Several Thai government websites have been hit by a suspected distributed-denial-of-service (DDoS) attack, making them impossible to access.

The sites went offline at 22:00 local time (15:00 GMT) on Wednesday. Access was restored by Thursday morning.

It appeared to be a protest against the government’s plan to limit access to sites deemed inappropriate.

Tens of thousands of people have signed a petition against the proposal they call the “Great Firewall of Thailand”.

The name is a reference to the so-called “Great Firewall of China” commonly used to refer to the Chinese government’s censorship over internet content.

‘Inappropriate websites’

A DDoS attack works by exceeding a website’s capacity to handle internet traffic. They are usually orchestrated by a program or bot.

But on Wednesday, calls went out on social media in Thailand encouraging people to visit the websites and repeatedly refresh them.

Among the targets were the site of the ministry of information, communications and technology (ICT) and the main government website

ICT Deputy Permanent Secretary Somsak Khaosuwan said the site did not crash because of an attack but because it was overloaded by visitors checking to see whether and attack was happening, the Bangkok Post reports.

‘Single gateway’

Since seizing power, the Thai military government has increased censorship, blocked websites and criminally charged critics for comments made online.

News it was planning to set up a single government-controlled gateway as a “tool to control inappropriate websites and information flows from other countries” emerged last month.

Internet gateways are the point at which countries connect to the world wide web.

Analysis: Jonathan Head, BBC News, Bangkok

What are Thais angry about?

The cabinet had ordered a single gateway to be imposed in order to block “inappropriate websites” and control the flow of information from overseas. That the decision, made at a cabinet meeting on 30 June, was kept secret has caused more alarm.

Why does the government want a single gateway?

A statement by Minister for Information Uttama Savanayana that the decision was not yet final, and that the single gateway was only intended to reduce the cost of internet access. This was met with disbelief by many Thais, and then the shutdown of government websites.

Will the DDoS have any impact?

Thai netizens insist this is not an attack, but a form of civil disobedience. The military may still push ahead with its firewall, whatever the opposition. The need for control, as it confronts the task of managing a sensitive royal succession, will probably trump any concerns it may have for the digital economy.

Thailand used to have just a single gateway but slow internet speeds led to the liberalisation of the industry and today there are 10, operated by private and state-owned companies.

The apparent attack renewed the vibrant debate over the single gateway plan on social media, with many users declaring the end of privacy.

“Thailand is developing. Thailand is developing into North Korea,” one Twitter user said.

“I personally & professionally support free flow of information & fair competition on ICTs,” said Supinya Klangnarong from the National Broadcasting and Telecommunication Commissions (NBTC) on Facebook.

“Hope NBTC’s website won’t be attacked tonight. An open debate is definitely better than a cyber warfare. Voices of reason shall be heard.”


Distributed denial-of-service (DDoS) attacks have become a popular and inexpensive form of cyber attack. Malicious actors can buy cheap DDoS kits online or hire others to do their dirty work. When we see reports about DDoS in the news, they are usually referring to large-scale network attacks that are focused on Layers 3 and 4 of the network stack. From a mitigation point of view, network-layer attacks are unsophisticated. The ability to mitigate this type of attack always comes down to a simple question: who has more network capacity, the attacker or the mitigation service?

But there is another type of DDoS out there, and it’s a horse of a very different color. It’s called an application-layer DDoS attack, sometimes referred to as a “Layer 7” DDoS attack. This type of network assault is difficult to detect and even more difficult to defend against. It’s the kind of attack that can go unnoticed until not only your website is down, but several back-end systems are as well, leading to the panicked call that every CTO dreads.

Because your website along with the supporting systems, applications and so on are exposed to the outside world, they are ripe targets for more-sophisticated attacks designed to either exploit uncorrected flaws or the way the various systems work. As application development continues to move to the cloud, this attack will continue to be difficult to defend against. When trying to protect your network from these stealthy and complex methods, success depends not on how big you are, but rather how smart your security technology is and how well you can employ it.

Run Silent, Run Deep

Rather than relying on the brawn of network capacity, effective mitigation of the Layer 7 DDoS attack relies on the ability to accurately profile incoming traffic: to distinguish between humans, human-like bots and hijacked web browsers and connected devices, such as home routers. As a result, the Layer 7 mitigation process is often much more complex than the attack itself. This complexity, combined with the fact that—if done right—the attack will remain transparent, contributes to the lack of headlines on this subject. The security industry in general prefers to talk in terms of network capacity, which of course says nothing about your resilience against application-layer attacks.

The typical attacks that focus on Layers 3 and 4 overwhelm specific functions or features of a website with the intention of disabling them. An application-layer attack is different because many vulnerabilities that exist in the proprietary code of web applications are unknown to existing security-defense solutions.

The new normal in application development is the cloud and pervasive cloud-based platforms. Though a boon in many ways, they have increased the attack surface for many organizations. To defend against the ever-changing DDoS landscape, developers need to integrate security measures while in the application’s development phase.

They can get educated on some of the current web threats by reading “Top Ten Most Critical Web Application Security Risks” by the Open Web Application Security Project (OWASP). Although the report outlines 10 of the most prevalent application-layer risks, this information is only released every three years. In the meantime, new and more-sophisticated attack methods are being perpetrated at an alarming rate. Until developers ingrain security solutions into their products, it will be up to security teams to be ever vigilant by implementing solutions that are designed to identify anomalous behavior in the network on ingress.

The Multipurpose Threat

The application layer can be targeted in an even more sinister way than mere disruption of the network. It was reported earlier this year that attackers are employing methods that are short in duration but are large in traffic volume. Hackers employ these methods for a variety of reasons. Shopping (e-commerce) websites, for example, are particularly prone to this type of attack, in which paying customers are blocked at the last minute, forcing them to abandon their purchase.

Another less obvious but more nefarious use of Layer 7 attacks is to identify the vulnerability of a network’s resources, such as how much memory or bandwidth there is, to determine the amount of traffic that will be needed to flood the network. Once determined, the hackers will use a volumetric attack to distract IT personnel while accessing the application layer from the back end. This type of attack typically will have been preceded by the injection of malware or the identification of a security flaw that allows the attacker to gain a measure of control.

What IT security teams need to be able to do is determine whether or not incoming traffic is legitimate. In other words, what is a bot and what is a customer? Advanced security tools will be needed to execute this type of protection.

Mitigation: A Four-Step Process

In light of the serious potential consequences of Layer 7 attacks, IT-security professionals and software developers should follow these recommendations:

  1. Learn about the latest threats. Get to know the web-application security risks that have already been identified. The OWASP Top 10 web-application security risks list is a great start.
  2. Check content and security policies. Can your company’s current strategy protect critical data assets from DDoS attacks? Is it current? Are you meeting compliance regulations? Are all company divisions involved? Remember, representation from business, IT and security should all be a part of the software-development life cycle.
  3. Get expert insights. Learn from industry experts. Whether it’s a solution provider or an analyst firm, look to the professional to learn what best practices are recommended in today’s threat environment and develop a mitigation plan that accounts for all threats, including the hard-to-spot Layer 7 DDoS attack.
  4. Secure the network from within. This task will require appliances that are custom built to detect and mitigate application-layer (Layer 7) attacks intelligently and quickly. Such protection is available as a feature of other network/security appliances, but complete protection requires custom-built anti-DDoS appliances.

Application-layer attacks are sophisticated and effective, which means that cyber thugs will continue to launch them. While you go about your daily security duties, a Layer 7 attack is slowly eating up network resources or testing your bandwidth for a later exfiltration assault. Though these attacks are hard to detect, IT-security personnel are not defenseless. Educate yourself on the latest threats and use a combination of policies and security appliances to create a comprehensive security strategy.


Low-level persistent DDoS masks the real attack, warns report

Cybercriminals are using low-level DDoS attacks to mask malware injections, according to a report from information security services firm Neustar.

Half of the 800 executives surveyed for the report, titled North America and EMEA: The Continual Threat to Digital Brands for 2015, said they had suffered a DDoS attack in 2014 and early 2015, of which 80 per cent said they had suffered multiple attacks.

While 60 per cent of DDoS attacks still use heavy traffic to try and knock websites offline, 40 per cent are relatively small, at less than 5 Gbps, according to the report.

A total 36 per cent of executives surveyed said that, following a DDoS attack, they found malware installed in their systems. In the financial services sector, this rose to 54 per cent experiencing a DDoS of 4Gbps or less in strength and 43 per cent of all DDoS attacks leaving behind malware.

The results also show that companies in EMEA seem to be at greater risk both of DDoS attacks and subsequent malware injections. Of the almost 300 EMEA executives surveyes, 80 per cent said they had suffered a DDoS attack, of which 92 per cent reported a coinciding breach. Of that 92 per cent, two thirds experienced theft.

“These results really point to targeted attacks targeting a specific organisation for a specific purpose,” Margee Abrams, director of security services product marketing at Neustar told IT Pro.

Abrams said this also represents a particular, and recent, change of tactics.

“At the beginning of 2014, when we first did the report, we saw larger volumes of data in DDoS attacks and they would take the devices offline. Now what we’re seeing is, with these smaller volumes, they can keep the devices online so that they can do other things – they don’t want to totally saturate the device,” she said.

Mitigating an attack involves more than just the IT team as well, now.

“When a DDoS attack occurs, everyone, including the communications, marketing, risk and compliance teams are all mobilised, as well as IT, to mitigate it,” said Abrams. This is, potentially, in recognition of the brand damage an attack of this kind can do.

Businesses are continuing to fight back against the attackers at a technical level as well, though, with 73 per cent of those surveyed saying they are investing more in DDoS-specific protection and 46 per cent in hybrid technologies and counter-measures, which use both on-premise and cloud-based DDoS mitigation technologies to overcome attacks.


Enterprises in Canada and the U.S. are increasingly being targeted by new distributed denial of service attacks from a Bitcoin extortionist group dubbed DD4BC, according to a new report from Akamai Technologies.

“The latest attacks – focused primarily on the financial service industry – involved new strategies and tactics intended to harass, extort and ultimately embarrass the victim publically,” Stuart Scholly, the content delivery provider’s senior vice-president and general manager of its security division, said in a statement.

No victim organizations were named.

Some attacks have been measured at up to 50 Gigabits per second.  Typically the group uses use of multi-vector DDoS attack campaigns, revisiting former targets and also incorporating Layer 7 DDoS in multi-vector attacks, specifically concentrating on the WordPress pingback vulnerability, the report says. This vulnerability is exploited to repeatedly send reflected GET requests to the target to overload the website. Akamai said its researchers have seen this attack method incorporated into DDoS booter suite frameworks.

Akamai has been tracking the group since some customers were targeted 12 months ago. Since April it identified 114 DD4BC attacks alone, including more aggressive measures that target brand reputation through social media.

The attacks initially started against organizations in North America and Asia, then shifted to Europe before focussing on companies in Korea, China, Australia, and New Zealand for a period.

But more recently the past year the group expanded its extortion and DDoS campaigns to target a wider array of business sectors – including financial services, media and entertainment, online gaming and retailers, the report says.  An attack start with an e-mail to a target that a low-level DDoS attack will be launched against the organization’s website. After that attack there is demand to pay Bitcoin within 24 hours to protect the company from a larger DDoS attack that would make its website inaccessible.

A typical recent email has the cheek to introduce the group to the victim by including a link to an April post by Akamai describing DD4BC

Akamai has seen initial demand requests averaging 10-20 bitcoin (the exchange rate is about US$230 per bitcoin), although it has been as much as 100 bitcoins.

To protect enterprises Akamai recommends CISOs deploy anomaly- and signature-based DDoS detection methods to identify attacks before a website becomes unavailable to users, distribute resources to increase resiliency and avoid single points of failure due to an attack and to implement Layer 7 DDoS mitigation appliances on the network in strategic locations to reduce the threat for critical application servers.

Bad news for CISOs: Akamai believes copycats will adopt DD4BC’s strategies.


His lawyers claim that their client was only on the “periphery” of a conspiracy to take down UK government and FBI sites, but a UK teen who didn’t mind boasting online about those crimes now faces the possibility of jail time.

Charlton Floate, 19, of Solihull, England, already admitted to three counts of computer misuse under the Computer Misuse Act and three counts of possessing prohibited images at Birmingham Crown Court.

The attacks took place in January 2013, when Floate and a team of other cyber criminals crippled government sites with deluges of digital traffic sent from malware-infected computers.

Such computers are often called zombie computers, and they’re widely used in botnets to gang up on sites with what’s known as a distributed denial of service (DDoS) attack.

The gang managed to knock out the UK’s Home Office site – a heavily used site that provides information on passports and immigration among other things – for 83 minutes. The group also took down an FBI site – that allowed users to report crime – for over five hours.

The prosecutor, Kevin Barry, reportedly said that in November 2012, Floate carried out two test runs, remotely attacking the computers of two men in the US.

Floate uploaded a sexually explicit video to YouTube to “mock and shame” one of his victims, and he “taunted” the other victim about having control of his computer.

Modest, he was not – Floate also reportedly bragged about the government site attacks on Twitter and on a forum frequented by hackers.

Judicial officer John Steel QC rejected Floate’s legal team’s contention that he was on the “periphery” of the cyber gang, saying that evidence pointed to his actually being central to the crimes, including organizing the attacks.

He said Floate was “clearly a highly intelligent young man”, who had become an expert in computer marketing, had written a book on the subject, and succeeded in taking down an website – what he called the “Holy Grail” of computer crime:

A successful attack on the website is regarded by hackers as the Holy Grail of hacking. It was this which he attempted and, indeed, achieved.

He was the person who instituted such attacks and assembled the tools and personnel for doing so.

The Holy Grail it may be but in this case I beg to differ about how successful Floate was in getting his hands on it.

A DDoS attack isn’t a form of sophisticated lock picking, it’s just a noisy way to board the door shut from the outside.

Floate may well be bright but he stumbled once, and that’s all that investigators needed. Namely, he used his own IP address – he worked out of his mother’s home – to check up on how the attacks had gone.

Police traced the address to Floate’s mother’s home, where they seized Floate’s computer and mobile phone.

They also found evidence that he’d tried to recruit others into the gang and that he’d discussed possible weaknesses in certain websites as well as potential future targets – including the CIA and The White House.

Sentencing was adjourned until 16 October, pending a psychiatric report. Floate is currently remanded on conditional bail.

Steel said he hadn’t yet made up his mind about sentencing but added there’s “clearly potential for an immediate custodial sentence” and that Floate “should be mentally prepared for it.’