DDoS Defense Archive

Companies using web hosting services expect high availability and lightning-fast performance for their online applications. That’s why hosting providers should be concerned about the rapidly growing Distributed Denial of Service (DDoS) threat. Driven by commercial, political and other motives, today’s DDoS attacks use computers distributed across the Internet to clog a network connection or overload server resources until the targeted website becomes unavailable for service.

What makes DDoS attacks particularly thorny for hosting providers is that multiple clients share resources and Internet connections. This means that a DDoS attack preventing users from accessing one hosted site can cause performance degradation and even downtime to other “innocent” sites and services being run out of that same data center.


The Financial Impact of a DDoS Attack

The impact of a DDoS attack on an online business is clear: every minute of downtime means a loss of revenue. To quantify this impact, Incapsula commissioned a survey of 270 North American companies of various sizes.

The findings showed that some 45 percent had been hit at least once by a DDoS attack. The average cost of a DDoS attack is $40,000 per hour, while nearly half of all DDoS attacks last between 6 and 24 hours. And that’s just the impact on the targeted business. What about the other hosting clients sharing the gateway that is being flooded by the DDoS attack? Hosting providers have an obligation to them as well.

DDoS Botnets on the Rise

Most DDoS attacks make use of botnets: networks of bots (“zombies”) that can be commanded as a group to launch DDoS attacks. As published in our 2013-2014 DDoS Threat Landscape Report, we recorded an average of 12+ million unique DDoS sessions per week in early 2014, representing a 240 percent increase over the same period in 2013.

DDoS attacks come in two flavors. High-volume network (Layer 3 & 4) attacks, such as SYN floods and DNS amplification, often exceed 200 Gbps. Application (Layer 7) attacks, on the other hand, are much leaner, since even 50-100 requests per second to a resource-heavy asset are enough to overload the typical mid-sized application server.
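The application-layer case above can be made concrete with a small detector. This is an added example, not code from the original article or from Incapsula: it counts requests per resource in a one-second sliding window and compares that with a per-source counter, using the article's lower bound of 50 requests per second as the threshold. The event format, the `/search` path standing in for a resource-heavy asset, the per-source threshold of 10 and all addresses are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

WINDOW_MS = 1000  # one-second sliding window


def build_sample():
    """Constructed access events (time_ms, client_ip, path); not real traffic."""
    events = []
    for sec in range(10):          # background: 5 req/s to "/"
        for i in range(5):
            ts = 1_000_000 + sec * 1000 + i * 200
            events.append((ts, f"198.51.100.{i + 1}", "/"))
    for sec in range(4, 7):        # burst: 60 req/s to /search for 3 s,
        for i in range(60):        # spread over 60 sources at 1 req/s each
            ts = 1_000_000 + sec * 1000 + (i * 1000) // 60
            events.append((ts, f"203.0.113.{i + 1}", "/search"))
    return sorted(events)


def rate_alerts(events, key, threshold, window_ms=WINDOW_MS):
    """Sliding-window request counter grouped by key(event).

    Returns {group: {"first_seen_ms", "peak", "sources"}} for every group
    whose request count inside the window reaches the threshold.
    """
    windows = defaultdict(deque)
    alerts = {}
    for event in events:
        ts, group = event[0], key(event)
        q = windows[group]
        q.append(event)
        while q[0][0] <= ts - window_ms:   # expire events older than the window
            q.popleft()
        if len(q) >= threshold:
            a = alerts.setdefault(
                group, {"first_seen_ms": ts, "peak": 0, "sources": set()})
            a["peak"] = max(a["peak"], len(q))
            a["sources"].update(e[1] for e in q)
    return alerts


def by_path(events, threshold=50):
    """Aggregate rate per requested resource (catches distributed floods)."""
    return rate_alerts(events, lambda e: e[2], threshold)


def by_ip(events, threshold=10):
    """Rate per client address (misses floods spread over many sources)."""
    return rate_alerts(events, lambda e: e[1], threshold)


if __name__ == "__main__":
    sample = build_sample()
    for path, a in by_path(sample).items():
        print(path, "peak", a["peak"], "req/s from", len(a["sources"]), "sources")
    print("per-IP alerts:", by_ip(sample))
```

In the constructed sample every source stays at one request per second, so the per-source counter raises nothing while the per-resource counter flags `/search`.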

Regardless of the flavor, what is common to all types of DDoS attacks is that they are executed via botnets comprised of hijacked devices (computers, servers, etc.). Hackers typically compromise these machines by taking advantage of logic or security vulnerabilities, enabling them to gain full control of these resources for use in DDoS attacks.

Mega Vulnerabilities Help Accelerate Botnet Expansion

During 2014 a number of mega vulnerabilities were discovered. Unlike most vulnerabilities that are specific to a particular OS, browser or software application, this type of vulnerability (e.g., Heartbleed and Poodle) relates to the core Internet infrastructure (e.g., SSL and Linux devices).

Due to the huge number of systems affected worldwide by these vulnerabilities, their appeal to hackers is almost irresistible. Even after these vulnerabilities are patched, persistent hackers are likely to find plenty of under-maintained servers they can exploit. In this way, mega vulnerabilities fuel and accelerate the expansion of malicious botnets.

This new dynamic can be seen in the recent Shellshock mega vulnerability, discovered in Bash (the most common command-line shell used in Linux/Unix systems). Once exploited, this vulnerability allows attackers to completely take over the server, making it an available resource for executing DDoS attacks.

Following Shellshock’s discovery and the release of a patch, Incapsula saw exploit attempts increase from around 400 offending IPs at zero day to over 15,000 four weeks after discovery. Most of these were attempts by hackers to hijack vulnerable Linux and Unix servers.

What to Look for in 2015

The endless chess game between savvy adversaries and security teams will continue in 2015. DDoS attacks will keep growing in size and sophistication, while at the same time more mega vulnerabilities will be discovered by security researchers. The almost inevitable result will be an increase in the exploitation of mega vulnerabilities to build botnets and carry out DDoS attacks.

Similarly, we expect that open website platforms (e.g., Drupal, WordPress, etc.) will also be prime targets for hackers, who can exploit security holes in these platforms to steal data or to launch DDoS attacks as part of a botnet.

While DDoS attacks threaten the core of the hosting business, they also represent a new business opportunity for providers. Most clients need much more than “pure” web hosting – this includes security, storage, backup, etc. By offering them DDoS mitigation services, hosting providers can meet clients’ needs for high availability and performance, while increasing revenues and enhancing their service portfolio.

Source: http://www.thewhir.com/web-hosting-news/web-security-outlook-2015-mega-vulnerabilities-expected-fuel-ddos-attacks

Arbor Networks says that the number and size of DDoS attacks against French websites spiked considerably after 3.7 million people took to the streets to protest against terrorism.

The firm leveraged its Arbor Atlas initiative, which receives anonymised internet traffic and DDoS event data from 330 internet service providers (ISPs) worldwide, to view events in France in the days after the protest, which was in response to the Charlie Hebdo shootings that left 20 people dead.

The magazine was targeted by ISIS sympathisers and others unhappy with the satirical magazine’s ridiculing of Islam, including its depiction of the Prophet Muhammed. The publication also satirised other religions.

Comparing the DDoS attacks between January 3-10 and 11-18, the US security firm found that there were 1,342 unique attacks – an average of 708 attacks a day – during the two-week period.

However, the firm noted in a recent blog post that the number of DDoS attacks after the march rose by 26 percent with the average size of DDoS attack growing 35 percent. In the eight days prior to the attack, the average size was 1.21Gbps but this later increased to 1.64Gbps.

The vast majority of these DDoS attacks were low-level although the number of attacks larger than 5Gbps did double in the days after the protest. Arbor reports that one attack measured as high as 63.2 Gbps on January 11.

“This is yet another striking example of significant online attacks paralleling real-world geopolitical events,” wrote Arbor’s threat intelligence and response manager Kirk Soluk.

Speaking to SC after it first emerged that ‘thousands’ of French websites were facing cyber-attacks, Corero Network Security CEO Ashley Stephenson said that DDoS attacks were increasingly being used as an attack tool during international conflicts.

“Whatever the motivation – cyber-terrorism, retaliation, religious incitement, radicalisation… It is clear that modern conflicts will be fought in the cyber-world as well as the real world,” he said via email.

“The internet should be better protected against all of these associated cyber-threats. Increasingly we are seeing DDoS used as a tool in and around these conflicts and we should be prepared to institute increased cyber-security to protect this vital resource.”

Last week, Admiral Arnaud Coustilliere, head of cyber-defence at the French military, said that about 19,000 French websites had faced cyber-attacks in the days after the shootings, although one source closely connected with the clean-up operation for some of these sites later told SC that hacking groups from Tunisia, Syria, Morocco, the Middle East and Africa had largely ignored DDoS as an attack vector because such attacks “didn’t work”.

Instead, Gérôme Billois, senior manager of Solucom, said that these groups – also believed to often be ISIS sympathisers – had looked to scan thousands of websites to identify and exploit common WordPress, Joomla and other content management system (CMS) vulnerabilities.

Source: http://www.scmagazineuk.com/french-ddos-attacks-spike-after-terror-protest/article/393796/

It’s impossible to predict when distributed denial of service (DDOS) attacks will hit so companies must take measures to mitigate such an incident.

So says Martin Walshaw, senior engineer at F5 Networks, who notes barely a month goes by without media reports of a Web site or service being brought down by a DDOS attack. Sony’s PlayStation Network again became the victim of such an attack recently, while hacking group Anonymous is on a disabling offensive of extremist Web sites, he says.

According to research conducted by B2B International and Kaspersky Lab, 38% of companies providing online services, such as online shopping and online media, fell victim to DDOS attacks over the past 12 months.

Doros Hadjizenonos, sales manager at Check Point Technologies in SA, says DDOS criminal activity was used to attack the Web sites of various gaming platforms last year. This attack involves many computers continuously requesting certain information from the attacked network until saturation and, therefore, its downfall, Hadjizenonos explains.

Walshaw says DDOS attacks can come in a variety of shapes and sizes. “However, the aim of a DDOS attack is always the same – to saturate a server with so many requests that it simply cannot cope, leaving legitimate users unable to connect.

“Attackers will sometimes use their own network of computers to launch DDOS attacks, but what is now more common is for them to use a network of PCs across the world that have been infected with malware that is capable of joining in a DDOS attack without the owner’s knowledge,” Walshaw explains.

Legitimate traffic

The results of a DDOS attack can be disastrous: loss of revenue-generating applications as well as reputational damage can negatively impact a business for years.

However, Walshaw notes: “There are ways a company can keep its applications, services and even its whole network online without stopping legitimate traffic.”

He believes a sophisticated firewall manager, application security manager and local traffic manager combined provide the protection needed to mitigate DDOS attacks, from blocking attack traffic to re-routing legitimate requests to ensure uptime.

Analysis is also key, says Walshaw, adding that understanding who is attacking you, as well as how and why, can help prevent an attack from causing too much damage and protect against future attacks.

Establishing which layer is being attacked (application, network or session, for example) will help a company know where to focus its resources, and intelligent firewall management will be able to inspect all traffic coming into a network and stop traffic that is coming from a DDOS attack, he points out.

Fire drills

According to Neil Campbell, group GM for Dimension Data’s Security Business Unit, IT security ‘fire drills’, supported by executive management and the risk committee, should be conducted regularly in organisations in order to understand the appropriate course of action in advance of a security breach.

He believes technologies and services focused on incident response – rather than only incident prevention – should be one of the trends high on the agendas of security professionals in 2015.

“It’s inevitable that security incidents will occur. It’s, therefore, critical that organisations begin to focus on identifying what we call ‘indicators of compromise’, putting a comprehensive incident response plan in place, and performing regular IT security ‘fire drills’,” explains Campbell.

He points out that regular fire drills – or rehearsals – will ensure that, in the event of an incident, IT and management teams are clear about what needs to be done, and the business is less at risk. This includes recovering evidence, identifying and resolving the root cause of the incident (not just the symptoms), and undertaking a forensic investigation.

Source: http://www.itweb.co.za/index.php?option=com_content&view=article&id=140563:DDOS-attacks-prepare-for-the-worst&catid=71

Kaspersky Labs principal researcher David Emm tells TechWeekEurope how businesses can stay safe in the face of continued assault

It was a miserable Christmas for gamers, with both Sony’s PlayStation Network and Microsoft’s Xbox Live forced offline on Christmas Day by Distributed Denial of Service (DDoS) attacks (hacking group Lizard Squad claimed responsibility for the attacks). Millions of anxious gamers were left unable to play with their new games or consoles, with the reason given for the attack: “because we can”.

Unfortunately, the attacks on Sony and Microsoft are just the latest in a stream of DDoS attacks to target high-profile organisations. Yet, while high-profile attacks like this make the papers, many others do not. Unlike Advanced Persistent Threat (APT) campaigns, such as Red October, NetTraveler, MiniDuke, and Careto, Distributed Denial of Service (DDoS) attacks rarely hit the headlines, so it’s easy to assume they are rare. But in reality, the DDoS attack is one of the most popular weapons in the cybercriminals’ arsenal.

Understanding the danger

A typical DDoS attack involves a huge number of calls to a server or other Internet resource (such as a web site). These calls overload the victim’s equipment so that the servers lose their ability to service their genuine clients properly.

Today DDoS attacks can be set up cheaply and easily, even without underworld contacts among hackers. Hackers no longer need to create huge botnets before launching their attacks: criminal sites offering this kind of service can be easily found on the Internet, and a DDoS attack is available at an affordable price.

According to our recent study with B2B International, almost half of IT companies have encountered a DDoS attack. However, most businesses that suffer from these attacks prefer to deal with the problem on their own, so as not to attract press coverage. Not only do such attacks lead to financial losses from unplanned downtime, but they can also cause severe reputational damage that can lead to the loss of valuable customers. The threat from DDoS attacks is real and the impact is significant. So it’s important that businesses of all sizes find an effective way to safeguard their organisations from such attacks.

How to stay protected

The key to defending against DDoS attacks lies in early detection of an attack and mitigating the effects of the attack by filtering out the traffic generated by the attackers. There are different approaches to this and dozens of companies on the market that provide services to protect against them. Some install appliances in the client’s information infrastructure, some use capabilities within ISP providers, and others channel traffic through dedicated cleaning centres. Three of the most popular approaches are:

Install filtration equipment within the company IT infrastructure: It is possible to install special equipment within the company’s IT infrastructure. However this method has some serious drawbacks. Firstly, it requires IT professionals to control the filtration equipment. And secondly, it may clog the entire Internet channel, not just the company equipment.

Ask your Internet provider to filter the traffic: Another option is a contract with a company specialising in protection against DDoS attacks, such as an Internet service provider (ISP). ISPs use a wide channel, giving them a significant safety margin that enables them to provide their customers with communication even when they are under attack. However, a wide channel and filtering services are only effective if the filtration rules are continually improved to combat the latest DDoS techniques. Not all providers offer such a service. As a result, they can only filter out the crudest, most obvious attacks. If a company is able to employ true specialists its protection will be much more effective, but they also have to rent a wide channel from a provider, which drives up the cost of protection.

Turn to the experts: The most effective method of protection involves experts who not only modify filtering equipment but also study the tricks used by the fraudsters, develop new defensive technologies, monitor the situation and are ready to quickly improve filtering mechanisms. Specifically, if the attacker probes a victim’s resources in search of the most effective means of attack available, only expertise in this area can help to quickly find the appropriate filters and avoid resource overload.

In addition, partnership with an Internet provider can help to provide still more effective filtering. In some cases it is possible to weed out crude attacks entirely on the provider’s equipment while referring more sophisticated junk traffic to special cleaning centres. This approach also reduces the cost of customer protection since it can work in an online channel with relatively small bandwidth.

Online activities now play an increasingly important role in virtually every business’s day-to-day interactions with customers, suppliers and employees, so no business can afford to ignore the risk posed by DDoS attacks. By putting in place a stringent security policy, supported by the right technology and expertise, businesses can be confident that their organisation remains protected, should the worst happen.

Source: http://www.techweekeurope.co.uk/security/cyberwar/kaspersky-labs-defend-ddos-attacks-159664


Last month, attackers took down the PlayStation Network for several days, embarrassing Sony and leaving tons and tons of gamers unable to feed their Destiny addictions for almost a week. This is all thanks to what’s called a Distributed Denial of Service attack, where a person or a group of people send an inflated amount of traffic to a network in hopes of overloading and crippling the servers.

DDoS attacks are easy to pull off and extremely difficult to stop, which is why it’s kinda nice to see the White House coming out with an Official Stance against them. In fact, President Obama just released a statement saying he’s working on legislation to expand federal authority when it comes to fighting this sort of malicious internet behavior.

Check out the press release (emphasis mine):

Modernizing Law Enforcement Authorities to Combat Cyber Crime: Law enforcement must have appropriate tools to investigate, disrupt and prosecute cyber crime. The Administration’s proposal contains provisions that would allow for the prosecution of the sale of botnets, would criminalize the overseas sale of stolen U.S. financial information like credit card and bank account numbers, would expand federal law enforcement authority to deter the sale of spyware used to stalk or commit ID theft, and would give courts the authority to shut down botnets engaged in distributed denial of service attacks and other criminal activity.

It also reaffirms important components of 2011 proposals to update the Racketeering Influenced and Corrupt Organizations Act (RICO), a key piece of law used to prosecute organized crime, so that it applies to cybercrimes, clarifies the penalties for computer crimes, and makes sure these penalties are in line with other similar non-cyber crimes. Finally, the proposal modernizes the Computer Fraud and Abuse Act by ensuring that insignificant conduct does not fall within the scope of the statute, while making clear that it can be used to prosecute insiders who abuse their ability to access information to use it for their own purposes.

The feds going after botnets—groups of computers that can work together to perform an activity, like flooding a target with artificial or inflated traffic—would certainly make it tougher for people to get their hands on the tools needed to execute DDoS attacks. This seems like an excruciatingly difficult battle to fight, but it sure is worth fighting.

The Entertainment Software Association—the lobbying group for video game companies—sent out a statement expressing support for this new initiative, attributed to president Michael Gallagher:

Cyber attacks threaten our country’s security and prosperity. We commend President Obama’s leadership in providing law enforcement the tools necessary to detect and prosecute organized digital crime. Consumers need to be protected from illegal, malicious botnets and denial-of-service attacks. They deserve to enjoy an innovative and dynamic Internet free of this criminal activity. The Entertainment Software Association will work with the White House and Congressional leaders to fine tune these proposals and help enhance penalties for those who inflict consumer damage on a mass scale.

Will any of this actually lead to legislation? No idea. But in the wake of a very frustrating Christmas Day for gamers worldwide, it’s comforting to know that the government is at least talking about this stuff.

Source: http://kotaku.com/the-white-house-is-now-taking-steps-to-fight-ddos-attac-1679505712