Government IT managers should be aware that distributed denial of service (DDOS) attacks may become more than just a frustrating nuisance that they need to deal with on their networks. Such attacks may increasingly be used as a ploy used to create background interference during a major emergency. Think of it as creating a communication traffic jam that keeps first responders stuck in low gear.

But first, a little update on where DDOS stands today. A study by Prolexic Technologies reports a 718 percent increase  this year in the overall bandwidth consumed by DDOS attacks, while a recent report from Verizon says that most recent DDOS attacks have been launched by activist groups. Many Internet service providers have reported a general increase in DDOS-related traffic.

Meanwhile, the Homeland Security Department and the FBI have issued an alert noting that they are aware of dozens of (TDOS) attacks aimed at government or financial communications centers. This variation is similar to DDOS attacks. Computer-controlled calls are made in a high volume, but they target voice lines rather than computers. So far the targets have been mostly administrative, not 911, telephone lines. But that could change.

Evidence of DDOS attacks launched in conjunction with real emergencies is spotty, but there have been instances.

In 2010, after a hurricane in Myanmar/Burma, an international DDOS attack targeted some of the media sites that had relocated after the storm. This made it difficult for them to share government news.

This year, not long after the Boston Marathon bombing, the social news site Reddit set up a section to allow visitors to post photos and share theories about the event. The pages grew in popularity and received attention from the mainstream press, particularly after it has misidentified several people as suspects. Once that happened, the site became the target of a massive DDOS attack which shut off contact for over 50 minutes while site managers worked to re-rout traffic and address security issues. High-traffic sights often use content delivery networks (CDNs), essentially a distributed system of servers housed at multiple data centers. At the peak of the attack, Reddit was hit with more than 400,000 requests per second to its CDN. The requests came from “thousands of separate IP addresses, all hammering illegitimate requests, and all of them simultaneously changing whenever we would move to counter,” according to a statement made by one of the Reddit editors.

The banking industry has been targeted many thousands of times with DDOS attempts, sometimes in conjunction with specific news events related to economic reports.

Government needs to be aware of these connections because, in extreme situations, DDOS could be used to block Internet access to critical services like traffic controls, river or dam monitoring, contact with police and more.

For protection against your eCommerce site click here.

Source: http://gcn.com/Articles/2013/04/26/When-DDOS-attacks-become-real-threat.aspx?Page=2

Distributed Denial of Service attacks have increased in scale, intensity and frequency. The wide range of motives for these attacks – political (hacktivism), criminal (coercion), or social (malice) – makes every merchant or organization with an online presence a potential target. The shared nature of the Internet infrastructure – whether hosting, DNS, or bandwidth – puts many merchants or organizations at risk of becoming collateral damage, as well. If you find that your site or organization is under attack, it’s important that you report such attacks quickly to parties that are best positioned to help you mitigate, weather, and restore normal service.

I’m under attack. What should I do? Whom should I call?

Any Internet service – web, DNS, Internet voice, mail – can be the target of a DDoS attack. If your organization uses a hosting provider for a service that is attacked, first contact the hosting provider. If your organization hosts the network or Internet service that is under attack, first take measures to contain or dampen the attack. Next, call the service provider that provides Internet access for your network. Most hosting providers and ISPs post emergency contacts on their web sites and many include at least general contact numbers on bills. If you only have a general contact number, explain that you are under attack and ask the customer care agent to escalate (forward) your call to operations staff with the ability and authority to investigate.

Helping Hands

Traffic associated with a single DDoS attacks may originate from hundreds or thousands of attack sources (typically compromised PC or servers). In many cases, your hosting provider or your Internet access provider should act on your behalf (and in self-interest). They will contact “upstream” providers and the ISPs that route traffic from the DDoS attack sources to notify these operators of the nature and suspected origins of the attack. These operators will investigate and will typically revoke routes or take other measures to squelch or discard traffic close to the source.

If you cannot find contacts, or if the contacts you find are unresponsive, try contacting a Computer Incident, Emergency, or Security Incident Response Team (CERT/CIRT/CSIRT), or a Trusted Introducer (TI) team. CERT/CIRT organizations (find a national list here) or TI teams will investigate an attack, notify and share information with hosting providers or ISPs whose resources are being used to conduct the attack, and work with all affected parties to coordinate an effective mitigation.

Should I contact Law Enforcement?

Contact your national law enforcement agency if you believe that a crime is being committed; for example, you should contact law enforcement if your organization received a threat prior to the attack, or received a demand for money in return for not being attacked, or if you believe that critical infrastructure or delivery of a critical service (such as Emergency 911) is threatened.

Contact law enforcement to report a crime, not to mitigate an attack. DDoS attacks are criminal acts in many jurisdictions. By filing a report, you and other victims provide valuable information that may be relevant in any subsequent investigation or prosecution of the attackers.

Provide Good Intel

At an operational level, you, your hosting provider or ISP should gather as much information related to the attack as possible. The Operations Security Trust Forum recommends collecting the following kinds information:

  1. Provide as much time information as possible: identify the start of attack, end of attack, whether the attacks are repeated, and whether there are observable patterns or cycles to the attacks.
  2. Share any insights or suspicions you have regarding the nature of the attack. Does it appear to correlate with a geo-political event? Did you receive threatening correspondence prior to or during the attack and if so, what was the nature of the threat?
  3. Provide detailed traffic information including: type of traffic (ICMP, DNS, TCP, UDP, application), source and targeted IP addresses and port numbers, packet rate, packet size, and bandwidth consumed by the attack traffic.
  4. Describe any unique traffic or packet characteristics you observe. Is the attack targeting a particular virtual host or domain? What have you observed from application protocol headers? Have you observed any unusual patterns of flag settings in underlying protocols (TCP, UDP, ICMP, IP)?
  5. Identify any changes you observe in the attack over time (i.e., to packet sizes, rates, unique IPs seen per epoch, protocols, etc.). These may be indications that the attacker is reacting to mitigation efforts you or others have implemented.
  6. Provide your assessment of the impact; for example, explain whether you are managing the attack using mitigations and assistance, or that your services or performance is {moderately, severely} affected, or that your services have been disrupted entirely.

Don’t Wait Until You Are a Victim

If you have not already prepared a plan to respond to a DDoS attack, please consider doing so. The article Preparing for the (Inevitable) DDOS Attack offers a checklist of contacts, information, and mitigation strategies.

For protection against your eCommerce site click here.

Source: http://blog.icann.org/2013/04/how-to-report-a-ddos-attack/

The hacktivist group Anonymous claimed they have taken down the website of the Spanish parliament. The attack came as Spaniards gathered in Madrid for a mass protest.

The distributed denial of service (DDoS) attack jammed the parliament’s servers, rendering the site inaccessible to the public, sources in the legislative body confirmed to El Mundo newspaper.

The attack is apparently ongoing, as the website is working sporadically.

The news comes as the Spanish capital deployed 1,400 police around the parliament building ahead of a planned mass protest. Spaniards will demonstrate against economic hardships and record-high unemployment in the country.

The morning before the demonstration, Spanish police detained 15 people in Madrid. One group had prepared flares and firebombs, while members of another group were caught with sticks and chains, the interior ministry reported. The incendiary devices were part of a plan to torch a bank during the protest, police said.

The protesters are calling for a “siege and liberation” of the parliament.

Organizers hope that the demonstration will be as massive as the protest on September 25 last year, when an anti-austerity action drew some 6,000 people and ended with violent clashes with riot police.

Prime Minister Mariano Rajoy said earlier this week that more austerity measures would be announced on Friday. Currently, 27.2 percent of workers – more than 6 million people – are jobless in the eurozone’s fourth-biggest economy.

For protection against your eCommerce site click here.

Source: http://rt.com/news/anonymous-spain-parliament-protest-384/

For the third time this month, Bitcoin exchange Mt. Gox fell to distributed denial of service attacks (DDoS) today. Some people just aren’t down with alternative currencies, it seems.

The company wrote on its Facebook:

This again appears to be another strong DDoS attack. We are working hard to overcome it and will update when possible. It’s currently 2am in Japan so please forgive us if our Facebook/Twitter updates are not as quick, though the team is certainly not taking any breaks.

Bitcoin is a decentralized Internet currency that has earned much more legitimacy in the last year. Mt. Gox acts as the main marketplace for Bitcoin, but the exchange has been known for its hiccups in times of heavy traffic. Indeed, Bitcoin’s price often fluctuates after Mt. Gox performance issues. Most recently Bitcoins fell 40 percent from $260 per Bitcoin when Mt. Gox went silent in a previous DDoS attack.

It seems the attacks started around 7:40 this morning Pacific time. The company says it is trying to implement stronger protections against these attacks. At the time of writing this post, Mt. Gox looks to be up and functional, though no further updates have come from the company.

Bitcoin’s relevancy may be more influenced by Mt. Gox than we think, says VentureBeat’s Sean Ludwig. Mt. Gox will need to get stronger and more reliable before Bitcoins can really make their place in the world.

For protection against your eCommerce site click here.

Source: http://venturebeat.com/2013/04/21/mt-gox-ddos/

Trading halt issued.

There may be further volatility ahead for the digital peer-to-peer currency Bitcoin today, as the largest exchange, Mt Gox has again come under a denial of service attack.

The exchange conducted network maintenance overnight Australian time, taking systems offline, and said on its Facebook page it came under attack shortly after.

Mt Gox halted trading yesterday for a 12-hour period, to allow the overheated Bitcoin market to cool down.

“Orders will not be accepted for the moment as we need to upgrade our database to accommodate the trading volume,” the exchange said, adding that customers could cancel pending and open orders.

Trading is expected to resume at 11 am Japanese time (12 noon AEST) today.

Yesterday’s crash in the value of Bitcoin was not caused by a denial of service attack on Mt Gox, however. Instead, it was the trader not having the capacity to deal with demand.

“Indeed the rather astonishing amount of new accounts opened in the last few days … plus the number of trades made a huge impact on the overall system that started to lag,” Mt Gox said.

“As expected in such situation people started to panic, started to sell Bitcoin in mass (Panic Sale) resulting in an increase of trade that ultimately froze the trade engine.”

Mt Gox said the number of executed trades tripled in the past 24 hours and 75,000 new accounts were opened in the first few days of April. The exchange claims to have 20,000 new accounts opened every day.

As Mt Gox controls an estimated 80 percent of the Bitcoin exchange market, the effect of the slowdown in trades led the value of the digital currency to drop sharply, as panic set in.

The value of the currency dropped from US$266 to the BTC, to as low as US$105. A brief rally that had Bitcoin testing the US$200 level petered off, and the currency is now trading at approximately US$125.

For protection against your eCommerce site click here.

Source: http://www.itnews.com.au/News/339587,largest-bitcoin-exchange-under-fresh-dos-attack.aspx