DoS Attacks Archive

The government department says the attack did not expose any sensitive or confidential information.

The South African Department of Labour has confirmed a recent cyberattack which disrupted the government agency’s website.

In a statement, the Department of Labour said that a distributed denial-of-service (DDoS) attack was launched against the organization’s front-facing servers over the weekend.

According to the department’s acting chief information officer Xola Monakali, the “attempt was through the external Domain Name Server (DNS) server which is sitting at the State Information Technology Agency,” and “no internal servers, systems, or client information were compromised, as they are separated with the relevant protection in place.”

The government agency has asked external cybersecurity experts to assist in the investigation.

DDoS attacks are often launched through botnets, which contain countless enslaved devices — ranging from standard PCs to IoT devices — which are commanded to flood a domain with traffic requests.

DDoS attack volumes have increased by 50% to an average of 3.3 Gbps during May, June and July 2018, compared to 2.2 Gbps during the previous quarter, according to Link11. Attacks are also becoming increasingly complex, with 46% of incidents using two or more vectors.

DDoS attacks outside business hours

While attack volumes increased, researchers recorded a 36% decrease in the overall number of attacks. There was a total of 9,325 attacks during the quarter: an average of 102 attacks per day.

While the number of attacks decreased overall, possibly as a result of DDoS-as-a-service website Webstresser being closed down following an international police operation, both the scale and complexity of the attacks increased. The LSOC registered a 50% increase in hyper-scale attacks (80 Gbps+). The most complex attacks seen used 13 vectors in total.

Link11’s Q2 DDoS Report revealed that threat actors targeted organisations most frequently between 4pm CET and midnight Saturday through to Monday, with businesses in the e-commerce, gaming, IT hosting, finance, and entertainment/media sectors being the most affected.

The report reveals that high volume attacks were ramped up via Memcached reflection, SSDP reflection and CLDAP, with the peak attack bandwidth recorded at 156 Gbps. Other key findings from the Q2 report include:

  • The total duration of attacks during the quarter was 1,221 hours
  • 17% of attacks used two vectors, while 16% used three
  • The most frequently observed attacks were UDP floods (59.7%), TCP SYN floods (3.3%) and ICMP floods (0.9%)
  • Memcached was the most used reflection amplification technique, with 773 attacks observed using this technique, highlighting that Memcached is still an issue. The SSDP reflection technique generated the greatest proportion of DDoS packets.


“Attacks in Q2 2018 continued to grow in scale and complexity. Nearly half of attacks were multi-vector, making them harder to defend against, and with the rapid growth in ‘hyper attacks’ with volumes of over 80 Gbps, we must now consider these large, complex attacks to be the new normal,” said Aatish Pattni, Regional Director UK & Ireland for Link11.

“It’s only a matter of time until a new DDoS-for-hire service emerges to replace Webstresser, so attacks will inevitably increase over the coming months. Given the scale of the threat that organizations are facing, and the fact that the attacks are deliberately aimed at causing maximum disruption, it’s clear that businesses need to deploy advanced techniques to protect themselves against DDoS exploits,” added Pattni.


Understand the essence of cyber security and the issues facing digital, internet and mobile users.

What is cyber security, and what kinds of security threats and implications face personal and business users of the internet and digital realm? These questions often confuse and occasionally overwhelm, as we’re bombarded on an almost daily basis with horror stories of major hacks, data breaches, and abuses of online privacy.

Building on our basic introduction to malware, viruses, and spyware online, in this article we’ll be looking not only to answer the question “What is cyber security?” but also to simplify some of the complexity surrounding its methods, and the security issues facing individuals and corporate users of digital, internet, and mobile technologies.

We’ll start with the basics.

What Is Cyber Security?

The word “cyber” is a fairly recent addition to the English vocabulary, and is a general term used to describe things in the world of computers, information and digital technology. And “security” is a term that’s been around for a very long time, which concerns the safety of people, corporate entities, and institutions, in the face of threats and dangers.

So it should come as little surprise that cyber security is a blanket term covering the people, processes, and technology involved in protecting computers, networks, mobile devices, software applications, and data from attacks and attempts to gain unauthorised access.

Cyber security embraces individuals, organisations, networks, and the infrastructure that connects them. And it runs the gamut from the protection of physical assets and hardware, through to the technology and procedures used in safeguarding digital assets such as software and information, and the assessment and management of the risks facing each of these environments.

Risk Management

Total security is an impossible ideal. No matter how “foolproof” a system or business process may seem, there’s always scope for something to go wrong. And with the ingenuity and resources available to hackers and cyber criminals, new threats and new methods of exploiting weaknesses in techniques and technologies are constantly developing.

The best that individuals and corporate bodies can hope to achieve is to manage the risks that they face in the best way possible. A risk management strategy for cyber security requires an understanding of the threat landscape, knowledge of the risks that are most likely to be relevant, and the establishment of procedures for reducing vulnerability to these threats.

Basically, this all boils down to:

  1. Becoming aware of what’s out there, and what’s likely or possible to hit you, then
  2. Taking steps to reduce the likelihood of you being affected, and
  3. Making plans for how to respond, and minimise the damage in the event that your precautions fail.

Cyber Security Tools and Methods

There’s an entire industry that’s grown out of the sale of cyber security tools like anti-virus applications, password managers, and data encryption software (which scrambles information, so that it can’t be read), as well as dedicated security hardware, and the contracting out of related services.

But tools and talent will only go so far. A comprehensive approach to cyber security requires not only these assets, but also the information and methodology needed to make the strategy effective.

Cyber Security and Regulatory Frameworks

Frameworks are sets of rules, guidelines, and best practices which provide a formalised structure for individual operators and corporate bodies to follow in order to beef up their security stance, or meet the requirements of regulatory compliance regimes and the law.

Frameworks for cyber security typically take the form of a set of recommendations. They may also describe procedures and tools that may be used to put those recommendations into practice.

Ten Steps to Cyber Security, a report issued by the National Cyber Security Centre (NCSC, a division of UK intelligence headquarters GCHQ) to help business executives get to grips with the subject, is an example of this approach.

In terms of regulatory compliance, frameworks will typically spell out the exact conditions that organisations or individuals will have to satisfy in order to continue operating in a particular industry, discipline, or market sector, without running the risk of fines or legal action.

The recently launched General Data Protection Regulation or GDPR is one such framework, created by the European Union (EU) to set conditions guarding the data privacy of its citizens and residents.

There are many different frameworks in existence, and organisations have to be careful to choose the ones that are most effective and appropriate for them. After all, what is cyber security to one business may be too complex, or not far-reaching enough, for others.

Security Policies

Based on the demands of the law, regulatory requirements, and the conditions of their own working environment, organisations are usually advised to draw up a formalised policy, laying out how security matters should be handled.

Security policies will usually spell out what practices are permissible and which ones aren’t, in promoting and maintaining cyber security for the enterprise. They’ll also specify the powers and privileges that every member of the organisation has in respect to things like network and database access, control of intellectual property, and other issues. Fines and penalties for abusing corporate security policy may also be laid out here.

Security Architecture

The security architecture of an establishment is the structure of physical hardware, software applications, procedures, partnerships, and related services that maintain and monitor the cyber security of the enterprise. These may include:

  • Physical security measures: Gates, security cameras, scanners, locks, identity tags, and associated hardware.
  • Access control: The mechanisms and procedures that keep unauthorised users or visitors at bay.
  • Authentication and validation: Methods of ensuring that only authorised members of an organisation or invited guests can check in and out of the networks and resources they’re entitled to.
  • Intrusion detection and/or intrusion prevention: Hardware and software that guard against attempts to infiltrate networks and systems by hackers and spies.
  • Monitoring: Qualified security and IT personnel, dedicated hardware, and/or automated systems running constant checks against threats and signs of infection or system compromise.
  • Incident Response: Deployment of specialised teams of responders, in the case of alerts or confirmed evidence of an attack.

Cyber Threat Intelligence

With new attack methods and new strains of malware (malicious software) emerging or being developed even as we speak, much of the security challenge for private individuals and businesses lies in staying on top of the latest happenings in the world of cyber security. This is where cyber threat intelligence comes into play.

As its name suggests, cyber threat intelligence consists of detailed information (or intelligence) on current security threats, the people, technology, and criminal organisations currently responsible for them, and the latest methods for combating the threats that they pose.

Cyber threat intelligence may come in several forms. Common among these are online databases, white papers (advisory documents), discussion forums, specialist consultants, and pools of shared knowledge drawn from experts in the field, and from organisations that have been affected by cyber threats of various kinds.

Security Awareness Training

With human error, poor judgement, and just plain foolishness often assisting hackers and cyber criminals more than the malicious software and other tools they use, it’s important for network and internet users to become aware of the threats they actually face, and the best methods for avoiding them. That’s where cyber security awareness training comes into the picture.

Aside from raising awareness, the aim of security awareness training is to instil a culture and attitude that makes cyber security and risk management a part of daily life.

This training may be formally conducted (e.g., by a business organisation), or sought out independently. Interactive exercises, tests, and engaging presentation techniques are typically used to explain prevailing cyber threats, the risks to individuals and businesses, and best practices for staying safe.

Penetration Testing

All the tools and security training in the world don’t help if systems and people crumple under the pressure of a real security incident or hacking attack. So many business enterprises conduct what are known as random penetration tests. These are the equivalent of live drills, for fire or emergency response.

In penetration testing, external contractors are usually called in and given a free hand to stage a cyber attack on an organisation’s network and personnel, using various methods such as brute force assaults on passwords, email and message phishing (trying to fool people into giving up sensitive information, visiting booby-trapped websites, or opening file attachments loaded with malware), or overloading system resources.

The goal of these exercises is to gauge and monitor the performance of workers and incident response teams under the pressure of a real attack, and to highlight areas where the security defences of an enterprise can be improved.

Penetration testing is typically performed by security professionals who have a familiarity with the latest hacking techniques, but use these skills for benevolent purposes. So if you ever come across terms like “white hat hackers” or “ethical hacking”, this is what they’re referring to.

Security Threats to Personal Users

In terms of what is cyber security for the individual, the sad truth is that it’s a precarious environment out there, and pretty much always has been. Among the numerous security threats facing personal users of networks, the internet, and mobile devices are:

  • Malicious software or malware, in general: Traditional computer viruses, Trojans or Trojan Horse programs (look like one thing, actually do another), and worms (software capable of reproducing itself so that it can spread from one computer to the next over a network), plus things like spyware, adware, and key-loggers (which can record your strokes on the keyboard, or mouse movements) are all examples.
  • Ransomware: A specialised breed of malware that can immobilise complete systems by encrypting all the information on them, so that the owner can’t understand or access it. Victims are extorted for money (usually in the form of Bitcoin or some other cryptocurrency), for the keys to unlock their devices. The likes of WannaCry and Petya have wreaked havoc and made considerable sums for the criminals distributing them.
  • Crypto-jacking software: Programs hidden inside otherwise legitimate software or websites that hijack a user’s or visitor’s system resources to mine for cryptocurrencies.
  • Phishing and social engineering: Bogus messages (email, SMS, false advertising, or voice calls) aimed at getting victims to divulge useful information, or at leading them to download malicious file attachments or visit web sites booby-trapped with malware.
  • Identity theft: Gathering of personal and business information (from browsing activity, social media, company profiles, etc.) that enables cyber criminals to impersonate victims, or sell their digital identities on to third parties.
  • Information leaks: Exposure of personal, financial, and other sensitive data due to hacks, security breaches, mobile apps with links to third parties, or indiscreet practices online.

Security Threats to Businesses

Business organisations are composed of individual people, so of course all of the above security threats apply to businesses as well. But in addition to the personal threats, there are other more institutional cyber security risks that businesses have to consider. These include:

  • Infiltration of corporate networks: This may occur through direct action (such as successful attempts at password breaking) or indirectly (e.g. using spyware slipped to an employee through a phishing email).
  • Corruption of corporate data: If hackers gain access to corporate information, in some cases they can insert their own data as acts of sabotage or market manipulation.
  • Theft of intellectual property or copyright infringement: Secret projects, hot new products, or top-selling existing material that can be pirated for profit or claimed as someone else’s are all vulnerable, here.
  • Leakage of company credentials: Often as a result of workers using office email and other credentials on public sites like social media, which are then hacked.
  • Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks: Organised assaults against online services, networks, and web applications that clog the system so that users can’t get through.
  • System hijacking: In extreme cases (or as the final pay-off for sustained attacks known as APTs or advanced persistent threats), individual systems or entire networks may fall under the control of cyber criminals.
  • Insider threats: Often overlooked as a possibility until it’s too late, the work of disgruntled former employees or dissatisfied current ones can lead to mistakes or deliberate attempts at sabotage that give the upper hand to cyber criminals.

Final Thoughts

So, what is cyber security, and what does it involve? All of the above, plus techniques and tools to bolster your security stance and provide protection against known and unknown threats. We’ll be considering some of those in our next instalment of this series.

In the meantime, you can check out the security advice and commentary on the FileHippo blog and news feeds, and get access to some great software that’s all available to download for free.


Using automated analysis via a Python script, researchers at eSentire observed an increase in exploitation attempts on gigabit passive optical network (GPON) routers. Though the router attacks had declined since the surge reported back in June, the researchers identified a new, coordinated weaponization campaign targeting D-Link routers on 20 July.

The company reported a botnet recruitment campaign being launched and saw a surge of exploit attempts from over 3,000 different source IPs, introducing a variation of the OS command injection attack against the 2750B D-Link router.

“A sample of packets from various source IPs involved in this event pointed to a single C2 server hosting malware that appeared. VirusTotal results for the malware indicated similarities with the Mirai botnet. Variants of Mirai code have been spotted in the Satori botnet,” researchers wrote.

While none of these exploits appeared to be successful in corporate environments, likely because they lack consumer-grade routers, “it is unknown whether this attack had any success on home networks where these devices are more likely to be deployed. A successful recruitment campaign has the potential to arm the associated threat actor(s) with DDoS artillery and facilitate espionage of private browsing habits,” researchers wrote in a blog post.

The mass number of attacks is indicative of a potential botnet and researchers suggested that the botnets built using the compromised routers could be offered as a service, adding “It is not uncommon for botnet controllers to attempt to increase the number of devices in their botnet by using tactics similar to this. The infected devices can then be used to launch additional attacks such as distributing malicious content or launching DDoS attacks.”

The company also released an advisory on the topic and noted that only Dasan routers using ZIND-GPON-25xx firmware and some H650 series GPON are vulnerable, and that there are no official patches at this time. Researchers are continuing to monitor the associated signatures.


The leaves may change color, but the roots are the same. Are you ready for AI-based DDoS attacks?

What keeps me awake at night is the thought of artificial intelligence lying in wait in the hands of bad actors. Artificial intelligence combined with the powers of IoT-based attacks will create an environment tapped for mayhem. It is easy to write about, but it is hard for security professionals to combat. AI has more force, severity, and fatality which can change the face of a network and application in seconds.

When I think of the capabilities artificial intelligence has in the world of cybersecurity I know that unless we prepare well we will be like Bambi walking in the woods. The time is now to prepare for the unknown. Security professionals must examine the classical defense mechanisms in place to determine if they can withstand an attack based on artificial intelligence.

Fail to prepare, prepare to fail

The arrival of new technologies comes with an abundance of security threats. New products are released to cover the inadequacies in protocols. With today’s attack surface, no one can ever be fully secure. Being almost secure is good enough for most and security teams work on the basis that it’s not a matter of if, it’s a matter of when.

There are well-known mechanisms to combat distributed denial of service (DDoS) attacks. We can spread the perimeter, offload to a scrubbing center, and tackle the problem head-on. Then along came IoT-based attacks that raised the bar causing respectable networks to fall flat. However, there is only so much bandwidth out there and the headlines are often worse than the capabilities.

What I haven’t heard too much about is the repercussions of artificial intelligence in the hands of bad actors. A combination that will inevitably unlock a more powerful form of DDoS attack. A machine does not stop, get tired, lose concentration or panic. AI-based attacks keep their cool maintaining constant momentum while under pressure from defense mechanisms.

The only way to fight a machine is with another machine. Any other way is useless. Unless they want to be left blindfolded, security professionals must introduce artificial intelligence on the defense side rather than rely on traditional defense mechanisms. An AI-based defense comes in two flavors: unsupervised and supervised machine learning. Unsupervised learning is the superior defense mechanism of the two. L7Defense is a pioneer in the ability to defend from attacks in real-time using unsupervised machine learning.

From scripts with loops to automated AI-based attacks

Did you know the first DoS attack was carried out in 1974? It went mainstream with classical bots that started in the early 2000s and consisted of a manual Denial of Service (DoS) approach. Essentially, DoS is when a bad actor sends traffic to overwhelm a system. Back then, attacks were pretty basic. Even if tools were not readily available, those with moderate technical skill could carry out an attack. A single machine would send a single attacking signature. The automation was essentially done by manual keyboard entries.

This proved to be inefficient and bad actors quickly moved from manual to semi-manual. For example, this may include a simple script combined with a number of loops enabling a level of automation. However, we still only had a limited number of attacking signatures that were preconfigured in the script and only one IP source was used. The attack surface and vectors used were limited.

We then moved into a semi-automated wave consisting of multiple attacking IP sources. The introduction of command & control (C&C) servers presented a new shift in DoS, known as distributed denial of service (DDoS). C&C servers are centralized machines controlled by bad actors that are able to send commands and receive outputs. The C&C servers were not sophisticated, but they could control a number of infected end host computers, spreading the attack source. These infected computers were known as botnets.

The botnets would receive predefined commands from the C&C servers and carry out a set pattern of attack signatures. The signatures were set in stone regardless of how well the defense side was doing. The botnets were still static because the C&C servers issued similar commands to each of them. The scale of the attack increased but the intelligence didn’t. We experienced more spread and a larger attacking surface but with the same intelligence.

Malware automation

The major turning point in the evolution of DDoS came with the automatic spreading of malware. Malware is a word you hear a lot, and it is the term used to describe malicious software. The automatic spreading of malware represented the major route for automation and marked the first phase of fully automated DDoS attacks. Now, we could increase the distribution and schedule attacks without human intervention. Malware could automatically infect thousands of hosts and apply lateral movement techniques, spreading from one network segment to another. Moving between network segments is known as beachheading, and malware could beachhead from one part of the world to another.

There was still one drawback. And for the bad actor, it was a major drawback. The environment was still static, never dynamically changing signatures based on responses from the defense side. The botnets were not variable by behavior. They were ordered by the C&C servers to sleep and wake up, with no mind of their own.

As I said, there is only so much bandwidth out there. So, these types of network attacks started to become less effective. Bad actors started to sidestep a little and target the application layer instead of the network infrastructure. Reflection-style attacks started to appear along with their enhancement, known as amplification. Distributed reflection denial of service attacks were the worst at that time. Reflection attacks abuse user datagram protocol (UDP) services. UDP is connectionless by design, and the receiver does not validate the source IP, which is the address of the client requesting a service. The lack of validation makes it possible for someone to pretend to be you by using your IP as the source, known as IP spoofing.

The legitimate host whose IP address has been spoofed is unknowingly overwhelmed when the UDP server sends back responses. The UDP server is essentially acting as the reflector, hiding the identity of the bad actor. Amplification exploits the fact that responses are generally much larger than the requests that trigger them. A simple request can draw a response with many IP addresses along with additional information. If a DNS server can amplify requests by a factor of 200, a bad actor with bandwidth of 100Mbps using both amplification and reflection techniques can generate an attack of 200Gbps. Now, can you imagine what happens if there are thousands of reflectors?
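From the defender's side, reflected traffic has a recognizable shape in flow data: UDP datagrams arriving from a reflector service port that the protected host never queried. The sketch below is an added example, not code from the article or from the Link11 report; the flow tuple layout, the `find_reflection_victims` name, the thresholds and the sample records are all assumptions made for illustration.

```python
from collections import defaultdict

# Well-known UDP ports of the reflection vectors named on this page.
REFLECTOR_PORTS = {53: "DNS", 389: "CLDAP", 1900: "SSDP", 11211: "Memcached"}
REQUEST_WINDOW = 5.0  # seconds a response may trail its request (assumed value)


def find_reflection_victims(flows, protected, min_bytes=50_000):
    """Report protected hosts receiving unsolicited UDP responses.

    flows: time-ordered iterable of
           (ts, proto, src, sport, dst, dport, nbytes)  # hypothetical layout
    protected: set of IP addresses we are defending.
    """
    last_request = {}  # (client, client_port, server, server_port) -> ts
    stats = defaultdict(
        lambda: defaultdict(lambda: {"bytes": 0, "reflectors": set()})
    )

    for ts, proto, src, sport, dst, dport, nbytes in flows:
        if proto != "udp":
            continue
        # Outbound query from a protected host: remember it so the matching
        # response is treated as solicited.
        if src in protected and dport in REFLECTOR_PORTS:
            last_request[(src, sport, dst, dport)] = ts
            continue
        # Inbound datagram that looks like a response from such a service.
        if dst in protected and sport in REFLECTOR_PORTS:
            asked = last_request.get((dst, dport, src, sport))
            if asked is not None and 0 <= ts - asked <= REQUEST_WINDOW:
                continue  # we asked for this one
            entry = stats[dst][REFLECTOR_PORTS[sport]]
            entry["bytes"] += nbytes
            entry["reflectors"].add(src)

    report = {}
    for victim, vectors in stats.items():
        total = sum(v["bytes"] for v in vectors.values())
        if total < min_bytes:
            continue  # stray packets, not a flood
        report[victim] = {
            "total_bytes": total,
            "vectors": {
                name: {"bytes": v["bytes"], "reflectors": len(v["reflectors"])}
                for name, v in sorted(vectors.items())
            },
            "multi_vector": len(vectors) >= 2,
        }
    return report


def sample_flows():
    """Constructed flow records (documentation address ranges only)."""
    victim, resolver = "203.0.113.10", "198.51.100.53"
    flows = [
        (0.0, "udp", victim, 40000, resolver, 53, 70),    # genuine DNS query
        (0.1, "udp", resolver, 53, victim, 40000, 180),   # its answer
        # One stray unsolicited DNS datagram to another host, below threshold.
        (2.0, "udp", "192.0.2.200", 53, "203.0.113.11", 5353, 512),
    ]
    for i in range(40):   # Memcached responses nobody requested
        flows.append((1.0 + i * 0.01, "udp", f"192.0.2.{i + 1}", 11211,
                      victim, 51000, 1400))
    for i in range(30):   # SSDP responses nobody requested
        flows.append((1.5 + i * 0.01, "udp", f"198.51.100.{i + 100}", 1900,
                      victim, 51001, 320))
    return sorted(flows)


if __name__ == "__main__":
    hosts = {"203.0.113.10", "203.0.113.11"}
    for ip, info in find_reflection_victims(sample_flows(), hosts).items():
        print(ip, info)
```

The per-vector reflector counts give an upstream provider or scrubbing service the source ports to filter on, and the `multi_vector` flag marks floods that combine more than one reflection vector.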

Different variations of layer 3, 4 and 7 based attacks were well underway with readily available tools. It became easy and cheap to launch an attack. The major difference between these attack variations is the ability to create a session, for example, a secure sockets layer (SSL) session for the victim with an attempt to cause session exhaustion higher up in the stack. Alternatively, the bad actor may send a flood of internet control message protocol (ICMP) messages without waiting for a reply, making no attempt to take over the session.

Eventually, a combination developed to form a dangerous mix of layer 3, 4 and 7 based attacks. The classical volumetric attack was often combined with a layer 7 attack focusing on the application. The volumetric attack would simply act as a cover for the layer 7 based attack. Application attacks are heaven for bad actors. Each web application represents an infinite number of attack possibilities with so much variation for them to pick and choose from. There are many tools available that can generate random page attacks along with randomization techniques. Web security companies are on the back foot. They have the capability to scan for and detect hundreds of thousands of vulnerabilities, but not an infinite number of signatures.

Things got a bit more serious when bad actors started to combine the automatic spreading of malware with IoT. We experienced a mega-attack scale and solid networks started to hit the floor. While traditional C&Cs are not very sophisticated, the big brother IoT C&C servers are more dynamic and can control botnets with a number of optimizations that can change every few seconds based on the defense response.

They are heaps more intelligent than the classical C&Cs. The botnets are no longer static. Each botnet now controls its own unit of work, representing many small armies working in isolation and attacking a single destination.

The rise of artificial intelligence

Today, we are entering into a different wave of DDoS attack. This new era has all the power of IoT-based attacks along with artificial intelligence combined with various feedback loops and automatic optimizations.

Artificial intelligence is constantly optimizing, changing parameters and signatures automatically in response to the defense without any human interaction. It works alone keeping security professionals up all night unless the right precautions are in place.

There are two flavors of AI-based defenses: supervised and unsupervised machine learning. Supervised learning is similar to having a teacher with a predefined curriculum including specific questions and answers. With unsupervised learning, there is no teacher and no narrow curriculum. The curriculum develops itself based on the student’s changing needs.

Supervised learning needs to be fed with examples in order to deal with the situation. After enough examples, it becomes a closed problem. However, this brings a number of drawbacks in the world of AI-based attacks. If you have malware different from the examples the system was given, will the system identify and appropriately deal with it? Probably not, and this is where false positives start to increase.

Unsupervised learning is superior in the sense that you don’t need to feed the system with examples. This represents a major shift in how you protect against a machine that is constantly changing in response to the defense side. Unsupervised learning has the ability to change and adapt as the problem itself changes. The real issue hitting supervised learning is that traffic patterns are, by their very nature, unpredictable. The source and destination IP endpoints may remain unchanged but there can be numerous alterations in the headers and message body. The variations are a major problem for supervised learning.

No one can predict and create examples for all application traffic profiles and potential attack vectors. As a result, we cannot cover the entire space and feed a supervised machine learning system with enough examples to cover every possible angle. If you can’t cover the entire space, then you need a system that can analyze the environment by itself and work out, without human intervention, the best possible course of action while still keeping false positives to a minimum. A system that can dynamically learn and adapt to known and unknown environments.
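A small illustration of the unsupervised idea, using the case the article raises where source IPs stay the same but headers change. This is an added example, not code from the article or from L7Defense: it stands in a simple median/MAD statistical baseline for a real learning system, and every name, feature and threshold in it is an assumption.

```python
import statistics
from collections import deque


class RobustBaseline:
    """Per-feature baseline learned from unlabelled traffic windows.

    Keeps a sliding history of values from windows judged normal and scores
    new windows by robust z-score (median and MAD). No attack examples are
    ever supplied; the sliding history lets the baseline follow slow drift.
    """

    def __init__(self, history=50, threshold=6.0, warmup=10):
        self.history = history
        self.threshold = threshold
        self.warmup = warmup
        self.seen = {}  # feature name -> deque of recent normal values

    def score(self, features):
        """Largest robust z-score across features (0.0 during warm-up)."""
        worst = 0.0
        for name, value in features.items():
            past = self.seen.get(name)
            if not past or len(past) < self.warmup:
                continue
            med = statistics.median(past)
            mad = statistics.median(abs(x - med) for x in past)
            scale = 1.4826 * mad or 1.0  # flat history: fall back to 1.0
            worst = max(worst, abs(value - med) / scale)
        return worst

    def observe(self, features):
        """Score a window, then learn from it only if it looked normal."""
        s = self.score(features)
        anomalous = s > self.threshold
        if not anomalous:  # do not let attack traffic poison the baseline
            for name, value in features.items():
                self.seen.setdefault(
                    name, deque(maxlen=self.history)
                ).append(value)
        return anomalous, s


def window_features(requests):
    """Summarise one time window of HTTP request metadata."""
    return {
        "requests": len(requests),
        "distinct_sources": len({r["src"] for r in requests}),
        "distinct_user_agents": len({r["ua"] for r in requests}),
        "distinct_paths": len({r["path"] for r in requests}),
    }


def make_window(w, attack=False):
    """Constructed request metadata for window number w."""
    n = 100 + (w % 7) * 3  # normal volume wobbles between 100 and 118
    return [
        {
            "src": f"198.51.100.{i % 4 + 1}",  # same four clients throughout
            "path": f"/item/{i % 10}",
            # Attack traffic mutates a header on every request.
            "ua": f"mutated-{w}-{i}" if attack else f"browser-{i % 5}",
        }
        for i in range(n)
    ]


def flagged_windows(total=35, attack_at=30):
    """Run the detector over constructed traffic; return flagged indices."""
    detector = RobustBaseline()
    flagged = []
    for w in range(total):
        feats = window_features(make_window(w, attack=(w == attack_at)))
        anomalous, _ = detector.observe(feats)
        if anomalous:
            flagged.append(w)
    return flagged


if __name__ == "__main__":
    print("flagged windows:", flagged_windows())
```

The attack window has the same request volume and the same four source addresses as normal traffic, so a rate limit or IP blocklist would not notice it; only the header-diversity feature moves.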

Supervised learning can help to a certain extent but in a world that is full of dynamic variables, you really need a system that can adapt to these changes and predict the unknown future that AI-based attacks will bring.

Within the cybersecurity realm attackers are moving fast. It is similar to moving from ice to water: the ice does not move, so what you need now is not a hammer for the ice but a device that can analyze the water to detect a poisonous ingredient in disguise. This is why you need to move from supervised to unsupervised learning.