DDoS Defense Archive

Several recent cyber incidents targeting critical infrastructure show that no open society is immune to attack by cybercriminals. The recent shutdown of a key US energy pipeline is just the tip of the iceberg.

Critical infrastructure is becoming more dependent on networks of interconnected devices. For example, only a few decades ago, power grids were essentially operational silos. Today, most grids are closely interlinked — regionally, nationally, and internationally as well as with other industrial sectors. And in contrast to discrete cyberattacks on individual companies, a targeted disruption of critical infrastructure can result in extended supply shortages, power blackouts, public disorder, and other serious consequences.

According to the World Economic Forum (WEF), cyberattacks on critical infrastructure posed the fifth-highest economic risk in 2020, and the WEF called the potential for such attacks “the new normal across sectors such as energy, healthcare, and transportation.” Another report noted that such attacks can have major spillover effects: Lloyd’s and the University of Cambridge’s Centre for Risk Studies calculated that the prospective economic and insurance costs of a severe cyberattack against America’s electricity system could exceed $240 billion and possibly $1 trillion.

Given these potential far-reaching consequences, cyberattacks on critical infrastructure have become a big concern for industry and governments everywhere — and recent events haven’t done much to allay these fears.

A Worldwide Phenomenon
In May 2021, a large distributed denial-of-service (DDoS) attack on Belnet, the network serving Belgium’s government and research institutions, crippled large sections of the country’s Internet services, affecting more than 200 organizations, including government bodies, universities, and research institutes. Even parliamentary debates and committee meetings stalled because no one could reach the online services needed to participate.

A few days later, a ransomware attack shut down the main pipeline carrying gasoline and diesel fuel to the US East Coast. The Colonial Pipeline is America’s largest refined-products pipeline. The company says it transports more than 100 million gallons a day of fossil fuels, including gasoline, diesel, jet fuel, and heating oil — or almost half the supply on the East Coast, including supplies for US military facilities.

In August 2020, the New Zealand Stock Exchange (NZX) was taken offline for four trading days after an unprecedented volumetric DDoS attack launched through its network service provider. New Zealand’s government summoned its national cybersecurity services to investigate, and cyber experts suggested the attacks might have been a dry run of a major attack on other global stock exchanges.

In October 2020, Australia’s Minister for Home Affairs, Peter Dutton, said his country must be ready to fight back against disastrous and extended cyberattacks on critical infrastructure that could upend whole industries.

Obvious Uptick in DDoS Attacks
During the pandemic, there’s been a huge increase in DDoS attacks, brute-forcing of access credentials, and malware targeting Internet-connected devices. The average cost of DDoS bots has dropped and will probably continue to fall. According to Link11’s Q1/2021 DDoS report, the number of attacks witnessed more than doubled, growing 2.3-fold year-over-year. (Disclosure: I’m the COO of Link11.)

Unlike ransomware, which has to get inside IT systems before it can do damage, DDoS appeals to cybercriminals as a convenient weapon: it needs no foothold and no bypass of layered defences to produce the intended effect, because the attacker only has to exhaust bandwidth, connection state, or application capacity from the outside.

In a July 2020 notice, the FBI warned that attackers were increasingly using amplification techniques against US organizations, having noted a surge in such attempts since February 2020; the notice named built-in network protocols such as CoAP, WS-Discovery, ARMS, and Jenkins as the reflectors being abused. The warning followed other reports of high-profile DDoS attacks. In February 2020, for example, Amazon Web Services reported mitigating the largest attack publicly known at the time, a CLDAP reflection flood that peaked at 2.3 Tb/s. The US Cybersecurity and Infrastructure Security Agency (CISA) has also acknowledged the global threat of DDoS attacks.

Similarly, in November, New Zealand cybersecurity organization CertNZ issued an alert about emails sent to financial firms that threatened a DDoS attack unless a ransom was paid.

For the most part, cybercriminals are simply after money. The threat actors behind the most recent and ongoing ransom DDoS (RDDoS or RDoS) campaign have signed their letters with the names of state-backed groups such as Fancy Bear, Cozy Bear, and Lazarus Group, or with that of the extortion crew Armada Collective, although it remains unclear whether this is anything more than a masquerade to lend weight to the demands. The demanded ransoms ranged from 10 to 20 Bitcoin (roughly $100,000 to $225,000 at the time of the attacks), each to be paid to a different Bitcoin address.

Mitigating the Risk
Critical infrastructure is often more exposed to cyberattack than other sectors. Paying a ransom has ethical implications, directly funds the attackers’ future operations (as the FBI has noted), and encourages them to hunt other potential victims. Targeted companies are also urged to report any RDoS attacks affecting them to law enforcement.

Organizations can’t avoid being targeted by denial-of-service attacks, but it’s possible to prepare for and potentially reduce the impact should an attack occur. The Australian Cyber Security Centre notes that “preparing for denial-of-service attacks before they occur is by far the best strategy; it is very difficult to respond once they begin and efforts at this stage are unlikely to be effective.”

However, as IT architecture evolves, it is getting harder to implement effective on-premises mitigation. Network perimeters remain weak points because of the growing use of cloud services and of devices used for remote work, and there is less and less of a fixed perimeter at which a scrubbing appliance could sit. Blackholing (null-routing) the attacked address at the upstream provider is an increasingly unacceptable answer, because it drops legitimate users’ traffic along with the attack, potentially for hours or days, so the defence finishes the attacker’s job. To minimize disruption and meet tighter recovery time objectives (RTOs) after an attack, organizations should build resilience by removing manual steps from detection and response through automation. Mitigation services that detect anomalous traffic and filter it automatically, increasingly with machine-learning-based traffic analysis, are the most practical protection available today, since attacks ramp up faster than an on-call engineer can react.

Marc Wilczek is a columnist and recognized thought leader, geared toward helping organizations drive their digital agenda and achieve higher levels of innovation and productivity through technology. Over the past 20 years, he has held various senior leadership roles across …

Source: https://www.darkreading.com/attacks-breaches/critical-infrastructure-under-attack-/a/d-id/1340960

For many enterprises, 2020 was a tough year for cyberattacks, with dozens suffering from devastating DDoS attacks due to the newfound reliance on digital tools, according to a new report from cybersecurity firm Akamai.

In its report, “Retrospective 2020: DDoS was Back — Bigger and Badder than Ever Before,” the company found that more of its customers were attacked in November 2020 than in any prior month going back to 2016, and that more customers were hit by attacks exceeding 50 Gb/s in August 2020 than in any month since 2016.

“In fact, across all attacks, 7 of the 11 industries we track saw more attacks in 2020 than any year to date. Think about that. This was led by huge jumps in Business Services (960%), Education (180%), Financial Services (190%), Retail & Consumer Goods (445%), and Software & Tech (196%),” the report said.

“During Cyberweek 2020 alone we saw: 65% more attacks launched against our customers vs Cyberweek 2019, the number of customers targeted was up 57% YoY, and threat actors launching attacks across an expanded industry base.”

Tom Emmons, Akamai’s principal product architect, said in an interview that he and other researchers observed a “significant evolution in DDoS attacks throughout 2020, maybe the most DDoS disruption of any year on record.”

For Emmons, the rise in the number of customers seeing attacks, the steady growth in large attacks, and the shift in industries targeted were startling and disturbing for him to see.

“As more and more activity moved online (work, shopping, learning, etc) due to COVID-19-related restrictions and behavioral adjustments, it made internet-facing infrastructure more important. Not long after COVID-19 hit, attacks started trending up and really just continued to accelerate as the year progressed. The basic idea here is the more important something is, the more likely to be attacked,” Emmons said.

“We saw attackers who clearly did their homework on scouting out targets in a well-coordinated manner. The most interesting thing the DDoS extortionists are doing is choosing good targets, and managing to get their emails and chats through to the right folks, navigating spam filters, and unread boxes.”

The report cites a number of record-breaking attacks, including a 1.44 Tb/s (385 Mpps) attack against an internet hosting provider and an 809 Mpps attack against a large European bank, both mitigated in June 2020. According to the study’s findings, some of the largest DDoS extortion campaigns took place in 2020, and the numbers only continued to grow throughout the year.

Akamai reported that more of its customers were attacked than any other year on record since 2003, with one industry seeing a 960% increase in the number of attacks.

The steep increase in attacks was attributed to COVID-19, which forced almost every enterprise into using some form of digital tools in order to survive. Emmons also noted that there have been improvements in the tools used for DDoS attacks, allowing less experienced attackers to go after big targets.

When the researchers mapped it out, the timing of the increase in attacks closely tracked the onset of COVID-19 restrictions, particularly in Europe and the US.

“Customers and prospects shifted to focus on protecting VPNs and communications endpoints more than ‘generic’ data centers, as their risk profile and postures rapidly evolved,” the report said. “Looking back, as businesses across all industries had to adapt to remote work and the increasing reliance on internet connectivity, it’s clear that more and more types of organizations would be attractive and lucrative targets for DDoS threat vectors.”

The report adds that the complexity of the attacks was also concerning, given the number of attack vectors and botnet tools used. Akamai reported that in 2020, 65% of the DDoS attacks it mitigated were “multi-vector assaults” and that “as many as 14 different DDoS vectors were noted in a single attack.”
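Both the FBI amplification warning above and Akamai’s multi-vector figure describe the same operational question: what is actually hitting the target, and what can be dropped without dropping customers? The following is an added example, not code from Akamai, Link11, or any of the articles on this page. It sorts constructed flow records (the addresses, byte counts, victim IP, reflector table, amplification factors, and the header-only-TCP threshold are all assumed for illustration) into vectors by reflector source port and packet size, counts the vectors, estimates what the attacker had to send upstream, and then compares the collateral damage of blackholing the victim with filtering only the classified attack flows, the trade-off the Link11 piece raises.

```python
from collections import Counter
from dataclasses import dataclass

# UDP services commonly abused as reflectors, keyed by the source port the reflector
# answers from, with a rough bandwidth amplification factor. Assumed figures for
# illustration; real factors vary by query type and reflector.
REFLECTORS = {
    53: ("DNS", 28),
    123: ("NTP", 556),
    389: ("CLDAP", 56),
    1900: ("SSDP", 30),
    11211: ("memcached", 10000),
}
# Heuristic (assumed threshold): TCP packets averaging under this many bytes carry no
# payload, which is what a SYN or ACK flood looks like in a flow summary.
TCP_HEADER_ONLY_BYTES = 60
VICTIM = "203.0.113.10"  # RFC 5737 documentation address, chosen for the example

# Constructed flow records: src sport dst dport proto packets bytes
SAMPLE_FLOWS = """\
198.51.100.7 389 203.0.113.10 41234 UDP 12000 36000000
198.51.100.8 389 203.0.113.10 41234 UDP 11000 33000000
192.0.2.44 123 203.0.113.10 50012 UDP 9000 4300000
192.0.2.45 11211 203.0.113.10 50012 UDP 3000 4200000
203.0.113.200 52000 203.0.113.10 80 TCP 40000 1600000
192.0.2.99 51522 203.0.113.10 443 TCP 300 240000
192.0.2.100 51523 203.0.113.10 443 TCP 120 96000
"""

@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    packets: int
    nbytes: int

def parse_flow(line):
    """Parse one whitespace-separated flow record."""
    src, sport, dst, dport, proto, pkts, nbytes = line.split()
    return Flow(src, int(sport), dst, int(dport), proto.upper(), int(pkts), int(nbytes))

def load_flows(text):
    return [parse_flow(line) for line in text.splitlines() if line.strip()]

def classify(flow):
    """Name the vector a flow most likely belongs to, or 'legitimate'."""
    if flow.proto == "UDP" and flow.src_port in REFLECTORS:
        return REFLECTORS[flow.src_port][0] + " reflection"
    if flow.proto == "TCP" and flow.nbytes / flow.packets < TCP_HEADER_ONLY_BYTES:
        return "TCP SYN flood"
    return "legitimate"

def attack_profile(flows, victim):
    """Bytes per attack vector aimed at the victim, plus the legitimate bytes alongside."""
    by_vector = Counter()
    for f in flows:
        if f.dst_ip == victim:
            by_vector[classify(f)] += f.nbytes
    legit = by_vector.pop("legitimate", 0)
    return dict(by_vector), legit

def is_multi_vector(profile):
    """Akamai's 'multi-vector' label applies once two or more vectors hit one target."""
    return len(profile) >= 2

def estimated_source_bandwidth(profile):
    """Bytes the attacker had to emit to produce the reflected volume, per the factor table.

    Dividing each reflected vector by its amplification factor shows why reflection is
    attractive: a small upstream budget yields a large flood at the victim.
    """
    factors = {name + " reflection": factor for name, factor in REFLECTORS.values()}
    return sum(nbytes / factors[v] for v, nbytes in profile.items() if v in factors)

def blackhole(flow, victim):
    """Remote-triggered blackhole: the upstream drops everything destined to the victim."""
    return flow.dst_ip != victim

def vector_filter(flow, victim):
    """Drop only flows toward the victim that classify as an attack vector."""
    return not (flow.dst_ip == victim and classify(flow) != "legitimate")

def apply_policy(flows, keep):
    """Bytes that survive a keep-predicate, grouped by class, so collateral damage shows."""
    kept = Counter()
    for f in flows:
        if keep(f):
            kept[classify(f)] += f.nbytes
    return kept

if __name__ == "__main__":
    flows = load_flows(SAMPLE_FLOWS)
    profile, legit = attack_profile(flows, VICTIM)
    for vector, nbytes in sorted(profile.items(), key=lambda kv: -kv[1]):
        print(f"{vector:20s} {nbytes / 1e6:8.1f} MB")
    print("multi-vector:", is_multi_vector(profile))
    print(f"attacker upstream needed: ~{estimated_source_bandwidth(profile) / 1e6:.2f} MB")
    for name, policy in (("blackhole", blackhole), ("vector filter", vector_filter)):
        kept = apply_policy(flows, lambda f, p=policy: p(f, VICTIM))
        print(f"{name:14s} legitimate bytes kept: {kept['legitimate']} of {legit}")
```

On the sample, the blackhole keeps none of the 336,000 legitimate bytes while the vector filter keeps all of them and drops every attack byte; in practice the classifier is the weak link, and a real deployment would drive it from sampled NetFlow/sFlow with rate thresholds rather than a port table alone.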

There was a significant increase in extortion-related DDoS attacks beginning in August 2020, but the unnerving aspect for Akamai researchers was the specificity of the reconnaissance done before the attacks.

“A notable characteristic of this campaign was the level of reconnaissance conducted by the attackers prior to sending the extortion letters. The bad actors were highly targeted in their threats and wanted victims to know that they had uncovered specific weaknesses across internet-facing infrastructure or had identified revenue-impacting IPs that would be taken offline unless their Bitcoin extortion demands were met,” the report said.

“The 2020 campaign also signaled a significant shift in the types of industries typically targeted — a foreshadowing of future DDoS activity — with the threat actors pivoting from one vertical to the next depending on the week, in some cases circling back to organizations who had been previously victimized. As is the case with extortion, criminal rings won’t stop until arrests are made, and the fact that the extortion campaigns are ongoing indicates businesses are caving to their demands, which further incentivizes the activity.”

When asked about the motivations behind this increase in attacks, Emmons said most were generally launched for money, either through extortion or by attempting to damage an organization financially through disruption.

Society’s overwhelming reliance on digital tools made it easy for attackers to go after “low hanging fruit.”

The study notes that Akamai continues to see extortion-related attacks that led to a “record emergency onboarding of new customers,” with the report adding that this was a signal that the problem seems likely to persist well into 2021.

“All signs point to continued DDoS attack growth. Not one of the indicators we track is flat or trending down,” Emmons said.

“We’ve got more new customers doing emergency integrations than ever, and the percentage of customers running always on vs. on-demand defenses is at an all-time high. When in doubt follow the customers.”

Source: https://www.techrepublic.com/article/bad-actors-launched-an-unprecedented-wave-of-ddos-attacks-in-2020/

Kaspersky identified a significant increase in DDoS attacks year-on-year.

According to cybersecurity firm Kaspersky, it’s been a busy year for cybercriminals who favour DDoS as their method of attack.

The Russian firm’s DDoS protection tool reportedly blocked 44 percent more attacks in Q4 2019 than in the same period the previous year.

Sundays were also busier than ever, highlighting the round-the-clock nature of the threat posed by cybercrime. More than a quarter (28 percent) of all attacks happened on weekends, and the share of attacks performed on Sundays grew by 2.5 percentage points (to 13 percent overall).

Despite DDoS attacks growing year-on-year, they haven’t risen dramatically quarter-on-quarter. There was a “marginal” 8 percent increase between Q3 and Q4 2019, Kaspersky says.

A more notable rise (27 percent) was seen in so-called smart DDoS attacks, which target the application layer with requests that individually look legitimate and are usually carried out by skilled attackers.
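Application-layer floods do not show up as abnormal bandwidth, so they are caught in the web tier rather than at the network edge. The following is an added example, not Kaspersky’s code or any product’s detection logic: it parses combined-format access-log lines, tracks each client’s request count in a sliding window, and reports clients that exceed a rate a browser would not reach, together with the path they hammer. The log lines are generated in the block (a constructed sample, not a real log), and the window length, the rate limit, and the addresses are assumed values.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
WINDOW = timedelta(seconds=10)  # sliding window per client (assumed)
RATE_LIMIT = 20                 # requests per window a real browser session stays under (assumed)

def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec

def detect_floods(lines, window=WINDOW, limit=RATE_LIMIT):
    """Return {client_ip: (peak_requests_in_window, most_requested_path)} for clients
    whose request rate exceeded the limit. Records are sorted by timestamp first so
    lines from several workers can be fed in any order."""
    records = sorted((r for r in map(parse_line, lines) if r), key=lambda r: r["ts"])
    recent = defaultdict(deque)   # per-client timestamps inside the window
    peak = Counter()              # highest in-window count seen per client
    paths = defaultdict(Counter)  # per-client path histogram
    for rec in records:
        ip = rec["ip"]
        q = recent[ip]
        q.append(rec["ts"])
        while rec["ts"] - q[0] > window:  # evict requests older than the window
            q.popleft()
        paths[ip][rec["path"]] += 1
        peak[ip] = max(peak[ip], len(q))
    return {ip: (n, paths[ip].most_common(1)[0][0]) for ip, n in peak.items() if n > limit}

def _line(ip, when, path, ua, status=200):
    return f'{ip} - - [{when.strftime(TS_FMT)}] "GET {path} HTTP/1.1" {status} 512 "-" "{ua}"'

def build_sample():
    """Constructed log: two ordinary visitors and one script hammering a search endpoint."""
    t0 = datetime(2020, 12, 6, 3, 14, 0, tzinfo=timezone.utc)  # a Sunday, early morning
    lines = []
    # visitor 1: five page views spread over a minute
    for i, path in enumerate(["/", "/products", "/products/42", "/cart", "/checkout"]):
        lines.append(_line("192.0.2.10", t0 + timedelta(seconds=12 * i), path, "Mozilla/5.0"))
    # visitor 2: one page plus its assets, six requests in under three seconds
    for i, path in enumerate(["/", "/static/app.js", "/static/app.css",
                              "/static/logo.png", "/api/session", "/products"]):
        lines.append(_line("192.0.2.11", t0 + timedelta(milliseconds=500 * i), path, "Mozilla/5.0"))
    # attacker: 10 requests per second for 6 s, every one to an expensive search query
    for i in range(60):
        lines.append(_line("198.51.100.77", t0 + timedelta(milliseconds=100 * i),
                           "/search?q=%2A", "python-requests/2.25.0"))
    return lines

if __name__ == "__main__":
    for ip, (peak_count, path) in detect_floods(build_sample()).items():
        print(f"{ip}: {peak_count} requests in {WINDOW.seconds}s, mostly {path}")
```

The asset burst from the second visitor stays well under the limit, which is the point of a window rather than a per-second counter; a rule that fires on this output (a temporary deny for the client, or a challenge on the hammered path) is what Kiselev’s “automatically protect” amounts to in practice, and the same window logic runs unattended on a Sunday at 3 a.m.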

“Despite the significant growth in general, the season turned out to be quieter than expected,” said Alexey Kiselev, Business Development Manager on the Kaspersky DDoS Protection team.

“Attackers can still find a way to spoil your leisure time, as cybercrime is not an ordinary nine-to-five job, so it is important to ensure that your DDoS prevention solution can automatically protect your web assets.”

Source: https://www.itproportal.com/news/ddos-attacks-through-the-roof-in-q4-2019/


An American businessman who co-founded a cybersecurity company has admitted to hiring criminals to carry out cyber-attacks against others.

Tucker Preston, of Macon, Georgia, confessed to having paid threat actors to launch a series of distributed denial-of-service (DDoS) attacks between December 2015 and February 2016.

DDoS attacks prevent a website from functioning by bombarding it with so much junk internet traffic that it can’t handle visits from genuine users.

In a New Jersey court last week, 22-year-old Preston pleaded guilty to one count of damaging protected computers by transmission of a program, code, or command. Preston admitted to causing at least $5,000 of damage to the business he targeted.

“In or around December 2015, Preston arranged for an entity that engages in DDoS attacks to initiate attacks against a company. The entity directed DDoS attacks against the victim company, causing damage and disrupting the victim’s business,” wrote the Department of Justice in a statement released on January 16.

The count to which Preston pleaded guilty is punishable by a maximum penalty of 10 years in prison and a fine of up to $250,000 or twice the gross gain or loss from the offense.

US Attorney Craig Carpenito credited special agents of the FBI, under the direction of Special Agent in Charge Gregory W. Ehrie in Newark, New Jersey, with the investigation that led to Preston’s guilty plea.

The identity of the company that Preston paid criminals to attack has not been revealed, but Carpenito has confirmed that the targeted business had servers in New Jersey.

Preston co-founded the cloud-based internet security and performance company BackConnect Security LLC, which claims to be “the new industry standard in DDoS mitigation” and is currently online using an invalid certificate.

Preston was featured in the 2016 KrebsOnSecurity story “DDoS Mitigation Firm Has History of Hijacks,” which detailed how BackConnect Security LLC had developed the unusual habit of announcing BGP routes for internet address space it didn’t own, hijacking that space in a bid to protect clients from DDoS attacks.

Preston will reappear before the court on May 7 for sentencing.

Source: https://www.infosecurity-magazine.com/news/backconnect-founder-funded-ddos/

Attackers are increasingly hitting businesses with the explicit aim of disrupting their operations, according to CrowdStrike.

A third of all reported incidents against businesses were caused by ransomware, destructive malware and distributed denial of service (DDoS) attacks, according to cloud-delivered endpoint protection firm CrowdStrike.

The company’s latest cybersecurity report argues that cybercriminals increasingly treat business disruption as their main objective.

The report also found that intruders’ average dwell time, the span between initial compromise and detection, rose to 95 days (up from 85 days a year earlier). CrowdStrike believes that businesses still lack the technology they need to reinforce their defences, prevent exploitation, and mitigate potential risks.

“As adversaries are stealthier than ever, with new attack vectors on the rise, we must remain agile, proactive and committed to defeat them,” commented Shawn Henry, chief security officer and president of CrowdStrike Services.

“They still seek the path of least resistance — as we harden one area, they focus on accessing and exploiting another.”

The report adds that attackers often go after third-party service providers, using a single compromise as a force multiplier against many downstream customers. Cloud infrastructure as a service (IaaS) is often targeted, and Macs are no longer ignored as a platform.

Patching vulnerable systems and software would mitigate many of these problems, but patching remains a pain point, as many organisations don’t have “basic cyber-hygiene”. Even the security systems they have are often not set up properly, and as such aren’t as effective as they could be.

“The failure to enable critical settings not only leaves organizations vulnerable but also gives them a false sense of security,” the report concludes.

Source: https://www.itproportal.com/news/business-disruption-is-now-a-bigger-cyber-threat/