Researchers have uncovered software available on the Internet designed to overload the struggling website with more traffic than it can handle.

“ObamaCare is an affront to the Constitutional rights of the people,” a screenshot from the tool, which was acquired by researchers at Arbor Networks, declares. “We HAVE the right to CIVIL disobedience!”

In a blog post published Thursday, Arbor researcher Marc Eisenbarth said there’s no evidence has withstood any significant denial-of-service attacks since going live last month. He also said the limited request rate, the lack of significant distribution, and other features of the tool’s underlying code made it unlikely that it could play a significant role in taking down the site. The tool is designed to put a strain on the site by repeatedly alternating requests to the and addresses. If enough requests are made over a short period of time, it can overload some of the “layer 7″ applications that the site relies on to make timely responses.

The screenshot below shows some of the inner workings of the unnamed tool.

The tool fits a pattern seen in the previous years of hacktivist software available for download that’s customized to take on a specific cause or support a particular ideology.

“ASERT has seen site specific denial of service tools in the past related to topics of social or political interest,” Eisenbarth wrote, referring to the Arbor Security Engineering and Response Team. “This application continues a trend ASERT is seeing with denial of service attacks being used as a means of retaliation against a policy, legal rulings or government actions.”

The full text of the screenshot reads:

Destroy Obama Care.

This program continually displays alternate page of the ObamaCare website. It has no virus, trojans, worms, or cookies.

The purpose is to overload the ObamaCare website, to deny service to users and perhaps overload and crash the system.

You can open as many copies of the program as you want. Each copy opens multiple links to the site.

ObamaCare is an affront to the Constitutional rights of the people. We HAVE the right to CIVIL disobedience!

Of course, there’s no way of knowing who wrote and posted the tool, which has been mentioned on social media sites. It’s certainly possible that it’s the work of critics of President Obama’s healthcare legislation. But until we learn more, there’s no way to rule out the possibility that it was developed by an Obamacare supporter with the hope of discrediting critics.


DDoS attacks

IBM’s recently discovered an alarming fact: distributed denial-of-service (DDoS) attacks are rapidly increasing. The company released a report that offers insight on the attacks and reasons to why they’re being performed. According to the IBM Cyber Security Intelligence Index the average number of attacks on a single organization in a week is 1,400 attacks, with an average of 1.7 incidents per week.

DDoS Attacks? What Are Those?
You might be wondering, what exactly is a DDoS attack? And what’s the difference between attacks and incidents? IBM defines attacks as security events that correlation and analytic tools identify as malicious activity trying to collect, degrade, or destroy information system resources or the data itself. This includes URL tampering, denial of service, and spear phishing. Incidents, on the other hand, are attacks that human security analysts review and deem a problem worthy of deeper investigation.

Who’s Targeted and Why
Malicious codes and sustained probes are the two most common attacks that make up for over 60 percent of incidents. A sustained scan is reconnaissance activity that’s designed to gather information, like operating systems or open ports, about targeted systems. Malicious codes can be Trojan software, keyloggers, or droppers. It is software created to gain unauthorized access into systems and gather information.

The manufacturing industry is the number one targeted industry with 26.5 percent of DDoS attacks directed towards it. Almost 21 percent of attacks are directed at finance and insurance, and 18.7 percent at information and communication. Health and social services and retail and wholesale are targeted 7.3 and 6.6 percent of the time, respectively.

There are a handful of reasons perpetrators execute their invasions. Nearly half of all attacks are opportunistic, meaning that they takes advantage of existing vulnerabilities without any motivation other than to do damage. Twenty three percent are done because of industrial espionage, terrorism, financial crime, or data theft. Perpetrators discontented with their employers or job account for 15 percent of attacks, while only seven percent constitute attacks done in the name of social activism or civil disobedience.

How Do We Stop the Attacks?
Humans are the number one cause of vulnerability in organizations. Forty-two percent of the breaches that happen are due to misconfigured systems or applications. End-use errors make up 31 percent of the breaches, while 6 percent is because of both vulnerable codes and targeted attacks. It’s important to crack down on online security protocol with employees to prevent your business from falling victim to these attacks.

IBM offers two essential pieces of advice to help organizations prevent incidents: building a risk-aware culture and managing incidents and response. There should be no tolerance if colleagues are careless about security; it is the management’s job to enforce stricter regulations on company security and to track company progress. It is crucial to implement company-wide intelligent analytics and automated response capabilities. Enterprises can easily monitor and respond to systems that are automated and unified.

Click on the image below to view the full infographic.

new DDoS full

Back in July, domain name registrar giant Network Solutions experienced a significant Distributed Denial of Service (DDoS) attack. As I noted at the time, given that this was the second time in recent months they had been a target, and given they are such an inviting one because of the critical place they occupy in how the Internet functions, they seemed to be ill-prepared. This included a lack of preparation before the attack to assure rapid remediation, a lack of transparency during the attack in terms of keeping customers informed, and what appears to be a lack of ability to learn from their mistakes in anticipation of what had to be assumed would be continued testing by those with malicious intent.

Unfortunately, if you are not painfully aware already, it should come as no surprise that Network Solutions is once again experiencing problems, and as baseball sage Yogi Berra is famously quoted as saying, “It is , Déjà vu all over again!:

First let go to the Twitter feed of the company #netosl.

Let’s just say frustration abounds now that we appear to be roughly in hour three of the as-yet -unidentified problem.

I think one tweet from the website I like when three are such problems, kind of says it all.

In fact, here is the latest from

Worst of all, and this is what is so disturbing is the current view from To save you a visit and disappointment there is NOTHING there to indicate there is a problem. In fact, indulge yourself in a little exercise and go to Twitter #netsol again and click the other links for getting company info. It might compel you to send a few words.

It appears that things are getting back to normal for most if not all Network Solutions customers, and that is a good thing. What is not so good, and I am trying hard to give the company the benefit of the doubt given that they are dealing with this in real-time and may not have a complete view of why the outage occurred, is the continued lack of customer engagement.

This is really getting repetitive and management should take a good hard look in the mirror and figure out if they would put up with such behavior from a “trusted” vendor.

image via shutterstock

As King Henry V intones in his famous, “Cry God for Harry, England, and Saint George!” speech in William Shakespeare’s play Henry V, Act III (penned in 1598), “Once more into the breach!”

We will let you know what’s known about the outage once there is clarity. Hopefully, that will be sooner rather than later.


“Headless” browsers pummeled a trading platform’s website this past week in a rare form of distributed denial-of-service (DDoS) attack that lasted for 150 hours.

The attack employed some 180,000 IP addresses — and as of today continues to rebound in smaller pockets — according to cloud-based DDoS mitigation service provider Incapsula, which discovered and mitigated the massive attack for its customer.

The company declined to name the targeted organization, only saying it was a trading platform and that the attackers were likely motivated for competitive reasons. “The order of magnitude was significant,” says Marc Gaffan, co-founder of Incapsula. “No one has 180,000 IPs at their disposal unless it’s an amalgamation of separate botnets they are using interchangeably. This was a sophisticated and thought-out process.”

DDoS attacks increasingly have moved up the stack to the application layer, mainly for more targeted purposes, such as disrupting transactions or access to databases, for instance. According to new data from Arbor Networks, DDoS attacks in general are getting more powerful but their duration is declining: the average DDoS attack size thus far is 2.64 Gbps for the year, an increase of 78 percent from 2012, and some 87 percent of attacks last less than one hour.

That makes the recent headless browser attack even more unusual, given that its duration was so long. “That’s pretty long. Obviously, someone was upset at them,” says Marc Eisenbarth, manager of research for Arbor.

The attack also was unusual in that it employed a version of the Phantom JS headless browser toolkit, which is a Web app developer’s tool for testing and simulating user browsing of an application. “This was the first time we saw this technology in a DDoS attack,” Gaffan says. “It mimics human behavior so effectively that it’s a challenge for mitigation services to deal with.”

Phantom JS is basically test tool that uses a bare-bones or “headless” browser – no buttons, address bar, etc. – with an API so programmers can test-run and automate their apps. “They can do a load test to websites simulating browser behavior and run JavaScript and accept cookies,” for example, Gaffan says.

Arbor’s Eisenbarth says he rarely sees Phantom JS being abused the way Incapsula has described this DDoS attack on its customer. “We don’t see Phantom JS as much. What we do see are attackers creating hidden IE [Internet Explorer] browsers that actually are full-function browsers and are even more sophisticated at bypassing detection mechanisms,” Eisenbarth says.

The attackers also employed some 861 different variants of the headless browser, and were generating some 700 million hits per day on the targeted website, according to Incapsula. “It’s really an evasion technique. We try to catch what they are doing, and they try to evade us,” Gaffan says. “Our job is to filter out the good guys [legitimate visitors] and let them pass … the site still needs to operate. And then keep the bad traffic out.”

Dan Holden, director of security research at Arbor Networks, says these Layer 7 DDoS attacks take more effort to execute. “There’s got to be something financial” motivating the attackers here, he says. “These are more common when you’ve got very focused and targeted attacks.”

Incapsula’s Gaffan says application-layer DDoS attacks are becoming more popular, and often accompany network-layer attacks. “That leaves you scrambling on all fronts,” he says. “An application-layer attack is easier to perpetrate because it requires less resources, but you need expertise” to pull it off, he says.

The victim organization’s business in the end suffered little impact since Incapsula was able to mitigate the attack, he says. But the DDoS hasn’t disappeared yet, either: “It started last week, and to some extent, it’s still ongoing,” Gaffan says. “There’s an ongoing process [by the attackers] of updating and changing” the headless browsers in the attack, he says.


Given that Distributed Denial of Service (DDoS) attacks are becoming more frequent, it is a good time to review the basics and how you can fight back.

A DDoS is an attack method used to deny access for legitimate users of an online service.  This service could be a bank or e-commerce website, a SaaS application, or any other type of network service. Some attacks even target VoIP infrastructure.

An attacker uses a non-trivial amount of computing resources, which they either built themselves or, more commonly, by compromising vulnerable PC’s around the world, to send bogus traffic to a site.   If the attacker sends enough traffic, legitimate users of a site can’t be serviced.

For example, if a bank website can handle 10 people a second clicking the Login button, an attacker only has to send 10 fake requests per second to make it so no legitimate users can login.  There are a multitude of reasons someone might want to shut a site down: extortion, activism, competitive brand damage, and just plain old boredom.

DDoS attacks vary in both sophistication and size.  An attacker can make a fake request look like random garbage on the network, or more troublesome, make the attack traffic look exactly like real web traffic.  In addition, if the attacker has enough computing resources at their disposal, they can direct enough traffic to overwhelm the target’s bandwidth.

The simplest types of attacks are Layer 3 and 4 attacks (IP and UDP/TCP in the OSI stack).  These simply flood the network and servers such that they can no longer process legitimate network traffic because the attacks have saturated the network connectivity of the target.  A more complex Layer 7 attack “simulates” a real user trying to use a web application by searching for content on the site or clicking the “add to cart” button.

There are four main types of protection from DDoS attacks:

* Do It Yourself.  This is the simplest and least effective method.  Generally someone writes some Python scripts that try to filter out the bad traffic or an enterprise will try and use its existing firewalls to block the traffic.  Back in the early 2000s, when attacks were pretty simple, this could work. But these days, attacks are far too large and complex for this type of protection.  A firewall will melt quite quickly under the load of even a trivial attack

* Specialized On-Premises Equipment. This is similar to “Do It Yourself” in that an enterprise is doing all the work to stop the attack, but instead of relying on scripts or an existing firewall, they purchase and deploy dedicated DDoS mitigation appliances.  These are specialized hardware that sit in an enterprise’s data center in front of the normal servers and routers and are specifically built to detect and filter the malicious traffic.  However, there are some fundamental problems with these devices:

• They are costly CAPEX purchases that may sit around and do nothing until you get attacked.  They also can be expensive to operate.  You need skilled network and security engineers to work these devices – there is no magic “mitigate DDoS” button.

• They must be constantly updated by the operations team to keep up to date with the latest threats.  DDoS tactics change almost daily.  Your team must be prepared to update these devices to the latest threats.

• They can’t handle volumetric attacks.     It’s unlikely that an enterprise would have enough bandwidth coming in to handle the very large DDoS attacks occurring today. These hardware appliances don’t do any good when the attack exceeds network capacity.

* Internet Service Provider (ISP). Some enterprises use their ISP to provide DDoS mitigation.  These ISP’s have more bandwidth than an enterprise would, which can help with the large volumetric attacks, but there are three key problems with these services as well:

• Lack of core competency: ISP’s are in the business of selling bandwidth and don’t always invest in the required capital and resources to stay ahead of the latest DDoS threats.  It can become a cost center to them – something they have to provide, so they do it as cheaply as possible.

• Single provider protection:  Most enterprises today are multi-homed across two or more network providers to remove the single point of failure of a provider.  Having two providers is a best practice to maximize uptime.  ISP DDoS mitigation solutions only protect their network links, not the other links you might have, so now you need DDoS mitigation services from different providers, doubling your cost.

• No cloud protection:  Similar to the above, a lot of Web applications these days are split between enterprise-owned data centers, and cloud services like Amazon AWS, GoGrid, Rackspace, etc.  ISP’s can’t protect traffic on these cloud services.

* Cloud Mitigation Provider.  Cloud mitigation providers are experts at providing DDoS mitigation from the cloud.  This means they have built out massive amounts of network bandwidth and DDoS mitigation capacity at multiple sites around the Internet that can take in any type of network traffic, whether you use multiple ISP’s, your own data center or any number of cloud providers. They can scrub the traffic for you and only send “clean” traffic to your data center.

Cloud mitigation providers have the following benefits:

• Expertise:  Generally, these providers have network and security engineers and researchers who are monitoring for the latest DDoS tactics to better protect their customers.

• Lots of bandwidth: These providers have much more bandwidth than an enterprise could provision on its own to stop the biggest volumetric attacks.

• Multiple types of DDoS mitigation hardware:  DDoS attacks are extremely complex. There is a need for multiple layers of filtering to be able to keep up with the latest threats.  Cloud providers should take advantage of multiple technologies, both commercial off the shelf (COTS) and their own proprietary technology to defend against attacks

Cloud mitigation providers are the logical choice for enterprises for their DDoS protection needs.  They are the most cost effective and scalable solution to keep up with the rapid advances in DDoS attacker tools and techniques.