Stop DDoS Attacks Archive

Popular chat service Discord experienced issues today due to network problems at Cloudflare and a wider internet issue. The app was inaccessible for its millions of users, and even Discord’s website and status pages were struggling. Discord’s problems could be traced to an outage at Cloudflare, a content delivery network. Cloudflare started experiencing issues at 7:43AM ET, and this caused Discord, Feedly, Crunchyroll, and many other sites that rely on its services to have partial outages.

Cloudflare says it’s working on a “possible route leak” affecting some of its network, but services like Discord have been inaccessible for nearly 45 minutes now. “Discord is affected by the general internet outage,” says a Discord statement on the company’s status site. “Hang tight. Pet your cats.”

“This leak is impacting many internet services including Cloudflare,” says a Cloudflare spokesperson. “We are continuing to work with the network provider that created this route leak to remove it.” Cloudflare doesn’t name the network involved, but Verizon is also experiencing widespread issues across the East Coast of the US this morning. Cloudflare notes that “the network responsible for the route leak has now fixed the issue,” so services should start to return to normal shortly.

Cloudfare explained the outage in an additional statement, commenting that “Earlier today, a widespread BGP routing leak affected a number of Internet services and a portion of traffic to Cloudflare. All of Cloudflare’s systems continued to run normally, but traffic wasn’t getting to us for a portion of our domains. At this point, the network outage has been fixed and traffic levels are returning to normal.”


As DDoS attacks grow more frequent, more powerful, and more sophisticated, many organizations turn to DDoS mitigation providers to protect themselves against attack.

Before evaluating DDoS protection solutions, it is important to assess the needs, objectives, and constraints of the organization, network and applications. These factors will define the criteria for selecting the optimal solution.

Below are eight questions to ask when considering DDoS protection:

  1. What are my data center plans? Many organizations are migrating their data center workloads to cloud-based deployments. The decision of whether to invest in new equipment or to use to a cloud service depends heavily on this consideration. Organizations that are planning to downscale (or completely eliminate) their data centers might consider a cloud service. However, if you know for sure that you are planning to maintain your physical data center for the foreseeable future, then investing in a DDoS mitigation appliance could be worthwhile.
  2. What is my threat profile? Which protection model is best for you also depends heavily on the company’s threat profile. If a company is constantly attacked with a stream of non-volumetric DDoS attacks, then a premise-based solution might be an effective solution. However, if they face large-scale volumetric attacks, then a cloud-based or a hybrid solution would be better.
  3. Are my applications mission-critical? Some DDoS protection models offer faster response (and protection) time than others. Most applications can absorb short periods of interruption without causing major harm. However, if your service cannot afford even a moment of downtime, that should factor heavily into the decision-making process.
  4. How sensitive are my applications to latency? Another key consideration is the sensitivity of the organization and its applications to latency. Cloud-based services tend to add latency to application traffic, so if latency is a big issue, then an on-premise solution – either deployed inline or out-of-path – might be relevant.
  5. Am I in a regulated industry? Some organizations are within regulated industries that handle sensitive user data. As a result, they’re prevented from – or prefer not to – migrate services/data to the cloud.
  6. How important is control for me? Some organizations place a big emphasis on control, while others prefer that others handle the burden. A physical device will provide you with more control, but will also require additional overhead. Others, however, might prefer the lower overhead usually offered by cloud services.
  7. OPEX vs. CAPEX? Solutions which include hardware devices (such as a premise-based DDoS appliance) are usually accounted for as a capital expenditure (CAPEX), whereas ongoing subscription services (such as cloud DDoS protection services) are considered operating expenses (OPEX). Depending on accounting and procurement processes, some organizations may have a preference for one type over the other.
  8. What is my budget? Finally, when selecting a DDoS protection solution, many times the decision comes down to costs and available funds. That’s why it is important to be cognizant of the total cost of ownership (TCO), including added overhead, infrastructure, support, staff and training.

Depending on the answers to those questions, organizations can define the criteria for what’s important for them in a DDoS solutions, and base their choice based on that.

  • Typically, for organizations seeking data center protection, or have mission critical and latency-sensitive applications they need to protect, a hybrid solution will provide optimal protection.

Hybrid DDoS protection combines both premise-based and cloud-based components. It provides both low latency and uninterrupted protection, as well as the high capacity required to mitigate large-scale volumetric DDoS attacks.

  • For organizations looking to protect applications hosted on public cloud providers (such as AWS or Azure), or customers who frequently come under attack, an cloud-based always-on solution will usually be best.

Always-On cloud service provides constant, uninterrupted cloud-based DDoS protection. However, since all traffic is routed through the provider’s scrubbing network, it may add latency to requests.

  • Finally, for customers who are infrequently attacked, or otherwise have a limited budget, a cloud-based on-demand solution will usually suffice.

On-Demand cloud service is activated only when organizations come under DDoS attack. However, detection and diversion usually take longer than in other models, meaning that the customer may be exposed for longer periods.

The parameters of the optimal DDoS solution will inevitably vary from organization to organization. Use these questions to help guide you to the solution that is best for you.


There have been two notable evolutions made by hackers recently in the DDoS arena. First, there’s been an expansion of botnets. They’ve moved beyond PCs to compromised Internet of things (IoT) devices and cloud services. That’s vastly expanded the possible sources of attacks.

The second has been the use of highly distributed attack patterns, commonly referred to as carpet-bombing. The two are connected and reflect a sophisticated understanding by the attackers of the limitations of current DDoS defensive technologies.

Most DDoS defenses rely on a simple baseline model to identify ‘abnormal’ surges in traffic towards a specific target. This is an imprecise identification that lacks context, resulting in a lot of false positives. Suspect traffic is routed by a backhaul link to a mitigation appliance; however, much of the re-routed traffic can actually be legitimate. Thus, the process is resource intensive and costly

It also lacks the network-wide visibility to map attacks back to actual user experience, making it difficult to keep affected (and poor quality-intolerant) customers appraised of the situation.

In the age of IoT and cloud, it’s getting worse for these traditional defenses. Because the botnets that carry out the attacks have vastly expanded, it is now possible to carry out terabit-level attacks from hundreds of thousands and — not too far off — even millions of compromised devices. Traditional defenses have a harder time dealing with so many flows coming from so many different directions. They are not good at multi-vector attacks.

For example, the attack on the DNS provider DYN, back in October 2016, caused the entire network that DYN was on to suffer massive slow-down. Carried out by the Mirai botnet, which had hundreds of thousands of badly secured IoT devices and compromised cloud servers enslaved, it affected thousands of users. Although it had been initiated by a single attacker, the attack took down the entire infrastructure for a number of hours.

The challenge, if you’re a DNS provider like DYN, is that this DNS-based attack traffic looks like all the other traffic on your network — the perfect diversion. So while you struggle to find out what’s going on with your DNS service, the hijacked cloud servers come into play delivering a high impact, high-bandwidth TCP attack that takes the servers out altogether.

This combination of different attack sources and different attack vectors created the most impactful attack that we have ever seen.

An example of the other side of the coin is a carpet-bomb attack that often results in false negatives. As a method of attack, it evades the “big surge” method of detection. It doesn’t just affect a single target, although a single organization may, in the end, be the target. It affects tens of thousands of users and makes it harder to see who the target actually is.

Fortunately, as we’ve said, there are innovations on the defensive side that can help. We have identified five principles of the new approach to fighting DDoS:

  1. Global-level monitoring: use information about the entire internet and network to understand the context of what is occurring. For instance, is the surge just an AWS file transfer or an attack? If you have an accurate, global database of IP endpoints, you can know what the source is and whether it’s reliable, thus minimizing false positives.
  2. Ratio-based detection: as opposed to big surge detection, this method of identification takes a holistic view of the network. It looks for patterns of attack or signatures. For instance, an imbalance between SYN and SYN ACK, which is the telling signature of a SYN flood attack, will trigger an alert, even if no baseline trigger caused an alert.
  3. Use your routers: mitigation appliances or scrubbers are expensive solutions and inherently limited; routers are already in place and can easily block multiple attack vectors without taking a performance hit. If through global detection you understand all the endpoints from which the attack is coming, you simply create ACLs to drop this traffic at your peering routers.
  4. Protect your network out of the box: most DDoS defense solutions today are an afterthought. Layer in a defensive approach from the beginning. Build holistic network intelligence into your architecture and then use your routers to provide the first layer of blocking or re-routing. This will deal with a majority of the nuisance traffic and reserve the scrubbers for the attacks that require more stateful analysis.
  5. Map it back to quality of experience (QoE):  The key point for network operators is that there is no reasonable amount of poor quality streaming, according to the customer. They don’t care why they have been receiving SD video for 40 minutes, they just want it to improve or they’ll complain.

Quality issues like this are a large driver for customer churn, so visualizing and remediating the attack quickly is of utmost importance.

These are some of the principles that can help prepare us for the next level of battle with the ever-imaginative hacker communities. The costs of DDoS attacks are many. Make sure you’re fully prepared with a multi-dimensional, holistic approach to security.


Device manufacturers can no longer afford to take a back seat when it comes to IoT security.

The use of Internet of Things (IoT) technology is growing rapidly as more consumers and businesses recognise the benefits offered by smart devices. The range of IoT hardware available is huge, including everything from smart doorbells and connected kettles to children’s toys. What’s more, this is not only limited to smart home tech for consumers. IoT sensors are being increasingly used by businesses of all sizes across numerous industries including healthcare and manufacturing. However, despite its life-enhancing and cost-saving benefits, the IoT is a security minefield. So, is it even possible to secure the IoT?

This was one of the themes discussed at this year’s Mobile World Congress (MWC). IoT technology featured heavily at the trade show, with connected items ranging from a passenger drone to the next generation of smart city technology, and IoT security taking centre stage. One session focused on how blockchain might help to secure IoT devices in the future. Best known as the backbone of cryptocurrency Bitcoin, blockchain is a shared ledger where data is automatically stored across multiple locations. The indisputable digital paper trail makes it ideal for financial applications, but it could also be applied to IoT.

IoT devices increase the amount of entry points into a home or business network, which in turn could give hackers access to devices such as computers that contain sensitive data. Using blockchain technology could reduce the risk of IoT devices being put at risk by a security breach at a single point. By getting rid of a central authority in IoT networks, blockchain would enable device networks to validate and protect themselves. For example, devices in a common group could potentially stop or alert the user if asked to carry out tasks that appear unusual, such as being commandeered by hackers to carry out Distributed Denial of Service (DDoS) attacks.

IoT security and drones

Also highlighted at MWC was the importance of securing IoT technology for use by drones. Drone technology is a rapidly emerging sector within IoT and the risk of hacking could not only cause a data breach, it could also pose a major risk to public safety. Thanks to their versatile application and access to real-time data, commercial drones are used across a wide variety of sectors including agriculture, military, construction and have even been used to deliver packages, while consumer drones have also grown in popularity in recent years. However, as with many IoT devices, security is often an afterthought leaving many drones vulnerable to hackers.

If a drone’s own telemetry data is accessed, hackers could take control of it while in the air. This could place people in physical danger if the drone was purposely crashed or hijacked to carry harmful substances such as explosives or chemical agents. A hacked drone could also be used for spying through on-board cameras, or malware could be installed enabling hackers to strip out sensitive data collected by the drone, including pictures and video.

While there is an increasing amount of drone legislation being introduced, much of the focus is on air space and where drones are allowed to fly. However, the importance of securing the network that drones submit data on should not be underestimated.

Why is securing IoT technology such a big challenge?

Securing IoT devices is challenging for a number of reasons. A rapidly increasing number of gadgets are being turned into smart devices and as manufacturers roll out new products more quickly, little priority is given to security. Eventually we could see almost every home device connected to the Internet, not necessarily with any consumer benefit but instead geared towards data collection, which is incredibly valuable for manufacturers. A lack of awareness among consumers and businesses is also a major obstacle to security, with the convenience and cost-saving benefits of IoT tech appearing to outweigh the potential risks.

Another challenge is securing not only the IoT devices but also the networks over which their data is transferred. In the past, businesses haven’t always focused on building end-to-end security into the network. This is set to change as attitudes evolve, with 46 per cent of organisations ranking ‘securing IoT within the organisation’ as a high priority for 2018, according to the Hiscox Cyber Readiness Report.

What happens next?

So, is it really impossible to secure the Internet of Things? While it’s certainly a challenge, the industry is developing new ways to protect IoT devices from increasingly sophisticated hackers, and there will be significant opportunities for those working in the IoT security space. Blockchain may well be part of the solution, though a group effort will be needed to ensure that IoT technology evolves in a way that is both beneficial to consumers and businesses and secure from hackers.

Education is also key and makers of IoT devices, ISPs and the government must play a vital role in boosting awareness of IoT security among consumers and businesses. At a government level, it may also be necessary to provide education to boost the digital literacy of policymakers. More regulation and standardisation is needed to ensure that IoT devices adhere to a certain level of security, while manufacturers must develop clear privacy policies for their IoT devices and ensure that consumers know how to adjust the security settings. Even simple steps such as not setting default passcodes as ‘0000’ or ‘1234’ could help keep devices more secure in the future.

While security has too often taken a back seat in the development of IoT technology, manufacturers must begin to build protection into their devices. Network providers can also help address the IoT security threat by creating end-to-end infrastructure that meets industry-wide standards. Providers that offer a secure network will have a competitive advantage in the long run.


“White hat” hackers and cyber-cops fight crime in Taiwan’s heavily attacked cyberspace.

Cybercrime is a growing problem in Taiwan and around the world, cybersecurity experts and law enforcement officers agree.

“It’s absolutely on the rise because everything is connected to the internet – you can shop online, can do anything,” says Wu Fu-mei, acting director of the Information and Communications Security Division within the Ministry of Justice Investigation Bureau. Along with network and mobile devices, the proliferation of connected IoT (internet of things) devices has created a vastly expanded pool of potential targets, many of which are only lightly protected from infection.

Incidences of software supply chains being infected with malware rose 200% last year, while targeted attacks were up 10% and mobile malware rose by 54% in 2017 in annual comparisons, according to global cybersecurity firm Symantec. The company notes that ransomware, in which an organization’s data is infected and encrypted by a hacker – to be decrypted only after payment of a ransom – has become so routine that the average amount of ransom demanded has dropped to only US$522 in 2017, less than half the 2016 average.

The Dark Web and the sudden rise of cryptocurrencies are key enablers of cybercrime. The Dark Web, that part of the internet accessible only through encrypted browsers such as TOR, provides criminals with an untraceable space for conducting illicit business ranging from hiring killers to obtaining illegal drugs – and buying and selling personal data stolen in data breaches. These transactions are now mostly done in Bitcoin or other cryptocurrencies, which use transparent blockchain technology but are anonymous.

“Both the Dark Web and digital currency are very difficult to trace,” notes MJIB’s Wu. “When we are investigating crimes we need to find two things: the cash flow and the information flow. The use of digital currency can hide the cash flow, and use of the Dark Web can hide the information flow.”

She adds that the relative ease and safety of cybercrime contributes to its appeal. “It’s a fairly easy way of doing crime. You don’t have to invest a lot, and you can commit a lot of crime by just sitting at a desk,” she says.

To cybersecurity experts, Taiwan’s digital landscape is a dystopian cyber-wilderness where malware bots hunt; hackers blackmail, rob, and vandalize; and our connected devices are able to be possessed by viruses and turn against us.

Shaking the doorknob

Taiwan receives tens of millions of attacks every month, most of them little more than “shaking the doorknob” to see if somebody forgot to secure an entry point. Many full-on attacks also occur that have resulted in massive data breaches and ransom payments. A lack of basic password protection on the part of an alarming number of firms and individuals means that hackers need not bother searching for back doors when the front door is wide open for intrusion and infestation.

Once inside, the malware takes increasing control over the device or server, often without impacting its usual functions. Cases of IP cameras that continue to record video even after being turned off and IoT household appliances recruited into a virtual army for distributed denial of service (DDOS) attacks at the behest of unseen masters have been widely reported in the media.

Doing battle against these hidden attackers is Taiwan’s army of “white hat” hackers in both the government cybersecurity agencies and the private sector. “It’s like a war,” says Allen Own, co-founder and CEO of cybersecurity consulting startup Devcore. “And there is an information disparity. The attackers always know more than the enterprise.”

Malware bots are endlessly scanning the internet for system and device vulnerabilities, and even the smallest lapse in password protection, coding, or design can result in a wholesale invasion. “Security is decided by the least secured links, which are everywhere,” says Steven Chen, CEO and co-founder of PFP Cybersecurity startup in Silicon Valley which has entered the Taiwan market.

Cybersecurity systems and technologies have advanced to the point that firewall, APT (Advanced Persistent Threats) deterrence, and other cybersecurity defense systems are now capable of fending off even the most sophisticated hacks. What is generally behind successful cyber-attacks is the weak link of the human factor. Symantec says that 71 % of successful hacks are due to phishing, in which people open up a bogus email that exposes their computer and thus their organization’s servers to infestation. Phishing attacks have brought down even the most internet-savvy people.

According to Hans Barre of Silicon Valley-based digital and social cybersecurity firm RiskIQ, corporate executives and brands from Taiwan and around the world are at huge risk of being “counterfeited.” An individual or organization may set up a profile on LinkedIn, for example, purporting to be a company executive. When this fraudulent identity makes contact with other industry professionals, they are easily fooled into exchanging emails and inviting the hacker right into their corporate networks, exposing all of their private data to theft.

Devcore deals with human error of a different kind, often involving website developers and programmers who make sloppy or inadvertent errors in their product, leaving them exposed to hackers. When programmers code websites with languages such as Java, PHP, or Ruby, mistakes or carelessness in the code might leave the site vulnerable to infection. Such errors can expose the site or other SQL (Structured Query Language) databases to infection, allowing hackers to access databases and basically wreak havoc on the system.

“These mistakes are the fault of the developer,” Own notes, adding that although he and the other 12 consultants at Devcore “might not be as good in these programming languages as actual developers are, “we are good in finding vulnerabilities.”

Devcore’s assignment is to act as the Red Team hackers, a term borrowed from military jargon used in war games, where the Red Team plays the role of attacker, while the Blue Team plays defense. Own’s team hacks the client’s website searching for vulnerabilities, which they usually find not in the main websites, but in developer-created websites that the company might not even be aware of.

Often website developers make a second website that mirrors the main site and is used as a practice and work site for future development. However, the second site is generally not protected as well as the first one, and can be a major point of system infection.

“The enterprise will defend the most important website that they own but the hackers will attack their other, less well-protected sites – the security level is lower,” explains Own. “They know that they have several websites but they don’t know which ones are vulnerable. But we know every website that they have, even if the company itself doesn’t know.”

Own says that along with his role operating his company, he has also been one of the organizers of HITCON – the “Hacks in Taiwan” conference – for 14 years. The main purpose of the conference is to “teach the government and enterprise what security is, and how to keep your website secure.” This year’s HITCON is scheduled for July 27-28 at the Taipei Nankang Exhibition Center.

Benson Wu, co-founder of Taiwanese cybersecurity startup CyCarrier Security, aims to solve the problem of human error by removing humans from the security system as far as possible, relying instead on Artificial Intelligence (AI) for monitoring. He notes that even top-line cybersecurity platforms are only as good as their operators, with most requiring well-trained staff. “But the reality is that you often can’t find such experts because that talent is already working directly in the cybersecurity industry,” he says.

Industry insiders say that AI and Machine Learning (ML) are already being deployed on both sides of the cybercrime battle. Wu says that his company’s system never gets tired, never misses a warning, and can reduce the time for discovery of a system breach from months to a matter of days. As such efficiency doesn’t come cheap, Wu says CyCarrier Security is targeting only the top-tier companies in Taiwan and abroad that have the money and awareness to pay for a top-line cybersecurity platform. He adds that he doesn’t need to do much of sales pitch. He simply sets up the platform to evaluate how many times and for how long the company has been breached. “They sign up right away after they see the results,” he says.

Threats against Taiwan are usually attributed to China, but recent experience shows that is not always true, including the heists of First Bank by Russian hackers and the Far Eastern Bank by the North Korean-linked Lazarus gang. Taiwan produces its own home-grown hackers as well, as a recent case cited by the MJIB cybercrimes unit attests.

In that case, securities firms were threatened with a DDOS attack if they didn’t pay a ransom in Bitcoin to the hacker. “Most companies paid the ransom, but one did not and his whole computer system was hacked and paralyzed,” says MJIB’s Wu. The MJIB was called in and traced the hacker through the email that he had sent to the company. The culprit turned out to be a 20-year-old Taiwanese who told investigators that he had pulled off similar attacks numerous times, but had already spent the money he gained. He now faces up to five years in prison.

With the threat of cyberattacks now being taken more seriously in Taiwan, demand for cybersecurity talent is increasing and salaries are rising accordingly. But Taiwan’s cybersecurity professionals are also fervently committed to the cause.

“Making money is necessary, but doing business is not my only concern,” says Devcore’s Own. “My company and I are passionate about cybersecurity in Taiwan.”