Distributed denial-of-service (or DDoS) attacks aren’t new – however, the ferocity and volume of attacks has risen sharply over recent months. Just last month, a stream off attacks wreaked havoc across the Internet and continued DDoS attacks shut down one of the world’s largest Bitcoin exchanges, MtGox.

If you think these attacks are orchestrated by highly sophisticated cyber masterminds, think again. As the name implies, a DDoS simply tries to prevent a service from working. In a DDoS, the attacker uses a large number of machines from all over the Internet to send enormous amounts of traffic towards the target.

Usually, the source of the traffic is a network of compromised “zombie” computers (also known as a botnet) that send the traffic. Hacker forums, blogs, and even YouTube share easily accessible information on how to set up a DDoS attack, making it so that practically anyone with an Internet connection can launch their own attack.

However, DDoS attacks are not only obnoxious to deal with – they can have very real detrimental consequences for business.

How can you tell whether you’ve been the victim of DDoS?

When dealing with a DDoS attack it is worth noting that it can be challenging to even determine if your website is down due to legitimate traffic, rather than an attack. The key to telling the difference lies in the length of time the service is down – if slow or denied service continues for days rather than a spike during a campaign it is time to start to look into what’s going on.

Additionally, if the same source address is querying for the same data long before the Time to Live (TTL) has passed, it could be a sign that they are up to no good. Unfortunately, you cannot simply check to see if all of the traffic is coming from one IP, as this is the exact purpose of a DDoS: to have traffic coming from multiple sources.

How can you prepare yourself?

Of course, you won’t want to wait until you have become the latest unfortunate victim of the long line of attacks. There are a number of steps you can take to ensure you won’t make yourself a target and keep your network clean of spammers and other miscreants:

1. Be aware

Invest in technology that allows you to know your network’s normal behaviour and will make you aware of any abnormal incidents such as a DDoS.

2. Boost capacity

Make sure you provision enough server capacity and tune for best performance under high load. Build the biggest network you can with effective elements for advanced mitigation.

3. Practice your defence

Knowing how to use your defensive strategy is just as important as buying and installing it. Practice the drills over and over to get it committed to your staff’s minds.

4. Get help

If you don’t have the resources to deal with attacks in-house your best bet is to outsource to a managed DNS provider who can redirect site visitors to hosts that aren’t down with advanced features like load balancing and performance monitoring.

5. Be prepared

The best way to avoid any disruption from a DDoS attack is to be prepared for it. If you are having a hard time deciding whether or not you actually need to invest in a stronger mitigation technique (e.g. you believe your industry or business is at a low risk of an attack), figure out the impact it would have on your company financially if it were to happen.

Although it may not be an apparent risk, the cost associated with being attacked is usually much higher than the cost to take safeguards.

Source: http://www.itproportal.com/2014/03/06/how-tell-if-youve-been-hit-ddos-attack-and-how-respond/

Cloud DDoS protection provider, DOSarrest’s Proxy Defense has been named ‘security product of the year’ at the first UK Cloud Awards that took place on Wednesday evening during Cloud Expo. Alex Hilton, the Cloud Industry Forum’s CEO, praised the quality of the entries, while the keynote speaker, Outsourcery’s joint-CEO and BBC ‘Dragon’, Piers Linney used the occasion to describe how the cloud has come of age.

“We are delighted to have won this accolade for our DDoS Protection service,” said Mike Gordon from the DOSarrest UK office who collected the award at London’s City Hall. “The service has stopped thousands of attacks on our customers’ websites and it has done so seamlessly. So, to be recognised as the best is a huge achievement.”

The awards, launched by Cloud Pro in association with The Cloud Industry Forum and techUk, celebrate the very best of the industry and the ‘security product of the year’ category recognised the considerable innovation and capability that has been brought to market in the UK to further enhance the cloud’s reputation as a secure and trusted environment.

“The calibre of the entries we received this year made the judging process no easy task. The standard of the entries, and ultimate winners, speaks volumes about tech success and innovation in the UK, and serve as a reminder of the dynamic and forward-looking industry we have in this country. DOSarrest fought off strong competition to take home Security Product of the Year, and I’d like to take this opportunity to congratulate them,” said Alex Hilton, CEO of the Cloud Industry Forum.

DOSarrest’s Proxy Defense is a fully managed, cloud-based DDoS protection service. Once a website is running on Proxy Defense, which takes less than 15 minutes to set up, the site is immediately protected 24/7 from any and all DDoS attacks.

To view the entire winner list click below:


About DOSarrest Internet Security:

DOSarrest founded in 2007 in Vancouver, BC, Canada is one of only a couple of companies worldwide to specialize in only cloud based DDoS protection services. Their global client base includes mission critical ecommerce websites in a wide range of business segments including financial, health, media, education and government. Their innovative systems, software and exceptional service have been leading edge for over 7 years now.

Source: http://www.consumerelectronicsnet.com/article/DOSarrest-Wins-Security-Product-of-the-Year-at-the-UK-Cloud-Awards-2014-3090275

Could it be the end for Bitcoin- a mere five years after its conception? In latest developments, it appears that the largest Bitcoin exchange in the world, MtGox, has simply disappeared along with the CEO, Mark Kepeles who resigned this week. Furthermore, a leaked crisis strategy draft for MtGox, reveals that large amounts of Bitcoin have gone missing.

“At this point 744,408 BTC are missing due to malleability-related theft which went unnoticed for several years. The cold storage has been wiped out due to a leak in the hot wallet,” the document stated.

In a statement, Raj Samani, EMEA CTO for McAfee said: “The news that MtGox has gone offline is yet another example of the volatility facing virtual currencies… [While] it’s true that no currency is immune to attacks by criminal enterprises – both traditional and virtual currencies face other risks such as hyperinflation – however, with a history of cyber-attacks on Bitcoin exchanges, it is hoped that mitigation strategies will be implemented in the future. Failure to do so only undermines confidence in the exchange and ultimately the currency.”

Samani cites the use of DDoS attacks in particular have made things difficult for MtGox and Jag Bains, CTO DOSarrest, a DDoS mitigation firm, agrees:

“The very nature of a “virtual currency” is of course going to be attractive to cyber criminals who see it as an easy target,” he said. “After all, they only have to steal digital information from a computer. The targets are diverse and the blame is shifting as to who is the weakest link, but at the end of the day, the attackers are winning with what is all too often considered a crude tool. It begs the question: Is DDoS still to be considered a blunt instrument? From what I have seen here and analyzing attacks in other sectors, the answer is a resounding no.”

In a joint statement on the Coinbase blog, key Bitcoin community members said:

“This tragic violation of the trust of users of Mt.Gox was the result of one company’s actions and does not reflect the resilience or value of bitcoin and the digital currency industry. There are hundreds of trustworthy and responsible companies involved in bitcoin. These companies will continue to build the future of money by making bitcoin more secure and easy to use for consumers and merchants. As with any new industry, there are certain bad actors that need to be weeded out, and that is what we are seeing today. MtGox has confirmed its issues in private discussions with other members of the bitcoin community.

We are confident, however, that strong Bitcoin companies, led by highly competent teams and backed by credible investors, will continue to thrive, and to fulfill the promise that bitcoin offers as the future of payment in the Internet age.”

So, while it doesn’t appear to be the end just yet, according to both Samani and Bains, those using Bitcoin or similar virtual currencies in business or their day to day life should be wary of the risks involved.

“There’s no doubt that the stakes are high when it comes to Bitcoin- on the one hand, there could be a lot to gain as adoption and popularity rises; and on the other, there is the regulatory uncertainty and likely insurance issues to consider. The best advice is to review the options and decide if the benefits outweigh the potential risks,” Bains concluded.

Source: http://itsecurityguru.org/end-road-bitcoin/#.Uw4NqYWupFd

Attackers abused insecure Network Time Protocol servers to launch what appears to be one of the largest DDoS (distributed denial-of-service) attacks ever, this time against the infrastructure of CloudFlare, a company that operates a global content delivery network.

The attack was revealed Monday on Twitter by Matthew Prince, CloudFlare’s CEO, who said that it’s “the start of ugly things to come” because “someone’s got a big, new cannon.”

The size of the attack appears to have been just shy of 400Gbps, ranking it among the largest DDoS attacks CloudFlare has seen, Prince said Tuesday via email, adding that the company is still gathering data about the incident from upstream providers.

The attack could be larger than the one last March against Spamhaus, a spam-fighting organization and CloudFlare customer whose website was hit by a 300Gbps DDoS attack, which was considered to be the largest in history at the time. CloudFlare reported then that it caused congestion at critical Internet exchange nodes in Europe. However, other companies later challenged the reported impact.

The new attack Monday used a technique called NTP reflection that involves sending requests with spoofed source IP addresses to NTP servers with the intention of forcing those servers to return large responses to the spoofed addresses instead of the real senders.

The attack was directed at a CloudFlare user, Prince said, but he declined to disclose any additional details about the customer citing the company’s policy.

The DDoS traffic hit CloudFlare’s data centers worldwide, but only caused temporary congestion on the company’s network in Europe, he said.

There is also some anecdotal evidence that there were congestion issues in other parts of the Internet infrastructure that are not directly related to CloudFlare, but nothing definitive, he said. “The most likely place that slowness would have been observed is across European peering exchanges. However, our team moved quickly to take traffic off exchanges in order to minimize collateral damage.”

Shortly after Prince revealed the attack on Twitter, Octave Klaba, the founder and CEO of large French hosting provider OVH, reported that his company’s network had also been hit for hours Monday with a DDoS attack that far exceeded 350Gbps.

It’s not clear if the attack against OVH also used NTP reflection or if it’s related to the attack against CloudFlare.

“I would suspect they were likely related due to the similar timing and scale,” Prince said. “However, I don’t have direct evidence of that.”

OVH did not immediately respond to a request for comment.

NTP is just one of several protocols that and can be abused to amplify DDoS attacks. Two others are DNS (Domain Name System) and SNMP (Simple Network Management Protocol).

What these protocols have in common is that they allow a relatively small query to generate a large response and are vulnerable to source IP spoofing if certain precautions are not taken because they work over UDP (User Datagram Protocol).

Instead of hitting a target’s IP address directly with traffic generated by a botnet with a combined bandwidth of, say, 10Gbps, attackers could use the botnet to send spoofed queries to a list of open DNS or NTP servers. Those queries could be crafted to appear as if they came from the victim’s IP address and could trigger large responses from those servers to that address.

In the case of DNS reflection, the amplification factor is 8x, meaning attackers could generate eight times more traffic than they would normally be able to generate with their botnet. However, in the case of NTP and SNMP reflection it can be over 200x and 650x, respectively, CloudFlare said in a blog post in January.

DNS reflection was commonly used in DDoS attacks last year, including in the attack against Spamhaus, prompting calls from Internet infrastructure groups and security researchers to organizations to identify and secure their DNS servers against this type of abuse.

SNMP reflection attacks are relatively rare, because the protocol is usually used with authentication and there are few open SNMP servers on the Internet, CloudFlare said in its January blog post.

However, NTP servers that are vulnerable to reflection attacks are apparently not that rare and attackers have caught on to this. NTP servers are used by computers and other devices to synchronize their clocks so many of them are publicly accessible.

Security vendor Symantec reported in December that it observed a spike in the number of NTP reflection attacks. Then in early January the same technique was used to attack online gaming servers.

“NTP contains a command called monlist (or sometimes MON_GETLIST) which can be sent to an NTP server for monitoring purposes,” CloudFlare explained in January. “It returns the addresses of up to the last 600 machines that the NTP server has interacted with. This response is much bigger than the request sent making it ideal for an amplification attack.”

Organizations can use the Open NTP Project to identify vulnerable NTP servers in their IP address ranges and can follow instructions provided by security research outfit Team Cymru to secure them on different OSes.

The U.S. Computer Emergency Response Team recommends updating NTP servers to at least ntpd (Network Time Protocol daemon) version 4.2.7, which addresses the monlist issue by default. Older versions need to be manually configured to restrict the functionality.

Source: http://www.cio.com/article/748095/Attackers_Use_NTP_Reflection_in_Huge_DDoS_Attack?page=2&taxonomyId=3071

A record-breaking distributed denial-of-service (DDoS) attack Monday peaked at 400 Gbit/s, which is about 100 Gbit/s more than the largest previously seen DDoS attack.

DDoS defense firm CloudFlare disclosed the attack — against one of its customers — Monday. “Very big NTP reflection attack hitting us right now. Appears to be bigger than the #Spamhaus attack from last year, tweeted CloudFlare CEO Matthew Prince, referring both to attacks that target vulnerabilities in the Network Time Protocol, as well as the March 2013 DDoS attack against Spamhaus, which peaked at a record-breaking 300 Gbit/s.

Prince said Monday’s attack caused trouble “even off our network,” suggesting that some upstream service providers — particularly in Europe — may have experienced slowdowns.

“Someone’s got a big, new cannon. Start of ugly things to come,” Prince tweeted. “These NTP reflection attacks are getting really nasty,” he added.

Who was the target of the attack? Prince declined to disclose the name of the CloudFlare customer being targeted, saying that unlike the attack against Spamhaus, his company didn’t have permission to name names.

CloudFlare’s assessment of the attack bandwidth appeared to be validated by Oles Van Herman, the head of French hosting firm OVH.com, who reported via Twitter that his company was seeing a DDoS attack with a bandwidth “far beyond” 350 Gbit/s. He confirmed that IP addresses involved in the DDoS attack — which according to one report first began Friday — traced back to his firm’s network, but noted, “Our network is the victim, not the source.”

Van Herman’s statement suggests that attackers spoofed the OVH.com IP address — as part of their record-breaking attack against a CloudFlare customer — which squares with how reflection attacks work. “A reflection attack works when an attacker can send a packet with a forged source IP address,” according to an overview of NTP reflection attacks published by CloudFlare programmer John Graham-Cumming. “The attacker sends a packet apparently from the intended victim to some server on the Internet that will reply immediately. Because the source IP address is forged, the remote Internet server replies and sends data to the victim.”

Many reflection attacks previously targeted domain name system (DNS) servers. But lately, attackers have also begun to target NTP, which — like DNS — “is a simple UDP-based protocol that can be persuaded to return a large reply to a small request,” said Graham-Cumming.

Monday’s record-breaking DDoS attack isn’t the first time that large reflection attacks have been seen in the wild. According to a threat report released last month by DDoS defense firm Black Lotus, while HTTP and HTTPS attacks — including SYN floods, ACK floods, and application-layer attacks — remain the dominant type of DDoS attacks seen in the wild, “distributed reflection denial of service (DrDoS) attacks began to gain ground moving into 2014,” and were being used to support “huge volumetric attacks exceeding 100 Gbit/s in volume.”

Launching a reflection attack isn’t difficult, especially if the attacker taps a toolkit such as DNS Flooder v1.1, which DDoS defense firm Prolexic said first appeared on underground hacking forums about six months ago. In a threat report released Tuesday, the company warned that the DNS-attack toolkit has since been used to launch a number of reflection attacks, with some successfully amplifying the initial attack bandwidth by a factor of 50.

“This toolkit uses a unique method where attackers assign DNS servers with arbitrary names and utilize them as reflectors,” according to Prolexic’s report. “This new technique allows malicious actors to purchase, set up, and use their own DNS servers to launch reflection attacks, without the need to find open and vulnerable DNS servers on the Internet.”

But most DDoS attackers still rely on blended attacks, which gives them a better chance “to find weaknesses in the target’s defenses and to confuse security engineers who may be trying to mitigate the attack,” according to the Black Lotus report.

The number of DDoS attacks that included NTP reflection-attack techniques increased substantially after January 2, when US-CERT released vulnerability advisory CVE-2013-5211, detailing a network time protocol daemon (ntpd) bug that can be exploited to launch DDoS reflection attacks. “Specifically, an attacker can send a spoofed monlist command to a vulnerable ntpd which will respond to the victim at an amplification factor of 58.5,” according to Black Lotus. The firm said that beginning in early January, it saw “a massive shift in the tactics used by attackers,” when they began tapping the NTP vulnerability en masse.

How can businesses better prevent their servers from being used — or abused — by DDoS attackers who target NTP vulnerabilities? “As all versions of ntpd prior to 4.2.7 are vulnerable by default, the simplest recommended course of action is to upgrade all versions of ntpd that are publically accessible to at least 4.2.7,” according to the US-CERT advisory. “However, in cases where it is not possible to upgrade the version of the service, it is possible to disable the monitor functionality in earlier versions of the software.”

To further help lock down vulnerable systems, research firm Team Cymru has released secure NTP templates for Cisco IOS, Juniper Junos, and Unix. In addition, the NTP Scanning Project provides a free service to scan any server for NTP vulnerabilities.

Source: http://www.informationweek.com/security/attacks-and-breaches/ddos-attack-hits-400-gbit-s-breaks-record/d/d-id/1113787?_mc=sm_iwk_edit