Back in July, domain name registrar giant Network Solutions experienced a significant Distributed Denial of Service (DDoS) attack. As I noted at the time, given that this was the second time in recent months they had been a target, and given that they are such an inviting one because of the critical place they occupy in how the Internet functions, they seemed ill-prepared. This included a lack of preparation before the attack to ensure rapid remediation, a lack of transparency during the attack in terms of keeping customers informed, and what appeared to be an inability to learn from their mistakes in anticipation of the continued probing that had to be assumed from those with malicious intent.

Unfortunately, if you are not painfully aware already, it should come as no surprise that Network Solutions is once again experiencing problems. As baseball sage Yogi Berra is famously quoted as saying, “It's déjà vu all over again!”

First, let's go to the company's Twitter hashtag, #netsol.

Let's just say frustration abounds, now that we appear to be roughly in hour three of the as-yet-unidentified problem.

I think one tweet from the website I like when there are such problems kind of says it all.

In fact, here is the latest from

Worst of all, and this is what is so disturbing, is the current view from the company's own pages. To save you a visit and the disappointment: there is NOTHING there to indicate there is a problem. In fact, indulge yourself in a little exercise: go to Twitter #netsol again and click the other links for getting company info. It might compel you to send a few words.

It appears that things are getting back to normal for most if not all Network Solutions customers, and that is a good thing. What is not so good, and I am trying hard to give the company the benefit of the doubt given that they are dealing with this in real time and may not have a complete view of why the outage occurred, is the continued lack of customer engagement.

This is really getting repetitive, and management should take a good hard look in the mirror and ask whether they would put up with such behavior from a “trusted” vendor.


As King Henry V intones in his famous “Cry God for Harry, England, and Saint George!” speech in William Shakespeare's Henry V, Act III (penned in 1598), “Once more unto the breach!”

We will let you know what’s known about the outage once there is clarity. Hopefully, that will be sooner rather than later.


“Headless” browsers pummeled a trading platform’s website this past week in a rare form of distributed denial-of-service (DDoS) attack that lasted for 150 hours.

The attack employed some 180,000 IP addresses — and as of today continues to rebound in smaller pockets — according to cloud-based DDoS mitigation service provider Incapsula, which discovered and mitigated the massive attack for its customer.

The company declined to name the targeted organization, only saying it was a trading platform and that the attackers were likely motivated for competitive reasons. “The order of magnitude was significant,” says Marc Gaffan, co-founder of Incapsula. “No one has 180,000 IPs at their disposal unless it’s an amalgamation of separate botnets they are using interchangeably. This was a sophisticated and thought-out process.”

DDoS attacks increasingly have moved up the stack to the application layer, mainly for more targeted purposes such as disrupting transactions or access to databases. According to new data from Arbor Networks, DDoS attacks in general are getting more powerful but their duration is declining: the average DDoS attack size so far this year is 2.64 Gbps, an increase of 78 percent from 2012, and some 87 percent of attacks last less than one hour.

That makes the recent headless browser attack even more unusual, given that its duration was so long. “That’s pretty long. Obviously, someone was upset at them,” says Marc Eisenbarth, manager of research for Arbor.

The attack also was unusual in that it employed a version of the PhantomJS headless browser toolkit, which is a Web app developer's tool for testing and simulating user browsing of an application. “This was the first time we saw this technology in a DDoS attack,” Gaffan says. “It mimics human behavior so effectively that it's a challenge for mitigation services to deal with.”

PhantomJS is basically a test tool that uses a bare-bones or “headless” browser – no buttons, address bar, etc. – with an API so programmers can test-run and automate their apps. “They can do a load test to websites simulating browser behavior and run JavaScript and accept cookies,” for example, Gaffan says.

Arbor's Eisenbarth says he rarely sees PhantomJS being abused the way Incapsula has described in this DDoS attack on its customer. “We don't see PhantomJS as much. What we do see are attackers creating hidden IE [Internet Explorer] browsers that actually are full-function browsers and are even more sophisticated at bypassing detection mechanisms,” Eisenbarth says.

The attackers also employed some 861 different variants of the headless browser, and were generating some 700 million hits per day on the targeted website, according to Incapsula. “It’s really an evasion technique. We try to catch what they are doing, and they try to evade us,” Gaffan says. “Our job is to filter out the good guys [legitimate visitors] and let them pass … the site still needs to operate. And then keep the bad traffic out.”
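The numbers above imply a modest per-IP volume (700 million hits a day spread over 180,000 addresses is roughly one request every 20 seconds per address), which is why per-IP rate limiting alone does not catch this kind of client. The following is an added example, not Incapsula's or Arbor's code, of the kind of per-client scoring a defender can run over an ordinary web access log: it looks at request rate, at how regular the spacing between requests is (scripted clients tend to be metronomic), and at whether a single IP rotates through several User-Agent strings. The log lines, IP addresses and thresholds are constructed for the example and would need tuning against real traffic.

```python
"""Heuristics for spotting scripted (headless-browser) clients in a web access log.

Added example, not Incapsula's or Arbor's code. Each source IP is scored on three
signals that a PhantomJS-style bot tends to show and a human rarely does: a high
sustained request rate, near-constant spacing between requests, and one IP cycling
through several User-Agent strings. Log lines and thresholds are constructed for
the example; tune the thresholds against your own traffic before relying on them.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict of fields plus a POSIX timestamp, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["time"], TIME_FMT).timestamp()
    return rec


def client_profiles(lines):
    """Group requests by source IP: sorted timestamps and the set of User-Agents seen."""
    prof = defaultdict(lambda: {"ts": [], "uas": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            prof[rec["ip"]]["ts"].append(rec["ts"])
            prof[rec["ip"]]["uas"].add(rec["ua"])
    for p in prof.values():
        p["ts"].sort()
    return prof


def score_client(p, min_requests=5, max_rate=1.0, max_cv=0.15, max_uas=2):
    """Return the reasons an IP looks scripted; an empty list means it looks human."""
    ts = p["ts"]
    reasons = []
    if len(ts) < min_requests:          # too little data to judge
        return reasons
    span = ts[-1] - ts[0]
    rate = (len(ts) - 1) / span if span > 0 else float("inf")
    if rate > max_rate:
        reasons.append(f"rate {rate:.2f} req/s")
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    mean_gap = statistics.mean(gaps)
    # Coefficient of variation of inter-request gaps: ~0 means a metronome, not a person.
    cv = statistics.pstdev(gaps) / mean_gap if mean_gap > 0 else 0.0
    if cv < max_cv:
        reasons.append(f"metronomic timing (cv={cv:.2f})")
    if len(p["uas"]) > max_uas:
        reasons.append(f"{len(p['uas'])} user-agent variants from one IP")
    return reasons


def flag_bots(lines):
    """Map each suspicious IP to the list of reasons it was flagged."""
    flagged = {}
    for ip, p in client_profiles(lines).items():
        reasons = score_client(p)
        if reasons:
            flagged[ip] = reasons
    return flagged


# --- constructed sample log (not real traffic) ---------------------------------
def _line(ip, secs, ua, path="/"):
    t = datetime(2013, 11, 18, 12, 0, tzinfo=timezone.utc) + timedelta(seconds=secs)
    return (f'{ip} - - [{t.strftime(TIME_FMT)}] "GET {path} HTTP/1.1" 200 1024 '
            f'"http://example.test/" "{ua}"')

_HUMAN_UA = "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 Chrome/30.0 Safari/537.36"
_BOT_UAS = ["Mozilla/5.0 (Windows NT 6.1) Chrome/29.0", "Mozilla/5.0 (Macintosh) Safari/7.0",
            "Mozilla/5.0 (X11; Linux) Firefox/24.0", "Mozilla/5.0 (Windows NT 5.1) MSIE 8.0"]

SAMPLE_LOG = (
    # a person: irregular gaps, one browser
    [_line("203.0.113.10", s, _HUMAN_UA, p) for s, p in
     zip([0, 7, 9, 25, 41, 60], ["/", "/login", "/account", "/quote", "/trade", "/logout"])]
    # a low-and-slow headless client: only 0.5 req/s, but clockwork timing and rotating UAs
    + [_line("198.51.100.7", 2 * i, _BOT_UAS[i % 4], "/quote") for i in range(10)]
    # a noisier client: 3 req/s from a single browser string
    + [_line("198.51.100.8", i // 3, _HUMAN_UA, "/search?q=x") for i in range(12)]
)

if __name__ == "__main__":
    for ip, why in flag_bots(SAMPLE_LOG).items():
        print(ip, "->", "; ".join(why))
```

The point of the low-and-slow client in the sample is that its rate is well under the threshold; it is caught only by the timing regularity and the User-Agent churn, which is the kind of signal a mitigation service has to fall back on when the attacker keeps each source quiet.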

Dan Holden, director of security research at Arbor Networks, says these Layer 7 DDoS attacks take more effort to execute. “There’s got to be something financial” motivating the attackers here, he says. “These are more common when you’ve got very focused and targeted attacks.”

Incapsula's Gaffan says application-layer DDoS attacks are becoming more popular, and often accompany network-layer attacks. “That leaves you scrambling on all fronts,” he says. “An application-layer attack is easier to perpetrate because it requires fewer resources, but you need expertise” to pull it off, he says.

The victim organization’s business in the end suffered little impact since Incapsula was able to mitigate the attack, he says. But the DDoS hasn’t disappeared yet, either: “It started last week, and to some extent, it’s still ongoing,” Gaffan says. “There’s an ongoing process [by the attackers] of updating and changing” the headless browsers in the attack, he says.


Given that Distributed Denial of Service (DDoS) attacks are becoming more frequent, it is a good time to review the basics and how you can fight back.

A DDoS is an attack method used to deny access to legitimate users of an online service. This service could be a bank or e-commerce website, a SaaS application, or any other type of network service. Some attacks even target VoIP infrastructure.

An attacker uses a non-trivial amount of computing resources, either built themselves or, more commonly, assembled by compromising vulnerable PCs around the world, to send bogus traffic to a site. If the attacker sends enough traffic, legitimate users of the site can't be serviced.

For example, if a bank website can handle 10 people a second clicking the Login button, an attacker only has to send 10 fake login requests per second to make it so that no legitimate users can log in. There are a multitude of reasons someone might want to shut a site down: extortion, activism, competitive brand damage, and just plain old boredom.

DDoS attacks vary in both sophistication and size.  An attacker can make a fake request look like random garbage on the network, or more troublesome, make the attack traffic look exactly like real web traffic.  In addition, if the attacker has enough computing resources at their disposal, they can direct enough traffic to overwhelm the target’s bandwidth.

The simplest types of attacks are Layer 3 and 4 attacks (IP and UDP/TCP in the OSI stack).  These simply flood the network and servers such that they can no longer process legitimate network traffic because the attacks have saturated the network connectivity of the target.  A more complex Layer 7 attack “simulates” a real user trying to use a web application by searching for content on the site or clicking the “add to cart” button.
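To make the bank-login arithmetic concrete, and to show why "distributed" is the hard part, here is an added example (not from the original article) that models the scenario above: a site that can complete 10 logins a second, 8 legitimate users each pressing Login once a second, and an attacker sending 50 bogus logins a second either from one machine or spread across 50 bots at one request a second each. A per-source token-bucket limit is then switched on in front of the server. All of these numbers, and the assumption that an overloaded server shares its capacity evenly among the requests that reach it, are simplifications chosen for the example.

```python
"""Capacity model for the bank-login example: who gets served when the attacker
out-shouts legitimate users, and what a per-source rate limit does (and does not) buy.

Added example, not from the original article. Numbers are assumptions: the site
can complete 10 logins/s, 8 legitimate users each press Login once a second, and
the attacker sends 50 bogus logins/s either from one machine or spread across 50
bots at 1 req/s each. The server is modelled as sharing its capacity evenly among
the requests that reach it (a simplification of a real request queue).
"""


class TokenBucket:
    """Classic per-source rate limiter: `rate` tokens/s, at most `burst` stored."""

    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = float(burst), 0.0

    def allow(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def simulate(capacity, clients, per_ip_limit=None, seconds=10):
    """Fraction of legitimate requests served.

    clients: list of (ip, requests_per_second, is_legitimate).
    per_ip_limit: optional requests/s allowed per source before the server is reached.
    """
    buckets = (
        {ip: TokenBucket(per_ip_limit, per_ip_limit) for ip, _, _ in clients}
        if per_ip_limit else None
    )
    legit_sent = legit_served = 0.0
    for t in range(seconds):
        admitted = []  # True for each admitted legitimate request, False for bogus
        for ip, rate, legit in clients:
            for _ in range(rate):
                legit_sent += legit
                if buckets is None or buckets[ip].allow(float(t)):
                    admitted.append(legit)
        # Overloaded server: every admitted request gets the same chance of service.
        share = min(1.0, capacity / len(admitted)) if admitted else 1.0
        legit_served += sum(admitted) * share
    return legit_served / legit_sent if legit_sent else 1.0


LEGIT = [(f"203.0.113.{i}", 1, True) for i in range(1, 9)]
SINGLE_SOURCE = [("198.51.100.1", 50, False)]
DISTRIBUTED = [(f"198.51.100.{i}", 1, False) for i in range(1, 51)]


def scenario_results(capacity=10, per_ip_limit=2):
    """Served fraction of legitimate logins for the four cases the text implies."""
    return {
        "no attack": simulate(capacity, LEGIT),
        "single source, no limit": simulate(capacity, LEGIT + SINGLE_SOURCE),
        "single source, per-IP limit": simulate(capacity, LEGIT + SINGLE_SOURCE, per_ip_limit),
        "distributed, per-IP limit": simulate(capacity, LEGIT + DISTRIBUTED, per_ip_limit),
    }


if __name__ == "__main__":
    for name, frac in scenario_results().items():
        print(f"{name:30s} {frac:6.1%} of legitimate logins served")
```

With the attacker on one address, the per-IP limit restores full service; with the same 50 requests a second spread over 50 addresses that each stay under the limit, the limiter admits everything and legitimate users are back to getting roughly one login in six. That is the gap the rest of this article's mitigation options are trying to fill.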

There are four main types of protection from DDoS attacks:

* Do It Yourself.  This is the simplest and least effective method.  Generally someone writes some Python scripts that try to filter out the bad traffic, or an enterprise tries to use its existing firewalls to block the traffic.  Back in the early 2000s, when attacks were pretty simple, this could work. But these days, attacks are far too large and complex for this type of protection.  A firewall will melt quite quickly under the load of even a trivial attack.

* Specialized On-Premises Equipment. This is similar to “Do It Yourself” in that an enterprise is doing all the work to stop the attack, but instead of relying on scripts or an existing firewall, they purchase and deploy dedicated DDoS mitigation appliances.  These are specialized hardware that sit in an enterprise’s data center in front of the normal servers and routers and are specifically built to detect and filter the malicious traffic.  However, there are some fundamental problems with these devices:

• They are costly CAPEX purchases that may sit around and do nothing until you get attacked.  They also can be expensive to operate.  You need skilled network and security engineers to work these devices – there is no magic “mitigate DDoS” button.

• They must be constantly updated by the operations team to keep up to date with the latest threats.  DDoS tactics change almost daily.  Your team must be prepared to update these devices to the latest threats.

• They can't handle volumetric attacks.  It's unlikely that an enterprise would have enough bandwidth coming in to handle the very large DDoS attacks occurring today. These hardware appliances don't do any good when the attack exceeds network capacity.

* Internet Service Provider (ISP). Some enterprises use their ISP to provide DDoS mitigation.  ISPs have more bandwidth than an enterprise would, which can help with the large volumetric attacks, but there are three key problems with these services as well:

• Lack of core competency: ISPs are in the business of selling bandwidth and don't always invest the capital and resources required to stay ahead of the latest DDoS threats.  It can become a cost center to them, something they have to provide, so they do it as cheaply as possible.

• Single provider protection:  Most enterprises today are multi-homed across two or more network providers to remove the single point of failure of a provider.  Having two providers is a best practice to maximize uptime.  ISP DDoS mitigation solutions only protect their network links, not the other links you might have, so now you need DDoS mitigation services from different providers, doubling your cost.

• No cloud protection:  Similarly, a lot of Web applications these days are split between enterprise-owned data centers and cloud services like Amazon AWS, GoGrid, Rackspace, etc.  ISPs can't protect traffic on those cloud services.

* Cloud Mitigation Provider.  Cloud mitigation providers are experts at providing DDoS mitigation from the cloud.  This means they have built out massive amounts of network bandwidth and DDoS mitigation capacity at multiple sites around the Internet that can take in any type of network traffic, whether you use multiple ISP’s, your own data center or any number of cloud providers. They can scrub the traffic for you and only send “clean” traffic to your data center.

Cloud mitigation providers have the following benefits:

• Expertise:  Generally, these providers have network and security engineers and researchers who are monitoring for the latest DDoS tactics to better protect their customers.

• Lots of bandwidth: These providers have much more bandwidth than an enterprise could provision on its own to stop the biggest volumetric attacks.

• Multiple types of DDoS mitigation hardware:  DDoS attacks are extremely complex, and multiple layers of filtering are needed to keep up with the latest threats.  Cloud providers should take advantage of multiple technologies, both commercial off-the-shelf (COTS) and their own proprietary technology, to defend against attacks.

Cloud mitigation providers are the logical choice for enterprises for their DDoS protection needs.  They are the most cost effective and scalable solution to keep up with the rapid advances in DDoS attacker tools and techniques.


Interested in denying someone access to the Internet? Ten dollars provides a very nice DDoS (Distributed Denial of Service) platform, featuring one 60-second long attack that can be used as often as needed for an entire month. For those wanting more, 169 dollars provides the ultimate DDoS, three two-hour long attacks, also rentable by the month.

Bewildered by all the different suppliers? This forum reviewed the major cloud-based DDoS platforms, coming up with these favorites.

[Slide: Top 10 Booters]

Notice the slide's title refers to booters; the industry calls for-hire DDoS services booters when they have an online customer interface. The slide also refers to stressers [sic]. That is an attempt to align with legitimate businesses that stress-test websites to see how well they handle large volumes of incoming traffic.

I first became aware of booters when my friend and security blogger, Brian Krebs, reported in this post that someone initiated a Booter DDoS attack against his blog site. After reading Brian’s post, I realized DDoS attacks were no longer just in the realm of experienced and knowledgeable hackers. For a nominal fee, anyone can easily wreak havoc on someone else’s Internet experience.

Wanting to learn more, I did some digging and came across an interesting paper by Mohammad Karami and Damon McCoy of George Mason University, “Understanding the Emerging Threat of DDoS-As-a-Service.”

Mohammad and Damon start out by mentioning that researchers know little about the operation, effectiveness, and economics of booters. A fortunate event changed that: the operations database for one specific booter, twBooter, became public, allowing Mohammad and Damon to gain significant insight into its inner workings, including:

  • The attack infrastructure
  • Details on service subscribers
  • Information on the targets

In an interesting departure from typical DDoS operations, Mohammad and Damon noticed Booter developers prefer to rent servers instead of compromising individual PCs: “Compared to clients, servers utilized for this purpose could be much more effective as they typically have much higher computational and bandwidth capacities, making them more capable of starving bandwidth or other resources of a targeted system.”

Next, Mohammad and Damon were able to piece together twBooter’s two main components: the attack infrastructure and the user interface (shown below).


[Slide: twBooter attack infrastructure and user interface]

The user interface slide has a window showing the different available attack techniques. Using the database, Mohammad and Damon isolated the most popular attacks:


[T]wBooter employs a broad range of different techniques for performing DDoS attacks. This includes generic attack types such as SYN flood, UDP flood, and amplification attacks; HTTP-based attacks including HTTP POST/GET/HEAD and RUDY (R-U-Dead-Yet); and application-specific attacks, such as slowloris, that targets Apache web servers with a specific misconfiguration.

The authors note that the above DDoS techniques accounted for more than 90 percent of the twBooter attacks. To determine the effectiveness of twBooter, Mohammad and Damon subscribed to the service and set about attacking their own server. First up, the UDP attack: “The UDP flood used a DNS reflection and amplification attack to generate 827 MBit/sec of DNS query response traffic directed at our server by sending out large numbers of forged DNS request queries that included our server’s IP address as the IP source address.”

Next, the SYN attack: “For the SYN flood, we observed 93,750 TCP SYN requests per second with randomly spoofed IP addresses and port numbers directed at our server in an attempt to utilize all of its memory by forcing it to allocate memory for a huge number of half-open TCP connections.”

The following slide provides details.


[Slide: table of twBooter attack measurements]
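Both of the attacks the authors measured leave a clear fingerprint on the victim's wire, and the following added example (not from the paper or this post) shows detection logic for each over packet records. A spoofed-source SYN flood shows up as a burst of SYNs from a very large number of distinct sources that never complete the handshake; a DNS reflection attack shows up as DNS responses arriving from resolvers the victim never sent a query to, because the attacker forged the victim's address into queries it sent on the victim's behalf. The packet records, addresses and thresholds are constructed for the example (documentation ranges throughout) and the counts are far smaller than the 93,750 SYN/s and 827 Mbit/s measured in the paper.

```python
"""Detecting the two twBooter attacks measured above in packet records:
a spoofed-source SYN flood and a DNS reflection/amplification flood.

Added example, not from the paper or the post. Records are constructed (the victim,
the open resolvers and the spoofed sources are all documentation addresses) and the
thresholds are assumptions. The SYN detector looks for a burst of SYNs from many
sources that never complete the handshake; the DNS detector looks for DNS responses
arriving from resolvers the victim never queried, which is the signature of a
reflection attack because the forged queries carried the victim's address.
"""
from collections import Counter, defaultdict, namedtuple

# One record per packet: ts (s), addresses/ports, proto, TCP flags ("S" or "A"), bytes.
Pkt = namedtuple("Pkt", "ts src sport dst dport proto flags size")
VICTIM = "203.0.113.5"


def syn_flood_stats(pkts, victim, port=80, min_peak=100, max_completion=0.1):
    """Peak SYN/s toward victim:port, share of SYNs later followed by an ACK, and a verdict."""
    to_port = [p for p in pkts if p.proto == "tcp" and p.dst == victim and p.dport == port]
    syns = [p for p in to_port if p.flags == "S"]
    acked = {(p.src, p.sport) for p in to_port if p.flags == "A"}
    completed = sum(1 for p in syns if (p.src, p.sport) in acked)
    per_second = Counter(int(p.ts) for p in syns)
    peak = max(per_second.values()) if per_second else 0
    ratio = completed / len(syns) if syns else 1.0
    return {
        "syn_count": len(syns),
        "distinct_sources": len({p.src for p in syns}),
        "completed": completed,
        "completion_ratio": ratio,
        "peak_syn_per_sec": peak,
        "flagged": peak >= min_peak and ratio < max_completion,
    }


def dns_reflection_stats(pkts, victim, min_mbps=10.0):
    """Bytes of DNS responses the victim solicited vs. ones it never asked for, plus peak rate."""
    queried = defaultdict(int)  # resolver -> bytes of queries the victim actually sent it
    for p in pkts:
        if p.proto == "udp" and p.src == victim and p.dport == 53:
            queried[p.dst] += p.size
    solicited = unsolicited = 0
    sources = set()
    per_second = Counter()
    for p in pkts:
        if p.proto == "udp" and p.dst == victim and p.sport == 53:
            if queried.get(p.src):
                solicited += p.size
            else:
                unsolicited += p.size
                sources.add(p.src)
                per_second[int(p.ts)] += p.size
    peak_mbps = max(per_second.values(), default=0) * 8 / 1e6
    return {
        "solicited_bytes": solicited,
        "unsolicited_bytes": unsolicited,
        "unsolicited_sources": len(sources),
        "peak_mbps": peak_mbps,
        "flagged": peak_mbps >= min_mbps and len(sources) > 1,
    }


def build_sample():
    """Constructed capture: normal handshakes and one DNS lookup, then both attacks."""
    pkts = []
    for i, ip in enumerate(["203.0.113.10", "203.0.113.11", "203.0.113.12"]):
        pkts.append(Pkt(1.0 + i, ip, 50000 + i, VICTIM, 80, "tcp", "S", 60))
        pkts.append(Pkt(1.1 + i, ip, 50000 + i, VICTIM, 80, "tcp", "A", 52))
    pkts.append(Pkt(5.0, VICTIM, 40000, "192.0.2.53", 53, "udp", "", 60))   # victim's own lookup
    pkts.append(Pkt(5.1, "192.0.2.53", 53, VICTIM, 40000, "udp", "", 120))  # and its answer
    # SYN flood: 200 SYNs within one second from 200 spoofed sources, none completed
    for i in range(200):
        pkts.append(Pkt(10.0 + i * 0.005, f"172.16.0.{i + 1}", 1024 + i, VICTIM, 80, "tcp", "S", 60))
    # DNS reflection: 40 open resolvers each return 50 large responses the victim never asked for
    for r in range(40):
        for k in range(50):
            pkts.append(Pkt(20.0 + k * 0.02 + r * 0.0001, f"198.51.100.{r + 1}", 53,
                            VICTIM, 40000 + r, "udp", "", 3000))
    return pkts


SAMPLE = build_sample()

if __name__ == "__main__":
    print("SYN flood:", syn_flood_stats(SAMPLE, VICTIM))
    print("DNS reflection:", dns_reflection_stats(SAMPLE, VICTIM))
```

The reflection detector deliberately keys on "response with no matching outbound query" rather than on volume alone: a busy recursive resolver legitimately receives large responses at a high rate, but only an attack produces answers to questions the victim never asked.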

To recap, twBooter exemplifies the new trend in DDoS platforms: a reasonably-priced, user-friendly DDoS platform fully capable of bringing down websites, even those with significant bandwidth accommodations.

Something else I found interesting, even though twBooter did not make the Top 10 (maybe the data leak had something to do with it), Mohammad and Damon determined twBooter earned its owners in excess of 7,000 dollars a month. That amount resulted from customers launching over 48,000 DDoS attacks against 11,000 separate victims.


Final thoughts

Oddly enough, booters started out filling a niche, one that allowed online gamers to momentarily knock opponents out of the game, gaining themselves a distinct, albeit unfair, advantage. Other enterprising underworld individuals decided to repurpose booters into powerful DDoS platforms for hire — simple, yet effective.


When hackers take down a website, their weapon of choice is often a less-than-subtle technique known as a denial of service attack, which merely overwhelms a site's servers with junk traffic. But the trick that the hacker group known as the Syrian Electronic Army pulled against the New York Times, Twitter, and the Huffington Post UK on Tuesday seems to have been very different, and potentially far more invasive.

On Tuesday evening, Australian domain registrar Melbourne IT confirmed the security community's suspicions that it was the weak link that allowed the outages of the Times' website, and very likely the attacks on Twitter and the Huffington Post as well. Melbourne IT, like other domain registrars, is an authority in the Web's domain name system (DNS): the name servers it registers for a domain are the ones the rest of the Internet consults to translate the domain names users type into their browsers or click on into the numerical IP addresses of the servers that host those websites. According to Melbourne IT, one of its resellers' accounts was compromised, giving the attackers the ability to change which DNS servers resolve the reseller's clients' sites, essentially hijacking the sites' traffic, potentially including all web traffic and email. (The battle for control of the domains still continues for the Times, whose site remained offline as of Wednesday night.)

“We are currently reviewing our logs to see if we can obtain information on the identity of the party that has used the reseller credentials, and we will share this information with the reseller and any relevant law enforcement bodies,” Melbourne IT’s head of corporate communications wrote to me in an emailed statement.

The pro-Syrian government provocateur hackers known as the Syrian Electronic Army, however, haven’t left the attack’s source to the imagination. “Hi @Twitter, look at your domain, its owned by #SEA :)” the group tweeted Tuesday afternoon, along with the link to Twitter’s domain information, showing that they had changed it to the SEA’s. The group also temporarily replaced the Times’ site with a page showing their logo, and a message that read “Hacked by Syrian Electronic Army.”

That level of takeover is far more serious than merely knocking a site offline or defacing it, points out David Ulevitch, who runs the DNS service OpenDNS and monitored the day’s hijinks. “This isn’t just an embarrassment for the New York Times, but a serious security threat,” he says. He suggests that confidential emails–say, from sensitive sources in Syria–could have been compromised, too. “If email could be redirected and captured by the Syrian Electronic Army, you’ve blown your confidential status.”

Worse yet, an attacker could use the trick to set up a fake version of the site, complete with a seemingly valid SSL encryption certificate, and siphon users’ credentials, suggests HD Moore, chief research officer at the security firm Rapid7. “You wouldn’t have to man-in-the-middle a site for very long to get a crapload of credentials,” he says. “They could have harvested for 15 minutes and gotten 10,000 passwords.”

I’ve reached out to the New York Times and Twitter for more information about the extent of these potential breaches, and I’ll update this post if I hear back from them.

Update: Twitter security spokesperson Jim Prosser writes back that the Melbourne IT attackers had only limited access to its domain registration details and couldn’t have pulled off the scenario that Moore describes, only changed the “Whois” details. “The perpetrators weren’t able to change the actual DNS address of the domain — just the written registration details,” writes Prosser. He declined to comment further on the record, and referred me to Twitter’s official statement on the hack, which states that “no Twitter user information was affected by this incident.”

Moore points out that Melbourne IT may have been lucky that its Syrian attackers limited their attack to Twitter, the Times, and the Huffington Post UK. In fact, 26 of the top 250 sites on the Web based on Alexa rankings use Melbourne IT as a domain registrar. It's not clear why the hackers didn't use their access to go after more of those high-profile sites. “Someone could have gone much further with this and had a much more devastating impact,” he says.

In its statement, Melbourne IT says that some of its clients were protected by a “registry lock” feature that would require further verification for any changes to a domain registry. “For mission critical names we recommend that domain name owners take advantage of additional registry lock features available from domain name registries including .com,” the statement reads. “Some of the domain names targeted on the reseller account had these lock features active and were thus not affected.”

But Moore says he checked Twitter's domain registration as the attack took place and could see that it had implemented what looked like that “lock” safeguard, which seems to have failed to prevent the domain hijacking. “Whatever Twitter did, it didn't make a difference,” he says. (Update: As I noted above, Twitter disputes this.)
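The distinction Melbourne IT's statement is drawing matters, and it is visible in WHOIS output. A registrar lock appears as the EPP statuses clientTransferProhibited, clientUpdateProhibited and clientDeleteProhibited; it is set and cleared by the registrar, so a compromised registrar or reseller account can simply clear it before making changes. A registry lock appears as serverTransferProhibited, serverUpdateProhibited and serverDeleteProhibited; those are held at the registry and require an out-of-band verification step before a change is accepted, which is why the domains that had it were unaffected. The following added example (not from the article, Melbourne IT or Twitter) parses WHOIS text to tell the two apart, lists which registry-lock statuses are still missing, and compares the delegated name servers against an expected set so that a hijack of the kind described above is noticed. The WHOIS excerpts, domains and name servers are constructed samples.

```python
"""Telling a registrar lock apart from a registry lock in WHOIS output, and spotting
a name-server change.

Added example, not from the article, Melbourne IT or Twitter. The EPP status codes it
keys on are the standard ones shown in .com/.net WHOIS: client*Prohibited statuses are
set by the registrar and can be cleared by whoever controls the registrar (or reseller)
account, so they do not help when that account is what got compromised; the
server*Prohibited trio is the "registry lock" that needs out-of-band verification at
the registry before a change is accepted. The WHOIS texts are constructed samples.
"""
import re

STATUS_RE = re.compile(r"^\s*Domain Status:\s*([A-Za-z]+)", re.M)
NS_RE = re.compile(r"^\s*Name Server:\s*(\S+)", re.M)

REGISTRY_LOCK = {"serverDeleteProhibited", "serverTransferProhibited", "serverUpdateProhibited"}
REGISTRAR_LOCK = {"clientDeleteProhibited", "clientTransferProhibited", "clientUpdateProhibited"}


def statuses(whois_text):
    """Set of EPP status codes listed in the WHOIS text."""
    return {m.group(1) for m in STATUS_RE.finditer(whois_text)}


def lock_level(whois_text):
    """'registry' if all three server*Prohibited codes are set, else 'registrar' or 'none'."""
    st = statuses(whois_text)
    if REGISTRY_LOCK <= st:
        return "registry"
    if st & REGISTRAR_LOCK:
        return "registrar"
    return "none"


def missing_registry_locks(whois_text):
    """Which of the three registry-lock statuses still need to be requested."""
    return sorted(REGISTRY_LOCK - statuses(whois_text))


def nameserver_drift(whois_text, expected):
    """Compare delegated name servers against the set you expect; any drift is a hijack signal."""
    seen = {m.group(1).lower().rstrip(".") for m in NS_RE.finditer(whois_text)}
    want = {n.lower().rstrip(".") for n in expected}
    return {"unexpected": sorted(seen - want), "missing": sorted(want - seen)}


# --- constructed WHOIS excerpts ---------------------------------------------------
WHOIS_REGISTRAR_LOCK_ONLY = """\
Domain Name: EXAMPLE.COM
Registrar: Example Registrar, Inc.
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Name Server: NS1.HIJACKED-NS.EXAMPLE
Name Server: NS2.HIJACKED-NS.EXAMPLE
"""

WHOIS_REGISTRY_LOCK = """\
Domain Name: EXAMPLE.NET
Registrar: Example Registrar, Inc.
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: serverDeleteProhibited https://icann.org/epp#serverDeleteProhibited
Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
Domain Status: serverUpdateProhibited https://icann.org/epp#serverUpdateProhibited
Name Server: NS1.EXAMPLE.NET
Name Server: NS2.EXAMPLE.NET
"""

EXPECTED_NS = ["ns1.example.net", "ns2.example.net"]

if __name__ == "__main__":
    for text in (WHOIS_REGISTRAR_LOCK_ONLY, WHOIS_REGISTRY_LOCK):
        print(lock_level(text), missing_registry_locks(text), nameserver_drift(text, EXPECTED_NS))
```

On a live system the same functions can be fed the output of the standard `whois` command (for instance `subprocess.run(["whois", domain], capture_output=True, text=True).stdout`), run on a schedule; a lock level that is not "registry" on a mission-critical name, or any name-server drift, is worth an alert before the traffic moves.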

The Syrian Electronic Army, which supports Syrian dictator Bashar Al-Assad's regime in the country's widening civil war, has emerged over the last year as a frequent disruptive force online. Using phishing attacks, it has hijacked the Twitter feeds of Justin Bieber, Angelina Jolie, the BBC, CBS, NPR, and even the Onion. In April, it used the AP feed to deliver false news that President Obama had been injured in an explosion at the White House, causing a temporary 150-point dive in the stock market's Dow Jones Industrial Average.

Though the Times continues to battle its Syrian foes, Moore argues that the SEA could have used its Melbourne IT attack to inflict far more serious damage than any of those previous hacks. “This comes off as kind of clumsy and a waste of a serious bug,” he says. “It could have gone a whole lot worse.”