Tag Archives: denial of service attack

Federal DDoS Warnings Are Outdated

It’s always the same: Government cybersecurity experts learn of pending distributed denial of service attacks, especially around the anniversary of Sept. 11, and issue warning after warning after warning, as though security is something we can do on a “per-warning” basis. I really don’t understand this way of approaching security or why government agencies believe such warnings are helpful. I’m not saying we shouldn’t be warned — not at all. What I’m saying is that we shouldn’t wait for a warning before we do something about security.

On Aug. 5, for instance, the FBI and the Financial Services Information Sharing and Analysis Center issued a warning that the same groups behind the unsuccessful Operation USA and Operation Israel attacks in May were planning a new DDoS attack. Their recommendations leave me perplexed. For instance, they suggest:

– Implement backup and recovery plans. Really? We’re supposed to wait for a warning on a 9/11 DDoS threat to know that we need to do this? We’re in serious trouble if that’s the case.

– Scan and monitor emails for malware. Again, really? This is a recommendation? Is there truly anyone out there who still doesn’t do this? And, if there is, they deserve whatever happens to their network, I say.

– Outline DDoS mitigation strategies. Finally, something a bit more relevant. I know for a fact that most companies aren’t putting much thought into DDoS defense strategy. Unfortunately, if you’re hosting a server with public access, you’ve no choice but to consider this with the utmost seriousness. Just how seriously, you ask? Well, that all depends on how much of your company’s livelihood hinges on that server.

It’s an undeniable fact of our Internet life that these things will keep happening, whether it’s 9/11 or OpUSA or a single private hacker from Russia or China. They’ll continue to happen, and we all understand the need to be prepared. DDoS preparedness is accomplished as a strategy. It involves hardware, large bandwidth, ISP collaboration, remote redundancy and other possible strategies for defense and evasion. This isn’t anti-malware. You can’t create a signature or heuristic against DDoS. This is sheer brute force: you win if you’re stronger, or if you’re the more elusive, so they can’t really get you. And that’s precisely why you need a strategy, and you need to plan it now. You can also purchase hardware — but make it part of a strategy. Don’t expect it to be the one and only thing you need to do to fend off a DDoS attack.

Source: http://www.informationweek.com/government/security/federal-ddos-warnings-are-outdated/240161165

9/11 DDoS Alert for Banks, Agencies

U.S. and Israeli government agencies and banking institutions should be on alert for a potential Sept. 11 wave of distributed-denial-of-service attacks launched by the same groups behind the unsuccessful Operation USA and Operation Israel attacks in May. That warning comes from cybersecurity experts and alerts issued by the Federal Bureau of Investigation and the Financial Services Information Sharing and Analysis Center. While OpUSA and OpIsrael, which were designed to take down websites operated by globally recognized brands and governmental agencies, were not successful, cybersecurity experts say the threat this time is genuine. The groups behind these attacks are now more organized, better equipped and trained, and more determined than they were the first time around, they say. The FBI, however, notes that the attacks are not expected to have a serious or significant impact. “It is thought that due to the fact that hackers will be relying on commercial tools to exploit known vulnerabilities, and not developing custom tools or exploits, that the skill levels are, at best rudimentary, and capable of causing only temporary disruptions of any of the targeted organizations,” the FBI alert states.

Attack Alerts

On Aug. 5, the FS-ISAC issued a warning to its membership about a new wave of DDoS attacks that could target U.S. banks. David Floreen, senior vice president of the Massachusetts Bankers Association, says the FBI, which issued a separate alert on Aug. 30, and the FS-ISAC asked banking associations to spread the word about the possibility of attacks. “The attacks are expected to occur in two phases,” notes the FBI alert. “Phase I will take place over a period of 10 days and target several commercial and government sites with DDoS attacks. … “Phase II is scheduled to take place on September 11, with a more widespread attack threatened, along with Web defacements.”

The FBI recommends organizations: implement data backup and recovery plans; outline DDoS mitigation strategies; scan and monitor e-mail attachments for malicious links or code; and mirror and maintain images of critical system files.

The FBI did not release its alert to the public, an FBI spokeswoman acknowledges. But in an effort to get the word out, the Massachusetts Bankers Association posted the FBI and FS-ISAC warnings on its site, Floreen says. The FS-ISAC alert names top-tier banks that are likely to be targeted during an upcoming attack. The list of potential attack targets includes the same 133 U.S. banking institutions named in the April 24 Anonymous post that appeared on Pastebin during the first OpUSA campaign, says financial fraud expert Al Pascual, an analyst with consultancy Javelin Strategy & Research. The FS-ISAC alert does not reference OpIsrael, but experts say OpUSA and OpIsrael are connected.

Planning Attacks

Gary Warner, a cyberthreat researcher at the University of Alabama at Birmingham who also works for the anti-phishing and anti-malware firm Malcovery, claims the hacktivist groups’ main focus, for now, is Israel. If attacks against Israeli targets are successful, then U.S. targets will be next, he warns. Since June, two hacktivist groups, AnonGhost and Mauritanian Attacker, have been building plans for OpIsrael Reborn, according to Warner’s research. So far, these groups have not been linked to new attacks planned for a sequel to OpUSA, Warner says. Both groups, however, were involved in OpIsrael and OpUSA, he notes. “As part of our process of watching the phishers who create counterfeit bank websites, we track where many of those criminals hang out and what sorts of things they are discussing,” he says. “We became aware of OpIsrael Reborn while reviewing posts made by criminals who have been phishing U.S. banks and Internet companies.” Announcements for the new campaign began Sept. 2. But more posts were added on Facebook and in underground forums within the last week to recruit additional attackers, he says. “AnonGhost and Mauritanian Attacker have taken the time to build a strong coalition of hackers,” Warner says. “In that June release, there were no dates, no members and no targets announced.” Since that time, attackers have honed their targets, and they claim to have already compromised several government and banking sites in Israel, he says. On Sept. 11, they plan to publish information they’ve compromised during those attacks, Warner adds. “They claim [on YouTube] they are going to begin publishing the internal government documents of Israel,” he says. “The video also makes reference to the recent FBI claim that they have dismantled Anonymous.” Attackers are uniting this time out of anger over those claims made by the FBI as well as recent attacks waged against Islamic businesses believed to be backed by an Israeli hacktivist group, Warner explains. So why is this wave of attacks being taken more seriously than the first OpIsrael? The sheer number of attackers, their tools and the way the hacktivist groups have been building momentum through social networking sites such as Facebook has raised serious concern, Warner says. “They’ve been gathering tools since June 9, and training attackers on how to do SQL and DDoS attacks,” he says. “It’s a SANS-quality training for hackers, and they’re prepping for wiping Israel off the [online] map.” On Sept. 9, two Israeli government websites were successfully taken offline for a period of time, Warner adds. “We did not see that success in OpIsrael or OpUSA,” he says. “If they pull this thing off against Israel, they will keep hitting others,” he says.

No Attack Link to Al-Qassam

Experts, including Warner, say Izz ad-Din al-Qassam Cyber Fighters, the self-proclaimed hacktivist group that’s been targeting U.S. banks since September 2012, does not appear to be involved in these most recent campaigns. And although U.S. banking institutions have built up strong online defenses over the last year to mitigate cyber-threats such as DDoS attacks, other sectors are far less prepared, Javelin’s Pascual says. “The lack of success that Izz ad-Din al-Qassam achieved during the fourth round of DDoS attacks was indicative of how well fortified U.S. banks have become,” Pascual says. But Rodney Joffe, senior technologist at DDoS-mitigation provider Neustar, says security professionals should be concerned that other attackers have learned lessons from al-Qassam’s strikes. “I don’t believe there is any connection between OpUSA and AQCF [al-Qassam Cyber Fighters],” he says. “However, the reason I think it is more worrying this time is because, as I have said over and over, the underground learned a lot of groundbreaking lessons from AQCF. … And this time around, they may be more successful.”

Source: http://www.bankinfosecurity.com/911-ddos-alert-for-banks-agencies-a-6054

Major DDoS attacks .cn domain; disrupts Internet in China

China’s Internet was hit with a major distributed denial of service (DDoS) attack Sunday morning that briefly disrupted and slowed access to sites in the .cn domain. The DDoS attack was the largest in history against the domain servers for China’s .cn ccTLD (country code top level domain), according to the China Internet Network Information Center (CNNIC), which administers the domain. The first attack started Sunday around midnight Beijing time, and was then succeeded by a larger attack at 4 a.m., the CNNIC said in an Internet posting. A number of sites were affected, but Internet service to the sites had been gradually restored by 10 a.m. Sunday. It’s unclear where the attack originated from or if it was still continuing. A CNNIC spokeswoman said on Monday it would update the public once more information was gathered. Chinese regulators have already launched unspecified measures to protect the domain system, while CNNIC has apologized for the disruption.

China has often been accused of launching DDoS attacks. In this year’s first quarter, it was the top source country for DDoS attacks, according to security vendor Prolexic. The U.S. was ranked second. DDoS attacks commonly work by deploying armies of hacked computers to send traffic to a website, saturating it with data so that it becomes inaccessible to normal users. China, however, has said it’s facing a surge of Trojan and botnet attacks against the country. Many of those attacks are coming from the U.S., South Korea and Germany. China has also denied that the country sponsors hacking, despite claims brought by U.S. officials and security vendor Mandiant that its government actively conducts cyber-espionage.

Source: http://www.computerworld.com/s/article/9241899/Major_DDoS_attacks_.cn_domain_disrupts_Internet_in_China

UCAS under DDoS attack

Ucas has been the victim of a hacking attempt, when its website was the target of a denial of service attack. The site was unavailable late on 14 August, the day before thousands of A-level students were due to receive their results across the country. A spokesperson for Ucas said: “The UCAS website suffered a sustained, criminal ‘denial of service’ attack. The site was down for an hour and then restored fully. No personal information was compromised. Confirmation and Clearing went ahead as normal. The attack originated in the Asia Pacific region and the police have been informed.” The chief executive of Ucas, Mary Curnock Cook, speaking to the Huffington Post, said staff were ‘pretty upset’ at the attempt. “The incident was contained very, very quickly and no personal data was released to anybody.”

As of yesterday evening, over one million students had logged into Track. Ucas placed nearly double the number of students through clearing this year, in comparison with numbers from last year. 7,970 students had found a place through clearing, compared with 4,180 last year. The attempt to wreck the system was stopped, thanks to new technology that Ucas has installed in its software. Curnock Cook said: “This year we have made a step-change in our technology arrangements and most of our critical services are deployed in the cloud, which gives us massive resilience.”

Source: http://www.independent.co.uk/student/news/ucas-hacked-ahead-of-alevel-results-8770993.html

Analysis: Who’s Really Behind DDoS?

Now that Izz ad-Din al-Qassam Cyber Fighters has launched its fourth phase of distributed-denial-of-service attacks against U.S. banks, many observers are continuing to ask: Who’s behind this group, and what are the real motives? Is al-Qassam really an independent hacktivist group, as it claims? Does it have connections to a nation-state, such as Iran? Or does it have ties to organized crime? And is there a possibility that it has leased out its botnet to multiple groups? In this analysis, Information Security Media Group weighs the evidence.

Al-Qassam has been waging DDoS attacks against leading U.S. banking institutions and a handful of smaller ones since last September. The attacks, designed to disrupt online banking service, have, so far, proven to be more of a nuisance than a malicious threat. But the launch of this new phase, which was announced July 23, raises new questions about just who is behind Izz ad-Din al-Qassam.

The Group’s Message

Since the beginning, al-Qassam has positioned itself as a group of hacktivists – independent attackers who are waging online war against U.S. banking institutions to make a social statement. The group claims the catalyst for the attacks is a movie trailer on YouTube that it deems offensive to Muslims. And because YouTube has not removed links to this trailer, as al-Qassam has asked, al-Qassam is focusing its attack energies on America’s core – its financial foundation. In an Oct. 23 post on the open forum Pastebin, al-Qassam restated its purpose, and noted that the attacks are not being waged to perpetrate fraud. “We have already stressed that the attacks launch only to prevent banking services temporarily throughout the day and there is no stealing or handling of money in our agenda,” the group states. “So if others have done such actions, we don’t assume any responsibility for it. Every day we are giving a compulsive break to all employees of one of the banks and its customers.” The post also takes issue with statements made in October by U.S. Defense Secretary Leon Panetta, who during a speech about cybersecurity noted that industries touching critical infrastructure were at risk. “Mr. Panetta has noted in his remarks to the potential cyberthreats such as attacking on power and water infrastructures, running off trains from the tracks and etc.,” the post states. “In our opinion, Panetta’s remarks are for distracting the public opinion and in support of the owners of the banks’ capital. … This is capitalism’s usual trick.” Then, in November, an alleged member of al-Qassam told ABC News that its attacks were not backed by anyone, nor were they connected to the August 2012 attack on Aramco, a Saudi oil firm, which involved the deletion of data from tens of thousands of computers. “No government or organization is supporting us, and we do not wait for any support as well,” the self-proclaimed al-Qassam member wrote in an e-mail, ABC News reported. “Do you think that the massive protests in the world are done with support? [In] the same manner [that] millions of Muslims in the world protested, hackers are also part of this protest.” But many experts have questioned the protest motive and have expressed doubt that al-Qassam is what it says it is.

Experts’ Views

Financial fraud analyst Avivah Litan has repeatedly argued these attacks are actually being backed by a nation-state, namely Iran, not independent hacktivists. Others, such as Bill Wansley of the consultancy Booz Allen Hamilton, have shared similar opinions. “There are indications that it’s an Iranian group,” Wansley told BankInfoSecurity in late September 2012. “There are a lot of indicators it’s from that region of the world. But these hacktivist groups, frankly, can operate from a number of different locations and give the impression of being from one time zone when they’re really not. So it’s not conclusive. But there certainly have been some indicators, such as the use of Arabic names, Iranian names and the time zone [and the time of day when the first attacks struck] that would indicate something from that part of the world.” An unnamed source within the U.S. government quoted in the New York Times in May suggested Iran is backing attacks against the U.S. in retaliation for economic sanctions the U.S. has imposed on Iran. Many security experts, however, have been reluctant to attribute these attacks to any one type of actor. That’s because any attribution could only be based on circumstantial evidence in the online world, says Alan Brill, cybercrime investigator and senior managing director at investigations and risk-consulting firm Kroll. “You can’t accept crowd opinion for verified fact,” he says. “I think it’s still very difficult to attribute things like this, simply because the Internet was never designed to make that easy.” Although Brill admits he has not carefully reviewed the evidence linked to these attacks, he says attributing these types of attacks is challenged by attackers’ abilities to mask their points of origination with throw-away IP addresses and anonymous networks. “Unlike other forms of evidence, such as a fingerprint at a crime scene, which does not change, this stuff is just so fluid,” he says. “It’s very difficult to put all of the pieces together. And in the case of state actors, you’re not going to get a lot beyond circumstantial evidence.”

Reviewing Patterns

But what can the industry glean from the most recent attacks? Many experts say the more they learn about al-Qassam, the more confused they are. The group’s Pastebin announcements, attack schedules and breaks between attack campaigns have been inconsistent. Just as soon as the industry thinks it’s outlined a pattern, the pattern changes, as shown again in this fourth wave of attacks. Here, Information Security Media Group spells out some important factors.

Are They Really Hacktivists?

Support for the notion that al-Qassam is a hacktivist group stems from the fact that it claims itself to be one – and so far, no financial fraud or other type of data compromise has been linked to an al-Qassam attack. Banking regulators have warned of the potential for DDoS to be used as a mode of distraction for fraud to be perpetrated in the background. But so far, no account compromises have been associated with al-Qassam attacks. The group claims it’s waging its attacks for social reasons – outrage over a YouTube video deemed offensive to Muslims. That purpose would suggest this is just a group of hacktivists out for attention.

Is a Nation-State Involved?

But none of the industry experts interviewed for this analysis believes that is truly the motive. Hacktivists typically want attention. “There’s usually some bragging about what was accomplished,” Wansley said last year. “That’s the typical pattern of some of the hacktivist groups.” While al-Qassam bragged on Pastebin in the early weeks of its attacks, the bragging has waned over time. Hacktivists also often name their targets in advance. Al-Qassam did this early on, but as the attacks became less effective, that stopped. During the second and third campaigns, al-Qassam took credit after the attacks. Now, most of that post-attack bragging has stopped as well. And experts note that these DDoS strikes have been hitting U.S. banking institutions for nearly a year; a hacktivist group would need substantial funding to run an attack campaign that long. That’s why many believe al-Qassam is actually a front for a nation-state, a criminal network – or even a mix of both. “In this case, there’s a group that has an Arabic name that has never been associated with cyber-activity at all,” Wansley noted. “[The name has] been associated with Hamas. And for them to, all of the sudden, become a hacktivist group is just really interesting. We’ve never seen that before. That doesn’t mean they’re not doing it, but it could also mean they’re being used as a cover for some other country or organization to do something.” The timing of this fourth phase further supports the notion that al-Qassam is actually a nation-state actor, Gartner’s Litan contends. The Iranian presidential election, as well as elections for regional posts, occurred June 14. Litan says the attacks were expected to lapse during the election, assuming that the Iranian government is actually funding the attacks. “We all knew they’d be back after the election,” she says. “Really, this is just business as expected.” Based on information she’s gathered from law enforcement and some of the attacked banks, Litan concludes: “We know it’s Iran because the attacks have been traced back to them, through the files, through the servers.”

Is There a Criminal Connection?

But could there be a criminal element involved? Many experts say a connection to organized crime is possible, because the attackers waging these long-term, extensive DDoS strikes are likely getting funding from a nefarious source. But are there clues al-Qassam is waging its attacks for a criminal purpose? Brobot, al-Qassam’s botnet, keeps growing, experts say. While the attacks waged by Brobot have been unsuccessful at causing any significant online outages during the third and fourth phases, al-Qassam has continued to increase the botnet’s size. Why? Some argue the purpose is to rent out Brobot for a profit – perhaps to cybercrime rings. And attacks linked to Brobot this campaign may support the notion that Brobot is now being used by more than just al-Qassam. During the afternoon hours of July 30, Brobot was used to attack merchant sites, seemingly as a coding test for the attacks that kicked off July 31, says Mike Smith of the cybersecurity firm Akamai, which has been tracking and mitigating DDoS activity linked to al-Qassam. The only commonality among the July 30 targets: They all have the word “Da Vinci” in their website URLs, Smith and others confirmed. “There was no connection to banking at all,” Smith says.

Source: http://www.govinfosecurity.com/analysis-whos-really-behind-ddos-a-5966

5 Steps to Prepare for a DDOS Attack

As more people are realizing that in today’s cyber climate Distributed Denial of Service (DDoS) attacks are a matter of when, not if, the most common question I get asked is “What can I do to prepare?” I like to break it down into 5 key steps enterprises can take now to be prepared for a future attack:

1. Centralize Data Gathering and Understand Trends

This is true across all security topics, but the last thing you want to be is blind when a DDoS attack hits. Generally the DDoS attack timeline goes something like this for the head of network operations:

– 9:00 am – your monitoring system starts lighting up like a Christmas tree and your phone is blowing up with SMS alerts saying “the site is down.”

– 9:01 am – your CEO calls you screaming “why is the site down?!?!?!?!”

Hopefully, you can answer that question, but without proper metrics and data gathering you can’t possibly hope to identify the root cause. It could be a network circuit down, data center failure, DDoS attack, etc. With proper data gathering and monitoring in place, you can quickly identify a DDoS attack as the cause, and you can start the process of getting the website back up and running. It’s critical to identify the cause early, as DDoS attacks can be quite complex, and the sooner you jump on identification and remediation, the sooner the site will be back up. At minimum, the metrics you should gather include:

– Inbound and outbound bandwidth on all of your network circuits, peering connections, etc.

– Server metrics: CPU load, network and disk I/O, memory, etc.

– Top talkers: top sources and destinations of traffic by IP and port.

– If you are running a web site, you need to understand items like top URLs being requested (vs. the top URLs usually being requested), top HTTP headers, HTTP vs. HTTPS traffic ratios, etc.

All of these metrics (and there are many more I didn’t cover) should then be sent to a central logging and correlation system so you can view and compare them from a single viewpoint. This helps you spot trends and quickly identify the sources and method of the attack. This is especially important when it’s a very complex attack where it might not be an obvious issue (e.g. it’s easy to see when your network bandwidth is saturated, but when it’s a botnet simulating clicking the “Add to Cart” button to overwhelm your database resources, that isn’t as easy to spot; especially if you are trying to piece together data from many disparate systems).

2. Define a Clear Escalation Path

Now that you have determined it really is a DDoS attack, what next? Do you know who to call to get your service back up and running? What tools do you have in place to block the malicious traffic? If you have purchased DDoS protection (very smart!), how do you get the system fired up? These are key questions that should be written down and answered BEFORE the attack hits. During an attack people are rarely calm, and it’s no fun trying to figure out an escalation path in the middle of the craziness. Do it before the attack hits so you can calmly execute your plan and get your site back up and running. Note that this doesn’t just mean “technical” contacts. You want to let the head of support and customer service know as well. You can bet customers will be calling in, and there is nothing worse than to answer “weird, I didn’t know our site was down” when a customer calls. You also want to let your CEO know (if he or she doesn’t already). Each business is different, so you should consider your situation and think of all the people who might want to know the website is down and add them to the list. An “outages” mailing list is a central place to report these items without you needing to remember who to send the info to every time. If you do have a cloud-based DDoS protection service in place, make sure the group you have chosen internally to be the touch point with the provider has the up-to-date 24/7 hotline, email address to send capture files to, etc. The vendor should be one of the first calls you make to start the mitigation. You need to engage your mitigation provider immediately, as they have done this many times before and will know what to do to get your site back up and running.

3. Use Layered Filtering

In the discussion on size vs. complexity of an attack, you need to be able to handle both the “big and dumb” types (a whole lot of requests that are generally easy to spot as malicious – often known as “network level”) and “small and complex” (fewer requests, but extremely difficult to differentiate legitimate vs. malicious – commonly referred to as “application level” or “layer 7” attacks). Some tools and techniques work (and scale) very well to mitigate against the “big and dumb” types, but fail miserably on the application attacks. On the other hand, some techniques that are required for application attacks have trouble scaling on the larger network attacks. Recently, we have seen more of a third type of attack, “big and complex!” A combination of the two aforementioned attack types, these are big attacks where the traffic is really hard to identify as malicious or legitimate. With great technology and layered filtering, though, you are in a better position to handle any of these types of attacks.

4. Address Application and Configuration Issues

Not only are DDoS attacks really good at pinpointing bottlenecks in your network and security infrastructure, they are also amazing at identifying problems in your application, especially when it comes to performance tuning and configuration. If you haven’t done proper application load testing (both before launch and every so often to check for any slowness that may have crept in), a DDoS attack may be the first time your website or application has really been stress-tested. You may find your database configuration is sub-optimal, or your Web server isn’t configured for enough open connections. Whatever the issue, you will quickly see how well you have tuned your website. It’s always a good idea to do load testing of your site on your schedule, not the attackers’.

5. Protect Your Domain Name System (DNS)

This is crucial and yet probably the most overlooked of all of the above recommendations. I can’t tell you how many enterprises have spent millions of dollars on their Web hosting infrastructure (data centers, web servers, load balancers, database servers, etc.) but have only two low-end DNS servers to handle all of their DNS traffic. DNS is an extremely common target of a DDoS attack due to how critical the service is for Web availability (there are plenty of articles and examples of large Web properties going down due to DNS issues – often attack-related). If a customer can’t resolve the IP address of your website (which is the job of DNS), it doesn’t matter how much you have spent on your hosting, that customer is not getting to your site. Protecting your DNS as part of a good DDoS mitigation strategy is fundamental. (Here’s a report from Gartner Research that discusses this issue.)

Conclusion

It would take a book to cover all of these topics in depth. Hopefully this will at least give you some things to think about and plan for with your DDoS mitigation strategy. Stay tuned for my next post where I will go in depth on some of the cool technology we use at Verisign to protect both our own and our customers’ infrastructure.

Source: http://www.circleid.com/posts/20130731_5_steps_to_prepare_for_a_ddos_attack/
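The following is an added example, not code from the original post or from Verisign. It shows what step 1 above looks like in practice: the "top talkers" and "top URLs requested vs. usually requested" counters are computed from web-server access-log lines and compared against a baseline window, so that a botnet hammering an "Add to Cart" endpoint stands out even when raw bandwidth looks normal. All log lines, IP addresses, paths and thresholds are constructed for the example; the log format is the standard Apache/nginx "combined" format.

```python
"""
Added example: top-talker / top-URL anomaly check against a baseline window.
Everything below (log lines, addresses, paths, thresholds) is constructed.
"""
import re
from collections import Counter

# One line of the "combined" access-log format, e.g.
#   203.0.113.7 - - [31/Jul/2013:09:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse_line(line):
    """Return the fields of one access-log line, or None for an unparsable line."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec


def summarize(lines):
    """Aggregate the counters step 1 asks for: request total, bytes, requests per IP and per path."""
    by_ip, by_path = Counter(), Counter()
    total, total_bytes = 0, 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:          # skip garbage rather than abort the whole analysis
            continue
        total += 1
        total_bytes += rec["size"]
        by_ip[rec["ip"]] += 1
        by_path[rec["path"]] += 1
    return {"total": total, "bytes": total_bytes, "by_ip": by_ip, "by_path": by_path}


def share(counter, total):
    """Fraction of all requests attributable to each key (empty if there were no requests)."""
    return {k: v / total for k, v in counter.items()} if total else {}


def find_anomalies(current, baseline, growth=5.0, path_share_min=0.2, talker_share_min=0.25):
    """Compare the current window against a baseline window.

    A path is flagged when its share of requests is at least `growth` times its
    baseline share (or it never appeared in the baseline) AND it now accounts for
    at least `path_share_min` of traffic. A source IP is flagged when it alone
    sends at least `talker_share_min` of all requests. The thresholds are
    constructed for this example; tune them against your own traffic history.
    """
    cur_paths = share(current["by_path"], current["total"])
    base_paths = share(baseline["by_path"], baseline["total"])
    cur_ips = share(current["by_ip"], current["total"])

    hot_paths = []
    for path, cur in cur_paths.items():
        base = base_paths.get(path, 0.0)
        grown = base == 0.0 or cur / base >= growth   # a brand-new path counts as grown
        if grown and cur >= path_share_min:
            hot_paths.append((path, round(cur, 3), round(base, 3)))

    hot_talkers = [(ip, round(s, 3)) for ip, s in cur_ips.items() if s >= talker_share_min]
    return {"hot_paths": sorted(hot_paths), "hot_talkers": sorted(hot_talkers)}


# --- Constructed sample data (not real traffic) ------------------------------
def make_line(ip, method, path, size=512, ts="31/Jul/2013:09:00:01 +0000"):
    return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" 200 {size} "-" "Mozilla/5.0"'


def normal_hour():
    """Baseline window: ordinary browsing with the occasional add-to-cart (20 requests)."""
    lines = [make_line(f"203.0.113.{i}", "GET", "/index.html") for i in range(1, 9)]
    lines += [make_line(f"203.0.113.{i}", "GET", "/product/42") for i in range(9, 15)]
    lines += [make_line(f"203.0.113.{i}", "GET", "/search?q=shoes") for i in range(15, 19)]
    lines += [make_line(f"203.0.113.{i}", "POST", "/cart/add") for i in range(19, 21)]
    return lines


def attack_hour():
    """Current window: three sources repeatedly hitting the expensive endpoint (20 requests)."""
    lines = [make_line(f"203.0.113.{i}", "GET", "/index.html") for i in range(1, 5)]
    lines += [make_line(f"203.0.113.{i}", "GET", "/product/42") for i in range(5, 8)]
    lines += [make_line("203.0.113.8", "GET", "/search?q=shoes")]
    lines += [make_line("198.51.100.10", "POST", "/cart/add")] * 5
    lines += [make_line("198.51.100.11", "POST", "/cart/add")] * 4
    lines += [make_line("198.51.100.12", "POST", "/cart/add")] * 3
    lines.append("this line is not a log entry")   # exercises the parse-failure path
    return lines


def run_demo():
    return find_anomalies(summarize(attack_hour()), summarize(normal_hour()))


if __name__ == "__main__":
    print(run_demo())
```

In the constructed data the request volume is identical in both windows (20 requests), so a bandwidth graph alone would show nothing; the per-path comparison flags /cart/add (60% of requests against a 10% baseline) and the per-IP view flags the single heaviest source. In a real deployment the baseline would come from the central logging system the post recommends, computed over the same hour of the day on previous weeks.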

Network Solutions Recovers After DDoS Attack

Network Solutions said it’s fully mitigated a distributed denial of service (DDoS) attack that compromised some services last week, and that attack volumes against the company had returned to normal. “We experience DDoS attacks almost daily, but our automatic mitigation protocols usually handle the attacks without any impact to our customers,” said John Herbkersman, a spokesman for Network Solutions’ parent company, Web.com, via email. Network Solutions manages more than more than 6.6 million domains, provides hosting services, registers domain names and also sells SSL certificates, among other services. But Monday, some customers reported still experiencing domain name server (DNS) and website updating difficulties that dated to the start of the DDoS attacks. The company, however, disputed those claims. “Some customers may be experiencing issues, but they are not related to last week’s DDoS attack,” said Herbkersman. The DDoS attacks began last week, with Network Solutions at first reporting that “some Network Solutions hosting customers are reporting latency issues,” according to a “notice to customers who are experiencing hosting issues” posted to the company’s website on Tuesday, July 16. “Our technology team is aware of the problem, and they’re working to resolve it as quickly as possible. Thank you for your patience,” it said. As the week continued, the company posted updates via Twitter and to its Facebook page. By Wednesday, it said that the outages were due to a DDoS attack “that is impacting our customers as well as the Network Solutions site.” It said that the company’s technology staff were “working to mitigate the situation.” Later on Wednesday the company declared via Twitter: “The recent DDOS attack affecting customers has now been mitigated. Customer websites should be resolving normally. Thanks for your patience.” The Network Solutions website wasn’t available or updateable for the duration of the attacks. 
But that wasn’t apparent to all customers, who might not have turned to Facebook and Twitter seeking updates about the company’s service availability. One InformationWeek reader, who emailed Friday, accused Network Solutions of being less than forthcoming about the fact that the outages were being caused by a DDoS attack, “which they acknowledged only when calling them,” after he found only the “notice to customers who are experiencing hosting issues” post on the company’s site. “They have been trying to bury it,” he alleged. “Some sites were down for the entire day.”

Herbkersman brushed off the criticism. “In addition to Facebook, we communicated via the Network Solutions’ website and via Twitter,” he said. “We also responded directly to customers who called our customer service team and those who contacted us via social media channels.”

Friday, the company did publish a fuller accounting of the outage to its website. “Earlier this week, Network Solutions experienced a distributed denial of service (DDoS) attack on its servers that affected our customers. The Network Solutions technology team quickly identified the issue and implemented measures to mitigate the attack,” read a statement posted to the company’s site and cross-referenced on its Facebook page. “We apologize to our customers who were impacted.”

“Are we getting refunded some money because of your 99.99% uptime guarantee?” responded one member via Facebook. “Feel free to call our support team and they will be happy to discuss,” came a reply from Network Solutions.

Customers might have had to contend with more than just the DDoS attack. A Tuesday Facebook post — since deleted, which the company said it made to help direct customers to more recent information about the DDoS-driven outages — drew comments from customers reporting DNS issues.
“There were multiple reports on the July 16, 2013 Facebook thread that appear to indicate customer DNS records were corrupted before the DDoS induced outage,” Craig Williams, a technical leader in the Cisco Systems threat research group, said in a blog post. The one-two punch of domain name resolution difficulties and a DDoS attack could have left numerous sites inaccessible not just during the attack, but in subsequent days, as the company attempted to identify the extent of the damage and make repairs.

Last week’s DDoS attack was the second such attack for Network Solutions customers in less than a month. “In [the] previous outage, domain name servers were redirected away from their proper IP addresses,” said Williams. In that case, however, at least some of the DNS issues appeared to be “a result of a server misconfiguration while Network Solutions was attempting to mitigate a DDoS attack.” Herbkersman, the Web.com spokesman, said last week’s outages were entirely driven by the DDoS attacks, rather than the company’s response to those attacks.

Source: http://www.informationweek.com/security/attacks/network-solutions-recovers-after-ddos-at/240158685

Network Solutions restores service after DDoS attack

Network Solutions said Wednesday it has restored services after a distributed denial-of-service (DDoS) attack knocked some websites it hosts offline for a few hours. The company, which is owned by Web.com, registers domain names, offers hosting services, sells SSL certificates and provides other website-related administration services.

Network Solutions wrote on Facebook around mid-day Wednesday EDT that it was under attack. About three hours later, it said most customer websites should resolve normally. Some customers commented on Facebook, however, that they were still experiencing downtime. Many suggested a problem with Network Solutions’ DNS (Domain Name System) servers, which are used to look up domain names and translate the names into IP addresses that can be requested by a browser.

DDoS attacks are a favored method to disrupt websites and involve sending large amounts of data in hopes of overwhelming servers and causing websites to not respond to requests. Focusing DDoS attacks on DNS servers has proven to be a very effective attack method. In early June, three domain name management and hosting providers — DNSimple, easyDNS and TPP Wholesale — reported DNS-related outages caused by DDoS attacks. Hosting service DNSimple said it came under a DNS reflection attack, where DNS queries are sent to one party but the response is directed to another network, exhausting the victim network’s bandwidth.

Source: http://www.pcworld.com/article/2044618/network-solutions-restores-service-after-ddos-attack.html
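The reflection pattern described above leaves a recognisable trace on the victim side: DNS responses arriving from port 53 that no host on the network ever asked for, in volumes far larger than the network's own queries. The following is an added example (not code from the PCWorld article, DNSimple or Network Solutions) that parses a constructed flow log in a simple "src:port -> dst:port bytes" format and reports internal hosts receiving unsolicited DNS responses. The 10.0.0.0/24 "internal" prefix, the log format and all addresses and byte counts are assumptions made for the example.

```python
"""Spot DNS reflection traffic in constructed flow records.

Added example. A reflection attack sends queries with the victim's spoofed
source address to third-party resolvers, so the victim receives large DNS
responses it never requested. Two victim-side signatures follow: responses
from port 53 with no matching outbound query, and response bytes dwarfing
the victim's own query bytes. Everything below (prefix, log format, flows)
is constructed for illustration, not taken from a real capture.
"""
from collections import defaultdict
from typing import NamedTuple


class Flow(NamedTuple):
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    nbytes: int


INTERNAL_PREFIX = "10.0.0."  # assumption: the protected network is 10.0.0.0/24

# Constructed flow log (not real capture data). 10.0.0.5 and 10.0.0.9 each
# perform one ordinary lookup; 10.0.0.9 additionally receives four large
# responses from resolvers it never queried.
SAMPLE_LOG = """\
10.0.0.5:40001 -> 8.8.8.8:53 60
8.8.8.8:53 -> 10.0.0.5:40001 120
10.0.0.9:40002 -> 1.1.1.1:53 58
1.1.1.1:53 -> 10.0.0.9:40002 110
198.51.100.7:53 -> 10.0.0.9:33000 3200
198.51.100.8:53 -> 10.0.0.9:33001 3100
198.51.100.9:53 -> 10.0.0.9:33002 3300
203.0.113.4:53 -> 10.0.0.9:33003 3000
"""


def parse_flows(text):
    """Parse 'src:port -> dst:port bytes' lines into Flow records."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        src, _, dst, nbytes = line.split()
        sip, sport = src.rsplit(":", 1)
        dip, dport = dst.rsplit(":", 1)
        flows.append(Flow(sip, int(sport), dip, int(dport), int(nbytes)))
    return flows


def is_internal(ip):
    return ip.startswith(INTERNAL_PREFIX)


def detect_reflection(flows, min_unsolicited=3):
    """Return {victim_ip: report} for internal hosts hit by unsolicited DNS responses."""
    # Outbound queries we actually observed, keyed by (client, client_port, resolver).
    queries = set()
    query_bytes = defaultdict(int)
    for f in flows:
        if is_internal(f.src_ip) and f.dst_port == 53:
            queries.add((f.src_ip, f.src_port, f.dst_ip))
            query_bytes[f.src_ip] += f.nbytes

    # A response is unsolicited when no query from that client port to that
    # resolver preceded it; a spoofed-source reflection produces exactly this.
    unsolicited = defaultdict(list)
    for f in flows:
        if is_internal(f.dst_ip) and f.src_port == 53:
            if (f.dst_ip, f.dst_port, f.src_ip) not in queries:
                unsolicited[f.dst_ip].append(f)

    reports = {}
    for victim, responses in unsolicited.items():
        if len(responses) < min_unsolicited:
            continue
        total = sum(f.nbytes for f in responses)
        reports[victim] = {
            "unsolicited_responses": len(responses),
            "unsolicited_bytes": total,
            "bytes_per_response": total // len(responses),
            "reflectors": sorted({f.src_ip for f in responses}),
            "own_query_bytes": query_bytes.get(victim, 0),
        }
    return reports


if __name__ == "__main__":
    for victim, report in detect_reflection(parse_flows(SAMPLE_LOG)).items():
        print(victim, report)
```

The `reflectors` list is the useful output for a defender: those are open resolvers abused as amplifiers, and rate-limiting or filtering inbound port-53 traffic from them at the edge (or asking the upstream provider to) is the usual first response, while the `own_query_bytes` figure makes the amplification obvious when the numbers are compared.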

Staying Informed About DDoS Threats

Distributed-denial-of-service attacks have plagued U.S. banks since last September. But DDoS attacks pose a persistent, genuine threat to other sectors as well. Any organization with an online presence is at risk. Successful DDoS attacks can take a website offline, damaging brand image and chipping away at consumer trust. But they also can do much more. In some cases, these attacks can be used to mask fraud by distracting security and IT departments while banking accounts or confidential files are simultaneously being taken over.

To provide insights on the latest DDoS threats – and effective mitigation strategies – Information Security Media Group has launched a DDoS Resource Center. The resource center, sponsored by online security firms Akamai, Fortinet, Neustar, Radware and VeriSign, includes timely interviews, in-depth features, news stories and blogs that offer insights about emerging botnets and attack techniques from those who are analyzing and battling DDoS on the frontlines. The resource center also offers expert insights on practical steps for minimizing the impact of DDoS attacks.

By visiting the resource center, you’ll get the latest information on the different types of DDoS attacks, such as DNS reflection and application layer attacks, as well as the attacks’ possible links to fraud. You’ll learn about DDoS protections and mitigation services, notification and response strategies, and DDoS detection measures.

Here’s a sampling of the variety of content our resource center offers:

– An interview with ex-FBI investigator Shawn Henry, who shares insights about cross-border and cross-industry collaboration that’s taking place behind the scenes to strengthen DDoS and cybersecurity knowledge.
– An analysis of a new type of DDoS strike that targeted two U.S. banks for what some say could have been a test for more attacks to come.
– A blog about how the botnet, known as Brobot, that’s been used in DDoS attacks against U.S. banks is being retooled to defeat common mitigation practices.
– An interview with former federal banking examiner Amy McHugh about why community banks are prime targets for DDoS strikes being waged as modes of distraction to veil account takeover attempts.

The DDoS Resource Center also provides research, white papers and webinars, including a session on new defense strategies for DDoS, which includes insights from Rodney Joffee of DDoS-mitigation provider Neustar and Mike Wyffels, senior vice president and chief technology officer of multibank holding company QCR Holdings Inc.

Source: http://www.bankinfosecurity.com/blogs/staying-informed-about-ddos-threats-p-1506

Protect Your Website: How to Fight DDoS Attacks

Distributed denial of service (DDoS) attacks, which make a specific resource unavailable to its intended users, are becoming more complex and sophisticated. Attackers don’t just carry out single attacks — they repeatedly test their target’s security and target their assault to achieve the highest amount of damage. Thousands and thousands of attacks occur daily, shutting down websites and network systems, essentially rendering businesses inoperable.

To combat DDoS attacks, the first thing SMBs must do is assume they are going to be a target. Since the only DDoS attacks we hear about are those against large corporations, banks and the government, many SMBs don’t think they will ever be the target of digital warfare. Consequently, they don’t take the necessary precautions to prevent or mitigate attacks.

“The reason for an attack could be anything,” said Vann Abernethy, senior product manager for NSFOCUS, a leading global DDoS mitigation solution provider. It could be an extortion attempt, a protest against company practices, or even an act of revenge by a disgruntled client or ex-employee. Even without any technical knowledge, anyone with a checkbook and a grudge or a statement to make can launch an attack. “Everybody that has a measurable ROI associated with their web presence or anybody that can feel pain from their website being down is a target.”

Despite the growing threat of DDoS attacks, most Web service providers will not guard your back, according to Abernethy, as it’s not uncommon to cut off one pipe to protect the network. “If you get hit, they’ll say, ‘We’re gonna protect the rest of our customers by shutting you down.’” Therefore, Abernethy tells businesses to always read the fine print and see what their Web host’s policies are regarding DDoS attacks. While some say they will protect you, most have consumer-grade security that is not strong enough to defend your website against high-volume attacks.
“SMBs really have two choices to make,” said Brian Laing, vice president of AhnLab, a security solutions provider. “The first is to use cloud-based applications which can more easily scale up to handle any DDoS attacks. The second option would be to implement a DDoS solution that can protect against both application and bandwidth (packet flooding) attacks.”

Before implementing any type of DDoS defender, SMBs should investigate exactly what type of solution a vendor is providing, according to Laing. For instance, the defense mechanism should be able to recognize good traffic from bad, while also having a self-learning capability to be able to set flexible thresholds. Abernethy agrees. “We see thousands and thousands of attacks every day, so we have both detection and mitigation algorithms. They basically say, ‘That looks like an attack, it smells like an attack, let’s engage our mitigation algorithms.’ It looks at the attack traffic itself and then says, ‘Yes, that is an attack.’ We can detect those attacks and the system can be set up to go into automatic mitigation.”

What SMBs need, Abernethy says, is a purpose-built DDoS defender with both detection and mitigation functions to quickly diagnose and mitigate DDoS attacks. The system should also be a “learning machine” that gets to know your environment over time for more precise detection.

SMBs should also keep in mind that defending oneself from DDoS attacks doesn’t stop at prevention and mitigation. Because a DDoS attack shuts down your entire operation — and because most anti-DDoS protections are primarily concerned with simply knocking the attack down — you should have a recovery plan that either you or your providers facilitate.

Pierluigi Stella, chief technology officer of Network Box USA, global managed security services provider, says that fending off an attack boils down to strategy and having the right resources for defense.
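The “self-learning” threshold Laing and Abernethy describe is, at its simplest, a baseline of normal request rate that the detector maintains itself and a flood test against that baseline rather than a fixed number. The block below is an added example, not code from NSFOCUS, AhnLab or the article: an exponentially weighted mean and variance of the per-second request rate, with a sample flagged when it exceeds mean plus k standard deviations. The parameter values, the std floor and the constructed rate series are all assumptions made for the example.

```python
"""Adaptive-threshold flood detection over a constructed request-rate series.

Added example. The detector keeps an exponentially weighted baseline of the
normal request rate and flags any sample above mean + k * stddev. Samples it
judges anomalous are deliberately not fed back into the baseline, so a flood
cannot raise the threshold while it is running (the failure mode of a naive
moving average). All constants and the sample series are assumptions.
"""
import math


class AdaptiveRateDetector:
    def __init__(self, alpha=0.1, k=4.0, std_floor=5.0, warmup=20):
        self.alpha = alpha            # weight of the newest sample in the baseline
        self.k = k                    # standard deviations above baseline that count as a flood
        self.std_floor = std_floor    # never treat jitter below this many req/s as significant
        self.warmup = warmup          # samples learned unconditionally before alerting starts
        self.mean = None
        self.var = 0.0
        self.seen = 0

    def threshold(self):
        """Current alert threshold in requests per second."""
        std = math.sqrt(self.var)
        return self.mean + self.k * max(std, self.std_floor)

    def _learn(self, rate):
        if self.mean is None:
            self.mean = float(rate)
        else:
            diff = rate - self.mean
            incr = self.alpha * diff
            self.mean += incr
            # Exponentially weighted variance (Welford-style update).
            self.var = (1 - self.alpha) * (self.var + diff * incr)
        self.seen += 1

    def observe(self, rate):
        """Return True when `rate` is a flood relative to the learned baseline."""
        if self.seen < self.warmup:
            self._learn(rate)
            return False
        if rate > self.threshold():
            return True           # anomalous: do not let it shift the baseline
        self._learn(rate)
        return False


def build_series():
    """Constructed req/s samples: 60 s of jitter around 100, a 10 s flood, then recovery."""
    normal = [100 + (i * 7) % 11 - 5 for i in range(60)]   # values in 95..105
    flood = [4000 + 50 * j for j in range(10)]
    return normal + flood + [100] * 5


SAMPLE_SERIES = build_series()


def detect_floods(series, **kwargs):
    """Return the indices of samples the detector flags as floods."""
    det = AdaptiveRateDetector(**kwargs)
    return [i for i, rate in enumerate(series) if det.observe(rate)]


if __name__ == "__main__":
    print("flood samples at:", detect_floods(SAMPLE_SERIES))
```

In practice one detector instance is kept per dimension that matters (total rate, per source address, per URL), which is what lets the system tell good traffic from bad rather than only noticing that volume went up. The remaining weakness of this approach is a slow ramp that stays under the threshold at every step and is learned as normal; bounding how fast the baseline may grow between samples is the usual countermeasure.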
“The real problem, though, is that defense is not a piece of hardware but a strategy, wherein the hardware plays an important role, but isn’t the only player,” Stella said. First, if your connection is an old T1 at 1.5 Mbps, Stella advises businesses to upgrade to one with much larger bandwidth that can’t be saturated so quickly.

A Disaster Recovery (DR) site should also be part of your recovery plan, Stella said. The DR site should have all your data, so it will serve as your temporary site as you work on getting the current one back up.

Ryan Huber, chief architect at Risk I/O, a leader in vulnerability intelligence, says that depending on your business, a simpler option is a static page, such as product literature or another representation of your site. This will temporarily disable site functions such as online ordering, but serves its damage-control purpose of not keeping customers in the dark as you get the full site running. “This has the added benefit of helping you to keep users informed during the attack,” he said.

Abernethy recommends that anyone who does business online do regular, full backups. The recovery plan should also include critical details, such as what the recovery process is, where data backups are stored and who is responsible for which tasks. Disaster-recovery planning should also be part of regular operational maintenance. “Don’t just make a plan and think you are covered,” Abernethy said. “Get into the habit of reviewing the full plan each backup cycle to ensure any changes are accounted for. It sounds like a lot of extra work, but it really isn’t if you build it into your normal routine.”

As Stella says, businesses should always be in ‘prepared mode.’ “Don’t wait for the hurricane to strike.”

Source: http://www.businessnewsdaily.com/4667-ddos-attacks-small-business.html
