Distributed Denial of Service (DDoS) attacks are back in the news; it seems that barely a month goes by without media reports of a website or service being brought down by a DDoS attack. Sony’s PlayStation Network again became the victim of such an attack recently, while hacking group Anonymous is on a disabling offensive of extremist websites.

DDoS attacks can come in a variety of shapes and sizes. However, the aim of a DDoS attack is always the same: to saturate a server with so many requests that it simply cannot cope, leaving legitimate users unable to connect.

Attackers will sometimes use their own network of computers to launch DDoS attacks, but what is now more common is for them to use a network of PCs across the world that have been infected with malware that is capable of joining in a DDoS attack without the owner’s knowledge.

We’ve written before about the easy availability of DDoS attack kits, which anyone can download and use to launch their own attacks.

DDoS attacks were one of the primary methods used by Anonymous and LulzSec to tackle their victims: the Vatican, the Church of Scientology, the Australian government were all hit, as were Amazon, PayPal, MasterCard and Visa in response to their perceived lack of support for whistleblowing website WikiLeaks.

Some of these big name companies could perhaps have predicted a DDoS attack was on its way; taking a stance against Anonymous would often leave a company in its firing line. In fact, Anonymous often warned targets that an attack was imminent.

But for many other businesses, predicting a DDoS attack is difficult, and the results can be disastrous: loss of revenue-generating applications as well as reputational damage can negatively impact a business for years.

Why would a company be a target for DDoS attacks? Hacktivism is certainly one reason, and competition with rival businesses is another. But beyond that, it is tough to establish whether a business is at risk and, if so, from whom. With the exception of the aforementioned Anonymous messages, DDoS attacks can start without warning.

So while predicting an attack may be difficult, protecting against one is less so. There are ways a company can keep its applications, services and even its whole network online without stopping legitimate traffic. A sophisticated firewall manager, application security manager and local traffic manager combined provide the protection needed to mitigate DDoS attacks, from blocking attack traffic to re-routing legitimate requests to ensure uptime.

Analysis is also key: understanding who is attacking you, as well as how and why, can help prevent an attack from causing too much damage and can help protect against future attacks.

Establishing which layer is being attacked (application, network or session, for example) will help a company know where to focus its resources, and intelligent firewall management will be able to inspect all traffic coming into a network and stop traffic that is coming from a DDoS attack.

Source: http://memeburn.com/2015/01/ddos-dilemmas-how-far-can-you-predict-attacks-and-what-can-be-done/

Companies using web hosting services expect high availability and lightning-fast performance for their online applications. That’s why hosting providers should be concerned about the rapidly growing Distributed Denial of Service (DDoS) threat. Driven by commercial, political and other motives, today’s DDoS attacks use computers distributed across the Internet to clog a network connection or overload server resources until the targeted website becomes unavailable for service.

What makes DDoS attacks particularly thorny for hosting providers is that multiple clients share resources and Internet connections. This means that a DDoS attack preventing users from accessing one hosted site can cause performance degradation and even downtime to other “innocent” sites and services being run out of that same data center.

To learn more about defending your hosting business against harmful DDoS attacks, download this WHIR white paper.

The Financial Impact of a DDoS Attack

The impact of a DDoS attack on an online business is clear: every minute of downtime means a loss of revenue. To quantify this impact, Incapsula commissioned a survey of 270 North American companies of various sizes.

The findings showed that some 45 percent had been hit at least once by a DDoS attack. The average cost of a DDoS attack is $40,000 per hour, while nearly half of all DDoS attacks last between 6 and 24 hours. And that’s just the impact on the targeted business. What about the other hosting clients sharing the gateway that is being flooded by the DDoS attack? Hosting providers have an obligation to them as well.

DDoS Botnets on the Rise

Most DDoS attacks make use of botnets: networks of bots (“zombies”) that can be commanded as a group to launch DDoS attacks. As published in our 2013-2014 DDoS Threat Landscape Report, we recorded an average of 12+ million unique DDoS sessions per week in early 2014, representing a 240 percent increase over the same period in 2013.

DDoS attacks come in two flavors. High-volume network (Layer 3 & 4) attacks, such as SYN floods and DNS amplification, often exceed 200 Gbps. Application (Layer 7) attacks, on the other hand, are much leaner, since even 50-100 requests per second to a resource-heavy asset are enough to overload the typical mid-sized application server.
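The two flavours differ in what a defender can see: a Layer 3/4 flood shows up in network telemetry (flow records, interface counters), whereas the lean Layer 7 flood described above shows up only in the application’s own access logs, as a small number of sources hammering resource-heavy URLs at tens of requests per second. The following added example (not part of the original article) illustrates the Layer 7 case with a detector that reads web-server access log lines, counts requests to assumed heavy endpoints (`/search`, `/report`) per source per second, and flags any source whose peak rate reaches the 50 requests-per-second figure quoted above; the log lines, IP addresses and paths are constructed for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in Common Log Format: one source sends 60 heavy
# requests within a single second, another browses normally (hypothetical).
SAMPLE_LOG = "\n".join(
    ['203.0.113.7 - - [12/Jan/2015:10:00:00 +0000] "GET /search?q=x HTTP/1.1" 200 512'] * 60
    + ['198.51.100.5 - - [12/Jan/2015:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 1024',
       '198.51.100.5 - - [12/Jan/2015:10:00:01 +0000] "GET /search?q=y HTTP/1.1" 200 512'])

# Fields: client address, timestamp, method, path, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
HEAVY_PREFIXES = ("/search", "/report")   # assumed resource-intensive endpoints


def parse(line):
    """Return (source_ip, datetime, path) for a log line, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    src, ts, _method, path, _status = m.groups()
    return src, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), path


def heavy_request_rates(log_text, window_seconds=1):
    """Map each source IP to its peak number of heavy-endpoint requests per window."""
    buckets = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        src, when, path = rec
        if not path.startswith(HEAVY_PREFIXES):
            continue                      # cheap static content is ignored
        bucket = int(when.timestamp()) // window_seconds
        buckets[src][bucket] += 1
    return {src: max(counts.values()) for src, counts in buckets.items()}


def flag_l7_flood_sources(log_text, threshold_rps=50):
    """Sources whose peak heavy-request rate reaches the Layer 7 flood threshold."""
    rates = heavy_request_rates(log_text)
    return sorted(src for src, peak in rates.items() if peak >= threshold_rps)


if __name__ == "__main__":
    print(heavy_request_rates(SAMPLE_LOG))
    print(flag_l7_flood_sources(SAMPLE_LOG))
```

A single-IP rate check like this catches only the simplest case; a distributed Layer 7 flood spreads the same load across many sources, so production detection also tracks the aggregate rate per endpoint and compares it with a baseline.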

Regardless of the flavor, what is common to all types of DDoS attacks is that they are executed via botnets comprised of hijacked devices (computers, servers, etc.). Hackers typically compromise these machines by taking advantage of logic or security vulnerabilities, enabling them to gain full control of these resources for use in DDoS attacks.

Mega Vulnerabilities Help Accelerate Botnet Expansion

During 2014 a number of mega vulnerabilities were discovered. Unlike most vulnerabilities that are specific to a particular OS, browser or software application, this type of vulnerability (e.g., Heartbleed and Poodle) relates to the core Internet infrastructure (e.g., SSL and Linux devices).

Due to the huge number of systems affected worldwide by these vulnerabilities, their appeal to hackers is almost irresistible. Even after these vulnerabilities are patched, persistent hackers are likely to find plenty of under-maintained servers they can exploit. In this way, mega vulnerabilities fuel and accelerate the expansion of malicious botnets.

This new dynamic can be seen in the recent Shellshock mega vulnerability, discovered in Bash (the most common command-line shell used in Linux/Unix systems). Once exploited, this vulnerability allows attackers to completely take over the server, making it an available resource for executing DDoS attacks.

Following Shellshock’s discovery and the release of a patch, Incapsula saw exploit attempts increase from around 400 offending IPs at zero day to over 15,000 four weeks after discovery. Most of these were attempts by hackers to hijack vulnerable Linux and Unix servers.

What to Look for in 2015

The endless chess game between savvy adversaries and security teams will continue in 2015. DDoS attacks will keep growing in size and sophistication, while at the same time more mega vulnerabilities will be discovered by security researchers. The almost inevitable result will be an increase in the exploitation of mega vulnerabilities to build botnets and carry out DDoS attacks.

Similarly, we expect that open website platforms (e.g., Drupal, WordPress, etc.) will also be prime targets for hackers, who can exploit security holes in these platforms to steal data or to launch DDoS attacks as part of a botnet.

While DDoS attacks threaten the core of the hosting business, they also represent a new business opportunity for providers. Most clients need much more than “pure” web hosting – this includes security, storage, backup, etc. By offering them DDoS mitigation services, hosting providers can meet clients’ needs for high availability and performance, while increasing revenues and enhancing their service portfolio.

Source: http://www.thewhir.com/web-hosting-news/web-security-outlook-2015-mega-vulnerabilities-expected-fuel-ddos-attacks

Arbor Networks says that the number and size of DDoS attacks against French websites spiked considerably after 3.7 million people took to the streets to protest against terrorism.

The firm leveraged its Arbor Atlas initiative, which receives anonymised internet traffic and DDoS event data from 330 internet service providers (ISPs) worldwide, to view events in France in the days after the protest, which was in response to the Charlie Hebdo shootings that left 20 people dead.

The magazine was targeted by ISIS sympathisers and others unhappy with the satirical magazine’s ridiculing of Islam, including its depiction of the Prophet Muhammed. The publication also satirised other religions.

Comparing the DDoS attacks between January 3-10 and 11-18, the US security firm found that there were 1,342 unique attacks – an average of 708 attacks a day – during the two-week period.

However, the firm noted in a recent blog post that the number of DDoS attacks after the march rose by 26 percent, with the average DDoS attack size growing by 35 percent. In the eight days prior to the attack, the average size was 1.21 Gbps, but this later increased to 1.64 Gbps.

The vast majority of these DDoS attacks were low-level although the number of attacks larger than 5Gbps did double in the days after the protest. Arbor reports that one attack measured as high as 63.2 Gbps on January 11.

“This is yet another striking example of significant online attacks paralleling real-world geopolitical events,” wrote Arbor’s threat intelligence and response manager Kirk Soluk.

Speaking to SC after it first emerged that ‘thousands’ of French websites were facing cyber-attacks, Corero Network Security CEO Ashley Stephenson said that DDoS attacks were increasingly being used as an attack tool during international conflicts.

“Whatever the motivation – cyber-terrorism, retaliation, religious incitement, radicalisation… It is clear that modern conflicts will be fought in the cyber-world as well as the real world,” he said via email.

“The internet should be better protected against all of these associated cyber-threats. Increasingly we are seeing DDoS used as a tool in and around these conflicts and we should be prepared to institute increased cyber-security to protect this vital resource.”

Last week, Admiral Arnaud Coustilliere, head of cyber-defence at the French military, said that about 19,000 French websites had faced cyber-attacks in the days after the shootings, although one source closely connected with the clean-up operation for some of these sites later told SC that hacking groups from Tunisia, Syria, Morocco, the Middle East and Africa had largely ignored DDoS as an attack vector because such attacks “didn’t work”.

Instead, Gérôme Billois, senior manager of Solucom, said that these groups – also believed to often be ISIS sympathisers – had looked to scan thousands of websites to identify and exploit common WordPress, Joomla and other content management system (CMS) vulnerabilities.

Source: http://www.scmagazineuk.com/french-ddos-attacks-spike-after-terror-protest/article/393796/

It’s impossible to predict when distributed denial of service (DDOS) attacks will hit so companies must take measures to mitigate such an incident.

So says Martin Walshaw, senior engineer at F5 Networks, who notes barely a month goes by without media reports of a Web site or service being brought down by a DDOS attack. Sony’s PlayStation Network again became the victim of such an attack recently, while hacking group Anonymous is on a disabling offensive of extremist Web sites, he says.

According to research conducted by B2B International and Kaspersky Lab, 38% of companies providing online services, such as online shopping and online media, fell victim to DDOS attacks over the past 12 months.

Doros Hadjizenonos, sales manager at Check Point Technologies in SA, says DDOS criminal activity was used to attack the Web sites of various gaming platforms last year. This attack involves many computers continuously requesting certain information from the attacked network until saturation and, therefore, its downfall, Hadjizenonos explains.

Walshaw says DDOS attacks can come in a variety of shapes and sizes. “However, the aim of a DDOS attack is always the same – to saturate a server with so many requests that it simply cannot cope, leaving legitimate users unable to connect.

“Attackers will sometimes use their own network of computers to launch DDOS attacks, but what is now more common is for them to use a network of PCs across the world that have been infected with malware that is capable of joining in a DDOS attack without the owner’s knowledge,” Walshaw explains.

Legitimate traffic

The results of a DDOS attack can be disastrous: loss of revenue-generating applications as well as reputational damage can negatively impact a business for years.

However, Walshaw notes: “There are ways a company can keep its applications, services and even its whole network online without stopping legitimate traffic.”

He believes a sophisticated firewall manager, application security manager and local traffic manager combined provide the protection needed to mitigate DDOS attacks, from blocking attack traffic to re-routing legitimate requests to ensure uptime.

Analysis is also key, says Walshaw, adding understanding who is attacking you, as well as how and why, can help prevent an attack from causing too much damage and protect against future attacks.

Establishing which layer is being attacked (application, network or session, for example) will help a company know where to focus its resources, and intelligent firewall management will be able to inspect all traffic coming into a network and stop traffic that is coming from a DDOS attack, he points out.

Fire drills

According to Neil Campbell, group GM for Dimension Data’s Security Business Unit, IT security ‘fire drills’, supported by executive management and the risk committee should be conducted regularly in organisations in order to understand the appropriate course of action in advance of a security breach.

He believes technologies and services focused on incident response – rather than only incident prevention – should be one of the trends high on the agendas of security professionals in 2015.

“It’s inevitable that security incidents will occur. It’s, therefore, critical that organisations begin to focus on identifying what we call ‘indicators of compromise’, putting a comprehensive incident response plan in place, and performing regular IT security ‘fire drills’,” explains Campbell.

He points out the regular fire drills – or rehearsals – will ensure that, in the event of an incident, IT and management teams are clear about what needs to be done, and the business is less at risk. This includes recovering evidence, identifying and resolving the root cause of the incident (not just the symptoms), and undertaking a forensic investigation.

Source: http://www.itweb.co.za/index.php?option=com_content&view=article&id=140563:DDOS-attacks-prepare-for-the-worst&catid=71

Another teenager has been arrested in the UK, following DDoS attacks on the PlayStation Network and Xbox Live.

Sky News recently reported that a Merseyside, UK, teenager has been arrested in a joint British and US investigation.

The UK’s South East Regional Organised Crime Unit (SEROCU) confirmed that the teenager was arrested on suspicion of unauthorised access to computer material, and was detained for alleged threats to kill.

“We are still at the early stages of the investigation and there is still much work to be done,” said Craig Jones of the SEROCU. “We will continue to work closely with the FBI to identify those who commit offences and hold them to account.”

“This arrest demonstrates that we will pursue those who commit crime with the false perception they are protected within their own homes or hiding behind anonymous online personas,” added Peter Goodman, the Deputy Chief Constable at the Association of Chief Police Officers.

The teenager hasn’t been directly linked to the DDoS attacks on Xbox Live and PlayStation Network over Christmas. This new arrest follows a previous arrest in the UK in early January.

Source: http://stevivor.com/2015/01/another-teenager-arrested-uk-following-christmas-ddos-attacks-psn-xbox-live/