Defend Against DDoS Archive

UK’s largest hosting biz titsup in DDoS outrage

By Anna Leach

Posted in CIO, 23rd May 2012 12:36 GMT

A “massive” distributed-denial-of-service attack emanating from China has taken down 123-reg, the UK net biz that hosts 1.4 million websites.

In a statement on the its service status page just after midday today, 123-reg blamed attackers in China:

From 11:30 to 22:50 our network was undergoing a massive distributed denial of service attack from China. Due to the nature and size of this attack the firewall systems in place needed to be reconfigured to block the bad traffic and allow the good traffic through.

The attack, which appears to be ongoing, caused patchy service from the sites hosted by the company, which also has more than 4 million domains on its books. 123-reg promised that no emails would be lost, and messages would be queued up by the mail servers and sent shortly.

123-reg’s own site was down too in the aftermath of the traffic blast, which proved to be frustrating for users trying to find out what was going on. A 123-reg tweet at 12.30pm said that they were working through final issues and that services should be returning to normal.

123-reg is a brand name of Webfusion Ltd, part of the Host Europe group. WebFusion isn’t picking up the phone so we can’t get more detail on the hacks at this time. ®
Updated to add

A spokeswoman for 123-reg got in touch this afternoon to say:

We had contained the primary attack within 15 minutes of it happening. As the largest domain provider in the UK, and coupled with the increase of these types of attacks across Europe in particular, we know we are a prime target. We are still in the process of resolving this.

Source: http://www.theregister.co.uk/2012/05/23/123reg_ddos_attack/

By: Jeremy Nicholls

The internet is an ideal destination for like-minded people to come together.

This is as true for people who are reaching out to friends, colleagues and strangers to raise money for charity as it is for groups of individuals who plan to use cyber attacks to make political or ideological statements.

It is the latter group, ‘hacktivists’ as they have come to be called, who are having a profound impact on today’s security threat landscape.

Research from Arbor Networks’ annual Worldwide Infrastructure Security Report (a survey of the internet operational security community published in February) supports this. Ideologically motivated hacktivism and vandalism were cited by a staggering 66 per cent of respondents as a motivating factor behind distributed denial-of-service (DDoS) attacks on their businesses.

One of these attacks last month targeted the BBC – the attack took down email and other internet-based services and the BBC suspected the attack was launched by Iran’s cyber army in a bid to disrupt BBC Persian TV. Then there was the takedown of the Home Office website with the promise of a series of weekly attacks against the Government.

But it’s not just high-profile, politically connected organisations at risk. Any enterprise operating online, which applies to just about any type and size of business operating in the UK, can become a target because of who they are, what they sell, who they partner with or for any other real or perceived affiliations. Nobody is immune.

An influx of new attack tools entering the market are readily available and fast to download. This video demonstrates how many tools are available today to anyone with a grievance and an internet connection; furthermore, the underground economy for botnets is booming.

Botnets ‘for hire’ are popular – unskilled attackers are able to hire botnet services for bargain-basement prices. Just as an enterprise can subscribe to a technology provider or a cloud-based DDoS mitigation service, hacktivists can subscribe to a DDoS service to launch attacks.

While hacktivism has gained tremendous press attention recently, there is evidence of DDoS attacks being used for competitive gain. For example, the Russian security service FSB arrested the CEO of ChronoPay, the country’s largest processor of online payments, for allegedly hiring a hacker to attack his company’s rivals. He was charged with a DDoS attack on rival Assist that paralysed the ticket-selling system on the Aeroflot website.

This all has overwhelming implications for the threat landscape, risk profile, network architecture and security deployments for all service providers and enterprises.

With the democratisation of DDoS has come a change in the attacks themselves. The methods hackers use to carry out DDoS attacks have evolved from the traditional high-bandwidth/volumetric attacks to stealth-like application-layer attacks and state attacks on firewalls and IPS, with a combination of any or all three being used in some cases.

Multi-vector attacks are becoming more common. A high-profile attack on Sony in 2011 had the company blinded of security breaches that compromised user accounts on the PlayStation Network, Qriocity and Sony Online Entertainment, because it was distracted by DDoS attacks.

Whether used for the sole purpose of shutting down a network or as a means of distraction to obtain sensitive data, DDoS attacks continue to become more complex and sophisticated. While some DDoS attacks have reached levels of 100Gbps, low-bandwidth, application-layer attacks have become more prominent as attackers exploit the difficulties in detecting these ‘low-and-slow’ attacks before they impact services.

Of the respondents surveyed in Arbor’s report, 40 per cent reported an inline firewall and/or IPS failure due to a DDoS attack, and 43 per cent reported a load-balancer failure.

While these products have a place and are an important part of an organisation’s overall IT security portfolio, they are not designed to protect availability. To ensure the best possible protection, organisations should adopt a multi-layered approach – combining a purpose-built, on-premise device with an in-cloud service.

DDoS mitigation is not a short-term fix. At Arbor Networks, we believe that this is something that should sit within a company’s overall risk-planning considerations. Just as physical security can be impacted by fire or extreme weather, digital security includes evaluating threats to availability, namely DDoS attacks.

It is becoming increasingly important to develop a plan to identify and stop them before they impact services, just as you would with natural disasters such as earthquakes or floods.

It is time for companies to start considering DDoS in their business-continuity planning. If they don’t, and they are targeted, the resulting chaos and lack of tools extends the outage and increases the costs both from an immediate financial perspective, and in terms of longer-term brand damage.

 

Source: http://www.scmagazineuk.com/the-changing-face-and-growing-threat-of-ddos/article/241020/

TechWeekEurope learns an Anonymous splinter group took down Theresa May’s website, whilst targeting the ICO and the Supreme Court

On May 14, 2012 by Tom Brewster

Home secretary Theresa May saw her website taken down last night, in what TechWeekEurope understands was part of a widespread distributed denial of service (DDoS) campaign carried out by an Anonymous splinter group this weekend.

May’s website (tmay.co.uk) was down from around 9pm last night until approximately 10am this morning, it is believed.

Websites of the Supreme Court and the Information Commissioner’s Office (ICO) were down for large chunks of Sunday afternoon and evening too, although neither would confirm whether their sites were out of action due to a DDoS.

“We believe the website was targeted with a distributed denial of service. Mrs May treats threats of disruption to her website very seriously,” a spokesman for Theresa May said.

“Access to the ICO website was not possible yesterday afternoon,” an ICO spokesperson said. “We provide a public facing website which contains no sensitive information.”
Agent Smith talks…

The “voice” of a UK-based Anonymous group calling itself the ATeam told TechWeekEurope it had targeted and successfully taken down all three sites as part of the  campaign against the UK’s attitude to extradition.

Talking over Skype, the spokesperson, going by the name of Winston Smith, said the attack on the Theresa May website was part of OpTrialAtHome, which is protesting against the UK’s extradition treaty with the US. In particular, Smith pointed to the case of Gary Mckinnon, who remains in limbo over whether he will be extradited to the US on hacking charges.

The government has come under fire for leniency to the US. The debate over the extradition treaty was given a fresh lease of life in March, when the home secretary approved the extradition of British student Richard O’Dwyer, who is facing charges of conspiracy to commit copyright infringement and criminal infringement of copyright for his role in the TV Shack website.

“The Computer Misuse Act should be applied at the location of the crime, not at the alleged source,” he said. “The US-UK judiciary change source and location application of the law when it suits them. That was one aspect of the protest”

As for the ICO, the ATeam claimed it hit the data protection regulator because of a “failure to protect privacy.” “The ICO are not equiped, nor have the motivation to ensure that we are protected,” Smith said.

The hacktivist collective is also protesting the Leveson Inquiry, which it believes has not worked effectively in punishing the media for hacking offences. Smith said Leveson was a “complete failure”.

Smith, who claimed to be a former investment banker, said the ATeam, also known as the Anonymous Team, consisted of 10 people who were “the best in the world.” The group does not directly work with other Anonymous cells.

He said the average age of the group was around 40, making it different from the other Anonymous groups, which consist largely of “children” who “cause more harm than good” and have “no understanding of what they are doing”.

“There are many  anons who are actual extremists hiding behind the mask,” Smith added. “We believe the mask has to come off.”

Smith said another key protest will focus on the draft Communications Data Bill, which was announced in the Queen’s Speech last week. Via a source within government, TechWeekEurope exclusively revealed the Coalition was already believed to be backing away from one of the key aspects of the bill – the black boxes in which citizens’ comms data would be stored within ISPs.

In the coming weeks, the ATeam hopes to take down more websites, including those of the Leveson Inquiry, the Home Office and the Supreme Court.

Smith and Anonymous have been linked with previous hits on the Home Office websites, as well as attempts on GCHQ.

Anonymous has had another busy year. Earlier this month, the group took responsibility for hits on ISPs TalkTalk and Virgin in protest at the Pirate Bay ban they were forced to impose. However, the Pirate Bay posted a public notice denouncing the use of DDoS as a protest tool.

UPDATE: This afternoon, the ICO website has been experiencing further problems, with its website inaccessible at the time of publication. The same Anonymous team told TechWeekEurope it had hit the watchdog’s site, whilst the ICO said it was looking into the matter.

“We are reviewing the underlying causes for the website being down with the providers of our web hosting,” an ICO spokesperson said.

Smith said the group had targeted the ICO as part of a protest against the Leveson Inquiry. “The information commissioner has failed to address the multiple data protection breaches of citizens by the media,” he added.

 

Source: http://www.techweekeurope.co.uk/news/anonymous-strikes-down-theresa-may-website-in-extradition-protest-77894

By David Meyer , 9 May, 2012 09:11

Hackers associated with Anonymous forced Virgin Media’s website offline for at least an hour on Tuesday, but the file-sharing service whose blockage sparked the protest has condemned the attack.

In an operation dubbed OpTPB, Anonymous hackers apparently subjected Virgin’s site to a distributed denial-of-service (DDoS) attack that began at 5pm. Twitter messages referring to OpTPB suggested that it was a response to Virgin Media’s blocking of The Pirate Bay (TPB), which began last week after a court ordered it.

Although Virgin admitted to an hour-long downtime, the site was still not working at the time of writing, around 16 hours after the attack began.

“DDoS and blocks are both forms of censorship,” The Pirate Bay told followers on its Facebook page, referring to “some random Anonymous groups [having] run a DDoS campaign against Virgin Media and some other sites”.

“We’d like to be clear about our view on this: We do NOT encourage these actions,” TPB said. “We believe in the open and free internets, where anyone can express their views. Even if we strongly disagree with them and even if they hate us. So don’t fight them using their ugly methods.”

The file-sharing service went on to suggest that those wanting to help it could set up a tracker, join or start a local Pirate Party, write to their political representatives or develop a new P2P protocol.

According to the BBC, Virgin said in a statement that it has to comply with court orders, but believes that “tackling the issue of copyright infringement needs compelling legal alternatives, giving consumers access to great content at the right price, to help change consumer behaviour”.

“Copyright defenders, including the British recorded music industry body BPI, have argued that illegal copies of films, books and music made available on file-sharing sites destroy creative industry jobs and discourage investment in new talent,” the ISP added.

The court order followed a ruling in February which established that TPB was infringing on copyright by providing a service that people use to unlawfully share copyrighted material.

TPB was not itself represented at the hearing that led to that ruling, but the judge, Mr Justice Arnold, argued that there was little point in trying to get the site’s proprietors into court when even the authorities in Sweden, TPB’s home country, had failed to do so.

Virgin Media was the first ISP to carry out the block ordered last week, but others covered by the same court order include Sky, Everything Everywhere, TalkTalk and O2. BT is not yet subject to the order as it has requested more time to assess the implications.

Source: http://www.zdnet.co.uk/blogs/communication-breakdown-10000030/pirate-bay-condemns-virgin-media-hack-10026118/

Guest post written by Jonathan Lewis

5/08/2012 @ 10:02PM

As cyber security moves from a purely technical issue to a major business concern, CIOs are faced with the thorny problem of how to best protect their company without over-spending on security.  Security is about protecting confidentiality, integrity and network availability. Thus far, security spending has largely been focused on confidentiality and integrity with relatively little spending on protecting network availability. Research shows that it’s time for this approach to change.

Loss of data center availability due to Distributed Denial of Service (DDoS) attacks has emerged as one of the most prevalent and costly forms of cybercrime. Motivations include extortion, revenge and competitive advantage, as well as a recent explosion of politically motivated attacks, also known as “hacktivism.”

The means to carry out sophisticated and effective attacks are within easy reach of anyone with a PC and an Internet connection. Do-it-yourself DDoS attack tools are readily available and easy to use. Botnets for rent and DDoS attack services are available to anyone with as little as $50 and a grudge. A quick search on YouTube for “DDoS Service” shows how openly these attack services are being sold. As a result, enterprises and service providers are experiencing attacks on their data centers more often and with more severe business consequences than ever before.

The goal of the attacker is to prevent a data center from performing its core function – whether that be transacting e-commerce; delivering e-mail or voice services; providing DNS services; serving up Web content delivery; hosting games; and so on. Because the attacker is trying to create maximum disruption, attacks are most likely to occur at the worst possible time for the victim. For example, online retailers are especially vulnerable during the peak shopping period between Thanksgiving and Christmas and especially on Cyber Monday.

CIOs should take a proactive approach for incorporating the DDoS threat into security and business continuity planning. The steps are straightforward. First, gain an understanding of the cost of service outages. In other words, determine what the hourly cost will be to your business if the data center is down or disabled due to an attack. Second, understand the probability that your business will be attacked and experience service outages. Lastly, take a risk management approach and consider the business impact of extended outages (i.e. 24 hours or more), weighing the expected costs/risks against the cost of investing in DDoS protection to ensure service availability.

The hourly cost of downtime will be unique to your business but generally comprises the following elements:

  • Operations: What is the number of IT personnel that will be tied up addressing the attack and what is the hourly cost of that?
  • Help Desk: If systems are shut down, how many help desk calls will be received and what is the cost per call?
  • Recovery: How much manual work will be required to re-enter transactions?
  • Lost Worker Output: What is the level of employee output lost to downtime and the costs associated with that?
  • Lost Business: How much business will be lost for every hour the network is down?
  • Lost Customers: How many existing customers will defect to the competition? What is the lifetime value of these customers?
  • Penalties: How much will it cost in terms of service level agreement (SLA) credits or other penalties?
  • Lost Future Business: How much will your ability to attract new customers be affected? What is the full value of that lost business?
  • Brand and Reputation Damage: What is the cost to the company in terms of brand value?

Compare your results to industry averages. The Ponemon Institute surveyed 41 business managers from 16 different industry segments on the costs their operations had incurred due to unplanned data center outages. The hourly cost of downtime ranged from $8,500 to $210,000 per 1000 square feet of data center space in operation. Financial services and online commerce showed the highest costs per hour.

Next, consider the risk of attack. If your business has already been a victim of DDoS, the likelihood of subsequent attacks is high – you are already a target. Even if you have not been attacked before there is still substantial risk. Once again, industry averages provide helpful guidance for risk planning. The most recent figures indicate expected annual downtime due to DDoS for an average data center is about 12 hours.

Combining the expected annual downtime with the hourly cost of downtime provides a good guideline as to the annual cost (or “annual loss expectancy”) your business is likely to incur if you do not deploy effective DDoS protection. However, this does not provide the complete picture. There is the question of managing risk. DDoS attacks can bring down or seriously degrade services for days at a time. While the average expected annual outage time is about 12 hours, there is a smaller but real risk of extended downtime from DDoS. Outages of 24 hours and more are not uncommon. Thus DDoS should figure into business continuity planning much in the same way as fire and natural disaster do. In short, while the annual loss expectancy due to DDoS is an important economic consideration, it may be even more important to protect the business from catastrophic loss if it can be done at a cost that is both manageable and predictable.

DDoS attacks are trending upward in frequency, size, duration and effectiveness. The good news is that there are solutions available that can prevent these attacks from bringing down data center services. CIOs who understand the economic value of data center services to their business, and who are aware of costs associated with DDoS threat, are well positioned to make the right business decisions with regard to investments in network availability protection.

 

Source: http://www.forbes.com/sites/ciocentral/2012/05/08/figuring-ddos-attack-risks-into-it-security-budgets/