Category - Stop DDoS Attacks

1. 3 Drivers Behind the Increasing Frequency of DDoS Attacks
2. California Dem hit with DDoS attacks during failed primary bid: report
3. McDreary? The Future of Medical Call Centers & DDoS
4. Massachusetts Man Convicted of Cyber Attack on Hospital
5. Internet security: Slaying the botnet beast and the DDoS dragon
6. DDoS attacks and real-world consequences
7. Check Point: Time for a Fifth Generation of Cybersecurity
8. Protecting your Network Against Ever-Changing Cyber-Attacks
9. DDoS attacks again target Dutch bank
10. DDoS used to oust competition in crypto market

3 Drivers Behind the Increasing Frequency of DDoS Attacks

What’s causing the uptick? Motivation, opportunity, and new capabilities.

According to IDC Research’s recent US DDoS Prevention Survey, more than 50% of IT security decision makers said that their organization had been the victim of a distributed denial-of-service (DDoS) attack as many as 10 times in the past year. For those who experienced an attack, more than 40% lasted longer than 10 hours. This statistic correlates with our ATLAS findings, which show there were 7.5 million DDoS attacks in 2017 — a rate, says Cisco, that is increasing at roughly the same rate as Internet traffic.

What’s behind the uptick? It boils down to three factors: motivation of the attackers; the opportunity presented by inexpensive, easy-to-use attack services; and the new capabilities that Internet of Things (IoT) botnets have.

Political and Criminal Motivations
In an increasingly politically and economically volatile landscape, DDoS attacks have become the new geopolitical tool for nation-states and political activists. Attacks on political websites and critical national infrastructure services are becoming more frequent, largely because of the desire and capabilities of attackers to affect real-world events, such as election processes, while staying undiscovered.

In June, a DDoS attack was launched against the website opposing a Mexican presidential candidate during a debate. This attack demonstrated how a nation-state could affect events far beyond the boundaries of the digital realm. It threatened the stability of the election process by knocking a candidate’s website offline while the debate was ongoing. Coincidence? Perhaps. Or maybe an example of the phenomenon security experts call “cyber reflection,” when an incident in the digital realm is mirrored in the physical world.

DDoS attacks carried out by criminal organizations for financial gain also demonstrate cyber reflection, particularly for global financial institutions and other supra-national entities whose power makes them prime targets, whether for state actors, disaffected activists, or cybercriminals. While extortion on the threat of DDoS continues to be a major threat to enterprises across all vertical sectors, cybercriminals also use DDoS as a smokescreen to draw attention away from other nefarious acts, such as data exfiltration and illegal transfers of money.

Attacks Made Easy
This past April, Webstresser.org — one of the largest DDoS-as-a-service (DaaS) providers in existence, which allowed criminals to buy the ability to launch attacks on businesses and was responsible for millions of DDoS attacks around the globe — was taken down in a major international investigation. The site was used by a British suspect to attack a number of large retail banks last year, causing hundreds of thousands of pounds of damage. Six suspected members of the gang behind the site were arrested, with computers seized in the UK, Holland, and elsewhere. Unfortunately, as soon as Webstresser was shut down, various other similar services immediately popped up to take its place.

DaaS services like Webstresser run rampant in the underground marketplace, and their services are often available at extremely low prices. This allows anyone with access to digital currency or other online payment processing service to launch a DDoS attack at a target of their choosing. The low cost and availability of these services provide a means of carrying out attacks both in the heat of the moment and after careful planning.

The rage-fueled, irrational DDoS-based responses of gamers against other gamers are a good example of a spur-of-the-moment, emotional attack enabled by the availability of DaaS. In other cases, the DaaS platforms may be used in hacktivist operations to send a message or take down a website in opposition to someone’s viewpoint. The ease of access to DaaS services enables virtually anyone to launch a cyberattack with relative anonymity.

IoT Botnets
IoT devices are quickly brought to market at the lowest cost possible, and securing them is often an afterthought for manufacturers. The result? Most consumer IoT devices are shipped with the most basic types of vulnerabilities, including hard-coded/default credentials and susceptibility to buffer overflows and command injection. Moreover, when patches are released to address these issues, they are rarely applied. Typically, a consumer plugs in an IoT device and never contemplates the security aspect, or perhaps does not understand the necessity of applying regular security updates and patches. With nearly 27 billion connected devices in 2017, expected to rise to 125 billion by 2030 according to analysis from IHS Markit, they make extremely attractive targets for malware authors.

In the latter half of 2016, a high-visibility DDoS attack against a DNS host/provider was observed, which affected a number of major online properties. The malware responsible for this attack, and many others, was Mirai. Once the source code for Mirai was published on September 30, 2016, it sparked the creation of a slew of other IoT-based botnets, which have continued to evolve significantly. Combined with the proliferation of IoT devices, and their inherent lack of security, we have witnessed a dramatic growth in both the number and size of botnets. These new botnets provide the opportunity for attackers and DaaS services to create new, more powerful, and more sophisticated attacks.

Conclusion
Today’s DDoS attacks are increasingly multivector and multilayered, employing a combination of large-scale volumetric assaults and stealth infiltration targeting the application layer. This is just the latest trend in an ever-changing landscape where attackers adapt their solutions and make use of new tools and capabilities in an attempt to evade and overcome existing defenses. Businesses need to maintain a constant vigilance on the techniques used to target them and continually evolve their defenses to industry best practices.

Source: https://www.darkreading.com/attacks-breaches/3-drivers-behind-the-increasing-frequency-of-ddos-attacks/a/d-id/1332824

California Dem hit with DDoS attacks during failed primary bid: report

The campaign website of a Democratic congressional candidate in California was taken down by cyberattacks several times during the primary election season, according to cybersecurity experts.

Rolling Stone reported on Thursday that cybersecurity experts who reviewed forensic server data and emails concluded that the website for Bryan Caforio, who finished third in the June primary, was hit with distributed denial of service (DDoS) attacks while he was campaigning.

The attacks, which amount to artificially heavy website traffic that forces hosting companies to shut down or slow website services, were not advanced enough to access any data on the campaign site, but they succeeded in blocking access to bryancaforio.com four times before the primary, including during a crucial debate and in the week before the election.

Caforio’s campaign didn’t blame his loss on the attacks, but noted that he failed to advance to a runoff against Rep. Steve Knight (R-Calif.) by coming up 1,497 votes short in his loss against fellow Democrat Katie Hill.

Caforio’s campaign tried several tactics to deter malicious actors, including upgrading the website’s hosting service and adding specific DDoS protections, which in the end failed to deter the attacks.

“As I saw firsthand, dealing with cyberattacks is the new normal when running for office, forcing candidates to spend time fending off those attacks when they should be out talking to voters,” Caforio told the magazine.

A spokeswoman for the Department of Homeland Security (DHS) told Rolling Stone that it offered to help Caforio’s campaign investigate the four attacks but received no response.

A DHS spokesperson did not immediately respond to a request for comment from The Hill.

An aide to the Democratic Congressional Campaign Committee, the campaign arm for House Democrats, told Rolling Stone that it takes attacks such as the ones Caforio faced “very seriously.”

“While we don’t have control over the operations of individual campaigns, we continue to work with and encourage candidates and their staffs to utilize the resources we have offered and adopt best security practices,” the aide said.

Source: https://thehill.com/policy/cybersecurity/407608-california-democrat-hit-with-ddos-attacks-during-failed-primary-bid

McDreary? The Future of Medical Call Centers & DDoS

As healthcare’s digital transformation continues, security remains a top priority — especially as distributed denial-of-service (DDoS) attacks target the click-to-call features on websites.

Click-to-call defines the services that enable patients to immediately call a hospital or clinic directly from a button on their website, either using a traditional phone service or Voice over Internet Protocol (VoIP) technology. This is different from click-to-callback features, which are used for less pressing medical needs, and is an important differentiation when securing hospital communications from DDoS attacks.

Because direct click-to-call scenarios use more resources, such as audio streams and interactive voice response (IVR) systems, these types of connections are much easier to affect with an application-layer DDoS attack.

When a DDoS attack affects a healthcare system, click-to-call features are often taken fully offline. If this occurs during a health emergency, the implications can mean life or death.

However, click-to-call features also offer enhanced and more personalized engagement in a cost-effective manner, so simply removing them could result in delayed care or service abandonment as well as raise the cost of future care. So what’s the best move?

Neustar’s 2017 Worldwide DDoS Attacks and Cyber Insights Research Report found that while 99% of the organizations it surveyed had some sort of DDoS protection in place, the vast majority of them (90%) were planning to invest more than in the previous year, and 36% thought they should be investing even more than that.

The same way that keeping protected health information (PHI) secure continues to be of the utmost importance, further steps must be taken to protect healthcare organizations from DDoS attacks.

Gated access through proper authentication 
One of the primary ways healthcare organizations can prevent a DDoS attack is through proper authentication. Proper authentication reduces the attack surface by providing a gate of access to those systems and rules out certain flavors of anonymous attacks.

Anonymous DDoS attacks exploit an openly accessible resource and coordinate mass usage of it from many sources; they are challenging to thwart because it is difficult to distinguish attack traffic from genuine usage.

Proper authentication provides a simple differentiation. Credential loss is a possible attack vector even with authentication; however, coordinating a DDoS attack with authentication credentials is much more difficult because the credentials are spread across many separate accounts. For instance, if an attacker has compromised a single account and distributes that one credential to all of the attacking endpoints, a properly protected account could easily thwart the attack with per-account access rate-limiting.

Securing Patient Portals 
Implementing secure patient portals is another way to prevent DDoS attacks on medical call centers.

Patient portals require strong authentication. If proper authentication is required before using resources such as call centers and call agents, then the ability to launch a large-scale attack would require numerous credentials. In circumstances where multi-factor authentication is required, the complexity of a successful DDoS attack only increases — thereby making it more difficult to pull off.

For example, if a username/password entry into a patient portal required a text or email verification as well — or even a prompt on an installed smartphone application — then the loss of even a large set of credentials could not be used in an attack without also compromising some other form(s) of communication. Since patient portals also contain mass amounts of private data, securing that information to the highest degree in order to safeguard it properly is key and can also help prevent a large-scale attack on a hospital’s click-to-call functionality.
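The gate-plus-rate-limit idea from the two sections above, as an added example (not code from the article or from any hospital system): a replayed credential is throttled per account while genuine patients are unaffected. The account names, limits and request log are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class TokenBucket:
    """Classic token bucket: `capacity` calls of burst, refilled at `refill_rate` per second."""
    capacity: float
    refill_rate: float
    tokens: float = field(init=False)
    last: float = field(init=False, default=0.0)

    def __post_init__(self):
        self.tokens = self.capacity

    def allow(self, now):
        # Credit tokens for the time elapsed since the last request, capped at capacity.
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.refill_rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class ClickToCallGate:
    """Authenticate first, then rate-limit per account rather than per source address.

    Limits are constructed for this example: 3 calls of burst per account,
    refilling one call per minute.
    """
    def __init__(self, valid_accounts, capacity=3, refill_per_minute=1.0):
        self.valid = set(valid_accounts)
        self.buckets = defaultdict(lambda: TokenBucket(capacity, refill_per_minute / 60.0))
        self.stats = defaultdict(lambda: {"served": 0, "throttled": 0, "unauthenticated": 0})

    def request(self, account, credential_ok, now):
        """Return the decision for one call attempt and record it against the account."""
        if not credential_ok or account not in self.valid:
            self.stats[account]["unauthenticated"] += 1
            return "reject:unauthenticated"
        if self.buckets[account].allow(now):
            self.stats[account]["served"] += 1
            return "served"
        self.stats[account]["throttled"] += 1
        return "reject:rate_limited"


def simulate():
    """Constructed request log for the scenario the text describes.

    One compromised credential ("patient-0417") is replayed from 200 endpoints
    within ten seconds; two other patients each place one genuine call; one
    attempt fails credential verification (wrong password or missing 2nd factor).
    """
    gate = ClickToCallGate(["patient-0417", "patient-0088", "patient-1932"])
    for i in range(200):                                   # replayed credential, 20 calls/s
        gate.request("patient-0417", credential_ok=True, now=i * 0.05)
    gate.request("patient-0088", credential_ok=True, now=2.0)
    gate.request("patient-1932", credential_ok=True, now=5.0)
    gate.request("patient-0088", credential_ok=False, now=6.0)
    return {acct: dict(s) for acct, s in gate.stats.items()}


if __name__ == "__main__":
    for acct, s in simulate().items():
        print(acct, s)
```

Per-account limiting only protects what sits behind the gate; the login endpoint itself still needs conventional network-layer protection against anonymous flooding.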

What the threat of DDoS attacks means to the global security community 
Today it’s obviously critical that global security managers remain aware of the daunting DDoS threat. When (not “if”) an attack occurs, critical resources are consumed — sometimes even resources that are unrelated.

For example, a DDoS attack against a website might consume networking resources, bringing down a patient portal, and an attack against a patient portal may consume database resources and prevent normal internal operations.

DDoS attacks on weak targets are relatively inexpensive for attackers — existing botnets with simple traffic flooding exist and await the next purchase — and simple networking attacks can be thwarted with up-to-date networking equipment front-ending services.

However, application-aware and custom attacks are much more expensive to create, and can be made prohibitively expensive by taking simple steps like requiring authentication before allowing access to resource offerings.

Additionally, keeping software up-to-date is critical as software flaws are discovered, and quickly updating components is effective at blocking attacks before they can be crafted and deployed. Regularly updating systems and keeping them free of malware not only reduces available botnet size, amplification points and reflection points, but may also prevent a hop-off point for more sophisticated attacks.

As more tech companies enter the healthcare field to enable its digitization, and information security continues to be top of mind in every field, it’s important for those in the security industry — some of whom may directly dabble in healthcare — as well as the healthcare organizations themselves to focus on increasing their security measures and to know what they should be doing to prevent this type of communications attack.

Source: https://www.infosecurity-magazine.com/opinions/mcdreary-medical-ddos/

Massachusetts Man Convicted of Cyber Attack on Hospital

A Massachusetts man was convicted on Wednesday of carrying out a cyber attack on a Boston hospital’s network on behalf of the hacking activist group Anonymous in protest of its treatment of a teenager at the center of a high-profile custody dispute.

A federal jury in Boston found Martin Gottesfeld, 32, guilty of one count of conspiracy to damage protected computers and one count of damaging protected computers, prosecutors said.

Gottesfeld, who is in federal custody, is scheduled to be sentenced on Nov. 14. In a statement posted to YouTube that was recorded in case he was convicted, Gottesfeld said he plans to challenge the verdict.

He also accused prosecutors of ignoring what happened to the teen at the center of the case and of “not telling you the full truth.”

“I’m going to keep fighting,” he said. “I’m not going to give up.”

Prosecutors said that in late 2013, Gottesfeld, a computer systems engineer living in Somerville, Massachusetts, learned about a child custody dispute involving a Connecticut teenager named Justina Pelletier.

Pelletier had been taken into state custody in Massachusetts after a dispute over her diagnosis arose between her parents and Boston Children’s Hospital, which determined her health problems were psychiatric in nature and believed her parents were interfering with her treatment.

Her case garnered national headlines and drew the attention of religious and political groups who viewed it as an example of government interference with parental rights.

Gottesfeld, who disagreed with the hospital’s diagnosis, began advocating online for her release, prosecutors said.

They said Gottesfeld in March 2014 launched a distributed denial of service (DDoS) attack on a residential treatment facility called Wayside Youth & Family Support Network where Pelletier was a resident following her discharge from the hospital.

DDoS attacks shut down or slow websites by flooding them with data.

He later in April 2014 launched a DDoS attack on behalf of Anonymous on the network of Boston Children’s Hospital that not only knocked it off the internet but also affected several other nearby hospitals, prosecutors said.

Amid a federal investigation into his role in the cyber attacks, Gottesfeld fled in early 2016, prosecutors said.

In mid-February 2016, a Disney Cruise Line vessel rescued Gottesfeld and his wife from a disabled powerboat off the coast of Cuba, prosecutors said. He was arrested when the cruise ship returned to Miami.

Source: https://www.usnews.com/news/us/articles/2018-08-01/massachusetts-man-convicted-of-cyber-attack-on-hospital

Internet security: Slaying the botnet beast and the DDoS dragon

Improving device security, better coordination between infrastructure companies, and smarter procurement by businesses are all part of tackling the botnet menace, according to a US government report.

The snappily titled Enhancing the Resilience of the Internet and Communications Ecosystem Against Botnets and Other Automated, Distributed Threats report is the result of an executive order signed by President Donald Trump last May aimed at strengthening the cyber security of federal networks and critical infrastructure.

Botnets and the distributed denial of service (DDoS) attacks they deliver are a growing menace.

Traditional ways of dealing with DDoS effectively involved network providers building in excess capacity to absorb the impact of an attack. However, these incidents have grown in size to more than one terabit per second, far outstripping expected size and excess capacity.

On top of this, standard ways of dealing with DDoS are unable to stop other uses of botnets, such as spreading ransomware. And as botnets add insecure Internet of Things (IoT) devices to magnify their attacks, future incidents can only increase in scale and complexity.

The report from the Department of Homeland Security and the Department of Commerce highlights a number of changes that need to be made.

Infrastructure providers should share more data about evolving threats — especially with smaller, less well-funded, or niche players — and see what benefits come from a move to IPv6, the report said.

Enterprises need to isolate legacy devices and other devices that cannot be secured, deploy on- and off-premise DDoS mitigation services and rethink their network architectures.

Industry and law enforcement should work to find ways to coordinate more often and earlier to detect and prevent threat activity, and to manage incidents that take place.

Devices: the biggest threat

But the biggest section of the report deals with the threat from devices — PCs, smartphones and IoT devices which, it said, have often been designed without security in mind.

“Developers are either unaware of good security design practices, assume that the device will be inaccessible (e.g., on a local network inaccessible from the Internet), or want to avoid security solutions that impose additional cost, increase time to market, or make a device harder for consumers to use. The resulting design choices, such as hard-coded administrative passwords, create inherently insecure devices. In other cases, appropriate security controls are present but usability and user interfaces result in less-secure configurations.”

The report noted that software development results in — optimistically — a flaw every 2,000 lines of code, and many of these flaws create exploitable security vulnerabilities. Although modern servers, desktops, laptops, and smartphones offer significantly fewer opportunities for compromise, this is not the case with new classes of device.

“IoT devices are often sorely lacking in security-focused features. These systems now offer the most attractive target to malicious actors, and are an increasingly large percentage of the devices in the ecosystem,” the report warned.

Another problem is that modern devices are not the only ones connected to the internet: many legacy servers, desktops, laptops, and mobile phones in use today are no longer supported by their manufacturers, so their vulnerabilities cannot be easily addressed. Software piracy can run as high as 70 percent in China, and manufacturers typically restrict the distribution of security patches to systems running legally purchased software, so these systems cannot be secured against known vulnerabilities.

All of this needs to change, the report said.

“Devices must be able to resist attacks throughout their deployment lifecycles — at the time of shipment, during use, and through to end-of-life. For this to occur, security must become a primary design requirement. Vendors must not ship devices with known serious security flaws, must include a secure update mechanism, and must follow best current practices (e.g., no hard-coded passwords, disabling software features that are not critical to operation) for system configuration and administration. Vendors should disclose the minimum duration of support to customers, and device manufacturers should maintain secure update services for the promised duration.”

However, the report acknowledged that at the moment the economics of tech work against security: “Market incentives appear to exacerbate the problem. Product developers prioritize time to market and innovative functionality over security and resilience. Security features are not easily understood or communicated to the consumer, which makes it difficult to generate demand.”

The report said that change could start with the enterprise buyer, and — perhaps optimistically — argued: “The value proposition for better security will likely start in the enterprise environment due to its economies of scale; once there is a generally accepted security posture in a given product class, few manufacturers would be likely to ignore it.”

Source: https://www.zdnet.com/article/internet-security-slaying-the-botnet-beast-and-the-ddos-dragon/

DDoS attacks and real-world consequences

DDoS attacks have long been known as some of the most devastating attacks on the internet. Even so, well, the consequences always seemed to boil down to dollars and cents. Even when a major attack costs a corporation millions of dollars there’s still a bit of relief in being able to say hey, it’s just downtime, it’s just money, what’s the big deal?

For most of history, DDoS attacks have been things that – other than that price tag – can’t escape beyond the boundaries of the internet to cause real-world chaos and consequences.

Times have changed, however. The world is more connected than ever and because of that connectivity it’s never been so at risk. The consequences of DDoS attacks are extending far beyond cyberspace, and it turns out downtime is a very big deal when it comes to infrastructure like a power grid.

Denial of essential services

A distributed denial of service attack, or DDoS attack, has been, for quite some time now, a go-to attack type for cybercriminals of all kinds. When a website or online service shuts out legitimate users due to DDoS-induced downtime, it causes immediate frustration, an immediate loss of revenue, an immediate disruption to business processes and immediate attention on social media and in the traditional media, as well as a long-term loss of loyalty in users and customers that could prove to be the most costly consequence of all. This makes DDoS attacks attractive weapons to businesses looking to gain competitive advantage, activists trying to make a political statement, “entrepreneurs” trying to make money from DDoS ransom notes, shady investors trying to manipulate cryptocurrency values, and of course professional attackers who do the dirty work for all of the above, either with targeted contract attacks or basic DDoS-for-hire services.

Devastating though they may be for the victim (and costly, as mentioned, with per hour costs typically landing between $20,000 and $100,000) it wasn’t until the last few years that the world began to see what these attacks are truly capable of.

In January of 2016 the Ukrainian power grid was hit with a distributed denial of service attack that left 100,000 people without power. The Estonian, Latvian and Lithuanian power grids have also been the targets of DDoS attacks. These attacks have been more limited in scope than the one that hit Ukraine, and experts believe it is because these attacks are being used to probe for vulnerabilities that could be exploited in larger attacks. For all of the above attacks, the finger of blame has been squarely pointed at Russia, and there is every indication that Russia is ready and able to aim a massive attack at the US power grid.

The idea of a sustained attack on a power grid is a terrifying thing, not just because of the chaos it would cause in the economy and the disruption it would represent to every day life, but because if it were timed to coincide with a deep cold or other risky environmental condition, it could kill.

DDoS attacks have also been used to stop or delay trains in both Sweden and Denmark, and security researchers fear for critical infrastructure entities including other transportation systems, oil and gas refineries, power plants, water and waste control facilities including dams, and telecommunications. Critical infrastructure is vulnerable to these attacks in large part due to a process control software application called SCADA, which represents a centralized target that requires as close to 100% uptime as possible.

As security researchers grapple with what can be done to stop these potential attacks, the rest of us have to grapple with the idea that a DDoS attack could cause a dam to fail, causing immense flooding and loss of life, or render critical communications systems in a petrochemical plant useless while malicious code attempts to trigger an explosion. This is the connected world we live in.

Acts of cyberwarfare

In 2016 the North Atlantic Treaty Organization (NATO) officially declared cyberspace a domain of warfare, meaning a cyberattack against a member nation could be considered an act of war by the organization. This paves the way for a response that could range from the retaliatory use of cyber weaponry all the way up to an armed response. Since the declaration, nations all over the globe have been rushing to update guidelines that clarify the justification for using cyber weaponry or responding to cyberattacks with force.

While the idea of an invasion in response to a DDoS attack could seem shocking on the surface, with the DDoS capabilities nation states have already demonstrated against critical infrastructure, these declarations and guidelines are becoming increasingly necessary as the so-called war of the future fought in cyberspace inches closer and closer to being the war of right now. With human lives in the balance, the devastation of DDoS attacks is no longer limited to downtime and dollars.

Source: https://www.talk-business.co.uk/2018/05/30/ddos-attacks-and-real-world-consequences/

Check Point: Time for a Fifth Generation of Cybersecurity

Cybersecurity is entering a new phase that requires IT organizations to put processes in place that are capable of continuously identifying potential threats before they impact operations and detecting them once a breach occurs.

Don Meyer, head of marketing for data center at Check Point Software Technologies, said that shift represents a new fifth era of cybersecurity that requires a mechanism through which cybersecurity intelligence is shared across a layered defense in real time.

Today, most organizations unfortunately still rely mainly on firewalls and anti-virus software that are not integrated in any meaningful way, said Meyer. That’s become problematic, because cybercriminals are becoming more adept at launching polymorphic attacks targeting multiple potential exploits. For example, a distributed denial of service (DDoS) attack may be intended to serve as a distraction as endpoints are being targeted. In some cases, the only purpose of these attacks is to implant malware that hijacks IT infrastructure to mine cryptocurrencies.

To effectively respond to those threats, an IT organization needs a central control plane through which companies can coordinate their response to threats to applications and infrastructure running in the cloud and on-premises. Given the increased volume of attacks and the ever-expanding size of the attack surface that needs to be defended, Meyer said it’s only a matter of time before organizations find themselves relying more on big data along with machine learning algorithms and other forms of artificial intelligence (AI) to defend the extended enterprise.

In fact, Meyer noted that cybercriminals already have access to advanced hacking tools developed by the Central Intelligence Agency (CIA), for example. Cybercriminals are leveraging those tools alongside machine learning algorithms to more precisely identify and target vulnerabilities. Today, cybercrime is a trillion-dollar industry, and much of the profits generated are plowed right back into the development of more sophisticated means of launching attacks. Despite this, cooperation remains limited among organizations trying to defend against these attacks. Unless organizations find some way to share and act on threat intelligence data in real time, the odds will continue to be stacked against them, Meyer said.

Therefore, IT organizations need to move beyond deploying a series of uncoordinated point products to defend against one type of potential threat or another, he said. Rather, a modern approach to cybersecurity requires a much more coordinated response across multiple organizations that have committed to each other’s mutual defense.

It’s unclear where the center of gravity for cybersecurity intelligence will ultimately reside. Check Point and other providers of firewalls say their platforms are the most logical place to coordinate security across thousands of endpoints as well as any number of external cloud platforms. It’s obvious, however, that something must be done. The current status quo for cybersecurity is ineffective—not only will the volume of attacks continue to increase, the ability of IT organizations to discover and then remediate breaches is increasingly being taxed beyond any ability to keep pace.

Source: https://securityboulevard.com/2018/05/check-point-time-for-a-fifth-generation-of-cybersecurity/

Protecting your Network Against Ever-Changing Cyber-Attacks

There have been two notable evolutions made by hackers recently in the DDoS arena. First, there’s been an expansion of botnets. They’ve moved beyond PCs to compromised Internet of Things (IoT) devices and cloud services. That’s vastly expanded the possible sources of attacks.

The second has been the use of highly distributed attack patterns, commonly referred to as carpet-bombing. The two are connected and reflect a sophisticated understanding by the attackers of the limitations of current DDoS defensive technologies.

Most DDoS defenses rely on a simple baseline model to identify ‘abnormal’ surges in traffic towards a specific target. This is an imprecise identification that lacks context, resulting in a lot of false positives. Suspect traffic is routed over a backhaul link to a mitigation appliance; however, much of the re-routed traffic can actually be legitimate. Thus, the process is resource intensive and costly.

It also lacks the network-wide visibility to map attacks back to actual user experience, making it difficult to keep affected (and poor-quality-intolerant) customers apprised of the situation.

In the age of IoT and cloud, it’s getting worse for these traditional defenses. Because the botnets that carry out the attacks have vastly expanded, it is now possible to carry out terabit-level attacks from hundreds of thousands and — not too far off — even millions of compromised devices. Traditional defenses have a harder time dealing with so many flows coming from so many different directions. They are not good at multi-vector attacks.

For example, the attack on the DNS provider DYN, back in October 2016, caused the entire network that DYN was on to suffer massive slow-down. Carried out by the Mirai botnet, which had hundreds of thousands of badly secured IoT devices and compromised cloud servers enslaved, it affected thousands of users. Although it had been initiated by a single attacker, the attack took down the entire infrastructure for a number of hours.

The challenge, if you’re a DNS provider like DYN, is that this DNS-based attack traffic looks like all the other traffic on your network — the perfect diversion. So while you struggle to find out what’s going on with your DNS service, the hijacked cloud servers come into play delivering a high impact, high-bandwidth TCP attack that takes the servers out altogether.

This combination of different attack sources and different attack vectors created the most impactful attack that we have ever seen.

An example of the other side of the coin is a carpet-bomb attack that often results in false negatives. As a method of attack, it evades the “big surge” method of detection. It doesn’t just affect a single target, although a single organization may, in the end, be the target. It affects tens of thousands of users and makes it harder to see who the target actually is.

Fortunately, as we’ve said, there are innovations on the defensive side that can help. We have identified five principles of the new approach to fighting DDoS:

  1. Global-level monitoring: use information about the entire internet and network to understand the context of what is occurring. For instance, is the surge just an AWS file transfer or an attack? If you have an accurate, global database of IP endpoints, you can know what the source is and whether it’s reliable, thus minimizing false positives.
  2. Ratio-based detection: as opposed to big surge detection, this method of identification takes a holistic view of the network. It looks for patterns of attack or signatures. For instance, an imbalance between SYN and SYN ACK, which is the telling signature of a SYN flood attack, will trigger an alert, even if no baseline trigger caused an alert.
  3. Use your routers: mitigation appliances or scrubbers are expensive solutions and inherently limited; routers are already in place and can easily block multiple attack vectors without taking a performance hit. If through global detection you understand all the endpoints from which the attack is coming, you simply create ACLs to drop this traffic at your peering routers.
  4. Protect your network out of the box: most DDoS defense solutions today are an afterthought. Layer in a defensive approach from the beginning. Build holistic network intelligence into your architecture and then use your routers to provide the first layer of blocking or re-routing. This will deal with a majority of the nuisance traffic and reserve the scrubbers for the attacks that require more stateful analysis.
  5. Map it back to quality of experience (QoE): The key point for network operators is that there is no reasonable amount of poor quality streaming, according to the customer. They don’t care why they have been receiving SD video for 40 minutes, they just want it to improve or they’ll complain.

Quality issues like this are a large driver for customer churn, so visualizing and remediating the attack quickly is of utmost importance.

These are some of the principles that can help prepare us for the next level of battle with the ever-imaginative hacker communities. The costs of DDoS attacks are many. Make sure you’re fully prepared with a multi-dimensional, holistic approach to security.

Source: https://www.infosecurity-magazine.com/opinions/protecting-network-attacks/

DDoS attacks again target Dutch bank

Dutch banks ABN Amro and Rabobank were again targeted by DDoS attacks on Sunday night, leaving their online banking services unavailable for a time, ANP reports.

The two Dutch banks were also targeted by such cyber attacks on Thursday. In a DDoS attack, a website is bombarded with data, overloading its server and crashing the site.

Both banks report that all their services are available again, according to the news wire. ABN Amro resolved its problems by 10:00 p.m. on Sunday; Rabobank reported that its online services were up and running again around 2:00 a.m. on Monday.

“The security of Internet Banking, Mobile Banking and iDeal was never in danger”, a spokesperson for ABN Amro said, according to AD.

In January the Dutch Tax Authority, ABN Amro, ING and Rabobank were all hit by multiple DDoS attacks. An 18-year-old man from Oosterhout was arrested. He said he targeted the financial institutions with cyber attacks to prove a point.

Source: https://nltimes.nl/2018/05/28/ddos-attacks-target-dutch-banks

DDoS used to oust competition in crypto market

In the last 12 months, cyber criminals have been using distributed denial-of-service (DDoS) attacks to target crypto-currencies.

That’s according to Alex Cruz Farmer, product manager at Cloudflare, who spoke at the ITWeb Security Summit 2018 event this week.

Criminal perpetrators of DDoS attacks often target sites or services hosted on high-profile Web servers such as banks or credit card payment gateways. Revenge, blackmail and activism can motivate these attacks.

However, when targeting crypto-currencies with DDoS attacks, “it’s not for the good old ransom, it’s a way to run the competition out of town”.

Cloudflare is one of the biggest DDoS mitigation platforms in the world, serving over eight million domains across more than 150 data centres.

Soon to be the norm

A crypto-currency marketplace customer, who had migrated to Cloudflare, suffered an attack which, according to Farmer, demonstrated the complexities of modern-day attacks, which he believes will soon be the norm.

“The customer noticed that there were a huge number of sign-ups to their Web site, way more than usual, and had assumed this was spam or some other scam. After a week or two, they found that thousands and thousands of these accounts were logging in, and repeatedly checking their account balances, which in turn caused their database platform to grind to a halt.”

He explained that within a very short period of time, it was identified and the attack was dealt with, but the attackers did not stop there.

“Further application-based attacks occurred, focusing on almost every endpoint possible, to find another area of weakness. Fortunately, we were wise to these games, and our security teams were able to put adequate protections in place to block any further attacks.”

DDoS evolution

He pointed out that DDoS attacks have evolved over the years, noting that the first ever DDoS was in 1988 caused by the Morris Worm, written by Robert Morris.

“It was a complete accident, the purpose was to gauge the size of the Internet. However, due to an oversight in the code, it ended up taking down the Internet, causing huge amounts of damage, leading to the first ever cyber-related felony in the US.”

From then on, he said, DDoS attacks were inherently focused on exhausting CPU or other resources.

“For example, a simple TCP SYN attack on an Apache server would exhaust open sockets, rendering servers useless, causing any new connections to timeout. The only resolution was to restart the Web server.”

TCP SYN flood (aka SYN flood) is a type of DDoS attack that exploits part of the normal TCP three-way handshake to consume resources on the targeted server and render it unresponsive. Essentially, with SYN flood DDoS, the offender sends TCP connection requests faster than the targeted machine can process them, causing network saturation.
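The "ratio-based detection" principle from the five-principles list earlier on this page (an imbalance between SYNs and SYN-ACKs as the signature of a SYN flood) applied to the SYN flood just described, as an added example that is not code from either article or from Cloudflare. It runs over constructed packet summaries (not a real capture) and contrasts the ratio rule with a plain volume baseline that never fires on the same data.

```python
from collections import defaultdict

# Constructed packet summaries (not a real capture): "<epoch> <src> <dst> <flags>", S = SYN,
# SA = SYN-ACK. Window 0 is normal handshakes; window 60 is a small SYN flood whose SYNs go
# unanswered once the server's backlog fills. Addresses are documentation ranges.
SAMPLE_LOG = """\
5 198.51.100.7 192.0.2.10 S
5 192.0.2.10 198.51.100.7 SA
40 198.51.100.9 192.0.2.10 S
41 192.0.2.10 198.51.100.9 SA
61 203.0.113.1 192.0.2.10 S
62 203.0.113.2 192.0.2.10 S
63 203.0.113.3 192.0.2.10 S
65 198.51.100.7 192.0.2.10 S
65 192.0.2.10 198.51.100.7 SA
66 203.0.113.4 192.0.2.10 S
67 203.0.113.5 192.0.2.10 S
"""

def parse_records(text):
    """One summary line per packet -> (time, src, dst, flags) tuples."""
    return [(int(t), s, d, f) for t, s, d, f in
            (line.split() for line in text.splitlines() if line.strip())]

def syn_counts(records, window=60):
    """Per (window_start, server): [SYNs received, SYN-ACKs sent back]."""
    counts = defaultdict(lambda: [0, 0])
    for t, src, dst, flags in records:
        start = t - t % window
        if flags == "S":        # client -> server connection request
            counts[(start, dst)][0] += 1
        elif flags == "SA":     # server -> client answer
            counts[(start, src)][1] += 1
    return counts

def detect_syn_imbalance(records, window=60, min_syns=5, max_unanswered=0.5):
    """Ratio-based rule: alert when most SYNs in a window got no SYN-ACK."""
    alerts = []
    for (start, server), (syn, synack) in sorted(syn_counts(records, window).items()):
        if syn >= min_syns and (syn - synack) / syn > max_unanswered:
            alerts.append((start, server, syn, synack))
    return alerts

def volume_surge(records, window=60, baseline=50):
    """Plain big-surge rule for comparison: windows whose packet count exceeds baseline."""
    per_window = defaultdict(int)
    for t, *_ in records:
        per_window[t - t % window] += 1
    return sorted(start for start, n in per_window.items() if n > baseline)

if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    print("surge windows:", volume_surge(recs))          # [] -> baseline misses it
    print("SYN imbalance:", detect_syn_imbalance(recs))  # [(60, '192.0.2.10', 6, 1)]
```

The `min_syns` floor keeps a handful of dropped SYNs from a flaky client from raising an alert; tune it and `max_unanswered` to the server's normal handshake failure rate.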

“Unfortunately for the attackers, there were quick and easy solutions for server administrators to protect themselves from SYN attacks, so naturally, the evolution was to find the next destructive option; exhaust the network.

“Come to 2003, we had one of the most epic DDoS attacks ever seen, caused by the infamous SQL Slammer virus. Not only did these attacks cripple the target server, they also crippled the network, and in some cases even their upstream ISP,” Farmer said.

Fast forward five to 10 years, we then saw the birth of User Datagram Protocol (UDP) based reflection attacks, primarily utilising NTP services (the service which sets the time on a computer, mobile phone or any other connected device), he pointed out.

“But, like always, patches are created, and the community came together to build necessary protections. It was UDP-based, so it was easy to block for most networks.”

According to Farmer, 2016 is when things really changed. “Mirai was born, with its debut attack of 540Gb/sec targeting the Rio Olympics, then a few weeks later generating the largest attack the world had seen against security blogger Brian Krebs.”

He explained that Mirai used IoT devices to generate the attacks. “While these devices may seem harmless, under the hood they run a real, fully-loaded operating system, mostly Linux. This means an attacker is able to run whatever script they wish, have it call home, update its firmware and most importantly, lock out the owner.”

Source: https://www.itweb.co.za/content/VgZey7JAZa8vdjX9

Copyright © 2014. DoS Protection UK. All Rights Reserved. Website Developed by: 6folds Marketing Inc. | Demo Test