Defend Against DDoS Archive

It’s bad news: your organisation’s website has been hit by a distributed denial of service (DDoS) attack.

Rather than sweeping the incident under a virtual rug and not reporting it to state police, there are various steps that can be taken by cyber crime units, according to one law enforcement expert. Speaking at SecureSydney 2012, New South Wales Police fraud and cyber crime squad Detective Inspector Bruce van der Graaf told delegates that every state in Australia has an equivalent cyber crime squad, while the Australian Federal Police (AFP) operate a high tech crime centre.

How to prepare for a hacktivist attack

However, according to van der Graaf, some recent reports of DDoS attacks on online shopping websites that have been accompanied by extortion threats have gone unreported this year. “There were three unreported extortion attempts in 2012, not one single police officer in Australia was informed of these attempts,” he says. “That’s not good because there are some things we can do in these cases.”

Contacting the right agency

If the company subjected to a cyber attack is a major financial institution, in charge of critical infrastructure such as SCADA or is a victim of a copyright offence, they should contact the AFP, says van der Graaf.

“For every other form of cyber crime, come and see your relevant state jurisdiction,” he says.

How to report the threat

AFP-related cyber crimes should be reported through the AFP website or by calling the High Tech Crimes Operation centre.

Within NSW, the Cyber Crime unit requires victims to visit their local police station.

“I know it’s not that easy to go into a police station and explain to the constable behind the desk that your company has just experienced a DDoS attack,” van der Graaf says.

“We don’t mind if you call us as we can walk you through the process of reporting the incident at the local police station–they will then refer the matter to us.”

In addition, he adds that organisations should contact CERT Australia because of their expertise in dealing with DDoS and other forms of attack.

Making a police report

When filing a report to a state police cyber crime unit, the report should include full disclosure of everything that took place during the incident.

“For example, a victim of a cyber incident had a complaint with a former employee who walked off and got access to certain systems,” van der Graaf says. “There was a fairly nasty exchange of phone messages between them. To his credit, the victim showed us the entire exchange.”

According to van der Graaf, state police need to know this information at the start of the investigation rather than have the individual be “caught out” in the witness box by withholding information.

“Early on in the process we also ask for a documented incident report. It may be preliminary, as long as the report tells us what is going on. There are some people who think they can make a phone call to us and everything is going to happen after that,” he says.

In addition, investigators require “full and frank” access to any IT consultants that have been engaged to look at the cyber incident.

“For example, a certain agency had a website hack in NSW and wanted us to solve it,” he says. “We asked the organisation who they had engaged to solve the problem and it was one of the big four telcos who fixed the problem.”

According to van der Graaf, the cyber crime squad asked to see the report but was told that this was privileged information. The consequence was that police were unable to investigate the incident.

“Immediate access to security logs and third party providers is essential,” he says.



Market research firm Infonetics Research released excerpts from its latest DDoS Prevention Appliances vendor market share and forecast report, which tracks distributed denial of service (DDoS) appliances deployed to protect enterprise and carrier data centers, mobile networks, wired carrier transport and broadband networks, and government transport networks.


“While the market for dedicated DDoS prevention solutions remains strong, going forward the overall performance of the market and the vendors in it will be challenged by the widening availability of hosted/SaaS solutions and new integrated security platforms that include DDoS prevention as a feature,” notes Jeff Wilson, principal analyst for security at Infonetics Research. “Arbor Networks and Alcatel-Lucent recently announced a combined offering that couples Alcatel-Lucent routers and a specialized DDoS mitigation blade from Arbor. And F5 recently launched a specialized data center firewall product based on its BigIP traffic management platform, with DDoS prevention as a cornerstone feature.”

Wilson adds: “We expect other major security vendors to build specialized security platforms with integrated DDoS prevention that will go head-to-head with mid-range offerings from the dedicated DDoS appliance vendors.”


— Sustained DDoS activity will drive the prevention market to 24% growth in 2012 over 2011

— The data center segment of the DDoS prevention market is growing fast and is expected to pass the carrier transport segment by the end of 2012

— Arbor Networks, the largest vendor in the DDoS prevention appliance market, maintains a commanding overall lead with nearly 3/5 of global revenue, although Radware is challenging in the government network segment

— Combined, all segments of the DDoS prevention market–data center, carrier transport, mobile, and government–are forecast by Infonetics to top $420 million by 2016

— Mobile networks will see the strongest growth in the DDoS prevention market, with a 30% CAGR over the 5 years between 2011 and 2016


Infonetics’ biannual DDoS Prevention Appliance report provides vendor market share, market size, and forecasts through 2016 for DDoS appliance revenue by deployment location (enterprise and carrier data centers, mobile networks, government networks, and carrier transport and wired broadband networks) and by region (North America, EMEA, Asia Pacific, Central and Latin America, worldwide). The report also provides DDoS unit market share and forecasts by region.


The scene outside the Supreme Court after the justices narrowly upheld the Affordable Care Act looked chaotic, yet the scene on the back end of SCOTUSblog wasn’t — due in part to some serious planning.

SCOTUSblog is a website dedicated to news and analysis of the Supreme Court of the United States, run as a separate business by the lawyers at Washington, D.C.-based law firm Goldstein and Russell. It averages about 30,000 hits a day, but in the months leading up to the court’s ruling on the Patient Protection and Affordable Care Act, it became clear that something would have to be done to support a huge amount of traffic.

The blog staff knew that they were in for traffic problems when page views spiked during oral argument in March. Over a three-day period, the site received more than a million hits, creating a slow experience for users that was punctuated by crashes during peak hours.

“We were just really, really struggling to serve that audience,” said Max Mallory, deputy manager of the blog.

Mallory, a self-described liberal arts type who learned IT on the fly after becoming deputy manager of the blog, said that the staff took stock of what they had and decided there was no way for them to rework it on their own. To accommodate the blog traffic they expected when they reported on the court’s decision, they would need to get outside help.

SCOTUSblog planned for huge traffic boost
Options on what to do ranged from completely redesigning the entire site to optimizing what they already had and adding more servers.

“There was tons of stuff being thrown around,” Mallory said.

The bloggers decided to bring in a team of developers who, over the course of the two months between the argument and the decision, reworked various aspects of the website. Mallory said they fixed JavaScript conflicts and plug-in issues, cleared out extraneous data, compressed the database and made cosmetic changes to the website that simplified loading.

Monday, June 18 was the earliest the court could have made its decision and served as the first testing day for the site’s changes. They decided to redirect traffic from the homepage to the live blog page, something they normally do on breaking news days. At one point, 40,000 simultaneous users were on the live blog, a fraction of what they expected on the big day, but it still revealed difficulties on the back end.

By Thursday, they had implemented a new plan — split the traffic between three servers. The main blog page would be hosted on Media Temple, the service they had been using all along. That page would redirect to a landing page that housed just the live blog, which would be hosted by WP Engine. Once those readers clicked to activate the live blog, that traffic would be hosted by third-party live blogging service CoverItLive.

In anticipation of a decision that still hadn’t come that day, traffic again spiked and the site stayed afloat, but still moved slowly. The WP Engine server handled the live blog page, but the Media Temple server was swamped by redirect requests.

“Friday morning I knew there was no way based on that performance we were going to be able to handle it,” Mallory said.

So Mallory reached out to Datagram, a server provider that handles hosting for some large blogs, and asked them to put him in touch with “the best optimizer of WordPress sites.” Datagram gave him the name of Andy LoCascio and his company, Sound Strategies. By the end of the day, LoCascio was in charge of rebuilding everything from the ground up.

After bringing LoCascio on board, the team learned all their work over the previous two months was essentially a waste.

“Literally everything that [could be] wrong was wrong,” Mallory said.

LoCascio’s team worked all day Friday and Saturday, adding a high-powered NGINX deployment on top of the Media Temple server, rewriting all Apache and MySQL configurations, fixing plug-ins and reworking caching. By Sunday, everything was finished.

Most court watchers expected the decision to come down on Monday. The blog surpassed its all-time traffic record by 2 p.m. and had more than 100,000 viewers on the live blog. Everything went well, but the big day had yet to come.

Finally, the media learned Thursday was going to be the day and the team was prepared to sit and wait. But on Tuesday evening they experienced a distributed denial of service (DDoS) attack, which left them scrambling to find a way to protect themselves from a nefarious attempt to crash the site.

They decided to eliminate the chain of servers at different companies and consolidate resources. The night before decision day, they set up four satellite servers off the main Media Temple server, each of which would host a cached version of the site that would be updated on a fixed, periodic schedule.

Two more DDoS attacks came the morning of the decision, but neither worked. Then, the news they and their audience had been waiting for broke.

“Right at 10:03 a.m. Thursday, we were getting more than 1,000 requests every second,” Mallory said.

In the end, SCOTUSblog received 5.3 million page views with no crashes or lag time. Load time never climbed above one second and CPU usage never ventured above 1%, a vindication of the new design. The site previously operated around 60% to 80% CPU usage with a hundredth of the traffic.

Traffic has since subsided and is expected to fade as the court heads for its summer recess. Mallory said the system set up for the health care decision will be shut off for now, but added that he and his colleagues will be prepared for the next major Supreme Court decision.


Kaspersky Lab, a developer of content management solutions, has warned end users to be on their guard against cyber criminals using the Olympics to launch phishing scams and DDoS attacks.

Kaspersky spokesperson Jagannath Patnaik said that end users might find themselves under siege from cyber criminals attempting to cash-in on the event. “One of the dangers is people being lured by mistake to an illegitimate site set up by someone who wants to profit from the event by pretending to sell items, like merchandise or tickets, that they are not authorised to,” he said.

“This could result in people giving up their personal information or surrendering a sum of money and being defrauded by scammers. This is a problem that may have been exacerbated by the ticket selling process the organisers have used,” he further added.

“Tickets have become available in stages and sponsors have had them to give away, whereas – if they were all sold at once – it might be easier to say the tickets that are appearing on sale after a certain date are unlikely to be genuine,” he said.

“There are going to be lots of people wanting to update Twitter and Facebook, access news sites and, possibly, shift money around between bank accounts to free up money for their trip. They should be wary about what connections they use to do this. It may not be an illegitimate Wi-Fi network set up by a crook, but it might be a publicly available one that someone can intercept the traffic of,” he said.


Anita Sarkeesian wanted to make a web series about how women are portrayed in video games. She asked the world for $US6000. Some of the people who thought that was interesting and worth doing have given her just shy of $US159,000.

Some of the people who thought it was not worth doing have defaced her Wikipedia page, written vile things to her on YouTube and… well, that’s what she already told us about in mid-June. But, wait, there’s more, as Sarkeesian explains in a new post on the Feminist Frequency blog:

In addition to the aggressive actions against me that I’ve already shared, the harassers launched DDoS attacks on my site, attempted to hack into my email and other social media accounts and reported my Twitter and YouTube accounts as “terrorism”, “hate speech” or “spam”. They also attempted to “dox” and distribute my personal contact info including address and phone number on various websites and forums (including hate sites).

Tropes Vs Women: Video Games is the name of the project. It’ll be a video series. It hasn’t even been made yet. That hasn’t stopped the trolling. I guess I should quote the mission statement of Sarkeesian’s project, though that implies that there is some mission statement out there that she could have had that would have merited this reaction — and that the only reason this reaction is condemnatory is because Sarkeesian’s mission statement doesn’t seem to merit the attacks sent her way.

Here’s the beginning of her Tropes Vs. Women: Video Games mission statement, to the extent that it even matters:

I love playing video games but I’m regularly disappointed in the limited and limiting ways women are represented. This video project will explore, analyse and deconstruct some of the most common tropes and stereotypes of female characters in games. The series will highlight the larger recurring patterns and conventions used within the gaming industry rather than just focusing on the worst offenders. I’m going to need your help to make it happen!

World-ending stuff, huh?

It’s not always that easy to be a woman in the world of gaming, but this is ridiculous.

Sarkeesian writes: “After struggling with whether or not to make the extent of the attacks public I’ve decided that it’s ultimately important to shed light on this type of abuse because online harassment and bullying are at epidemic levels across the internet.”

Agreed. It’s absurd. There are far smarter and funnier ways to disagree.