DDoS Defense Archive

DDoS – or distributed denial-of-service attacks – first came to prominence in the late 1990s. Even now, they are one of the biggest threats to any organization doing business on the internet.

What is DDoS?

Distributed denial-of-service (DDoS) attacks are a way of attacking online infrastructure, including websites and online applications, by overwhelming the host servers.

This prevents legitimate users from accessing the services.

The term ‘distributed’ refers to the way these attacks invariably come from a large number of compromised computers or devices.

“They can be a relatively simple type of attack to trigger and, for sites without enough protection, very effective”, says Gemma Allen, senior cloud security architect at Barracuda Networks.

The aim is to interrupt normal operation of the application or site, so it appears offline to any visitors.

“A DDoS puts so much traffic in the queue that your browser thinks the site is offline, and gives up,” says Brian Honan, Dublin-based security expert at BH Consulting. “The legitimate traffic can’t get through.”

What are the aims of a DDoS attack?

The purpose might be blackmail, to disrupt a rival business, a protest (DDoS attacks are frequently associated with hacktivist groups) or as part of a nation-state backed campaign for political, or even quasi-military aims.

The 2007 attack on Estonia was a DDoS attack.

Security researchers also point to DDoS attacks being used as a diversion, allowing hackers to launch other exploits against their targets, for example to steal data. This is what is believed to have happened during the attack on TalkTalk in 2015.

And, as Tim Bandos, vice president of cybersecurity at Digital Guardian, warns, DDoS attacks are not limited to online applications or websites. Any internet-connected device is at risk.

That broadens the attack surface to critical national infrastructure, including power and transportation, and the internet of things (IoT) devices.

How does a DDoS attack work?

“In their simplest form, DDoS attacks work by flooding a service with more of something than it can handle,” says Barracuda’s Allen.

“Of course, in reality, it’s not this simple, and DDoS attacks have been created in many forms to take advantage of the weaknesses.”

Allen explains that an attacker will start out with a discovery phase, setting out to identify weakness in the target site or application. They might even use a different form of DDoS to cover up that activity.

Then the attacker chooses the best tool to exploit the site. They might buy an exploit on the dark web, or create their own.

On their own, though, most denial-of-service malware will have a limited impact on a well-resourced server. A DDoS attack works by operating at scale.

As Joseph Stalin supposedly said of the Red Army during WW2, “quantity has a quality all [of] its own”. So with DDoS. The exploits themselves are simple, but launch enough of them and they will overwhelm even the best systems.

To do this attackers build, or buy, a large enough “Zombie network” or botnet to take out the target. Botnets traditionally consisted of consumer or business PCs, conscripted into the network through malware. More recently, internet of things devices have been co-opted into botnets.

It’s claimed, for example, that the Mirai botnet can be rented for $7,500 per attack.

“If we look at the DynDNS attack of 2016, one of the largest DDoS attacks to date, the attack occurred in phases,” says Allen.

“It first appeared in a single region and then expanded to a concerted global effort from millions of computers that had been breached and turned into a botnet.”

Types of DDoS attacks

A DDoS attack ranges from the accidental – genuine users overwhelming the resources of popular sites, such as in a ‘Reddit hug of death’ – to sophisticated exploits of vulnerabilities.

Simple attacks include the ‘Ping of Death’ – sending the host a ping packet larger than the protocol allows – or the SYN flood, which manipulates the TCP connection handshake so that the server holds open connections that are never completed.

More recent and sophisticated attacks might combine a network-layer flood such as a TCP SYN flood with a second exploit that goes after the applications, attempting to disable them, or at least degrade their performance.
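To make the SYN flood mechanism concrete from the defender’s side, here is an added example (not code from the article or from any of the vendors quoted in it) that scans constructed per-flow records and flags destinations where most connection attempts never complete and the attempts come from many distinct sources. The record format, the thresholds and the addresses are all assumptions chosen for the illustration.

```python
"""Heuristic SYN-flood detector over per-connection flow records.

Constructed example, not code from the article. Each record is one client
flow with the TCP flags seen from the client side. A flow that carried a SYN
but never an ACK is 'half-open'; a destination whose half-open share is high
and whose sources are widely spread looks like a distributed SYN flood.
"""
from collections import defaultdict
from typing import NamedTuple


class Flow(NamedTuple):
    src_ip: str
    dst_ip: str
    dst_port: int
    flags: frozenset  # TCP flags seen from the client, e.g. {"SYN", "ACK"}


def analyse_syn_flows(flows, min_flows=20, half_open_ratio=0.8, min_sources=10):
    """Return {dst_ip: report} for destinations that look SYN-flooded.

    Thresholds are assumed values: at least min_flows connection attempts,
    at least half_open_ratio of them never acknowledged, from at least
    min_sources distinct client addresses.
    """
    stats = defaultdict(lambda: {"flows": 0, "half_open": 0, "sources": set()})
    for f in flows:
        if "SYN" not in f.flags:
            continue  # only connection attempts matter here
        s = stats[f.dst_ip]
        s["flows"] += 1
        s["sources"].add(f.src_ip)
        if "ACK" not in f.flags:
            s["half_open"] += 1

    suspects = {}
    for dst, s in stats.items():
        if s["flows"] < min_flows:
            continue
        ratio = s["half_open"] / s["flows"]
        if ratio >= half_open_ratio and len(s["sources"]) >= min_sources:
            suspects[dst] = {
                "flows": s["flows"],
                "half_open_ratio": round(ratio, 2),
                "distinct_sources": len(s["sources"]),
            }
    return suspects


def sample_flows():
    """Constructed traffic: 30 half-open SYNs from 30 sources to a web server,
    4 completed handshakes to the same server, and 25 completed handshakes
    to an SSH host that should not be flagged."""
    flows = [Flow(f"198.51.100.{i}", "203.0.113.10", 443, frozenset({"SYN"}))
             for i in range(1, 31)]
    flows += [Flow("192.0.2.5", "203.0.113.10", 443, frozenset({"SYN", "ACK"}))
              for _ in range(4)]
    flows += [Flow("192.0.2.6", "203.0.113.20", 22, frozenset({"SYN", "ACK"}))
              for _ in range(25)]
    return flows


if __name__ == "__main__":
    for dst, report in analyse_syn_flows(sample_flows()).items():
        print(dst, report)
```

The source-diversity check is what separates a distributed flood from one misbehaving client; a single noisy host that never completes handshakes would fail the `min_sources` test and should be handled by ordinary per-client rate limiting instead.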

James Smith, head of penetration testing at Bridewell Consulting, points to three common forms of DDoS attacks:

  • Volumetric attacks
  • Protocol attacks
  • Application (layer) attacks

“All of these render the targets inaccessible by depleting resources in one way or another,” he says.

One of the largest, and most damaging, forms of DDoS is now the UDP amplification attack. UDP is connectionless, so the source address of a request can be spoofed. And, as Corey Nachreiner, chief technology officer at WatchGuard Technologies, points out, very small UDP requests can generate large bandwidth attacks.

“UDP amplification gives threat actors asymmetric DDoS power. The most recently discovered UDP amplification attacks can magnify the traffic of one host by a factor of 10,000 or more. When combined with traditional botnets, this gives attackers enough DDoS power to affect ISPs.”

Currently, a memcached UDP amplification attack – which doesn’t need a botnet – holds the DDoS record, with 1.7Tbps of bandwidth.

What is the impact of a DDoS attack?

A DDoS attack affects victims in a number of ways:

  • Damage to reputation
  • Damage to customer trust
  • Direct financial losses
  • Impact on critical services
  • Impact on third parties and ‘collateral damage’
  • Data loss
  • The direct and indirect cost of restoring systems

What is the cost of a DDoS attack?

According to Kaspersky Labs, the average cost of an enterprise DDoS attack can approach $2 million.

Another report, by Netscout, calculates that the combined annual costs of DDoS attacks to the UK economy are close to £1 billion ($1.3 billion).

Akamai, another vendor in the space, publishes an online DDoS cost calculator.

The exact cost of a DDoS attack will, though, depend on the organization, the product or service it supplies, and the effectiveness of its incident response and post-incident strategy. This could range from a few tens of thousands of dollars to millions.

In the case of a nation-state attack or an attack on critical national infrastructure, the cost could be far higher – leading to social unrest or even the loss of life.

So far, no deaths have been attributed directly to DDoS attacks, but the economic impact is all too real.

How long does a DDoS attack last?

Again, this depends on the attacker, the target and their defenses. An attack might succeed in just a few moments, if the victim’s servers have few defenses. But the consensus in the industry is that an attack will last up to 24 hours.

According to Cloudflare, the largest DDoS attack – so far – against GitHub lasted about 20 minutes, due to the effectiveness of the site’s defenses.

If an attack does not take down the target in 24 hours, it does not mean the victim’s sites or applications are safe. Attackers can simply move on to another botnet, and try again with more data, or by using a different range of exploits.

Are DDoS attacks illegal?

“In the UK the Computer Misuse Act 1990 ‘makes it illegal to intentionally impair the operation of a computer or prevent or hinder access to a program/data on a computer unless you are authorized to do so’. As a result, these types of attacks are criminal under UK law,” says Bridewell Consulting’s Smith.

But law enforcement can only act if they can find the attacker. “The biggest challenge can be finding the people to prosecute,” says Barracuda’s Allen.

“The attacks are distributed and the attacking devices are often unwitting parties. The true attackers are hard to trace and while they may claim an attack, it’s not like they give out their real names.”

Recent DDoS attacks

Not all DDoS attacks are in the public domain, but here are some that made the headlines:

  • UK Labour Party, November 2019: Hacker group Lizard Squad claimed responsibility for an attack which attempted – but failed – to take down the political party’s website.
  • Wikipedia, September 2019: The site was subject to a three-day-long attack, which took it offline in EMEA and slowed it down in the US and Africa.
  • Telegram, June 2019: This attack is attributed mostly to China-based IP addresses.
  • UPnProxy, November 2018: The EternalBlue and EternalRed attacks involved 45,113 infected routers.
  • GitHub, February 2018: Still cited as the largest-ever DDoS attack, at a massive 1.7Tbps.
  • Dyn, 2016: Attack against US DNS provider, best known because the attack used IoT devices running Mirai malware.

How to prevent a DDoS attack from happening

Dozens of vendors offer web application firewalls (WAFs), often directly through hosting providers, with the cost starting at just a few dollars a month. Businesses can also deploy hardware-based DDoS mitigation appliances at their network edge.

At the enterprise scale, the large distributed network companies, such as Akamai and Cloudflare, offer high-end, distributed DDoS protection. So do vendors, such as Verisign, HPE, and Cisco.

The most basic defense against DDoS is a DIY approach, monitoring and then shutting down requests from suspect IP addresses.

Although this approach is largely free, Brian Honan warns it is unlikely to be effective, especially against sophisticated, large-scale attacks. He also recommends that organizations place their defenses as far away as they can from their servers.

“You might be able to deal with a DDoS in your datacenter, but all of your internet pipe will be used up. So it is questionable how effective that will be,” he said.

Planning is another key element of any DDoS mitigation strategy.

“Having a plan and procedure in place in case of a DDoS attack is paramount, and having monitoring capabilities in place to detect attacks is highly advised,” says Bridewell’s James Smith.

“Organizations also need to have a well implemented patching policy and ensure anything externally facing is up-to-date to help guarantee that any service software that may contain DDoS vulnerabilities is patched in a timely manner.”

Source: https://portswigger.net/daily-swig/what-is-ddos-a-complete-guide

Vancouver, Canada, December 10, 2019 –(PR.com)– DOSarrest rolls out new advanced mitigation capabilities for their cloud based DDoS protection for infrastructure platform known as “Data Center Defender (DCD).” With the addition of AI to this platform, DOSarrest can now automatically mitigate even the most sophisticated attacks on this service. This major upgrade with real-time AI created algorithms does not even require a learning period. Packet by packet analysis enables the system to weed out even the most elusive attacks and automatically block them.

DOSarrest CTO, Jag Bains states, “While the DCD Network has been very successful in dealing with volumetric and protocol flood attacks for a number of years now, we remain committed to upgrading and evolving the service. In conjunction with continually increasing the capacity of the DCD Network, we’ve also upgraded the capabilities of DCD with automated routing isolation of targeted IPs through sophisticated analysis on our Big Data Platform. The targeted IP is automatically routed to an additional layer that allows for more sophisticated challenges and mitigation capabilities of malicious traffic.”

Jag Bains adds, “This new capability doesn’t require any learning mode making mitigation ultra fast, it can pick-up anomalies based on combinations of source/destination ports, IP Protocols, TTL, packet lengths and payload patterns, and much more. It even detects and stops malicious traffic that has anomalous TCP flag combinations.”

DOSarrest CEO, Mark Teolis comments, “The traffic isolation and mitigation operates asymmetrically and happens within seconds, all automatically. The ability to automatically isolate targeted IPs gives us a future roadmap to add even more sophisticated security measures that will scale easily…Watch this space.”

About DOSarrest Internet Security:
DOSarrest founded in 2007 in Vancouver, B.C., Canada specializes in fully managed cloud based Internet security services including DDoS protection services, Data Center Defender (DCD), Web Application Firewall (WAF), DDoS Attack testing, as well as cloud based global load balancing.

Source: https://www.pr.com/press-release/801141

A Chinese government-backed DDoS operation has been resurrected to disrupt pro-democracy supporters in Hong Kong, according to AT&T Cybersecurity.

The firm revealed in a new blog post yesterday that it spotted activity from the so-called “Great Cannon” starting on August 31, with the most recent DDoS attempts coming on November 25.

Specifically, it was observed trying to take offline the LIHKG website, which is used by Hong Kongers to share info and plan protests across the Special Administrative Region (SAR) of China wracked by unrest over the past few months.

The Great Cannon works by intercepting traffic from websites hosted in China and inserting malicious JavaScript in legitimate analytics scripts, thereby forcing users’ machines to covertly make requests against targeted sites.

The code not only attempts to repeatedly request the LIHKG home page but also multiple sites and memes that appear on the forum, so as to blend in with normal traffic, according to Chris Doman of AT&T Cybersecurity’s AlienVault business.

“It is unlikely these sites will be seriously impacted. Partly due to LIHKG sitting behind an anti-DDoS service, and partly due to some bugs in the malicious JavaScript code that we won’t discuss here,” he explained.

“Still, it is disturbing to see an attack tool with the potential power of the Great Cannon used more regularly, and again causing collateral damage to US-based services.”

The tool itself first came to prominence around four years ago when it was used to target anti-censorship organization Greatfire.org. The researchers that revealed the cannon for the first time claimed it was co-located with China’s notorious Great Firewall censorship infrastructure.

Global anger spread after the Great Cannon was then turned on developer site GitHub, which at the time hosted anti-censorship tools.

Researchers warned that the same tool could very easily be repurposed to deliver malware rather than DDoS attacks.

Source: https://www.infosecurity-magazine.com/news/chinas-great-cannon-fires-on-hong/

Internet service providers in South Africa fell prey to massive distributed denial of service (DDoS) attacks this past weekend.

RSAWEB subscribers were among the first to feel it, with the company issuing a notice at 01:56 on Friday morning stating that it was under attack. By 12:38, RSAWEB reported that the DDoS attack had abated and that services were stable.

Cool Ideas was next to be hit. It sent out a notice to subscribers on Saturday morning to say that it was experiencing problems on its network.

It later confirmed that it was facing the largest DDoS attack it had ever seen on its network. Cool Ideas co-founder Paul Butschi told MyBroadband that the size of the attack exceeded 300Gbps.

Butschi said the attack traffic statistics came from Cogent Communications and Hurricane Electric in London. Of the total traffic hitting their network, roughly 40Gbps was legitimate.

Attack on Afrihost, Axxess, and Webafrica

On the evening of Saturday, 23 November, the upstream provider supplying services to Afrihost, Axxess, and Webafrica came under attack. All three ISPs use Echo Service Provider.

Echo, in turn, appears to have a partnership with Liquid Telecom for international transit — Internet traffic that goes outside South Africa.

During previous attacks on Echo SP, Liquid Telecom helped to mitigate the attack. MyBroadband asked Liquid Telecom for details regarding the attack that crippled Afrihost, Axxess, and Webafrica on Saturday.

“Liquid Telecommunications can confirm that during the course of [Saturday] night an attack was initiated against one of our South African clients,” a spokesperson for the company said.

“This attack was similar in size and scale to previous attacks reported on. The attack was mitigated within minutes of being seen and the network has been stable without incident since the mitigation was performed.”

The previous attack on Echo SP on 27 October was in excess of 100Gbps. Liquid Telecom’s comments suggest that the most recent attack was around the same size.

Afrihost clients continued to complain that they were having trouble connecting to international services on Saturday evening.

On Sunday morning, MyBroadband forum members noticed that outbound international traffic from Afrihost was no longer flowing over Liquid Telecom’s network, but Telkom’s.

Another forum member found that Echo SP had only switched away from Liquid Telecom for outbound international traffic from South Africa. Inbound traffic from international sources was still being routed over Liquid Telecom’s network.

MyBroadband asked Afrihost, Webafrica, and Echo Service Provider for comment, but they did not respond by the time of publication.

Distributed denial of service and carpet bombing

A DDoS attack is a flood of garbage Internet traffic sent to servers, routers, and other computers on a network with the aim of making it impossible to communicate with them.

Under ordinary circumstances, generating 100Gbps or 300Gbps of traffic would require tremendous resources.

However, techniques such as DNS Amplification have made it easier and cheaper for attackers to generate large volumes of attack traffic than ever before.

DNS Amplification attacks, also referred to as DNS reflection, use improperly configured Domain Name System (DNS) servers to flood computers with network traffic. If the flood of bogus traffic is able to overwhelm the computer, it can’t respond to legitimate requests and appears offline to anyone on the Internet trying to reach it.

Reflection attacks work by requesting information from a server on the Internet, but then tricking it to send its response to the target computer the attacker wants to flood.

DNS servers are a popular choice for such attacks because they are critical Internet infrastructure designed to field millions of requests per second. They are also usually connected to high-bandwidth links to enable them to deal with large amounts of traffic.

Most importantly, attackers can often cause a DNS server to generate a response that is several times larger than their spoofed request. In other words, attackers use DNS servers to amplify their attack bandwidth. Hence the term “DNS Amplification”.
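The defining property of a reflection attack, as described above, is that the victim never sent the queries whose answers it receives. The following is an added example (not code from the article, MyBroadband or any provider named in it) that uses that property at a network edge: it remembers DNS queries seen leaving the network, treats any inbound UDP datagram from port 53 that matches no outstanding query as reflected traffic, and also reports the observed response-to-query size ratio for legitimate answers, which is the “amplification” the text refers to. The packet record format, the addresses and the byte threshold are assumptions.

```python
"""Flag DNS reflection/amplification traffic at a network edge.

Constructed example, not code from the article. Outbound queries to UDP/53
are recorded by (local ip, local port, resolver). An inbound datagram from
UDP/53 that matches a recorded query is a legitimate answer and contributes
to the measured amplification ratio; one that matches nothing is reflected
traffic and is accumulated per target together with the set of reflectors.
"""
from collections import defaultdict
from typing import NamedTuple


class Pkt(NamedTuple):
    direction: str   # "out" = leaving our network, "in" = arriving
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    length: int      # UDP payload bytes


def analyse_dns_reflection(packets, byte_threshold=10_000):
    """Return (suspects, avg_amplification).

    suspects maps each local target that received at least byte_threshold
    bytes of unsolicited DNS answers to the byte count and reflector count.
    avg_amplification is the mean answer/query size ratio of legitimate
    exchanges (0.0 if there were none).
    """
    outstanding = {}                      # (local_ip, local_port, resolver) -> query bytes
    ratios = []                           # answer/query size ratios for matched answers
    unsolicited = defaultdict(lambda: {"bytes": 0, "reflectors": set()})

    for p in packets:
        if p.direction == "out" and p.dst_port == 53:
            outstanding[(p.src_ip, p.src_port, p.dst_ip)] = p.length
        elif p.direction == "in" and p.src_port == 53:
            qlen = outstanding.pop((p.dst_ip, p.dst_port, p.src_ip), None)
            if qlen is not None:
                ratios.append(p.length / qlen)       # legitimate answer
            else:
                t = unsolicited[p.dst_ip]            # nobody here asked for this
                t["bytes"] += p.length
                t["reflectors"].add(p.src_ip)

    suspects = {ip: {"bytes": t["bytes"], "reflectors": len(t["reflectors"])}
                for ip, t in unsolicited.items() if t["bytes"] >= byte_threshold}
    avg_amp = sum(ratios) / len(ratios) if ratios else 0.0
    return suspects, avg_amp


def sample_packets():
    """Constructed capture: one legitimate 60-byte query answered with 180
    bytes, then 50 unsolicited 3,000-byte answers from 50 different
    resolvers aimed at a host that never queried any of them."""
    pkts = [Pkt("out", "203.0.113.10", 40000, "192.0.2.53", 53, 60),
            Pkt("in", "192.0.2.53", 53, "203.0.113.10", 40000, 180)]
    pkts += [Pkt("in", f"198.51.100.{i}", 53, "203.0.113.20", 1024 + i, 3000)
             for i in range(1, 51)]
    return pkts


if __name__ == "__main__":
    suspects, amp = analyse_dns_reflection(sample_packets())
    print("reflection targets:", suspects)
    print("legitimate answer/query ratio:", amp)
```

Keying on the local port as well as the two addresses is what keeps a normal stub resolver’s traffic from being misclassified; in a real deployment the `outstanding` table also needs an expiry so that unanswered queries do not accumulate.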

When the target of such an attack is a web server or critical network infrastructure, such a DDoS attack causes an outage. Network providers have developed methods to mitigate such attacks, and so attackers have found new ways of launching effective assaults.

One such technique is “carpet bombing“, where an Internet service provider’s individual customers are sent large volumes of garbage network traffic.

In some cases, the individual connections of customers are flooded. However, even when the traffic is not enough to flood a subscriber’s connection, the overall traffic on the network eventually adds up to a point where the ISP’s core network infrastructure cannot cope with the load.

Carpet bombing attacks are specifically used against organisations like ISPs with the aim of bringing down their whole network.

Data centre operators, web hosting companies, and large corporate networks – anyone who runs their own pool of IP addresses – are also examples of potential targets of carpet bombing attacks.
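The reason carpet bombing defeats a conventional detector is that every individual address stays under the per-host alarm threshold while the prefix as a whole is saturated. Here is an added example (not code from the article or any of the ISPs named in it) that runs both views over the same constructed rate samples: the per-host check stays silent, while summing the same samples by covering prefix exposes the flood. The sample format, the /24 grouping and the thresholds are assumptions.

```python
"""Detect carpet-bombing floods that stay under per-host thresholds.

Constructed example, not code from the article. Each sample is
(destination ip, bits per second). The per-host detector fires only when a
single address exceeds its threshold; carpet bombing spreads the flood over
a whole customer prefix, so the prefix detector sums the same samples by
covering network and alarms on the aggregate.
"""
import ipaddress
from collections import defaultdict


def per_host_alerts(samples, host_threshold_bps):
    """Conventional detection: addresses individually above the threshold."""
    totals = defaultdict(int)
    for ip, bps in samples:
        totals[ip] += bps
    return sorted(ip for ip, bps in totals.items() if bps > host_threshold_bps)


def per_prefix_alerts(samples, prefix_len, prefix_threshold_bps):
    """Carpet-bombing detection: aggregate the same samples by /prefix_len."""
    totals = defaultdict(int)
    for ip, bps in samples:
        # strict=False lets a host address stand in for its covering network
        net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
        totals[net] += bps
    return {str(net): bps for net, bps in totals.items()
            if bps > prefix_threshold_bps}


def sample_traffic():
    """Constructed: 200 subscriber addresses in 198.51.100.0/24 each receiving
    800 Mbit/s of junk (below an assumed 1 Gbit/s per-host threshold), plus
    one ordinary host elsewhere at 50 Mbit/s."""
    samples = [(f"198.51.100.{i}", 800_000_000) for i in range(1, 201)]
    samples.append(("203.0.113.7", 50_000_000))
    return samples


if __name__ == "__main__":
    traffic = sample_traffic()
    print("per-host alerts:", per_host_alerts(traffic, 1_000_000_000))
    print("per-/24 alerts:", per_prefix_alerts(traffic, 24, 10_000_000_000))
```

The prefix threshold should be set relative to the capacity of the link or the aggregation router that serves that prefix, not to any single subscriber’s line rate, because that shared capacity is what the attack is actually exhausting.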

Source: https://mybroadband.co.za/news/internet/329539-massive-ddos-attacks-south-african-internet-providers-crippled.html

A new botnet named Roboto is targeting Linux servers running the Webmin app, according to security researchers at 360 Netlab. Roboto is a peer-to-peer botnet that has been active since summer and is exploiting a vulnerability in the Webmin app. The app offers a web-based remote management system for Linux servers and is installed on as many as 215,000 servers.

The vulnerability, identified as CVE-2019-15107, allows bad actors to compromise older Webmin servers by running malicious code and gaining root privileges. The vulnerability was identified and patched by the company behind Webmin. However, many users have not installed the latest version with the patch, and Roboto botnet is targeting such servers.

According to security researchers, the Roboto botnet has DDoS attack capability in its code, and it is the main feature of the botnet. The bad actors behind the botnet aim to expand it by conducting DDoS attacks via vectors such as HTTP, ICMP, UDP, and TCP.

Also, once the botnet compromises a Linux system running the older version of the Webmin app, it can perform actions like collecting system, network, and process information. It further uploads collected data to a remote server, executes Linux commands, and runs a file downloaded from a remote URL.

What makes the Roboto botnet unique is its peer-to-peer network structure.

To protect against this attack, we recommend our users update the Webmin app to version 1.930, or disable the ‘user password change’ option in the app.


Source: https://fossbytes.com/linux-servers-webmin-targeted-ddos-attacks/