Tag Archives: defend against ddos

DDoS attacks: half of targeted firms get hit again

Two new reports reveal that DDoS attacks are not only getting bigger- now logged between 250 and 325 Gbps, but that these attacks often target the same organisation more than once. The business challenge presented by DDoS attacks hit the spotlight once again this morning, after a research analytics firm revealed that 35 per cent more firms were hit by attacks during 2013 than in 2012 – and with 28 per cent of logged attacks seen last years lasting two days or more. The most revealing takeout from the Neustar analysis – the firm’s second annual report, entitled `DDoS Attacks & Impact Report – 2014: The Danger Deepens’ – is that once attacked, there is an estimated 69 percent chance of a repeat attack. And whilst 31 per cent of these companies were DDoS-attacked once, over 48 percent said they had been targeted between two to 10 times. Neustar’s figures confirm Arbor Networks’ report – released last week – which saw a record 325 Gbps attack hit a French organisation earlier this year, with a massive spike logged by the research division of the DDoS remediation firm on the first quarter of this year. Arbor says that it 72 attacks larger than 100 Gbps in size and volume, as well as 50 percent more attacks in the first quarter of 2014 than the entirety of 2013. Back at Neustar, the research company claims that 32 percent companies hit by a DDoS attack last year estimated the events had cost them more than £240,000 per day during the outage. Additionally, the reports notes larger DDoS attacks are becoming more frequent with a 200 percent increase in attacks affecting bandwidth of between 1 and 20 Gbps. For its research, Neustar took in response from 331 companies in the UK, across a range of public and private sector organisations. The company says its results show that DDoS attacks disrupt multiple business units – with public-facing areas like call centres, customer service and marketing operations absorbing more than 40 per cent of DDoS-attack related costs. This high cost may because these business functions are key revenue earners in most commercial companies, SCMagazineUK.com notes, but the report also cautions that DDoS attacks are now being used as smokescreens for other attacks – an attack vector that security researcher Brian Krebs has reported on several times over the last 12 months. Rodney Joffe, Neustar’s senior VP and technology fellow, said that organisations must remain constantly vigilant and abreast of the latest threats. “As an example, Neustar’s UltraDNS network suffered an attack just last week peaking at over 250 Gbps – a massive attack by industry standards. Even with proper mitigations in place, the attack caused an upstream ripple. It is a constantly changing threat landscape,”he noted. According to Mark Teolis, general manager with DOSarrest, a DDoS remediation specialist, the key problem with the latest generation of attacks is not just the volume and bandwidth used, but their general sophistication, with Layer 7 attacks now being seen in the mainstream. Layer 7 is the highest of the seven IP layers defined under the OSI (Open System Interconnection) model and represents the application layer – the location on the computing resource where data both originates and returns. Speaking with SCMagazineUK.com last week at the Infosecurity Europe show, Teolis said his firm’s latest software has been enhanced to deal with these latest Layer 7 attacks, by combining IDS (intrusion detection systems), load balancing, WAF (web application firewall) and DDoS mitigation under a single IT umbrella. Using an IDS, he explained, allows security professionals to pinpoint sophisticated layer 7 attacks, as well as provide cloud based WAF services. “Using these approaches – coupled with spreading the load across multiple cloud resources – significantly mitigates the effects of even the highest volume DDoS attack,” he said. Keith Bird, UK managing director with Check Point, told SCMagazineUK.com that DDoS attacks have been used as a hacktivist weapon for several years – and, as this research illustrates, now the net is widening to businesses at large. “We are seeing smokescreen-type attacks, and also more complex, multi-vector attacks on Web sites that combine DDoS with account tampering and fraud attempts,” he said adding, that, whilst these are difficult to defend against, firms should consider contingency and remediation plans in the event of such attacks. Source: http://www.scmagazineuk.com/ddos-attacks-half-of-targeted-firms-get-hit-again/article/345878/

See original article:
DDoS attacks: half of targeted firms get hit again

Majority of UK firms unprepared for DDoS attacks, study finds

New research released by Neustar suggests that the majority of UK businesses are unprepared to cope with the threat of DDoS attacks. Distributed Denial of Service (DDoS) attacks are a common method for cyberattacks to disrupt an online businesses. A DDoS attack uses compromised computer systems to attack a single target, sending traffic from multiple points of origin in a flow, which often overwhelms a system, causing it to deny authentic traffic access to services. According to research released by Neustar, a third of UK businesses estimate losses of £240,000 per day when hit with DDoS attacks. After surveying 331 companies in the United Kingdom across numerous industries including financial services, technology, and the public sector, the analytics provider says larger DDoS attacks are becoming more frequent with a 200 percent increase in attacks affecting bandwidth between 1-20Gbps, in addition to a significant increase in attacks on bandwidth with a magnitude of 100Gbps or more. Neustar’s report, “ United Kingdom DDoS Attacks & Impact Report. 2014: The Danger Deepens ,” also states that DDoS attacks are a “growing threat to organisations with potentially calamitous consequences for companies” without proper protection. Not only can DDoS attacks have an immediate impact on sales and business revenue, they can have long-lasting detrimental effects on brand value, customer trust, and public reputation. Key findings from the survey include: DDoS attacks often disrupt multiple business units, with public-facing areas like call centres, customer service, and marketing absorbing over 40 percent of DDoS-attack related costs. Over 35 percent more UK companies were hit by DDoS attacks in 2013 compared with 2012. In 2013, there was an increased number of longer attacks, with 28 percent lasting up to two days or more. Once attacked, there is an estimated 69 percent chance of a repeat attack. While 31 percent of these companies were DDoS-attacked once, over 48 percent were targeted two to 10 times. In 2013, attacks requiring over six people to mitigate rose to 39 percent compared to 25 percent in 2012, a 56 percent increase. In addition, Neustar’s research highlights an increase in a trend dubbed “smokescreening.” These types of DDoS attacks are used by cybercriminals in order to divert IT department attention while malware and viruses are inserted within a business network, with the overall aim of stealing valuable data or funds. Rodney Joffe, Senior Vice President and Technology Fellow at Neustar commented: Organisations must remain constantly vigilant and abreast of the latest threats. As an example, Neustar’s UltraDNS network suffered an attack just last week peaking at over 250Gbps — a massive attack by industry standards. Even with proper mitigations in place, the attack caused an upstream ripple. It is a constantly changing threat landscape. In February, Web performance company CloudFlare reported the mitigation of a DDoS attack on a French website which reached a record-setting attack of at least 325Gbps, and a potential reach of 400Gbps. Source: http://www.zdnet.com/majority-of-uk-firms-unprepared-for-ddos-attacks-study-finds-7000029178/

More:
Majority of UK firms unprepared for DDoS attacks, study finds

Infosecurity Europe: Are cybercriminals winning the security game?

One of the hot topics at the Infosecurity Europe show – held in London this week – is the scale and complexity of the latest attacks against corporates. Whilst several research operations and vendors competed with each other to come up with reports on how bad the attack landscape is at the moment, the real question that C level executives attending the event want to know is: how bad are the attacks really – and what can I do to defend against the threat? According to Ian Pratt, the co-founder of Bromium Labs, the threats situation is potentially quite serious, as his research team has uncovered a new type of attack vector called the Kernel Kracker, which is what some experts call a layered attack. The attack exploits a vulnerability in the Windows operating system kernel and allows the attacker to gain admin/system level privileges on the host system, so allowing them effectively peel away the various layers of security the company has installed. Having said this, Pratt says that the use of multiple layers of security to protect an organisation’s IT resources is still a very viable defence approach, as, although no set of security layers is ever going to reach 100 percent protection, the use of multiple layers is still a lot better than the old single-suite option of yesteryear. “The underlying problem is that all commodity operating systems are now too big to protect in their entirety,” he said, adding that – as an example – Windows XP had more than 100 patches applied to it last year by Microsoft. Against this backdrop, Pratt argues that the best solution is create virtual instances of a given operating system environment, taking the concept of virtual machines to its logical conclusion. This means, he says, that even if the defences fail and an attack succeeds, its effects are severely limited to the privileges assigned to the given Web browser session. After the session on a given Web resource finishes, the virtual machine collapses the session and a fresh one is started for the set Web site. “You can let the exploit happen, and its effects are limited,” he explained, adding that he fully expects cybercriminals to come up with new attack vectors on a constant basis. Will there ever come a time when it ceases to become viable for the cybercriminals to develop new attack vectors to attack corporate IT systems, we asked him. That time, he replied, is still a very long way off, as new methodologies will arrive all the time. “Over the last 18 months, it’s all been about Java. That is going to change, and you will see a new set of security threats being used,” he said. Jag Bains, CTO of DOSArrest, agreed that the threat landscape will continue to evolve from its current mix of DDoS attacks and operating system-specific vectors. “Today you’re seeing customised Javascript DDoS attacks – I think this attack vector is going to continue to evolve, as hackers continue to have the motivation to attack a corporate system,” he explained. David Gibson, vice president of Varonis Systems, agreed that cybercriminal attack vectors are evolving, but cautioned that the fundamental problem remains the volume of data to which users of IT systems have access. “We had a meeting with a client recently where users had the same levels of access rights [to data] as their high level management. As a result, we discovered that volumes of company data were being exfiltrated from the system, despite their use of multiple layers of security,” he said. It’s against this backdrop, he told SCMagazineUK.com , that he fully expects attacks to evolve for the foreseeable future, but he adds that the inside attacker is likely to be the “next big thing” in the security attacks arena. “For this reason, I am of the opinion that companies must continue to develop the technical controls required to protect the data in their organisation, as well as evolving the security being used to defend the IT resource,” he concluded. Source: http://www.scmagazineuk.com/infosecurity-europe-are-cybercriminals-winning-the-security-game/article/344740/

View post:
Infosecurity Europe: Are cybercriminals winning the security game?

UK webhost 123-Reg in DDOS attack

Businesses using 123-Reg’s web hosting service were knocked offline on Wednesday evening following a reported distributed denial of service (DDoS) attack. 123-Reg is the UK’s largest domain provider hosting over 1.4 million websites. The company said it was hit by a DDoS style attack that caused disruption to some customers on its shared hosting packages. DDoS attacks typically use a botnet of computers in a co-ordinated attack, driving web traffic to a particular website. The attack appeared to cause patchy service for websites hosted by the company for several hours with many customers taking to Twitter to vent their frustration. UK games and mobile apps start-up Greedy Goblin Games (@GreedyGoblins) tweeted 123-Reg: “It appears your shared hosting servers are down. Can access FTP but not websites”. While IT consultant @thepaulturvey tweeted: “Is there a problem with 123-Reg shared hosting? Multiple sites not responding”. 123-Reg support staff told one UK website owner: “There has been a DDOS type of attack targeting a website from our shared hosting platform which unfortunately affected some of our customers. Our system administrators have contained the attack and the connectivity issues should shortly be resolved”. Update: I’ve received the following statement from 123-Reg confirming the attack. 123-Reg did experience a DDoS attack targeted against one particular customer domain. It was a sustained attack which we monitored closely over the course of several hours. The attack itself was from 823 different IP addresses globally. This resulted in denigrated service to our hosting platform, meaning some customer sites were running slower, but no sites were taken offline as a result of this attack. Customer impact measured in terms of support queries was minimal — and likewise our social platforms saw a handful of comments — which are being addressed on a one to one basis via our support teams. Source: http://betanews.com/2014/04/23/uk-webhost-123-reg-in-ddos-attack/

Read this article:
UK webhost 123-Reg in DDOS attack

Easy-to-Use NTP Amplification Emerges as Common DDoS Attack Vector

Reflection attacks using the Network Time Protocol surge in the first quarter, as attackers shift to bandwidth-clogging floods of data. In the past year, attackers have changed focus from attacking applications to overwhelming network bandwidth using brute-force reflection attacks, according to a report published April 17 by content-delivery provider Akamai. The two most popular types of reflection attacks, which bounce network traffic off intermediate servers on the Internet, have shot up in popularity, accounting for 23 percent of all infrastructure attacks in the 2014 first quarter, Akamai stated in its Prolexic Quarterly Global DDoS Attack Report. The attacks were largely unheard of in 2013, the report stated. Much of the increase is due to easy-to-use tools, including techniques for using a vulnerability in the Network Time Protocol, or NTP, not only to reflect attacks but amplify them, Matt Mosher, director security strategy for Akamai, told eWEEK. “Reflection and amplification are easier for the attackers to do,” he said. “They don’t have to build a bot army or infect a bunch of machines.” The number of distributed denial-of-service (DDoS) attacks and the average bandwidth of an attack have both climbed, increasing by 47 percent and 39 percent, respectively, according to Akamai’s report. The jump occurred even as DDoS attacks that attempt to tie up applications with bogus requests declined 21 percent. Application layer attacks have declined since the third quarter of 2013, the report stated. “There have always been two dimensions to DDoS: the large volumetric attacks including amplification, and then there’s another set of DDoS that tries to create complexity and targets applications,” Mosher said. Attackers also focused on media and entertainment companies, which were the targets of nearly 50 percent of attacks. Software and technology companies were the second most popular target, at 17 percent, while security firms faced 12 percent of all DDoS attacks, according to Akamai. The largest attack seen by Akamai targeted a European entertainment firm, and exceeded 200G bps at its peak, the firm said. The attack lasted more than 10 hours, and amplified the attack volume through vulnerable servers using a combination of NTP and the Domain Name System (DNS) reflection. The attack also employed a tactic known as a POST flood attack, according to Akamai. Reflection attacks do not just use basic Internet protocols, but can use Web application features to inundate a target. An interesting attack in the first quarter of 2014 involved using the pingback function of WordPress sites to send data at the targeted network. “The effectiveness of this attack lies in the leveraging of victim WordPress Websites that have pingback functionality enabled,” the report stated. “This attack vector typically succeeds by exhausting the number of connections to the target site, rather than by overwhelming the target with bandwidth floods.” Computers in the United States, China, Thailand, Turkey and Germany accounted for almost three-quarters of all attacks, according to the report. Indonesia and South Korea were also in the top 10. “There was a noticeable presence of Asian countries in the top 10 source countries,” Akamai’s report noted. “Growing economies and an expanding IT infrastructure, plus large online populations, fuel DDoS attack campaigns.” Source: http://www.eweek.com/security/easy-to-use-ntp-amplification-emerges-as-common-ddos-attack-vector.html/

More:
Easy-to-Use NTP Amplification Emerges as Common DDoS Attack Vector

BTC-e Reports DDoS Attack Against Their Server

Having issues with BTC-e today? You’re not the only one. A number of users in the bitcoin community have reported issues with the exchange, raising fears about the service and whether or not it was operating as-should or not. The root of those issues are a distributed denial of service attack (DDoS), confirms the exchange on their official Twitter account. This isn’t the first time this has taken place (nor the last time, we reckon), and it certainly does highlight the community’s sensitivity when it comes to service disruptions. You can’t blame them, either. After the Mt. Gox debacle, it’s become difficult to trust some of these large-scale operations, particularly an exchange that has established itself as mostly secretive. That secrecy has allowed BTC-e to not require verification checks, making it a go-to spot for individuals looking to stay under the radar. As of this writing, it appears services are back to normal. Source: http://newsbtc.com/2014/04/13/btc-e-reports-ddos-attack-server/

Continue Reading:
BTC-e Reports DDoS Attack Against Their Server

Media hacking continues as Czech news sites suffer DDoS attacks

Media websites continue to be attacked by cyber criminals with reports now emerging that titles in the Czech Republic have been targeted. Three of the country’s most widely-read sites – ihned.cz, idnes.cz, and novinky.cz – have confirmed the slowing or crashing of their web pages according to Reuters, though it is not clear who is responsible for the hacks at present. Indicating the use of commonly-deployed Distributed Denial of Service (DDoS) attacks, Lucie Tvaruzkova, the head of business daily ihned.cz, said, “We are receiving great numbers of requests at our servers, which is a typical way to attack.” The incident follows other well-documented cyber-assaults on major media outlets this year, with both the New York Times and Wall Street Journal revealing their networks were breached in attacks they believed originated in China. Elsewhere, security researchers said last week that hackers have been targeting government agencies across a number of European countries, including the Czech Republic, Ireland, and Romania. A flaw in Adobe Systems ADBE.O software has apparently been exploited in the attacks. Source: http://www.itproportal.com/2013/03/04/media-hacking-continues-as-czech-news-sites-suffer-ddos-attacks/#ixzz2yBakJKEu

24 million reasons to lock down DNS amplification attacks

Research from Nominum, a US security consultancy that supplies ISPs with DNS-based analytics and revenue advice, claims to show that 24 million home and small office broadband routers around the world are vulnerable to being tapped as part of a massive DDoS attack. Distributed-denial-of-service (DDoS) swarm attacks have been around for years, but hijacking routers is a relatively recent trend, driven largely by the fact that very few users actively update the firmware of their legacy routers. Rather than hack the host computer, Nominum says that the hackers can now manipulate DNS (Domain Name System) traffic lookups – the technology that translates alphabetic domain names (e.g. www.bbc.co.uk) into its numeric identifier (e.g. 987.65.43.21). By spoofing the target’s IP address and generating a small IP request (ICMP) to a vulnerable router, the router will then generate a larger IP data packet to the real IP address. Nominum claims that this `amplification’ effect can be tapped to turn a few megabits of data bandwidth into many tens of gigabits of bandwidth hogging IP streams. This is no theoretical analysis, as the consultancy claims to have spotted over 5.3 million home and office routers being hijacked during February to generate IP attack traffic – with as much as 70 per cent of total DNS traffic being attributed to one attack seen during January. Nominum says the effect on ISP traffic is immense, with trillions of bytes of attack data disrupting ISP networks, websites and individuals. In the longer term, the consultancy says there is a network impact generated by malicious traffic saturating the available bandwidth and a consequent loss of revenue as users migrate to other ISPs due to an apparently poor experience. Sanjay Kapoor, the SVP of strategy with Nominum, said that existing DDoS defences do not work against today’s amplification attacks, which can be launched by any criminal who wants to achieve maximum damage with minimum effort. “Even if ISPs employ best practices to protect their networks, they can still become victims, thanks to the inherent vulnerability in open DNS proxies,” he said. Peter Wood, CEO of pen-testing specialist First Base Technologies, says that the problem identified by Nominum is often found by his research team where remote branch offices and staff working from home are involved. “We’ve recently been testing a Draytek Vigor router in this regard, and the good news is that most of the attack ports that could be used are turned off by default. Conversely, we also tested a Buffalo router, where the exact reverse was true,” he explained. “This is the joy of OpenDNS proxies. It’s also not that obvious how to configure a fixed IP on many routers,” he said, adding that some clients are – thankfully – becoming more aware of the security risks from the amplification attacks identified by Nominum’s research. Sven Schlueter, a senior consultant with Context Information Security, said that DNS application attacks mean that only minimal resources are required to conduct an attack against the availability of a larger system or network. “This type of attack is then often performed from different sources, all spoofing the source ‘to origin from the target’, resulting in a DDoS against the available bandwidth of the targeted hosts and networks when content is returned from the legitimate DNS,” he said, adding that a number of mitigation solutions are now possible. “For example, a DNS server administrator can ensure that the resolver is not open to the Internet. Very rarely – usually only for service providers – is a resolver required to be open to the Internet. However, if necessary, rate limiting and monitoring can be applied to slow down, detect and mitigate attacks,” he said. “ISPs can also enforce restrictions so that spoofing of addresses is not possible. Service owners, such as a Web site administrator, can only slightly mitigate the issue by dynamically allocating more bandwidth and filtering the attack at the border/ISP core, to the network affected,” he added. Jag Bains, CTO of DDoS remediation specialist DOSarrest, said that is a need for focused DDoS protection services as his firm is seeing more and more attack vectors and agents emerge – something that he says is only going to increase as the `Internet of Things’ gains further traction. “Strategic decision makers will need to understand what specific assets need protection and in what specific manner, and ensure they buy the right solution,” he noted. Lamar Bailey, director of security research with Tripwire, said that home and small office modems, gateways and routers are a generally the second weakest link in a home/small office network behind printers. “Internet providers do update or use current technology for home user gateways and the end user is generally stuck with what every the provider gives them. The routers are generally on very old technology and not easy or possible to secure. DDoS and other attacks are very successful on these old routers,” he said. Bailey went on to say that the ISPs need to take security more seriously and help protect their consumers. “In the US each region has limited options for ISPs which is almost a monopoly. This is bad for consumers and great for attackers and bot herders,” he explained. “Internet providers do update or use current technology for home user gateways and the end user is generally stuck with what every the provider gives them. The routers are generally on very old technology and not easy or possible to secure. DDoS and other attacks are very successful on these old routers,” he said. Bailey went on to say that the ISPs need to take security more seriously and help protect their consumers. “In the US each region has limited options for ISPs which is almost a monopoly. This is bad for consumers and great for attackers and bot herders,” he explained. Source: http://www.scmagazineuk.com/24-million-reasons-to-lock-down-dns-amplification-attacks/article/341026/

More here:
24 million reasons to lock down DNS amplification attacks

Blizzard games still suffering after DDoS attack

Blizzard has confirmed that some of its games are being affected by distributed denial of service attacks (DDoS attacks) on its European online services. Diablo , World of Warcraft , StarCraft and Hearthstone may all be affected by the attacks, suffering disconnections and high latency — a longer gap between the time when you click or press a button and the effect of that action, which makes the game can feel laggy. According to Blizzard’s official update, the attacks aren’t focusing on the company’s infrastructure, however the ripples of the DDoS attacks are still being felt by some of the playerbase. The issue may also be causing problems with the Blizzard authentication servers, which in turn leads to failed or slow login attempts. The company stated: “while we are closely monitoring the situation we wanted to thank you for your patience and apologise for any inconvenience this may cause.” On a lighter note, here’s the trailer for Blizzard’s new game Outcasts: Vengeance of the Vanquished . Blizzard Outcasts — Vengeance of the VanquishedBlizzard Entertainment What with it being an April Fool’s Day joke (despite Blizzard’s protestation that they “have no idea why you would doubt us, but yes, we are indeed making this game. For realsies.”) the game is unlikely to be affected by disconnections and latency. Silver linings and all that… Source: http://www.wired.co.uk/news/archive/2014-04/01/blizzard-ddos

Follow this link:
Blizzard games still suffering after DDoS attack

DDoS Trends Report Reveals Spike in Botnet Activity

A new study documenting distributed denial of service (DDoS) trends found an average of more than twelve million unique botnet-driven DDoS attacks are occurring weekly in the last 90 days, representing a 240% increase over the same period in 2013. “Unlike network DDoS attacks, Layer 7 attack sources can’t hide behind spoofed IPs. Instead they resort to using Trojan infected computers, hijacked hosting environments and Internet-connected devices,” the report stated “Large groups of such compromised resources constitute a botnet; a remotely controlled “zombie army” that can be used for DDoS attacks and other malicious activities.” Key findings on network (Layer 3 & 4) DDoS attacks included: Large SYN Floods account for 51.5% of all large-scale attacks Almost one in every three attacks is above 20Gbps 81% of attacks are multi-vector threats Normal SYN flood & Large SYN flood combo is the most popular multi-vector attack (75%) NTP reflection was the most common large-scale attack method in February 2014 Key findings on application (Layer 7) DDoS attacks included: DDoS bot traffic is up by 240% More than 25% of all Botnets are located in India, China and Iran USA is ranked number 5 in the list of “Top 10” attacking countries 29% of Botnets attack more than 50 targets a month 29.9% of DDoS bots can hold cookies 46% of all spoofed user-agents are fake Baidu Bots (while 11.7% are fake Googlebots) “2013 was a game-changing year for DDoS attacks, with higher-than-ever attack volumes and rapid evolution of new attack methods,” the report states. “Now, the perpetrators are looking to raise the stakes even higher by introducing new capabilities, many of which are specifically designed to abuse the weaknesses of traditional anti-DDoS solutions. As a result, in 2014, many IT organizations will need to re-think their security strategies to respond to latest Layer 3-4 and Layer 7 DDoS threats.” Source: http://www.tripwire.com/state-of-security/top-security-stories/ddos-trends-report-reveals-spike-botnet-activity/

Continued here:
DDoS Trends Report Reveals Spike in Botnet Activity