Five days ago, Ecuador revoked Julian Assange’s 7-year long asylum and turned him over to the UK authorities, which promptly arrested the Wikileaks chief.
Since then, Ecuador claims to be under siege from Assange supporters and “groups linked” to him.
Patricio Real, Ecuador’s deputy minister for information and communication technology, said in a statement that the webpages for his country’s public institutions experienced 40 million cyber-attacks.
Among the hardest hit were pages for the central bank, the foreign ministry and the president’s office.
“During the afternoon of April 11 we jumped from 51st place to 31st place worldwide in terms of the volume of cyber attacks,” he said.
The deputy minister said that the attacks “principally come from the United States, Brazil, Holland, Germany, Romania, France, Austria and the United Kingdom,” but that countries from South America also show up on the list.
No major hacking groups were named in Ecuador’s statement, though famed Anonymous apparently made a threat.
Real also didn’t specify what type of attacks Ecuador’s websites experienced. He mentioned that no hacker managed to steal government data, but that the attacks prevented some employees and citizens from accessing their accounts.
As Real called the attacks “volumetric,” he most likely referred to a type of DDoS attack in which hackers send a lot of traffic to a website hoping to overwhelm it.
While this is a serious threat to a network, the attack itself can be perpetrated even by those without a lot of technical knowledge.
Ecuador will receive cybersecurity support from Israel to handle the incidents. It has also moved to arrest a suspect, a Swedish citizen close to Assange.
Right now, Julian Assange is in the UK authorities’ hands and waiting to see if he will be extradited to the US to face conspiracy charges.
He was also stripped of his Ecuador citizenship, which was granted in 2017 under a different Ecuadorian regime.
A new type of distributed denial-of-service (DDoS) attack is abusing a common HTML5 attribute to overwhelm targeted victims.
Security firm Imperva reported on April 11 that it has discovered a campaign where hackers abused the <a> tag ping HTML5 attribute in a DDoS attack that generated 70 million requests in four hours. The ping attribute is intended to be used by websites as a mechanism to notify a website if a user follows a given link on a page. Typically, a ping is a single action, but Imperva discovered that hackers have found a way to amplify the ping into a more persistent data flow, triggering the DDoS attack.
Imperva’s analysis of the attack explained that when the user clicks on the hyperlink, a POST request with the body “ping” will be sent to the URLs specified in the attribute. It will also include headers “Ping-From,” “Ping-To” and a “text/ping” content type.
“We observe DDoS attacks daily,” Simonovich said. “We discovered this attack last month. However, when we looked back in our logs, we noticed that the first time the attack occurred on our network in December 2018, it was using the ping feature.”
The attack that Imperva found was able to make use of 4,000 user IPs, with a large percentage of them from China. The campaign lasted four hours, with a peak of 7,500 requests per second (RPS), resulting in more than 70 million requests hitting the target victim’s website.
How the Ping Attack Overwhelms a Server
A single ping on its own is not enough to disturb a web server; in fact, web servers are regularly hit with ping requests as part of basic availability checks. Ping requests are also low bandwidth and would not likely be able to constitute a volumetric DDoS attack, which aims to overwhelm the available bandwidth of a target server.
The DDoS attack discovered by Imperva, however, was not a basic ping and, according to Simonovich, could impact a web application server in a couple ways:
Targeting the web server with a high request rate (RPS) forces it to spend its capacity processing the DDoS attack instead of handling legitimate traffic.
Targeting the web application by finding an injection point will cause a high resource consumption. For example, the login form will cause a query to the database.
“The attack is performed on the application layer aimed to clog server resources by processing several HTTP requests,” Simonovich explained. “As such, attack bandwidth is not the weakest resource in the chain, but CPU or memory of the server.”
He added that 7,500 RPS is far from the most powerful application DDoS attack, which can reach 100,000 RPS and more, but it is enough to deny availability for a midsize website.
Defending Against Ping DDoS
There are several things that organizations can do to minimize the risk of a Ping DDoS attack.
Imperva recommends that organizations that do not need to receive ping requests on a web server block any web requests that contain “Ping-To” and/or “Ping-From” HTTP headers on the edge devices (firewall, WAF, etc.). DDoS services, including the one that Imperva offers, can also be employed to help limit risk.
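As an added example (not Imperva’s code and not part of the original article), the Python edge filter below reconstructs the shape of a browser-generated ping request described above and applies the two defensive checks the recommendation implies: dropping requests that carry Ping-From/Ping-To headers or a text/ping body when the site does not consume ping notifications, and capping requests per second per source so a high-RPS flood is cut off at the edge. The request texts, hostnames and IP addresses are constructed sample data.

```python
"""Edge filter for HTML5 <a ping> abuse (added example, not Imperva's code).

A browser that follows <a href="..." ping="..."> sends a POST whose body is
the word "ping", with Content-Type text/ping and Ping-From / Ping-To headers.
A site that never consumes ping notifications can drop such requests outright.
"""
from collections import defaultdict, deque

PING_HEADERS = ("ping-from", "ping-to")
PING_CONTENT_TYPE = "text/ping"


def parse_request(raw: str):
    """Parse a raw CRLF-delimited HTTP/1.1 request into (method, path, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()  # header names are case-insensitive
    return method, path, headers, body


def is_ping_request(method: str, headers: dict, body: str) -> bool:
    """True when the request matches the hyperlink-auditing (ping) shape."""
    if any(h in headers for h in PING_HEADERS):
        return True
    content_type = headers.get("content-type", "")
    return method == "POST" and content_type.startswith(PING_CONTENT_TYPE) and body.strip() == "ping"


class EdgeFilter:
    """Per-source sliding one-second window plus the ping-header block rule."""

    def __init__(self, accept_pings: bool, rps_limit: int):
        self.accept_pings = accept_pings
        self.rps_limit = rps_limit
        self.window = defaultdict(deque)  # client_ip -> timestamps within the last second

    def decide(self, client_ip: str, raw: str, now: float) -> str:
        """Return 'allow', 'drop:rate' or 'drop:ping' for one request at time `now`."""
        q = self.window[client_ip]
        q.append(now)
        while q and now - q[0] >= 1.0:  # expire timestamps older than one second
            q.popleft()
        if len(q) > self.rps_limit:
            return "drop:rate"
        method, _path, headers, body = parse_request(raw)
        if not self.accept_pings and is_ping_request(method, headers, body):
            return "drop:ping"
        return "allow"


def simulate_burst(filt: EdgeFilter, client_ip: str, raw: str, count: int, start: float):
    """Send `count` copies of `raw` from one IP 10 ms apart and collect the decisions."""
    return [filt.decide(client_ip, raw, start + i * 0.01) for i in range(count)]


# Constructed sample requests (hostnames are documentation placeholders).
PING_REQUEST = (
    "POST /landing HTTP/1.1\r\n"
    "Host: victim.example\r\n"
    "Content-Type: text/ping\r\n"
    "Ping-From: http://lure.example/page.html\r\n"
    "Ping-To: http://victim.example/landing\r\n"
    "Content-Length: 4\r\n"
    "\r\n"
    "ping"
)
GET_REQUEST = "GET /index.html HTTP/1.1\r\nHost: victim.example\r\n\r\n"

if __name__ == "__main__":
    edge = EdgeFilter(accept_pings=False, rps_limit=5)
    print(edge.decide("203.0.113.7", PING_REQUEST, 0.0))          # drop:ping
    print(edge.decide("203.0.113.8", GET_REQUEST, 0.0))           # allow
    print(simulate_burst(edge, "198.51.100.9", GET_REQUEST, 8, 10.0))
```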
“Attackers are constantly looking for new and sophisticated methods to abuse legitimate services and bypass mitigation mechanisms,” Simonovich said. “Utilization of the ping functionality is a good example of this, especially since most of the browsers by default support it. The challenge that attackers are facing is how to force legitimate users to visit the malicious page and stay on this page as long as possible to make the attack run longer.”
A new Mirai variant comes with eleven new exploits, the enterprise WePresent WiPG-1000 Wireless Presentation system and the LG Supersign TV being the most notable new devices being targeted.
A previous report by Palo Alto Networks’ Unit 42 from September saw a strain of the Mirai botnet switching targets to attack Apache Struts servers using an exploit also employed during last year’s Equifax breach, and a new Gafgyt version was observed attacking SonicWall firewalls, as part of a larger move against enterprise assets.
In both those instances, the Unit 42 security researchers saw exploits of older and already patched vulnerabilities used in the attacks, suggesting the threat actors were trying to make their work easier by compromising unpatched devices impacted by severe security flaws such as CVE-2017-5638 for Apache Struts.
Mirai attacks against enterprise devices mounting up
This time, as previously mentioned, the researchers found that, besides its usual marks represented by routers, network video cameras, modem routers, and wireless controllers, the Mirai version detected during January 2019 is now also scanning for and exploiting LG Supersign TVs and WePresent WiPG-1000 Wireless Presentation systems present in enterprise environments.
On top of that, with the 11 new exploits added by its masters to be used in the attacks, the total now reaches 27. As further discovered by Unit 42, the botnet’s malicious payload is hosted on a Colombian company’s server which, ironically, provides “electronic security, integration and alarm monitoring” services.
“These new features afford the botnet a large attack surface. In particular, targeting enterprise links also grants it access to larger bandwidth, ultimately resulting in greater firepower for the botnet for DDoS attacks,” according to Unit 42.
The new Mirai variant spotted by Unit 42 also comes with a handful of new features:
Mirai is a self-propagating botnet created by Paras Jha, Josiah White, and Dalton Norman, originally designed to target Internet of Things (IoT) devices such as routers, digital video recorders, and IP cameras, transforming them into “bots” upon successful compromise which can later be used as sources for large-scale Distributed Denial of Service attacks.
During 2016, some malicious actors were advertising huge Mirai botnets of hundreds of thousands of infected devices capable of DDoS attacks over 650Gbps and managing to impact hundreds of thousands of devices [1, 2] during a single campaign.
Mirai still going strong despite creators’ getting caught
It all started after Jha posted Mirai’s source code on a hacking forum during 2016 and, since then, other bad actors have used it to create numerous other botnets, using the code he shared as a starting point; most of them are on at least the same level of sophistication but, once in a while, add newer and more complex attack tools [1, 2, 3, 4, 5, 6].
While their “masterpiece” was and is being improved by others and is still going strong, as proven by Unit 42’s newest report on the new Mirai variant, Jha, White, and Norman were indicted and pleaded guilty to their role in the creation of the malware during December 2018, after Jha was first questioned by the FBI in January 2017 and the US authorities charged all three of them in May 2017.
Paras Jha was sentenced during October and ordered “to pay $8.6 million in restitution and serve six months of home incarceration” according to a DoJ release from October 26, 2018.
The group behind Mirai was sentenced to serve a five-year period of probation and do 2,500 hours of community service, as well as pay $127,000 as restitution while also having to abandon the cryptocurrency seized during the investigation. Jail time was removed from the sentence after they assisted the FBI in other cybercriminal investigations.
Most organizations understand that DDoS attacks are disruptive and potentially damaging. But many are also unaware of just how quickly the DDoS landscape has changed over the past two years, and underestimate how significant the risk from the current generation of attacks has become to the operation of their business. Here, I’m going to set the record straight about seven of the biggest misconceptions that I hear about DDoS attacks.
There are more important security issues than DDoS that need to be resolved first.
When it comes to cyber-attacks, the media focuses on major hacks, data breaches and ransomware incidents. DDoS attacks are growing rapidly in scale and severity: the number of attacks grew by 71% in Q3 2018 alone, to an average of over 175 attacks per day, while the average attack volume more than doubled according to the Link11 DDoS Report. The number of devastating examples is large. In late 2017, seven of the UK’s biggest banks were forced to reduce operations or shut down entire systems following a DDoS attack, costing hundreds of thousands of pounds according to the UK National Crime Agency. And in 2018, online services from several Dutch banks and numerous other financial and government services in the Netherlands were brought to a standstill in January and May. These attacks were launched using Webstresser.org, the world’s largest provider of DDoS-on-demand, which sold attack services for as little as £11. It costs a criminal almost nothing and requires little to no technical expertise to mount an attack, but it costs a company a great deal to fix the damage they cause.
What’s more, DDoS attacks are often used as a distraction, to divert IT teams’ attention away from attempts to breach corporate networks. As such, dealing with DDoS attacks should be regarded as a priority, not a secondary consideration.
I know that DDoS attacks are common, but I’ve never been affected before
Many companies underestimate the risk of being hit by DDoS because they have never been hit before. The truth is that a single attack is often more than enough to cause severe damage along the value chain. This potentially affects any company that is connected to the Internet in any way. Overload attacks not only affect websites, but also all other web services such as e-mail communication, intranet, customer connections, supplier and workflow systems, and more. Today, customers and partners expect 100% availability. Besides the business interruption due to production loss and recovery costs, reputational damage is a common consequence. Total costs for the incidents can quickly go into the millions. On the other hand, the costs for proactive protection against these kinds of attacks are comparably negligible.
There are many providers offering a solution, so DDoS is an easy problem to fix
DDoS is not a new topic, which means that many of the available solutions are outdated. Only a few providers deliver up-to-date, real-time protection that secures against all types of attacks on all network layers. Only a handful of providers can react immediately in an emergency, i.e. if the attack has already taken place, and quickly provide the right protection to organizations.
Reacting to an attack within a few minutes is sufficient
Ideally, the use of intelligent defence systems and always-on protection should prevent a failure in the first place. However, if a new attack pattern appears, the first 30 seconds are crucial. Even if an attack is mitigated after just one minute, subsequent IP connections will already be interrupted (for example, collapsing an IPSec tunnel) and it may take several hours until availability is restored. Although this prevents follow-up actions that can lead to infiltration and data theft, the economic costs of lost revenue, loss of productivity and damage to reputation can still be immense. Therefore, it is vital for organizations to implement a solution that guarantees mitigation in a matter of seconds.
We have our own 24/7 Security Operations Center (SOC), so we are immune
In the flood of security alerts in the SOC it is likely that some events are overlooked or not brought into context with other activities. Furthermore, the sheer amount of necessary analyses and measures cannot be handled by people alone. Only a fully automated process that works based on intelligent and globally networked systems, and which precludes human errors in the process chain, can ensure comprehensive security. Industrial-scale attacks can only be countered with industrial-scale defences.
I am already in the cloud and am automatically protected by my cloud provider
The major cloud providers offer some basic DDoS protections. But this is not aimed at preventing targeted, mega-scale attacks. In late 2016, the massive Dyn DDoS attack caused global disruption to public cloud services. In addition, cloud applications are easily attacked by other applications from within the same cloud. Therefore, when running business-critical applications in the cloud, it is important to consider deploying additional DDoS protections to those applications.
I have invested in hardware that offers protection
Although these systems ensure high infrastructure performance, they only provide static protection against DDoS attacks. This means that the DDoS protection there can only be as good as the current version of the filtering software – which is already outdated as soon as it is released. This approach might have worked a couple of years ago. Nowadays, however, with ever more complex and powerful attacks that combine several vectors and target multiple layers at the same time, this kind of protection is insufficient. Effective protection is only possible via intelligent and networked systems which use advanced machine-learning techniques to analyse traffic and build a profile of legitimate traffic.
In conclusion, DDoS protection needs to be seen as an essential part of the IT security infrastructure. Waiting until an attack happens to consider effective solutions is too late. By addressing the misconceptions in this context and implementing the measures listed in this text, companies can position themselves sustainably in terms of their business continuity strategy.
When someone in your organization starts using internet-connected devices without IT’s knowledge, that’s shadow IoT. Here’s what you need to know about its growing risk.
Shadow IoT definition
Shadow IoT refers to internet of things (IoT) devices or sensors in active use within an organization without IT’s knowledge. The best example is from before the days of bring your own device (BYOD) policies when employees used personal smartphones or other mobile devices for work purposes. “Shadow IoT is an extension of shadow IT, but on a whole new scale,” says Mike Raggo, CSO at 802 Secure. “It stems not only from the growing number of devices per employee but also the types of devices, functionalities and purposes.”
Employees have been connecting personal tablets and mobile devices to the company network for years. Today, employees are increasingly using smart speakers, wireless thumb drives and other IoT devices at work as well. Some departments install smart TVs in conference rooms or are using IoT-enabled appliances in office kitchens, such as smart microwaves and coffee machines.
In addition, building facilities are often upgraded with industrial IoT (IIoT) sensors, such as heating ventilation and air conditioning (HVAC) systems controlled by Wi-Fi-enabled thermostats. Increasingly, drink machines located on company premises connect via Wi-Fi to the internet to accept, say, Apple Pay payments. When these sensors connect to an organization’s network without IT’s knowledge, they become shadow IoT.
How prevalent is shadow IoT?
Gartner predicts that 20.4 billion IoT devices will be in use globally by 2020, up from 8.4 billion in 2017. Shadow IoT has become widely prevalent as a result. In 2017, 100 percent of organizations surveyed reported ‘rogue’ consumer IoT devices on the enterprise network, and 90 percent reported discovering previously undetected IoT or IIoT wireless networks separate from the enterprise infrastructure, according to a 2018 report from 802 Secure.
One-third of companies in the U.S., U.K. and Germany have more than 1,000 shadow IoT devices connected to their network on a typical day, according to a 2018 Infoblox report on shadow devices. Infoblox’s research found that the most common IoT devices on enterprise networks are:
Fitness trackers such as Fitbits, 49 percent
Digital assistants such as Amazon Alexa and Google Home, 47 percent
Smart TVs, 46 percent
Smart kitchen devices such as connected microwaves, 33 percent
Gaming consoles such as Xboxes or PlayStations, 30 percent
What are shadow IoT’s risks?
IoT devices are often built without inherent, enterprise-grade security controls, are frequently set up using default IDs and passwords that criminals can easily find via internet searches, and are sometimes added to an organization’s main Wi-Fi networks without IT’s knowledge. Consequently, the IoT sensors aren’t always visible on an organization’s network. IT can’t control or secure devices they can’t see, making smart connected devices an easy target for hackers and cybercriminals. The result: IoT attacks grew by 600 percent in 2018 compared to 2017, according to Symantec.
Vulnerable connected devices are easily discoverable online via search engines for internet-connected devices such as Shodan, Infoblox’s report points out. “Even when searching simple terms, Shodan provides details of identifiable devices, including the banner information, HTTP, SSH, FTP and SNMP services. As identifying devices is the first step in accessing devices, this provides even lower-level criminals with an easy means of identifying a vast number of devices on enterprise networks that can then be targeted for vulnerabilities.”
Why aren’t most shadow IoT devices secure?
When PCs were first released decades ago, their operating systems weren’t built with inherent security, Raggo observes. As a result, securing PCs against viruses and malware remains an ongoing struggle.
In contrast, the iOS and Android mobile operating systems were designed with integrated security, such as app sandboxing. While mobile devices aren’t bullet-proof, they’re typically more secure than desktops and laptops.
With today’s IoT and IIoT devices, “It’s like manufacturers have forgotten everything we’ve learned about security from mobile operating systems,” Raggo says. “There are so many IoT manufacturers, and the supply chain for building the devices is scattered all over the world, leading to a highly fragmented market.”
Because IoT devices tend to be focused on just one or two tasks, they often lack security features beyond basic protocols such as WPA2 Wi-Fi, which has its vulnerabilities. The result: Billions of unsecured IoT devices are in use globally on enterprise networks without IT’s knowledge or involvement.
“I bought 10 or 15 IoT devices a few years ago to check out their security,” says Chester Wisniewski, principal research scientist at Sophos. “It was shocking how fast I could find their vulnerabilities, which means anyone could hack them. Some devices had no process for me to report vulnerabilities.”
Have criminal hackers successfully targeted shadow IoT devices?
Yes. Probably the most famous example to date is the 2016 Mirai botnet attack, in which unsecured IoT devices such as Internet Protocol (IP) cameras and home network routers were hacked to build a massive botnet army. The army executed hugely disruptive distributed denial of service (DDoS) attacks, such as one that left much of the U.S. east coast internet inaccessible. The Mirai source code was also shared on the internet, for criminal hackers to use as building blocks for future botnet armies.
Other exploits are available that enable cybercriminals to take control of IoT devices, according to the Infoblox report. “In 2017, for example, WikiLeaks published the details of a CIA tool, dubbed Weeping Angel, that explains how an agent can turn a Samsung smart TV into a live microphone. Consumer Reports also found flaws in popular smart TVs that could be used to steal data as well as to manipulate the televisions to play offensive videos and install unwanted apps.”
Along with amassing botnet armies and conducting DDoS attacks, cybercriminals can also exploit unsecured IoT devices for data exfiltration and ransomware attacks, according to Infoblox.
In one of the oddest IoT attacks thus far, criminals hacked into a smart thermometer inside a fish tank in a casino lobby to access its network. Once in the network, the attackers were able to steal the casino’s high-roller database.
The future potential of IoT-enabled cyberattacks is enough to give CSOs and other IT security professionals cause for concern. “Consider the damage to vital equipment that could occur if someone connected into an unsecured Wi-Fi thermostat and changed the data center temperature to 95 degrees,” Raggo says. In 2012, for instance, cybercriminals hacked into the thermostats at a state government facility and a manufacturing plant and changed the temperatures inside the buildings. The thermostats were discovered via Shodan, a search engine devoted to internet-connected devices.
To date, the impact of IoT device exploits hasn’t been hugely negative for any particular enterprise, says Wisniewski, in terms of exploiting sensitive or private data. “But when a hacker figures out how to make a big profit compromising IoT devices, like using a brand of smart TVs for conference room spying, that’s when the shadow IoT security risk problem will get everyone’s attention.”
3 ways to mitigate shadow IoT security risks
Make it easy for users to officially add IoT devices. “The reason you have shadow IT and shadow IoT is often because the IT department is known for saying ‘no’ to requests to use devices like smart TVs,” says Wisniewski. Instead of outright banning IoT devices, fast-tracking their approval whenever possible and feasible—within, say, 30 minutes after the request is made—can help reduce the presence of shadow IoT.
“Publish and circulate your approval process,” Wisniewski adds. “Get users to fill out a brief form and let them know how quickly someone will get back to them. Make the process as flexible and as easy for the requester as possible, so they don’t try to hide something they want to use.”
Proactively look for shadow IoT devices. “Organizations need to look beyond their own network to discover shadow IoT, because much of it doesn’t live on the corporate network,” Raggo says. “More than 80 percent of IoT is wireless-enabled. Therefore, wireless monitoring for shadow IoT devices and networks can allow visibility and asset management of these other devices and networks.”
Traditional security products list devices by a media access control (MAC) address or a vendor’s organizationally unique identifier (OUI), yet they are largely unhelpful in an environment with a plethora of different types of devices, Raggo adds. “IT really wants to know ‘what is that device?’ so they can determine if it’s a rogue or permitted device. In today’s world of deep-packet inspection and machine learning, mature security products should provide human-friendly categorizations of discovered assets to ease the process of asset management and security.”
Isolate IoT. Ideally, new IoT and IIoT devices should connect to the internet via a separate Wi-Fi network dedicated to such devices that IT controls, says Wisniewski. The network should be configured to allow IoT devices to transmit information outbound while blocking incoming connections to them. “With the majority of IoT devices, nothing legitimate is ever transmitted to them,” he says.
Anything shadowy is a problem
“Shadow anything is a problem, whether it’s an IoT device or any other addressable, unmanaged item,” says Wisniewski. “The key is controlling access to the network from only authorized devices, keeping an accurate inventory of authorized devices, and having clear policies in place to ensure employees know they aren’t allowed to ‘bring their own’ devices and that HR sanctions will be enforced if they do.”
Illinois man offered “DDoS for hire” services that hit millions of victims.
Sergiy P. Usatyuk, who owned a series of services that collectively launched millions of distributed denial-of-service (DDoS) attacks, has pleaded guilty in federal court to one count of conspiracy to cause damage to Internet-connected computers. The services he owned and offered for use included ExoStress.in (“ExoStresser”), QuezStresser.com, Betabooter.com (“Betabooter”), Databooter.com, Instabooter.com, Polystress.com, and Zstress.net.
The sites were booter services, a class of publicly available, Web-based services that allow cybercriminals to launch DDoS attacks, often for low fees paid by customers who sign up via Web browser and online payment.
According to court documents, Usatyuk ran the network between August 2015 and November 2017. In September 2017, the ExoStresser website advertised that “… its booter service alone had launched 1,367,610 DDoS attacks, and caused targeted victim computer systems to suffer 109,186.4 hours of network downtime,” one of the documents shows.
Connected devices often get attacked minutes after being plugged in.
IoT devices are being attacked with greater regularity than ever before, new research has suggested.
According to a new report by NETSCOUT, smart products often come under attack within five minutes of being plugged in, and are targeted by specific exploits within a day.
The Threat Landscape Report says IoT device security is ‘minimal to non-existent’ on many devices. That makes the IoT sector among the most vulnerable ones, especially knowing that medical equipment and connected cars fall under the IoT category.
DDoS, in general, is still on the rise, the report adds. The number of such attacks grew by a quarter last year. Attacks in the 100-400 Gbps range ‘exploded’, it says, which it reads as a sign of hackers’ ‘continued interest’ in this attack vector.
The global maximum DDoS attack size grew by 19 per cent last year, compared to the year before.
International institutions, such as the UN or the IMF, have never been this interesting to hackers. DDoS attacks against such organisations had risen by almost 200 per cent last year.
Hackers operate similarly to the way legitimate businesses operate. They employ the affiliate model, allowing them to rack up profits quite quickly.
“Our global findings reveal that the threat landscape in the second half of 2018 represents the equivalent of attacks on steroids,” said Hardik Modi, NETSCOUT’s senior director of Threat Intelligence. “With DDoS attack size and frequency, volume of nation state activity and speed of IoT threats all on the rise, the modern world can no longer ignore the digital threats we regularly face from malicious actors capable of capitalizing on the interdependencies that wind through our pervasively connected world.”
Federal authorities have arrested two alleged members of a hacking group known as the Apophis Squad on charges of making false threats of violent attacks and staging attacks on multiple computer systems.
According to an announcement from the Department of Justice (DoJ), the two defendants, Timothy Dalton Vaughn, 20, of Winston-Salem, North Carolina, and George Duke-Cohan, 19, of Hertfordshire, United Kingdom, are allegedly part of a global group of hackers suspected of wreaking havoc on the internet for the better part of 2018, including launching distributed-denial-of-service (DDoS) attacks.
Duke-Cohan, who is already serving a three-year sentence in the UK for threatening an airline in what turned out to be a hoax, is believed to go by the names DigitalCrimes and 7R1D3N7 online.
The defendants face multiple charges, including conducting cyber- and swatting attacks against individuals, businesses and institutions in the US and the UK, according to the DoJ.
“Members of Apophis Squad communicated various threats – sometimes using ‘spoofed’ email addresses to make it appear the threats had been sent by innocent parties, including the mayor of London,” the announcement stated.
“They also allegedly defaced websites and launched denial-of-service attacks. In addition, Vaughn allegedly conducted a DDoS attack that took down hoonigan.com, the website of a Long Beach motorsport company, for three days, and sent extortionate emails to the company demanding a Bitcoin payment to cease the attack.”
If convicted of all charges in the 11-count indictment, Vaughn could be sentenced to a maximum of 80 years in prison. Duke-Cohan, who is facing nine charges, would be sentenced to a maximum of 65 years if found guilty.
“The Apophis Squad also took credit for hacking and defacing the website of a university in Colombia, resulting in visitors to the site seeing a picture of Adolf Hitler holding a sign saying ‘YOU ARE HACKED’ alongside the message ‘Hacked by APOPHIS SQUAD,’” the DoJ wrote.
Although most scrubbing services can help fend off distributed denial of service attacks, a more comprehensive mitigation strategy is required to remain unscathed
What was possibly the world’s biggest distributed denial of service (DDoS) attack in February 2018 was stopped in its tracks after 20 minutes because there was a DDoS protection service in place.
The attack on GitHub, a popular online code management service used by millions of developers, experienced incoming traffic of 1.3Tbps, bombarded by packets at a rate of 126.9 million per second. Within 10 minutes of the attack, GitHub had sounded the alarm and routed its traffic to its DDoS mitigation service Akamai Prolexic, which sorted out and blocked the malicious traffic.
GitHub is not alone, as DDoS attacks have grown in intensity and become more sophisticated. Since 2017, businesses in the Asia-Pacific (APAC) region started to experience DDoS attacks at almost the same rate as North American businesses, which have traditionally been the most targeted, said Shahnawaz Backer, security specialist for APAC at F5 Networks, based on F5’s data.
And ASEAN organisations are not standing still. The DDoS market in ASEAN has seen significant growth, accounting for 20% of the APAC market, according to Frost & Sullivan.
A growing number of enterprises are investing in DDoS solutions, especially cloud-based DDoS mitigation services, with a shift away from a service-provider-centric market.
A DDoS attack is one of the most complex threats that businesses can face. The goal of the individual hacker, organised criminals or state actors is to overwhelm a company’s network, website or network component, such as a router. To begin with, organisations have to determine whether a spike in traffic is legitimate or is an attack.
“Without a solid understanding of baselines and historic traffic trends, organisations are unlikely to detect an attack until it is too late,” said Sherrel Roche, senior market analyst at IDC’s Asia-Pacific business and IT services research group.
Landbank, the largest government-owned bank in the Philippines, has taken the step of implementing F5’s BIG-IP local traffic manager to understand its application traffic and performance better, as well as to gain full visibility into customer data as it enters and leaves an application. This enables the security team to inspect, manage and report fraudulent transactions as soon as they are spotted.
Complementing that is an on-premise, application-level (layer 7) DDoS mitigation service to ensure mission-critical applications are protected against application-specific attacks.
It can be relatively simple to launch a DDoS attack with readily available DDoS-for-hire services, and even people with little or no technical skills can launch a damaging attack.
One such attack, which generated over 170Gbps of traffic, was organised over chatrooms on the Steam game distribution platform and IRC (internet relay chat), with many participating members using downloaded tools. These included a YouTube tutorial by a 12-year-old developer, said Fernando Serto, head of security technology and strategy at Akamai Technologies APAC.
Part of the challenge of DDoS is the complexity of these attacks. Not only are there several categories of attack method, but each category has a host of different attacks. The same target can also be attacked using several different attack vectors.
On top of that, some attacks can be hard to detect. One notable attack involved overwhelming the target’s DNS (domain name system) server through a series of bursts that lasted several minutes, instead of a sustained attack.
“This led to defender fatigue as these bursts of traffic were coming in over a long period of time, and detection, let alone mitigation, of these types of attacks becomes very difficult,” said Serto.
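The two detection points above, a learned traffic baseline and the burst pattern that single-spike alerting misses, are illustrated by the following added example (not code from the article or any vendor named in it). It runs over constructed per-second request counts to a DNS server; the baseline length, the `k` multiplier and the window size are assumed tuning values.

```python
"""Baseline-driven spike and burst detection over constructed per-second counters.

Added example, not from the article. It learns a baseline from historic traffic,
flags individual spiking seconds, then looks for several short bursts inside one
longer window, the pattern the DNS burst attack used to wear defenders down.
"""
from statistics import mean, pstdev


def detect_bursts(samples, baseline_len=60, k=4.0, window=300, min_bursts=3):
    """Return (threshold, events, flagged_windows).

    samples      per-second request counts, oldest first (constructed here)
    baseline_len leading seconds treated as known-good history
    threshold    mean + k * stdev of the baseline; a second above it is a spike
    events       spikes collapsed into distinct [start, end] burst events
    flagged      (start, end) spans where >= min_bursts events fall within
                 `window` seconds, i.e. a burst campaign rather than one blip
    """
    base = samples[:baseline_len]
    threshold = mean(base) + k * pstdev(base)
    spikes = [i for i, v in enumerate(samples[baseline_len:], baseline_len) if v > threshold]
    # Collapse consecutive spiking seconds into distinct burst events.
    events = []
    for i in spikes:
        if not events or i - events[-1][1] > 1:
            events.append([i, i])
        else:
            events[-1][1] = i
    # Group events: a window opens at each event and absorbs later events that
    # start within `window` seconds of it.
    flagged, n = [], 0
    while n < len(events):
        j = n
        while j + 1 < len(events) and events[j + 1][0] - events[n][0] < window:
            j += 1
        if j - n + 1 >= min_bursts:
            flagged.append((events[n][0], events[j][1]))
            n = j + 1
        else:
            n += 1
    return threshold, events, flagged


def constructed_traffic():
    """Constructed sample: 60 s of ~100 qps, then four 5-second bursts of
    3000 qps, each preceded by 55 s of normal traffic (300 samples total)."""
    t = [100 + (i % 7) for i in range(60)]
    for _ in range(4):
        t += [100] * 55 + [3000] * 5
    return t
```

Each burst alone would clear a per-second alert and vanish before anyone acted; the grouped window is what turns four short spikes into one incident to escalate.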
DDoS attacks are unlike other cyber attacks, where patches and locally installed security appliances can block an attack altogether. The defence calculus for denial of service is different because no organisation can prevent or block all DDoS attacks on its own, said Gartner senior analyst Rajpreet Kaur.
So the decision to invest in DDoS protection is also not an easy one. DDoS mitigation is an expensive investment, which organisations do not easily choose unless they or their competitors have suffered an attack.
“While multinational and global firms will invest, the cost may deter smaller, local firms,” said Kaur.
Also, IT infrastructure is getting more complex as enterprises move their applications and infrastructure to the cloud, requiring DDoS solutions to cater to different environments, said Frost & Sullivan network security senior industry analyst Vu Anh Tien.
What GitHub relied on to counter the massive attack in February 2018 was scrubbing services, a common DDoS mitigation technique. Using this method, the traffic destined for a particular IP address range is redirected to datacentres, where the attack traffic is “scrubbed” or cleaned. Only clean traffic is then forwarded to the target destination.
Most DDoS scrubbing providers have three to seven scrubbing centres, typically distributed globally, said Gartner’s Kaur. Each centre consists of DDoS mitigation equipment and large amounts of inbound bandwidth, which can exceed 350Gbps. When customers are under attack, they “push the button” to redirect all traffic to the closest scrubbing centre to be cleaned.
Enterprise customers make use of scrubbing centres in two ways: some route traffic via the scrubbing centres around the clock, while others prefer to route traffic on demand when an attack occurs.
Given the complexity of security attacks and IT infrastructures, organisations are increasingly adopting hybrid models of protection, in order to protect against the broadest set of potential attack vectors. They often turn to an on-premise system that is the first line of defence, with the scrubbing centre stepping in when the on-premise technology is overwhelmed, said Backer.
IDC’s Roche added: “For bad traffic to be diverted to a scrubbing centre in a seamless action to reduce any downtime, organisations need to have seamless integration between cloud and on-premise solutions, implemented in front of an infrastructure’s network to help mitigate an attack before it reaches core network assets and data.”