoS-for-hire websites being tracked by NexusGuard has doubled year over year.

The Nexusguard report also finds this latest generation of DDoS-for-hire cybercriminals is more adept at compromising mobile computing devices to launch their attacks. Botnets employed by these sites have been able to launch attacks lasting more than 40,000 minutes at a time, or more than 27 days, the report finds. In addition to leveraging mobile computing devices, DDoS-for-hire sites are starting to leverage billions of poorly protected internet-of-things (IoT) devices, he said.

Chong noted the latest iteration of DDoS-for-hire websites appears to be trying to fly under the radar of law enforcement. Rather than launching massive attacks, cybercriminals are employing the threat of a DDoS attack to extort payments from organizations both large and small.

At a time when organizations depend heavily on websites to generate revenue, DDoS attacks can have a much bigger financial impact on organizations.

In general, DNS attacks come in a variety of forms, including:

  • Domain hijacking, which results in DNS servers and domain registrar redirecting traffic away from the original servers to new destinations.
  • DNS hijacking (also known as DNS redirection), which involves malware being employed to, for example, alter the TCP/IP configurations so they can point to another DNS server, which will then redirect traffic to a fake website.
  • DNS flooding, which is a distributed denial-of-service (DDoS) attack that seeks to overload a DNS server to the point where it can no longer process requests.
  • Distributed reflection denial-of-service (DRDoS) attacks, which spoof the source address of the DNS service and results in machines replying back and forth until the DNS server becomes flooded.
  • DNS tunneling, which makes use of encoded data from other applications to compromise DNS responses and queries.
  • Random subdomain attacks, which involve sending a lot of DNS queries via compromised systems against a valid and existing domain name.

While there may be no way to terminate every DDoS attack, the good news is organizations at the very least are getting more adept at mitigating them.

Source: https://securityboulevard.com/2019/07/ddos-for-hire-sites-bounce-back/

A botnet of over 400,000 IoT devices held a 13-day distributed denial-of-service (DDoS) siege against the streaming app of a company in the entertainment business.

Directed at the authentication component, the attack started around April 24 and hit with as many as 292,000 requests per second (RPS) at its peak, making it one of the largest Layer 7 DDoS strikes.

It held a constant rate above 100,000 requests and the adversary kept the flow well over 200,000

A Layer 7 (application layer) DDoS attack is not meant to exhaust the internet connection bandwidth, as is the case with volume-based attacks (e.g. UDP, ICMP floods), or a system’s resources (SYN flood). Since the target is an application, the intent is to hit it with so many GET/POST requests that the server crashes.

DDoS mitigation company Imperva held the service running for the entire duration of the attack, observing requests from 402,000 different IP addresses.

Most of the attacking devices were located in Brazil, the company says in a report today, noting that this was the largest Layer 7 DDoS assaults it dealt with.

Spikes as high as 300,000 RPS have been observed in the past. In 2017, the website for the Russian newspaper Meduza was a target of a DDoS attack with requests above the volume observed by Imperva.

Because the attacker also focused on the authentication component of the service, the intent remains unclear in the incident handled by Imperva. The botnet’s main goal may have been testing credentials on the service by brute-forcing the login.

However, this large a volume of requests can lead to a denial-of-service condition when no proper mitigation solutions were in place.

“The attackers used a legitimate User-Agent, the same as used by the entertainment industry customer service application, to mask their attack.” – Imperva’s Vitaly Simonovich

Linking this activity to an IoT botnet was possible by looking at the ports used. Imperva saw that most of the devices sending the requests had ports 7547 and 2000 open.

Port 7547 is a standard one for the Customer Premises Equipment WAN Management Protocol (CWMP) – intended for auto-configuration and remote management of home routers, modems, and other CPEs.

Port 2000 is also linked to routers, MikroTik in particular, as it is used on these devices for the bandwidth test server protocol.

Requests may seem benign

Layer 7 DDoS attacks can be difficult to defend against because applications are designed to accept requests from users and serve them resources.

In this case, the adversary also used the same user agent as the service’s application and targeted the authentication component.

Distinguishing the malicious connections from the botnet became more difficult because the requests came from distinct systems and were for legitimate action.

Furthermore, brute-force protection would not work in this instance, since there were so many bots that could try different credentials. When the limit would be reached, the bot could take a break and then resume activity.

This technique has been named “low and slow” exactly because it takes longer for the adversary to achieve their goal, but it is also harder to defend against since it mimics the activity of a legitimate user.

Source: https://www.bleepingcomputer.com/news/security/streaming-service-suffers-13-day-ddos-siege-by-iot-botnet/

IoT botnet-made up mainly of routers-hit a service provider with nearly 300,000 requests-per-second in a 13-day deluge of data.

A collection of more than 400,000 connected devices – mainly home routers – for 13 days leveled a powerful application-layer attack on a online entertainment-service provider.

The attack used packets designed to appear as valid requests to the targeted application with the aim of chewing up bandwidth and server resources and reached a peak rate of 292,000 requests per second, according to a report released on July 24 by security firm Imperva, which blocked the attack.

The distributed denial of service (DDoS) attack, also known as an application-layer or layer-7 attack, came from devices compromised by the attackers and likely aimed to take down the company’s service, says Vitaly Simonovich, a security researcher for Imperva.

“This is not the first time this customer got attacked,” he says. “In the past, we witnessed this customer get attacked via network-layer DDoS attacks and also attackers have tried to steal their service, or use it without paying them.”

Distributed denial-of-service attacks are now considered the cost of doing business online, and companies need to plan for the attacks. In a survey released on July 24, data-center services firm US Signal found that 83% of organizations had suffered a DDoS attack in the past two years, and the average downtime caused by such an attack was 12 hours. The survey also found that 81% of organizations had their web application targeted in a cyberattack.

“The number of respondents that have experienced DDoS and application attacks is jarring, demonstrating that there is always room for improvement in keeping up with modern cyberthreats,” Trevor Bidle, vice president of information security and compliance officer at US Signal, said in a statement.

Yet, network packet floods continue to set new records in terms of volume and sustained traffic.

The attack on Imperva’s client is not the largest, but represents one of the most significant application-layer attacks. Volumetric attacks, which try to overload a target’s network bandwidth and infrastructure with a massive deluge of data, have exceeded 500 million packets per second, according to Imperva. For comparison, the DDoS attack against GitHub in 2018 exceeded 1.35 terabits per second, or about 130 million packets per second, the company said.

In 2016, the original Mirai malware, along with several variants, were used to conduct massive DDoS attacks against a variety of targets. More than one attack peaked at more than 600 gigabits per second and the attack against infrastructure provider Dyn in October 2016 exceeded 1 terabit per second.

Volumetric and application attacks are different and target different parts of a company’s online infrastructure. Web applications can typically handle tens or hundreds of gigabits of legitimate traffic, but typical Web servers handle perhaps 25,000 requests per second, says Imperva’s Simonovich.

“Today, customers that use cloud services can scale up in no time,” he says. “This means that when the number of requests is growing, the cloud platform can spawn more servers to handle the load. It also means that the customer will pay more to the cloud provider.”

Imperva tracked much of the traffic in the latest attack back to compromised home routers in Brazil. While the company does not believe that the attacks came from the Mirai botnet because the code to the malicious software had been released some time ago, underground developers have modified Mirai to incorporate a variety of attacks.

Because of the large number of Internet-of-things devices — tens of billions of network-connected devices by most accounts — and the lack of security concerns of most manufacturers and consumers, the population of vulnerable devices will only likely continue to grow, Imperva said.

“Botnets of IoT devices will only get larger,” the company said. “We live in a connected world, so the number of IoT devices continues to grow fast and vendors still do not consider security a top priority.”

Source: https://www.darkreading.com/attacks-breaches/mirai-like-botnet-wages-massive-application-layer-ddos-attack/d/d-id/1335331

More than 4 in 5 IT teams are involved in security efforts, and a majority of them report an increase of at least 25 percent in time spent on these efforts over the past 12 months, according to Viavi.

network teams security efforts

The most striking conclusion is that network-based conversation wire data has become the top data source for security incidents, with its use tripling, demonstrating that threat levels have driven enterprises to seek the most reliable forensic data available.

The State of the Network study captured the insights of Network Operations (NetOps) and Security Operations (SecOps) professionals worldwide, highlighting their challenges in security, performance management and deployment of new technologies.

Eighty-three percent of network teams are now engaged in supporting security issues, and of those, 91 percent spend up to 10 hours or more per week dealing with increasingly sophisticated security threats.

As hackers continue to circumvent existing security tools — even those with AI or machine learning — additional strategies are needed to quickly identify and contain security threats, the consequences of which can be devastating.

“This year’s State of the Network study highlights a clear way forward in today’s IT reality with a combination of prevention and ongoing detection to catch threats not flagged by security tools alone, such as an internal data breach by an employee, whether accidental or intentional.

“IT professionals need to better understand what is normal network behavior and what is not, and engage in proactive threat hunting,” said Douglas Roberts, Vice President and General Manager, Enterprise & Cloud Business Unit, VIAVI.

“Findings also show that network teams now depend on wire data as their most important source of information for security incidents, demonstrating that more NetOps teams are turning to the optimum peace of mind for issue resolution and compliance in the event of a breach.”

Key takeaways

Network teams are critical to protecting business resources and strengthening IT security. Increases in threat workloads were reported, with 74 percent of respondents stating they spend up to 10 hours or more per week on security. Three out of four of those teams report an increase of at least 25 percent of time spent over the past 12 months.

When asked how the nature of security threats has changed in the past year, IT teams identified a rise in email and browser-based malware attacks (59 percent), and an increase in threat sophistication (57 percent). Significant numbers of respondents also reported increases in exfiltration attacks on database servers (34 percent), application attacks (33 percent), DDoS attacks (32 percent) and ransomware attacks (30 percent).

Wire data has taken a central role in resolving suspected or known security threats, with 71 percent of respondents reporting that they used packet capture and 46 percent reporting that they used flow data, compared to 23 percent and 10 percent respectively in the 2017 State of the Network study.

NetOps teams play an active role in aiding SecOps before, during and after a threat has been detected, due to an increase in volume and sophistication of security threats.

Respondents highlight the importance of understanding normal network behavior and the ability to quickly hunt for malefactors when suspicious activity is noted.

Collaboration between SecOps and NetOps has accelerated, maximizing security initiatives and minimizing resolution time to limit negative impact to the business and customers.

While NetOps teams pivot to assist with security, they are still challenged to maintain acceptable service performance and end-user experience, despite the rapid deployments of new technologies and large increases in network traffic loads.

Source: https://www.helpnetsecurity.com/2019/07/17/network-teams-security-efforts/

Despite increasing threats, many organizations continue to run with only token cybersecurity and resilience.

According to Ernst & Young’s Global Information Security Survey 2018-19, over half of organizations fail to make organizational protection a key part of their strategic plans. After soliciting the opinions of approximately 1,400 C-suite leaders, EY concludes that larger firms are somewhat more prone to fall short in this area than smaller ones (58% versus 54%).

Overall, EY reports, a solid 77% of organizations still operate with only lackluster cybersecurity and resilience. They may even lack a clear idea of what their most critical information assets are and where they’re located, never mind having adequate safeguards in place to protect them.

Fortunately, cybersecurity budgets are increasing, though bigger firms are more likely to increase their investments in 2019 (63%) and 2020 (67%) than smaller companies (50% and 66%).

System Outages
Whether it’s because of the convergence of operational technology (OT) and IP-based IT networks or the growing use of cloud computing, corporate reliance on the availability of global IT infrastructure is ballooning. And the consequences are rising as well.

Cyberattacks to disrupt the business are now ranked as the third-biggest threat, after phishing (No. 1) and malware (No. 2). This comes as no surprise because distributed denial-of-service (DDoS) attacks, for instance, can trigger a major service interruption that will bring the business to a standstill. Outages have always been painful, but given the trend toward moving workloads and applications off-premises, and operating revenue-critical platforms, business operations virtually come to a stop if the IP network collapses.

“Importantly, more organizations are now beginning to recognize the broad nature of the threat,” says Richard Watson, EY’s Asia-Pacific cybersecurity head. “One thing that has changed for the better over the past 12 months, partly because of some of those big cyberattacks we’ve seen at a global level, is a growing realization that security is also about maintaining the continuity of business operations — and not only about the security of data and privacy.”

No Room for Russian Roulette
Given this reality, it’s jaw-dropping that many organizations seem to think they shouldn’t beef up their cybersecurity practices or dedicate more money to IT unless they’re hit by a major security incident.

For 63% of organizations, a security breach that results in no harm wouldn’t lead to higher spending (although, typically, seemingly innocuous breaches can cause harm that doesn’t manifest until later). Still, many organizations are unclear about whether they’re successfully identifying breaches and incidents.

These firms are playing with fire. As noted in the EY report, the Ponemon Institute estimates the average cost of a security breach to be $3.62 million per incident.

Tackling Corporate Governance
A mere 18% of organizations say that information security has a regular bearing on business strategic plans, a finding that reveals a basic disconnect between cybersecurity and the C-suite. Over half of the EY survey respondents say that information security only somewhat or does not influence their business strategy.

Today, when the digital age and cybercrime is in full bloom, this is somewhere between unwise and unacceptable. In fact, cybersecurity and business strategy must go hand-in-hand and be a continuing agenda item for all executive and non-executive boards, as many of board decisions will influence how well the organization is positioned to deal with a prospective cyberattack.

That said, increasingly, the ultimate responsibility for information security lies with the people at the top levels of the company. For 40% of organizations, the CIO assumes this responsibility. However, in 60% of organizations, the person directly responsible for information security does not sit on the board.

Some 70% of organizations report that their senior leaders have a thorough grasp of security or are taking positive steps to better their knowledge of it. Without question, this trend will increase as security becomes a key driver of growth. Right now, smaller organizations are better at keeping their board informed about information security matters than larger organizations. That said, larger organizations have made more progress: 73% have at least a limited understanding of information security, compared with 68% of their smaller counterparts.

Swinging in the Dark
Less than one in 10 organizations says its information security function fully meets its needs, and many are concerned that much-needed improvements are not yet underway. Seventy-eight percent of larger organizations say their information security function is at least partially meeting their needs, but that number drops to just 65% among their smaller counterparts.

Overall, 92% of organizations are concerned about their information security capabilities in certain important areas. For instance, resources: 30% of organizations are grappling with skills shortages, while 25% report that their budgets are constrained. Smaller firms are particularly worried; 28% of them say their information security function does not currently meet their needs or must be improved. Just over half (56%) report skills shortages or budget constraints.

A paltry 15% of firms say their information security reporting fully meets their expectations. Among those that suffered an incident in the past year, less than a third say their security team discovered the breach. Smaller companies will need to move particularly quickly to address the security reporting issue: almost a quarter (23%) don’t produce information security reports, in contrast with 16% of larger organizations. Only 5% describe the financial implications of each breach.

Addressing the Skills Challenge
Although the right personnel are critical to solving information security challenges, recruiting said personnel is easier said than done. The ongoing and global IT security skills shortage won’t go away anytime soon. Estimates project a worldwide shortfall of about 1.8 million security professionals by 2024 — some studies even predict as much as 3.5 million cyber vacancies. At least the shortfall is democratic: Everyone across the board is running into trouble finding the expertise they need, even in the most well-resourced sectors. Take financial services. “The best graduates no longer want to work in the industry, which is hampering efforts to recruit across the sector,” says Jeremy Pizzala, EY Global Financial Services cybersecurity leader.

The upshot is that depending on an in-house team to deal with IT security is probably an exercise in futility. Today, firms must think laterally and place much more emphasis on machine learning, automation, and AI to either replace or complement external service providers.

Source: https://www.darkreading.com/risk/most-organizations-lack-cyber-resilience/a/d-id/1335149