Denial of Service Archive

Enterprises need to exercise vigilance in protecting their networks from botnets.

Beware the botnet. A botnet is a collection of Internet-connected devices, including PCs, servers, mobile devices, and Internet of Things devices, like sensors and home appliances, that are infected and controlled by malware. Owners and users of the Internet-connected devices are usually unaware of a botnet infecting their devices.

The botnet can be used for a distributed denial-of-service (DDoS) attack: the devices in the botnet together consume the bandwidth or resources of a targeted system, such as a Web server.

Protection against botnets has become an international issue. Vendors create the products that are susceptible to botnets, and enterprises don’t do enough to combat the problems.

Report to the President
I read the draft, “A Report to the President on Enhancing the Resilience of the Internet and Communications Ecosystem Against Botnets and Other Automated, Distributed Threats,” by The Secretary of Commerce and The Secretary of Homeland Security. The draft report, posted on January 5, 2018, included some thoughts that are worth reviewing for the enterprise.

The Departments of Commerce and Homeland Security pursued three approaches: hosting a workshop, publishing a request for comment (the report mentioned above), and initiating an inquiry through the President’s National Security Telecommunications Advisory Committee (NSTAC). These were aimed at collecting input from experts and stakeholders in private industry, academia, and civil society. The final version will be based on the comments received before submission; it is due to the President on May 11, 2018.

Opportunities and Challenges
The draft report highlights the efforts needed to reduce the threats from automated distributed attacks. One of my conclusions is that the time-to-market vendor mentality produces the opportunities for botnet creation. The efforts are divided into six areas:

  • Automated, distributed attacks are a global problem. Most infected devices in recent botnets have been located outside the United States.
  • Effective tools exist, but are not widely used. The tools are available, but they are not part of common practices in product development and deployment. Both product developers and enterprises need to invest more and increase their awareness of the problems.
  • Products should be secured during all stages of the lifecycle, not as an afterthought. Devices are vulnerable at time of deployment. The lack of methods and procedures to patch vulnerabilities after discovery is the fault of the device vendors as well as the enterprises that own the devices.
  • Education and awareness are needed. Knowledge gaps in home and enterprise customers, product developers, manufacturers, and infrastructure operators impede the deployment of the tools, processes, and practices that would create more resiliency.
  • Market incentives are misaligned and are not driven to fully address the botnet threats.
  • Automated, distributed attacks are an ecosystem-wide challenge. There is no single party, vendor, government, academia, or enterprise that can alone mitigate the botnet problems.

The Enterprise Perspective

Enterprise networks, whether they belong to businesses, governments, or academic institutions, are routinely connected to the Internet. These networks are complex, enterprise owned, and include a number of devices that can be used in support of botnets; this also includes cloud-based services. The devices can be anything from simple PCs, servers, and mobile devices to IoT devices. An enterprise network can simultaneously be a victim of a botnet and part of one. Besides DDoS attacks, botnets can be part of ransomware attacks.

The report envisions the enterprise application of the NIST Cybersecurity Framework. The report postulates that there are five concurrent and continuous functions that need to be applied:

  1. Identify and locate devices that cannot be secured. Enterprises should remove and retire these high-risk devices and replace them with inherently secure devices or those that can be secured.
  2. Protect the system and network architectures to provide additional layers of protection for any remaining high-risk devices and deploy DDoS mitigation services.
  3. Detect using a combination of ISP-based detection services and enterprise-operated network monitoring for both inbound and outbound malicious traffic, and identify infected devices in near real-time.
  4. Respond to attacks by creating policies and procedures to address detected infected devices. Enterprises should have processes and procedures to contact their ISPs and anti-DDoS service providers when attacks are detected.
  5. Recover by maintaining the ability to rebuild infected systems instead of paying a ransom to resume operations.

A Possible Remedy
My last blog, “Compliance: A Cost or Savings?,” dealt with existing IT and data compliance requirements. No one likes compliance, as compliance regulations demand a number of security functions and implementations. However, compliance regulations can create positive incentives.

My thought is that if there were government-imposed security compliance requirements for endpoint devices connected to the Internet, significant fines and penalties would become possible. Those harmed by botnets could sue the botnet creators and those who allow their devices to be used in the botnet, and penalties could be levied. This may go a long way toward creating incentives for vendors and enterprises to select and install devices that improve resilience against botnets. Merely setting goals or acknowledging the botnet problem will not stop the botnets.


Canadian cybersecurity company DOSarrest has released a new service which allows organizations to test their systems’ resilience against distributed denial of service attacks.

The Cyber Attack Preparation Platform (CAPP) allows anyone to choose from a variety of options which specify the attack type, velocity, duration, and vector. The service is paid for according to the options chosen, and can be used by anyone – previously, only DOSarrest’s clients had access to this type of facility.

The attacking machines are distributed across the world and employ a variety of methods, thus accurately emulating an attack “in the wild.”

The company’s literature states that in some cases, larger hosts (such as cloud provider services like AWS or Google Cloud) simply scale up their hosted sites’ provisions in order to mitigate an attack: in short, when the going gets tough, the tough throw resources.

However, this style of mitigation can cost companies large sums of money if they are funding their cloud computing activities on the basis of pay-as-you-use.

Users of DOSarrest’s service can choose to pick specific attack types from a range of TCP attacks, plus a focussed range of attacks usually aimed at web services.

DOSarrest’s CTO, Jag Bains commented:

“It’s interesting to see how different systems react to attacks; CAPP not only shows you the traffic to the victim but also shows you the traffic response from the victim. A small attack [on] a target can actually produce a response back that’s 500 times larger […] This is the best tool I’ve seen to fine tune your cybersecurity defenses, if you fail you can make changes and launch the exact same attack again, to see if you can stop the attack.”

The company advises that attacks be chosen carefully, as it is plainly possible to bring down an entire enterprise’s systems: that large attacks can be emulated so faithfully is in equal measure alarming and reassuring.

The company provides a handy pricing calculator by which interested parties can scope out what their testing might cost them: a ballpark of US$1,500 might be considered a bare minimum.

Of course, the cost of an attack by unknown actors will be much more, by some significant factor, and DOSarrest’s facility should hopefully go some way in mitigating the chances of such an attack being successful.


Latest version targets systems running ARC processors.

The authors of the Satori IoT malware family have dramatically increased their pool of bot recruits for attack botnets with a new version of the tool targeting systems running ARC processors.

The latest Satori variant, the fourth since the malware first surfaced in Dec. 2017, appears to be the first aimed specifically at ARC chipsets, DDoS attack mitigation vendor Arbor Networks said in an advisory this week.

ARC processors are 32-bit power-efficient CPUs that are used in a wide range of applications including automotive, industrial, and IoT. More than 1.5 billion embedded systems containing ARC cores ship every year, including electronic steering controls and infotainment systems in cars, as well as personal fitness bands, digital TV set-top boxes, and smart thermostats.

Like other Satori variants, the newest one also leverages the Mirai code base. Like Mirai, it is designed to propagate through credential scanning, meaning the malware can potentially infect any ARC device with default and easily guessable telnet usernames and passwords. The previous Satori variant specifically targeted Huawei routers.

It’s hard to say which specific ARC-based devices the Satori authors are hoping to target because of the huge installed base of systems, says Peter Arzamendi, security researcher at NETSCOUT, Arbor’s Security Engineering & Response Team.

However, “botnets that target new and novel types of IoT devices is the new normal,” he says. “With the proliferation of IoT and BYOD, enterprises will need to understand how to both defend these devices and be able to respond when they are compromised,” Arzamendi says.

With support for ARC added, Satori variants now target a wide range of systems, including those based on Intel, ARM, MIPS, PPC, and SuperH processor architectures. The variants differ slightly in targeting and in capabilities.

Building malware for a new processor architecture like ARC is not too difficult an endeavor and only requires a compiler that supports the architecture, and some open source tools to help with porting code, says Arzamendi.

“IoT [botnets] depend on compromising as many devices as possible. Threat actors will have less competition by focusing on new types of devices that others are not targeting,” he says of the latest Satori development.

On Defense

With DDoS-capable malware available for a wider range of Internet-connected devices than when Mirai first surfaced in late 2016, network operators need to review their defense strategies, according to Arbor.

In addition to protecting against DDoS attacks, businesses need to ensure their own IoT networks and devices are not being used in DDoS attacks, Arbor said. “The collateral damage due to scanning and outbound DDoS attacks alone can be crippling if network architectural and operational best current practices are not proactively implemented,” the security vendor said in its advisory.
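As an added illustration of the outbound monitoring Arbor recommends (example code written for this page, not Arbor’s or NETSCOUT’s), the Python below runs over constructed flow records and flags internal hosts showing the two outbound behaviours named above: fan-out to many hosts on the telnet ports that Mirai-style credential scanning uses, and a burst of flows toward a single destination. The CSV record format, the sample addresses and the thresholds are assumptions.

```python
from collections import defaultdict

# Constructed flow records (not captured traffic), one per line: "src,dst,dport,packets".
# 10.0.5.42 fans out to many hosts on 23/2323 (telnet credential-scanning pattern),
# 10.0.5.77 sends a burst of flows to one target (outbound flood pattern),
# 10.0.1.10 is an ordinary client making a couple of HTTPS connections.
SAMPLE_FLOWS = (
    [f"10.0.5.42,198.51.100.{i},23,3" for i in range(1, 9)]
    + [f"10.0.5.42,198.51.100.{i},2323,3" for i in range(9, 13)]
    + ["10.0.5.77,203.0.113.10,80,40"] * 60
    + ["10.0.1.10,203.0.113.20,443,120", "10.0.1.10,203.0.113.21,443,85"]
)

TELNET_PORTS = {23, 2323}
SCAN_MIN_DISTINCT_TARGETS = 10   # assumed: distinct telnet targets before flagging a scan
FLOOD_MIN_FLOWS_TO_ONE_DST = 50  # assumed: flows from one source to one target before flagging a flood


def parse_flow(line):
    """Split one constructed CSV record into a dict with typed fields."""
    src, dst, dport, packets = line.strip().split(",")
    return {"src": src, "dst": dst, "dport": int(dport), "packets": int(packets)}


def detect_bot_behaviour(lines, scan_min=SCAN_MIN_DISTINCT_TARGETS,
                         flood_min=FLOOD_MIN_FLOWS_TO_ONE_DST):
    """Return {source_ip: [findings]} for sources whose outbound traffic matches
    either the telnet fan-out pattern or the single-target flood pattern."""
    telnet_targets = defaultdict(set)   # src -> distinct destinations hit on telnet ports
    flows_per_pair = defaultdict(int)   # (src, dst) -> number of flows between the pair
    for line in lines:
        flow = parse_flow(line)
        if flow["dport"] in TELNET_PORTS:
            telnet_targets[flow["src"]].add(flow["dst"])
        flows_per_pair[(flow["src"], flow["dst"])] += 1

    findings = defaultdict(list)
    for src, targets in telnet_targets.items():
        if len(targets) >= scan_min:
            findings[src].append(("telnet_scan", len(targets)))
    for (src, dst), count in flows_per_pair.items():
        if count >= flood_min:
            findings[src].append(("outbound_flood", dst, count))
    return dict(findings)


if __name__ == "__main__":
    for host, reasons in detect_bot_behaviour(SAMPLE_FLOWS).items():
        print(f"{host}: {reasons}")
```

Feeding it real NetFlow or IPFIX exports from the internal segment, with thresholds tuned to that network's normal fan-out, turns the report's "detect outbound malicious traffic" item into a concrete, repeatable check.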

Adam Meyers, vice president of intelligence at CrowdStrike, says organizations need to invest in DDoS protection if they haven’t done so already, and ensure they know what to do in the event of an attack. Tabletop exercises are a great way to ensure that all stakeholders are in lockstep when an attack does occur, he says.

“Protecting against IoT botnets will become increasingly difficult as IoT devices age in place,” Meyers says. “A bulk of these devices is going to remain deployed as long as they continue to function, and patching will not be widespread. In addition, new vulnerabilities in some of these platforms will continue to be identified.”

In addition to DDoS attacks, enterprises should also be aware that IoT botnets can be used for other purposes, such as creating a non-attribution proxy network for criminal enterprises, distributing spam, and hosting Web content for phishing.


IoT and smart devices will be easy targets for cyber attackers this year.

2017 once again proved that the cyber threat landscape is complex and constantly changing, dictating the need for comprehensive and responsive defences that step up to the real challenges that organisations face. AI-aided attacks, increased regulation and the exponential growth of endpoint and IoT devices present the opportunity for entirely new forms of risks to emerge, ever changing the face of cyber security. Darren Thomson, EMEA Chief Technology Officer at Symantec explores the key trends and threats to anticipate in the coming year.

The Cyber Cold War Escalates

As international tensions continue to go digital, much of this will remain unknown to the world stage. Nation states won’t be able to publicly peacock their cyber arsenal to intimidate or dissuade their enemies, at the risk of revealing their attack vectors and exploits. This underground warfare is already poised to be a major geopolitical weapon for world powers and rogue states in 2018, escalating the already high stakes and potential for destruction. Industries, critical infrastructure, supply chains and people will be the pawns in an escalating modern war unlike any before it.

The Rise of Mass Social Engineering

Mass social engineering will also become a crucial weapon in modern warfare, with machine learning and AI leveraged to construct more complex and highly targeted lures against citizens and organisations. The more mature use of data and analytics will see social media attacks conducted at a more impactful level, with the potential for high-profile impact leading us to question who and what we can trust. While fake news is likely to remain part of the picture in 2018, be prepared for social engineering to take new guises.

Infrastructure as a Priority Target

Stuxnet and Dragonfly already demonstrated the destructive potential of a targeted cyber attack against infrastructure, from banks and hospitals to transportation and even energy providers. These attacks typically exploit basic gaps in cyber defences, yet have the potential to have substantial, lasting damage to our world. 2018 could be a turning point: will organisations and businesses step up to the urgent need to address these major vulnerabilities, or will we see a landmark attack on a nation’s critical infrastructure?

The Dawn of Criminal AI and Machine Learning

No cyber security conversation today is complete without a discussion about AI and machine learning. So far, these conversations have been focused on using these technologies as protection and detection mechanisms. However, this will change in the next year with AI and machine learning being used by cyber criminals to carry out attacks. It is the first year where we will see AI versus AI in a cybersecurity context. Cyber criminals will use AI to attack and explore victims’ networks, which is typically the most labour-intensive part of compromise after an incursion.

The Financial Trojan Gold Rush

Financial trojans were some of the first pieces of malware to be monetised by cyber criminals. From simple beginnings as credential-harvesting tools, they have since evolved into advanced attack frameworks that target multiple banks and banking systems, send shadow transactions and hide their tracks. They have proven to be highly profitable for cyber criminals. The move to mobile, application-based banking has curtailed some of their effectiveness, but cyber criminals are quickly moving their attacks to these platforms. Cyber criminals’ profits from financial trojans are expected to grow, giving them higher gains than ransomware attacks.

Supply Chain Attacks Become Mainstream

Supply chain attacks have been a mainstay of classical espionage and signals-intelligence operators, compromising upstream contractors, systems, companies and suppliers. They are highly effective, with nation-state actors using human intelligence to compromise the weakest links in the chain, as well as malware implants at the manufacture or distribution stage through compromise or coercion.

File-less and File-light Malware Explodes

2016 and 2017 saw consistent growth in the amount of file-less and file-light malware, with attackers exploiting organisations that are unprepared for such threats. With fewer Indicators of Compromise (IoCs), use of the victims’ own tools, and complex, disjointed behaviours, these threats have been harder to stop, track and defend against in many scenarios. As in the early days of ransomware, when early success by a few cyber criminals triggered a gold-rush mentality, more cyber criminals are now rushing to use these same techniques. Although file-less and file-light malware will still be smaller by orders of magnitude than traditional malware, it will pose a significant threat and see explosive growth in 2018.

Smart Devices Held to Ransom

Ransomware has become a major problem and is one of the scourges of the modern Internet, allowing cyber criminals to reap huge profits by locking up users’ files and systems. The gold-rush mentality has not only pushed more and more cyber criminals to distribute ransomware, but also contributed to the rise of Ransomware-As-A-Service and other specializations in the cyber underworld. These specialists are now looking to expand their attack reach by exploiting the massive increase in expensive connected home devices. Users are generally not aware of the threats to Smart TVs, smart toys and other smart appliances, making them an attractive target for cyber criminals.

IoT Devices Will Be Hijacked and Used in DDoS Attacks

In 2017, we have seen massive DDoS attacks using hundreds of thousands of compromised IoT devices in people’s homes and workplaces to generate traffic. This is not expected to change with cyber criminals looking to exploit the poor security settings and lax personal management of home IoT devices. Furthermore, the inputs and sensors of these devices will also be hijacked, with attackers feeding audio, video or other faked inputs to make these devices do what they want rather than what users expect them to do.

IoT: A Critical Backdoor

Beyond DDoS attacks and ransomware, home IoT devices will be compromised by cyber criminals to provide persistent access to a victim’s network. Home users generally do not consider the cyber security implications of their home IoT devices, leaving default settings and not vigilantly updating them as they do with their computers. Persistent access means that no matter how many times a victim cleans their machine or protects their computer, the attacker will always have a backdoor into the victim’s network and the systems that connect to it.

Draft U.S. government recommendations on ways to reduce the threat of automated botnets launching denial of service attacks and spreading malware are too weak, says a cyber security expert.

The report from the departments of Homeland Security and Commerce issued last week, “definitely did not go far enough,” John Pescatore, director of emerging security trends at the SANS Institute, said in an interview.

While praising the report’s urging that manufacturers and end users follow best practices in cyber hygiene, much of it came down to “let’s do the same thing we’ve been doing, but more – more information sharing, government standards,” Pescatore complained.

Instead, he said the U.S. – and all governments around the world – should use their existing buying and regulatory power to force organizations to better use current technology and force makers of Internet of Things devices to tighten their security.

For example, Pescatore said, the report suggests Washington develop profiles for denial of service protection, then go to the private sector and say it should be providing denial of service protection services. “We (already) have denial of service protection services out there,” Pescatore said. “If the government were simply to say every government Web site that touches data or provides information to the public must use denial of service protection services, that would help drive the entire market to ensure they use those types of services.

“And if it said everyone who does business with the (U.S.) government over the Internet must also be using denial of service protection services that also would help. Instead what this report did is say, ‘OK, once we can write documents that would have a government definition of denial of service protection services, then we can talk about doing something.’”

As for IoT manufacturers, Pescatore said there’s no reason for more study. Most governments already have regulatory agencies covering a wide range of products from food to medical devices to transportation that have safety mandates. They should issue cyber security regulations as well, tailored for those industries.

Instead, he said, the report suggests an ecosystem-wide solution is needed. But “making a self-driving car as secure as a medical implant is impossible.”

Pescatore isn’t the first to say regulators have to do more to control IoT devices. U.S. digital security expert Bruce Schneier said much the same thing at last November’s SecTor conference in Toronto. It was also hotly debated at the RSA Conference.