DoS Attacks Archive

Executives express mixed feelings and a surprisingly high level of confidence in Radware’s 2018 Web Application Security Report. 

As we close out a year of headline-grabbing data breaches (British Airways, Under Armor,  Panera Bread), the introduction of GDPR and the emergence of new application development architectures and frameworks, Radware examined the state of application security in its latest report. This global survey among executives and IT professionals has yielded insights about threats, concerns and application security strategies.

The common trend among a variety of application security challenges including data breaches, bot management, DDoS mitigation, API security and DevSecOps, was the high level of confidence reported by those surveyed. 90% of all respondents across regions reported confidence that their security model is effective at mitigating web application attacks.

Attacks against applications are at a record high and sensitive data is shared more than ever. So how can execs and IT pros have such confidence in the security of their applications?

To get a better understanding, we researched the current threat landscape and application protection strategies organizations currently take. Contradicting evidence stood out immediately:

  • 90% suffered attacks against their applications
  • One in three shared sensitive data with third parties
  • 33% allowed 3rd parties to create/modify/delete data via APIs
  • 67% believed a hacker can penetrate their network
  • 89% see web-scraping as a significant threat to their IP
  • 83% run bug bounty programs to find vulnerabilities they miss

As it turned out there are quite a few threats to application services that are not properly addressed as traditional security approaches are challenged and stretched. In parallel, the adoption of emerging frameworks and architectures, which rely on numerous integrations with multiple services, adds more complexity and increases the attack surface.

Current Threat Landscape

Last November, OWASP released a new list of top 10 vulnerabilities in web applications. Hackers continue to use injections, XSS, and a few old techniques such as CSRF, RFI/LFI and session hijacking to exploit these vulnerabilities and gain unauthorized access to sensitive information. Protection is becoming more complex as attacks come through trusted sources such as a CDN, encrypted traffic, or APIs of systems and services we integrate with. Bots behave like real users and bypass challenges such as CAPTCHA, IP-based detection and others, making it even harder to secure and optimize the user experience.

Web application security solutions must be smarter and address a broad spectrum of vulnerability exploitation scenarios. On top of protecting the application from these common vulnerabilities, it has to protect APIs and mitigate DoS attacks, manage bot traffic and make a distinction between legitimate bots (search engines for instance) and bad ones like botnets, web-scrapers and more.

DDoS Attacks

63% suffered denial of service attack against their application. DoS attacks render applications inoperable by exhausting the application resources. Buffer overflow and HTTP floods were the most common types of DoS attacks, and this form of attack is more common in APAC. 36% find HTTP/Layer-7 DDoS as the most difficult attack to mitigate. Half of the organizations take rate-based approaches (such as limiting the number of request from a certain source or simply buying a rate-based DDoS protection solution) which are ineffective once the threshold is exceeded and real users can’t connect.

API Attacks

APIs simplify the architecture and delivery of application services and make digital interactions possible. Unfortunately, they also introduce a wide range of risks and vulnerabilities as a backdoor for hackers to break into networks. Through APIs, data is exchanged in HTTP where both parties receive, process and share information. A third party is theoretically able to insert, modify, delete and retrieve content from applications. This is nothing but an invitation to attack:

  • 62% of respondents did not encrypt data sent via API
  • 70% of respondents did not require authentication
  • 33% allowed third parties to perform actions (GET/ POST / PUT/ DELETE)

Attacks against APIs:

  • 39% Access violations
  • 32% Brute-force
  • 29% Irregular JSON/XML expressions
  • 38% Protocol attacks
  • 31% Denial of service
  • 29% Injections

Bot Attacks

The amount of both good and bad bot traffic is growing. Organizations are forced to increase network capacity and need to be able to precisely tell a friend from a foe so both customer experience and security are maintained. Surprisingly, 98% claimed they can make such a distinction. However, a similar amount sees web-scraping as a significant threat. 87% were impacted by such an attack over the past 12 months, despite a variety of methods companies use to overcome the challenge – CAPTCHA, in-session termination, IP-based detection or even buying a dedicated anti-bot solution.

Impact of Web-scraping:

  • 50% gathered pricing information
  • 43% copied website
  • 42% theft of intellectual property
  • 37% inventory queued/being held by bot
  • 34% inventory held
  • 26% inventory bought out

Data Breaches

Multinational organizations keep close tabs on what kinds of data they collect and share. However, almost every other business (46%) reports having suffered a breach. On average an organization suffers 16.5 breach attempts every year. Most (85%) take between hours and days to discover. Data breaches are the most difficult attack to detect, as well as  mitigate, in the eyes of our survey respondents.

How do organizations discover data breaches?

  • 69% Anomaly detection tools/SIEM
  • 51% Darknet monitoring service
  • 45% Information was leaked publicly
  • 27% Ransom demand


Negative consequences such as loss of reputation, customer compensation, legal action (more common in EMEA), churn (more common in APAC), stock price drops (more common in America) and executives who lose their jobs are quick to follow a successful attack, while the process of repairing the damage and rebuild of a company’s reputation is long and not always successful. About half admitted having encountered such consequences.

Securing Emerging Application Development Frameworks

The rapidly growing amount of applications and their distribution across multiple environments requires adjustments that lead to variations once a change to the application is needed. It is nearly impossible to deploy and maintain the same security policy efficiently across all environments. Our research shows that ~60% of all applications undergo changes on a weekly basis. How can the security team keep up?

While 93% of organizations use a Web Application Firewall (WAF), only three in ten use a WAF that combines both positive and negative security models for effective application protection.

Technologies Used By DevOps

  • 63% – DevOps and Automation Tools
  • 48% – Containers (3 in 5 use Orchestration)
  • 44% – Serverless / FaaS
  • 37% – Microservers

Among the respondents that used micro-services, one-half rated data protection as the biggest challenge, followed by availability assurance, policy enforcement, authentication, and visibility.


Is there a notion that organizations are confident? Yes. Is that a false sense of security? Yes. Attacks are constantly evolving and security measures are not foolproof. Having application security tools and processes in place may provoke a sense of being in control but are likely to be breached or bypassed sooner or later. Another question we are left with is whether senior management is fully aware of the day to day incidents. Rightfully so, they look to their internal teams tasked with application security to manage the issue, but there seems to be a mismatch between their perceptions of the effectiveness of their organizations’ application security strategies and the actual exposure to risk.


Stealth, persistence mechanism and ability to infect a wide swath of devices make malware dangerous and very different from the usual Mirai knockoffs, Avast says.

A dangerous and potentially destructive new IoT malware sample has recently surfaced that for the first time this year is not just another cheap Mirai knockoff.

Researchers from security vendor Avast recently analyzed the malware and have named it Torii because the telnet attacks through which it is being propagated have been coming from Tor exit nodes.

Besides bearing little resemblance to Mirai in code, Torii is also stealthier and more persistent on compromised devices. It is designed to infect what Avast says is one of the largest sets of devices and architectures for an IoT malware strain. Devices on which Torii works include those based on x86, x64, PowerPC, MIPS, ARM, and several other architectures.

Interestingly, so far at least Torii is not being used to assemble DDoS botnets like Mirai was, or to drop cryptomining tools like some more recent variants have been doing. Instead it appears optimized for stealing data from IoT devices. And, like a slew of other recent malware, Torii has a modular design, meaning it is capable of relatively easily fetching and executing other commands.

Martin Hron, a security researcher at Avast says, if anything, Torii is more like the destructive VPNFilter malware that infected some 500,000 network attached storage devices and home-office routers this May. VPNFilter attacked network products from at least 12 major vendors and was capable of attacking not just routers and network attached storage devices but the systems behind them as well.

Torii is different from other IoT malware on several other fronts. For one thing, “it uses six or more ways to achieve persistence ensuring it doesn’t get kicked out of the device easily on a reboot or by another piece of malware,” Hron notes.

Torii’s modular, multistage architecture is different too. “It drops a payload to connect with [command-and-control (CnC)] and then lays in wait to receive commands or files from the CnC,” the security researcher says. The command-and-control server with which the observed samples of Torii have been communicating is located in Arizona.

Torii’s support for a large number of common architectures gives it the ability to infect anything with open telnet, which includes millions of IoT devices. Worryingly, it is likely the malware authors have other attack vectors as well, but telnet is the only vector that has been used so far, Hron notes.

While Torii hasn’t been used for DDoS attacks yet, it has been sending a lot of information back to its command-and-control server about the devices it has infected. The data being exfiltrated includes Hostname, Process ID, and other machine-specific information that would let the malware operator fingerprint and catalog devices more easily. Hron says Avast researchers aren’t really sure why Torii is collecting all the data.

Significantly, Avast researchers discovered a hitherto unused binary on the server that is distributing the malware, which could let the attackers execute any command on an infected device. The app is written in GO, which means it can be easily recompiled to run on virtually any machine.

Hron says Avast is unsure what the malware authors plan to do with the functionality. But based on its versatility and presence on the malware distribution server, he thinks it could be a backdoor or a service that would let the attacker orchestrate multiple devices at once.

The log data that Avast was able to analyze showed that slightly less than 600 unique client devices had downloaded Torii. But it is likely that the number is just a snapshot of new machines that were recruited into the botnet for the period for which Avast has the log files, the security vendor said.


The government department says the attack did not expose any sensitive or confidential information.

The South African Department of Labour has confirmed a recent cyberattack which disrupted the government agency’s website.

In a statement, the Department of Labour said that a distributed denial-of-service (DDoS) attack was launched against the organization’s front-facing servers over the weekend.

According to the department’s acting chief information officer Xola Monakali, the “attempt was through the external Domain Name Server (DNS) server which is sitting at the State Information Technology Agency,” and “no internal servers, systems, or client information were compromised, as they are separated with the relevant protection in place.”

The government agency has asked external cybersecurity experts to assist in the investigation.

DDoS attacks are often launched through botnets, which contain countless enslaved devices — ranging from standard PCs to IoT devices — which are commanded to flood a domain with traffic requests.

DDoS attack volumes have increased by 50% to an average of 3.3 Gbps during May, June and July 2018, compared to 2.2 Gbps during the previous quarter, according to Link11. Attacks are also becoming increasingly complex, with 46% of incidents using two or more vectors.

DDoS attacks outside business hours

While attack volumes increased, researchers recorded a 36% decrease in the overall number of attacks. There was a total of 9,325 attacks during the quarter: an average of 102 attacks per day.

While the number of attacks decreased overall – possibly as a result of DDoS-as-a-service website Webstresser being closed down following an international police operation, both the scale and complexity of the attacks increased. The LSOC registered a 50% increase in hyper-scale attacks (80 Gbps+). The most complex attacks seen used 13 vectors in total.

Link11’s Q2 DDoS Report revealed that threat actors targeted organisations most frequently between 4pm CET and midnight Saturday through to Monday, with businesses in the e-commerce, gaming, IT hosting, finance, and entertainment/media sectors being the most affected.

The report reveals that high volume attacks were ramped up via Memcached reflection, SSDP reflection and CLDAP, with the peak attack bandwidth recorded at 156 Gbps. Other key findings from the Q2 report include:

  • The total duration of attacks during the quarter was 1,221 hours
  • 17% of attacks used two vectors, while 16% used three
  • The most frequently observed attacks were UDP floods (59.7%), TCP SYN floods (3.3%) and ICMP floods (0.9%)
  • Memcached was the most used reflection amplification technique, with 773 attacks observed using this technique, highlighting that Memcached is still an issue. The SSDP reflection technique generated the greatest proportion of DDoS packets.

DDoS attacks outside business hours

“Attacks in Q2 2018 continued to grow in scale and complexity. Nearly half of attacks were multi-vector, making them harder to defend against, and with the rapid growth in ‘hyper attacks’ with volumes of over 80 Gbps, we must now consider these large, complex attacksto be the new normal,” said Aatish Pattni, Regional Director UK & Ireland for Link11.

“It’s only a matter of time until a new DDoS-for-hire service emerges to replace Webstresser, so attacks will inevitably increase over the coming months. Given the scale of the threat that organizations are facing, and the fact that the attacks are deliberately aimed at causing maximum disruption, it’s clear that businesses need to deploy advanced techniques to protect themselves against DDoS exploits,” added Pattni.


Understand the essence of cyber security and the issues facing digital, internet and mobile users.

What is cyber security, and what kinds of security threats and implications face personal and business users of the internet and digital realm? These questions often confuse and occasionally overwhelm, as we’re bombarded on an almost daily basis with horror stories of major hacks, data breaches, and abuses of online privacy.

Building on our basic introduction to malware, viruses, and spyware online, in this article we’ll be looking not only to answer the question “What is cyber security?” but also to simplify some of the complexity surrounding its methods, and the security issues facing individuals and corporate users of digital, internet, and mobile technologies.

We’ll start with the basics.

What Is Cyber Security?

The word “cyber” is a fairly recent addition to the English vocabulary, and is a general term used to describe things in the world of computers, information and digital technology. And “security” is a term that’s been around for a very long time, which concerns the safety of people, corporate entities, and institutions, in the face of threats and dangers.

So it should come as little surprise that cyber security is a blanket term covering the people, processes, and technology involved in protecting computers, networks, mobile devices, software applications, and data from attacks and attempts to gain unauthorised access.

Cyber security embraces individuals, organisations, networks, and the infrastructure that connects them. And it runs the gamut from the protection of physical assets and hardware, through to the technology and procedures used in safeguarding digital assets such as software and information, and the assessment and management of the risks facing each of these environments.

Risk Management

Total security is an impossible ideal. No matter how “foolproof” a system or business process may seem, there’s always scope for something to go wrong. And with the ingenuity and resources available to hackers and cyber criminals, new threats and new methods of exploiting weaknesses in techniques and technologies are constantly developing.

The best that individuals and corporate bodies can hope to achieve is to manage the risks that they face in the best way possible. A risk management strategy for cyber security requires an understanding of the threat landscape, knowledge of the risks that are most likely to be relevant, and the establishment of procedures for reducing vulnerability to these threats.

Basically, this all boils down to:

  1. Becoming aware of what’s out there, and what’s likely or possible to hit you, then
  2. Taking steps to reduce the likelihood of you being affected, and
  3. Making plans for how to respond, and minimise the damage in the event that your precautions fail.

Cyber Security Tools and Methods

There’s an entire industry that’s grown out of the sale of cyber security tools like anti-virus applications, password managers, and data encryption software (which scrambles information, so that it can’t be read), as well as dedicated security hardware, and the contracting out of related services.

But tools and talent will only go so far. A comprehensive approach to cyber security requires not only these assets, but also the information and methodology needed to make the strategy effective.

Cyber Security and Regulatory Frameworks

Frameworks are sets of rules, guidelines, and best practices which provide a formalised structure for individual operators and corporate bodies to follow in order to beef up their security stance, or meet the requirements of regulatory compliance regimes and the law.

Frameworks for cyber security typically take the form of a set of recommendations. They may also describe procedures and tools that may be used to put those recommendations into practice.

Ten Steps to Cyber Security, a report issued by the National Cyber Security Centre (NCSC, a division of UK intelligence headquarters GCHQ) to help business executives get to grips with the subject, is an example of this approach.

In terms of regulatory compliance, frameworks will typically spell out the exact conditions that organisations or individuals will have to satisfy in order to continue operating in a particular industry, discipline, or market sector, without running the risk of fines or legal action.

The recently launched General Data Protection Regulation or GDPR is one such framework, created by the European Union (EU) to set conditions guarding the data privacy of its citizens and residents.

There are many different frameworks in existence, and organisations have to be careful to choose the ones that are most effective and appropriate for them. After all, what is cyber security to one business may be too complex, or not far-reaching enough, for others.

Security Policies

Based on the demands of the law, regulatory requirements, and the conditions of their own working environment, organisations are usually advised to draw up a formalised policy, laying out how security matters should be handled.

Security policies will usually spell out what practices are permissible and which ones aren’t, in promoting and maintaining cyber security for the enterprise. They’ll also specify the powers and privileges that every member of the organisation has in respect to things like network and database access, control of intellectual property, and other issues. Fines and penalties for abusing corporate security policy may also be laid out here.

Security Architecture

The security architecture of an establishment is the structure of physical hardware, software applications, procedures, partnerships, and related services that maintain and monitor the cyber security of the enterprise. These may include:

  • Physical security measures: Gates, security cameras, scanners, locks, identity tags, and associated hardware.
  • Access control: The mechanisms and procedures that keep unauthorised users or visitors at bay.
  • Authentication and validation: Methods of ensuring that only authorised members of an organisation or invited guests can check in and out of the networks and resources they’re entitled to.
  • Intrusion detection and/or intrusion prevention: Hardware and software that guard against attempts to infiltrate networks and systems by hackers and spies.
  • Monitoring: Qualified security and IT personnel, dedicated hardware, and/or automated systems running constant checks against threats and signs of infection or system compromise.
  • Incident Response: Deployment of specialised teams of responders, in the case of alerts or confirmed evidence of an attack.

Cyber Threat Intelligence

With new attack methods and new strains of malware (malicious software) emerging or being developed even as we speak, much of the security challenge for private individuals and businesses lies in staying on top of the latest happenings in the world of cyber security. This is where cyber threat intelligence comes into play.

As its name suggests, cyber threat intelligence consists of detailed information (or intelligence) on current security threats, the people, technology, and criminal organisations currently responsible for them, and the latest methods for combating the threats that they pose.

Cyber threat intelligence may come in several forms. Common among these are online databases, white papers (advisory documents), discussion forums, specialist consultants, and pools of shared knowledge drawn from experts in the field, and from organisations that have been affected by cyber threats of various kinds.

Security Awareness Training

With human error, poor judgement, and just plain foolishness often assisting hackers and cyber criminals more than the malicious software and other tools they use, it’s important for network and internet users to become aware of the threats they actually face, and the best methods for avoiding them. That’s where cyber security awareness training comes into the picture.

Aside from raising awareness, the aim of security awareness training is to instil a culture and attitude that makes cyber security and risk management a part of daily life.

This training may be formally conducted (e.g., by a business organisation), or sought out independently. Interactive exercises, tests, and engaging presentation techniques are typically used to explain prevailing cyber threats, the risks to individuals and businesses, and best practices for staying safe.

Penetration Testing

All the tools and security training in the world don’t help if systems and people crumple under the pressure of a real security incident or hacking attack. So many business enterprises conduct what are known as random penetration tests. These are the equivalent of live drills, for fire or emergency response.

In penetration testing, external contractors are usually called in and given a free hand to stage a cyber attack on an organisation’s network and personnel, using various methods such as brute force assaults on passwords, email and message phishing (trying to fool people into giving up sensitive information, visiting booby-trapped websites, or opening file attachments loaded with malware), or overloading system resources.

The goal of these exercises is to gauge and monitor the performance of workers and incident response teams under the pressure of a real attack, and to highlight areas where the security defences of an enterprise can be improved.

Penetration testing is typically performed by security professionals who have a familiarity with the latest hacking techniques, but use these skills for benevolent purposes. So if you ever come across terms like “white hat hackers” or “ethical hacking”, this is what they’re referring to.

Security Threats to Personal Users

In terms of what is cyber security for the individual, the sad truth is that it’s a precarious environment out there, and pretty much always has been. Among the numerous security threats facing personal users of networks, the internet, and mobile devices are:

  • Malicious software or malware, in general: Traditional computer viruses, Trojans or Trojan Horse programs (look like one thing, actually do another), and worms (software capable of reproducing itself so that it can spread from one computer to the next over a network), plus things like spyware, adware, and key-loggers (which can record your strokes on the keyboard, or mouse movements) are all examples.
  • Ransomware: A specialised breed of malware that can immobilise complete systems by encrypting all the information on them, so that the owner can’t understand or access it. Victims are extorted for money (usually in the form of Bitcoin or some other cryptocurrency), for the keys to unlock their devices. The likes of WannaCry and Petya have wreaked havoc and made considerable sums for the criminals distributing them.
  • Crypto-jacking software: Programs hidden inside otherwise legitimate software or websites that hijack a user’s or visitor’s system resources to mine for cryptocurrencies.
  • Phishing and social engineering: Bogus messages (email, SMS, false advertising, or voice calls) aimed at getting victims to divulge useful information, or at leading them to download malicious file attachments or visit web sites booby-trapped with malware.
  • Identity theft: Gathering of personal and business information (from browsing activity, social media, company profiles, etc.) that enables cyber criminals to impersonate victims, or sell their digital identities on to third parties.
  • Information leaks: Exposure of personal, financial, and other sensitive data due to hacks, security breaches, mobile apps with links to third parties, or indiscreet practices online.

Security Threats to Businesses

Business organisations are composed of individual people, so of course all of the above security threats apply to businesses as well. But in addition to the personal threats, there are other more institutional cyber security risks that businesses have to consider. These include:

  • Infiltration of corporate networks: This may occur through direct action (such as successful attempts at password breaking) or indirectly (e.g. using spyware slipped to an employee through a phishing email).
  • Corruption of corporate data: If hackers gain access to corporate information, in some cases they can insert their own data as acts of sabotage or market manipulation.
  • Theft of intellectual property or copyright infringement: Secret projects, hot new products, or top-selling existing material that can be pirated for profit or claimed as someone else’s are all vulnerable, here.
  • Leakage of company credentials: Often as a result of workers using office email and other credentials on public sites like social media, which are then hacked.
  • Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks: Organised assaults against online services, networks, and web applications that clog the system so that users can’t get through.
  • System hijacking: In extreme cases (or as the final pay-off for sustained attacks known as APTs or advanced persistent threats), individual systems or entire networks may fall under the control of cyber criminals.
  • Insider threats: Often overlooked as a possibility until it’s too late, the work of disgruntled former employees or dissatisfied current ones can lead to mistakes or deliberate attempts at sabotage that give the upper hand to cyber criminals.

Final Thoughts

So, what is cyber security, and what does it involve? All of the above, plus techniques and tools to bolster your security stance and provide protection against known and unknown threats. We’ll be considering some of those in our next instalment of this series.

In the meantime, you can check out the security advice and commentary on the FileHippo blog and news feeds, and get access to some great software that’s all available to download for free.