DDoS Archive


Previous characterizations of activist DDOS campaigns have traditionally fallen into one of two camps: those that unilaterally condemn activist DDOS campaigns as bullying and censorship, and those that align such actions with IRL sit ins.  Both these characterizations, however, cannot be applied to the entire landscape of activist DDOS campaigns as a whole. Rather, each campaign must be examined individually before a judgement can be made regarding its validity as a protest action.  DDOS as a tool cannot be wholly condemn or lauded without its surrounding context.

In this talk, I’ll be examining those previous characterizations, and at different DDOS campaigns that do and do not fit those models.  Next I’ll be outlining the current state of play of activist DDOS.  Finally I’ll be presenting a new analytical model for looking at activist DDOS campaigns, and presenting an analysis of the December 2010 Operation PayBack DDOS campaign against PayPal.  Also, to reward all you find people for coming out so late for this talk, there will be lots of pictures of cats.



The “censorship” characterization of activist DDOS as espoused by folks like Oxblood Ruffin from the Cult of the Dead Cow and others, claims that DDOS is equivalent to “shouting down” an opponent in a public forum, and that DDOS attacks deny individuals and organizations their rights to free speech.  In some but not all cases, this is a valid criticism, but before such a characterization can be made, we need to look at the motivation and intended effect of an action, the actual effects of the action and the technology used.

In July of 1997, a large scale DDOS attack was launched against the Institute for Global Communications (IGC), a non-profit internet service provider. The number of participants and the original organizers of the campaign are not known.

The attack was part of a wide spread public campaign to pressure the ISP to remove the website of the Basque publication Euskal Herria Journal, which was thought to have ties to the militant group, ETA.

The campaign was a combination of mailbombing and network-based DDOS attacks.  This was a populist-minded action; at one point, the major Spanish newspaper El Pais threw its support behind the mailbombing campaign and published target email addresses for the IGC in its digital edition, though it later retracted its support and removed the addresses from its website.

The IGC’s servers were knocked offline, rendering inaccessible the websites and email of over 13,000 subscribers.  While the IGC did eventually remove the Euskal Herria Journal‘s content from its servers, it replaced it with a statement decrying what it saw as vigilante censorship on the internet, and was supported in its arguments by groups like NetAction, Computer Professionals for Social Responsibility, and the Association for Progressive Communications.

The goal of the IGC action was to force IGC to remove the Euskal Herria Journal‘s website from its servers.  This was an objection to content being available on the internet. For as long as it was successfully running, the DDOS attack rendered that content unavailable to the internet.  So in actual effect, the IGC action was not so much a protest so much as it was the will of one group being forced on another.  “If you don’t take it down, we’ll take it down for you.”  No public debate was sought, and most of the publicity associated with the campaign revolved around recruiting participants, not articulating grievances.  The goal of the DDOS action was a permanent imposition of its immediate effects.  While DDOS actions are often condemned for being as good as censorship, the goal of the IGC action was censorship, and in the end, the condemnation it suffered was as much for its goal as for its tactics.  However, where the “censorship” condemnation falls short is in its assigning equal value to any potential target on the web.  The IGC attack targeted politically vulnerable speech online, and obliterated the Euskal Herria Journal‘s ability to reach its audience and crippled the IGC’s ability to perform its professional function.  However, targeting the website of a large corporation or government agency often has little effect on the actual operations of that entity or its ability to communicate with the public through media appearances and press releases. It would be absurd to declare an ethical equivalency between seeking to silence content  entirely, which is reprehensible, and the relative inconvenience suffered by large corporations whose online posters have briefly been torn down (to paraphrase XKCD).


The “electronic sit in” characterization was first clearly articulated by the Critical Art Ensemble, a performance art/activism collective in their essay “Electronic Civil Disobedience.”  There, they drew an equality between the monopolization of resources that takes place during an IRL sit-in, and the monopolization of resources which occurs on the technological level during a DDOS campaign.  This characterization draws heavily on the history of sit-ins in social movements for much of its validity.

In 2001, the Electronic Disturbance Theater, a spin-off of the Critical Art Ensemble, launched a campaign called the “Deportation Class Action.” Estimates put the number of participants at around 13,000, recruited primarily through activist and performance art mailing lists and websites.

The goal of the action was to draw public attention to the the German government’s use of the airline’s flights to deport immigrants, and through that public pressure change Lufthansa’s behavior as a corporation.  The online action was powered by FloodNet, a brower-based DDOS tool developed by the EDT in 1998.  The tool allowed users to participate in pre-planned DDOS campaigns, but required that users take the positive steps of navigating to the FloodNet page and choosing to participate in the action.  The FloodNet action was augmented by press releases and protests at Lufthansa stockholder meetings.

The action did result in some downtime for the Lufthansa homepage.  Shortly after the action, Lufthansa stopped allowing the German government to use its flights to deport immigrants.

The Lufthansa action resulted in the arrest and trial of Andreas-Thomas Vogel, who had run a website, libertad.de, which posted a call to action for the Lufthansa protest.  A lower court in Frankfurt initially found Vogel guilty of using force against Lufthansa, based on the economic losses the airline had suffered during the campaign.  Upon appeal, however, a higher court overturned the verdict, finding, “…the online demonstration did not constitute a show of force but was intended to influence public opinion.”

The stated goal of the Lufthansa action was to draw public attention to a specific aspect of the airline’s business, and through that attention change its behavior.  Though the DDOS attack took place on the internet, the effect it sought to have was not limited, was not even present, in the online realm.  It is important to note that, in and of itself, the DDOS attack could not have achieved what the EDT and Vogel set out to accomplish.  They set out to change the behavior of a corporation.  It took positive action on the part of Lufthansa for that to happen.  It could not be accomplished by fiat by activists on the outside.  One of the benefits of the “electronic sit in” characterization is that it references a tactic with a very visible history: most people already know what a sit-in looks like.  The comparison holds up provided the technology used remains heavily reliant on individual agency, with participants either using manual DDOS tools like FloodNet or participate in strictly voluntary botnets.  The use of sophisticated traffic multipliers, exploits or non-voluntary botnets complicates the situation enormously, and can make the use of this characterization seem overly simplistic and self-congratulatory.



The primary goals of many popular DDOS campaigns, or those which actively seek the participation of large numbers of people, are to direct media coverage, and to impact the identity of those participating in the action.  Like the Lufthansa campaign, these actions ultimately seek societal and policy changes that cannot be achieved simply by taking down a website.  Rather, the goal is to attract significant attention to a set of issues, and to cultivate a population that considers themselves activists, and who can be called on to participate in future actions.


It is much more difficult now than it was in 1997 or 2001 to bring down a corporate site through the power of individual activists alone.  Traffic multipliers and non-volunteer botnets can give all-volunteer efforts the boost needed to bring down a large site, but those tactics have the potential to delegitimize activist DDOS in the eyes of the media, policy makers, and participants.


The Electronic Disturbance Theater primarily spread word of its actions via activism and performance art centered email lists and message boards.  As a result, their participants were, more often than not, experienced activists well versed in the practices and risks of on-the-streets activism.  While they may have had an incomplete understand on the online space they were moving to, it is safe to assume that they had an understanding of the legal risks often associated with acts of civil disobedience.  As the Electronic Disturbance Theater was primarily engaged in drawing an explicit linkage between traditional forms of civil disobedience and digital actions like DDOS attacks, they were also aware, by association, of the illegal nature of the acts they were undertaking and the risks they were exposed to.

This has not necessarily been the case with more recent DDOS campaigns.  Activism-minded individuals have come onto the scene with little activism experience, either IRL or digital.  Their tactics are often innovative and interesting, but they lacked a core awareness of the basic risks they are exposing themselves to.  The media attention attracted by these actions attracts more neophytes to the cause, which is great for expanding the active population, but puts more pressure on those in leadership positions to educate newcomers.  The relative ease with which individuals can become involved, in a piecemeal fashion, with different campaigns also leads to high turnover in the active population, which makes things difficult for a political culture which is trying to establish its own internal norms and modes, as well as its legitimacy to outsiders.


Just in case there is any doubt, as of this talk, DDOS attacks remain illegal in most jurisdictions, including the United States, where it is a felony.  Participating in one remains a high risk activity, unlike many other activities associated with IRL activism, including street marches and sit-in.  The onus to educate inexperienced participants about these risks falls to the organizers, as does the ethical quandary of whether or not these types of actions are, at this time, worth the legal risk.


Finally, there are shifting views as to what constitutes a “successful” DDOS campaign.  Many activists are moving away from a strict binary “website up/website down” conception of success to more nuanced views, like number of participants, number of participants who stick around for other campaigns or levels of media coverage.


So in order to take into account both the new developments in activist DDOS campaigns and to allow for an accurate analysis of the use of the tactic, I propose an analytical model. Rather than reacting based on an objection to DDOSes as a whole or comparisons to already existing activist tactic, this model looks at the motivations behind a campaign, its intended effects, its actual effects, and the technologies used before coming to a conclusion on the legitimacy of an activist action.

Using this model we can look at Anonymous’s December 2010 Operation PayBack DDOS campaign against PayPal and other sites in the same way that we looked at the campaigns analyzed earlier.

While Operation PayBack began as an opposition to the MPAA and other copyright organizations, December 6, 2010 marked the beginning of the second stage, sometimes known as Operation Avenge Assange.  These attacks were powered by the LOIC DDOS tool, volunteer botnets running through the LOIC Fucking Hivemind mode, and non-volunteer botnets.

This stage of the campaign targeted organizations and individuals Anonymous believe were acting against the interests of Wikileaks, either by cutting off its channels of financial support, refusing to provide hosting to the website and its domain name, or by speaking out against the organization publicly.  The overall  goal was the draw attention to the ongoing banking blockade against Wikileaks, and to force media coverage of the issue.  Over the course of four days, Anonymous would launch DDOS attacks against the websites of the Swedish Prosecution Authority, EveryDNS, Senator Joseph Lieberman, MasterCard, two Swedish politicians, Visa, PayPal, and Amazon.com, forcing many of the sites to experience at least some amount of downtime.

The campaign led to massive amounts of media coverage, mostly of Anonymous itself, but also of the banking blockade and various other grievances publicized in Anonymous press releases and calls to action.  It brought extraordinary public attention to Anonymous, and with that many new participants.  It also led to the arrest of over a dozen participants in the United States, who were charged with felony violations of the Computer Fraud and Abuse act, with more individuals being arrested internationally.  Others had their homes raided by the FBI and their possessions seized.

The December DDOS attacks of Operation Payback bear a far closer resemblance to the Electronic Disturbance Theater’s 2001 Lufthansa action than they do to the IGC attacks of 1997.  Though the diffuse, unorganized, and leaderless Anons bear a much closer resemblance to the participant population of the IGC attacks, made up as it was of individuals recruited through enthusiastic media coverage, disparate people coming together for a moment around one emotional issue, the motivation and actual effects of Operation Payback are far more akin to the Electronic Disturbance Theater’s push for popular attention and policy change.  A primary goal of Operation Avenge Assange was to bring widespread attention to the plight of Wikileaks, and in that it succeeded.  A secondary goal was to cause financial damage and embarrassment to the corporations targeted, but as stated above, bringing down a corporate webpage does not restrict that corporation’s ability to function.  Rather, the corporations targeted by Anonymous had caused more harm to Wikileak’s ability to function by unilaterally cutting off its means of financial support and refusing to host it.  These actions in and of themselves constitute “denial of service” attacks in the most basic sense of the term.  The use of non-volunteer botnets to achieve downtime in the targeted servers in troubling, as is the lack of success in educating participants on the legal risks they were taking.  I feel that neither of these facts are troubling enough to completely delegitimize Operation PayBack as a reasonable act of civil protest, but they are mistakes that need to be learned from for future actions.


In conclusion, there are uses of DDOS that are more appropriate and acceptable in an activist context than others.  Not every DDOS attack that claims the activist label does so appropriately.  It is also possible to say that though the technological effects of one DDOS attack may be indistinguishable from another, the actual effects differ widely based on the circumstances and contexts of a given action.  Paradoxically, an attack on the homepage of a large corporation may draw a large amount of media attention, but have little immediate effect on the corporation itself, while an attack on a smaller, internet based organization may completely wipe it out while attracting no attention or criticism at all.

What may be considered censorship in one instance can be reasonably considered to not be censorship in another, though the technological facts remain the same.  When attempting to determine the validity of an activist DDOS action, or any contentious computer action, it is vital that we not privilege technological facts over the motivations and stated goals of the participants and the actual effects of the action.  To do so would ignore the fact that identical technological states can be arrived at under vastly differing circumstances, and ultimately devalues human agency in our dealings with technology.

Source: http://oddletters.com/2012/07/15/hope9-talk-activist-ddos-when-similes-and-metaphors-fail/

Botnet operators are changing their methods for conducting distributed denial of service (DDoS) attacks.

A customer study from security firm Prolexic found that over the last quarter, DDoS attacks used less bandwidth and took place over shorter durations of time. Additionally, botnet operators were more aggressive with the time they did spend, increasing packet-per-second volume by 63 per cent.

Researchers believe that the trend indicates a tendency for botnet operators to be more cautious with their attacks, conducting shorter operations in order to reduce the risk of detection and the possible loss of their networks.

“As perpetrators realise their DDoS attacks are being blocked by a mitigation provider, they are moving on to easier targets sooner than in the past,” the company said in the report.

Despite being more cautious in their activity, botnet herders showed no sign of letting up. The study found that DDoS attacks were on the rise across all sectors of the business space. The report found that the total number of reported attacks had doubled over the same period in 2011.

The survey found that attacks on the routing and transport layers of infrastructure components accounted for 81 per cent of attacks, while application layer attacks were down on the quarter.

Prolexic researchers believe that the trend indicates a growth in the popularity of DDoS attacks and easier management and infection tools.

“This indicates the technical barrier to entry has been significantly lowered for malicious actors who seek to participate in denial of service attacks through improved accessibility to no-cost and simple, yet powerful tools,” the company said.

Source: http://www.v3.co.uk/v3-uk/news/2191368/ddos-attacks-becoming-shorter-and-more-intense-as-botnet-operators-get-cautious

Late last month, two members of the hacker group LulzSec pleaded guilty to launching distributed denial-of-service (DDoS) attacks against entities ranging from the state of Arizona to Nintendo to the CIA. Yet despite extensive media coverage of such attacks, chief information security officers are still surprised when their companies get hit.

This is not an unforeseeable lightning bolt from the blue, people. The cyber world is full of anonymous arsonists, and too many businesses are operating without a fire department on call. A few sprinklers won’t cut it when things flare out of control. Firewalls and intrusion-prevention system appliances are no substitute for specialized DDoS backup when an attack escalates.

Proactively securing a mitigation service can be a good insurance policy–in fact, it’s better than insurance, which pays off only after damage is done. That’s because mitigation services are designed to prevent destruction from occurring in the first place. Not only can a mitigation service act as a deterrent–many attackers will move on to easier prey when they see an initial DDoS attack fail–but these providers have the capacity and expertise to rapidly scale DDoS countermeasures against coordinated, professional attacks. That can mean keeping your website online even under heavy bombardment.

Big And Small Companies At Risk

Denial-of-service attacks used to be something that happened to other people, those with high online visibility. Not anymore. “We’ve seen very small companies come to us and they can’t figure out why they’re under attack,” says Chris Richter, VP of security products and services at Savvis. They ask, “‘What have we done?'”

Blame the proliferation of prepackaged DDoS toolkits, such as the Low Orbit Ion Cannon and Dirt Jumper, for the fact that no one’s safe. Like any brute-force tactic, DDoS relies on the fact that any attack, even the most rudimentary, repeated with sufficient volume and frequency, can effectively shut down a network or website. Botnets often span thousands or millions of systems worldwide; Akamai, for example, provides a real-time attack heat map. In early July, attack rates were almost 30% above normal, with hot spots in Delaware and Italy. Geographic dispersion, coupled with network traffic crafted to look like legitimate connections from normal users, makes DDoS attacks both extremely effective and difficult to defeat if you’re not an expert with the right tools.

There are three main distributed denial-of-service categories:

>> Volumetric attacks overwhelm WAN circuits with tens of gigabits per second of meaningless traffic–so-called ICMP or UDP floods.

>> Layer 3 attacks abuse TCP. For example, SYN floods overload network equipment by starting but never completing thousands of TCP sessions using forged sender addresses. SYN floods can be in excess of 1 million packets per second, largely in response to the wider deployment of hardware countermeasures on firewalls and other security appliances, says Neal Quinn, COO of DDoS mitigation specialist Prolexic.

>> Layer 7 floods use HTTP GET or POST requests to overload application and Web servers. From the attacker’s perspective, L7 exploits aren’t anonymous. The attacking client’s identity (IP address) is exposed because a TCP handshake must be completed. Attackers who use this approach consider the risk outweighed by the technique’s effectiveness at much lower volumes and the traffic’s stealthy nature. Requests are designed to look like normal Web traffic, factors that make L7 attacks hard to detect.

Our InformationWeek 2012 Strategic Security Survey shows that the increasing sophistication of threats is the most-cited reason for worry among respondents who say their orgs are more vulnerable now than in 2011, and L7 attacks are certainly sophisticated. They’re also getting more common: Mark Teolis, founder and CEO of DOSarrest, a DDoS mitigation service, says 85% of the attacks his company sees have a Layer 7 component. Attackers leveraging L7 are often developers; they may do some reconnaissance on a website, looking for page requests that aren’t cacheable and are very CPU-intensive–things like filling a shopping cart, searching a database, or posting a complex form.

Teolis says that a mere 2 to 3 Mbps increase in specially crafted L7 traffic can be crippling. “We’ve had gaming sites tell us they can handle 30,000 customers, but if 100 hit this one thing, it’ll bring down the entire site,” he says.

Layer 7 attacks are tough to defeat not only because the incremental traffic is minimal, but because it mimics normal user behavior. Teolis has seen attacks where an individual bot may hit a site only once or twice an hour–but there are 20,000 bots involved. Conventional network security appliances just can’t handle that kind of scenario. And meanwhile, legitimate customers can’t reach your site.

Why Us?

The motivations for a DDoS attack are as varied as the perpetrators. For many, it’s just business, with targets strategically chosen by cyber criminals. Others are political–a prime example is LulzSec hitting the Arizona Department of Public Safety to protest the state’s strict immigration law, SB 1070. And for some, it’s just sport.

Given this randomness, it’s impossible to predict the need for professional distributed denial-of-service mitigation. For example, Teolis says one of DOSarrest‘s customers was the Dog Whisperer, that guru of man’s best friend. “If Cesar Millan can get attacked, anyone is fair game,” he says.

Purchasing mitigation services requires the same kind of budgeting as any form of IT security: What you spend on controls should be proportional to the value of the data or website. So, while any organization with an online presence is at some risk, those with financial or reputational assets that could be seriously damaged by going dark should take DDoS mitigation most seriously.

Everyone should take these preparatory steps.

>> Do online reconnaissance: Follow what’s being said about your company online, particularly on public social networks, and look for chatter that might hint at extortion or hacktivism. Subscribe to security threat assessment reports covering the latest DDoS techniques and incidents. Prolexic is one source for threat advisories; US-CERT also has overviews, like this one on Anonymous.

>> Heed threat mitigation recommendations: DDoS threat reports typically include details about the attack signature and recommended mitigation steps. For example, a recent Prolexic report on the High Orbit Ion Cannon identifies specific attack signatures, in this case HTTP requests, and content filter rules to block them. For L3/L4 attacks, incorporate these rules into your firewall; do likewise for L7 attacks if your firewall supports application-layer filtering.

>> Have a communications strategy: Know what you’ll tell employees, customers, and the media should you be the victim of an attack. Don’t wait to make statements up on the fly.

>> Have an emergency mitigation backup plan: Although most DDoS mitigation services operate on a monthly subscription basis, if you haven’t signed up and an attack overwhelms your defenses, at least know who you’re gonna call. Quinn and Teolis say their services can be operational and filtering DDoS traffic within minutes, though of course it will cost you.

What To Look For In DDoS Mitigation

At the risk of oversimplification, DDoS mitigation services are fundamentally remote network traffic filters. Once your system detects an attack affecting your network or servers, you redirect traffic to the service; the service filters out the junk and passes legitimate packets to their original destinations. In this sense, it’s like a cloud-based spam filter for websites.

This traffic redirection, so-called on-ramping, is typically done via DNS. The mitigation provider creates a virtual IP address, the customer makes a DNS A record (hostname) change pointing to the remote VIPA, traffic flows through the mitigation provider’s filters, and the provider forwards only legitimate traffic on to the original site. Those facing attacks on multiple systems can divert entire subnets using Border Gateway Protocol advertisements, using Generic Routing Encapsulation tunneling to direct traffic to the mitigation provider. Advertising a new route to an entire address block protects an entire group of machines and, says Quinn, has the advantage of being asymmetrical, in that the mitigation service is used only for inbound traffic.

The most important DDoS mitigation features are breadth of attack coverage, speed of service initiation (traffic on-ramping), and traffic capacity. Given the increasing popularity of application-layer attacks, any service should include both L3/4 and L7 mitigation technology. Services may segment features into proactive, before-the-attack monitoring and reactive, during-the-incident mitigation.

Customers with monthly subscriptions should demand typical and maximum mitigation times–measured in minutes, not hours–backed up by a service-level agreement with teeth. Even those procuring emergency mitigation services should expect fairly rapid response. Most DDoS specialists staff operations centers 24/7.

With DDoS mitigation, procrastination can be expensive. For those 70% of customers who first turn to DOSarrest in an emergency, the setup fee for the first month is around $3,500 to $4,000, depending on the complexity of the site. In contrast, an average monthly cost on a subscription basis is $700 per public-facing IP address.

Filtered bandwidth is another way to differentiate between services. Some, like Prolexic, adopt an all-you-can-eat pricing model. For a flat fee per server, customers can use the service as often as they need with as much bandwidth as required. Others, like DOSarrest, keep the “use as often as you like” model but include only a certain amount of clean bandwidth (10 Mbps in its case) in the base subscription, charging extra for higher-bandwidth tiers. Teolis says 10 Mbps is sufficient for at least 90% of his company’s customers.

A few services use a pricing model akin to an attorney’s retainer, with a low monthly subscription but hefty fees for each DDoS incident. Richter says Savvis is moving to this model, saying that customers want usage-based pricing that resembles other cloud services. Prolexic’s Quinn counters that this pricing structure leads to unpredictable bills.

Bottom line, there’s a DDoS service to suit your tolerance for risk and budgetary volatility.

Optional services available from some providers include postattack analysis and forensics (what happened, from where, and by whom) and access to a managed network reputation database that tracks active botnets and sites linked to fraudulent or criminal activity, a feature that facilitates automated blacklisting to help prevent attacks in the first place.

Aside from looking at service features, evaluate each company’s technical expertise and track record. DDoS mitigation specialists, for whom this is a core business (or perhaps their only business) arguably have more experience and focus than Internet service providers or managed security providers for which DDoS mitigation is just a sideline. Not surprisingly, Quinn, whose company was among the first to offer DDoS mitigation as a service, suggests customers should make vendors show evidence that DDoS mitigation is something they do regularly, not as a rare occurrence.

Make sure the service has highly qualified staff dedicated to the task. Ask whether the provider has experts available 24/7 and how long it will take to access someone with the technical ability and authority to work on your problem.

Unfortunately there’s no rule of thumb for measuring the DDoS mitigation return on investment; it’s really a case-by-case calculation based on the financial value of the site being attacked. It relies on factors such as the cost in lost revenue or organizational reputation for every minute of downtime. Quinn cites a common analyst cost estimate, which Cisco also uses in its product marketing, of $30 million for a 24-hour outage at a large e-commerce site.

There’s a cruel asymmetry to DDoS attacks: They can cost thousands to mitigate, inflict millions in damage, and yet attackers can launch them on the cheap. A small botnet can be rented for as little as $600 a month, meaning a serious, sustained attack against multiple targets can be pulled off for $5,000 or $10,000.

With damages potentially two or three orders of magnitude higher than the DDoS mitigation costs, many organizations are finding mitigation a worthwhile investment. In fact, three-quarters of DOSarrest‘s customers don’t wait for a DDoS attack to flip the switch, but permanently filter all of their traffic through the service. That makes sense, particularly if it’s a high-value or high-visibility site, if your traffic fits within the cap, or if you’re using an uncapped service like Prolexic. These services use the same sorts of colocation hosting centers where companies would typically house public-facing websites, and they do geographically distributed load balancing and traffic routing to multiple data centers. That makes the risk of downtime on the provider’s end minimal. And this approach could actually reduce WAN costs since it filters junk before it ever touches your systems.


If a mitigation service is too expensive, there are things IT can do to lower the exposure and limit the damage from DDoS attacks (discussed more in depth in our full report):

1. Fortify your edge network: Ensure that firewall and IDS systems have DoS features turned on, including things like dropping spoofed or malformed packets, setting SYN, ICMP, and UDP flood drop thresholds, limiting connections per server and client, and dynamically filtering and automatically blocking (at least for a short time) clients sending bad packets.

2. Develop a whitelist of known good external systems: These include business partner gateways, ISP links and cloud providers. This ensures that stringent edge filtering, whether done on your firewall or by a DDoS service, lets good traffic through.

3. Perform regular audits and reviews of your edge devices: Look for anomalies like bandwidth spikes. This works best if the data is centrally collected and analyzed across every device in your network.

4. Understand how to identify DDoS traffic: Research attack signatures and have someone on your network team who knows how to use a packet sniffer to discriminate between legitimate and DDoS traffic.

5. Prepare DNS: Lower the DNS TTL for public-facing Web servers, since these are most likely to be attacked. If you need to protect an entire server subnet, have a plan to readvertise BGP routes to a mitigation service.

6. Keep public Web servers off your enterprise ISP link: With Web servers being the most common DDoS target, Michael Davis, CEO of Savid Technologies and a regular InformationWeek contributor, recommends Web hosting with a vendor that doesn’t share your pipes. “Your website may be down, but at least the rest of your business is up,” says Davis.

7. Practice good server and application security hygiene: Layer 7 attacks exploit operating system and application security flaws, often using buffer overflows to inject attack code into SQL databases or Web servers, so keep systems patched.

For DDoS protection please click here.

Source: Darkreading

It’s bad news: your organisation’s website has been hit by a distributed denial of service (DDoS) attack.

Rather than sweeping the incident under a virtual rug and not reporting it to state police, there are various steps that can be taken by cyber crime units, according to one law enforcement expert. Speaking at SecureSydney 2012, New South Wales Police fraud and cyber crime squad Detective Inspector, Bruce van der Graaf, told delegates that every state in Australia has an equivalent cyber crime squad team while the Australian Federal Police (AFP) operate a high tech crime centre.

How to prepare for a hacktivist attack

However, according to van der Graaf, some recent reports of DDoS attacks on online shopping websites that have been accompanied by extortion threats have gone unreported this year. “There were three unreported extortion attempts in 2012, not one single police officer in Australia was informed of these attempts,” he says. “That’s not good because there are some things we can do in these cases.”

Contacting the right agency

If the company subjected to a cyber attack is a major financial institution, in charge of critical infrastructure such as SCADA or is a victim of a copyright offence, they should contact the AFP, says van der Graaf.

“For every other form of cyber crime, come and see your relevant state jurisdiction,” he says,

How to report the threat

For AFP-related cyber crimes, these should be reported through the AFP website or by calling the High Tech Crimes Operation centre.

Within NSW, the Cyber Crime unit requires victims to visit their local police station.

“I know it’s not that easy to go into a police station and explain to the constable behind the desk that your company has just experienced a DDoS attack,” van der Graaf says.

“We don’t mind if you call us as we can walk you through the process of reporting the incident at the local police station–they will then refer the matter to us.”

In addition, he adds that organisaitons should contact CERT Australia due to their expertise in dealing with DDoS and other forms of attacks.

Making a police report

When filing a report to a state police cyber crime unit, the report should include full disclosure of everything that took place during the incident.

“For example, a victim of a cyber incident had a complaint with a former employee who walked off and got access to certain systems,” van der Graaf says. “There was a fairly nasty exchange of phone messages between them. To his credit, the victim showed us the entire exchange.”

According to van der Graaf, state police need to know this information at the start of the investigation rather than have the individual be “caught out” in the witness box by withholding information.

“Early on in the process we also ask for a documented incident report. It may be preliminary, as long as the report tells us what is going on. There are some people who think they can make a phone call to us and everything is going to happen after that,” he says.

In addition, investigators require “full and frank” access to any IT consultants that have been engaged to look at the cyber incident.

“For example, a certain agency had a website hack in NSW and wanted us to solve it,” he says. “We asked the organisation who they had engaged to solve the problem and it was one of the big four telcos who fixed the problem.”

According to van der Graaf, the cyber crime squad asked to see the report but was told that this was privileged information. The consequence was that police were unable to investigate the incident.

“Immediate access to security logs and third party providers is essential,” he says.

For immediate DDoS protection for your website click here.

Source: http://www.cio.com.au/article/430537/how_report_cyber_threat_australian_police/

Market research firm Infonetics Research released excerpts its latest DDoS Prevention Appliances vendor market share and forecast report, which tracks distributed denial of service (DDoS) appliances deployed to protect enterprise and carrier data centers, mobile networks, wired carrier transport and broadband networks, and government transport networks.


“While the market for dedicated DDoS prevention solutions remains strong, going forward the overall performance of the market and the vendors in it will be challenged by the widening availability of hosted/SaaS solutions and new integrated security platforms that include DDoS prevention as a feature,” notes Jeff Wilson, principal analyst for security at Infonetics Research. “Arbor Networks and Alcatel-Lucent recently announced a combined offering that couples Alcatel-Lucent routers and a specialized DDoS mitigation blade from Arbor. And F5 recently launched a specialized data center firewall product based on its BigIP traffic management platform, with DDoS prevention as a cornerstone feature.”

Wilson adds: “We expect other major security vendors to build specialized security platforms with integrated DDoS prevention that will go head-to-head with mid-range offerings from the dedicated DDoS appliance vendors.”


— Sustained DDoS activity will drive the prevention market to 24% growth in 2012 over 2011

— The data center segment of the DDoS prevention market is growing fast and is expected to pass the carrier transport segment by the end of 2012

— Arbor Networks, the largest vendor in the DDoS prevention appliance market, maintains a commanding overall lead with nearly 3/5 of global revenue, although Radware is challenging in the government network segment

— Combined, all segments of the DDoS prevention market–data center, carrier transport, mobile, and government–are forecast by Infonetics to top $420 million by 2016

— Mobile networks will see the strongest growth in the DDoS prevention market, with a 30% CAGR over the 5 years between 2011 and 2016


Infonetics’ biannual DDoS Prevention Appliance report provides vendor market share, market size, and forecasts through 2016 for DDoS appliance revenue by deployment location (enterprise and carrier data centers, mobile networks, government networks, and carrier transport and wired broadband networks) and by region (North America, EMEA, Asia Pacific, Central and Latin America, worldwide). The report also provides DDoS unit market share and forecasts by region.

Source: http://www.marketwatch.com/story/infonetics-research-forecasts-ddos-prevention-market-to-grow-24-in-2012-as-competition-heats-up-2012-07-09