Defend Against DDoS Archive

VANCOUVER, British Columbia, March 19, 2019 /PRNewswire/ — DOSarrest Internet Security announced today that they have released a new service offering called DOSarrest Traffic Analyzer (DTA). This new service allows subscribers to send their Netflow, Sflow or Jflow network data from their routers and switches to DOSarrest’s Big Data cluster, then login to their portal and graphically see what types and volumes of traffic are flowing in and out of their networks in almost real-time. Using this traffic intelligence, network operators can pinpoint the cause of any congestion, create their own ACLs to white-list or black-list any malicious networks. It gives engineers the intelligence they need to understand how their network is being used and for what purpose.

Some of the real-time graphical and historical information available in the dashboard is

Top 10 Source Countries
Top 10 Source Networks
Top 10 Source ASNs
Top 10 Source Netblocks
Top 10 Destination IPs
Top 10 Destination IPs
Top 10 Protocols and Ports

DOSarrest CTO, Jag Bains states, “I have been running Internet backbones for over 20 years and having something that is this cost effective has always been a problem, most solutions require expensive hardware and licensing or extensive software development. Setup is easy with DTA, just add 1 line to the router config and you’re done.”

This new service can also be combined with DOSarrest’s existing DDoS protection for network infrastructure service, where customers, using the same dashboard can automatically stop any DDoS attack on a customer’s data center or corporate network.

CEO Mark Teolis adds, “This service is really in its infancy, we are already working on version 2 and we plan on releasing a new version every 90 days thereafter. Once the network flow information is in the big data platform, there’s so much that can be done to extract network intelligence, it’s almost impossible to predict today what and how it can help network operators going forward. We are starting to test with some machine learning models to see what it can do.”

About DOSarrest Internet Security:
DOSarrest founded in 2007 in Vancouver, B.C., Canada specializes in fully managed cloud based Internet security services including DDoS protection services, Data Center Defender (DCD), Web Application Firewall (WAF), DDoS Attack testing, as well as cloud based global load balancing.

More information at http://www.DOSarrest.com

Source: https://www.prnewswire.com/news-releases/dosarrest-launches-new-cloud-based-network-traffic-analyzer-service-300814472.html

Distributed denial of service (DDoS) attacks are a particularly pernicious form of cyberattack where the bad actor seeks to take down a web site or even an entire corporate network by flooding it with malicious traffic.

DDoS attacks have been around for years – and many cybersecurity vendors have risen to the challenge, bringing increasingly sophisticated DDoS mitigation technologies to market.

The bad actors’ response is woefully predictable: increasingly advanced approaches to DDoS, leading to an escalating cat-and-mouse game, as enterprises and governments seek to stay ahead of the deluge of bad traffic hitting their networks.

Bring in the Bots

DDoS attackers use numerous Internet protocols, from the HTTP at the core of the web to simpler, lower-level protocols that do little more than request a brief acknowledgement from a server as part of an ongoing interaction. Request too many acknowledgements at one time, however, and the server can bog down.

At the next level of sophistication, hackers send such malicious requests from a ‘spoofed’ IP address, fooling the target server into sending a response to a different server, which is the true target. In this way, hackers dupe unwitting organizations into playing a role in the attack, while the victim only sees traffic from presumably trustworthy sites or services, thus amplifying the effect of an attack by a factor of one hundred or more.

DDoS attacks, however, have reached an even higher level of sophistication, as hackers are now able to compromise millions of computers, smartphones, and even Internet of Things (IoT) devices like security cameras and baby monitors, recruiting these devices into botnets that can launch increasingly massive, unpredictable attacks on global targets.

 

To make matters even worse, DDoS technology is simple and inexpensive to purchase on the Dark Web – leading to a black market for increasingly innovative DDoS malware. “There has been increased innovation in DDoS attack tools and techniques,” according to the NETSCOUT Threat Intelligence Report. “The availability of such improved tools has lowered the barrier of entry, making it easier for a broader spectrum of attackers to launch a DDoS attack.”

Size Matters

The simplest mitigation is for an enterprise or government agency to have on-premises equipment with sufficient capacity to absorb DDoS traffic, filtering out the malicious messages while allowing legitimate requests through, a process the industry calls scrubbing.

However, with the increasing sizes of the attacks, such a do-it-yourself approach rapidly becomes too expensive. “The increase in the impact and complexity of attacks continues unabated,” says Marc Wilczek, COO of Link11. “When faced with DDoS bandwidths well over 100 Gbps and multi-vector attacks, traditional IT security mechanisms are easily overwhelmed, and unprotected companies risk serious business disruption, loss of revenue and even fines.”

To place 100 gigabits per second (Gbps) into context, the fastest enterprise local-area ‘gigabit Ethernet’ networks generally run at one Gbps, and the fastest home Internet service will run around 100 megabits per second (Mbps) or a bit higher, which equals one tenth as much bandwidth as one Gbps.

Volumetric DDoS attacks – that is, attacks that consist of the sheer volume of traffic – can well exceed 100 Gbps. According to James Willett, VP technology at DDoS mitigation vendor Neustar, his company has mitigated attacks in excess of 460 Gbps. The largest attacks on record have exceeded 1,700 Gbps.

However, such volumetric attacks are easy to detect – and thus mitigation vendors with high mitigation capacities like Neustar’s 10+ Terabit per second (10,000+ Gbps) globally-distributed platform are able to deal with them in a straightforward fashion.

To respond to this mitigation capability, bad actors are mounting more complex attacks that typically involve enough volume to take down average Internet connections, but do so with intermittent bursts of diverse types of traffic over longer periods of time. “One of our clients is a gaming company,” Willett explains. “This client experienced an attack that lasted six days across numerous network protocols. It was an intermittent attack that generated 91 alerts for new attacks. The attacker was probing different network segments, but also using different attack vectors looking for weakness.”

Some attacks take even longer. “The longest DDoS attack in 2016 lasted 292 hours according to Kaspersky Lab’s research, or about 12 days,” according toRuss Madley, cybersecurity specialist at SecureData Europe, formerly head of B2B at Kapersky Lab. “Most online businesses can ill-afford to have their ‘doors closed’ for even an hour, let alone for 292 hours, as criminals take advantage of their poor defences.”

Multifaceted DDoS Mitigation

When a Neustar on-demand customer detects an incoming DDoS attack, it redirects its network traffic to the Neustar network, which scrubs it and returns the bona fide traffic back to the customer’s network.

This mitigation technique requires a level of sophistication commensurate to the attacker’s. “An attacker’s goal is to mimic legitimate traffic as closely as possible, so that it’s harder to figure out what to filter,” Willett explains. “Neustar tweaks and adjusts filtering in real-time, often looking inside the packets to identify patterns of good or bad traffic to help with filtering.”

Understanding what to filter is almost as important as what not to filter. “We use tools like ThousandEyes to determine whether we are scrubbing too much, which impacts clean traffic, or under-scrubbing, which allows too much dirty traffic,” Willett continues. “We also use ThousandEyes and our own monitoring toolsets to monitor clean traffic tunnels at key points in the infrastructure after scrubbing to ensure availability.”

Neustar’s approach is similar to other DDoS mitigation vendors in the market, including Radware, NETSCOUT Arbor (which NETSCOUT acquired in 2015), Akamai Prolexic (acquired in 2014), and F5.

Regardless of the vendor, however, proper configuration is essential. “For DDoS mitigation to continue working properly it needs to be perfectly configured to the specific network it is protecting,” according to The State of DDoS Protection Report by MazeBolt Technologies. “The problem is that enterprise networks are constantly changing with servers and services added to networks to meet new demands. In order to ensure that DDoS mitigation is perfectly configured, enterprises need to match each network change with a respective fine-tuning of their DDoS mitigation posture.”

Industry analysts are also quick to sound a warning around the complexity of DDoS mitigation. “For bad traffic to be diverted to a scrubbing centre in a seamless action to reduce any downtime, organisations need to have seamless integration between cloud and on-premise solutions, implemented in front of an infrastructure’s network to help mitigate an attack before it reaches core network assets and data,” says Sherrel Roche, senior market analyst at IDC.

Gartner IT +0.32% also offers words of caution. “To implement multiple denial-of-service defence measures at different layers would go beyond purchasing a single security product or signing up with a single service provider,” warns Gartner senior research analyst Rajpreet Kaur.

Who are the Bad Actors?

Unless you’re in the business of creating and selling malware on the Dark Web, the path to profit for a DDoS attacker is murkier than, say, cryptojacking or ransomware.

The key question: what’s in it for them? “The DDoS landscape is driven by a range of actors, from malware authors to opportunistic entities offering services for hire. They are a busy group, constantly developing new technologies and enabling new services while utilizing known vulnerabilities, pre-existing botnets, and well-understood attack techniques,” continues the NETSCOUT Threat Intelligence Report.

At the core of such threats: nation-states. “State-sponsored activity has developed to the point where campaigns and frameworks are discovered regularly for a broad tier of nations,” the NETSCOUT report continues. “Our findings include campaigns attributed to Iran, North Korea, Vietnam, and India, beyond the actors commonly associated with China and Russia.”

Kaspersky Lab also has an opinion. “We expect the profitability of DDoS attacks to continue to grow,” Madley adds. “As a result, [we] will see them increasingly used to extort, disrupt and mask other more intrusive attacks on businesses.”

In addition, the situation is likely to get worse. “When cybercriminals do not achieve their goals of earning money by launching simple DDoS attacks, they have two options,” says Alexey Kiselev, business development manager on the Kaspersky DDoS Protection team. “They can reconfigure the capacities required for DDoS attacks towards other sources of revenue, such as cryptomining, or malefactors who orchestrate DDoS attacks have to improve their technical skills.”

Kiselev concludes: “Given this, we can anticipate that DDoS attacks will evolve in 2019 and it will become harder for companies to detect them and stay protected.”

DDoS attacks, therefore, may not be the quickest route to profitability for bad actors, but given the importance of this attack technique to nation-state cyberwar adversaries, we can expect continued innovation on the part of the hackers. Enterprises and government agencies cannot afford to relax their efforts to combat such attacks.

Source:https://www.forbes.com/sites/jasonbloomberg/2019/02/12/are-hackers-winning-the-denial-of-service-wars/#4b701bc228ea

In March of 2018 cybersecurity nonprofit abuse.ch launched a new project called URLhaus. Its goal: to search and destroy compromised web pages that were being used to distribute malware. Fast forward to today and URLhaus has helped cleanse the Web of more than 100,000 malicious pages.

URLhaus is a collaborative effort and some 265 cybersecurity researchershave contributed to the project so far. Abuse.ch reports having received more than 300 malicious page submissions every day.

That number jumped dramatically this month. On January 16 reports more than doubled to 701. Yesterday URLhaus broke the 1,000 submission mark for the first time. Expect those numbers to continue climbing as more members of the cybersec community get involved.

Two strains of malware make up a substantial percentage of the submissions so far. Heodo, a botnet that is commonly used to launch DDoS attacks and distribute additional malware, leads the way with more than 16,000pages blacklisted. In second place is Gozi, a widely-distributed spyware tool that has the ability to record keystrokes and steal login details from web browsers.

Abuse.ch shared some additional statistics about its work so far. Some of the most interesting dealt with the responsiveness of hosting providers around the globe.

Providers in the United States typically took swift action after receiving a notification from URLhaus. Digital Ocean, which saw the most submissions of any provider, averaged about 6 days. Household names GoDaddy and Google were slightly slower at 9 and 8 days, respectively.

Faster is better, naturally. The sooner a malware distribution point is removed from the Web the safer things are for everyone who uses it.

Unfortunately not all content distribution networks respond as quickly. Some providers allowed reported URLs to continue pushing malware for weeks. In one case nearly two months passed between the URLhaus alert and the link’s removal.

The longer these malicious pages remain online, the greater the harm the malware can do. Hopefully providers will start working more closely with URLhaus and bringing their response times down. Swift action on their part means a safer Internet for everyone.

Source: https://www.forbes.com/sites/leemathews/2019/01/23/massive-group-effort-disables-100000-web-pages-that-distributed-malware/#178990873b39

A 34-year-old man from Somerville, Massachusetts, has been sentenced to 10 years in prison for launching distributed denial-of-service (DDoS) attacks against two healthcare organizations in the United States.

Martin Gottesfeld, who identified himself as a member of the Anonymous movement, was accused of launching DDoS attacks against the Boston Children’s Hospital and the Wayside Youth and Family Support Network back in 2014.

The attacks on these organizations were part of a campaign related to Justina Pelletier, a teen who had been the subject of a high-profile custody battle between her parents and the state of Massachusetts.

Boston Children’s Hospital and Pelletier’s parents entered a dispute over a diagnosis and a judge awarded custody of the teen to the state. Pelletier was later moved to Wayside Youth and Family Support Network, a residential treatment facility.

Gottesfeld posted a video on YouTube in the name of Anonymous urging others to launch DDoS attacks on the Boston Children’s Hospital until Pelletier was released.

According to authorities, the DDoS attack aimed at the hospital was powered by tens of thousands of bots. The attack caused disruptions not only to the Boston Children’s Hospital, but also several other medical facilities in the Longwood Medical Area.

The Boston hospital claimed that the attack had cost it over $300,000 and led to the organization losing roughly $300,000 in donations due to the attack disabling its fundraising portal.

Gottesfeld became a suspect a few months after the attacks were launched. His home was searched and his devices were seized, but he was not charged at the time. In February 2016, he and his wife attempted to flee the country on a small boat, but they returned to the US on a Disney Cruise Ship that had rescued them off the coast of Cuba.

Gottesfeld was arrested upon his return. He was convicted by a jury on August 1, 2018, of one count of conspiracy to damage protected computers and one count of damaging protected computers.

He has now been sentenced to 121 months in prison and ordered to pay nearly $443,000 in restitution.

According to Reuters, Gottesfeld plans on appealing the sentence, but says he has no regrets.

Source: https://www.securityweek.com/hacktivist-gets-10-year-prison-sentence-ddos-attack-hospitals

What just happened? At least three men and over a dozen websites got an early Christmas present from the FBI. In cooperation with California and Alaska authorities the US Federal Bureau of Investigation seized several website offering DDoS services and arrested three individuals running some of the sites.

On Thursday, federal authorities seized 15 different “booter” websites and charged three individuals with crimes. Booter sites, also known as “stresser” services allow individuals without any hacking experience to execute distributed-denial-of-service (DDoS) attacks for a fee.

As of this morning, the FBI has taken down the following “attack-for-hire” domains:

  • Anon Security Team
  • Booter
  • BullStresser
  • Critical BOOT
  • DEFCON PRO
  • Defiance Protocol
  • Downthem
  • Layer7-Stresser
  • Netstress
  • Quantum Stress
  • Ragebooter
  • RequestRip
  • Str3ssed Networks
  • TOR Security Team
  • vBooter

“While this week’s crackdown will have a significant impact on this burgeoning criminal industry, there are other sites offering these services – and we will continue our efforts to rid the internet of these websites,” said United States Attorney Nick Hanna in a press release. “We are committed to seeing the internet remain a forum for the free and unfettered exchange of information.”

These sites have mostly flown under the FBI’s radar because they advertise themselves as services to be used for stress testing domains that are owned by the subscriber. However, they have long been used to interrupt other websites, usually out of anger or spite. Many of the seized domains have been identified as being behind recent DDoS attacks of serval gaming websites.

“The action against the DDoS services comes the week before the Christmas holiday, a period historically plagued by prolific DDoS attacks in the gaming world,” said an FBI press release.

In addition to the seizure warrants executed against the websites, two men have been charged with conspiracy to violate the Computer Fraud and Abuse Act. Matthew Gatrel and Juan Martinez have both been indicted with crimes relating to their operation of websites Downthem and Ampnode respectively.

A third individual, David Bukowski has been charged with aiding and abetting computer intrusions. Bukowski allegedly operated Quantum Stresser, which was one of the longest running of the DDoS services on the web. The FBI estimates that the site was behind over 50,000 successful and attempted attacks in 2018 and had over 80,000 subscribers since 2012.

While no users of these services have been arrested, authorities caution that they can and will seek prosecution of anyone paying for cyber attacks.

“Whether you launch the DDoS attack or hire a DDoS service to do it for you, the FBI considers it criminal activity,” said FBI Assistant Director Matthew Gorham. “Working with our industry and law enforcement partners, the FBI will identify and potentially prosecute you for this activity. We will use every tool at our disposal to combat all forms of cybercrime including DDoS activity.”

Source:https://www.techspot.com/news/77969-fbi-charges-three-connection-ddos-hire-website-seizures.html