Tag Archives: defend against ddos

E-toll site weathers denial of service (DDoS) attack

Sanral’s e-toll Web site suffered a denial of service (DoS) attack on Friday, according to the agency. “Some users complained of slow site performance, and our service provider traced the problem to a denial of service attack of international origin,” said Sanral spokesman Vusi Mona. No further details of the attack were available, but Alex van Niekerk, project manager for the Gauteng Freeway Improvement Project, said the site has come under repeated attack since going live, but suffered only minor performance degradation. DoS attacks, particularly distributed denial of service (DDoS) attacks, are a popular technique used to knock sites offline, overwhelming them with traffic until they are unable to service their clients. Activist group Anonymous frequently uses DDoS to attack targets, using its wide base of supporters to generate traffic. Botnets often launch DDoS attacks from their installed base of zombie PCs. And last year, anti-spam service Spamhaus suffered one of the largest DDoS attacks in history, with incoming traffic peaking at 300Gbps, launched by a Dutch Web host known for harbouring spammers. Sanral’s Web site has been the target of several attacks lately, including a hack which may have leaked personal information, a flaw which allowed motorists to be tracked in real-time, and a session fixation attack which allowed login sessions to be hijacked. Source: http://www.itweb.co.za/index.php?option=com_content&view=article&id=70192:e-toll-site-weathers-denial-of-service-attack

See more here:
E-toll site weathers denial of service (DDoS) attack

DDoS attacks get more complex – are networks prepared?

The threat of cyber attacks from both external and internal sources is growing daily. A denial of service, or DoS, attack is one of the most common. DoS have plagued defense, civilian and commercial networks over the years, but the way they are carried out is growing in complexity. If you thought your systems were engineered to defend against a DoS attack, you may want to take another look.   Denial of service attack evolution A denial of service attack is a battle for computing resources between legitimate requests that a network and application infrastructure were designed for and illegitimate requests coming in solely to hinder the service provided or shut down the service altogether.   The first DoS attacks were primarily aimed at Layer 3 or Layer 4 of the OSI model and were designed to consume all available bandwidth, crash the system being attacked, or consume all of the available memory, connections or processing power. Some examples of these types of attacks are the Ping of Death, Teardrop, SYN flood and ICMP flood. As operating system developers, hardware vendors and network architects began to mitigate these attacks, attackers have had to adapt and discover new methods. This has led to an increase in complexity and diversity in the attacks that have been used.   Since DoS attacks require a high volume of traffic — typically more than a single machine can generate — attackers may use a botnet, which is a network of computers that are under the control of the attacker. These devices are likely to have been subverted through malicious means. This type of DoS, called a distributed denial of service (DDoS), is harder to defend against because the traffic likely will be coming from many directions.   While the goal of newer DoS attacks is the same as older attacks, the newer attacks are much more likely to be an application layer attack launched against higher level protocols such as HTTP or the Domain Name System. Application layer attacks are a natural progression for several reasons: 1) lower level attacks were well known and system architects knew how to defend against them; 2) few mechanisms, if any, were available to defend against these types of attacks; and 3) data at a higher layer is much more expensive to process, thus utilizing more computing resources.   As attacks go up the OSI stack and deeper into the application, they generally become harder to detect. This equates to these attacks being more expensive, in terms of computing resources, to defend against. If the attack is more expensive to defend against, it is more likely to cause a denial of service. More recently, attackers have been combining several DDoS attack types. For instance, an L3/L4 attack, in combination with an application layer attack, is referred to as diverse distributed denial of service or 3DoS. Internet and bandwidth growth impact DoS   Back in the mid- to late 1990s, fewer computers existed on the Internet. Connections to the Internet and other networks were smaller and not much existed in the way of security awareness. Attackers generally had less bandwidth to the Internet, but so did organizations.   Fast forward to the present and it’s not uncommon for a home connection to have 100 megabits per second of available bandwidth to the Internet. These faster connections give attackers the ability to send more data during an attack from a single device. The Internet has also become more sensitive to privacy and security, which has lead to encryption technologies such as Secure Sockets Layer/Transport Layer Security to encrypt data transmitted across a network. While the data can be transported with confidence, the trade-off is that encrypted traffic requires extra processing power, which means a device encrypting traffic typically will be under a greater load and, therefore, will be unable to process as many requests, leaving the device more susceptible to a DoS attack.   Protection against DoS attacks   As mentioned previously, DoS attacks are not simply a network issue; they are an issue for the entire enterprise. When building or upgrading an infrastructure, architects should consider current traffic and future growth. They should also have resources in place to anticipate having a DoS attack launched against their infrastructure, thereby creating a more resilient infrastructure.   A more resilient infrastructure does not always mean buying bigger iron. Resiliency and higher availability can be achieved by spreading the load across multiple devices using dedicated hardware Application Delivery Controllers (ADCs). Hardware ADCs evenly distribute the load across all types of devices, thus providing a more resilient infrastructure and also offer many offloading capabilities for technologies such as SSL and compression.   When choosing a device, architects should consider whether the device offloads some processing to dedicated hardware. When a typical server is purchased, it has a general purpose processor to handle all computing tasks. More specialized hardware such as firewalls and Active Directory Certificates offer dedicated hardware for protection against SYN floods and SSL offload. This typically allows for such devices to handle exponentially more traffic, which in turn means they are more capable to thwart an attack. Since attacks are spread across multiple levels of the OSI model, tiered protection is needed all the way from the network up to the application design. This typically equates to L3/L4 firewalls being close to the edge that they are protecting against some of the more traditional DoS attacks and more specialized defense mechanism for application layer traffic such as Web Application Firewalls (WAFs) to protect Web applications. WAFs can be a vital ally in protecting a Web infrastructure by defending against various types of malicious attacks, including DoS. As such, WAFs fill in an important void in Web application intelligence left behind by L3/L4 firewalls.   As demonstrated, many types of DoS attacks are possible and can be generated from many different angles. DoS attacks will continue to evolve at the same — often uncomfortably fast — rate as our use of technology. Understanding how these two evolutions are tied together will help network and application architects be vigilant and better weigh the options at their disposal to protect their infrastructure. Source: http://defensesystems.com/Articles/2013/12/19/DOS-attacks-complexity.aspx?admgarea=DS&Page=3

Continue reading here:
DDoS attacks get more complex – are networks prepared?

US-CERT warns of NTP Amplification attacks

US-CERT has issued an advisory that warns enterprises about distributed denial of service attacks flooding networks with massive amounts of UDP traffic using publicly available network time protocol (NTP) servers. Known as NTP amplification attacks, hackers are exploiting something known as the monlist feature in NTP servers, also known as MON_GETLIST, which returns the IP address of the last 600 machines interacting with an NTP server. Monlists is a classic set-and-forget feature and is used generally to sync clocks between servers and computers. The protocol is vulnerable to hackers making forged REQ_MON_GETLIST requests enabling traffic amplification. “This response is much bigger than the request sent making it ideal for an amplification attack,” said John Graham-Cumming of Cloudflare. According to US-CERT, the MON_GETLIST command allows admins to query NTP servers for traffic counts. Attackers are sending this command to vulnerable NTP servers with the source address spoofed as the victim. “Due to the spoofed source address, when the NTP server sends the response it is sent instead to the victim. Because the size of the response is typically considerably larger than the request, the attacker is able to amplify the volume of traffic directed at the victim,” the US-CERT advisory says. “Additionally, because the responses are legitimate data coming from valid servers, it is especially difficult to block these types of attacks.” To mitigate these attacks, US-CERT advises disabling the monlist or upgrade to NTP version 4.2.7, which also disables monlist. NTP amplification attacks have been blamed for recent DDoS attacks against popular online games such as League of Legends, Battle.net and others. Ars Technica today reported that the gaming servers were hit with up to 100 Gbps of UDP traffic. Similar traffic amounts were used to take down American banks and financial institutions last year in allegedly politically motivated attacks. “Unfortunately, the simple UDP-based NTP protocol is prone to amplification attacks because it will reply to a packet with a spoofed source IP address and because at least one of its built-in commands will send a long reply to a short request,” Graham-Cumming said. “That makes it ideal as a DDoS tool.” Graham-Cumming added that an attacker who retrieves a list of open NTP servers, which can be located online using available Metasploit or Nmap modules that will find NTP servers that support monlist. Graham-Cumming demonstrated an example of the type of amplification possible in such an attack. He used the MON_GETLIST command on a NTP server, sending a request packet 234 bytes long. He said the response was split across 10 packets and was 4,460 bytes long. “That’s an amplification factor of 19x and because the response is sent in many packets an attack using this would consume a large amount of bandwidth and have a high packet rate,” Graham-Cumming said. “This particular NTP server only had 55 addresses to tell me about. Each response packet contains 6 addresses (with one short packet at the end), so a busy server that responded with the maximum 600 addresses would send 100 packets for a total of over 48k in response to just 234 bytes. That’s an amplification factor of 206x!” Source: http://threatpost.com/us-cert-warns-of-ntp-amplification-attacks/103573

View the original here:
US-CERT warns of NTP Amplification attacks

How EA, League of Legends & Battle.net Were Brought Down By DDoS Attacks

Last week, a group calling themselves DERP launched DDoS attacks on the servers of a number of the world’s biggest games (and games companies). It seemed like an awfully big list of victims for such a simple and ancient form of attack, but as Ars Technica explain, there was a bit more to it than that. Unlike a standard DDoS attack, which big services like Battle.net and League of Legends would have been able to defeat, the attackers used a new – and obviously incredibly effective – method. “Rather than directly flooding the targeted services with torrents of data”, Ars explains, “an attack group calling itself DERP Trolling sent much smaller sized data requests to time-synchronization servers running the Network Time Protocol (NTP). By manipulating the requests to make them appear as if they originated from one of the gaming sites, the attackers were able to vastly amplify the firepower at their disposal. A spoofed request containing eight bytes will typically result in a 468-byte response to a victim, a more than 58-fold increase.” According to “DoS-mitigation service” Black Lotus, while this sounds bad, it’s easy to protect against. Though, they would say that, wouldn’t they. Source: http://kotaku.com/how-ea-league-of-legends-battle-net-were-brought-dow-1498272633

Original post:
How EA, League of Legends & Battle.net Were Brought Down By DDoS Attacks

Attackers Wage Network Time Protocol-Based DDoS Attacks

Attackers have begun exploiting an oft-forgotten network protocol in a new spin on distributed denial-of-service (DDoS) attacks, as researchers spotted a spike in so-called NTP reflection attacks this month. The Network Time Protocol, or NTP, syncs time between machines on the network, and runs over port 123 UDP. It’s typically configured once by network administrators and often is not updated, according to Symantec, which discovered a major jump in attacks via the protocol over the past few weeks. “NTP is one of those set-it-and-forget-it protocols that is configured once and most network administrators don’t worry about it after that. Unfortunately, that means it is also not a service that is upgraded often, leaving it vulnerable to these reflection attacks,” says Allan Liska, a Symantec researcher in blog post last week. Attackers appear to be employing NTP for DDoSing similar to the way DNS is being abused in such attacks. They transmit small spoofed packets requesting a large amount of data sent to the DDoS target’s IP address. According to Symantec, it’s all about abusing the so-called “monlist” command in an older version of NTP. Monlist returns a list of the last 600 hosts that have connected to the server. “For attackers the monlist query is a great reconnaissance tool. For a localized NTP server it can help to build a network profile. However, as a DDoS tool, it is even better because a small query can redirect megabytes worth of traffic,” Liska explains in the post. Monlist modules can be found in NMAP as well as in Metasploit, for example. Metasploit includes monlist DDoS exploit module. The spike in NTP reflection attacks occurred mainly in mid-December, with close to 15,000 IPs affected, and dropped off significantly after December 23, according to Symantec’s data,. Symantec recommends that organizations update their NTP implementations to version 4.2.7, which does not use the monlist command. Another option is to disable access to monlist in older versions of NTP. “By disabling monlist, or upgrading so the command is no longer there, not only are you protecting your network from unwanted reconnaissance, but you are also protecting your network from inadvertently being used in a DDoS attack,” Liska says. Source: http://www.darkreading.com/attacks-breaches/attackers-wage-network-time-protocol-bas/240165063

Read the article:
Attackers Wage Network Time Protocol-Based DDoS Attacks

The Changing Trends of DDoS Attacks

Distributed denial-of-service (DDoS) attacks certainly aren’t new. I’ve been talking about them for years. However, they have been changing. The traditional style of attack, the flood-the-target type that crashes a website, is still going strong. But now we are seeing an increase in application-layer attacks that have the same goal: Systems go down, resources are unavailable and the victim is scrambling to fix everything. Recently, Vann Abernethy, senior product manager for NSFOCUS, talked to me about the changing DDoS landscape. Something he has noticed is how DDoS attacks are being used as smokescreens to cover up other criminal activity. He said: In fact, the FBI warned of one such attack type back in November of 2011, which relies upon the insertion of some form of malware. When the attacker is ready to activate the malware, a DDoS attack is launched to occupy defenders. In this case, the DDoS attack is really nothing more than a smokescreen used to confuse the defenses and allow the real attack to go unnoticed – at least initially.  Considering that most malware goes undetected for long periods of time, even a small DDoS attack should be a huge red flag that something else may be going on. Abernethy adds that another trend he’s seeing is that the DDoS attack itself may be a bit more sinister. For example, a DDoS attack could be masking a simultaneous attack that is probing for vulnerabilities. He said: It’s like a recon team sent to look at an enemy’s position while they’re under some sort of long-range barrage. In general, basic probing will likely be caught if the victim has even modest security protections. But while under the duress of a DDoS attack, the very systems charged with either blocking or alerting suspicious activity might be under too much strain. Abernethy provides several solutions to protect against these emerging DDoS attack styles. One way is to have multiple teams set up to respond to DDoS attacks. One team would work on the DDoS attacks themselves; another team would be responsible for searching for other possible, hidden attacks. For the trend that involves probing, IT and security departments may want to deploy application security testing, and all applications used by the company should be subjected to the testing. DDoS attacks can be devastating to a company , interrupting vital customer interactions and ruining company reputations. The more we know about them, the better chance we have at protecting the company from any serious damage, if not preventing them altogether. Source: http://www.itbusinessedge.com/blogs/data-security/the-changing-trends-of-ddos-attacks.html

Read More:
The Changing Trends of DDoS Attacks

7 Security Trends to Expect in 2014

Computer systems, in many peoples’ eyes, are there to be hacked — and that means fraudsters are always working on new ways to exploit vulnerabilities. So what does 2014 have in store? Here are seven security predictions for the New Year. DDoS Attacks Get Sneaky DDoS attackers will go from simple volumetric attacks to ones which take advantage of a site’s specific performance characteristics. That’s the prediction of security researchers at Neohapsis, a security and risk management consulting company. DDoS attacks that intelligently target bottlenecks in performance, such as pages with a high server load (like database writes) or specific network bottlenecks (like login and session management), can magnify the impact over attacks which are simply volume-based and request the homepage of a site. So it’s likely that we will begin to see the spread of tools which profile specific targets. The result? DDoS attacks that have more impact, and involve less network traffic, than the ones enterprises have become accustomed to mitigating against. Insider Threats Remain Major Security Problem According to a CyberSecurity Watch survey insiders were found to be the cause in 21 percent of security breaches, and a further 21 percent may have been due to the actions of insiders. More than half of respondents to another recent survey said it’s more difficult today to detect and prevent insider attacks than it was in 2011, and 53 percent were increasing their security budgets in response to insider threats. While a significant number of breaches are caused by malicious or disgruntled employees – or former employees – many are caused by well-meaning employees who are simply trying to do their job. BYOD programs and file sharing and collaboration services like Dropbox mean that it will be harder than ever to keep corporate data under corporate control in the face of these well-meaning but irresponsible employees. Defending against insider threats requires a multi-layered use of technological controls, including system-wide use of data encryption and establishment of policies stressing prevention of data loss. Security Worries Drive Cloud Consolidation Organizations will look to buy more solutions from a single vendor and demand greater integration between solutions to automate security, according to Eric Chiu, president of HyTrust, a cloud security company. The fact that securing cloud environments is very different from securing traditional physical environments will drive greater consolidation in the market, he says. Legacy Systems Cause More Security Headaches The spate of IT failures in banks and other high profile companies highlights a simple fact: Many of them are running legacy systems which are so old and out of date that they are becoming almost impossible to maintain. That’s because there are few people with the skills and expert knowledge that would be needed to run them securely – even if they were updated to eliminate know vulnerabilities, which they frequently are not. They often aren’t updated because no-one knows what impact that would have. It’s inevitable that we’ll see hackers going after such systems, exploiting vulnerabilities that can’t easily be fixed. Encryption Will Be Revisited In the wake of revelations about the NSA, many companies are realizing that encryption many be the only thing that is protecting their data, and it may not be as strong as they imagined. What’s more, if hackers are led to believe there is a weakness in a particular system – either accidental or intentional – they will pound on it until they find it. As a result, many companies will look to improve the way they use encryption. Look for particular attention to be paid to cryptographic block modes like CBC and OFB, and authenticated modes like EAX, CCM and GCM, advise the experts at Neohapsis. In addition to the encryption methods themselves, look for insights and innovations around key management and forward security. ‘Stuxnets’ Become More Common State-sponsored malware like Stuxnet – which is widely attributed to the United States, Israel or both – has proved to be far more sophisticated and effective than anything that a couple of hackers can develop. Expect more of this type of malware from the likes of China, Russia, Iran, India, Brazil and Pakistan. It’s probably already out there, even if it hasn’t yet been detected. 2014 could be the year that its prevalence becomes apparent. Bitcoin Drives New Malware The Bitcoin virtual currency is growing in popularity with legitimate businesses, and that’s likely to continue. That’s because Bitcoin payments offer significant attractions: They are quick and cheap, and there is no possibility of a chargeback. But Bitcoin wallets make attractive targets for criminals, because stolen coins can be cashed out instantly, without a middleman or launderer taking a cut. And many Bitcoin users are relatively unsophisticated, protecting their wallets with very little security. So expect Trojans and other malware that specifically look for and target Bitcoin stashes, as well as ransomware that demands Bitcoins in return for decrypting data. Source: http://www.esecurityplanet.com/network-security/7-security-trends-to-expect-in-2014.html

View article:
7 Security Trends to Expect in 2014

New DDoS malware targets Linux and Windows systems

Attackers are compromising Linux and Windows systems to install a new malware program designed for launching distributed denial-of-service (DDoS) attacks, according to researchers from the Polish Computer Emergency Response Team (CERT Polska). Attackers are compromising Linux and Windows systems to install a new malware program designed for launching distributed denial-of-service (DDoS) attacks, according to researchers from the Polish Computer Emergency Response Team (CERT Polska). The malware was found by the Polish CERT at the beginning of December and the Linux version is being deployed following successful dictionary-based password guessing attacks against the SSH (Secure Shell) service. This means only systems that allow remote SSH access from the Internet and have accounts with weak passwords are at risk of being compromised by attackers distributing this malware. “We were able to obtain a 32-bit, statically linked, ELF file,” the Polish CERT researchers said Monday in a blog post. The executable runs in daemon mode and connects to a command-and-control (C&C) server using a hard-coded IP (Internet Protocol) address and port, they said. When first run, the malware sends operating system information — the output of the uname command — back to the C&C server and waits for instructions. “From the analysis we were able to determine that there are four types of attack possible, each of them a DDoS attack on the defined target,” the researchers said. “One of the possibilities is the DNS Amplification attack, in which a request, containing 256 random or previously defined queries, is sent to a DNS server. There are also other, unimplemented functions, which probably are meant to utilize the HTTP protocol in order to perform a DDoS attack.” While executing an attack, the malware provides information back to the C&C server about the running task, the CPU speed, system load and network connection speed. A variant of the DDoS malware also exists for Windows systems where it is installed as “C:Program FilesDbProtectSupportsvchost.exe” and is set up to run as a service on system start-up. Unlike the Linux version, the Windows variant connects to the C&C server using a domain name, not an IP address, and communicates on a different port, according to the Polish CERT analysis. However, the same C&C server was used by both the Linux and Windows variants, leading the Polish CERT researchers to conclude that they were created by the same group. Since this malware was designed almost exclusively for DDoS attacks, the attackers behind it are likely interested in compromising computers with significant network bandwidth at their disposal, like servers. “This also probably is the reason why there are two versions of the bot — Linux operating systems are a popular choice for server machines,” the researchers said. However, this is not the only malware program designed for Linux that was identified recently. A security researcher from the George Washington University, Andre DiMino, recently found and analyzed a malicious bot written in Perl after allowing attackers to compromise one of his honeypot Linux systems. The attackers were trying to exploit an old PHP vulnerability, so DiMino intentionally configured his system to be vulnerable so he could track their intentions. The vulnerability is known as CVE-2012-1823 and was patched in PHP 5.4.3 and PHP 5.3.13 in May 2012, suggesting the attack targeted neglected servers whose PHP installations haven’t been updated in a long time. After allowing his honeypot system to be compromised, DiMino saw attackers deploy malware written in Perl that connected to an Internet Relay Chat (IRC) server used by attackers for command and control. The bot then downloaded local privilege escalation exploits and a script used to perform Bitcoin and Primecoin mining — an operation that uses computing power to generate virtual currency. “Most servers that are injected with these various scripts are then used for a variety of tasks, including DDoS, vulnerability scanning, and exploiting,” DiMino said Tuesday in a blog post that provides a detailed analysis of the attack. “The mining of virtual currency is now often seen running in the background during the attacker’s ‘downtime’.” DiMino’s report comes after researchers from security vendor Symantec warned in November that the same PHP vulnerability was being exploited by a new Linux worm. The Symantec researchers found versions of the worm not only for x86 Linux PCs, but also for Linux systems with the ARM, PPC, MIPS and MIPSEL architectures. This led them to conclude that the attackers behind the worm were also targeting home routers, IP cameras, set-top boxes and other embedded systems with Linux-based firmware. Source: http://news.idg.no/cw/art.cfm?id=41695C7E-ED43-55A5-51306549A5A0A129

Read More:
New DDoS malware targets Linux and Windows systems

Companies still ignore DDoS attacks

Just days after NatWest Bank suffered a debilitating DDoS attack, a new survey has revealed that most businesses are still unprepared for this kind of threat. Some companies are unprepared for DDoS attacks Just days after NatWest Bank suffered a debilitating DDoS attack, a new survey has revealed that most businesses are still unprepared for this kind of threat. More than half the respondents to a survey by Corero lack adequate distributed denial-of-service (DDoS) defence technology. The study also reveals a lack of DDoS defence planning on multiple levels: nearly half of businesses have no formal DDoS response plan, 54 percent have outdated or non-existent network maps, and around one in three lack any clear idea of their normal network traffic volume. Furthermore, the survey slates businesses for under-investing in their security infrastructures, with around 40 percent of respondents still relying on firewalls, while nearly 60 percent do not test their DDoS defences regularly with network and application-layer tests. However, experts warn that DDos attacks are escalating and say that they can cause not only business disruption but also loss of IP, significant brand damage and a loss of customer confidence. Mike Loginov, CEO and CISO at independent security consultancy Ascot Barclay Group, told SCMagazineUK.com that figures from his firm and others show sharply rising numbers of successful DDoS attacks, adding: “These attacks are not necessarily undertaken by the perpetrator with financial gain in mind. However, they still leave the targeted business suffering costly damage repairs, loss of business and an undermining of the organisation’s capability to defend itself. Many attacks go unreported for fear of brand damage.” Andrew Miller, CFO and COO at Corero, which carried out the latest survey, agreed the threat is growing but stressed that companies are still not doing enough to protect themselves. “These denial-of-service-attacks (DDoS) are increasing and becoming more complex, but we’re still not seeing companies increasing their vigilance, investment and planning,” he told SCMagazineUK.com. “Across the board companies really need a combination of infrastructure investment, but more importantly putting in place plans to be able to detect what’s traversing companies’ networks.” Loginov agreed: “Generally speaking, IT departments, as the report suggests, are just not geared up to defend organisations against what cyber security professionals these days consider rudimentary attacks.” Miller said companies need “hybrid DDoS and cloud protection” but added that currently only “a small percentage” of companies have these defences in place. “What we’re seeing the more proactive customers doing is deploying a combination of both on-premises technology to provide 24/7 protection from denial of service attacks, as well as cloud protection services to deal with the high-volume ‘fill the pipe’ network-layer DDoS attacks – a combination of solutions rather than a single solution.” These warnings come just days after NatWest Bank was hit by a DDoS attack that left customers unable to access their accounts online. The 6 December attack disrupted NatWest’s website for about an hour and briefly hit the websites of the other banks in the RBS Group – RBS and Ulster Bank. The attack was focused on disruption rather than accessing account details. But Miller said organisations need to “understand it’s not just inconvenience, we’re talking about some loss of IPR. In the case of RBS, it’s obviously a significant issue from a brand and customer satisfaction perspective”. Miller added: “Denial of service attacks are often used as a smokescreen, a way of initially gaining entry into IT systems through a brute force-type attack, then following on from that the more sophisticated attacks which are aimed either at stealing customer information or intellectual property. We’re seeing banks in the US we’re talking to subject to these types of attacks on a daily basis.” In a statement to journalists, Jag Bains, CTO of DOSarrest Internet Security , said: “The transparency shown by RBS in admitting that they failed to invest properly in their IT systems is a common refrain amongst many enterprises, large and small. While each organisation may have multiple reasons for failing to invest, they all share the same notion that they won’t be a target until they get attacked. “With DDoS tools becoming more advanced and pervasive, all IT operations should work under the premise that they will be attacked and plan accordingly. Every stack and layer within their purview should be reviewed and they should identify cost-effective cloud solutions for their DDoS which provides much better performance and mitigation than expensive hardware.” The DDoS attacks on RBS came in the same week as an unrelated major IT failure, which hit the Group’s online and mobile banking, ATMs and debit card payments. As SCMagazineUK.com reported, RBS, NatWest and Ulster Bank customers were unable to use their cards to draw cash or pay for goods or services. RBS CEO Ross McEwan branded the outage as “unacceptable” and blamed decades of failure to invest adequately in new technology. Source: http://www.scmagazineuk.com/companies-still-ignore-ddos-attacks/article/324844/

View article:
Companies still ignore DDoS attacks

Introducing the DDDoSA: Disguised DDoS Attack

The Distributed Denial of Service (DDoS) attack is becoming the crowbar of the online criminal. In the past we have got rather used to DDoS attacks being one of the favoured approaches of hacktivists, with perhaps the Low Orbit Ion Cannon (LOIC) and later the High Orbit Ion Cannon (HOIC) as used by Anonymous to take down sites being the best known examples. However, recent evidence suggests that taking down a site is increasingly no longer the be all and end all of a DDoS attack, instead it’s just a means to a much more profitable end. A couple of weeks ago I reported how a Bitcoin bank robbery took place under the smokescreen of a DDoS attack. I’ve now learned that a DDoS attack on another Bitcoin-related site, the Bitcointalk.org online forum, could also have been implemented as a smokescreen tactic. Information Week reports the site was actually targeted for a password-stealing exercise with some 176,584 users login credentials at risk. Indeed, as TK Keanini (CTO at Lancope) points out there is an established marketplace out there selling the DDoS capability to anyone with the cash, and relatively little of it is needed to attack a smaller company, so the bad guys don’t even need a DDoS strike capability as a core competency any more. “It is almost always the case these days that DDoS attacks leverage blended methods, where the volumetric technique is included, but not the primary objective” Keanini says, adding “this is a sign of what is to come in 2014 as more adversaries just put together a multi faceted compostable attack and instead of having to have all this expertise in-house, they will be able to outsource via these marketplaces that sell these capabilities.” Jag Bains, CTO at DDoS mitigation experts DOSarrest says that his company has been seeing DDoS attacks sending huge amounts of traffic to a website to overwhelm key points in its infrastructure to send the security team scrambling to fight it off as something of a trend. “This serves as a distraction for the security personnel and aims to weaken the underlying infrastructure” Bains explains “once the security operations are no longer cohesive, criminals can use other methods to target intrusion prevention systems to get in and steal information”. All of which just goes to reinforce that maintaining the focus of core operations during a DDoS attack is an ever increasing problem for IT operations. “As DDoS continues to be used as part of a 1-2 punch in cybercrime and data theft attempts” Bains concludes “IT professionals have become stressed in keeping up with the ever increasing size and sophistication of DDoS attacks”. All of which can influence an organisation to resort to what you might call non-standard, or panicked, practices to deal with the ongoing attack. Things such as disabling their IDS platform for example. Things that further compromise the overall security of the network and enable the attackers to pull off the primary attack with ease.

More:
Introducing the DDDoSA: Disguised DDoS Attack