Most Updated News on How to Protect Against DoS Attacks!

Why a massive DDoS attack on a blogger has internet experts worried
Web Host Hit by DDoS of Over 1Tbps
Here’s how security cameras drove the world’s biggest DDoS attack ever
DDOS attacks: An old nemesis returns to cripple your network
Hackers threaten First Securities with DDoS attacks
Renowned blog KrebsOnSecurity hit with massive DDoS attack
Cybersecurity is threatening America’s military supremacy
Blizzard’s Servers Knocked Offline By Another DDoS Attack
DDoS always knocks twice
Waiting for DDoS

Why a massive DDoS attack on a blogger has internet experts worried

Someone on the internet seems very angry with cybersecurity blogger Brian Krebs.

On 20 September, Krebs’ website was hit with what experts say is the biggest Distributed Denial of Service (DDoS) attack in public internet history, knocking it offline for days with a furious 600 to 700 Gbps (Gigabits per second) traffic surge.

DDoS attacks are a simple way of overloading a network router or server with so much traffic that it stops responding to legitimate requests.

According to Akamai (which had the unenviable job of attempting to protect his site last week), the attack was twice the size of any DDoS event the firm had ever seen before, easily big enough to disrupt thousands of websites let alone one.

So why did someone expend time and money to attack a lone blogger in such a dramatic way? Krebs has his own theories, and the attack follows Krebs breaking a story about the hacking and subsequent takedown of kingpin DDoS site vDOS, but in truth nobody knows for certain and probably never will.

DDoS attacks, large and small, have become a routine fact of internet life.

Many attacks are quietly damped down by specialist firms who protect websites and internet services.

But the latest attack has experts worried all the same.

Stop what you’re doing

DDoS attacks first emerged as an issue on the public internet in the late 1990s, and since then have been getting larger, more complex and more targeted.

Early motivations tended towards spiteful mischief. A good example is the year 2000 attacks on websites including Yahoo, CNN and Amazon by ‘MafiaBoy’, who later turned out to be 15-year-old Canadian youth Michael Calce. Within weeks, he was arrested.

Things stepped up a level in 2008 when hacktivist group Anonymous started an infamous series of DDoS attacks with one aimed at websites belonging to the Church of Scientology.

By then, professional cybercriminals were offering DDoS-for-hire ‘booter’ and ‘stresser’ services that could be rented out to unscrupulous organizations to attack rivals. Built from armies of ordinary PCs and servers that had quietly been turned into botnet ‘zombies’ using malware, attacks suddenly got larger.

This culminated in 2013 with a massive DDoS attack on a British spam-fighting organization called Spamhaus that was measured at a then eye-popping 300Gbps.

These days, DDoS is often used in extortion attacks where cybercriminals threaten organizations with crippling attacks on their websites unless a ransom is paid. Many are inclined to pay up.

The Krebs effect

The discouraging aspect of the Krebs attack is that internet firms may have thought they were finally getting on top of DDoS, using techniques that identify rogue traffic and more quickly cut off the botnets that fuel their packet storms.

The apparent ease with which the latest massive attack was summoned suggests otherwise.

In 2015, Naked Security alumnus and blogger Graham Cluley suffered a smaller DDoS attack on his site, so Krebs is not alone. Weeks earlier, community site Mumsnet experienced a DDoS attack designed to distract security engineers as part of a cyberattack on the firm’s user database.

At the weekend, Google stepped in and opened its Project Shield umbrella over Krebs’ beleaguered site. Project Shield is a free service launched earlier in 2016 by Google, specifically to protect small websites such as Krebs’ from being silenced by DDoS attackers.

For now it looks like Google’s vast resources were enough to ward off the unprecedented attack, but it’s little comfort to know that nothing short of the internet’s biggest player was the shield that one simple news site needed.

With criminals apparently able to call up so much horsepower, the wizards of DDoS defence might yet have to rethink their plans – and fast.


Web Host Hit by DDoS of Over 1Tbps

A French web host is claiming his firm has been hit by the biggest DDoS attack ever seen, powered by an IoT botnet with an estimated capacity of 1.5Tbps.

Octave Klaba, the founder and CTO of OVH, took to Twitter late last week to reveal his firm was under attack from a stream of DDoS blitzes creeping towards and eventually past the 1Tbps mark.

He claimed the botnet in question was initially comprised of around 145,000 internet-connected cameras and digital video recorders with an estimated 1-30Mbps capacity each – that’s a potential 1.5Tbps in total.

In further updates this week Klaba said the botnet had increased by first another 6,857 devices and then 15,654 more.

The news follows reports last week that Akamai was forced to withdraw its pro bono DDoS protection of the KrebsOnSecurity site after it was allegedly hit by an attack measuring 665Gbps, then the largest on record.

Dave Larson, CTO and COO at Corero Network Security, claimed the recent attacks are beginning to change the way IT security professionals view DDoS.

“The internet is a powerful tool, and must be viewed with security and protection first and foremost,” he added. “Motivations for attacks, and the tools and devices used to execute the attacks, are readily available to just about anyone; combining this with almost complete anonymity creates a recipe to break the Internet.”

Roland Dobbins, principal engineer at Arbor Networks, argued that IoT botnets are increasingly favored by hackers because they frequently ship with insecure defaults, are often connected to high speed internet and are rarely patched to fix bugs.

“Embedded IoT devices are often low-interaction – end-users don’t spend much time directly interfacing with them, and so aren’t given any clues that they’re being exploited by threat actors to launch attacks,” he told Infosecurity.

“Organizations can defend against DDoS attacks by implementing best current practices for DDoS defense, including hardening their network infrastructure; ensuring they’ve complete visibility into all traffic from their networks; having sufficient DDoS mitigation capacity and capabilities either on premise or via cloud-based DDoS mitigation services or both; and by having a DDoS defense plan which is kept updated and is rehearsed on a regular basis.”


Here’s how security cameras drove the world’s biggest DDoS attack ever

DDoS attacks are reaching monster levels that pose a massive threat

The record for the biggest DDoS attack ever seen has been broken once again, with an absolute monster of distributed denial of service firepower managing to almost reach the not-so-magic 1Tbps mark.

Technically this was actually two concurrent attacks, although the majority of the traffic was concentrated in one, which is the largest ever recorded single blast of DDoS.

As the Register reported, Octave Klaba, the founder and CTO of, the French hosting company which suffered the attack, said that the assault consisted of two simultaneous barrages of 799Gbps and 191Gbps, for a total of 990Gbps.

The previous largest DDoS was the recent 620Gbps effort that hit ‘Krebs On Security’, the website of security researcher Brian Krebs, which was driven by the same botnet of some 150,000+ compromised Internet of Things devices, routers, DVRs and security cameras responsible for this latest volley.

Krebs said he was hit in retaliation to an article posted on his blog, although it isn’t clear why came under fire.

Massive attacks

As Klaba said on Twitter, though, it’s hardly uncommon for his company to experience DDoS, and a tweet outlining the attacks suffered by the organisation over a period of four days this month showed 25 separate attacks which all exceeded 100Gbps (including the two mentioned here). Several others were simultaneous (or near-simultaneous) pairs of attacks, too.

He further noted that the botnet in question could potentially up its firepower by some 50% compared to the assault his company was hit by, tweeting: “This botnet with 145,607 cameras/dvr (1-30Mbps per IP) is able to send >1.5Tbps DDoS.”

Not only are DDoS attacks getting larger in size, but they are also becoming much more frequent according to a VeriSign report we saw back in the spring – this observed that the number of attacks had almost doubled in the final quarter of 2015, compared to the same period in the previous year.


DDOS attacks: An old nemesis returns to cripple your network

Once considered a cybersecurity threat of the past, Distributed Denial of Service (DDoS) attacks have re-emerged with a vengeance. DDoS attacks are wreaking havoc on enterprises and end users with alarming frequency.

Distributed Denial of Service is a cyberattack where multiple systems are compromised, often joined with a Trojan, and used to target a single system to exhaust resources so that legitimate users are denied access to resources. Websites or other online resources become so overloaded with bogus traffic that they become unusable. A well-orchestrated DDoS carried out by automated bots or programs has the power to knock a website offline. These attacks can cripple even the most established and largest organisations. An e-commerce business can no longer conduct online transactions, jeopardising sales. Emergency response services can no longer respond, putting lives in danger.

According to the VeriSign Distributed Denial of Service Trends Report, DDoS activity increased by 85 percent in one year. The report also suggested that cyber attackers are beginning to hit targets repeatedly, with some organisations the target of DDoS attacks up to 16 times in just three months. If you think your organisation is obscure and can fly under the cyber attacker radar – forget it. Every industry is vulnerable.

If an increase in attacks isn’t troubling enough, the size and the amount of damage DDoS attacks can do is also disturbing. The fastest flood attack detected by Verisign occurred during the fourth quarter of 2015, targeting a telecommunications company by sending 125 million packets per second (Mpps), and driving a volumetric DDoS attack of 65 gigabits per second (Gbps). The end result – the site imploded and was temporarily knocked out of service.

Why DDoS attacks are back in vogue

The reason why DDoS attacks are back is simple – it is relatively easy to launch a sustained attack and cripple any organisation connected to the Internet. Botnets, a group of computers connected for malicious purposes, can actually be acquired as a DDoS for hire service. The ability to acquire destructive assets demonstrates how easy it is for someone with little technical knowledge to attack any organisation.

DDoS attacks typically hit in three ways – Application Order, Volumetric, and Hybrid. Application orders cripple networks by potentially creating hundreds of thousands of connections at a time; volumetric attacks seek to overload a site with traffic; hybrid attacks can deliver the double whammy of knocking a business offline. The real danger of DDoS attacks is that they are often an end around. While technicians are preoccupied with trying to get the website back up, attackers can often plant a backdoor in other areas of the network to eventually steal information.

How to prevent DDoS attacks

Prevention is nearly impossible, since there is no effective control of hackers in the outside world. A DDoS appliance protecting the Internet connection is the first line of defence. This will help to mitigate an attack. Appliances from vendors such as Fortinet or Radware are placed on customer premises as close to their Internet edge as possible. These devices can help to identify and block most DDoS traffic. However, this solution falls short with a DDoS attack that is attempting to flood Internet circuits. The only way to protect against this type of attack is to have a device at the service provider or in the cloud. A managed security services provider (MSSP) can offer on-demand services that are both cost effective and architected with a cloud focus in mind, in order to effectively protect against each type of attack.

A number of companies offer tools to analyse network traffic for signs of malicious activity, which can often weed out unwanted network connections. Infrastructure Access Control Lists (IACLs) can also be installed in routers and switches to detect suspicious traffic patterns and keep unwanted traffic off servers.

Many companies believe they can thwart attacks by hiding behind a firewall, but these general purpose tools are typically the first to fall. Firewalls offer some protection, but they can be easily hacked. Organisations expose themselves to attack when they use technology as a crutch. Winning the DDoS war requires organisations to look at their operations as a critical network and seek ways to defend it with talented individuals and technology that stay one step ahead of the attackers. A firewall is important but not a panacea.

The major drawback to do-it-yourself solutions is that they are reactive. Attackers can easily modify their methods and come at a business from disparate sources using different vectors. This keeps an organisation always in a defensive position, having to repeatedly deploy additional configurations, while simultaneously attempting to recover from any downtime events.

Many organisations have limited expertise and resource bandwidth to deal with the complexities of security and compliance. Managed security services providers with the ability to monitor, manage and protect control systems fill that cybersecurity gap. Detecting a DDoS attack requires specialised hardware capable of sending alerts via email or text. The goal is to report and respond to the incident before the attacker makes resources unavailable. An MSSP who employs both technology and on-site personnel can monitor and act as a full operations team.

If a DDoS attack is suspected, it is probably affecting the ISP as well. The security team should immediately contact the ISP to see if they can detect a DDoS attack and re-route traffic. Inquire whether any DDoS protective services are available, and consider a backup ISP as a contingency.
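The prevention section above describes three layers: traffic analysis that spots flood patterns, access lists at the edge that keep unwanted sources off servers, and escalation to the ISP or a cloud scrubbing service when the attack is saturating the circuit itself. The following is an added example, not code from any of the articles or vendors quoted here, showing the core of such a check in Python: it reads constructed flow records (the addresses, packet counts and thresholds are illustrative), computes per-source and aggregate packet rates over a fixed window, lists sources that exceed a per-source limit, emits illustrative ACL-style deny lines for them (the Cisco-like syntax is an assumption), and decides whether the volume is something the edge can absorb or something that must be handed upstream.

```python
"""Minimal volumetric-flood detector over constructed flow records.

Added example (not from the articles on this page). Flow fields mirror what a
router or tap would export; all sample values and thresholds are illustrative.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass(frozen=True)
class Flow:
    """One aggregated flow record toward a protected host."""
    ts: float       # record start, seconds into the observation window
    src: str        # source address as seen on the wire (may be spoofed)
    dst: str        # protected service address
    packets: int
    octets: int


@dataclass
class FloodReport:
    window_s: float
    total_pps: float
    total_bps: float
    saturated: bool                       # aggregate rate exceeds the edge limit
    offenders: List[str] = field(default_factory=list)   # sources over the per-source limit
    per_source_pps: Dict[str, float] = field(default_factory=dict)


# Constructed sample: ten seconds of flows toward one protected host.
# Two sources flood it with small packets, one is noisy but under the
# per-source limit, and two are ordinary clients.
TARGET = "192.0.2.10"
SAMPLE_FLOWS: List[Flow] = [
    Flow(0.0, "198.51.100.10", TARGET, 100, 50_000),
    Flow(3.0, "198.51.100.10", TARGET, 100, 50_000),
    Flow(7.0, "198.51.100.10", TARGET, 100, 50_000),
    Flow(1.0, "198.51.100.11", TARGET, 200, 100_000),
    Flow(0.5, "203.0.113.7", TARGET, 5_000, 320_000),
] + [Flow(float(i * 2), "203.0.113.5", TARGET, 40_000, 2_560_000) for i in range(5)] \
  + [Flow(float(i * 5), "203.0.113.6", TARGET, 150_000, 9_600_000) for i in range(2)]


def per_source_pps(flows: List[Flow], window_s: float) -> Dict[str, float]:
    """Packets per second attributed to each source over the window."""
    counts: Dict[str, int] = defaultdict(int)
    for f in flows:
        counts[f.src] += f.packets
    return {src: n / window_s for src, n in counts.items()}


def detect_flood(flows: List[Flow], window_s: float,
                 src_pps_limit: float, total_pps_limit: float) -> FloodReport:
    """Flag heavy sources and decide whether the aggregate exceeds the edge limit."""
    rates = per_source_pps(flows, window_s)
    total_pps = sum(f.packets for f in flows) / window_s
    total_bps = sum(f.octets for f in flows) * 8 / window_s
    # Heaviest source first, so the operator sees the biggest contributor on top.
    offenders = sorted((s for s, r in rates.items() if r > src_pps_limit),
                       key=lambda s: rates[s], reverse=True)
    return FloodReport(window_s, total_pps, total_bps,
                       total_pps > total_pps_limit, offenders, rates)


def deny_entries(report: FloodReport) -> List[str]:
    """Illustrative ACL lines for offending sources (syntax is an assumption)."""
    return [f"deny ip host {src} any" for src in report.offenders]


def recommended_action(report: FloodReport) -> str:
    """'upstream' when the edge cannot absorb the volume, 'edge-acl' when a
    handful of sources can be filtered locally, 'none' otherwise."""
    if report.saturated:
        return "upstream"
    if report.offenders:
        return "edge-acl"
    return "none"


if __name__ == "__main__":
    report = detect_flood(SAMPLE_FLOWS, window_s=10.0,
                          src_pps_limit=1_000, total_pps_limit=40_000)
    print(f"total {report.total_pps:.0f} pps, {report.total_bps / 1e6:.1f} Mbps, "
          f"saturated={report.saturated}")
    for src in report.offenders:
        print(f"  {src}: {report.per_source_pps[src]:.0f} pps")
    print("\n".join(deny_entries(report)))
    print("action:", recommended_action(report))
```

The per-source list is only useful while the attacking population is small and the addresses are real; a botnet of the size described on this page, or a flood with spoofed sources, exceeds what an edge access list can hold, which is why the aggregate check feeds the escalation to the ISP or cloud mitigation path rather than another local rule.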

DDoS attacks will continue in the future due to the ease of execution. Companies must ensure they are prepared, constantly monitor the network, and have a game plan if an attack is under way. The daily headlines prove that no organisation is immune. With a little foresight it is possible to both thwart an attack and defend against future ones.


Hackers threaten First Securities with DDoS attacks

TAIPEI, Taiwan — First Securities (第一金證券) was blackmailed on Thursday by hackers who threatened to completely disable its trading system with DDoS (distributed denial-of-service) attacks.

The hackers asked the brokerage firm to pay 50 bitcoins (approximately NT$940,000), in an email that they sent to First Securities at around 10 a.m. on Thursday.

Local newspaper Apple Daily cited an unnamed source as saying that a DDoS attack came at around 11 a.m., stopping all electronic trades.

First Securities President Yeh Kuang-chang (葉光章) confirmed that they received the blackmail email but stressed that the firm’s trading system was only slowed down but not disabled by the attacks as reported. The firm has activated a reserve system and, while a small number of investors were affected by the attacks, the system was not paralyzed, Yeh said. He said he believed the situation would be resolved by Friday.

Yeh said the firm had reported the incident, which he said had caused no losses to the firm, to the authorities or to the investigation bureau.

Yeh also stressed that while the firm had yet to ascertain the origin of the hackers, he had preliminary ruled out the possibility that Thursday’s DDoS attacks were related to the ATM heist aimed at its sister institution — First Commercial Bank — in July. ATMs at 41 First Bank branches were hacked in the incident, with over NT$80 million believed to have been stolen. Seventeen suspects from six countries have been identified in the heist, which involved an international crime ring. The Taiwan Stock Exchange (TWSE) issued a statement at 6 p.m. saying that First Securities suffered from an unknown online attack beginning at 10:50 a.m. and was not able to immediately recover its electronic trading system. The TWSE advised investors to use other forms of trading.

TWSE Vice President Chien Lih-chung (簡立忠) said the TWSE had informed other securities firms and that no other firms had reported similar blackmail or system problems.


Renowned blog KrebsOnSecurity hit with massive DDoS attack

The 620 Gbps DDoS attack was built on a massive botnet.

The security blog KrebsOnSecurity has been hit with one of the largest distributed denial of service (DDoS) attacks of all time.

The site, which is run by security expert Brian Krebs, was hit by a DDoS attack of around 620 Gbps on 20 September.

KrebsOnSecurity managed to stay online during the attack, due to defences from content delivery network provider Akamai.

The largest attack of this kind Akamai had previously defended was one of 336 Gbps earlier this year.

Previous large-scale DDoS attacks, including the 336 Gbps attack, used well-known methods to amplify a smaller attack such as using unmanaged DNS servers.

Apart from being much larger in terms of scale, the attack on KrebsOnSecurity also differed in that it seemed to instead use a very large botnet of hacked devices. This could have involved hundreds of thousands of systems.

“Someone has a botnet with capabilities we haven’t seen before,” Martin McKeay, Akamai’s senior security advocate, said to KrebsOnSecurity. “We looked at the traffic coming from the attacking systems, and they weren’t just from one region of the world or from a small subset of networks — they were everywhere.”

Brian Krebs said that there were some signs that the attack had used a botnet that had captured a large number of Internet of Things (IoT) devices.

During a DDoS attack, the targeted website is flooded with traffic, designed to overwhelm the resources of the site to crash or suspend its services.

“It seems likely that we can expect such monster attacks to soon become the new norm,” wrote Krebs.

He suggested that the attack on his site might have been in retaliation for a series he had done on the takedown of a DDoS-for-hire service vDOS, a theory supported by text included in the strings of the DDoS attack referencing the vDOS owners.


Cybersecurity is threatening America’s military supremacy

The sparsely populated Spratly Islands, a collection of hundreds of islands and reefs spread over roughly 165,000 square miles in the South China Sea, are very quickly becoming the center of one of the most contentious international disputes between world powers since the fall of the Soviet Union.

Alarmingly, the use of cyber attacks in this dispute suggests we might already be in the midst of a new Cold War playing out in cyberspace — where America’s advantage is not as clear as it is with conventional armies and navies.

The Spratly Islands are of economic and strategic importance. All of the countries in the region — including China, Vietnam and the Philippines — have made competing territorial claims to the region. In recent years, China has become increasingly aggressive in its claim, rapidly building artificial islands while also conducting military operations in the area.

Beyond this conventional military build up, however, are complex and brazen cyber attacks by China that are leaving America and its allies increasingly concerned.

A massive distributed denial of service (DDoS) attack knocked offline at least 68 Philippine government websites in July, apparently in response to an international court ruling that denied China’s territorial claims in the region. Just days later, Vietnam’s national airline and major airports were targeted in a series of attacks by the Chinese hacking group 1937CN.

Those are just the latest examples of China’s years long cyber campaign related to the Spratly Islands. (In another attack, the website of the aforementioned international court was infected with malware and taken offline last year.)

While these “nuisance” attacks — and continued cyber espionage by China — are serious, targeted Chinese cyber attacks designed to impact America’s physical military systems in the South China Sea are the most substantial evidence that we may be on the brink of a more tangible cyber threat to American military power.

China appears to be moving forward with plans to use electronic attacks designed to either disrupt or take control of American drones. With reports that the Chinese attempted to interfere with U.S. military drones at least once in recent years, the country has shown a willingness to use GPS jamming to prevent U.S. aircraft from conducting surveillance missions in the Spratly Islands.

That 2015 instance appears to fit China’s public posturing on the ways it says it could use electronic GPS jamming to disrupt U.S. drone networks. One 2013 report in the Chinese journal Aerospace Electronic Warfare notes in technical detail how its military can “use network warfare to attack and even control America’s network” by disrupting the connection between satellites and aircraft.

This sort of GPS jamming could be the largest electronic threat to the U.S. drone program. In fact, it has been widely speculated that Iran used a similar GPS “spoofing” technique to take control of a U.S. surveillance drone in 2011.

The American military says it is preparing for these sorts of attacks with its new cyber strategy released last year. In addition to outlining how cyber will be included in military planning, the report calls for a hardening of the military’s cyber defenses to prevent the theft of military technology or cyber attacks against military infrastructure and weaponry.

Blizzard’s Servers Knocked Offline By Another DDoS Attack

Blizzard Entertainment became a victim of yet another distributed denial-of-service (DDoS) attack as its servers were knocked down on Sunday, Sept. 18.

The DDoS attack that rendered’s servers offline was waged by hacking group PoodleCorp.

Owing to the attack,, which runs several popular games such as World of Warcraft, Hearthstone: Heroes of Warcraft and Overwatch to name a few, was left handicapped even as angry users took to social media to vent their ire.

Gamers on PC, PlayStation 4 and Xbox One were all affected by the outage. Blizzard Entertainment acknowledged the situation on its official Twitter account.

“We are currently monitoring a DDOS attack against network providers which is affecting latency/connections to our games,” wrote Blizzard in a tweet.

The DDoS attack on lasted for half an hour after PoodleCorp took to Twitter to state that it would halt the attack and restore the servers if the tweet below was retweeted 2,000 times.

The blackmail (ransom note?) found favor with a majority of gamers as they were only too willing to retweet to have access again to the games they were playing. As promised, PoodleCorp stopped the attack once the 2,000 retweet milestone was reached. This is not the first time Blizzard Entertainment has come under the mercy of PoodleCorp.

Earlier in August, we reported that it was hit with a PoodleCorp DDoS attack, which disrupted gameplay for users of until network engineers addressed the issue. Back then however, the hacking group did not ask for retweets.

Blizzard Entertainment has been the victim of a spate of DDoS attacks in the past few months. In June, an attack took down its servers as well. The outage was attributed to Lizard Squad member AppleJ4ck, who claimed responsibility and cautioned that the hack was a small part of some “preparations.”

Aside from the DDoS attack, Blizzard has been having a terrible week anyway. On Sept. 14, 16 and 18, the company suffered from technical issues that prevented or delayed users from logging in and joining the game servers. However, for now, Blizzard Entertainment can breathe easy as the technical problems was encountering owing to the DDoS attack from PoodleCorp have been resolved.



DDoS always knocks twice

If you were DDoSed once, you will be DDoSed again, that is for sure.

A company is rarely attacked by a DDoS (distributed denial of service) just once. If it happens once, it will probably happen again, which is why constant preventive measures are required, if a company wants to keep their online services operational.

These are the results of a new report by Kaspersky Lab. Entitled Corporate IT Security Risks 2016, it says that one in six companies were victims of DDoS attacks in the past 12 months. The majority of those attacks were aimed against construction, IT and telecommunications companies. Almost four out of five (79 per cent) reported more than one attack, and almost half reported being attacked four times, or more. The length of these attacks is also an issue. Just above a third (39 per cent) are considered ‘short-lived’, while more than a fifth (21 per cent) lasted ‘several days’ or even ‘weeks’.

Companies are usually the last to know they’re being attacked, too, with 27 per cent being informed by their customers, and in 46 per cent of cases by their third-party audit organisation. Kaspersky Lab says this is not unusual, as cyber-attackers usually go for customer portals (40 per cent), communication services (40 per cent) and websites (39 per cent).

“It’s dangerous to view DDoS attacks as some rare occurrence that a company may encounter once, by accident, and with minimal damage. As a rule, if an attack is successful, the criminals will use this tool against a company over and over again, blocking its resources for prolonged periods of time. Unfortunately, even a single attack can inflict large financial and reputational losses and, considering the likelihood of a repeat attack is almost 80 per cent, you can multiply these losses two, three or more times. For a modern company, an anti-DDoS solution is just as necessary as the basic protection against malware and phishing,” says Alexey Kiselev, Project Manager on the Kaspersky DDoS Protection team.


Waiting for DDoS

In football, many offensive plays are designed to trick the defense into thinking something else is about to unfold. In the world of cybersecurity, DoS (Denial of Service) or DDoS (Distributed Denial of Service) attacks often serve as a similar smokescreen or decoy to a far more sinister plot with the ulterior motive to mount a computer network breach that results in the loss of data or intellectual property.

It was a DDoS attack that woke up Sony Pictures a year ago (watch the video emailed to Sony employees on the morning of the attack), even though attackers had infiltrated the company’s networks months before undetected, and eventually obliterated its computer systems. According to Fortune, half of Sony’s global network was wiped out, erasing everything stored on 3,262 of the company’s 6,797 personal computers and 837 of its 1,555 servers.

Hackers calling themselves “#GOP” (Guardians of Peace) threatened to release publicly Sony Pictures’ internal data if their demands, including “monetary compensation,” were not met. They weren’t bluffing.

Sobering DDoS Statistics

Recent studies show DDoS attacks growing exponentially in recent years, launched through rentable, relatively inexpensive, anonymous botnets that cost as little as $1,000 and can render an e-commerce website completely inoperable.

  • The average denial of service (DoS) attack costs the victim $1.5 million, according to a separate Ponemon Institute survey sponsored by Akamai and published in March 2015. The 682 responding companies reported four attacks a year.
  • AT&T also reported companies across its network were hit with DDoS attacks four times a year, and 62 percent growth in DDoS attacks over the past two years.
  • Once an organization receives a DDoS attack, the chances of being the object of a data breach are better than 70 percent, reported Neustar Inc., a Sterling, Va.-based provider of cloud-based information services, including conducting research on cloud metrics and managing various top-level internet domains.
  • The second quarter of 2015 set a record for the number of DDoS attacks recorded on Akamai’s Prolexic Routed network – more than double what was reported in 2014’s second quarter.
  • Corero Networks, a Hudson, Mass.-based security services provider, reported that its clients were getting DDoS attacks an average of three times a day, and in the second quarter of 2015 daily attack volume reached an average of 4.5 attacks, a 32 percent increase from the previous quarter.
  • More than 95 percent of the attacks combated by Corero last 30 minutes or less, and the vast majority of the attacks were less than 1 Gbps.
  • Only 43 percent rate their organizations as highly effective in quickly containing DoS attacks, and only 14 percent claimed to have had the ability to prevent such attacks, according to the Ponemon report.
  • The worst DDoS attack on the Akamai network peaked at 214 million packets per second (Mpps), a volume capable of taking out tier 1 routers, such as those used by internet service providers (ISPs).

“It’s pretty hard to stay one step ahead of these guys,” admits Mark Tonnesen, chief information officer (CIO) and chief security officer (CSO) of Neustar. In a recent survey of 760 security professionals commissioned by Neustar and conducted by Simply Direct of Sudbury, Mass., for the U.S. market and Harris Interactive of London for the Europe, Middle East and Africa (EMEA) markets, DDoS attacks increased in 2015 six-fold when compared to the previous year.

“Every day there’s an announcement of some [DDoS attack] going on with a company caught unprepared, trying to ramp up with people and technology,” Tonnesen says. “Companies are looking for any way they can grab an edge any way in identification, detection and reaction time to eliminate the attack.”

Interruption vs. Outage

Those behind DDoS attacks may have ulterior motives to capture real value from the attack, such as financial gain, brand carnage, or intellectual property resold on the underground market. One of those scenarios plays out in nine out of every 10 DDoS attacks, according to Neustar data. The impact on a company’s customers and the firm’s bottom line “negatively impacts everybody’s financials,” Tonnesen points out.

DDoS attacks, which can take the form of an interruption or the more serious outage, almost always serve as a smokescreen that draws attention away from an outright sinister data breach. Meanwhile, the IT staff is trying to figure out why the website isn’t working properly. “Unbeknownst to you, [the malware is] already in your network,” he explains.

A DDoS outage is a complete slaughter of messaging to a network, such as an e-commerce platform. Effectively, the network appears to shut down completely due to the bandwidth overload, making it nearly impossible to get traffic through to the website. In contrast, a DDoS interruption involves attacks targeted at a specific function, such as a customer service organization, or at intellectual property or customer records and identity.

“[An interruption] certainly has a major impact, but it wouldn’t be an outage,” explains Tonnesen. “It’s more of a disruption, not a flat-out attack. The attackers are much more intelligent and organized; they know what they’re certainly looking for, such as affecting your brand and or having a financial impact. There’s an element of showcasing their capability, and the lack thereof of the company that was attacked.” As a result, IT security and network teams must be vigilant and always be on high alert.

The Hybrid Solution

Some CISOs are moving to a “hybrid” approach to combating DDoS attacks of the Open Systems Interconnection (OSI) model application-layer (Layer 7) variety. The approach uses an on-premises client security product that links with a cloud-based mitigation tool. One argument for this approach is that attack victims can react more quickly to a specific attack on a business area, such as engineering or customer support, if they have the benefit of cloud-based updates rather than waiting for a network-based device to be updated.

“Based on the customers I talk to, hybrid approaches are becoming mainstream,” says Tonnesen.

Client and cloud security products work together, with one or the other configured as a rules-based defense against certain types of attacks that affect key assets and applications. Typically, the underlying attack involves a DNA-like sequence that lives at a lower level of an organization’s technology stack, such as malware sitting on a server somewhere, and begins to take over key assets. “That’s where a DDoS mitigation service can really help a weakness or attack sector,” Tonnesen says. “One approach really isn’t good enough anymore.”
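As an added illustration (not code from the article or from any vendor it mentions), the sketch below shows the shape of a rules-based Layer-7 defense that an on-premises device could enforce while accepting rule updates pushed from a cloud service: a block list plus a per-source sliding-window request limit, with the rule set hot-swapped mid-traffic. The addresses, thresholds and request timeline are constructed for the example.

```python
"""Added example (not from the article): a small Layer-7 rules-based
defense of the kind an on-premises device could enforce while taking
rule updates from a cloud mitigation service.  Thresholds, addresses
and the request timeline are constructed for illustration."""
import time
from collections import defaultdict, deque


class L7Defense:
    """Block list plus a per-source sliding-window request limit.
    apply_rules() hot-swaps the rule set without losing request history,
    which is how a cloud-pushed update would take effect."""

    def __init__(self, rules, clock=time.monotonic):
        self.clock = clock
        self.history = defaultdict(deque)   # src -> recent request times
        self.apply_rules(rules)

    def apply_rules(self, rules):
        self.blocked = set(rules.get("block", []))
        self.window = rules["window_seconds"]
        self.limit = rules["max_requests"]

    def check(self, src):
        """Return 'block', 'limit' or 'allow' for one request from src."""
        if src in self.blocked:
            return "block"
        now = self.clock()
        recent = self.history[src]
        # Drop timestamps that have aged out of the sliding window
        while recent and now - recent[0] > self.window:
            recent.popleft()
        recent.append(now)
        return "limit" if len(recent) > self.limit else "allow"


class FakeClock:
    """Deterministic clock so the simulation is reproducible."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t


def simulate(requests, rules, updates=()):
    """Replay (time, src) requests through L7Defense, applying each
    (time, rules) update once the clock reaches it.  Returns per-source
    decision counts."""
    clock = FakeClock()
    defense = L7Defense(rules, clock=clock)
    pending = sorted(updates, key=lambda u: u[0])
    counts = defaultdict(lambda: {"allow": 0, "limit": 0, "block": 0})
    for t, src in sorted(requests):
        clock.t = t
        while pending and pending[0][0] <= t:
            defense.apply_rules(pending.pop(0)[1])
        counts[src][defense.check(src)] += 1
    return {src: dict(c) for src, c in counts.items()}


def run_sample():
    """Constructed timeline: one source sends 1 request/s for 20 s, a
    normal client sends three requests; at t=12 the 'cloud' side pushes
    a rule update that blocks the noisy source outright."""
    base_rules = {"window_seconds": 10, "max_requests": 5, "block": []}
    requests = [(float(t), "198.51.100.7") for t in range(20)]
    requests += [(0.0, "203.0.113.9"), (5.0, "203.0.113.9"), (10.0, "203.0.113.9")]
    pushed = [(12.0, {**base_rules, "block": ["198.51.100.7"]})]
    return simulate(requests, base_rules, pushed)


if __name__ == "__main__":
    print(run_sample())
```

In the constructed run the noisy source gets five requests through, is rate-limited for the next seven seconds, and is blocked outright once the pushed rule lands at t=12, while the normal client is never touched. The point of the split is that the local enforcer keeps working on its current rules when the cloud link is unavailable, and picks up the new rules without a restart when it is.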

Mike Weber, vice president of labs at Coalfire, a cyber risk management and compliance company based in Louisville, Colo., says that “being able to diagnose a denial of service attack does take some time. Generally understanding if it’s a problem internally, such as an application malfunction, system problem or faulty hardware, those kinds of diagnostics take a while.”

When Weber was fending off DDoS attacks at a former employer, a web hosting company, he received an insider’s view of old-fashioned corporate espionage. The client hosting company had known adversaries but could never pin the frequent attacks on a single entity. “They had a good idea who was behind the attacks,” he remembers. “A lot of times, it was their competition. It was used as a revenge tactic – sometimes it was intended to impact that company from a business perspective for whatever reason. Maybe it’s a page rank or advertising issue.”

Attackers use those kinds of attacks to consume the personnel and intellectual capital that would otherwise go into diagnosis. While the victim attempts to identify the strategy and thwart it, companies under attack are typically thrown into a state of chaos.

An attack against a website can be set up to look like a denial of service, interspersed with an attack that achieves the real end goal of flooding log servers. Typically the obvious attack needs to be stopped before one can diagnose the other, less obvious attack. “Think of that as DNS (Domain Name System) amplification – a DDoS attack where the attacker basically exploits vulnerabilities in the DNS servers to be able to turn small inquiries into large payloads, which are directed back to the victim’s server,” Weber says. “Those are a different protocol than those other attacks that are attacking different parts of the infrastructure whether they’re operating systems or applications. So typically they would be targeted towards two different parts of the client environment.”
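To show the detection side of the DNS amplification Weber describes, the added example below (not from the article) scans constructed flow records for hosts that are receiving large DNS responses from several resolvers without having sent matching queries, which is the signature of reflected traffic arriving at a victim. The addresses, byte counts and thresholds are assumptions made for the example.

```python
"""Added example (not from the article): flagging hosts that look like the
target of DNS amplification from constructed flow records.  Addresses,
sizes and thresholds are constructed for illustration."""
from collections import defaultdict

# Constructed flow records: (src_ip, src_port, dst_ip, dst_port, bytes, packets)
SAMPLE_FLOWS = []
# A normal client querying one resolver: small queries, small replies
for i in range(5):
    SAMPLE_FLOWS.append(("192.0.2.5", 40000 + i, "198.51.100.53", 53, 80, 1))
    SAMPLE_FLOWS.append(("198.51.100.53", 53, "192.0.2.5", 40000 + i, 200, 1))
# Large responses from five different resolvers to a host that sent no queries
for i in range(1, 6):
    SAMPLE_FLOWS.append((f"198.51.100.{i}", 53, "203.0.113.10", 55000, 60000, 20))


def dns_amplification_victims(flows, min_ratio=10.0, min_bytes=100_000,
                              min_resolvers=3):
    """Per host, compare DNS response bytes received against DNS query bytes
    sent.  A host receiving far more than it asked for, from several
    resolvers, in volume, is reported as a likely reflection target."""
    stats = defaultdict(lambda: {"q_bytes": 0, "r_bytes": 0, "r_pkts": 0,
                                 "resolvers": set()})
    for src, sport, dst, dport, nbytes, pkts in flows:
        if dport == 53:            # query sent by src
            stats[src]["q_bytes"] += nbytes
        elif sport == 53:          # response received by dst
            s = stats[dst]
            s["r_bytes"] += nbytes
            s["r_pkts"] += pkts
            s["resolvers"].add(src)

    findings = []
    for host, s in stats.items():
        ratio = s["r_bytes"] / max(s["q_bytes"], 1)   # response-to-query bytes
        if (s["r_bytes"] >= min_bytes and ratio >= min_ratio
                and len(s["resolvers"]) >= min_resolvers):
            findings.append({
                "host": host,
                "response_bytes": s["r_bytes"],
                "query_bytes": s["q_bytes"],
                "ratio": ratio,
                "resolvers": len(s["resolvers"]),
                "avg_response_bytes": s["r_bytes"] / max(s["r_pkts"], 1),
            })
    return sorted(findings, key=lambda f: -f["response_bytes"])


if __name__ == "__main__":
    for finding in dns_amplification_victims(SAMPLE_FLOWS):
        print(finding)
```

The same per-host bookkeeping works on the resolver side of the fence: a resolver whose outbound response bytes toward a single destination dwarf the query bytes arriving from it is being used as a reflector, and that is the view an ISP or hosting provider would use to block the stream upstream.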

Malicious Traffic

A typical approach to prevent DDoS from inflicting damage is to re-route non-malicious traffic to a cloud-based or third-party provider whose sole purpose is to mitigate denial of service-type attacks at what’s known as a “scrubbing” center.

“Only clean traffic gets through,” says J.J. Cummings, managing principal of Cisco’s security incident response team.

DDoS traffic then purposely gets diverted to the external provider, which takes the “brunt” of the attack and “roots out all that’s evil and bad.” Denial of service attacks are extremely challenging and can be expensive from a mitigation perspective, in terms of pipe size and technology, he admits.

“At the end of the day it comes down to how critical these business applications are,” Cummings says. “How much do you want to spend to withstand an attack and an attack of what size?”

The first questions that need to be addressed before, during or following a DDoS, says Cummings, “are how big is your Internet pipe and how much bandwidth has been thrown at you historically?” The answers determine a network’s required level of operational capability, as well as what it needs, at a bare minimum, to resume business.

Security products are available from multiple vendors to help harden a company’s public-facing systems so they’re less susceptible to targeted types of attacks. “Those technologies presume you have enough of an Internet pipe to withstand that amount of bandwidth,” says Cummings. Otherwise, it’s a moot point.

Detection analytics is another important tool for putting DDoS mitigation measures in place. “You don’t all the sudden get a terabyte of traffic hitting. It kind of spools up, as that botnet starts to distribute the attack commands,” he adds. With that warning, ISPs can know in advance to block certain IP addresses or certain traffic streams upstream.
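The spool-up Cummings describes can be caught from ordinary bandwidth samples before the pipe saturates, which also answers his two questions about pipe size and historical peak. The added example below (not from the article) establishes a baseline from historical per-minute samples, alerts when consecutive samples climb well above it, and projects the minutes left until an assumed pipe size is saturated; the sample series, pipe size and thresholds are constructed.

```python
"""Added example (not from the article): a spool-up detector over inbound
bandwidth samples.  Pipe size, thresholds and the sample series are
constructed for illustration."""
from statistics import median


def detect_spool_up(samples_mbps, pipe_mbps, baseline_window=20,
                    factor=2.0, consecutive=3):
    """Scan per-minute inbound rate samples in order.  Return details of the
    first point where the last `consecutive` samples are all above
    factor * baseline and strictly increasing, with a linear projection of
    minutes until the pipe is full.  Return None if nothing fires."""
    if len(samples_mbps) <= baseline_window:
        return None
    history = samples_mbps[:baseline_window]
    baseline = median(history)            # robust to a few historical spikes
    threshold = factor * baseline
    for i in range(baseline_window + consecutive - 1, len(samples_mbps)):
        window = samples_mbps[i - consecutive + 1:i + 1]
        rising = all(b > a for a, b in zip(window, window[1:]))
        if rising and all(v > threshold for v in window):
            slope = (window[-1] - window[0]) / (consecutive - 1)  # Mbps per minute
            headroom = pipe_mbps - window[-1]
            eta = headroom / slope if headroom > 0 else 0.0
            return {
                "alert_index": i,
                "rate_mbps": window[-1],
                "baseline_mbps": baseline,
                "threshold_mbps": threshold,
                "historical_peak_mbps": max(history),
                "pipe_mbps": pipe_mbps,
                "eta_minutes": round(eta, 2),
            }
    return None


def constructed_series():
    """Twenty minutes of normal traffic around 100 Mbps, then a ramp that
    would saturate a 1 Gbps pipe within a few minutes (constructed)."""
    return [90, 110, 100, 95, 105] * 4 + [150, 220, 320, 450, 600, 780, 980]


if __name__ == "__main__":
    print(detect_spool_up(constructed_series(), pipe_mbps=1000))
```

On the constructed series the alert fires at the fourth ramp sample (450 Mbps), with roughly five minutes of headroom left on a 1 Gbps pipe; that is the window in which an upstream provider can still be asked to drop the offending streams, and it is the number that shows why a pipe sized only for the historical peak of 110 Mbps would be moot against this attack.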

More sophisticated attacks often are focused on a profit motive and target companies with a lot of money or a gambling site that is taking bets on a major sporting event. In online video gaming or gambling, some players go to the extremes of disrupting the network where the opposition is hosted by firing off a DDoS attack.

Retribution is another scenario with DDoS attacks. A former employee or student gets mad and rents a botnet to conduct the attack.

A significant consequence to a denial of service attack is damage to the victim organization’s reputation, in addition to a potential dollar loss for every minute that the network is offline.

Nearly two-thirds (64 percent) of respondents in the Ponemon Institute’s denial of service study say reputation damage is the main consequence of a DoS attack, with 35 percent for diminished IT staff productivity and 33 percent for revenue losses.

“We try to come up with metrics on how to measure reputation loss, which is pretty significant,” says Larry Ponemon, chairman of the Ponemon Institute, the cybersecurity think tank based in Traverse City, Mich. “When people hear the bad news, what do they do? The churn can be significant from a revenue point of view. People leave, they find alternatives.”

Citing research from the institute’s recent Cost of Data Breach study, Ponemon says the most expensive attack type on a unit cost per attack is DDoS, when compared to other security incidents such as phishing, because it takes a lot of effort to stop it. Meanwhile, he adds, “there’s an extraction of data while people are worrying about the website being down.”

Copyright © 2014. DoS Protection UK. All Rights Reserved.