Tag Archives: ddos-attacks

Report: DDoS attacks are less common, but they’re bigger

Information security company Verisign just published its Distributed Denial of Trends Report for Q1 2017. This report talks about changes in the frequency, size, and type of DDoS attack that the company has observed over the first few months of this year. The main takeaway is this: The number of DDoS attacks has plunged by 23 percent compared to the previous quarter. That’s good! However, the average peak attack size has increased by almost 26 percent, making them vastly more potent at taking down websites and critical online infrastructure. That’s bad. The report also notes that attacks are sophisticated in nature, and use several different attack types to take down a website. While 43 percent use just one attack vector, 25 percent use two, and six percent use five. This, obviously, makes it much more difficult to mitigate against. Verisign’s report also talks about the largest DDoS attack observed by the company in Q1. This was a multi-vector attack that peaked at 120 Gbps, and with a throughput of 90 Mpps. Per the report: This attack sent a flood of traffic to the targeted network in excess of 60 Gbps for more than 15 hours. The attackers were very persistent in their attempts to disrupt the victim’s network by sending attack traffic on a daily basis for over two weeks. The attack consisted primarily of TCP SYN and TCP RST floods of varying packet sizes and employed one of the signatures associated with the Mirai IoT botnet. The event also included UDP floods and IP fragments which increased the volume of the attack. So, in short. The attackers were using several different attack types, and they were able to sustain the attack over a long period of time. This shows the attacker has resources, either to create or rent a botnet of that size, and to sustain an attack over two weeks. The fact that DDoS attacks have increased in potency is hardly a surprise. They’ve been getting bigger and bigger, as bad actors figure out they can easily rope insecure Internet of Things (IoT) devices into their botnets. The Mirai botnet, for example, which took down Dyn last year, and with it much of the Internet, consisted of hundreds of thousands of insecure IoT products. The main thing you can gleam from the Verisign report is that DDoS attacks are increasingly professional, for lack of a better word. It’s not 2005 anymore. We’ve moved past the halcyon days of teenagers taking down sites with copies of LOIC they’d downloaded off Rapidshare. Now, it’s more potent. More commoditized. And the people operating them aren’t doing it for shits and giggles. Source: https://thenextweb.com/insider/2017/05/24/report-ddos-attacks-are-less-common-but-theyre-bigger/#.tnw_RJHfi1AZ

Originally posted here:
Report: DDoS attacks are less common, but they’re bigger

Examining the FCC claim that DDoS attacks hit net neutrality comment system

Attacks came from either an unusual type of DDoS or poorly written spam bots. On May 8, when the Federal Communications Commission website failed and many people were prevented from submitting comments about net neutrality, the cause seemed obvious. Comedian John Oliver had just aired a segment blasting FCC Chairman Ajit Pai’s plan to gut net neutrality rules, and it appeared that the site just couldn’t handle the sudden influx of comments. But when the FCC released a statement explaining the website’s downtime, the commission didn’t mention the Oliver show or people submitting comments opposing Pai’s plan. Instead, the FCC attributed the downtime solely to “multiple distributed denial-of-service attacks (DDoS).” These were “deliberate attempts by external actors to bombard the FCC’s comment system with a high amount of traffic to our commercial cloud host,” performed by “actors” who “were not attempting to file comments themselves; rather, they made it difficult for legitimate commenters to access and file with the FCC.” The FCC has faced skepticism from net neutrality activists who doubt the website was hit with multiple DDoS attacks at the same time that many new commenters were trying to protest the plan to eliminate the current net neutrality rules. Besides the large influx of legitimate comments, what appeared to be spam bots flooded the FCC with identical comments attributed to people whose names were drawn from data breaches, which is another possible cause of downtime. There are now more than 2.5 million comments on Pai’s plan. The FCC is taking comments until August 16 and will make a final decision some time after that. The FCC initially declined to provide more detail on the DDoS attacks to Ars and other news organizations, but it is finally offering some more information. A spokesperson from the commission’s public relations department told Ars that the FCC stands by its earlier statement that there were multiple DDoS attacks. An FCC official who is familiar with the attacks suggested they might have come either from a DDoS or spam bots but has reason to doubt that they were just spam bots. In either case, the FCC says the attacks worked differently from traditional DDoSes launched from armies of infected computers. A petition by activist group Fight for the Future suggests that the FCC “invent[ed] a fake DDoS attack to cover up the fact that they lost comments from net neutrality supporters.” But while FCC commissioners are partisan creatures who are appointed and confirmed by politicians, the commission’s IT team is nonpartisan, with leadership that has served under both Presidents Obama and Trump. There’s no consensus among security experts on whether May 8 was or wasn’t the result of a DDoS attack against the FCC comments site. One security expert we spoke to said it sounds like the FCC was hit by an unusual type of DDoS attack, while another expert suggested that it might have been something that looked like a DDoS attack but actually wasn’t. Breaking the silence FCC CIO David Bray offered more details on how the attack worked in an interview with ZDNet published Friday. Here’s what the article said: According to Bray, FCC staff noticed high comment volumes around 3:00 AM the morning of Monday, May 8. As the FCC analyzed the log files, it became clear that non-human bots created these comments automatically by making calls to the FCC’s API. Interestingly, the attack did not come from a botnet of infected computers but was fully cloud-based. By using commercial cloud services to make massive API requests, the bots consumed available machine resources, which crowded out human commenters. In effect, the bot swarm created a distributed denial-of-service attack on FCC systems using the public API as a vehicle. It’s similar to the distributed denial of service attack on Pokemon Go in July 2016. This description “sounds like a ‘Layer 7’ or Application Layer attack,” Cloudflare Information Security Chief Marc Rogers told Ars. This is a type of DDoS, although it’s different from the ones websites are normally hit with. “In this type of [DDoS] attack, instead of trying to saturate the site’s network by flooding it with junk traffic, the attacker instead tries to bring a site down by attacking an application running on it,” Rogers said. “I am a little surprised that people are challenging the FCC’s decision to call this a DDoS,” Rogers also said. Cloudflare operates a global network that improves performance of websites and protects them from DDoS attacks and other security threats. When asked if the FCC still believes it was hit with DDoS attacks, an FCC spokesperson told Ars that “there have been DDoS attacks during this process,” including the morning of May 8. But the FCC official we talked to offered a bit less certainty on that point. “The challenge is someone trying to deny service would do the same thing as someone who just doesn’t know how to write a bot well,” the FCC official said. FCC officials said they spoke with law enforcement about the incident. Spam bots and DDoS could have same effect DDoS attacks, according to CDN provider Akamai, “are malicious attempts to render a website or Web application unavailable to users by overwhelming the site with an enormous amount of traffic, causing the site to crash or operate very slowly.” DDoS attacks are “distributed” because the attacks generally “use large armies of automated ‘bots’—computers that have been infected with malware and can be remotely controlled by hackers.” (Akamai declined to comment on the FCC downtime when contacted by Ars.) In this case, the FCC’s media spokesperson told Ars the traffic did not come from infected computers. Instead, the traffic came from “cloud-based bots which made it harder to implement usual DDoS defenses.” The FCC official involved in the DDoS response told us that the comment system “experienced a large number of non-human digital queries,” but that “the number of automated comments being submitted was much less than other API calls, raising questions as to their purpose.” If these were simply spammers who wanted to flood the FCC with as many comments as possible, like those who try to artificially inflate the number of either pro- or anti-net neutrality comments, they could have used the system’s bulk filing mechanism instead of the API. But the suspicious traffic came through the API, and the API queries were “malformed.” This means that “they aren’t formatted well—they either don’t fit the normal API spec or they are designed in such a way that they excessively tax the system when a simpler call could be done,” the FCC official said. Whether May 8 was the work of spam bots or DDoS attackers, “the effect would have been the same—denial of service to human users” who were trying to submit comments, the FCC official said. But these bots were submitting many fewer comments than other entities making API calls, suggesting that, if they were spam bots, they were “very poorly written.” The official said a similar event happened in 2014 during the previous debate over net neutrality rules, when bots tied up the system by filing comments and then immediately searching for them. “One has to ask why a bot would file, search, file, search, over and over,” the official said. If it was just a spam bot, “one has to wonder why, if the outside entity really wanted to upload lots of comments in bulk, they didn’t use the alternative bulk file upload mechanism” and “why the bots were submitting a much lower number of comments relative to other API calls,” the official said. The FCC says it stopped the attacks by 8:45am ET on May 8, but the days that followed were still plagued by intermittent downtime. “There were other waves after 8:45am that slowed the system for some and, as noted, there were ‘bots’ plural, not just one,” the FCC official said. On May 10, “we saw other attempts where massive malformed search queries also have hit the system, though it is unclear if the requestors meant for them to be poorly formed or not. The IT team has implemented solutions to handle them even if the API requests were malformed.” Was it a DDoS, or did it just look like one? There is some history of attackers launching DDoS attacks from public cloud services like Amazon’s. But the kind of traffic coming into the FCC after the John Oliver show might have looked like DDoS traffic even if it wasn’t, security company Arbor Networks says. Arbor Networks, which sells DDoS protection products, offered some analysis for its customers and shared the analysis with Ars yesterday. Arbor says: When a client has an active connection to a website which is under heavy load, there is a risk that the server will be unable to respond in a timely fashion. The client will then start to automatically resend its data, causing increased load. After a while, the user will also get impatient and will start to refresh the screen and repeatedly press the “Submit” button, increasing the load even further. Finally, the user will, in most cases, close the browser session and will attempt to reconnect to the website. This will then generate TCP SYN packets which, if processed correctly, will move to the establishment of the SSL session which involves key generation, key exchange, and other compute intensive processes. This will most likely also timeout, leaving sessions hanging and resulting in resource starvation on the server. A spam bot would behave in the same manner, “attempting to re-establish its sessions, increasing the load even further,” Arbor says. “Also, if the bot author wasn’t careful with his error handling code, the bot might also have become very aggressive and start to flood the server with additional requests.” What the FCC saw in this type of situation might have looked like a DDoS attack regardless of whether it was one, Arbor said: When viewed from the network level, there will be a flood of TCP SYN packets from legitimate clients attempting to connect; there will be a number of half-open SSL session which are attempting to finalize the setup phase and a large flood of application packets from clients attempting to send data to the Web server. Taken together, this will, in many ways, look similar to a multi-faceted DDoS attack using a mix of TCP-SYN flooding, SSL key exchange starvation, and HTTP/S payload attacks. This traffic can easily be mistaken for a DDoS attack when, in fact, it is the result of a flash crowd and spam bot all attempting to post responses to a website in the same time period. DDoS attacks generally try to “saturate all of the bandwidth that the target has available,” Fastly CTO Tyler McMullen told Ars. (Fastly provides cloud security and other Web performance tools.) In the FCC’s case, the attack sounds like it came from a small number of machines on a public cloud, he said. “Another form of denial-of-service attack is to make requests of a service that are computationally expensive,” he said. “By doing this, you don’t need a ton of infected devices to bring down a site—if the service is not protected against this kind of attack, it often doesn’t take much to take it offline. The amount of traffic referenced here does not make it obvious that it was a DDoS [against the FCC].” Server logs remain secret The FCC declined to publicly release server logs because they might contain private information such as IP addresses, according to ZDNet. The logs reportedly contain about 1GB of data per hour from the time period in question, which lasted nearly eight hours. The privacy concerns are legitimate, security experts told Ars. “Releasing the raw logs from their platform would almost certainly harm user privacy,” Rogers of Cloudflare told Ars. “Finally, redacting the logs would not be a simple task. The very nature of application layer attacks is to look exactly like legitimate user traffic.” McMullen agreed. “Releasing the logs publicly would definitely allow [the details of the attack] to be confirmed, but the risk of revealing personal information here is real,” he said. “IP addresses can sometimes be tied to an individual user. Worse, an IP address combined with the time at which the request occurred can make the individual user’s identity even more obvious.” But there are ways to partially redact IP addresses so that they cannot be tied to an individual, he said. “One could translate the IP addresses into their AS numbers, which is roughly the equivalent of replacing a specific street address with the name of the state the address is in,” he said. “That said, this would still make it clear whether the traffic was coming from a network used by humans (e.g. Comcast, Verizon, AT&T, etc) or one that primarily hosts servers.” Open by design The FCC’s public comments system is supposed to allow anyone to submit a comment, which raises some challenges in trying to prevent large swarms of traffic that can take down the site. The FCC has substantially upgraded its website and the back-end systems that support it since the 2014 net neutrality debate. Instead of ancient in-house servers, the comment system is now hosted on the Amazon cloud, which IT departments can use to scale computing resources up and down as needed. But this month’s events show that more work needs to be done. The FCC had already implemented a rate limit on its API, but the limit “is tied to a key, and, if bots requested multiple keys, they could bypass the limit,” the FCC official told us. The FCC has avoided using CAPTCHA systems to distinguish bots from humans because of “challenges to individuals who have different visual or other needs,” the official said. Even “NoCAPTCHA” systems that only require users to click a box instead of entering a hard-to-read string of characters can be problematic. “Some stakeholders who are both visually impaired and hearing impaired have reported browser issues with NoCAPTCHA,” the FCC official said. “Also a NoCAPTCHA would mean you would have to turn off the API,” but there are groups who want to use the API to submit comments on behalf of others in an automated fashion. Comments are often submitted in bulk both by pro- and anti-net neutrality groups. The FCC said it worked with its cloud partners to stop the most recent attacks, but it declined to share more details on what changes were made. “If folks knew everything we did, they could possibly work around what we did,” the FCC official said. Senate Democrats asked the FCC to provide details on how it will prevent future attacks. While the net neutrality record now contains many comments of questionable origin and quality, the FCC apparently won’t be throwing any of them out. But that doesn’t mean they’ll hold any weight on the decision-making process. “What matters most are the quality of the comments, not the quantity,” Pai said at a press conference this month. “Obviously, fake comments such as the ones submitted last week by the Flash, Batman, Wonder Woman, Aquaman, and Superman are not going to dramatically impact our deliberations on this issue.” There is “a tension between having open process where it’s easy to comment and preventing questionable comments from being filed,” Pai said. “Generally speaking, this agency has erred on the side of openness. We want to encourage people to participate in as easy and accessible a way as possible.” Source: https://arstechnica.com/information-technology/2017/05/examining-the-fcc-claim-that-ddos-attacks-hit-net-neutrality-comment-system/

Excerpt from:
Examining the FCC claim that DDoS attacks hit net neutrality comment system

Expect an increase in ransomware and DDoS attack combos in 2017

“Follow the money” is a popular catchphrase attributed to the 1976 movie All The President’s Men suggesting a money trail or corruption scheme within high (often political) office. Cybercriminal actors are certainly following the advice. The Deloitte Global Cyber Executive Briefing on E-Commerce & Online payments suggests that as retailers discover the financial rewards of having an e-commerce website, criminals are not far behind. But while robbing a brick and mortar store is wrought with risk of getting caught, the cyber world is proving much more lucrative relative to the effort and investments needed to execute a digital heist. For every e-commerce site that goes up, the potential target expands to include merchant, payment service provider, card company, suppliers, banks and buying customer. That is because e-commerce websites are directly connected both to the internet and to the business’ back-end systems for data processing and supply management. This makes e-commerce website a prime attack point for gaining access to crucial information assets within the organization according to Deloitte. The fourth Neustar annual Worldwide DDoS Attacks and Cyber Insights Research Report reveals that attacks against the financial services and retail industries are on the rise. Industry respondents confirm that it is getting much longer for organizations to detect and respond as cyberattacks grow in volume, complexity and frequency. Financial services institutions (FSIs) under attack There is recognition among industry players that they remain at high risk of malware and data theft (44% in 2017 versus 37% in 2016). Ransomware appears to be on the rapid rise in financial services industry as respondents to the survey indicate an increase in reported attacks from 17% in 2016 to 28% a year later. Financial institutions are also investing against Distributed Denial of Service (DDoS) attacks with 91% of organizations putting in more resources in 2017 compared to 79% in 2016. FSIs continue to be one of the favored targets of hackers as 86% of surveyed respondents confirm being under attack in 2017, up 10% from the previous year. More worrisome is that 88% reported being under attack more than once. Retailers under attack Eighty percent of respondents said they were under attack in 2017, up 7% from 2016. Respondents to the survey also noted that it took longer for them to detect and respond to the attacks in 2017 compared to 2016 suggesting that attack are getting sophisticated. Retailers responding to the survey Industry confirmed that they are spending more for security in 2017 (87%) compared to 2016 (76%). Respondents also report that ransomware attacks have increased from 13% in 2016 to 21% in 2017. Asia Pacific under attack Among respondents in Asia Pacific, 33% reported average revenue loss of at least US$250,000 with 49% reporting ransomware and DDoS attacks occurring in concert. Time to detect for 49% of respondents in the region stood at about three hours while 42% said it was taking them at least three hours to respond following discovery of the attack. In response to escalating frequency, complexity and severity of malware and DDoS attacks, Robin Schmitt, general manager, APAC at Neustar recommended that IT and business leaders need to evaluate the effectiveness of existing security strategies. “The research shows that simply identifying an attack and depending on basic defenses is not enough. Organizations in the region need to adopt stronger defenses and innovative solutions to more quickly and effectively mitigate the growing risk and likely impact of a major DDoS attack,” he said. According to Neustar the data from the research suggests that 2017 will be another challenging one from a DDoS threat landscape perspective. Generic Routing Encapsulation (GRE) based flood attacks and Connectionless Lightweight Directory Access Protocol (CLDAP) reflection attacks are emerging as the new hot attack trends for 2017, suggesting that attackers are constantly eyeing new ways to turn legitimate infrastructure elements against their owners. Source: https://www.enterpriseinnovation.net/article/expect-increase-ransomware-and-ddos-attack-combos-2017-145803210

Original post:
Expect an increase in ransomware and DDoS attack combos in 2017

What is a DDoS attack? What happens during a DDoS attack?

DDoS attacks can leave systems down for days. But how do they actually work? DDoS attacks are one of the most common forms of cyber attack, with the number of global DDoS attacks increasing to 50 million annually, according to VeriSign. Distributed denial of service, or DDoS for short, refers to a cyber attack resulting in victims being unable to access systems and network resources, essentially disrupting internet services. The DDoS attack will attempt to make an online service or website unavailable by flooding it with unwanted traffic from multiple computers. For a DDoS attack to be successful, an attacker will spread malicious software to vulnerable computers, mainly through infected emails and attachments. This will create a network of infected machines which is called a botnet. The attacker can then instruct and control the botnet, commanding it to flood a certain site with traffic: so much that its network ceases to work, taking the site offline. There are lots of different ‘types’ of botnets, with the most recent, called Mirai, housing an estimated 380,000 bots. Mirai, which shot to fame in 2016, had the potential to infect unsecured internet of things devices, such as DVRs and IP cameras. Mirai famously shut down internet access for nearly one million Germans by exploiting security flaws in routers at OEM manufacturers Speedport and Zyxel, shutting down web access for about one million Deutsche Telekom customers for two days. Why hackers choose DDoS attacks? DDoS attacks can take down websites of all sizes, from heavy duty enterprises to smaller, more vulnerable sites. The moves for attacks can vary widely from politics to pure financial gain. DDoS attacks can be sold. So a buyer could request a certain site is taken offline, and pay a sum for its execution. Revenge is often a motive in these cases. Alternatively, attackers might want to blackmail a site for money and keep their site down for days until they pay. Finally, a popular tactic used to influence political events and block others political agendas is to overwhelm and bring down sites with different views and you. This activism is becoming an increasingly popular way of using DDoS attacks to control the media. How do I know if I’m a victim of a DDoS attack? Before your website crashes and goes offline entirely, there are a few warning signs to look out for. A common effect of DDoS attacks is an unusually slow connection to your site. Some DDoS attacks twin this with a large and sharp increase of spam emails. If your overall network performance is slow, there is no need to assume it’s a DDoS attack but if it has slowed down rapidly and you’re unable to open files or perform usually quick maintenance tasks on your website, you might have a problem. For most, the biggest (and most obvious) giveaway is that your site cannot be accessed. If you’ve checked all other possibilities, and you have no access whatsoever, it could be a DDoS attack. Source: http://www.techworld.com/security/how-does-ddos-attack-work-3659197/

See original article:
What is a DDoS attack? What happens during a DDoS attack?

WannaCry FAQ

What is it ? WannaCry also know as WanaCrypt 2.0 is a form of malware commonly known as “Ransom Ware”. Where did it come from ? It was originally developed by the NSA in the US called “Eternal Blue” and was a way for them to secretly access computers. It was based on a flaw in windows machines, Unfortunately the NSA did not store this weaponized malware securely enough and someone hacked in and stole it. At this point it was loose and easily findable on the Internet. If you see a screen like this, you’re machine is definitely infected. Here is a link below from Microsoft to check/scan if your PC has a virus. https://www.microsoft.com/security/scanner/en-us/default.aspx Who is responsible for this ? At this point no one knows but there are a lot of smart people working on it and they will be caught eventually…This is my opinion. Is someone making money from this ? Yes, as with all ransom ware there is a money component.These are 3 discovered bitcoin Identifiers that victims are paying the ransom to Which is hardcoded into the Malware. As of 09:15 EST May 14, 2017 The total ransom paid is a total of $15,150.00 USD. This is surprisingly low, it’s definitely going to rise. Check for yourself on its progress by clicking the 3 links below. https://blockchain.info/address/13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94 https://blockchain.info/address/12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw https://blockchain.info/address/115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn How did my computer get infected ? If you’re on a corporate network, you most likely got it from another computer on your network. If you’re at home on a cable modem you got it through email phishing or visiting a hacked or a sketchy website. How did it spread so quickly ? As you most likely know by now, millions of computers were infected in a few short days and those most affected by this are on corporate, Government and University networks. It spreads on these networks by using a windows flaw that goes from machine to machine using Microsoft’s SMB feature . Here’s a short list of victims from GITHUB NHS (uk) turning away patients, unable to perform x-rays. (list of affected hospitals) Nissan (uk) http://www.chroniclelive.co.uk/news/north-east-news/cyber-attack-nhs-latest-news-13029913 Telefonica (spain) ( https://twitter.com/SkyNews/status/863044193727389696 ) power firm Iberdrola and Gas Natural ( spain ) FedEx (us) ( https://twitter.com/jeancreed1/status/863089728253505539 ) University of Waterloo ( us ) Russia interior ministry & Megafon (russia) https://twitter.com/dabazdyrev/status/863034199460261890/photo/1 VTB (russian bank) https://twitter.com/vassgatov/status/863175506790952962 Russian Railroads (RZD) https://twitter.com/vassgatov/status/863175723846176768 Portugal Telecom ???????? – Sberbank Russia ( russia ) Shaheen Airlines (india, claimed on twitter) Train station in frankfurt ( germany ) Neustadt station ( germany ) the entire network of German Rail seems to be affected ( @farbenstau ) in China secondary schools and universities had been affected ( source ) A Library in Oman ( @99arwan1 ) China Yanshui County Public Security Bureau ( https://twitter.com/95cnsec/status/863292545278685184 ) Schools/Education (France) https://twitter.com/Damien_Bancal/status/863305670568837120 A mall in singapore https://twitter.com/nkl0x55/status/863340271391580 ATMs in china https://twitter.com/95cnsec/status/863382193615159 Renault STC telecom Norwegian soccer team ticket sales Is my website spreading this malware ? I can only say that any DOSarrest customers using our advanced WAF are not spreading this Malware as we won’t allow this type of malicious traffic to get to your server. Is it still spreading ? No, good news ! This thing had a kill switch built into its code, so if any machine can access this site www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com it won’t spread from that machine. I’m infected, What should I do ? We recommend that you wipe your machine clean  and restore from back-ups….of course everyone has backups, Right ? Need more info… Try Github.com Microsoft to get the free patch if you need it. Source: https://www.dosarrest.com/ddos-blog/wannacry-faq/

Read More:
WannaCry FAQ

News in brief: laptop ban could be extended; DDoS hits news sites; Taiwan might block Google DNS

Laptop ban could be extended Planning on flying from European countries to the US? Prepare to check in your laptop, tablet and any other devices larger than a cellphone, as US authorities are reported to be close to announcing an extension of the restriction on devices in the cabin from some Middle Eastern and Gulf countries to some countries in Europe, too. After the initial ban was announced, observers pointed out that the lithium batteries that power laptops and other devices have been banned from the holds of aircraft, adding that they’d prefer a battery fire in the cabin, where it can quickly be dealt with by crew, than in the hold. Lithium batteries have been implicated in many incidents – the US authorities were reported on Thursday to be in discussions about the risks of carrying a large number of batteries in the hold. If you’re affected by the ban, which also applies from some airports and to some carriers flying into the UK, we’ve got some tips on how to minimise the risk to your devices and the data on them in this piece. News sites hit by DDoS attack Just days after France shrugged off a dump of emails stolen from the campaign of the new president, Emmanuel Macron, leading French news websites including those of Le Monde and Le Figaro were knocked offline following a cyberattack on Cedexis, a cloud infrastructure provider. Cedexis had been hit by a “significant DDoS attack”, said Julien Coulon, the company’s co-founder. Cedexis was founded in France in 2009 and has its US headquarters in Portland, Oregon. Meanwhile, the victorious Macron shrugged off the cyberattack that was thought to be aimed at generating support for his far-right opponent, Marine Le Pen, as it emerged that his campaign had turned the table on the hackers, deliberately signing into phishing sites with a view to planting fake information. Mounir Mahjoubi, the digital lead for the campaign, told the Daily Beast: “You can flood these [phishing] addresses with multiple passwords and log-ins, true ones, false ones, so the people behind them use up a lot of time trying to figure them out.” Taiwan could block Google DNS Taiwan is planning to block access to Google’s public DNS service, claiming the move will improve cybersecurity, the Register reported on Thursday. It’s not clear if the block to Google’s DNS, which many people use to bypass government filters on banned websites, would apply to the whole population or just to government officials. The presentation seen by The Register seems to suggest the aim is to reduce the risk of DNS spoofing. Taiwan doesn’t usually crop up on the list of countries where there’s concern about censorship of the internet, but he Register notes that customers of one Taiwanese ISP, HiNet broadband, had earlier this year reported issues with connecting to sites and platforms that users in mainland China are blocked from, including Facebook, YouTube, Google and Gmail. Source: https://nakedsecurity.sophos.com/2017/05/11/news-in-brief-laptop-ban-could-be-extended-ddos-hits-news-sites-taiwan-might-block-google-dns/

More:
News in brief: laptop ban could be extended; DDoS hits news sites; Taiwan might block Google DNS

Democrats Want FCC’s Pai to Drill Down on DDoS Attacks

A pair of Democratic senators has asked FCC chairman Ajit Pai for more information on what the FCC has said were multiple DDoS attacks on its website that affected comments being posted there. FCC chief information officer Dr. David Bray said the attacks “made it difficult for legitimate commenters to access and file with the FCC.” The key docket in terms of activity that could have been interrupted is net neutrality, where the FCC still managed to post more than half a million comments since last week, attack or no. Among the senators’ questions was whether any comments were prevented from being submitted and if so how many. Sens. Ron Wyden of Oregon and Brian Schatz of Hawaii, the latter the ranking member of the Senate Communications Subcommittee, sent a letter to Pai about the May 8 attack (which came in the wee hours of the morning following the May 7 airing of John Oliver’s call for a flood of comments in support of net neutrality). They asked about the FCC’s defenses against such an attack should it be repeated and that the chairman insure there were other ways to comment as a workaround, a dedicated email account for example. “Any potentially hostile cyber activities that prevent Americans from being able to participate in a fair and transparent process must be treated as a serious issue.” Specifically, they wanted information on the following by June 8: “Please provide details as to the nature of the DDoS attacks, including when the attacks began, when they ended, the amount of malicious traffic your network received, and an estimate of the number of devices that were sending malicious traffic to the FCC. To the extent that the FCC already has evidence suggesting which “actor(s) may have been responsible for the attacks, please provide that in your response. “Has the FCC sought assistance from other federal agencies in investigating and responding to these attacks? Which agencies have you sought assistance from? Have you received all of the help you have requested? “Several federal agencies utilize commercial services to protect their websites from DDoS attacks. Does the FCC use a commercial DDoS protection service? If not, why not? To the extent that the FCC utilizes commercial DDoS protection products, did these work as expected? If not, why not? “How many concurrent visitors is the FCC’s website designed to be able to handle? Has the FCC performed stress testing of its own website to ensure that it can cope as intended? Has the FCC identified which elements of its website are performance bottlenecks that limit the number of maximum concurrent visitors? Has the FCC sought to mitigate these bottlenecks? If not, why not? “Did the DDoS attacks prevent the public from being able to submit comments through the FCC’s website? If so, do you have an estimate of how many individuals were unable to access the FCC website or submit comments during the attacks? Were any comments lost or otherwise affected? “Will commenters who successfully submitted a comment — but did not receive a response, as your press release indicates — receive a response once your staff have addressed the DDoS and related technical issues?” While the letter did not question whether such an attack had happened, others have. “We think it’s more than just coincidence that the FCC would cite a DDoS attack at the same time that John Oliver’s call to make public comment on the FCC website in favor of net neutrality went viral,” said Rashad Robinson, executive director of Color Of Change, a big Title II fan. “That said, we certainly hope to see a full investigation into what happened in order to ensure the integrity and full transparency of a key federal agency. But the unfortunate reality is that, after everything this administration has done to steal our rights as Americans, we wouldn’t be surprised if this was merely an attempt to label the democratic exercise of free speech as a cyberattack.” Source: http://www.radioworld.com/news-and-business/0002/democrats-want-fccs-pai-to-drill-down-on-ddos-attacks/339655

See the original article here:
Democrats Want FCC’s Pai to Drill Down on DDoS Attacks

APAC organisations report average revenue loss of US$250,000 to DDoS attacks

Distributed Denial of Service (DDoS) attacks are causing revenue loss to organisations in Asia Pacific (APAC), according to Neustar’s Worldwide DDoS Attacks and Cyber Insights Research Report. A third (33 percent) of APAC organisations reported average revenue loss of at least US$250,000. Nearly half (49 percent) of organisations in the region take at least three hours to detect, and 42 percent take at least three hours to respond. The instances of ransomware and malware reported in concert with DDoS attacks were reported by 49 percent of organisations in APAC too. “With organisations across Asia Pacific being attacked more often and DDoS attacks predicted to become even larger and more complex, IT and business leaders need to evaluate the effectiveness of existing security strategies,” said Robin Schmitt, general manager, APAC at Neustar. Global findings The report also found that 99 percent of organisations globally have some sort of DDoS protection in place. However, 849 out of 1,010 organisations surveyed globally were attacked with no particular industry spared. Forty percent of the ‘victims’ said they received attack alerts from customers. More than half (51 percent) of attacks involved some sort of loss or theft, with a 38 percent increase year-over-year in customer data, financial and intellectual property thefts. Forty-five percent of DDoS attacks across the globe were reported to be more than 10 gigabits per second (Gbps), while 15 percent of attacks were at least 50 Gbps.. “The research shows that simply identifying an attack and depending on basic defences is not enough. Organisations in the region need to adopt stronger defences and innovative solutions to more quickly and effectively mitigate the growing risk and likely impact of a major DDoS attack,” said Schmitt. Source: https://www.mis-asia.com/tech/security/apac-organisations-report-average-revenue-loss-of-us250000-to-ddos-attacks/

See original article:
APAC organisations report average revenue loss of US$250,000 to DDoS attacks

FCC says DDOS attacks, not net neutrality comments, tied up comments system

The federal agency did not provide any evidence of the alleged attacks, which occurred as HBO comedian John Oliver urged viewers to flood the FCC with comments. The Federal Communications Commission (FCC) on Monday said that consumers trying to use its Electronic Comment Filing System ran into delays Sunday night because of multiple distributed denial-of-service (DDoS) attacks — not due to a deluge of comments from net neutrality proponents, as early reports suggested. “Beginning on Sunday night at midnight, our analysis reveals that the FCC was subject to multiple distributed denial-of-service attacks (DDos),” FCC chief information officer David Bray said in a statement. “These were deliberate attempts by external actors to bombard the FCC’s comment system with a high amount of traffic to our commercial cloud host. These actors were not attempting to file comments themselves; rather they made it difficult for legitimate commenters to access and file with the FCC.” The statement followed news reportssuggesting the FCC site was once again overwhelmed by commenters trying to voice their support for net neutrality at the behest of comedian John Oliver. On his HBO show Sunday night, Oliver urged viewers to leave comments at goFCCyourself.com, a URL that redirects visitors to the FCC’s proposal to reverse net neutrality rules. In 2014, net neutrality supporters managed to bring down the FCC comments system after Oliver made a similar plea for commenters to flood the site. The FCC didn’t offer any evidence of the DDoS attacks, nor did the agency immediately answer questions about how the incident was handled. ZDNet will update this article if the FCC responds. At least one pro-net neutrality group, Fight for the Future, expressed skepticism about the agency’s claim that the problems were caused by DDoS attacks. “The FCC’s statement today raises a lot of questions, and the agency should act immediately to ensure that voices of the public are not being silenced as it considers a move that would affect every single person that uses the Internet,” Fight for the Future Campaign Director Evan Greer said in a statement. By Monday afternoon, the FCC’s comments system appeared to be functioning, and there were more than 179,000 comments on the site. FCC Chairman Ajit Pai acknowledged to CNET’s Maggie Reardon on Monday that he favors “a free and open internet” — meaning he favors rolling back the Obama-era net neutrality rules. However, he said the committee has an “open mind” and will consider the public comments that are collected. “It’s not a decree,” he said of the proposal. “The entire purpose of this process is to get public input. Then, after the record is closed, we apply what the DC Circuit calls a ‘substantial evidence test.’ We look through the record, figure out what the right course is based on facts in the record. Then we make the appropriate judgment. I don’t have any predetermined views as to where we’re going to go.” Source: http://www.zdnet.com/article/fcc-says-ddos-attacks-not-net-neutrality-comments-tied-up-comments-system/

Read more here:
FCC says DDOS attacks, not net neutrality comments, tied up comments system

6 steps to reduce your risk of a DDoS attack

You’ve seen the splashy headlines about web services getting taken down by DDoS, or Distributed-Denial-of-Service Attacks, but have you ever worried about these attacks taking down your firm’s site? As recently as October 2016, internet traffic company Dyn was the victim of several DDoS attacks, which shut down websites and services across the East Coast. With the increasingly popularity of Internet of Things devices, which includes any everyday device that’s now connected to the web, these DDoS attacks are increasing in frequency. Hackers create armies of these devices, which are infected with malware, that will attack any given service. The attack works by having multiple devices flood the bandwidth of a service or website with so much traffic that the service is no longer available to normal users. Neustar, a global DDoS protection and cybersecurity firm, releases a yearly study about the impacts of DDoS attacks on businesses. Neustar’s first quarter 2017 report, found that the number of attacks doubled between 2017 and 2016. DDoS attacks are only getting larger, the report states, and the 1,010 respondents collectively experienced a minimum revenue risk from the attacks in excess of $2.2 billion during the previous 12 months. On Thursday, during the Arizona Technology Council 2017 Cybersecurity Summit, Mark Goldenberg, security solutions architect at CenturyLink, presented six steps regarding the possibility of a DDoS attack. In 2012, during the Occupy Wall Street movement, many financial institutions were victims of DDoS attacks, Goldenberg said. The attacks prompted the Federal Financial Institutions Examination Council to release these six steps. Goldenberg said these steps can apply to any firm in regards to a DDoS attack. Step 1: Assess information security risk Goldenberg said that a company should understand its online assets by maintaining an ongoing program to assess information security risk. Take time to review which publicly-based Internet assets are critical to your business that could be affected by a DDoS attack, he said. Some firms have services on a website that can be down for a period of time, but there are other parts of the website that are absolutely vital to your firm’s day-to-day operations, Goldenberg said. Understanding what’s vital and what isn’t will help your business make the right decisions in the event of an attack, he said. Step 2: Monitor Internet traffic to your site(s) in order to detect attacks Talk to your team about what sort of visibility your firm has, whether it’s sources of internet traffic or what types of internet traffic parts of your site is getting, Goldenberg said. Knowing your site’s analytics will let you and your team know where to look in the event of a cyberattack, which in turn will let your team know what kind of resources to bring to the table, Goldenberg said. Step 3: Be ready and notify Make sure your team has an incident response plan, which includes alerting service providers, especially internet providers, Goldenberg said. If your firm has multiple internet providers, Goldneberg said it’s important to know how to coordinate between the providers in the event of a DDoS attack. Your internet provider(s) won’t do anything independent of you, Goldenberg said. And be ready to know when and how to notify your customers when you’re under attack. “A communication plan is key,” Goldenberg said. Step 4: Ensure sufficient staffing for the duration of the DDoS attack When your firm is undergoing a DDoS attack, it’s important to have both your security and network team at the table working together. Make sure, though, that your security team is on the alert for potential breaches. “The perpetrators of the attack understand that when they launch an attack, it’s a priority issue for you to get your network back available,” Goldenberg said. If your security team isn’t on the lookout for breaches at the same time, your data could be compromised during the attack. Step 5: Share that information After your attack, you may want to share the information about it to fellow businesses within your industry. Goldenberg said the Arizona Technology Council is the perfect example of a group to share this information with. “If one peer is hit with a DDoS attack today, it could mean that you’re going to be next,” Goldenberg said. Step 6: Evaluate gaps in your response and adjust After the attack, it’s time to come together to find out what kind of gaps your firm may still have and to learn from it, Goldenberg said. “What you do today has to be reviewed with the team on a regular basis and kept up to date. If you’re able to withstand a low level attack today, regroup with the team, understand where your strengths are, where your weaknesses are, so you can plan for the larger attack down the road.” Source: http://azbigmedia.com/ab/6-steps-preparing-ddos-attack

Read More:
6 steps to reduce your risk of a DDoS attack