Category Archives: DDoS Vendors

Millions download botnet-building malware from Google Play

Researchers have discovered a new batch of malicious apps on Google Play, some of which have been downloaded and installed on some 2.6 million devices.

The apps' capabilities

The apps posed as legitimate offerings that modify the look of the characters in Minecraft: Pocket Edition (PE). In the background, though, they set out to rope the devices into a botnet. Once they were installed on a target device, they would connect to a C&C server, … More

See the original post:
Millions download botnet-building malware from Google Play

400 attacks per day: Behind Australia’s growing DDoS attack surface

There is no denying that the number of DDoS attacks has been increasing everywhere around the world; new variants of attack tools and techniques are reaching attackers much faster than we have seen in the past. Based on the statistics we have collected for Australia, the number of DDoS attacks has increased roughly 25% each year, and we believe that number could reach around 30,000 attacks per month by the end of 2020.

The largest DDoS attack targeting Australia in 2017 was around 228 Gbps, in June. Although these multi-gigabit attacks always catch our attention, they don't really happen very often. Almost 80% of the DDoS attacks seen in Australia are under 2 Gbps, but they could still overwhelm the internet connection bandwidth of a lot of enterprises. Another interesting observation is that the number of DDoS attacks between 10 and 50 Gbps has been steadily increasing since last year. Given that attackers are getting more weapons in their arsenal, for example IoT and mobile devices, the size and frequency of DDoS attacks will keep growing.

When we look at the countries where most of the DDoS attacks were being sourced, we have observed that countries such as the US, China, Korea, the UK and Germany are usually at the top of the list. As DDoS attacks are typically sourced from infected computer devices (botnets), countries with a high computer population may also have a high infection rate, particularly if pirated software is used to a large extent in that country. In recent years, with the arrival of IoT botnets such as Mirai, some Asian countries with a high deployment rate of IoT devices have also been seen as major sources of DDoS attacks.

If we turn our focus from the source country to the destination country being attacked most often, we find that the countries at the top of the list of attack sources are also high on the list for the receiving side. A possible reason could be that a high computer population and adoption rate also means a lot of business is being conducted over the network, such as the financial sector, the consumer sector, government and so on, giving attackers more targets to aim for. Source: https://securitybrief.com.au/story/400-attacks-day-behind-australias-growing-ddos-attack-surface/

Taken from:
400 attacks per day: Behind Australia’s growing DDoS attack surface

What is cyber terrorism?

How is cyber terrorism defined and how likely is an attack? Everyone is familiar with what "terrorism" means, but when we stick the word "cyber" in front of it, things get a bit more nebulous. Whereas the effects of real-world terrorism are both obvious and destructive, those of cyber terrorism are often hidden from those who aren't directly affected. Also, those effects are more likely to be disruptive than destructive, although this isn't always the case.

Cyber terrorism incidents

One of the earliest examples of cyber terrorism is a 1996 attack on an ISP in Massachusetts. As cited by Edward Maggio of the New York Institute of Technology and the authors of Internet: A Historical Encyclopedia, Volume 2, a hacker allegedly associated with the white supremacist movement in the US broke into his Massachusetts-based ISP after it prevented him from sending out a worldwide racist message under its name. The individual deleted some records and temporarily disabled the ISP's services, leaving the threat "you have yet to see true electronic terrorism. This is a promise".

While this is a clear example of a cyber-terrorist incident carried out by a malicious, politically motivated individual that caused both disruption and damage, other frequently listed examples fit less clearly into the category of "terrorism". For example, while attacks that have taken out emergency services call centres or air-traffic control could be considered cyber terrorism, the motivation of the individuals is often unclear. If a person caused real-life disruption to these systems, but had no particular motivation other than mischief, would they be classed as a terrorist? Perhaps not. Similarly, cyber protests such as those that occurred in 1999 during the Kosovo conflict against NATO's bombing campaign in the country, or website defacements and DDoS attacks, are arguably online versions of traditional protests, rather than terrorism.

Additionally, in the case of civil war, if one side commits a cyber attack against the other then it can be said to be more of an act of war – or cyber war – than one of cyber terror. Again, where there is a cold war between nations, associated cyber attacks could be thought of as sub-conflict level skirmishes. Indeed, the FBI defines cyber terrorism as "[any] premeditated, politically motivated attack against information, computer systems or computer programs, and data which results in violence against non-combatant targets by sub-national groups or clandestine agents". Under this definition, very few of the tens of thousands of cyber attacks carried out every year would count as cyber terrorism.

The future of cyber terrorism

As the number of connected devices increases, the likelihood of a more destructive cyber terrorist incident – something on a par with an attack in the physical world – increases too. The security industry is full of stories and proofs of concept about hacking medical devices, with two particularly famous demonstrations having been given by New Zealander Barnaby Jack. This opens up the possibility of targeted assassinations or mass-scale killings carried out remotely and potentially across borders. Similarly, there are concerns that self-driving vehicles could be turned into remote-controlled missiles and used in an attack, although the counter argument is that such vehicles will make the roads safer in the face of terrorists driving conventional vehicles into crowds. Another possible style of cyber terrorism is disruption of infrastructure in a way that could potentially endanger life. For example, in 2016 an unknown actor caused a disruption that saw two apartment buildings in Finland lose hot water and heating for a week in the dead of winter. In locations as cold as Finland, actions like this could cause illness and death if widespread and sustained.

Nevertheless, the likelihood is that most serious cyber attacks will be acts of cyber warfare, rather than cyber terrorism, as nation states have larger and more sophisticated resources at hand. Source: http://www.itpro.co.uk/security/29726/what-is-cyber-terrorism

See the original post:
What is cyber terrorism?

Despite increased spend, why doesn’t DDoS mitigation always work?

Newly published research suggests that while there has been a marked increase in spending to mitigate against Distributed Denial of Service (DDoS) attacks, organisations are still falling victim. The 'DDoS 2017 Report: Dangerous Overconfidence', published today by CDNetworks, reveals that spending on DDoS mitigation in the UK has increased over the last year. Indeed, it says that the average annual spend is now £24,200 and 20 percent of businesses are investing more than £40,000 per year. While 83 percent of businesses were confident of their resilience against this business continuity threat, despite the greater investment more than half (54 percent) still ended up victims of a successful DDoS attack during the last 12 months that took their website, network or online app down.

According to Kaspersky Lab's Global IT Security Risks Survey 2017, some 33 percent of organisations have experienced an attack this year, twice the number in 2016. While 20 percent were small businesses, 41 percent were enterprises. Then there's the Neustar Global DDoS Attacks and Cyber Security Insights report, which revealed that 92 percent of those attacked reported theft of intellectual property, customer data or financial assets, and 36 percent saw malware activation happening during the DDoS attack. Research by the Imperva Incapsula security team suggests that attack patterns are changing, with high packet rate attacks becoming the norm. An A10 Networks report confirms this to be the case, suggesting that attacks greater than 50Gbps have quadrupled over the past two years, and that the number of companies experiencing between 6 and 25 attacks per year has also quadrupled in that timeframe.

Given the growing threat, you only have to look at some recent victims, such as The National Lottery and Blizzard Entertainment, to realise that DDoS mitigation isn't always working. SC Media UK put the 'why does DDoS mitigation fail' question to several vendors providing this type of service. But first, we spoke to Alex Nam, managing director of CDNetworks (US & EMEA), who told us there are various reasons, including that some forms of DDoS mitigation don't protect against all forms of attack. "A layer 7 DDoS attack, which impacts applications and the end-user," Nam explained, "can only be protected against using web application firewall technology for example." So not understanding the different types of attack, or the types of technology that can be protected, is a reason why DDoS mitigation often fails, according to Nam.

Rich Groves, the A10 director of research and development, thinks that the question would be better phrased as 'what causes DDoS solutions to fail in certain instances?', as he insists "otherwise it implies DDoS solutions are failing across the board, which isn't the case." Kirill Kasavchenko, principal security technologist (EMEA) at Arbor Networks, also thinks that there is an important distinction to be made between whether DDoS mitigation fails or the approach to it does. "As the headlines became more dramatic, more vendors have rushed to claim they have a solution for the DDoS problem," Kasavchenko explains, "this has caused much confusion in the market." So, for example, elements of a layered security strategy such as IPS devices and firewalls address network integrity and confidentiality but not availability. They are stateful, inline solutions that not only "are vulnerable to DDoS attacks" but "often become the targets themselves." Indeed, Arbor's annual security report shows 40 percent of respondents seeing firewalls fail as a direct result of a DDoS attack.

Meanwhile, Ben Herzberg, security research group manager at Imperva, told SC Media that attackers are "changing tactics rapidly specifically to defeat anti-DDoS solutions, such as hit-and-run and pulse wave attacks", which should come as no great surprise to anyone. James Willett, SVP of products at Neustar, explained that attackers "routinely scout and reconnoitre their targets launching throttled attacks to identify defence response, defence tactics, and defence capacity." Once these are known, the proper types and sizes of attacks can be readily crafted to overwhelm unsuspecting organisations that lack effective cloud-based mitigation depth.

So what should enterprises be doing to ensure that spending on DDoS mitigation is invested wisely? "If they haven't already, they should consider a cloud-based DDoS mitigation service that automatically routes traffic through the service and only delivers clean traffic," Ben Herzberg insists, adding "these services are supported by dedicated security staff that track attack patterns on a daily basis and can quickly react to changing attack patterns." James Willett suggests they need to understand that not all clouds are managed the same. "Organisations can ensure proper investments that reduce impact and minimise disruption risk," he told SC, "by pressing security providers on their management of good and bad traffic." Rich Groves agrees that the focus "should be on vendor performance and solution effectiveness rather than on any particular feature set." In other words, the highest-performing DDoS detection and mitigation available to them at the best price, to identify attack traffic and eliminate it. But perhaps Kasavchenko has the most straightforward advice of all: "The number one thing to do is work with a DDoS mitigation vendor. Vendors who treat DDoS as an add-on are likely to have very limited capabilities…" Source: https://www.scmagazineuk.com/despite-increased-spend-why-doesnt-ddos-mitigation-always-work/article/699729/

Read More:
Despite increased spend, why doesn’t DDoS mitigation always work?

DDoS Attacks Cause Train Delays Across Sweden

DDoS attacks on two separate days have brought down several IT systems employed by Sweden's transport agencies, causing train delays in some cases. The incidents took place early in the mornings of Wednesday and Thursday, October 11 and 12, this week. The first attack hit the Swedish Transport Administration (Trafikverket) on Wednesday. According to local press, the attack brought down the IT system that manages train orders. The agency had to stop or delay trains for the duration of the attack. Trafikverket's email system and website also went down, exacerbating the issue and preventing travelers from making reservations or getting updates on the delays. The agency used Facebook to manage the crisis and keep travelers informed. Road traffic maps were also affected, an issue that lingers even today, at the time of publishing, according to the agency's website.

Three Swedish transportation agencies targeted

Speaking to local media, Trafikverket officials said the attack was actually aimed at TDC and DGC, the agency's two service providers, but in such a way as to affect the agency's services. Trafikverket was able to restore service in a few hours, but the delays affected the entire day's train operations. While initially some might have thought this was a random incident, the next day a similar DDoS attack hit the website of another government agency, the Swedish Transport Agency (Transportstyrelsen), and public transport operator Västtrafik, which provides train, bus, ferry, and tram transport for parts of Western Sweden.

Cyber-warfare implications

In perspective, both incidents give the impression of someone probing various parts of Sweden's transportation system to see how the country would react in the face of a cyber-attack and downtime. The DDoS attacks come a week after a report that Russia was testing cyber-weapons in the Baltic Sea region. In April 2016, Swedish officials blamed Russia for carrying out cyber-attacks on the country's air traffic control infrastructure that grounded flights for a day in November 2015. Source: https://www.bleepingcomputer.com/news/security/ddos-attacks-cause-train-delays-across-sweden/

Read More:
DDoS Attacks Cause Train Delays Across Sweden

DDoS attacks: Brands have plenty to lose, even if attacked only once

DDoS attacks continue to be an effective means to distract and confuse security teams while inflicting serious damage on brands. Neustar discovered that brands experienced a 27 percent increase in the number of breaches per DDoS attack, despite suffering similar attack levels in the same time period last year.

Attackers are getting higher yields from determined attacks

Data from the report shows attackers are achieving higher levels of success against brands they only hit once: … More

View original post here:
DDoS attacks: Brands have plenty to lose, even if attacked only once

Investigation reveals large botnet hiding behind Fast Flux technique

Fast Flux, a DNS technique first introduced in 2006 and widely associated with the Storm Worm malware variants, can be used by botnets to hide various types of malicious activities – including phishing, web proxying, malware delivery, and malware communication. The technique allows the botnet to "hide" behind an ever-changing network of compromised hosts, ultimately acting as proxies and making detection incredibly difficult.

[Figure: High-level architecture overview of the Fast Flux network and associated threat landscape]

… More
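The passage above describes the observable fingerprint of fast flux from the defender's side: the same hostname keeps resolving to a changing set of unrelated compromised hosts, with TTLs short enough that resolvers cannot cache the answer for long. The following is an added example, not code from the article or from the investigation it reports on; the lookup history and the thresholds are constructed assumptions for illustration, not a published detection standard.

```python
"""Score a hostname's DNS answer history for fast-flux behaviour.

Added example, not from the article. The lookups below are constructed
samples and the thresholds are assumptions chosen for illustration.
"""
from ipaddress import ip_address

# Assumed thresholds: a flux network rotates many hosts spread across
# unrelated networks and keeps TTLs short so cached answers expire fast.
MAX_FLUX_TTL = 300          # seconds
MIN_DISTINCT_IPS = 8
MIN_DISTINCT_SLASH16 = 4
MIN_AVG_CHURN = 0.5         # average fraction of the answer replaced per lookup


def slash16(ip):
    """Return the /16 prefix of an IPv4 address as a string, e.g. '203.0'."""
    packed = ip_address(ip).packed
    return f"{packed[0]}.{packed[1]}"


def churn(prev, cur):
    """Jaccard distance between two answer sets: 0 = identical, 1 = disjoint."""
    prev, cur = set(prev), set(cur)
    union = prev | cur
    return 1.0 - len(prev & cur) / len(union) if union else 0.0


def flux_features(lookups):
    """lookups: list of (ttl_seconds, [ip, ...]) in chronological order."""
    ips = {ip for _, answer in lookups for ip in answer}
    churns = [churn(a, b) for (_, a), (_, b) in zip(lookups, lookups[1:])]
    return {
        "min_ttl": min(ttl for ttl, _ in lookups),
        "distinct_ips": len(ips),
        "distinct_slash16": len({slash16(ip) for ip in ips}),
        "avg_churn": sum(churns) / len(churns) if churns else 0.0,
    }


def is_fast_flux(lookups):
    """True when every assumed flux indicator is present at once."""
    f = flux_features(lookups)
    return (f["min_ttl"] <= MAX_FLUX_TTL
            and f["distinct_ips"] >= MIN_DISTINCT_IPS
            and f["distinct_slash16"] >= MIN_DISTINCT_SLASH16
            and f["avg_churn"] >= MIN_AVG_CHURN)


# Constructed samples (documentation and benchmark address ranges only).
# A CDN-style name returns a stable pool with a moderate TTL, whereas the
# flux name cycles through hosts in several unrelated /16s every lookup.
STABLE_LOOKUPS = [
    (600, ["198.51.100.10", "198.51.100.11", "198.51.100.12"]),
    (600, ["198.51.100.11", "198.51.100.12", "198.51.100.10"]),
    (600, ["198.51.100.10", "198.51.100.11", "198.51.100.12"]),
]
FLUX_LOOKUPS = [
    (180, ["203.0.113.5", "192.0.2.77", "198.51.100.9"]),
    (180, ["203.0.113.41", "192.0.2.8", "198.51.100.130"]),
    (180, ["203.0.113.99", "192.0.2.150", "198.18.4.22"]),
    (180, ["203.0.113.5", "198.18.77.1", "192.0.2.77"]),
]

if __name__ == "__main__":
    for name, history in (("stable", STABLE_LOOKUPS), ("flux", FLUX_LOOKUPS)):
        print(name, flux_features(history), "fast-flux" if is_fast_flux(history) else "ok")
```

A real deployment would feed this from passive DNS logs and tune the thresholds against known-good CDN and round-robin names, which also rotate addresses but within far fewer networks and with longer TTLs.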

Follow this link:
Investigation reveals large botnet hiding behind Fast Flux technique

Pulse-Wave DDoS Attacks Mark a New Tactic in Q2

A new tactic for DDoS is gaining steam: the pulse wave attack. It gets its name from the traffic pattern it generates—a rapid succession of attack bursts that split a botnet's attack output. According to Imperva's latest Global DDoS Threat Landscape Report, a statistical analysis of more than 15,000 network and application layer DDoS attacks mitigated by Imperva Incapsula's services during Q2 2017, the largest network layer assault it mitigated peaked at 350Gbps. The tactic enables an offender to pin down multiple targets with alternating high-volume bursts. As such, it serves as the DDoS equivalent of hitting two birds with one stone, the company said.

"A DDoS attack typically takes on a wave form, with a gradual ramp-up leading to a peak, followed by either an abrupt drop or a slow descent," the company explained. "When repeated, the pattern resembles a triangle, or sawtooth waveform. The incline of such DDoS waves marks the time it takes the offenders to mobilize their botnets. For pulse wave attacks, a lack of a gradual incline was the first thing that caught our attention. It wasn't the first time we've seen attacks ramp up quickly. However, never before have we seen attacks of this magnitude peak with such immediacy, then be repeated with such precision."

Whoever was on the other end of these assaults, they were able to mobilize a 300Gbps botnet within a matter of seconds, Imperva noted. This, coupled with the accurate persistence with which the pulses reoccurred, painted a picture of very skilled bad actors exhibiting a high measure of control over their attack resources. "We realized it makes no sense to assume that the botnet shuts down during those brief 'quiet times'," the firm said. "Instead, the gaps are simply a sign of offenders switching targets on-the-fly, leveraging a high degree of control over their resources. This also explained how the attack could instantly reach its peak. It was a result of the botnet switching targets on-the-fly, while working at full capacity. Clearly, the people operating these botnets have figured out the rule of thumb for DDoS attacks: moments to go down, hours to recover. Knowing that—and having access to an instantly responsive botnet—they did the smart thing by hitting two birds with one stone." Pulse-wave attacks were encountered on multiple occasions throughout the quarter, according to Imperva's data.

In the plus column, this quarter there was a small dip in application layer attacks, which fell to 973 per week from an all-time high of 1,099 in Q1. However, don't rejoice just yet. "There is no reason to assume that the minor decline in the number of application layer assaults is the beginning of a new trend," said Igal Zeifman, Incapsula security evangelist at Imperva, noting the change was minor at best. Meanwhile, for the fifth quarter in a row, the number of network layer assaults decreased, dropping to 196 per week from 296 in the prior quarter. "The persistent year-long downtrend in the amount of network layer attacks is a strong sign of a shift in the DDoS threat landscape," Zeifman said. "There are several possible reasons for this shift, one of which is the ever-increasing number of network layer mitigation solutions on the market. The commoditization of such services makes them more commonplace, likely driving attackers to explore alternative attack methods."

For instance, one of the most prevalent trends Incapsula observed in the quarter was the increase in the number of persistent application layer assaults, which have been scaling up for five quarters in a row. In the second quarter of the year, 75.9% of targets were subjected to multiple attacks—the highest percentage Imperva has ever seen. Notably, US-hosted websites bore the brunt of these repeat assaults—38% were hit six or more times, out of which 23% were targeted more than 10 times. By comparison, 33.6% of sites hosted outside the US saw six or more attacks, while "only" 19.5% saw more than 10 assaults in the span of the quarter. "This increase in the number of repeat assaults is another clear trend and a testament to the ease with which application layer assaults are carried out," Zeifman said. "What these numbers show is that, even after multiple failed attempts, the minimal resource requirement motivates the offenders to keep going after their target."

Another point of interest was the unexpected spike in botnet activity out of Turkey, Ukraine and India. In Turkey, Imperva recorded more than 3,000 attacking devices that generated over 800 million attack requests, more than double the rate of last quarter. In Ukraine and India, it recorded 4,300 attacking devices, representing a roughly 75% increase from Q1 2017. The combined attack output of Ukraine and India was 1.45 billion DDoS requests for the quarter. Meanwhile, as the origin of 63% of DDoS requests in Q2 2017 and home to over 306,000 attacking devices, China retained its first spot on the list of attacking countries. Source: https://www.infosecurity-magazine.com/news/pulsewave-ddos-attacks-mark-q2/
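The distinguishing features Imperva describes above, a near-instant rise to peak and bursts that recur with a regular period, are something a defender can look for in per-second traffic telemetry. The following is an added example, not code from Imperva or the article; it builds two constructed bitrate series (a classic sawtooth and a pulse wave) and applies assumed thresholds to tell them apart, so that the time-to-peak and the burst spacing become explicit numbers.

```python
"""Classify a DDoS traffic time series as sawtooth or pulse-wave.

Added example (not from the Imperva report or the article). The series
are constructed per-second bitrate samples in Gbps; the thresholds are
assumptions chosen for the toy data, not published detection criteria.
"""
from statistics import mean, pstdev

BASELINE_GBPS = 1.0        # assumed normal traffic level for the victim
ATTACK_THRESHOLD = 20.0    # a sample above this is counted as attack traffic
FAST_RAMP_SECONDS = 2      # "peaks with immediacy": ramp-up at most this long


def find_bursts(series, threshold=ATTACK_THRESHOLD):
    """Return [(start, end, peak)] for each contiguous run above threshold.
    end is exclusive; indices are seconds since the start of the capture."""
    bursts, start = [], None
    for i, value in enumerate(series):
        if value > threshold and start is None:
            start = i
        elif value <= threshold and start is not None:
            bursts.append((start, i, max(series[start:i])))
            start = None
    if start is not None:
        bursts.append((start, len(series), max(series[start:])))
    return bursts


def ramp_seconds(series, burst, fraction=0.9):
    """Seconds from the burst's first sample until it reaches fraction*peak."""
    start, end, peak = burst
    for i in range(start, end):
        if series[i] >= fraction * peak:
            return i - start
    return end - start


def classify(series):
    """Label a series as 'quiet', 'single burst', 'sawtooth' or 'pulse-wave'."""
    bursts = find_bursts(series)
    if not bursts:
        return "quiet"
    if len(bursts) == 1:
        return "single burst"
    ramps = [ramp_seconds(series, b) for b in bursts]
    gaps = [nxt[0] - cur[1] for cur, nxt in zip(bursts, bursts[1:])]
    # Pulse wave: every burst reaches its peak almost instantly and the quiet
    # gaps between bursts recur with a regular period (low relative spread).
    regular_gaps = pstdev(gaps) <= 0.2 * mean(gaps)
    if max(ramps) <= FAST_RAMP_SECONDS and regular_gaps:
        return "pulse-wave"
    return "sawtooth"


def sawtooth_series(peak=300.0, ramp=30, descent=60, repeats=3):
    """Constructed classic attack: gradual ramp to peak, then a slow descent."""
    out = []
    for _ in range(repeats):
        out += [BASELINE_GBPS + peak * s / ramp for s in range(ramp)]
        out += [BASELINE_GBPS + peak * (1 - s / descent) for s in range(descent)]
        out += [BASELINE_GBPS] * 15
    return out


def pulse_wave_series(peak=300.0, on=20, off=20, repeats=4):
    """Constructed pulse wave: instant jump to peak, hold, drop to baseline."""
    out = []
    for _ in range(repeats):
        out += [peak] * on + [BASELINE_GBPS] * off
    return out


if __name__ == "__main__":
    for name, s in (("sawtooth", sawtooth_series()), ("pulse", pulse_wave_series())):
        print(f"{name:9s} bursts={len(find_bursts(s))} verdict={classify(s)}")
```

The quiet gaps in a pulse wave are exactly the windows in which a mitigation service that is only engaged after traffic crosses a threshold will disengage, so a detector that recognises the pattern should keep scrubbing active across the gaps rather than treating each burst as a new attack.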

See the original article here:
Pulse-Wave DDoS Attacks Mark a New Tactic in Q2

As US launches DDoS attacks, N. Korea gets more bandwidth—from Russia

Fast pipe from Vladivostok gives N. Korea more Internet in the face of US cyber operations. As the US reportedly conducts a denial-of-service attack against North Korea's access to the Internet, the regime of Kim Jong Un has gained another connection to help a select few North Koreans stay connected to the wider world—thanks to a Russian telecommunications provider. Despite UN sanctions and US unilateral moves to punish companies that do business with the Democratic People's Republic of Korea, 38 North's Martyn Williams reports that Russian telecommunications provider TransTelekom (ТрансТелеКом) began routing North Korean Internet traffic at 5:30pm Pyongyang time on Sunday.

The connection, Williams reported, offers a second route for traffic from North Korea's Byol ("Star") Internet service provider, which also runs North Korea's cellular phone network. Byol offers foreigners in North Korea 1Mbps Internet access for €600 (US$660) a month (with no data caps). Up until now, all of Byol's traffic passed through a single link provided by China Unicom. But the new connection uses a telecommunications cable link that passes over the Friendship Bridge railway bridge—the only connection between North Korea and Russia. According to Dyn Research data, the new connection is now providing more than half of the route requests to North Korea's networks. TransTelekom (sometimes spelled TransTeleComm) is owned by Russia's railroad operator, Russian Railways.

[Figure: A Dyn Research chart showing the new routing data for North Korea's ISP.]

According to a Washington Post report, the Department of Defense's US Cyber Command had specifically targeted North Korea's Reconnaissance General Bureau—the country's primary intelligence agency—with a denial-of-service attack against the organization's network infrastructure. That attack was supposed to end on Saturday, according to a White House official who spoke with the Post. While the unnamed official said the attack specifically targeted North Korea's own hacking operations, North Korea has previously run those operations from outside its borders—from China. So it's not clear whether the attack would have had any impact on ongoing North Korean cyberespionage operations. Source: https://arstechnica.com/information-technology/2017/10/as-us-launches-ddos-attacks-n-korea-gets-more-bandwidth-from-russia/

View post:
As US launches DDoS attacks, N. Korea gets more bandwidth—from Russia

US pressured North Korea by overwhelming hackers with data traffic

The US is no stranger to hacking North Korea, but it's usually in a bid to directly thwart the country's military ambitions. Now, however, those attacks are being used as a diplomatic strategy. The Washington Post has learned that President Trump ordered a broad pressure campaign against North Korea that led to the US conducting a denial of service attack against North Korea's spying office, the Reconnaissance General Bureau. The move flooded the RGB's servers with traffic that effectively strangled their internet access, including that of the Bureau 121 group responsible for the North's hacking campaigns. And while it clearly didn't change Kim Jong Un's mind, it does appear to have had a practical effect. Reportedly, the initiative was designed to be temporary and only lasted for half a year — Trump signed the order in March, and it ended on September 30th. It wasn't destructive, either. According to the Post's sources, however, North Korean hackers were complaining about their ability to do their jobs during that period.

North Korea certainly isn't going to get much sympathy. With that said, it raises questions about the use of cyberattacks as a pressure tactic. It no doubt sends the message that the US can cripple a hostile country's digital warfare capabilities if it wants, but there is the concern that it could escalate an already tense situation. After all, North Korea is the sort of country that claims you can declare war with a tweet — while that's hyperbolic, it might interpret a denial of service attack as an act of aggression that merits revenge. Source: https://www.engadget.com/2017/10/01/us-launched-dos-attack-against-north-korea-hackers/

Read More:
US pressured North Korea by overwhelming hackers with data traffic