Using Service Providers to Manage DDoS Threats

As you’ve no doubt seen in recent years, hacktivists (hackers who attack for a cause) such as Anonymous and LulzSec are becoming increasingly bold in their attacks on corporate America. Using the Internet as a venue, they are launching attacks that use hundreds or thousands of zombie computers to overwhelm victims’ bandwidth and servers. These distributed denial-of-service (DDoS) attacks can last for minutes or days, leaving your employees and customers without access to online resources.

Many options are available for protecting against, and mitigating the effects of, a DDoS attack. However, with the increasing use of third-party service providers, your organization must consider whether and how these providers can fit into a comprehensive and strategic DDoS protection plan. The good news is that these providers likely have far more resources and know-how than your own organization when it comes to fighting against DDoS attacks. The trick will be to proactively engage with providers to ensure that the full force of these resources will be effectively leveraged for your own organization’s needs.

In this report, we examine how you can combine your protections with those of third-party service providers to protect against and/or withstand DDoS attacks. One of the most important takeaways is that you must prepare in advance. You cannot wait until after the DDoS hits to implement these technologies or coordinate protection with your service providers.

Source and to download this report: http://reports.informationweek.com/abstract/21/8817/security/strategy-using-service-providers-to-manage-ddos-threats.html

By Brian Bloom, ComputerWorld Canada

May 29, 2012, 8:53 PM — Depending on how unscrupulous your business practices are, a denial-of-service attack can give you a competitive advantage. From keeping competitors offline to engaging in outright extortion, there are organizations (some more obviously criminal than others) now using DDoS attacks to make big money.

For those on the receiving end, DDoS attacks are expensive. If you want to avoid losing a lot of money, it pays to be insured. And it’s better to get your protection from the good guys.

Corero Network Security is a company that fits into a small but growing sector of the information security community. It looks at ways to combat the increasingly sophisticated — and often untraceable — denial-of-service attacks targeting organizations of all kinds. The company says the bulk of the attacks today are not the spectacular, ideology-driven kinds that grab headlines.

“Most of the attacks, we know, involve things like unfair competition,” says Neil Roiter, research director of Corero Network Security Inc. “In other words, another company in your own market, your own sector, hitting you to knock you offline, to chase away customers, to lure customers to their own site.”

Roiter adds that when Corero surveyed companies in the U.S. subjected to DDoS attack, more than half believed they had been targeted by the competition. Then there are other attacks: ones that are essentially information age protection rackets.

“It’s like the old protection racket where guys come into your shop, your store, like in the movies and they say, ‘You have a nice place here. It would be a shame if something bad happened to it. Or happened to you.’

“You’ll get an email or phone call saying, ‘Pay us $50,000 by such and such a time, transfer it to this account, or we’re going to knock your site offline.'”

At first glance, Canada appears to have avoided the scourge of these sorts of “professional” DDoS attacks. David Black, manager of the RCMP technology crime branch’s cyber crime fusion team, says he hasn’t encountered many cases of DDoS extortion in Canada, though the threat is certainly present.

“Any company is vulnerable to this, in a sense,” says Black. “If their business depends on 24/7 network connection, extortion could be a reality.”

He adds that it’s “very rare” to catch a company knocking down a competitor’s site in Canada. But again, he cautions that this doesn’t mean they won’t occur in the future.

“We are at high risk, don’t get me wrong,” Black says. “Just the examples aren’t there.”

But Roiter suggests there may be plenty of examples that the police simply don’t know about. Extortion, he says, is a crime that usually goes unreported, making it impossible to know how prevalent it is. While countries do differ in terms of the types of DDoS attacks they experience, certain industries are magnets for these types of crimes, Roiter says. He notes, for example, that Canada has a “healthy online gambling industry.”

“Gambling sites are very popular targets. There’s a lot of that that goes on in online gambling. And usually they’ll pay the ransom. Think of it this way: somebody gives you that call before a World Cup match when you know you’re going to be doing hundreds of thousands, maybe a million dollars in business, and they say, ‘pay us $50,000’ or ‘£30,000’ or whatever it is. You’re going to pay.”

Roiter says part of the reason that companies are forced to give in to criminals’ demands is not necessarily that they haven’t taken protective measures, but that they haven’t taken the right ones. They may be protected from network-based attacks but aren’t ready for the newer application-level attacks.

“The networking flooding attacks, the SYN flood, the UDP attacks, the ICMP attacks, those sorts of things are becoming less prevalent, and application-layer attacks, which use far less bandwidth and are much harder to detect and mitigate, are becoming dominant.”

To combat such attacks, Corero’s security platform uses protocol analysis to check whether a protocol is behaving properly, combined with a rate-limiting technique that assigns each source either a credit or a demerit point. Once enough demerits accumulate, the system perceives a threat and immediately blocks it off.
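To make the credit/demerit idea concrete, here is an added illustrative model (not Corero’s code, and the thresholds and event kinds are assumptions): each source earns a credit for a well-formed request at a sane pace, earns demerits for protocol misbehaviour or for exceeding a sliding-window rate, and is blocked once its demerit balance crosses a threshold. The sample traffic at the bottom is constructed for the example.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Tuning constants are assumptions for this example, not vendor defaults.
WINDOW_SECONDS = 1.0          # sliding window used for per-source rate limiting
MAX_REQUESTS_PER_WINDOW = 10  # requests allowed per window before demerits accrue
BLOCK_THRESHOLD = 8           # demerit balance at which a source is blocked
DEMERITS = {"malformed": 3, "incomplete": 2, "excess_rate": 1}


@dataclass
class SourceState:
    demerits: int = 0
    recent: deque = field(default_factory=deque)  # request timestamps in window
    blocked: bool = False


def score_event(state: SourceState, ts: float, kind: str) -> None:
    """Apply one event to a source's credit/demerit balance."""
    if kind == "request":
        # Slide the rate window forward and drop timestamps that fell out of it.
        state.recent.append(ts)
        while state.recent and ts - state.recent[0] > WINDOW_SECONDS:
            state.recent.popleft()
        if len(state.recent) > MAX_REQUESTS_PER_WINDOW:
            state.demerits += DEMERITS["excess_rate"]
        else:
            # A well-formed request at a sane pace earns a credit (floored at zero).
            state.demerits = max(0, state.demerits - 1)
    else:
        state.demerits += DEMERITS[kind]  # protocol misbehaviour (hypothetical kinds)
    if state.demerits >= BLOCK_THRESHOLD:
        state.blocked = True


def evaluate(events: List[Tuple[str, float, str]]) -> Dict[str, SourceState]:
    """Process (source, timestamp, kind) events in time order; return per-source state."""
    states: Dict[str, SourceState] = defaultdict(SourceState)
    for src, ts, kind in sorted(events, key=lambda e: e[1]):
        if states[src].blocked:
            continue  # already dropped before reaching the protected server
        score_event(states[src], ts, kind)
    return states


# Constructed sample traffic: a normal client, a high-rate client, and a client
# that keeps opening HTTP requests it never completes.
SAMPLE_EVENTS = (
    [("10.0.0.5", 0.5 * i, "request") for i in range(6)]
    + [("203.0.113.9", 0.02 * i, "request") for i in range(30)]
    + [("198.51.100.7", 0.3 * i, "incomplete") for i in range(5)]
)

if __name__ == "__main__":
    for src, st in evaluate(SAMPLE_EVENTS).items():
        print(src, "BLOCKED" if st.blocked else "allowed", st.demerits)
```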

The company has more than 20 major Canadian clients, including financial and government institutions. Dave Millier, CEO of Toronto-based Sentry Metrics Inc., says his company was the primary reseller for Top Layer Networks Inc., a company Corero acquired in 2011 that was one of the biggest players in the DDoS market.

Millier says in general, Corero’s “claim to fame” in preventing DDoS attacks is their ability to ensure business continuity in the midst of an attack. “They can sustain multi-hundred megabit attacks, while still allowing acceptable performance of the Web services that are running on the systems inside the network itself.”

This is accomplished by placing the Corero boxes outside of the network and firewall to identify and block threats more quickly. “All the data still comes to the Corero box, but it’s intelligent enough to actually in effect drop the connections before they ever get to the devices that are trying to be connected to.”

From the RCMP’s perspective, says Black, one of the best ways to combat DDoS crime in Canada is to seek guidance from the Canadian Cyber Incident Response Centre (CCIRC). Businesses can also report cyber threat incidents to the Centre. And as they increase, it will play an increasingly important role, he says.

“As this business grows and matures, for advice on how to prevent … (that’s) a great role for CCIRC,” he says.

Source: http://www.itworld.com/security/279089/new-ddos-silent-organized-and-profitable

NEW DELHI: A day after messing with servers maintained by Reliance Communications, Anonymous, an international hacker collective, defaced two websites belonging to BJP on Sunday. Through its Twitter account (@opindia_back) it announced that www.mumbaibjp.org and www.bjpmp.org.in were hacked by the group. After the hacking, the group posted a message to web users, asking them to organize protests against “web censorship” in India on June 9.

While the message was displayed on the homepage of www.mumbaibjp.org, on www.bjpmp.org.in it was inserted as a page at bjpmp.org.in/ads/anon.html. On the Mumbai BJP website the message was accompanied by a catchy tune embedded through a YouTube link.

“Today they took away your right to use a few websites… day after tomorrow they will take away your freedom of speech and no one will be there to speak for you. Speak Now or Never,” the message read. The hackers said that people should print out or buy Guy Fawkes Masks and wear them while protesting against web censorship in Bangalore, Mangalore, Kochi, Chennai, Vizag, Delhi, Mumbai and Hyderabad on June 9.

TOI reached out to Anonymous through Twitter, asking why it defaced BJP websites. “Just needed a website to display our message,” said the person managing @opindia_back.

The Ion, who is likely a part of Anonymous and who uses the @ProHaxor alias on Twitter, added, “BJP are the opposition, they should have stopped this or should have organised a protest; they did not do any.”

Incidentally, CERT-IN, the nodal agency in India for monitoring security and hacking incidents within the country’s cyberspace, said in a report on Sunday that hackers are targeting Indian websites. “It is observed that some hacker groups are launching Distributed Denial of Service (DDoS) attacks on websites of government and private organizations in India,” the report said and asked network administrators to keep vigil.

Anonymous started attacking websites belonging to government agencies and companies like Reliance Communications last week after internet service providers blocked several websites in the country on the basis of an order by the Madras high court. Anonymous says the blocking of websites is illegal and a suppression of freedom of speech. On Friday it held a virtual ‘press conference’ and released a list of websites that were allegedly blocked on the internet service provided by Reliance Communications even though there was no legal requirement for the ISP to do so. The hackers said they stole the list from Reliance’s servers. At the same ‘press briefing’ the group called on Indian people to organize protests against web censorship on June 9.

In the last few months, Anonymous has organized or played a dominant role in real-world protests against what it perceives as censorship and abuse of power. The most popular of these protests has been Occupy Wall Street in the US. Though there were a number of groups and individuals involved in these protests, Anonymous played a key role in spreading the word.

Source: http://timesofindia.indiatimes.com/tech/news/internet/Anonymous-hacks-BJP-websites-wants-people-to-protest-against-web-censorship/articleshow/13576173.cms

André Stewart, president international at Corero Network Security, argues that the Serious Organised Crime Agency should have taken a recent DDoS attack more seriously…

The response by the Serious Organised Crime Agency (SOCA) to the distributed denial of service (DDoS) attack directed at its public website is somewhat disappointing for the nation’s leading anti-crime organisation. The agency’s statement that it does not consider investing in DDoS defence protection “a good use of taxpayers’ money” fails to take into account potentially serious security consequences. Further, it sends the wrong message to cyber criminals at a time when businesses and organisations in the United Kingdom and around the world operate under continuous threat of attack.

The attack against the SOCA website used a network-layer DDoS attack which is a very publicly visible form of cyber crime. The attackers’ intent is to slow or bring down a website for the entire world to see. The victim organisation has to own up to what has happened and, in the case of government entities, explain why it will not or cannot respond effectively.

However, hacktivist groups and criminals frequently use DDoS attacks as a smokescreen to hide more surreptitious intrusions aimed at stealing data. For example, the theft of 77 million customer records from the Sony PlayStation Network was preceded by a severe DDoS attack. In discussing its 2012 Data Breach Investigations Report, Verizon’s Bryan Sartin said that diversionary DDoS attacks are common practice to mask data theft, including many of the breaches by hacktivists which totalled some 100 million stolen records.

This raises the question about SOCA’s approach to securing its networks and the protection of critical information from more sinister, stealth cyber attacks. Criminals want to create diversions and remain unnoticed while they infiltrate deeper into a network and steal data. Most data breaches go undetected for weeks, months, even years in some cases. Can we be confident, based on SOCA’s response to its public website being hit for the second time in less than a year, that it is addressing more critical security risks? The response to the latest incident could undermine confidence in the quality of the agency’s security program. How deep does its estimable high regard for taxpayer money go?

Just last June, the LulzSec group claimed credit for taking SOCA offline with a DDoS attack. One has to wonder if SOCA is truly dismissive of these attacks or simply has been slow to address the issue. Whilst the agency is dismissive of the latest DDoS attack, its inability to protect itself nearly a year after the first public attack plants a seed of doubt about the calibre of its security program.

Perhaps most concerning is that SOCA is conceding the initiative to criminals who are attacking the agency directly. Would the police stand by, for example, while some hooligan scrawled graffiti on a local station with the explanation that they had more important things on which to spend time and money? Would the public tolerate that response?

Whilst putting its foot down on spending public funds is commendable, failing to respond to a direct criminal attack on law enforcement’s public face seems an odd place for SOCA to draw a line in the sand.

Source: http://www.publicservice.co.uk/feature_story.asp?id=19768

UK’s largest hosting biz titsup in DDoS outrage

By Anna Leach

Posted in CIO, 23rd May 2012 12:36 GMT

A “massive” distributed-denial-of-service attack emanating from China has taken down 123-reg, the UK net biz that hosts 1.4 million websites.

In a statement on its service status page just after midday today, 123-reg blamed attackers in China:

From 11:30 to 22:50 our network was undergoing a massive distributed denial of service attack from China. Due to the nature and size of this attack the firewall systems in place needed to be reconfigured to block the bad traffic and allow the good traffic through.

The attack, which appears to be ongoing, caused patchy service from the sites hosted by the company, which also has more than 4 million domains on its books. 123-reg promised that no emails would be lost, and messages would be queued up by the mail servers and sent shortly.

123-reg’s own site was down too in the aftermath of the traffic blast, which proved to be frustrating for users trying to find out what was going on. A 123-reg tweet at 12.30pm said that they were working through final issues and that services should be returning to normal.

123-reg is a brand name of Webfusion Ltd, part of the Host Europe group. WebFusion isn’t picking up the phone so we can’t get more detail on the hacks at this time.

Updated to add

A spokeswoman for 123-reg got in touch this afternoon to say:

We had contained the primary attack within 15 minutes of it happening. As the largest domain provider in the UK, and coupled with the increase of these types of attacks across Europe in particular, we know we are a prime target. We are still in the process of resolving this.

Source: http://www.theregister.co.uk/2012/05/23/123reg_ddos_attack/