Over the last decade, DDoS attacks have proliferated, possibly becoming the primary threat for every website or web application.

The ultimate goal is to bring down sites by flooding them with fake requests, usually from multiple locations.

The outcome of such attacks ranges from slow page loads to blocking legitimate traffic.

Among the thousands of DDoS attacks that happen every day, you’ll find attacks that last a number of days, as opposed to short-duration attacks that only take a few minutes for attackers to coordinate and launch at a time.

These attacks are becoming much more commonplace, whether the goal is to take a site down or if they’re used as a smokescreen to divert site owners’ attention.

In this article, I would like to share our real life experience with short-duration DDoS attacks, addressing what happens when this type of attack targets multiple sites simultaneously.

5 Short Attacks in 3 Days

We recently witnessed a three day, continuous attack that targeted two domains of a well-known bank.

On the first day, the bank suffered a significant volumetric attack that lasted five to six minutes, but consumed bandwidth at a rate of dozens of gigabytes per second.

Another attack, that lasted fifteen minutes, took place on the second day, targeting the second domain of the bank.

On the third day, the same domain that was targeted the previous day was hit with a long duration attack.

We could see that the first and second attacks were reconnaissance attacks, executed to evaluate which of the two domains was more vulnerable.

It is clear that the second domain was more susceptible since it was hit much harder in the third attack.

In parallel, we detected that there was another short-duration spike attack that targeted one of our Telco customers.

Just two hours later, there was another attack against a large utility organisation.

Because of this pattern, we were able to identify that all three attacks were performed by the same attacker and could warn and better protect our customers against further attacks.

Comparing the volume of bandwidth we’ve encountered on the first day of the attacks, to a DDoS attack’s average peak size of 7.39 Gbps, as reported by SCMagazine, we can see that short-duration attacks use large volumes of traffic in short, shotgun-like bursts.

Attackers leverage these short-duration attacks to evaluate which companies and organisations are easiest to infiltrate.

We assume that this also has to do with the availability of resources. These types of attacks are more likely to come from smaller, private groups that are shorter on resources, as opposed to criminal groups or countries which have access to unlimited resources and can therefore launch long-duration attacks from day-one.

Here’s what we’ve seen over time:


When it comes to short-burst attacks, time is of the essence. Attacks are likely to go under the radar and leave no time to respond.

Organisations managing multiple web domains must have the ability to centralise incoming data, preferably by working with the same security vendor across all their domains. This enables them to predict attacks by analysing trends and patterns across their sites.

Organisations should demand this capability from their security vendors, who should also be willing to use data from various customers in order to predict potential attacks on other customers, as described in the above case study.

We see a growing number of short duration attacks across our customer base.

Awareness to this new pattern is key: customers typically assume that the attack is over, while this may actually be a sign for a much larger attack coming through.

In light of this new pattern using services and tools that can aggregate attack information across customers and websites is an ideal way to predict and avoid the massive DDoS attacks about to come.

Source: http://www.thecsuite.co.uk/CIO/index.php/security/289-ddos-attack-tactics-3343

Connectivity at MTN’s Gallo Manor data centre has been fully restored after the Johannesburg site was hit by a distributed denial of service (DDoS) attack earlier this afternoon.

MTN alerted clients just after 3pm today that it had suffered a DDoS attack, which resulted in packet loss and a disturbance to clients’ cloud services.  At the time the company said MTN Business’ network operations centre was working on resolving the problem to avoid any further attacks.

This comes less than two days after a power outage at the same data centre caused loss of connectivity.

MTN chief technology officer Eben Albertyn says, while the DDoS attack today hampered the company’s ability to provide connectivity services, engineers worked “fervently” to fully restore services and avert further attacks, and connectivity was restored soon after.

“The interruption lasted only a few minutes and is completely unrelated to the outage experienced on Monday. MTN wishes to apologise profusely to its customers for any inconvenience caused.”

On Sunday evening just after 6pm, MTN’s Gallo Manor data centre went offline, causing major disruptions to clients’ services, including Afrihost.

MTN put the outage down to a power outage. The problem persisted until the next day, with services being restored around 11am on Monday.

Digital Attack Map defines DDoS attack as: “An attempt to make an online service unavailable by overwhelming it with traffic from multiple sources.”  The live data site notes these attacks can target a wide variety of important resources, from banks to news Web sites, and present a major challenge to making sure people can publish and access important information.

Source: http://www.itweb.co.za/index.php?option=com_content&view=article&id=142968:MTN-weathers-DDOS-attack

The recent DDoS attacks aimed at GreatFire, a website that exposes China’s internet censorship efforts and helps users get access to their mirror-sites, and GitHub, the world’s largest code hosting service, have been linked to the Great Cannon, an attack tool co-located with the Great Firewall of China.

“A report released by GreatFire.org fingered malicious Javascript returned by Baidu servers as the source of the attack. Baidu denied that their servers were compromised,” Citizen Lab researchers noted, then explained: “The Great Cannon is not simply an extension of the Great Firewall, but a distinct attack tool that hijacks traffic to (or presumably from) individual IP addresses, and can arbitrarily replace unencrypted content as a man-in-the-middle.”

GreatFire says that the attack against their servers started on March 17, and Citizen Lab pinpoints their end to April 8, 2015. A blog post published on Friday by Niels Provos, an engineer with Google’s Security Team, shows this information is correct, as its Safe Browsing infrastructure picked up this attack, too.

“While Safe Browsing does not observe traffic at the network level, it affords good visibility at the HTTP protocol level. Using Safe Browsing data, we can provide a more complete timeline of the attack and shed light on what injections occurred when,” he noted.

The data shows that content injections against baidu.com domains on March 3, 2015, and ended on April 7. Also, that the attack was carried out in multiple phases:

Phase 1: March 3 – March 6. Target: This was a testing stage.
Phase 2: March 10 – March 13. Targets: Hosts under the sinajs.cn and cloudfront.net domains.
Phase 3: March 14 – March 17. Target: Another host under the cloudfront.net domain.
Phase 4: March 18 – March 25. Targets: Additional Five cloudfront hosts. “At some point during this phase of the attack, the cloudfront hosts started serving 302 redirects to greatfire.org as well as other domains. Substitution of Javascript ceased completely on March 20th but injections into HTML pages continued.”
Phase 5: March 25 – April 7. Targets: github.com/greatfire/wiki/wiki/nyt/, github.com/greatfire/, github.com/greatfire/wiki/wiki/dw/, and github.com/cn-nytimes/.

All in all, eight baidu.com domains and corresponding IP addresses were injected with Javascript replacement payloads and HTML injections.

Apart from giving more insight in the attacks, this report shows that hiding such attacks from detailed analysis after the fact is difficult. Even though this data can’t be used to identify the attackers, it is Provos’ hope that “external visibility of this attack will serve as a deterrent in the future.”

“Had the entire web already moved to encrypted traffic via TLS, such an injection attack would not have been possible. This provides further motivation for transitioning the web to encrypted and integrity-protected communication,” he noted. “Unfortunately, defending against such an attack is not easy for website operators. In this case, the attack Javascript requests web resources sequentially and slowing down responses might have helped with reducing the overall attack traffic.”

Source: http://www.net-security.org/secworld.php?id=18312

According to Neustar’s 2015 North American Denial of Service (DDoS) Attacks & Impact Report, 32 percent of U.S. companies say a DDoS attack would cost them more than $100,000 in revenue per hour.

Eleven percent say DDoS attacks can lead to more than $1 million in hourly revenue losses.

The report, based on a survey of more than 500 U.S. executives and senior professionals, also found that 40 percent of businesses say DDoS attacks are a growing threat to their organization.

Among companies that have been hit by DDoS attacks, 85 percent were hit multiple times, and 30 were attacked more than 10 times per year. Over a quarter of those attacked said they suffered a loss of customer trust and brand damage as a result.

“A website attack that was once considered to be an IT problem now reverberates and can cause significant brand damage that affects all organizational employees and its customers,” Neustar director of security services Margee Abrams said in a statement.

The Neustar report also found that 51 percent of respondents say they’re investing more in DDoS protection solutions than they were a year ago.

Notably, 45 percent of businesses say it takes them more than an hour to detect a DDoS attack — and after detection, 51 percent say it takes them more than an hour to respond.

But according to NSFOCUS’ biannual DDoS Threat Report, that response would come far too late in the vast majority of cases — the report states that 90 percent of DDoS attacks in 2014 lasted less than 30 minutes in total.

“This shorter attack strategy is being employed to improve efficiency as well as distract the attention of IT personnel away from the actual intent of an attack: deploying malware and stealing data,” the NSFOCUS report states. “These techniques indicate that today’s attacker continues to become smarter and more sophisticated.”

In one attack event in December 2014, NSFOCUS found that one third of attack sources were smart devices such as webcams and routers.

Such devices, the NSFOCUS report notes, offer several key benefits to attackers, including relatively high bandwidth, a long upgrade cycle (many are never upgraded after deployment), and 24/7 online availability.

“In 2H 2014, the reflective amplification distributed denial of service attacks that abuse the Simple Service Discovery Protocol (SSDP) emerged as the most potent and increasingly favored attack vector,” the report states.

NSFOCUS says more than 7 million smart devices could be exploited globally to launch such attacks, which can amplify attack bandwidth by as much as 75 times.

“With IoT bringing billions of such devices online, there will be an exponential growth in SSDP-type attacks,” the report notes.

The NSFOCUS report also predicts that 2015 will see the peak traffic of DDoS attacks reach 1 Tbps.

Source: http://www.esecurityplanet.com/network-security/for-many-u.s.-enterprises-ddos-attacks-can-cost-over-100000-per-hour.html

Indian telecom regulator TRAI’s official website was on Monday brought down by a hacker group called Anonymous India following the public release of email IDs from which the government body received responses regarding net neutrality.
The group also warned TRAI of being hacked soon.
“TRAI down! Fuck you http://trai.gov.in  for releasing email IDs publicly and helping spammers. You   will be hacked soon,” AnonOpsIndia tweeted.
The group claimed to launch a DDoS (distributed denial-of-service) attack on the website to make it inaccessible.
Slamming the government portal, the group posted: “#TRAI is so incompetent lol They have any clue how to tackle a DDoS?”
“But just an alarm for whole #India. You trust incompetent #TRAI who don’t know how to deal with DDoS? Seriously sorry guys. Goodluck!,” it added.
Taking a dig at the personnel at TRAI, it tweeted: “Somebody call ‘brilliant minds’ at TRAI and tell them to stop eating samosas and get back to work coz DDoS attack has stopped from here.”
In a response to a Twitter user about the attack, Anonymous India said it was “just preventing spammers from accessing those Email IDs posted by Trai publicly.”
It said that TRAI is incompetent in dealing with internet.
“So those who still think that #TRAi can “handle” the Internet, we just proved you wrong.They just got trolled by bunch of kids.#Incompetence,” the hacker group tweeted.
Following tweets suggesting the hacker group to stop their actions, Anonymous India did same. However, the group compalined that no action was taken on those email ids which were revealed.
“Guys http://trai.gov.in  is back online and they still haven’t done anything about those Email IDs. You guys told us to stop. We did,” it tweeted.
“So if you guys still think you can have a chat with incompetent #TRAi, go ahead. But WE ARE WATCHING!,” the group posted.
Source: http://indiablooms.com/ibns_new/news-details/N/10099/hacker-group-brings-down-trai-s-website.html