Tag Archives: defend against ddos

DDoS attack takes Deezer offline

Streaming music service Deezer experienced several hours of downtime this weekend just gone, thanks, apparently, to one of those Distributed Denial Of Service attacks that were so fashionable a few years back. The source of the DDoS isn’t clear, but the streaming service says its servers were first targeted on Friday, with no real impact, but that a high level attack occurred on Saturday afternoon, taking the service offline on all platforms. DDoS attacks swamp a server with traffic so that it crashes under the weight. Deezer bosses say that while the DDoS was enough to force their service offline, no data was accessed by the attackers. The company’s IT experts identified the course of the problem and put in place measures to limit the impact of the DDoS, so that even though the server attack continued through Sunday, the service has been back online since just after midnight Saturday night. Deezer Founder Daniel Marhely said yesterday in a message to users: “As soon as we became aware of the issue we launched an investigation. We assigned ten staff members to the incident and worked to get the service back up, fuelled by a winning mix of adrenalin and pizza. The method of attack was quickly identified and actions were taken to minimise the impact on the service. We regularly adapted solutions to the changing methods of attack. New protective measures (filters to distinguish between normal incoming traffic and flooding traffic from the attack) were set up by our team, and the attacks finally stopped around 00.22 GMT”. Stressing that no user data had leaked during the attack, the Deezer man went on: “We apologise for any inconvenience. We’re continuing to investigate and are working hard on measures to counter this type of attack in the future. We have taken steps to strengthen our servers and security systems and will continue to do so. Thanks for your patience. We really appreciated your kind messages and encouraging tweets throughout the weekend”. Source: http://www.completemusicupdate.com/article/ddos-attack-takes-deezer-offline/

Original post:
DDoS attack takes Deezer offline

Facing a criminal DDoS attack

Distributed denial of service (DDoS) attacks attempt to flood a server with so many requests that they render a website useless. The effects are many, from lost customer conversions and revenue to punished SEO ranking and blacklisting. The reality is that DDoS attack methods and the criminals behind them are evolving. Understanding this evolution is key to making sure companies that place any sort of importance on their websites stay protected. The type and style of attack is changing – there are headless browsers and application layer attacks, and DDoS attacks as cover for more sinister cyberattacks. Every reseller with security in the portfolio needs to understand that DDoS is not a static problem that can be dealt with and then ignored. It changes, and the tactics for defending against this type of attack need to advance even faster. Better general awareness about DDoS attacks has forced attackers to develop new ways to get around the basic defences. Media attention on high-profile DDoS attacks attracts activists with a message. Groups try to outdo one another in a bid for attention. A growing variety of coding practices, web platforms and web design features have multiplied the number of variables which can result in application exploits, rendering a website useless. With more access to high-CPU devices available through the cloud and dedicated hosting, DDoS attackers can now use those CPUs to run more sophisticated attacks. For these reasons, we are seeing more sophistication in attack style, meaning there is less volume and attackers are targeting very specific vulnerabilities in a website by doing their homework to make sure they target the weakest points. One of the stealthiest methods is headless browsers. These can be a clever way for cybercriminals to get around standard DDoS protection and masquerade as legitimate web traffic. The kit itself is used for programmers to test their websites, so to all intents and purposes, it is a legitimate browser web kit, just modified to run a series of queries and target basic web user interfaces. Detection is difficult and stopping a headless browser DDoS attack can take a trained professional to spot and remediate it. Importantly, with headless browsers Javascript and Captcha can be processed and can jump through the hoops, as it were, of the website, as it was designed for testing. This will be a big problem for more traditional DDoS protection, such as box solutions. What will be most effective here is real-time support, where there is a human involved who can develop some rule sets to determine what is going on and implement the modules within seconds. Application layer attacks are also becoming more prevalent, although you might not even notice them, if you don’t know what you are looking for. Attackers are getting better at reconnaissance and research, facilitating smarter attacks that can keep the volume low and under the radar, meanwhile killing the site in the background and fooling IT into spending time on the wrong part of the site when it is down. It is these application attacks and headless browser attacks that we see as the biggest concern for the future. I can only surmise that media hype is fuelling the focus on volumetric DDoS attacks, which is where the industry seems to be concentrating to meet customer expectations. Actually there is a rise in application attacks and we should be educating companies about these threats, as they indicate serious consequences for businesses that place any sort of importance on their websites. Jag Bains is chief technology officer of DOSarrest Source: http://www.channelweb.co.uk/crn-uk/opinion/2348218/facing-a-criminal-denial-of-service

See the original post:
Facing a criminal DDoS attack

Get Safe Online suffers ‘DDoS’ attack

“We’re looking at what we can do to make sure this won’t happen again. We’re sorry. I’ve had no sleep for two days” – Tony Neate, GSO chief executive During the first hour after the National Crime Agency (NCA) advised Internet users to check out the Get Safe Online web site in the wake of the Gameover Zeus/CryptoLocker botnet takedown, the site suffered what some have described as an unintended DDoS attack. The reality for most users who heeded the 2pm Monday call was that site either froze as they were trying to access it, or simply became inaccessible as too many people overloaded the site server’s access facility. Get Safe Online (GSO) has blamed the effective outage as simply down to the fact that two many people were trying to access the site at the same time. As a result, the servers could not complete the IP requests, resulting in an outage lasting two days, until late yesterday. This was despite the site operators moving swiftly to quadruple site capacity. Tony Neate, GSO’s chief executive – the man who set up the company back in 2006 after a 30-year career in the Police – told the BBC newswire that it is important for people to realise that this has been a learning curve for him and his team. “We’re looking at what we can do to make sure this won’t happen again. We’re sorry. I’ve had no sleep for two days,” he said. GSO is a jointly funded operation supported by the UK government and a variety of commercial sponsors, including Barclays, NatWest, Kaspersky Lab and PayPal. The idea behind the site is that it is a one-stop shop for cybersecurity safety for individuals and small businesses. Sean Power, security operations manager with DOSarrest, the DDoS remediation specialist, said that the overload of GSO is a great example of the `Slashdot effect’ or the `Reddit hug of death.’ This, he explained, is where a site’s sudden popularity – usually initiated by reference in a popular community site – is more than the infrastructure can handle. “This is akin to a small cart vendor opening a free money stall in Times Square,” he said, adding that the nett effect is a sudden denial of service that is both unintentional and unexpected. It is, says Power, vital that a denial-of-service incident response team is able to tell the difference between a malicious attack and a sudden dramatic increase in popularity, because you will want to treat the two situations very differently. “For this reason many firms elect to employ a seasoned denial-of-service mitigation company who have the expertise to make this distinction – and act accordingly to ensure that the site is up and available to all legitimate visitors,” he said.” “One of the added advantages of having a good distributed-denial-of-service protection provider is their ability to handle extremely large legitimate requests, whereby the customer gets to leverage their caching and distributed architecture,” he added. Source: http://www.scmagazineuk.com/get-safe-online-suffers-ddos-attack/article/351148/

Continue reading here:
Get Safe Online suffers ‘DDoS’ attack

Repeat attacks hit two thirds of DDoS victims

Empirical research just published suggests that, whilst overall DDoS attack volumes are increasing steadily, new attack vectors are also constantly being used by cybercriminals. The analysis – entitled `NSFOCUS DDoS Threat Report 2013? – is based on more than 244,000 real-life distributed denial of service attacks observed at Tier 1 or Tier 2 ISPs by the research firm during the year. Researchers found that 79.8 percent of all attacks were 50 Mbps or less. In addition, although large size attacks get the most media attention, only 0.63 percent of all attack incidents were logged at 4 Gbps or more. Perhaps most interestingly of all is that more than 90 percent of the observed attacks lasted 30 minutes or less – and that 63.6 per cent of all targeted victims are attacked more than once. This figure is in line with earlier figures from Neustar whose second annual report, entitled `DDoS Attacks & Impact Report – 2014: The Danger Deepens’ – suggested that once attacked, there is an estimated 69 percent chance of a repeat attack. Delving into the report reveals that HTTP_FLOOD, TCP_FLOOD and DNS_FLOOD are the top three attack types – contributing to more than 87 percent of all attacks. DNS_FLOOD attacks, however, significantly increased from 13.1 percent during the first half of the 2013 to 50.1 percent in the second half. So why the short duration attacks? The report suggests that, after analysing almost a quarter million DDoS incidents, a clear trend emerges, namely that that majority of DDoS attacks seen were short in duration, small in total attack size, and frequently repeating against the same target. “These short and frequently repeating attacks often serve two purposes: First, to scout their victims’ defence capabilities before more tailored assaults are launched, and second, to act as smokescreens or decoys for other exploitation,” says the report. The analysis adds that that many companies are using a combination of traditional counter-measures like scripts, tools and access control lists (ACLs) to handle network layer attacks – as well as on-premise DDoS mitigation systems for more prompt and effective mitigation against hybrid attacks (defined as a combination of network-layer and application-layer attacks). The most interesting takeout from the report, SCMagazineUK.com notes, is that the `old guard’ attack vectors – including the use of SNMP – remain an evolving constant. According to Sean Power, security operations manager with DOSarrest, amplification attacks – such as SNMP – are not really that new. “Legitimate SNMP traffic has no need to leave your network and should be prevented from doing so. This attack exists because many organisations fail to prevent this,” he explained. Power went on to say that the effectiveness of the attack stems from the fact that any Web site can be targeted and requires very little effort to produce excessive traffic, since it relies on third party unsecured networks to do most of the heavy lifting for the attack. “Blocking these attacks is best done via your edge devices as far removed from the targets as possible,” he said, adding that if the attack is large enough that it is overwhelming your edge devices, then you need to look at cloud-based technology for cleaning the traffic. Also commenting on the report, Tom Cross, director of security research for Lancope, said that many people who launch attacks on the Internet do so using toolkits that make the process of launching attacks as easy as installing a software application and running it. “DDoS attacks have become increasingly popular, there are many ways to launch them and lots of different tools circulating that launch attacks in different ways. As a consequence, anyone providing service on the Internet should be prepared for volumetric traffic floods involving any kind of Internet traffic,” he explained. Cross says that it is also important that people do not allow their networks to serve as reflectors that attackers can use to amplify their denial of service attacks. “To that end, DNS, SNMP, NTP, and Voice over IP services in particular should be checked to make sure that they cannot be used by an anonymous third party as a reflector. Locking down these services is part of being a good citizen of the Internet,” he said. Source: http://www.scmagazineuk.com/repeat-attacks-hit-two-thirds-of-ddos-victims/article/348960/

More:
Repeat attacks hit two thirds of DDoS victims

Australian Labor Party and the Bob Brown Foundation hit by DDoS attack

Inadvertent victims of “politically motivated” hack. A politically motivated DDoS attack on a US-based web hosting service has delivered global repercussions affecting a number of Australian websites including the homepages of the Australian Labor Party and the Bob Brown Foundation. Both organisations use the services of NationBuilder, a cloud-based web hosting and customer relationship management platform designed specifically for nonprofits, political parties and politicians. The ALP.org.au website was down for a few hours yesterday morning, its Canberra HQ confirmed. The Bob Brown Foundation site was also down yesterday and then again last night, said organiser Steven Chaffer, who had been contacted by a NationBuilder account rrepresentative. The state branches of the Labor Party also use NationBuilder, as does Victorian independent MP Cathy McGowan and the community services union United Voice. United Voice said it was not aware of any disturbance to its web presence. Yesterday NationBuilder was hit by a DDoS attack it believes to have been in protest against the political stance of one of its clients. “We are reasonably certain the attack is directed at one of our customers for their political beliefs, and is meant to disrupt upcoming elections,” wrote CEO Jim Gilliam on the NationBuilder website early this morning Australian time. He said the attack has caused “intermittent service outages” for the company’s clients but assured users that data and financial information was never exposed. “We know the impact is immeasurable and we are very, very sorry,” he said. “We are fiercely committed to serving all of our customers. Everyone has the right to organise – in fact, this is the very reason NationBuilder exists.” NationBuilder has not responded to iTnews’ requests to confirm the identity of the targeted client. However posts on the Anonymous hackers forum and from the self-professed antagonist on Twitter claim that the attack is targeting the British political party UKIP, which is taking its anti-immigration policy platform to elections for the UK membership of the European Union next week. The party’s leader Nigel Farage has been a controversial figure, branded as a racist by the UK Labor party. UKIP has been the subject of DDoS attacks before, and its website was one of many down intermittently yesterday and into today. Australian clients told iTnews that their services have now resumed. Source: http://www.itnews.com.au/News/386077,alp-bob-brown-sites-downed-by-ddos.aspx?utm_source=feed&utm_medium=rss&utm_campaign=editors_picks

View the original here:
Australian Labor Party and the Bob Brown Foundation hit by DDoS attack

Dating Website Plenty Of Fish Hit By DDoS Attack

Add Plenty of Fish to the list of technology companies whose websites have come under DDoS attacks from unknown cybercriminals in recent days. The company says that it was the victim of a five-hour attack today that affected approximately 1 million users. Initially, the attacks took down the Plenty of Fish website, then later the company’s mobile apps on iPhone, iPad and Android. As per the usual M.O., the attacker first contacted the site to warn them of the impending DDoS at 6:45 AM PT, then the attack started at 8:13 AM PT where it continued for several hours, off and on. The company says it was only recently able to mitigate the flood, and is now fully up and running again. The attack was 40 Gigabits in size, which makes it larger than the attack which took Meetup.com offline for nearly five days last month – that attack was “only” 8 GBps, the company had said at the time. These DDoS attacks (distributed denial-of-service attacks) have become more powerful as of late, thanks to the way attackers are exploiting older internet protocols like Network Time Protocol, or NTP, to increase their size. That seems to be the case here, given the size of the attack that Plenty of Fish suffered. Other companies that have been attacked more recently include TypePad, Basecamp, Vimeo, Bit.ly, and as of this past weekend, marketing analytics software provider Moz, to name just a few. In Plenty of Fish’s case, the attacker demanded $2,000 to have them stop the attack. Want to know if your company is about to have a bad day? Look for an email like this: From: dalem leinda Date: Tue, May 20, 2014 at 12:09 PM Subject: Re: DDoS attack, warning If you feel ready to negotiate, I’m still here. For something around $2k, I will stop the current attack and I will not resume further attacks. The amount depends on how quickly you can make the payment. Source: http://techcrunch.com/2014/05/20/dating-website-plenty-of-fish-hit-by-ddos-attack/?ncid=rss

DOSarrest Rolls Out Cloud Based Layer 7 Load Balancing

DOSarrest has begun offering a Cloud based Layer 7 local and global Load balancing solution to its DDoS protection services customer base. The Load balancing service is a fully managed solution, whereby customers can create pools of servers; a pool can be 1 or many servers and can be located in multiple locations. Load balancing types available include: Round Robin, IP Hash, least connections, weighted. Other options include: By Domain or Host Header, allows customers to direct our servers to pick-up and cache content based on the domain name or host header that is being requested by the visitor. By Resource, allows customers to direct our servers to pick-up and cache content based on the resource being requested by the visitor. Mydomain.com goes to one server(s) mydomain.com/images goes to another server(s) and/or location. The load balancing solution also can be used as Active/Active -All servers are is use Or Active/Passive -some servers are only used when one or more have a failure. Health checks are all part of the service to determine if a particular server or instance is active or not. Jag Bains, CTO at DOSarrest comments “I used to be in the hosting game and when I see the advantages of our cloud based solution over a hardware based solution, this is definitely the way to go.” Bains also adds “There is no capital required, no technical expertise is needed, no single point of failure, it’s able to handle 100?s of millions of requests and can be setup in 5 minutes…top that.” General Manager at DOSarrest, Mark Teolis states “It’s a natural add-on to our DDoS protection services, which already incorporates extensive caching of customers content, this way customers can leverage any combination and location of VPS’s, Instances, private cloud and dedicated servers. I can’t see why anyone would want to buy or manage a Load balancing device again, it just doesn’t make sense anymore.” Details on this service can be found here: www.dosarrest.com/solutions/load-balancing/

See original article:
DOSarrest Rolls Out Cloud Based Layer 7 Load Balancing

TypePad Claims It Was Hit By Another DDoS Attack

A number of technology companies, including Meetup, Basecamp, Vimeo, Bit.ly and others, have undergone website-crashing DDoS attacks (distributed denial-of-service) in recent months, but SAY Media-owned blogging platform Typepad, apparently, has the dubious honor of being taken down for an extended outage more than once in just a few weeks. The company has confirmed to us this morning that it is again undergoing another DDoS attack, which has taken its service offline. However, until all the facts are in and TypePad can provide more info about the nature of this attack, which right now it’s unable to do, it’s unclear at this time that this morning’s network outage is definitely a DDoS attack — the same as before. Because it’s still early in the investigation, it’s possible the company is presuming a DDoS attack, where only a network outage was at fault. We’ll update when we — and they — know more. However, when asked around an hour ago, TypePad did say that it was indeed “under a DDoS attack.” In April, we reported that Typepad was undergoing an extended DDoS attack, which, at the time, had been underway off and on for nearly five days. The company explained that the attack was similar in style to that which had taken down Basecamp, and confirmed that it was working with technology providers, including CloudFlare and Fastly to help mitigate the attack and bring its service back online. Though TypePad never shared extensive technical details about the DDoS attack, the typical scenario — and one that Basecamp had faced, as well — involves an initial demand for some sort of “ransom” once the site and its related services have been knocked offline. The amount first requested is usually small, but once attackers know they have a willing victim, they’ll often increase the amount. SAY Media said it had also received a “ransom” note, and was cooperating with the FBI on an investigation. According to Paul Devine, VP of Engineering at Say Media, this new Typepad attack began at 6:00 AM PT and the company is again working with CloudFlare and Fastly to mitigate the situation. “[We] don’t expect these attacks to have longevity,” he tells us. “We’re looking forward to having the sites up and running as quickly as we can.” As of a few minutes ago, the company tweeted that blogs were loading. However, at the same time, the URL http://www.typepad.com was still largely crashed when we tried it ourselves. That is, instead of loading up properly, CloudFlare is providing a snapshot of the site through its “Always Online” service, which helps sites offer a webpage instead of an error message when taken down through cyberattacks like this. The www.saymedia.com website address came up, however, though a bit slowly. (SAY Media operates a number of brands, including ReadWrite, xoJane, Fashionista, Cupcakes and Cashmere, and others.) The site loads but a “fatal error” message appears at the bottom of the page. Thanks to newer, more powerful types of DDoS attacks that have emerged as of late, attacks that once would have been thought to be record-breaking in size are now becoming routine. For instance, Meetup’s attack was 8 Gigabits in size, and it’s not uncommon for NTP-based DDoS attacks (which exploit an older protocol called Network Time Protocol) to be 10 Gigabits in size. However, one side effect of these attacks is that when a company later experiences a network outage, they sometimes immediately presume that they’re being attacked again. It can be difficult to tell the difference, especially in the early hours of these sorts of situations. We’ll be looking for TypePad to provide its customers with a longer post-mortem following this morning’s outage. Given multiple attacks over the course of several weeks, the company has a responsibility to let their customers know whether or not they’re being targeted by criminals, or if unrelated network outages came into play this morning instead. Source: http://techcrunch.com/2014/05/19/typepad-claims-it-was-hit-by-another-ddos-attack/?ncid=rss

Continued here:
TypePad Claims It Was Hit By Another DDoS Attack

5 People Arrested for Launching DDOS Attacks on Systems of Chinese Gaming Company

A total of five individuals have been arrested by Chinese authorities on suspicion of being behind distributed denial-of-service (DDOS) attacks launched against the systems of a Shanghai-based online gaming company. According to police in Shanghai ‘s Xuhui District, cited by Ecns.cn, the first suspect, surnamed Wu, was arrested in January, after the targeted company provided authorities with information needed to track him down. Wu told investigators that he had been hired by one of the targeted company’s competitors, an Internet firm based in the Henan Province operated by an individual called Tu. Tu’s firm offered not only online games, but also hacking services. The individuals he hired would hack into the systems of various organizations and use the hijacked computers to launch DDOS attacks against various targets. The attacks launched against the Shanghai online games company are said to have resulted in damage of close to 10 million Yuan ($1.6 million / €1.16 million). The attacks were aimed at the login page for an online game and prevented paying customers from accessing their accounts. Police detained Wu, Tu and three other individuals suspected of being responsible for the cyberattacks. The company operated by Tu is believed to be involved in other illegal activities as well, including hacking, distribution of obscene materials, and hosting illegal ads. Source: http://news.softpedia.com/news/5-People-Arrested-for-Launching-DDOS-Attacks-on-Systems-of-Chinese-Gaming-Company-441863.shtml

View original post here:
5 People Arrested for Launching DDOS Attacks on Systems of Chinese Gaming Company

Point DNS blitzed by mystery DDoS attack assault

Domain hosts Point DNS has been hammered with a high intensity DDoS attack on Friday, knocking servers out for hours. The size of the attack and techniques used – much less who might be behind the attack – remains unclear. Several Reg readers got in touch to notify us about the issue and the company confirmed the attack online. “We’re experiencing a DDoS attack on all DNS servers we are working hard mitigate the attack,” Point DNS said in a update to its Twitter profile. “We’re still working through a massive DDoS. We’re adding more nameservers and working with our network providers,” it added. The firm, whose services are used by more than 220,000 domains, was badly affected by the attack. This had a knock-on effect on firms who used its services – while websites were up and running as normal attempts to reach them by typing in a name to a browser would not resolve as normal. The snafu also means email won’t be delivered as normal to affected sites, with early indications suggesting clients clustered in Asia and Europe were worst affected. Security specialists Incapsula spotted a similar attack, which peaked at 25 million packets per second. It reported seeing floods of non-spoofed IP data coming from two DDoS protection services as the cause of the outage. “DNS flood have been around for a while but now the modern high-capacity servers take the attack to a new level,” Incapsula product evangelist Igal Zeifman told El Reg in a statement. “Unlike amplification attacks, that could be easily spotted and filtered on-edge, DNS flood queries can’t be dismissed before they could be allowed to be processed by the server. With powerful botnet machines pumping millions of malicious request each second, and aiming them directly and the most vulnerable server resources (eg CPU), the old threat is now making a comeback in a very dangerous manner.” Source: http://www.theregister.co.uk/2014/05/09/point_dns_ddos/

More:
Point DNS blitzed by mystery DDoS attack assault