Category Archives: DDoS Criminals

Mini but mighty: Beware minor DDoS attacks that mask graver threats, warns report

Despite detecting an increase in large distributed denial of service attacks in the first quarter of 2017, Corero Network Security has reported that the greatest DDoS threat currently comes from smaller attacks designed to either hide other malicious activities or set the stage for future malicious actions. Corero, which specializes in DDoS prevention, noted in its just released Q4 2016 – Q1 2017 Trends Report that these “sub-saturation” attacks typically fall within a certain sweet spot: They are short enough in duration and small enough in size to avoid detection by mitigation tools, yet they are still significant enough to serve the attacker’s purpose. According to the company, many legacy and homegrown mitigation tools will not respond to attacks that are less than one Gbps in size and under than 10 minutes in duration, because they do not meet a certain pre-programmed threshold. “…They are just disruptive enough to knock a firewall or intrusion prevention system (IPS) offline so that the hackers can target, map and infiltrate a network to install malware and engage data exfiltration activity,” said Ashley Stephenson, CEO at Corero Network Security, in a company press release. In other cases, the attackers may simply be testing a network for weaknesses, in anticipation of a future malicious action down the line. But even if the DDoS attack is detected, network administrators may too busy responding to the outage to realize that there is actually a bigger threat at hand. In an email to SC Media, Stephanie Weagle, vice president at Corero, cited UK-based telecom company TalkTalk as a recent example. In 2015, hackers stole the company’s customer data using a DDoS attack as an effecitve distraction. “Short DDoS attacks might seem harmless, in that they don’t cause extended periods of downtime. But IT teams who choose to ignore them are effectively leaving their doors wide open for malware or ransomware attacks, data theft or other more serious intrusions,” Stephenson explained. “Just like the mythological Trojan Horse, these attacks deceive security teams by masquerading as a harmless bystander – in this case, a flicker of internet outage – while hiding their more sinister motives.” According to the report, 80 percent of attempted DDoS attacks that were launched against Corero customers in Q1 2017 were less than 1 Gbps in volume, while 71 percent lasted 10 minutes or less. In Q4, 77 percent of DDoS attacks were less than 1 Gbps in volume, while 73 percent were 10 minutes or less in duration. While smaller attacks remain the norm, Corero did see a 55 percent rise in DDoS attacks that were 10 Gbps or larger in Q1, compared to the previous quarter. Corero customers averaged 124 attacks per month in Q1, an increase of nine percent over Q4 2016. Source: https://www.scmagazine.com/mini-but-mighty-beware-minor-ddos-attacks-that-mask-graver-threats-warns-report/article/666432/

Read More:
Mini but mighty: Beware minor DDoS attacks that mask graver threats, warns report

The dark, dangerous, and insanely profitable world of DDoS attacks

Imagine a business model with a 95 percent profit margin. As wonderful as this sound, this business is certainly not something that most would want to get into. We’re talking, of course, about the criminal enterprise of Distributed Denial of Service (DDoS) attacks. This form of cyber-crime has grown exponentially over the past few years, giving CIOs and digital business leaders sleepless nights about whether they’ll be the next victim. Powerful DDoS attacks have a devastating effect: flooding web servers and hauling companies offline, causing untold financial and reputational damage. “The popularity of DDoS has spawned a criminal underworld, with thousands of service providers hiding out on the so-called ‘Dark Web’,” explains Arbor Network’s territory manager for Sub-Sahara, Bryan Hamman. These nefarious organisations offer to execute DDoS attacks for as little as just a few dollars. One simply chooses the type of attack (do you want to use web servers or connected botnets?), the magnitude, the duration, and indicates the victim that they’re targeting. “These Dark Web services have made it very simple to enlist the resources needed for a DDoS attack. Self-service portals and bitcoin payment systems guarantee one’s anonymity and eliminate the need for direct contact with the service provider,” says Hamman. He adds that reports and status updates are all published via these portals, allowing customers to track the impact of their attacks. In some cases, there are even bonuses for each attack that’s commissioned – so DDoS providers even have a form of loyalty programme. Soft targets Cyber-security company Kaspersky Lab recently found that the most basic attack (sold at about USD25 per hour) resulted in a profit to the service provider of about USD18 per hour. But the second revenue stream emerges with those DDoS attacks that demand a ransom from companies in return for restoring services and bringing the victim back online. In these cases, profit shares from the ransoms can push the overall profit margins to over 95 percent. The intended victims themselves are priced differently – with the likes of government websites, and organisations known to have some form of defence in place, commanding a much higher premium, notes Hamman. “It’s interesting to note the level of awareness and information held by the DDoS service providers, as they distinguish between the soft targets and the more difficult quests. Those organisations with the most advanced DDoS defences are far less likely to be targeted,” he explains. The answer “With such rich pickings available for cyber-criminals, it shows that the scourge of DDoS isn’t likely to slow down anytime soon,” highlights Hamman. Almost all types of organisations today are totally dependent on connectivity to sustain their business. As we rapidly adopt Cloud architectures and new mobility or virtual office solutions, all of our data, applications and services are only available when we’re connected. So it stands to reason that organisations should ensure they have professional and dedicated DDoS prevention solutions in place. “Companies need to have what we term ‘layered protection’ – incorporating broad DDoS attack detection and mitigation, alongside network visibility and actionable security intelligence.” “By remaining on the cusp of the latest DDoS protection tools, it becomes possible to thwart any attacks from the growing legion of DDoS attackers out there,” he adds. And, when these criminal services are so immediately available for hire, with just a few clicks of the mouse, the threat of DDoS is ever-present for all businesses and industries. By Bryan Hamman, Arbor Network’s territory manager for Sub-Sahara Source: http://www.itnewsafrica.com/2017/05/the-dark-dangerous-and-insanely-profitable-world-of-ddos-attacks/

More here:
The dark, dangerous, and insanely profitable world of DDoS attacks

Examining the FCC claim that DDoS attacks hit net neutrality comment system

Attacks came from either an unusual type of DDoS or poorly written spam bots. On May 8, when the Federal Communications Commission website failed and many people were prevented from submitting comments about net neutrality, the cause seemed obvious. Comedian John Oliver had just aired a segment blasting FCC Chairman Ajit Pai’s plan to gut net neutrality rules, and it appeared that the site just couldn’t handle the sudden influx of comments. But when the FCC released a statement explaining the website’s downtime, the commission didn’t mention the Oliver show or people submitting comments opposing Pai’s plan. Instead, the FCC attributed the downtime solely to “multiple distributed denial-of-service attacks (DDoS).” These were “deliberate attempts by external actors to bombard the FCC’s comment system with a high amount of traffic to our commercial cloud host,” performed by “actors” who “were not attempting to file comments themselves; rather, they made it difficult for legitimate commenters to access and file with the FCC.” The FCC has faced skepticism from net neutrality activists who doubt the website was hit with multiple DDoS attacks at the same time that many new commenters were trying to protest the plan to eliminate the current net neutrality rules. Besides the large influx of legitimate comments, what appeared to be spam bots flooded the FCC with identical comments attributed to people whose names were drawn from data breaches, which is another possible cause of downtime. There are now more than 2.5 million comments on Pai’s plan. The FCC is taking comments until August 16 and will make a final decision some time after that. The FCC initially declined to provide more detail on the DDoS attacks to Ars and other news organizations, but it is finally offering some more information. A spokesperson from the commission’s public relations department told Ars that the FCC stands by its earlier statement that there were multiple DDoS attacks. An FCC official who is familiar with the attacks suggested they might have come either from a DDoS or spam bots but has reason to doubt that they were just spam bots. In either case, the FCC says the attacks worked differently from traditional DDoSes launched from armies of infected computers. A petition by activist group Fight for the Future suggests that the FCC “invent[ed] a fake DDoS attack to cover up the fact that they lost comments from net neutrality supporters.” But while FCC commissioners are partisan creatures who are appointed and confirmed by politicians, the commission’s IT team is nonpartisan, with leadership that has served under both Presidents Obama and Trump. There’s no consensus among security experts on whether May 8 was or wasn’t the result of a DDoS attack against the FCC comments site. One security expert we spoke to said it sounds like the FCC was hit by an unusual type of DDoS attack, while another expert suggested that it might have been something that looked like a DDoS attack but actually wasn’t. Breaking the silence FCC CIO David Bray offered more details on how the attack worked in an interview with ZDNet published Friday. Here’s what the article said: According to Bray, FCC staff noticed high comment volumes around 3:00 AM the morning of Monday, May 8. As the FCC analyzed the log files, it became clear that non-human bots created these comments automatically by making calls to the FCC’s API. Interestingly, the attack did not come from a botnet of infected computers but was fully cloud-based. By using commercial cloud services to make massive API requests, the bots consumed available machine resources, which crowded out human commenters. In effect, the bot swarm created a distributed denial-of-service attack on FCC systems using the public API as a vehicle. It’s similar to the distributed denial of service attack on Pokemon Go in July 2016. This description “sounds like a ‘Layer 7’ or Application Layer attack,” Cloudflare Information Security Chief Marc Rogers told Ars. This is a type of DDoS, although it’s different from the ones websites are normally hit with. “In this type of [DDoS] attack, instead of trying to saturate the site’s network by flooding it with junk traffic, the attacker instead tries to bring a site down by attacking an application running on it,” Rogers said. “I am a little surprised that people are challenging the FCC’s decision to call this a DDoS,” Rogers also said. Cloudflare operates a global network that improves performance of websites and protects them from DDoS attacks and other security threats. When asked if the FCC still believes it was hit with DDoS attacks, an FCC spokesperson told Ars that “there have been DDoS attacks during this process,” including the morning of May 8. But the FCC official we talked to offered a bit less certainty on that point. “The challenge is someone trying to deny service would do the same thing as someone who just doesn’t know how to write a bot well,” the FCC official said. FCC officials said they spoke with law enforcement about the incident. Spam bots and DDoS could have same effect DDoS attacks, according to CDN provider Akamai, “are malicious attempts to render a website or Web application unavailable to users by overwhelming the site with an enormous amount of traffic, causing the site to crash or operate very slowly.” DDoS attacks are “distributed” because the attacks generally “use large armies of automated ‘bots’—computers that have been infected with malware and can be remotely controlled by hackers.” (Akamai declined to comment on the FCC downtime when contacted by Ars.) In this case, the FCC’s media spokesperson told Ars the traffic did not come from infected computers. Instead, the traffic came from “cloud-based bots which made it harder to implement usual DDoS defenses.” The FCC official involved in the DDoS response told us that the comment system “experienced a large number of non-human digital queries,” but that “the number of automated comments being submitted was much less than other API calls, raising questions as to their purpose.” If these were simply spammers who wanted to flood the FCC with as many comments as possible, like those who try to artificially inflate the number of either pro- or anti-net neutrality comments, they could have used the system’s bulk filing mechanism instead of the API. But the suspicious traffic came through the API, and the API queries were “malformed.” This means that “they aren’t formatted well—they either don’t fit the normal API spec or they are designed in such a way that they excessively tax the system when a simpler call could be done,” the FCC official said. Whether May 8 was the work of spam bots or DDoS attackers, “the effect would have been the same—denial of service to human users” who were trying to submit comments, the FCC official said. But these bots were submitting many fewer comments than other entities making API calls, suggesting that, if they were spam bots, they were “very poorly written.” The official said a similar event happened in 2014 during the previous debate over net neutrality rules, when bots tied up the system by filing comments and then immediately searching for them. “One has to ask why a bot would file, search, file, search, over and over,” the official said. If it was just a spam bot, “one has to wonder why, if the outside entity really wanted to upload lots of comments in bulk, they didn’t use the alternative bulk file upload mechanism” and “why the bots were submitting a much lower number of comments relative to other API calls,” the official said. The FCC says it stopped the attacks by 8:45am ET on May 8, but the days that followed were still plagued by intermittent downtime. “There were other waves after 8:45am that slowed the system for some and, as noted, there were ‘bots’ plural, not just one,” the FCC official said. On May 10, “we saw other attempts where massive malformed search queries also have hit the system, though it is unclear if the requestors meant for them to be poorly formed or not. The IT team has implemented solutions to handle them even if the API requests were malformed.” Was it a DDoS, or did it just look like one? There is some history of attackers launching DDoS attacks from public cloud services like Amazon’s. But the kind of traffic coming into the FCC after the John Oliver show might have looked like DDoS traffic even if it wasn’t, security company Arbor Networks says. Arbor Networks, which sells DDoS protection products, offered some analysis for its customers and shared the analysis with Ars yesterday. Arbor says: When a client has an active connection to a website which is under heavy load, there is a risk that the server will be unable to respond in a timely fashion. The client will then start to automatically resend its data, causing increased load. After a while, the user will also get impatient and will start to refresh the screen and repeatedly press the “Submit” button, increasing the load even further. Finally, the user will, in most cases, close the browser session and will attempt to reconnect to the website. This will then generate TCP SYN packets which, if processed correctly, will move to the establishment of the SSL session which involves key generation, key exchange, and other compute intensive processes. This will most likely also timeout, leaving sessions hanging and resulting in resource starvation on the server. A spam bot would behave in the same manner, “attempting to re-establish its sessions, increasing the load even further,” Arbor says. “Also, if the bot author wasn’t careful with his error handling code, the bot might also have become very aggressive and start to flood the server with additional requests.” What the FCC saw in this type of situation might have looked like a DDoS attack regardless of whether it was one, Arbor said: When viewed from the network level, there will be a flood of TCP SYN packets from legitimate clients attempting to connect; there will be a number of half-open SSL session which are attempting to finalize the setup phase and a large flood of application packets from clients attempting to send data to the Web server. Taken together, this will, in many ways, look similar to a multi-faceted DDoS attack using a mix of TCP-SYN flooding, SSL key exchange starvation, and HTTP/S payload attacks. This traffic can easily be mistaken for a DDoS attack when, in fact, it is the result of a flash crowd and spam bot all attempting to post responses to a website in the same time period. DDoS attacks generally try to “saturate all of the bandwidth that the target has available,” Fastly CTO Tyler McMullen told Ars. (Fastly provides cloud security and other Web performance tools.) In the FCC’s case, the attack sounds like it came from a small number of machines on a public cloud, he said. “Another form of denial-of-service attack is to make requests of a service that are computationally expensive,” he said. “By doing this, you don’t need a ton of infected devices to bring down a site—if the service is not protected against this kind of attack, it often doesn’t take much to take it offline. The amount of traffic referenced here does not make it obvious that it was a DDoS [against the FCC].” Server logs remain secret The FCC declined to publicly release server logs because they might contain private information such as IP addresses, according to ZDNet. The logs reportedly contain about 1GB of data per hour from the time period in question, which lasted nearly eight hours. The privacy concerns are legitimate, security experts told Ars. “Releasing the raw logs from their platform would almost certainly harm user privacy,” Rogers of Cloudflare told Ars. “Finally, redacting the logs would not be a simple task. The very nature of application layer attacks is to look exactly like legitimate user traffic.” McMullen agreed. “Releasing the logs publicly would definitely allow [the details of the attack] to be confirmed, but the risk of revealing personal information here is real,” he said. “IP addresses can sometimes be tied to an individual user. Worse, an IP address combined with the time at which the request occurred can make the individual user’s identity even more obvious.” But there are ways to partially redact IP addresses so that they cannot be tied to an individual, he said. “One could translate the IP addresses into their AS numbers, which is roughly the equivalent of replacing a specific street address with the name of the state the address is in,” he said. “That said, this would still make it clear whether the traffic was coming from a network used by humans (e.g. Comcast, Verizon, AT&T, etc) or one that primarily hosts servers.” Open by design The FCC’s public comments system is supposed to allow anyone to submit a comment, which raises some challenges in trying to prevent large swarms of traffic that can take down the site. The FCC has substantially upgraded its website and the back-end systems that support it since the 2014 net neutrality debate. Instead of ancient in-house servers, the comment system is now hosted on the Amazon cloud, which IT departments can use to scale computing resources up and down as needed. But this month’s events show that more work needs to be done. The FCC had already implemented a rate limit on its API, but the limit “is tied to a key, and, if bots requested multiple keys, they could bypass the limit,” the FCC official told us. The FCC has avoided using CAPTCHA systems to distinguish bots from humans because of “challenges to individuals who have different visual or other needs,” the official said. Even “NoCAPTCHA” systems that only require users to click a box instead of entering a hard-to-read string of characters can be problematic. “Some stakeholders who are both visually impaired and hearing impaired have reported browser issues with NoCAPTCHA,” the FCC official said. “Also a NoCAPTCHA would mean you would have to turn off the API,” but there are groups who want to use the API to submit comments on behalf of others in an automated fashion. Comments are often submitted in bulk both by pro- and anti-net neutrality groups. The FCC said it worked with its cloud partners to stop the most recent attacks, but it declined to share more details on what changes were made. “If folks knew everything we did, they could possibly work around what we did,” the FCC official said. Senate Democrats asked the FCC to provide details on how it will prevent future attacks. While the net neutrality record now contains many comments of questionable origin and quality, the FCC apparently won’t be throwing any of them out. But that doesn’t mean they’ll hold any weight on the decision-making process. “What matters most are the quality of the comments, not the quantity,” Pai said at a press conference this month. “Obviously, fake comments such as the ones submitted last week by the Flash, Batman, Wonder Woman, Aquaman, and Superman are not going to dramatically impact our deliberations on this issue.” There is “a tension between having open process where it’s easy to comment and preventing questionable comments from being filed,” Pai said. “Generally speaking, this agency has erred on the side of openness. We want to encourage people to participate in as easy and accessible a way as possible.” Source: https://arstechnica.com/information-technology/2017/05/examining-the-fcc-claim-that-ddos-attacks-hit-net-neutrality-comment-system/

Excerpt from:
Examining the FCC claim that DDoS attacks hit net neutrality comment system

‘Cyberattacks could contribute to a dramatic shift in world power’

In our five-minute CIO series, Lior Tabansky explains how cyberattacks could have a seismic effect on the world order. Lior Tabansky is a cyber power scholar at the Blavatnik Interdisciplinary Cyber Research Center (ICRC) and the director of strategy in Tel-Aviv-based cybersecurity consultancy firm CSG. Tabansky brings a refreshing interdisciplinary approach to cybersecurity to the table, facilitated by his political science and security studies, 15 years of hands-on IT professional practice, and high-level think tank, policy and corporate experience. His strategic cybersecurity expertise stems from a unique combination: service in the Israeli Air Force, subsequent career designing and managing business ICT infrastructure, postgraduate political science education and a proven commitment to interdisciplinary, academic policy-oriented research. Tabansky recently wrote an insightful and timely book – Cybersecurity in Israel – co-authored with Prof Isaac Ben-Israel and published by Springer. This comprehensive yet concise work offers an ‘insider’ strategic analysis of Israeli cyber power, with invaluable lessons to be learned by governments and corporations alike. How does one become a cyber scholar? I was always interested in politics and international relations because, since high school, I figured out this was important and I wanted to know how the world works. In parallel, around the mid-90s, the whole PC revolution happened and it fascinated me. And then you realise that things don’t work like they are supposed to, and I learned on my own to play with it and fix it and from there on, I pursued parallel academic tracks. One track was political science and security studies and, in parallel, I began working in IT as an admin because they paid more than other professions. Around 2003, I was doing a master’s on the role of IT in counter-terrorism and that’s how I became more established academically in this field. From there on, technology changed, and I was studying mostly the development of how it can challenge national security. Is most of your work academic? First of all, this subject is not very fashionable in academia because it is mostly current affairs; it relates to policy issues and is constantly moving, so it is on the fringes of the academic world. I had a lot of backlash for trying to pursue proper academic research with things that are constantly moving. It’s a conceptual issue. On top of that, the centre we established at Tel-Aviv University is more like a think tank in terms of influencing policy debates –it is mostly pure research. We also hold our Cyber Week conference in the summer, which attracts 5,000 people and delegations from 50 countries. With cyberattacks on the rise, every individual is threatened. How do you see the world we are in? This is not a purely defence issue, each one of us is affected. This is precisely why, as a civilisation, we build societies, states, cities and so on. The primary duty of the state is to provide security for society. Of course, you need to change a lot and adapt and this is where I think the west, and particularly the US, are doing a particularly bad job. They were the first to develop the whole field, to recognise and publish the deep implications of technology, and yet they are still all the time complaining about China, and now it has switched to Russia; but their governments fail to protect the companies, the citizens and civil society, and maybe they are not even trying. So, the failure is not even trying. This is a very typical problem. We are in the midst of a revolution similar to the industrial revolution and, unless society and states adapt, we will see dramatic shifts in world power. And, sitting where we are sitting, that is not a good thing. The shakes and tremors will come at everyone’s expense. Most of the rest of the world doesn’t like the western world’s dominance, and these are the ones who will continue to challenge the western way of life – it is a dangerous situation. Do you feel that the way the western world is going about cybersecurity – with an emphasis on surveillance rather than defence – is the wrong approach? Yes. It is not a resource issue. The US, for example, has by far the largest resources of all their competitors combined, definitely in defence and security. The NSA has been the largest employer of mathematicians for decades, so they are way ahead of all of us in that field. The problem is politics. How you work these things out and the balance between all sorts of values and security is very difficult, and, of course, no one knows how to get it right. It’s not a resource issue. The US has unlimited resources, manpower and technology, and they can get it right. If you try to focus too much on defence and security, you will harm civil liberties and so on, and no one wants that. The thing is, while we are figuring out how to solve it over the last few decades, your adversaries will try to act more and more in their interests. Has Israel gotten it right? There is much more to be done. We are relatively in a good situation compared to other western democracies. However, it is far away from the ideal situation that we have in security affairs. We pay taxes, we get security, and it works pretty well. Europe is in a great historic anomaly of having several decades of zero wars. This is only because societies got the defence issue right, which includes economics, diplomacy and other things. Unless we get it right in the cyber area, there will be changes. This is what history is about. And if we don’t get it right? Will some countries do better than others? There are a lot of instruments for cooperation between like-minded countries in terms of official bodies such as the EU and NATO and, more importantly, bilateral. This is where the strengths of the west lie, in the freedom to have people meet and develop new ideas. This is our best chance. It is a case of western civilisation versus the rest of the world that wants to compete with us. And yet, when it comes to security, organisations spend a fortune on cyber defence, only to have it unravel because one individual opens a phishing email … I’m happy to hear from you as a technology journalist acknowledge that technology can have human failure. From an information security perspective, we have a good empirical knowledge of how things happen. Most of the important breaches involve insiders; everything involves human behaviour. The top four strategies for cyber defence will mitigate 94pc of all breaches. There are already so many readily available, built-in technology solutions that we can use and yet we don’t, and the problem is with humans. This again brings me to society and politics, and policy and government issues, which are more complicated than a single solution or bunch of solutions. The other issue is, we do not know what the threats will look like. It is much worse when it is cyber because of the rate of change. Therefore, I don’t know if that is the official position of Israeli strategy but the underlying notion is, we don’t know what capability we will need in the future. It’s not like we can design a great aeroplane and it would take 20 years and we get there; we need to have an ecosystem in place that’s dynamic enough to identify changes and to adapt rapidly. It’s a dramatically different mindset from other defence issues. You can’t just plan ahead. It is much more complicated and you need to involve sectors of society, the private sector (whether they like it or not), the education system, academia. The main responsibility for national defence should be the defence organisations. In the last year, attacks such as WannaCry, and the various DDOS attacks on the internet of things and cloud organisations, suggest a worrying spike in attack capabilities. Do you agree? It is very predictable: if you take Moore’s Law and subsequent laws in networking and memory, and continue to extrapolate forward, yes, the internet of things is definitely going to happen. The complexity is growing, the number of potential threat vectors is growing, and it only means that you need to put in place better policies and prioritise where to put the limited funds we have. Unlike the Americans who have unlimited resources, in Israel, we don’t consider DDOS attacks a big problem, but of course we do things to prevent them. The Israeli government’s networks have been withstanding DDOS attacks, larger than the Estonians suffered in 2007, routinely. You need to assume things will go wrong and focus on the more narrow, more critical elements, because we cannot cover everything. Has the best attack not yet been invented? Since 2002, the government has legislated an arrangement for critical infrastructure protection. The concern was not information under threat, but the symbiosis between the operational technology and the information technology. I think this remains the major threat scenario: a disruptive or destructive attack on the systems that underpin our modern life. What would be the typical attack volume on Israel, what are you dealing with? State of the art! Whatever appears on the market, we usually get it first. Even 10 years ago, we had a lot of solutions readily available to deploy to mitigate massive DDOS attacks; even today, it is a matter of where you put your investment. If you spend enough money, you can mitigate any volume of DDOS attack, but is it worth the effort? Attackers are not interested in achieving the specific volume of attack, they are interested in achieving an effect. And the better your defences are, the more it helps you to incur higher costs on them. Source: https://www.siliconrepublic.com/enterprise/israel-cyber-defence

View article:
‘Cyberattacks could contribute to a dramatic shift in world power’

What is a DDoS attack? What happens during a DDoS attack?

DDoS attacks can leave systems down for days. But how do they actually work? DDoS attacks are one of the most common forms of cyber attack, with the number of global DDoS attacks increasing to 50 million annually, according to VeriSign. Distributed denial of service, or DDoS for short, refers to a cyber attack resulting in victims being unable to access systems and network resources, essentially disrupting internet services. The DDoS attack will attempt to make an online service or website unavailable by flooding it with unwanted traffic from multiple computers. For a DDoS attack to be successful, an attacker will spread malicious software to vulnerable computers, mainly through infected emails and attachments. This will create a network of infected machines which is called a botnet. The attacker can then instruct and control the botnet, commanding it to flood a certain site with traffic: so much that its network ceases to work, taking the site offline. There are lots of different ‘types’ of botnets, with the most recent, called Mirai, housing an estimated 380,000 bots. Mirai, which shot to fame in 2016, had the potential to infect unsecured internet of things devices, such as DVRs and IP cameras. Mirai famously shut down internet access for nearly one million Germans by exploiting security flaws in routers at OEM manufacturers Speedport and Zyxel, shutting down web access for about one million Deutsche Telekom customers for two days. Why hackers choose DDoS attacks? DDoS attacks can take down websites of all sizes, from heavy duty enterprises to smaller, more vulnerable sites. The moves for attacks can vary widely from politics to pure financial gain. DDoS attacks can be sold. So a buyer could request a certain site is taken offline, and pay a sum for its execution. Revenge is often a motive in these cases. Alternatively, attackers might want to blackmail a site for money and keep their site down for days until they pay. Finally, a popular tactic used to influence political events and block others political agendas is to overwhelm and bring down sites with different views and you. This activism is becoming an increasingly popular way of using DDoS attacks to control the media. How do I know if I’m a victim of a DDoS attack? Before your website crashes and goes offline entirely, there are a few warning signs to look out for. A common effect of DDoS attacks is an unusually slow connection to your site. Some DDoS attacks twin this with a large and sharp increase of spam emails. If your overall network performance is slow, there is no need to assume it’s a DDoS attack but if it has slowed down rapidly and you’re unable to open files or perform usually quick maintenance tasks on your website, you might have a problem. For most, the biggest (and most obvious) giveaway is that your site cannot be accessed. If you’ve checked all other possibilities, and you have no access whatsoever, it could be a DDoS attack. Source: http://www.techworld.com/security/how-does-ddos-attack-work-3659197/

See original article:
What is a DDoS attack? What happens during a DDoS attack?

News in brief: laptop ban could be extended; DDoS hits news sites; Taiwan might block Google DNS

Laptop ban could be extended Planning on flying from European countries to the US? Prepare to check in your laptop, tablet and any other devices larger than a cellphone, as US authorities are reported to be close to announcing an extension of the restriction on devices in the cabin from some Middle Eastern and Gulf countries to some countries in Europe, too. After the initial ban was announced, observers pointed out that the lithium batteries that power laptops and other devices have been banned from the holds of aircraft, adding that they’d prefer a battery fire in the cabin, where it can quickly be dealt with by crew, than in the hold. Lithium batteries have been implicated in many incidents – the US authorities were reported on Thursday to be in discussions about the risks of carrying a large number of batteries in the hold. If you’re affected by the ban, which also applies from some airports and to some carriers flying into the UK, we’ve got some tips on how to minimise the risk to your devices and the data on them in this piece. News sites hit by DDoS attack Just days after France shrugged off a dump of emails stolen from the campaign of the new president, Emmanuel Macron, leading French news websites including those of Le Monde and Le Figaro were knocked offline following a cyberattack on Cedexis, a cloud infrastructure provider. Cedexis had been hit by a “significant DDoS attack”, said Julien Coulon, the company’s co-founder. Cedexis was founded in France in 2009 and has its US headquarters in Portland, Oregon. Meanwhile, the victorious Macron shrugged off the cyberattack that was thought to be aimed at generating support for his far-right opponent, Marine Le Pen, as it emerged that his campaign had turned the table on the hackers, deliberately signing into phishing sites with a view to planting fake information. Mounir Mahjoubi, the digital lead for the campaign, told the Daily Beast: “You can flood these [phishing] addresses with multiple passwords and log-ins, true ones, false ones, so the people behind them use up a lot of time trying to figure them out.” Taiwan could block Google DNS Taiwan is planning to block access to Google’s public DNS service, claiming the move will improve cybersecurity, the Register reported on Thursday. It’s not clear if the block to Google’s DNS, which many people use to bypass government filters on banned websites, would apply to the whole population or just to government officials. The presentation seen by The Register seems to suggest the aim is to reduce the risk of DNS spoofing. Taiwan doesn’t usually crop up on the list of countries where there’s concern about censorship of the internet, but he Register notes that customers of one Taiwanese ISP, HiNet broadband, had earlier this year reported issues with connecting to sites and platforms that users in mainland China are blocked from, including Facebook, YouTube, Google and Gmail. Source: https://nakedsecurity.sophos.com/2017/05/11/news-in-brief-laptop-ban-could-be-extended-ddos-hits-news-sites-taiwan-might-block-google-dns/

More:
News in brief: laptop ban could be extended; DDoS hits news sites; Taiwan might block Google DNS

Democrats Want FCC’s Pai to Drill Down on DDoS Attacks

A pair of Democratic senators has asked FCC chairman Ajit Pai for more information on what the FCC has said were multiple DDoS attacks on its website that affected comments being posted there. FCC chief information officer Dr. David Bray said the attacks “made it difficult for legitimate commenters to access and file with the FCC.” The key docket in terms of activity that could have been interrupted is net neutrality, where the FCC still managed to post more than half a million comments since last week, attack or no. Among the senators’ questions was whether any comments were prevented from being submitted and if so how many. Sens. Ron Wyden of Oregon and Brian Schatz of Hawaii, the latter the ranking member of the Senate Communications Subcommittee, sent a letter to Pai about the May 8 attack (which came in the wee hours of the morning following the May 7 airing of John Oliver’s call for a flood of comments in support of net neutrality). They asked about the FCC’s defenses against such an attack should it be repeated and that the chairman insure there were other ways to comment as a workaround, a dedicated email account for example. “Any potentially hostile cyber activities that prevent Americans from being able to participate in a fair and transparent process must be treated as a serious issue.” Specifically, they wanted information on the following by June 8: “Please provide details as to the nature of the DDoS attacks, including when the attacks began, when they ended, the amount of malicious traffic your network received, and an estimate of the number of devices that were sending malicious traffic to the FCC. To the extent that the FCC already has evidence suggesting which “actor(s) may have been responsible for the attacks, please provide that in your response. “Has the FCC sought assistance from other federal agencies in investigating and responding to these attacks? Which agencies have you sought assistance from? Have you received all of the help you have requested? “Several federal agencies utilize commercial services to protect their websites from DDoS attacks. Does the FCC use a commercial DDoS protection service? If not, why not? To the extent that the FCC utilizes commercial DDoS protection products, did these work as expected? If not, why not? “How many concurrent visitors is the FCC’s website designed to be able to handle? Has the FCC performed stress testing of its own website to ensure that it can cope as intended? Has the FCC identified which elements of its website are performance bottlenecks that limit the number of maximum concurrent visitors? Has the FCC sought to mitigate these bottlenecks? If not, why not? “Did the DDoS attacks prevent the public from being able to submit comments through the FCC’s website? If so, do you have an estimate of how many individuals were unable to access the FCC website or submit comments during the attacks? Were any comments lost or otherwise affected? “Will commenters who successfully submitted a comment — but did not receive a response, as your press release indicates — receive a response once your staff have addressed the DDoS and related technical issues?” While the letter did not question whether such an attack had happened, others have. “We think it’s more than just coincidence that the FCC would cite a DDoS attack at the same time that John Oliver’s call to make public comment on the FCC website in favor of net neutrality went viral,” said Rashad Robinson, executive director of Color Of Change, a big Title II fan. “That said, we certainly hope to see a full investigation into what happened in order to ensure the integrity and full transparency of a key federal agency. But the unfortunate reality is that, after everything this administration has done to steal our rights as Americans, we wouldn’t be surprised if this was merely an attempt to label the democratic exercise of free speech as a cyberattack.” Source: http://www.radioworld.com/news-and-business/0002/democrats-want-fccs-pai-to-drill-down-on-ddos-attacks/339655

See the original article here:
Democrats Want FCC’s Pai to Drill Down on DDoS Attacks

APAC organisations report average revenue loss of US$250,000 to DDoS attacks

Distributed Denial of Service (DDoS) attacks are causing revenue loss to organisations in Asia Pacific (APAC), according to Neustar’s Worldwide DDoS Attacks and Cyber Insights Research Report. A third (33 percent) of APAC organisations reported average revenue loss of at least US$250,000. Nearly half (49 percent) of organisations in the region take at least three hours to detect, and 42 percent take at least three hours to respond. The instances of ransomware and malware reported in concert with DDoS attacks were reported by 49 percent of organisations in APAC too. “With organisations across Asia Pacific being attacked more often and DDoS attacks predicted to become even larger and more complex, IT and business leaders need to evaluate the effectiveness of existing security strategies,” said Robin Schmitt, general manager, APAC at Neustar. Global findings The report also found that 99 percent of organisations globally have some sort of DDoS protection in place. However, 849 out of 1,010 organisations surveyed globally were attacked with no particular industry spared. Forty percent of the ‘victims’ said they received attack alerts from customers. More than half (51 percent) of attacks involved some sort of loss or theft, with a 38 percent increase year-over-year in customer data, financial and intellectual property thefts. Forty-five percent of DDoS attacks across the globe were reported to be more than 10 gigabits per second (Gbps), while 15 percent of attacks were at least 50 Gbps.. “The research shows that simply identifying an attack and depending on basic defences is not enough. Organisations in the region need to adopt stronger defences and innovative solutions to more quickly and effectively mitigate the growing risk and likely impact of a major DDoS attack,” said Schmitt. Source: https://www.mis-asia.com/tech/security/apac-organisations-report-average-revenue-loss-of-us250000-to-ddos-attacks/

See original article:
APAC organisations report average revenue loss of US$250,000 to DDoS attacks

FCC says DDOS attacks, not net neutrality comments, tied up comments system

The federal agency did not provide any evidence of the alleged attacks, which occurred as HBO comedian John Oliver urged viewers to flood the FCC with comments. The Federal Communications Commission (FCC) on Monday said that consumers trying to use its Electronic Comment Filing System ran into delays Sunday night because of multiple distributed denial-of-service (DDoS) attacks — not due to a deluge of comments from net neutrality proponents, as early reports suggested. “Beginning on Sunday night at midnight, our analysis reveals that the FCC was subject to multiple distributed denial-of-service attacks (DDos),” FCC chief information officer David Bray said in a statement. “These were deliberate attempts by external actors to bombard the FCC’s comment system with a high amount of traffic to our commercial cloud host. These actors were not attempting to file comments themselves; rather they made it difficult for legitimate commenters to access and file with the FCC.” The statement followed news reportssuggesting the FCC site was once again overwhelmed by commenters trying to voice their support for net neutrality at the behest of comedian John Oliver. On his HBO show Sunday night, Oliver urged viewers to leave comments at goFCCyourself.com, a URL that redirects visitors to the FCC’s proposal to reverse net neutrality rules. In 2014, net neutrality supporters managed to bring down the FCC comments system after Oliver made a similar plea for commenters to flood the site. The FCC didn’t offer any evidence of the DDoS attacks, nor did the agency immediately answer questions about how the incident was handled. ZDNet will update this article if the FCC responds. At least one pro-net neutrality group, Fight for the Future, expressed skepticism about the agency’s claim that the problems were caused by DDoS attacks. “The FCC’s statement today raises a lot of questions, and the agency should act immediately to ensure that voices of the public are not being silenced as it considers a move that would affect every single person that uses the Internet,” Fight for the Future Campaign Director Evan Greer said in a statement. By Monday afternoon, the FCC’s comments system appeared to be functioning, and there were more than 179,000 comments on the site. FCC Chairman Ajit Pai acknowledged to CNET’s Maggie Reardon on Monday that he favors “a free and open internet” — meaning he favors rolling back the Obama-era net neutrality rules. However, he said the committee has an “open mind” and will consider the public comments that are collected. “It’s not a decree,” he said of the proposal. “The entire purpose of this process is to get public input. Then, after the record is closed, we apply what the DC Circuit calls a ‘substantial evidence test.’ We look through the record, figure out what the right course is based on facts in the record. Then we make the appropriate judgment. I don’t have any predetermined views as to where we’re going to go.” Source: http://www.zdnet.com/article/fcc-says-ddos-attacks-not-net-neutrality-comments-tied-up-comments-system/

Read more here:
FCC says DDOS attacks, not net neutrality comments, tied up comments system