DDoS Archive

DDoS attacks are more prevalent than ever and enterprises can’t always rely on their service providers for protection. Learn what enterprises should do for effective DDoS mitigation.

Moving unified communications applications to the cloud can simplify business operations. But cloud infrastructure can present vulnerabilities that attract malicious attacks like distributed denial of service (DDoS). And with many enterprises using service providers for their UC applications, DDoS attacks can be more damaging than ever.

As the threat of DDoS attacks loom, there is a disconnect between enterprises and their service providers taking responsibility during an attack, according to a report from DDoS mitigation service provider Black Lotus Communications, which surveyed 129 service providers and the impact of DDoS on their business.

According to the report, many organizations believe they can rely on their service provider to manage a DDoS attack and its impact on their business. But the reality is most providers believe they are solely responsible for making sure their infrastructure remains intact during an attack and that the direct impact of an attack is the customer’s responsibility.

“Service providers with undeveloped DDoS mitigation strategies may choose to sacrifice a customer by black hole routing their traffic or recommending a different service provider in order to protect the service of other customers,” said Chris Rodriguez, network security senior analyst at Frost & Sullivan. Enterprises can lose anywhere from $100,000 to tens of millions of dollars per hour in an attack, the report found.

Just over one-third of service providers reported being hit with one or more DDoS attacks weekly, according to the report. Managed hosting services, VoIP and platform as a service were the three industries most affected by DDoS.

During an attack, 52% of service providers reported temporarily blocking the targeted customer, 34% reported removing the targeted customer, 32% referred customers to a partner DDoS mitigation provider and 26% encouraged an attacked customer to find a new service provider. But by removing or blocking a customer, service providers have effectively helped the attackers achieve their goal and leave enterprises suffering the consequences, according to the report.

Communicating DDoS concerns

Three-quarters of service providers reported feeling very to extremely confident they could withstand a catastrophic DDoS attack, and 92% of providers have protections in place. But the report found that the majority of providers use traditional protections that have become less effective in mitigating DDoS.

To maximize DDoS protection, Nemertes Research CEO Johna Till Johnson offered four questions that enterprises should ask when evaluating service provider security and DDoS protection.

  1. What protections does the service provider have in place in the event of an attack?Don’t be afraid to ask service providers questions regarding the DDoS mitigation products and services they use, what their DDoS track record is or how many clients have been victims of an attack. “If they refuse to answer, it tells you something about the vendor,” Johnson said. “Any legitimate provider has this information and will share it with customers.”
  2. Is the service provider willing to put DDoS mitigation in a service-level agreement (SLA)? The provider may already include DDoS protection or may require the enterprise to buy a service. But if a provider won’t include DDoS mitigation in an SLA, find out why. “If you’re not going to put it in black and white, you’re at risk,” she said.
  3. What third-party services does the provider recommend? Service providers may have third-party partnerships that can deliver DDoS protection.
  4. What is your organization’s stance on security? Johnson recommends having a line item in the budget for DDoS that covers a DDoS mitigation service or product.

Making DDoS mitigation plans

If a service provider is hit with a DDoS attack, there are two issues facing enterprises, Johnson said. The first issue is if the enterprise experienced a small hit in the attack. “If you’ve gotten a gentle probe, then attackers may be coming after you,” she said.

Just like when a credit card number is stolen and the thief spends a small amount of money to test the number before making the large, fraudulent charges, attackers are testing for vulnerabilities. Enterprises should immediately figure out where they’re at risk and what they can do to protect themselves now, Johnson said.

The second issue, she said, is that DDoS isn’t just an attack, it’s an earthquake. A disaster recovery plan is required so enterprises know what to do if a core application is suddenly unavailable.

“DDoS attack techniques continue to change, and enterprises must be proactive in their defenses,” Rodriguez said.

He said a hybrid approach to DDoS mitigation has emerged as an effective strategy. Hybrid DDoS mitigation requires an on-premises DDoS mitigation appliance to protect an enterprise’s infrastructure and a cloud-based DDoS mitigation service that routes traffic to a scrubbing center and returns clean traffic. The on-premises appliance is used during smaller attacks; and when attacks reach a certain size, the appliance can signal for the cloud-based service to take over.

“This allows the organization to use the DDoS services sparingly and only when necessary, with a seamless transition between the two services,” he said.

Source: http://searchunifiedcommunications.techtarget.com/news/4500245890/Enterprises-must-be-proactive-in-DDoS-mitigation

Over the last decade, DDoS attacks have proliferated, possibly becoming the primary threat for every website or web application.

The ultimate goal is to bring down sites by flooding them with fake requests, usually from multiple locations.

The outcome of such attacks ranges from slow page loads to blocking legitimate traffic.

Among the thousands of DDoS attacks that happen every day, you’ll find attacks that last a number of days, as opposed to short-duration attacks that only take a few minutes for attackers to coordinate and launch at a time.

These attacks are becoming much more commonplace, whether the goal is to take a site down or if they’re used as a smokescreen to divert site owners’ attention.

In this article, I would like to share our real life experience with short-duration DDoS attacks, addressing what happens when this type of attack targets multiple sites simultaneously.

5 Short Attacks in 3 Days

We recently witnessed a three day, continuous attack that targeted two domains of a well-known bank.

On the first day, the bank suffered a significant volumetric attack that lasted five to six minutes, but consumed bandwidth at a rate of dozens of gigabytes per second.

Another attack, that lasted fifteen minutes, took place on the second day, targeting the second domain of the bank.

On the third day, the same domain that was targeted the previous day was hit with a long duration attack.

We could see that the first and second attacks were reconnaissance attacks, executed to evaluate which of the two domains was more vulnerable.

It is clear that the second domain was more susceptible since it was hit much harder in the third attack.

In parallel, we detected that there was another short-duration spike attack that targeted one of our Telco customers.

Just two hours later, there was another attack against a large utility organisation.

Because of this pattern, we were able to identify that all three attacks were performed by the same attacker and could warn and better protect our customers against further attacks.

Comparing the volume of bandwidth we’ve encountered on the first day of the attacks, to a DDoS attack’s average peak size of 7.39 Gbps, as reported by SCMagazine, we can see that short-duration attacks use large volumes of traffic in short, shotgun-like bursts.

Attackers leverage these short-duration attacks to evaluate which companies and organisations are easiest to infiltrate.

We assume that this also has to do with the availability of resources. These types of attacks are more likely to come from smaller, private groups that are shorter on resources, as opposed to criminal groups or countries which have access to unlimited resources and can therefore launch long-duration attacks from day-one.

Here’s what we’ve seen over time:


When it comes to short-burst attacks, time is of the essence. Attacks are likely to go under the radar and leave no time to respond.

Organisations managing multiple web domains must have the ability to centralise incoming data, preferably by working with the same security vendor across all their domains. This enables them to predict attacks by analysing trends and patterns across their sites.

Organisations should demand this capability from their security vendors, who should also be willing to use data from various customers in order to predict potential attacks on other customers, as described in the above case study.

We see a growing number of short duration attacks across our customer base.

Awareness to this new pattern is key: customers typically assume that the attack is over, while this may actually be a sign for a much larger attack coming through.

In light of this new pattern using services and tools that can aggregate attack information across customers and websites is an ideal way to predict and avoid the massive DDoS attacks about to come.

Source: http://www.thecsuite.co.uk/CIO/index.php/security/289-ddos-attack-tactics-3343

Connectivity at MTN’s Gallo Manor data centre has been fully restored after the Johannesburg site was hit by a distributed denial of service (DDoS) attack earlier this afternoon.

MTN alerted clients just after 3pm today that it had suffered a DDoS attack, which resulted in packet loss and a disturbance to clients’ cloud services.  At the time the company said MTN Business’ network operations centre was working on resolving the problem to avoid any further attacks.

This comes less than two days after a power outage at the same data centre caused loss of connectivity.

MTN chief technology officer Eben Albertyn says, while the DDoS attack today hampered the company’s ability to provide connectivity services, engineers worked “fervently” to fully restore services and avert further attacks, and connectivity was restored soon after.

“The interruption lasted only a few minutes and is completely unrelated to the outage experienced on Monday. MTN wishes to apologise profusely to its customers for any inconvenience caused.”

On Sunday evening just after 6pm, MTN’s Gallo Manor data centre went offline, causing major disruptions to clients’ services, including Afrihost.

MTN put the outage down to a power outage. The problem persisted until the next day, with services being restored around 11am on Monday.

Digital Attack Map defines DDoS attack as: “An attempt to make an online service unavailable by overwhelming it with traffic from multiple sources.”  The live data site notes these attacks can target a wide variety of important resources, from banks to news Web sites, and present a major challenge to making sure people can publish and access important information.

Source: http://www.itweb.co.za/index.php?option=com_content&view=article&id=142968:MTN-weathers-DDOS-attack

The recent DDoS attacks aimed at GreatFire, a website that exposes China’s internet censorship efforts and helps users get access to their mirror-sites, and GitHub, the world’s largest code hosting service, have been linked to the Great Cannon, an attack tool co-located with the Great Firewall of China.

“A report released by GreatFire.org fingered malicious Javascript returned by Baidu servers as the source of the attack. Baidu denied that their servers were compromised,” Citizen Lab researchers noted, then explained: “The Great Cannon is not simply an extension of the Great Firewall, but a distinct attack tool that hijacks traffic to (or presumably from) individual IP addresses, and can arbitrarily replace unencrypted content as a man-in-the-middle.”

GreatFire says that the attack against their servers started on March 17, and Citizen Lab pinpoints their end to April 8, 2015. A blog post published on Friday by Niels Provos, an engineer with Google’s Security Team, shows this information is correct, as its Safe Browsing infrastructure picked up this attack, too.

“While Safe Browsing does not observe traffic at the network level, it affords good visibility at the HTTP protocol level. Using Safe Browsing data, we can provide a more complete timeline of the attack and shed light on what injections occurred when,” he noted.

The data shows that content injections against baidu.com domains on March 3, 2015, and ended on April 7. Also, that the attack was carried out in multiple phases:

Phase 1: March 3 – March 6. Target: This was a testing stage.
Phase 2: March 10 – March 13. Targets: Hosts under the sinajs.cn and cloudfront.net domains.
Phase 3: March 14 – March 17. Target: Another host under the cloudfront.net domain.
Phase 4: March 18 – March 25. Targets: Additional Five cloudfront hosts. “At some point during this phase of the attack, the cloudfront hosts started serving 302 redirects to greatfire.org as well as other domains. Substitution of Javascript ceased completely on March 20th but injections into HTML pages continued.”
Phase 5: March 25 – April 7. Targets: github.com/greatfire/wiki/wiki/nyt/, github.com/greatfire/, github.com/greatfire/wiki/wiki/dw/, and github.com/cn-nytimes/.

All in all, eight baidu.com domains and corresponding IP addresses were injected with Javascript replacement payloads and HTML injections.

Apart from giving more insight in the attacks, this report shows that hiding such attacks from detailed analysis after the fact is difficult. Even though this data can’t be used to identify the attackers, it is Provos’ hope that “external visibility of this attack will serve as a deterrent in the future.”

“Had the entire web already moved to encrypted traffic via TLS, such an injection attack would not have been possible. This provides further motivation for transitioning the web to encrypted and integrity-protected communication,” he noted. “Unfortunately, defending against such an attack is not easy for website operators. In this case, the attack Javascript requests web resources sequentially and slowing down responses might have helped with reducing the overall attack traffic.”

Source: http://www.net-security.org/secworld.php?id=18312

According to Neustar’s 2015 North American Denial of Service (DDoS) Attacks & Impact Report, 32 percent of U.S. companies say a DDoS attack would cost them more than $100,000 in revenue per hour.

Eleven percent say DDoS attacks can lead to more than $1 million in hourly revenue losses.

The report, based on a survey of more than 500 U.S. executives and senior professionals, also found that 40 percent of businesses say DDoS attacks are a growing threat to their organization.

Among companies that have been hit by DDoS attacks, 85 percent were hit multiple times, and 30 were attacked more than 10 times per year. Over a quarter of those attacked said they suffered a loss of customer trust and brand damage as a result.

“A website attack that was once considered to be an IT problem now reverberates and can cause significant brand damage that affects all organizational employees and its customers,” Neustar director of security services Margee Abrams said in a statement.

The Neustar report also found that 51 percent of respondents say they’re investing more in DDoS protection solutions than they were a year ago.

Notably, 45 percent of businesses say it takes them more than an hour to detect a DDoS attack — and after detection, 51 percent say it takes them more than an hour to respond.

But according to NSFOCUS’ biannual DDoS Threat Report, that response would come far too late in the vast majority of cases — the report states that 90 percent of DDoS attacks in 2014 lasted less than 30 minutes in total.

“This shorter attack strategy is being employed to improve efficiency as well as distract the attention of IT personnel away from the actual intent of an attack: deploying malware and stealing data,” the NSFOCUS report states. “These techniques indicate that today’s attacker continues to become smarter and more sophisticated.”

In one attack event in December 2014, NSFOCUS found that one third of attack sources were smart devices such as webcams and routers.

Such devices, the NSFOCUS report notes, offer several key benefits to attackers, including relatively high bandwidth, a long upgrade cycle (many are never upgraded after deployment), and 24/7 online availability.

“In 2H 2014, the reflective amplification distributed denial of service attacks that abuse the Simple Service Discovery Protocol (SSDP) emerged as the most potent and increasingly favored attack vector,” the report states.

NSFOCUS says more than 7 million smart devices could be exploited globally to launch such attacks, which can amplify attack bandwidth by as much as 75 times.

“With IoT bringing billions of such devices online, there will be an exponential growth in SSDP-type attacks,” the report notes.

The NSFOCUS report also predicts that 2015 will see the peak traffic of DDoS attacks reach 1 Tbps.

Source: http://www.esecurityplanet.com/network-security/for-many-u.s.-enterprises-ddos-attacks-can-cost-over-100000-per-hour.html