DDoS Archive

Botnet operators are changing their methods for conducting distributed denial of service (DDoS) attacks.

A customer study from security firm Prolexic found that over the last quarter, DDoS attacks used less bandwidth and took place over shorter durations of time. Additionally, botnet operators were more aggressive with the time they did spend, increasing packet-per-second volume by 63 per cent.

Researchers believe that the trend indicates a tendency for botnet operators to be more cautious with their attacks, conducting shorter operations in order to reduce the risk of detection and the possible loss of their networks.

“As perpetrators realise their DDoS attacks are being blocked by a mitigation provider, they are moving on to easier targets sooner than in the past,” the company said in the report.

Despite being more cautious in their activity, botnet herders showed no sign of letting up. The study found that DDoS attacks were on the rise across all sectors of the business space. The report found that the total number of reported attacks had doubled over the same period in 2011.

The survey found that attacks on the routing and transport layers of infrastructure components accounted for 81 per cent of attacks, while application layer attacks were down on the quarter.

Prolexic researchers believe that the trend indicates a growth in the popularity of DDoS attacks and easier management and infection tools.

“This indicates the technical barrier to entry has been significantly lowered for malicious actors who seek to participate in denial of service attacks through improved accessibility to no-cost and simple, yet powerful tools,” the company said.

Source: http://www.v3.co.uk/v3-uk/news/2191368/ddos-attacks-becoming-shorter-and-more-intense-as-botnet-operators-get-cautious

Late last month, two members of the hacker group LulzSec pleaded guilty to launching distributed denial-of-service (DDoS) attacks against entities ranging from the state of Arizona to Nintendo to the CIA. Yet despite extensive media coverage of such attacks, chief information security officers are still surprised when their companies get hit.

This is not an unforeseeable lightning bolt from the blue, people. The cyber world is full of anonymous arsonists, and too many businesses are operating without a fire department on call. A few sprinklers won’t cut it when things flare out of control. Firewalls and intrusion-prevention system appliances are no substitute for specialized DDoS backup when an attack escalates.

Proactively securing a mitigation service can be a good insurance policy–in fact, it’s better than insurance, which pays off only after damage is done. That’s because mitigation services are designed to prevent destruction from occurring in the first place. Not only can a mitigation service act as a deterrent–many attackers will move on to easier prey when they see an initial DDoS attack fail–but these providers have the capacity and expertise to rapidly scale DDoS countermeasures against coordinated, professional attacks. That can mean keeping your website online even under heavy bombardment.

Big And Small Companies At Risk

Denial-of-service attacks used to be something that happened to other people, those with high online visibility. Not anymore. “We’ve seen very small companies come to us and they can’t figure out why they’re under attack,” says Chris Richter, VP of security products and services at Savvis. They ask, “What have we done?”

Blame the proliferation of prepackaged DDoS toolkits, such as the Low Orbit Ion Cannon and Dirt Jumper, for the fact that no one’s safe. Like any brute-force tactic, DDoS relies on the fact that any attack, even the most rudimentary, repeated with sufficient volume and frequency, can effectively shut down a network or website. Botnets often span thousands or millions of systems worldwide; Akamai, for example, provides a real-time attack heat map. In early July, attack rates were almost 30% above normal, with hot spots in Delaware and Italy. Geographic dispersion, coupled with network traffic crafted to look like legitimate connections from normal users, makes DDoS attacks both extremely effective and difficult to defeat if you’re not an expert with the right tools.

There are three main distributed denial-of-service categories:

>> Volumetric attacks overwhelm WAN circuits with tens of gigabits per second of meaningless traffic–so-called ICMP or UDP floods.

>> Layer 3 attacks abuse TCP. For example, SYN floods overload network equipment by starting but never completing thousands of TCP sessions using forged sender addresses. SYN floods can be in excess of 1 million packets per second, largely in response to the wider deployment of hardware countermeasures on firewalls and other security appliances, says Neal Quinn, COO of DDoS mitigation specialist Prolexic.

>> Layer 7 floods use HTTP GET or POST requests to overload application and Web servers. From the attacker’s perspective, L7 exploits aren’t anonymous: the attacking client’s identity (IP address) is exposed because a TCP handshake must be completed. Attackers who use this approach consider the risk outweighed by the technique’s effectiveness at much lower volumes and the traffic’s stealthy nature. Requests are designed to look like normal Web traffic, which makes L7 attacks hard to detect.

Our InformationWeek 2012 Strategic Security Survey shows that the increasing sophistication of threats is the most-cited reason for worry among respondents who say their orgs are more vulnerable now than in 2011, and L7 attacks are certainly sophisticated. They’re also getting more common: Mark Teolis, founder and CEO of DOSarrest, a DDoS mitigation service, says 85% of the attacks his company sees have a Layer 7 component. Attackers leveraging L7 are often developers; they may do some reconnaissance on a website, looking for page requests that aren’t cacheable and are very CPU-intensive–things like filling a shopping cart, searching a database, or posting a complex form.

Teolis says that a mere 2 to 3 Mbps increase in specially crafted L7 traffic can be crippling. “We’ve had gaming sites tell us they can handle 30,000 customers, but if 100 hit this one thing, it’ll bring down the entire site,” he says.

Layer 7 attacks are tough to defeat not only because the incremental traffic is minimal, but because it mimics normal user behavior. Teolis has seen attacks where an individual bot may hit a site only once or twice an hour–but there are 20,000 bots involved. Conventional network security appliances just can’t handle that kind of scenario. And meanwhile, legitimate customers can’t reach your site.

Why Us?

The motivations for a DDoS attack are as varied as the perpetrators. For many, it’s just business, with targets strategically chosen by cyber criminals. Others are political–a prime example is LulzSec hitting the Arizona Department of Public Safety to protest the state’s strict immigration law, SB 1070. And for some, it’s just sport.

Given this randomness, it’s impossible to predict the need for professional distributed denial-of-service mitigation. For example, Teolis says one of DOSarrest’s customers was the Dog Whisperer, that guru of man’s best friend. “If Cesar Millan can get attacked, anyone is fair game,” he says.

Purchasing mitigation services requires the same kind of budgeting as any form of IT security: What you spend on controls should be proportional to the value of the data or website. So, while any organization with an online presence is at some risk, those with financial or reputational assets that could be seriously damaged by going dark should take DDoS mitigation most seriously.

Everyone should take these preparatory steps.

>> Do online reconnaissance: Follow what’s being said about your company online, particularly on public social networks, and look for chatter that might hint at extortion or hacktivism. Subscribe to security threat assessment reports covering the latest DDoS techniques and incidents. Prolexic is one source for threat advisories; US-CERT also has overviews, like this one on Anonymous.

>> Heed threat mitigation recommendations: DDoS threat reports typically include details about the attack signature and recommended mitigation steps. For example, a recent Prolexic report on the High Orbit Ion Cannon identifies specific attack signatures, in this case HTTP requests, and content filter rules to block them. For L3/L4 attacks, incorporate these rules into your firewall; do likewise for L7 attacks if your firewall supports application-layer filtering.

>> Have a communications strategy: Know what you’ll tell employees, customers, and the media should you be the victim of an attack. Don’t make up statements on the fly.

>> Have an emergency mitigation backup plan: Although most DDoS mitigation services operate on a monthly subscription basis, if you haven’t signed up and an attack overwhelms your defenses, at least know who you’re gonna call. Quinn and Teolis say their services can be operational and filtering DDoS traffic within minutes, though of course it will cost you.

What To Look For In DDoS Mitigation

At the risk of oversimplification, DDoS mitigation services are fundamentally remote network traffic filters. Once your system detects an attack affecting your network or servers, you redirect traffic to the service; the service filters out the junk and passes legitimate packets to their original destinations. In this sense, it’s like a cloud-based spam filter for websites.

This traffic redirection, so-called on-ramping, is typically done via DNS. The mitigation provider creates a virtual IP address, the customer makes a DNS A record (hostname) change pointing to the remote VIPA, traffic flows through the mitigation provider’s filters, and the provider forwards only legitimate traffic on to the original site. Those facing attacks on multiple systems can divert entire subnets using Border Gateway Protocol advertisements, using Generic Routing Encapsulation tunneling to direct traffic to the mitigation provider. Advertising a new route to an entire address block protects an entire group of machines and, says Quinn, has the advantage of being asymmetrical, in that the mitigation service is used only for inbound traffic.

The most important DDoS mitigation features are breadth of attack coverage, speed of service initiation (traffic on-ramping), and traffic capacity. Given the increasing popularity of application-layer attacks, any service should include both L3/4 and L7 mitigation technology. Services may segment features into proactive, before-the-attack monitoring and reactive, during-the-incident mitigation.

Customers with monthly subscriptions should demand typical and maximum mitigation times–measured in minutes, not hours–backed up by a service-level agreement with teeth. Even those procuring emergency mitigation services should expect fairly rapid response. Most DDoS specialists staff operations centers 24/7.

With DDoS mitigation, procrastination can be expensive. For those 70% of customers who first turn to DOSarrest in an emergency, the setup fee for the first month is around $3,500 to $4,000, depending on the complexity of the site. In contrast, an average monthly cost on a subscription basis is $700 per public-facing IP address.

Filtered bandwidth is another way to differentiate between services. Some, like Prolexic, adopt an all-you-can-eat pricing model. For a flat fee per server, customers can use the service as often as they need with as much bandwidth as required. Others, like DOSarrest, keep the “use as often as you like” model but include only a certain amount of clean bandwidth (10 Mbps in its case) in the base subscription, charging extra for higher-bandwidth tiers. Teolis says 10 Mbps is sufficient for at least 90% of his company’s customers.

A few services use a pricing model akin to an attorney’s retainer, with a low monthly subscription but hefty fees for each DDoS incident. Richter says Savvis is moving to this model, saying that customers want usage-based pricing that resembles other cloud services. Prolexic’s Quinn counters that this pricing structure leads to unpredictable bills.

Bottom line, there’s a DDoS service to suit your tolerance for risk and budgetary volatility.

Optional services available from some providers include post-attack analysis and forensics (what happened, from where, and by whom) and access to a managed network reputation database that tracks active botnets and sites linked to fraudulent or criminal activity, a feature that facilitates automated blacklisting to help prevent attacks in the first place.

Aside from looking at service features, evaluate each company’s technical expertise and track record. DDoS mitigation specialists, for whom this is a core business (or perhaps their only business), arguably have more experience and focus than Internet service providers or managed security providers for which DDoS mitigation is just a sideline. Not surprisingly, Quinn, whose company was among the first to offer DDoS mitigation as a service, suggests customers should make vendors show evidence that DDoS mitigation is something they do regularly, not as a rare occurrence.

Make sure the service has highly qualified staff dedicated to the task. Ask whether the provider has experts available 24/7 and how long it will take to access someone with the technical ability and authority to work on your problem.

Unfortunately there’s no rule of thumb for measuring the DDoS mitigation return on investment; it’s really a case-by-case calculation based on the financial value of the site being attacked. It relies on factors such as the cost in lost revenue or organizational reputation for every minute of downtime. Quinn cites a common analyst cost estimate, which Cisco also uses in its product marketing, of $30 million for a 24-hour outage at a large e-commerce site.

There’s a cruel asymmetry to DDoS attacks: They can cost thousands to mitigate, inflict millions in damage, and yet attackers can launch them on the cheap. A small botnet can be rented for as little as $600 a month, meaning a serious, sustained attack against multiple targets can be pulled off for $5,000 or $10,000.

With damages potentially two or three orders of magnitude higher than the DDoS mitigation costs, many organizations are finding mitigation a worthwhile investment. In fact, three-quarters of DOSarrest’s customers don’t wait for a DDoS attack to flip the switch, but permanently filter all of their traffic through the service. That makes sense, particularly if it’s a high-value or high-visibility site, if your traffic fits within the cap, or if you’re using an uncapped service like Prolexic. These services use the same sorts of colocation hosting centers where companies would typically house public-facing websites, and they do geographically distributed load balancing and traffic routing to multiple data centers. That makes the risk of downtime on the provider’s end minimal. And this approach could actually reduce WAN costs since it filters junk before it ever touches your systems.

If a mitigation service is too expensive, there are things IT can do to lower the exposure and limit the damage from DDoS attacks (discussed more in depth in our full report):

1. Fortify your edge network: Ensure that firewall and IDS systems have DoS features turned on, including things like dropping spoofed or malformed packets, setting SYN, ICMP, and UDP flood drop thresholds, limiting connections per server and client, and dynamically filtering and automatically blocking (at least for a short time) clients sending bad packets.

2. Develop a whitelist of known good external systems: These include business partner gateways, ISP links and cloud providers. This ensures that stringent edge filtering, whether done on your firewall or by a DDoS service, lets good traffic through.

3. Perform regular audits and reviews of your edge devices: Look for anomalies like bandwidth spikes. This works best if the data is centrally collected and analyzed across every device in your network.

4. Understand how to identify DDoS traffic: Research attack signatures and have someone on your network team who knows how to use a packet sniffer to discriminate between legitimate and DDoS traffic.

5. Prepare DNS: Lower the DNS TTL for public-facing Web servers, since these are most likely to be attacked. If you need to protect an entire server subnet, have a plan to readvertise BGP routes to a mitigation service.

6. Keep public Web servers off your enterprise ISP link: With Web servers being the most common DDoS target, Michael Davis, CEO of Savid Technologies and a regular InformationWeek contributor, recommends Web hosting with a vendor that doesn’t share your pipes. “Your website may be down, but at least the rest of your business is up,” says Davis.

7. Practice good server and application security hygiene: Layer 7 attacks exploit operating system and application security flaws, often using buffer overflows to inject attack code into SQL databases or Web servers, so keep systems patched.
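As an added example (not code from any of the articles or vendors quoted here), the following Python classifies one capture window against the three attack categories described earlier, including the Layer 7 pattern of many bots each making one or two requests, using constructed sample traffic; the endpoint names, thresholds and baseline counts are assumptions.

```python
# Added example (not from the quoted articles or vendors); all traffic is constructed.
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

@dataclass(frozen=True)
class Pkt:
    src: str     # source IP as seen on the wire
    proto: str   # "TCP", "UDP" or "ICMP"
    flags: str   # TCP flags, e.g. "S", "SA", "A"; "" for non-TCP
    size: int    # bytes on the wire

Req = Tuple[str, str]  # (client IP, URL path); the IP is real because the handshake completed

# Constructed: uncacheable, CPU-heavy endpoints of the protected site.
EXPENSIVE_PATHS = {"/search", "/cart/add"}

def volumetric_mbps(pkts: Iterable[Pkt], window_s: float) -> float:
    """UDP+ICMP bit rate over the window, to compare against the WAN circuit size."""
    total = sum(p.size for p in pkts if p.proto in ("UDP", "ICMP"))
    return total * 8 / window_s / 1e6

def half_open_ratio(pkts: Iterable[Pkt]) -> float:
    """Fraction of SYN sources that never sent the handshake's final ACK.
    A forged source never sees the server's SYN-ACK and never answers it, so
    during a SYN flood this tends to 1.0; normal traffic stays near 0."""
    pkts = list(pkts)
    syn_srcs = {p.src for p in pkts if p.proto == "TCP" and p.flags == "S"}
    ack_srcs = {p.src for p in pkts
                if p.proto == "TCP" and "A" in p.flags and "S" not in p.flags}
    return len(syn_srcs - ack_srcs) / len(syn_srcs) if syn_srcs else 0.0

def l7_flood_paths(reqs: Iterable[Req], baseline_clients: Dict[str, int],
                   spread_factor: int = 10, max_per_client: int = 2,
                   low_rate_share: float = 0.95) -> List[str]:
    """Expensive paths hit by far more distinct clients than the baseline while
    nearly every client stays at one or two requests: the 'many bots, one hit
    each' pattern that per-client rate limits alone cannot see."""
    by_path: Dict[str, Counter] = defaultdict(Counter)
    for client, path in reqs:
        by_path[path][client] += 1
    flagged = []
    for path, clients in by_path.items():
        if path not in EXPENSIVE_PATHS:
            continue
        spread = len(clients) >= spread_factor * baseline_clients.get(path, 1)
        low_rate = sum(1 for n in clients.values() if n <= max_per_client)
        if spread and low_rate / len(clients) >= low_rate_share:
            flagged.append(path)
    return sorted(flagged)

def classify_window(pkts, reqs, window_s, wan_capacity_mbps, baseline_clients):
    """Run the three checks over one capture window and return the verdicts."""
    mbps, hor = volumetric_mbps(pkts, window_s), half_open_ratio(pkts)
    return {"volumetric": mbps > wan_capacity_mbps,
            "syn_flood": hor > 0.9,
            "l7_paths": l7_flood_paths(reqs, baseline_clients),
            "udp_icmp_mbps": round(mbps, 1),
            "half_open_ratio": round(hor, 3)}

# --- constructed sample traffic ---------------------------------------------
def legit_pkts(n: int = 5) -> List[Pkt]:
    """n normal clients: a SYN, then the ACK that completes the handshake."""
    out: List[Pkt] = []
    for i in range(n):
        out += [Pkt(f"192.0.2.{i + 1}", "TCP", "S", 60), Pkt(f"192.0.2.{i + 1}", "TCP", "A", 52)]
    return out

def syn_flood_pkts(n: int = 200) -> List[Pkt]:
    """n forged sources, one SYN each, no completing ACK."""
    return [Pkt(f"10.9.{i // 256}.{i % 256}", "TCP", "S", 60) for i in range(n)]

def udp_flood_pkts(n: int = 3000) -> List[Pkt]:
    """n large UDP datagrams; 3000 x 1400 bytes in a 1 s window is 33.6 Mbit/s."""
    return [Pkt(f"203.0.113.{i % 250}", "UDP", "", 1400) for i in range(n)]

def legit_reqs(n: int = 50) -> List[Req]:
    """n normal visitors: the home page plus one to three searches each."""
    out: List[Req] = []
    for i in range(n):
        out += [(f"192.0.2.{i + 1}", "/")] + [(f"192.0.2.{i + 1}", "/search")] * (i % 3 + 1)
    return out

def l7_flood_reqs(n: int = 400) -> List[Req]:
    """n bots, each requesting the expensive search endpoint exactly once."""
    return [(f"10.0.{i // 256}.{i % 256}", "/search") for i in range(n)]

BASELINE = {"/search": 30, "/cart/add": 20}  # constructed: normal distinct clients per window
```

Feed `classify_window` a quiet window (`legit_pkts()`, `legit_reqs()`) and then the same window with the three flood generators mixed in to see each verdict flip while the legitimate clients stay unflagged.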


Source: Darkreading

It’s bad news: your organisation’s website has been hit by a distributed denial of service (DDoS) attack.

Rather than sweeping the incident under a virtual rug and not reporting it to state police, there are various steps that can be taken by cyber crime units, according to one law enforcement expert. Speaking at SecureSydney 2012, Detective Inspector Bruce van der Graaf of the New South Wales Police fraud and cyber crime squad told delegates that every state in Australia has an equivalent cyber crime squad, while the Australian Federal Police (AFP) operate a high tech crime centre.


However, according to van der Graaf, some recent DDoS attacks on online shopping websites, accompanied by extortion threats, have gone unreported this year. “There were three unreported extortion attempts in 2012, not one single police officer in Australia was informed of these attempts,” he says. “That’s not good because there are some things we can do in these cases.”

Contacting the right agency

If the company subjected to a cyber attack is a major financial institution, in charge of critical infrastructure such as SCADA or is a victim of a copyright offence, they should contact the AFP, says van der Graaf.

“For every other form of cyber crime, come and see your relevant state jurisdiction,” he says.

How to report the threat

AFP-related cyber crimes should be reported through the AFP website or by calling the High Tech Crimes Operation centre.

Within NSW, the Cyber Crime unit requires victims to visit their local police station.

“I know it’s not that easy to go into a police station and explain to the constable behind the desk that your company has just experienced a DDoS attack,” van der Graaf says.

“We don’t mind if you call us as we can walk you through the process of reporting the incident at the local police station–they will then refer the matter to us.”

In addition, he says organisations should contact CERT Australia because of its expertise in dealing with DDoS and other forms of attacks.

Making a police report

When filing a report with a state police cyber crime unit, the report should include full disclosure of everything that took place during the incident.

“For example, a victim of a cyber incident had a complaint with a former employee who walked off and got access to certain systems,” van der Graaf says. “There was a fairly nasty exchange of phone messages between them. To his credit, the victim showed us the entire exchange.”

According to van der Graaf, state police need to know this information at the start of the investigation rather than have the individual be “caught out” in the witness box by withholding information.

“Early on in the process we also ask for a documented incident report. It may be preliminary, as long as the report tells us what is going on. There are some people who think they can make a phone call to us and everything is going to happen after that,” he says.

In addition, investigators require “full and frank” access to any IT consultants that have been engaged to look at the cyber incident.

“For example, a certain agency had a website hack in NSW and wanted us to solve it,” he says. “We asked the organisation who they had engaged to solve the problem and it was one of the big four telcos who fixed the problem.”

According to van der Graaf, the cyber crime squad asked to see the report but was told that this was privileged information. The consequence was that police were unable to investigate the incident.

“Immediate access to security logs and third party providers is essential,” he says.


Source: http://www.cio.com.au/article/430537/how_report_cyber_threat_australian_police/

Market research firm Infonetics Research released excerpts of its latest DDoS Prevention Appliances vendor market share and forecast report, which tracks distributed denial of service (DDoS) appliances deployed to protect enterprise and carrier data centers, mobile networks, wired carrier transport and broadband networks, and government transport networks.

“While the market for dedicated DDoS prevention solutions remains strong, going forward the overall performance of the market and the vendors in it will be challenged by the widening availability of hosted/SaaS solutions and new integrated security platforms that include DDoS prevention as a feature,” notes Jeff Wilson, principal analyst for security at Infonetics Research. “Arbor Networks and Alcatel-Lucent recently announced a combined offering that couples Alcatel-Lucent routers and a specialized DDoS mitigation blade from Arbor. And F5 recently launched a specialized data center firewall product based on its BigIP traffic management platform, with DDoS prevention as a cornerstone feature.”

Wilson adds: “We expect other major security vendors to build specialized security platforms with integrated DDoS prevention that will go head-to-head with mid-range offerings from the dedicated DDoS appliance vendors.”

— Sustained DDoS activity will drive the prevention market to 24% growth in 2012 over 2011

— The data center segment of the DDoS prevention market is growing fast and is expected to pass the carrier transport segment by the end of 2012

— Arbor Networks, the largest vendor in the DDoS prevention appliance market, maintains a commanding overall lead with nearly 3/5 of global revenue, although Radware is challenging in the government network segment

— Combined, all segments of the DDoS prevention market–data center, carrier transport, mobile, and government–are forecast by Infonetics to top $420 million by 2016

— Mobile networks will see the strongest growth in the DDoS prevention market, with a 30% CAGR over the 5 years between 2011 and 2016

Infonetics’ biannual DDoS Prevention Appliance report provides vendor market share, market size, and forecasts through 2016 for DDoS appliance revenue by deployment location (enterprise and carrier data centers, mobile networks, government networks, and carrier transport and wired broadband networks) and by region (North America, EMEA, Asia Pacific, Central and Latin America, worldwide). The report also provides DDoS unit market share and forecasts by region.

Source: http://www.marketwatch.com/story/infonetics-research-forecasts-ddos-prevention-market-to-grow-24-in-2012-as-competition-heats-up-2012-07-09

The scene outside the Supreme Court after the justices narrowly upheld the Affordable Care Act looked chaotic, yet the scene on the back end of SCOTUSblog wasn’t — due in part to some serious planning.

SCOTUSblog is a website dedicated to news and analysis of the Supreme Court of the United States, run as a separate business by the lawyers at Washington, D.C.-based law firm Goldstein and Russell. It averages about 30,000 hits a day, but in the months leading up to the court’s ruling on the Patient Protection and Affordable Care Act, it became clear that something would have to be done to support a huge amount of traffic.

The blog staff knew that they were in for traffic problems when page views spiked during oral argument in March. Over a three-day period, the site received more than a million hits, creating a slow experience for users that was punctuated by crashes during peak hours.

“We were just really, really struggling to serve that audience,” said Max Mallory, deputy manager of the blog.

Mallory, a self-described liberal arts-type who learned IT on the fly after becoming deputy manager of the blog, said that the staff took stock of what they had and decided there was no way for them to rework it on their own. To accommodate the blog traffic they expected when they reported on the court’s decision, they would need to get outside help.

SCOTUSblog planned for huge traffic boost

Options on what to do ranged from completely redesigning the entire site to optimizing what they already had and adding more servers.

“There was tons of stuff being thrown around,” Mallory said.

The bloggers decided to bring in a team of developers who, over the course of the two months between the argument and the decision, reworked various aspects of the website. Mallory said they fixed JavaScript conflicts and plug-in issues, cleared out extraneous data, compressed the database and made cosmetic changes to the website that simplified loading.

Monday, June 18 was the earliest the court could have made its decision and served as the first testing day for the site’s changes. They decided to redirect traffic from the homepage to the live blog page, something they normally do on breaking news days. At one point, 40,000 simultaneous users were on the live blog, a fraction of what they expected on the big day, but it still revealed difficulties on the back end.

By Thursday, they had implemented a new plan — split the traffic between three servers. The main blog page would be hosted on Media Temple, the service they had been using all along. That page would redirect to a landing page that housed just the live blog, which would be hosted by WP Engine. Once those readers clicked to activate the live blog, that traffic would be hosted by third-party live blogging service CoverItLive.

In anticipation of a decision that still hadn’t come that day, traffic again spiked and the site stayed afloat, but still moved slowly. The WP Engine server handled the live blog page, but the Media Temple server was swamped by redirect requests.

“Friday morning I knew there was no way based on that performance we were going to be able to handle it,” Mallory said.

So Mallory reached out to Datagram, a server provider that handles hosting for some large blogs, and asked them to put him in touch with “the best optimizer of WordPress sites.” Datagram gave him the name of Andy LoCascio and his company, Sound Strategies. By the end of the day, LoCascio was in charge of rebuilding everything from the ground up.

After bringing LoCascio on board, the team learned all their work over the previous two months was essentially a waste.

“Literally everything that [could be] wrong was wrong,” Mallory said.

LoCascio’s team worked all day Friday and Saturday, adding a high-powered NGINX deployment on top of the Media Temple server, rewriting all Apache and MySQL configurations, fixing plug-ins and reworking caching. By Sunday, everything was finished.

Most court watchers expected the decision to come down on Monday. The blog surpassed its all-time traffic record by 2 p.m. and had more than 100,000 viewers on the live blog. Everything went well, but the big day had yet to come.

Finally, the media learned Thursday was going to be the day and the team was prepared to sit and wait. But on Tuesday evening they experienced a distributed denial of service (DDoS) attack, which left them scrambling to find a way to protect themselves from a nefarious attempt to crash the site.

They decided to eliminate the chain of servers at different companies and consolidate resources. The night before decision day, they set up four satellite servers off the main Media Temple server, each of which would host a cached version of the site that would be updated on a fixed, periodic schedule.

Two more DDoS attacks came the morning of the decision, but neither worked. Then, the news they and their audience had been waiting for broke.

“Right at 10:03 a.m. Thursday, we were getting more than 1,000 requests every second,” Mallory said.

In the end, SCOTUSblog received 5.3 million page views with no crashes or lag time. Load time never climbed above one second and CPU usage never ventured above 1%, a vindication of the new design. The site previously operated around 60% to 80% CPU usage with a hundredth of the traffic.

Traffic has since subsided and is expected to fade as the court heads for its summer recess. Mallory said the system set up for the health care decision will be shut off for now, but added that he and his colleagues will be prepared for the next major Supreme Court decision.

Source: http://searchcloudapplications.techtarget.com/news/2240159201/SCOTUSblog-survives-major-traffic-spike