Stop DoS Archive

An Akron man is facing federal charges after he was arrested Thursday morning for allegedly hacking the city of Akron and Akron Police Department websites last year.

According to an FBI spokesperson, 32-year-old James Robinson was charged with knowingly causing the transmission of a program, information, code and command, and intentionally causing damage to a protected computer.

Authorities say Robinson carried out the cyber attacks on Aug. 1, 2017. The distributed denial of service (DDoS) attack overwhelmed both websites and took them down for a period of time.

On the day of the attack, a Twitter user named @AkronPhoenix420 tweeted a link to a YouTube video claiming credit for taking the websites out of service. The tweets included the hashtags #Anonymous and #TangoDown, authorities said.

The video showed a person in a Guy Fawkes mask and the statements “it’s time to teach the law a lesson,” and “Akron PD abuses the law.” The video also stated, “this week the city of Akron experienced system failures on multiple domains including their emergency TCP ports.”

Evidence linked the attack’s point of origin to an internet connection registered to Robinson. Additional evidence showed his phone was associated with the @AkronPhoenix420 Twitter account, police said.

The same Twitter account also claimed responsibility for numerous other DDoS attacks targeted at the Ohio Department of Public Safety, Department of Defense, and others. Police said the characteristics of those attacks had similarities with the one carried out in Akron.

Police executed a search warrant on Robinson’s home on May 9. Inside, they found a Guy Fawkes mask and a cell phone with a cracked screen that was seen in the video. Authorities said Robinson told them he was responsible for the Akron cyber attack as well as the DDoS attacks against the Department of Defense.


A crowdfunding initiative run by Together for Yes has suffered a DDoS attack.

The digital campaigning element of the imminent referendum in Ireland has seen a massive amount of change in a relatively short time.

Only this week did Facebook and Google place curtailments on digital advertising around the referendum, as Google banned all online ads relating to the Eighth Amendment from its platforms, while Facebook restricted advertising to registered Irish organisations and groups. As the online advertisements mention abortion, they would be restricted by Twitter’s existing ad policies.

Crowdfunding site hit

In another twist, a crowdfunding website for the national civil society group campaigning for a Yes vote was hit by a DDoS attack yesterday evening (9 May). The website, hosted by CauseVox, experienced a DDoS attack from within Ireland. It momentarily disrupted service and brought down CauseVox’s security infrastructure. The attack took place at 5.45pm, which would ordinarily have been a peak time for donations, and the website shut down for 30 minutes.

CauseVox also hosts crowdfunding pages for Amnesty International Ireland and Terminations for Medical Reasons – both groups that are campaigning for a Yes vote later in the month. Amnesty Ireland director Colm O’Gorman confirmed its website was down for approximately 45 minutes.

Sarah Monaghan, Together for Yes spokesperson, said: “We are continuing to investigate this extremely serious incident and are actively consulting security experts in the field to help identify the specific source of the attack, and have made a report to Gardaí.

“Together for Yes is a national grassroots movement which relies on small donations from large numbers of people. Our crowdfund initiative is a core element of the manner in which we resource our campaign and therefore we would take extremely seriously any attempt to undermine it.”

A spokesperson for Amnesty International explained the issue further to “We were informed by CauseVox, the hosting platform, that there was a DDOS attack originating from Ireland. The website was interrupted at 5.45pm for around 45 minutes.

“This is obviously a serious issue, but also an indication of the lengths some will go to try shut down our efforts to counter such misinformation. We will continue our online campaign to counter misinformation across as many platforms as possible.”

The spokesperson noted that CauseVox is a reputable platform and that the site was up and running soon after the initial attack. They added that CauseVox had assured them that steps to mitigate such attacks in future were being taken. The incident is still under investigation.

DDoS explained

A DDoS (distributed denial of service) attack’s main aim is to make a target website, machine or network resource unavailable.

Usually, this type of cyberattack is accomplished by drowning a system (a server, for example) with data requests. This can then cause the website to crash. A database could also be hit with a massive volume of queries. In this particular case, the result is an overwhelmed website.

Impact from DDoS attacks can vary from mild disruption to total denial of service to entire websites, apps or even businesses.

DDoS attacks have grown exponentially in scale, and occur quite often in the cybercrime world. In the 1990s, a DDoS incident would have typically involved 150 requests per second, but attacks these days can exceed 1,000Gbps.

The Mirai botnet is a prime example of a modern DDoS attack. A massive attack also occurred on GitHub earlier in 2018, using a new technique called ‘memcaching’.

Updated, 4.28pm, 10 May 2018: This article was updated to include comments from an Amnesty International spokesperson.

Updated, 6.21pm, 10 May 2018: A correction has been made to clarify that individual websites hosted by CauseVox, and not the entire platform, were affected by this attack.


CANADIAN cybersecurity company DOSarrest has released a new service which allows organizations to test their systems’ resilience against distributed denial of service attacks.

The Cyber Attack Preparation Platform (CAPP) allows anyone to choose from a variety of options which specify the attack type, velocity, duration, and vector. The service is paid for according to the options chosen, and can be used by anyone – previously, only DOSarrest’s clients had access to this type of facility.

The attacking machines are distributed across the world and employ a variety of methods, thus accurately emulating an attack “in the wild.”

The company’s literature states that in some cases, larger hosts (such as cloud provider services like AWS or Google Cloud) simply scale up their hosted sites’ provisions in order to mitigate an attack: in short, when the going gets tough, the tough throw resources.

However, this style of mitigation can cost companies large sums of money if they are funding their cloud computing activities on the basis of pay-as-you-use.

Users of DOSarrest’s service can choose to pick specific attack types from a range of TCP attacks, plus a focussed range of attacks usually aimed at web services.

DOSarrest’s CTO, Jag Bains commented:

“It’s interesting to see how different systems react to attacks; CAPP not only shows you the traffic to the victim but also shows you the traffic response from the victim. A small attack [on] a target can actually produce a response back that’s 500 times larger […] This is the best tool I’ve seen to fine tune your cybersecurity defenses, if you fail you can make changes and launch the exact same attack again, to see if you can stop the attack.”

The company advises that attacks are chosen carefully as it is plainly possible to bring down an entire enterprise’s systems – by equal measures alarming and reassuring that large attacks can be emulated.

The company provides a handy pricing calculator by which interested parties can scope out what their testing might cost them: a ballpark of $US1,500 might be considered a bare minimum.

Of course, the cost of an attack by unknown actors will be much more, by some significant factor, and DOSarrest’s facility should hopefully go some way in mitigating the chances of such an attack being successful.


We explain why and how you should guard against distributed-denial-of-service incidents.

The distributed-denial-of-service (DDoS) attack landscape is constantly evolving, and is now routinely populated by hacktivists, trolls, extortioners and even used as a distraction from data exfiltration elsewhere on your network.

According to A10 Networks’ DDoS: A Clear and Present Danger report, the average organisation suffers more than 250 hours of DDoS business disruption each year.

Rather than asking if you can afford the cost of dedicated DDoS mitigation, maybe you should be asking if you can afford not to.

And while DDoS attacks still mainly target large or high-profile organisations, small businesses are increasingly being affected. An Akamai study reported a 180% annual increase in the number of DDoS attacks against small organisations.

We explain how to protect against a DDoS attack on the next page, but first, let’s take a look at why you should.

What is a DDoS?

According to the Oxford Dictionary, a Distributed Denial of Service (DDoS) attack is the the “intentional paralysing of a computer network by flooding it with data sent simultaneously from many individual computers”.

While technically true, it is a very basic description of a tactic that has evolved to become one of most complex and efficient threats facing a digital economy. To understand how far it has come, you need to first look back at the roots of DDoS attacks.

A very brief history of DDoS

The methodology we know today as DDoS is widely considered to have first emerged in 1995 during the Net Strike attacks against sites owned by the French government. Attacks had become somewhat automated by 1997, primarily due to the FloodNet tool created by the Electronic Disturbance Theater group.

Following an attack by Anonymous in 2010, the DDoS tactic would be firmly planted on the threat map. Using a tool dubbed the ‘Low Orbit Ion Cannon’, the group was able to successfully flood targeted servers with TCP or UDP packets, facilitated through a point-and-click interface.

Recent attacks

DDoS has since evolved further, with two recent attacks demonstrating the ease at which criminals are able to take down targeted servers.

In October 2016, an 18-year-old allegedly configured his Twitter account and website to contain a redirect link that when clicked would automatically make a 911 call. Emergency services in the towns of Surprise and Peoria, Arizona, as well as the Maricopa County Sheriff’s Office were inundated with fake calls as a result.

Surprise received over 100 calls in the space of a few minutes, while Peoria PD received a “large volume of these repeated 911 hang up calls”, which, given enough data traffic, could have knocked the 911 service offline for the whole of the Maricopa county.

More details of how the attack was actually carried out can be found here.

The second notable incident it the DDoS attack on DNS provider Dyn, which took place at about the same time as the Surprise 911 overload. It’s thought that attack was powered by Mirai, a piece of malware that recruits IoT devices into a botnet.

Dyn said it had observed tens-of-millions of discrete IP addresses associated with Mirai were part of the attack, with an army of 150,000 internet-connected CCTV cameras thought to have been a core part of the botnet.

More details of the Dyn DDoS attack and Mirai can be found here and here.

Who’s doing it and what do they use?

Don’t think that DDoS is a legitimate form of political protest. Impairing the operation of any computer is a crime.

It’s is also used as a smokescreen for other criminal activity, like when TalkTalk had data on four million customers exfiltrated while it was dealing with one.

DDoS is now almost exclusively the territory of botnets-for-hire, no longer populated just by compromised PCs and laptops: the Mirai botnet last year connected together hundreds of thousands of IoT devices to power a DDoS attack. Devices such as routers and even CCTV cameras have default credentials that often don’t get changed by owners, leaving hackers an easy route to infection and control.

A botnet comprising close to 150,000 digital CCTV cameras was thought to be used in the DDoS attack against DNS provider Dyn, an attack that took a swathe of well-known internet services offline.

How do they work again?

DDoS attacks come in many technical guises, and some are more common than others. Nearly all, however, involve flooding to some degree or other. Be it a User Diagram Protocol (UDP), Transmission Control Protocol (TCP) Synchronize (SYN), GET/POST or Ping of Death flood, they all involve sending lots of something that eats up server resources in trying to answer or checking for authenticity.

The more that are sent, the less resource the server has to respond until eventually it collapses under the strain.

What about cost?

That depends if you mean cost to the organisation who has fallen victim, or the perpetrators, of a DDoS attack. Kaspersky Labs reckons the average cost to an organisation is US$106,000 if you take everything from detection through to mitigation and customer churn into account. For small businesses, that figure is still a significant US$52,000.

For the attacker it’s less expensive, with DDoS-for-hire services ranging from US$5 for a few minutes to US$500 for a working day.

The bottom line is if you can’t afford your network, website or other digital channels to go down for any significant period of time, you need to prepare for a DDoS attack.

So how can you best mitigate against a DDoS attack? Here’s what you need to know.

Basic safeguards with your router

Rather than over-provisioning, simple things such as bandwidth buffering can help handle traffic spikes including those associated with DDoS attack and give you time to both recognise the attack and react to it.

This requires getting a business-grade router, if you haven’t already. Then you can put into place other basic safeguards that can gain you a few precious minutes: rate-limiting your router, adding filters to drop obvious spoofed or malformed packets and setting lower drop thresholds for ICMP, SYN and UDP floods. All these will buy you time to try and find help.

Incident response planning

The first thing every organisation should do when suspecting a DDoS attack is confirm it. Once you’ve discounted DNS errors or upstream routing problems, then your security response plan can kick in.

What should be in that response plan? First, you need to put together an incident response team that includes managers and team leaders likely to be affected by an outage, as well as your organisation’s key IT and cyber security people. Only by talking to all the right people can you formulate a comprehensive response plan.

Then contact your ISP, but don’t be surprised if it black-holes your traffic. A DDoS attack costs it money, so null routing packets before they arrive at your servers is often the default option. It may offer to divert your traffic through a third-party scrubber network instead; these filter attack packets and only allow clean traffic to reach you.

Be warned, this is likely to be a more expensive emergency option than had you contracted such a content distribution network (CDN) to monitor traffic patterns and scrub attack traffic on a subscription basis.

Prioritise, sacrifice and survive

Ensure the limited network resources available to you are prioritised – make this is a financially driven exercise as it helps with focus. Sacrifice low-value traffic to keep high-value applications and services alive. Remember that DDoS response plan we mentioned?

This is the kind of thing that should be in it, then these decisions aren’t being taken on the fly and under time pressure. There’s no need to allow equal access to high-value applications – you can whitelist your most trusted partners and remote employees using a VPN to ensure they get priority.

Multi-vector attacks

Multi-vector attacks, such as when a DDoS attack is used to hide a data exfiltration attempt, are notoriously difficult to defend against. It’s all too easy to say that you must prioritise the data protection, but the smokescreen DDoS remains a very real attack on your business.

The motivation behind a DDoS is irrelevant; they should all be dealt with using layered DDoS defences. These can include the use of a CDN to deal with volumetric attacks, with web application firewalls and gateway appliances dealing with the rest. A dedicated DDoS defence specialist will be able to advise on the best mix for you.

DDoS mitigation services

It’s worth considering investing in DDoS mitigation services if your network or digital channels are critical to your business – and particularly if you’re likely to be a target of a DDoS attack (for example, if you’re a well-known business) – or at least knowing about what’s out there, just in case.

One of the biggest and best known is Cloudflare, which has made headlines offering DDoS mitigation services to the likes of Wikileaks as well as working to mitigate wider attacks like the WireX botnet and the 2013 Spamhaus attack.

Cloudflare isn’t the only game in town, though, and many network and application delivery optimisation firms offer DDoS mitigation services.

Other well-known brands include Akamai, F5 networks, Imperva, Arbor Networks and Verisign. Less well known options that are also worth considering include ThousandEyes, Neustar and DOSarrest.

Some of these providers offer so-called emergency coverage, which you can buy when an attack is underway to mitigate the worst of it, while others require a more long-term contract.

If you’re already using other products from any of these companies, you may want to look into adding DDoS protection to your package. Alternatively, if you use another network optimisation firm not mentioned here, it’s worth seeing if it offers DDoS protection and how much it would cost.

As mentioned above, your ISP may also offer some form of DDoS protection, particularly in an emergency, but it’s worth seeing quite how comprehensive this would be beforehand, as well as the processes involved and how much it will cost.

And even if you don’t subscribe to any of these services, knowing who to turn to in an emergency should be part of your response plan.


Sharing economy apps are prime targets for malicious attacks.

The boom of mobile applications has superseded traditional services, revolutionising customer experience as we know it. In Australia, peer-to-peer services are being embraced by millions of consumers. A 2017 report by RateSetter revealed, 65% of Australians used sharing economy services like Uber and Airbnb in the past 6 months, with that set to increase to 75% in the next six months.

With users willing to share personal details and financial information for the benefit of convenience or speed, these apps themselves are now a prime target for malicious attacks. These attacks paralyse services potentially for ransom, or worse, to unleash or amplify Distributed Denial of Service (DDoS) attacks to exploit users’ data.

The very nature of DDoS attacks are changing to reflect the app boom. Old fashioned ‘network-layer’ DDoS attacks (the big bandwidth volumetric ones we read about) are being overtaken by smarter ‘application-layer’ attacks which interject the good application requests with the bad, harder to identify ones.

As sharing economy apps become prime targets for malicious attacks, so do the services they connect to – and digital transformation means that many of those services are now in the cloud, or were born there natively. Big brands that have a huge amount of consumer data like Airbnb or Uber are moving quickly to the cloud. Airbnb migrated almost all of its cloud computing functions to Amazon Web Services (AWS) only after a year of starting and Uber has been in talks with the likes of Google, Microsoft and Amazon.

The underlying danger of DDoS

According to Neustar’s 2017 ‘Worldwide DDoS Attacks and Cyber Insights Research Report’, 84% of organisations surveyed globally were hit by a DDoS attack in the last 12 months, and 86% of these organisations were hit multiple times.

Within the broader spectrum of risks for corporate security and IT decision makers, DDoS attacks present a growing challenge for several reasons. Firstly, the number of vulnerable devices has dramatically increased and so too has the level to which DDoS attacks have become automated and commoditised. Where a connection to the Internet previously required something that was more traditionally like a computer, IoT and cloud convergence have enabled even light bulbs to be connected to a network – providing an increased number of sources generating traffic.

Secondly, according to Telstra’s 2017 cybersecurity report, 59% of Australian businesses experienced a DDoS attack on at least a yearly basis, with only 36% reporting a recovery time of within 30 minutes – and that’s a potential 30 minutes of app downtime in an economy where the patience of web and mobile users is measured in seconds.

Security must be embedded in company culture

Large scale DDoS attacks, like the Mirai botnet, gained significant media coverage after successfully impacting sites and services like Amazon, PayPal, Reddit and Twitter. If DDoS can disrupt giants like Amazon, then sharing economy apps like GoGet and Airtasker can become prime targets too, resulting in loss of revenue or customer loyalty.

Organisations should strengthen their stance against all types of attacks and invest in smarter cyber security solutions. An important first step should be to cultivate a culture of cyber security awareness to create on-going conversations across all business units and functions. Anyone who has low awareness of cyber security and does not embrace good digital hygiene can be a weak link.

Most importantly, security assessments must be an integral part of the application development framework, not an afterthought. Having securely coded applications will not only protect critical data at source, but will also enhance customer experiences and their confidence in an organisation.

Ultimately, these simple yet effective measures integrated into every aspect of the organisation will ensure that customer trust is retained and the organisation’s bottom line is protected.

Whilst the sharing economy is a prime target for attacks, with well-designed security infrastructure and best practices in place, we can be confident that it will continue to thrive and users’ personal data will remain secure.