Tag Archives: rights

Federal DDoS Warnings Are Outdated

It’s always the same: Government cybersecurity experts learn of pending distributed denial of service attacks, especially around the anniversary of Sept. 11, and issue warning after warning after warning, as though security is something we can do on a “per-warning” basis. I really don’t understand this way of approaching security or why government agencies believe such warnings are helpful. I’m not saying we shouldn’t be warned — not at all. What I’m saying is that we shouldn’t wait for a warning before we do something about security. On Aug. 5, for instance, the FBI and the Financial Services and Information Sharing and Analysis Center issued a warning that the same groups behind the unsuccessful Operations USA and Operation Israel attacks in May were planning a new DDoS attack. Their recommendations leave me perplexed. For instance, they suggest: – Implement backup and recovery plans. Really? We’re supposed to wait for a warning on a 9/11 DDoS threat to know that we need to do this? We’re in serious trouble if that’s the case. – Scan and monitor emails for malware. Again, really? This is a recommendation? Is there truly anyone out there who still doesn’t do this? And, if there is, they deserve whatever happens to their network, I say. – Outline DDoS mitigation strategies. Finally, something a bit more relevant. I know for a fact that most companies aren’t putting much thought into DDoS defense strategy. Unfortunately, if you’re hosting a server with public access, you’ve no choice but to consider this with the utmost seriousness. Just how seriously, you ask? Well, that all depends on how much of your company’s livelihood hinges on that server. It’s an undeniable fact of our Internet life that these things will keep happening. No matter if it’s 9/11 or OpUSA or a private single hacker from Russia or China. They’ll continue to happen, and we all understand the need to be prepared. DDoS preparedness is accomplished as a strategy. It involves hardware, large bandwidth, ISP collaboration, remote redundancy and other possible strategies for defense and elusion. This isn’t anti-malware. You can’t create a signature or heuristic against DDoS. This is sheer brute force in that you win if you’re stronger, or if you’re the more elusive, so they can’t really get you. And that’s precisely why you need a strategy, and you need to plan it now. You can also purchase hardware — but make it part of a strategy. Don’t expect it to be the one and only thing you need to do to fend off a DDoS attack. Source: http://www.informationweek.com/government/security/federal-ddos-warnings-are-outdated/240161165

9/11 DDoS Alert for Banks, Agencies

U.S. and Israeli government agencies and banking institutions should be on alert for a potential Sept. 11 wave of distributed-denial-of-service attacks launched by the same groups behind the unsuccessful Operation USA and Operation Israel attacks in May. That warning comes from cybersecurity experts and alerts issued by the Federal Bureau of Investigation and the Financial Services Information Sharing and Analysis Center. While OpUSA and OpIsrael, which were designed to take down websites operated by globally recognized brands and governmental agencies, were not successful, cybersecurity experts say the threat this time is genuine. The groups behind these attacks are now more organized, better equipped and trained, and more determined than they were the first time around, they say. The FBI, however, notes that the attacks are not expected to have a serious or significant impact. “It is thought that due to the fact that hackers will be relying on commercial tools to exploit known vulnerabilities, and not developing custom tools or exploits, that the skill levels are, at best rudimentary, and capable of causing only temporary disruptions of any of the targeted organizations,” the FBI alert states. Attack Alerts On Aug. 5, the FS-ISAC issued a warning to its membership about a new wave of DDoS attacks that could target U.S. banks. David Floreen, senior vice president of the Massachusetts Bankers Association , says the FBI, which issued a separate alert on Aug. 30, and the FS-ISAC asked banking associations to spread the word about the possibility of attacks. “The attacks are expected to occur in two phases,” notes the FBI alert. “Phase I will take place over a period of 10 days and target several commercial and government sites with DDoS attacks. … “Phase II is scheduled to take place on September 11, with a more widespread attack threatened, along with Web defacements.” The FBI recommends organizations: Implement data backup and recovery plans; Outline DDoS mitigation strategies; Scan and monitor e-mail attachments for malicious links or code; and Mirror and maintain images of critical systems files The FBI did not release its alert to the public, an FBI spokeswoman acknowledges. But in an effort to get the word out, the Massachusetts Bankers Association posted the FBI and FS-ISAC warnings on its site, Floreen says. The FS-ISAC alert names top-tier banks that are likely to be targeted during an upcoming attack. The list of potential attack targets includes the same 133 U.S. banking institutions named in the April 24 Anonymous post that appeared on Pastebin during the first OpUSA campaign, says financial fraud expert Al Pascual, an analyst with consultancy Javelin Strategy & Research. The FS-ISAC alert does not reference OpIsrael, but experts say OpUSA and OpIsrael are connected. Planning Attacks Gary Warner, a cyberthreat researcher at the University of Alabama at Birmingham who also works for the anti- phishing and anti- malware firm Malcovery, claims the hacktivist groups’ main focus, for now, is Israel. If attacks against Israeli targets are successful, then U.S. targets will be next, he warns. Since June, two hacktivist groups, AnonGhost and Mauritanian Attacker, have been building plans for OpIsrael Reborn, according to Warner’s research. So far, these groups have not been linked to new attacks planned for a sequel to OpUSA, Warner says. Both groups, however, were involved in OpIsrael and OpUSA, he notes. “As part of our process of watching the phishers who create counterfeit bank websites, we track where many of those criminals hang out and what sorts of things they are discussing,” he says. “We became aware of OpIsrael Reborn while reviewing posts made by criminals who have been phishing U.S. banks and Internet companies.” Announcements for the new campaign began Sept. 2. But more posts were added on Facebook and in underground forums within the last week to recruit additional attackers, he says. “AnonGhost and Mauritanian Attacker have taken the time to build a strong coalition of hackers,” Warner says. “In that June release, there were no dates, no members and no targets announced.” Since that time, attackers have honed their targets, and they claim to have already compromised several government and banking sites in Israel, he says. On Sept. 11, they plan to publish information they’ve compromised from during those attacks, Warner adds. “They claim [on YouTube ] they are going to begin publishing the internal government documents of Israel,” he says. “The video also makes reference to the recent FBI claim that they have dismantled Anonymous.” Attackers are uniting this time out of anger over those claims made by the FBI as well as recent attacks waged against Islamic businesses believed to be backed by an Israeli hacktivist group, Warner explains. So why is this wave of attacks being taken more seriously than the first OpIsrael? The sheer number of attackers, their tools and the way the hacktivist groups have been building momentum through social networking sites such as Facebook has raised serious concern, Warner says. “They’ve been gathering tools since June 9, and training attackers on how do SQL and DDoS attacks,” he says. “It’s a SANS-quality training for hackers, and they’re prepping for wiping Israel off the [online] map.” On Sept. 9, two Israeli government websites were successfully taken offline for a period of time, Warner adds. “We did not see that success in OpIsrael or OpUSA,” he says. “If they pull this thing off against Israel, they will keep hitting others,” he says. No Attack Link to Al-Qassam Experts, including Warner, say Izz ad-Din al-Qassam Cyber Fighters , the self-proclaimed hacktivist group that’s been targeting U.S. banks since September 2012, does not appear to be involved in these most recent campaigns. And although U.S. banking institutions have built up strong online defenses over the last year to mitigate cyber-threats such as DDoS attacks, other sectors are far less prepared, Javelin’s Pascual says. “The lack of success that Izz ad-Din al-Qassam achieved during the fourth round of DDoS attacks was indicative of how well fortified U.S. banks have become,” Pascual says. But Rodney Joffe , senior technologist at DDoS-mitigation provider Neustar, says security professionals should be concerned that other attackers have learned lessons from al-Qassam’s strikes. “I don’t believe there is any connection between OpUSA and AQCF [al-Qassam Cyber Fighters],” he says. “However, the reason I think it is more worrying this time is because, as I have said over and over, the underground learned a lot of groundbreaking lessons from AQCF. … And this time around, they may be more successful.” Source: http://www.bankinfosecurity.com/911-ddos-alert-for-banks-agencies-a-6054

See the article here:
9/11 DDoS Alert for Banks, Agencies

SatoshiDice hit by DDoS attack, but bets continue

Bitcoin gambling site SatoshiDice has recovered after being felled for several days by a DDoS attack. The site went down several days ago, and was inaccessible from the Internet. Erik Voorhees, who created the site and sold it for $11.5 million in July, no longer runs the site, but naturally still has insights into how it operates. DDoS attacks happen a lot to bitcoin gambling sites, he said. “They largely wasted their money,” he said of the attackers, pointing out that the website isn’t needed for the placing of bets. It simply provides information about bet statistics, and bitcoin addresses to send to. These addresses are constant, available outside of the main site, and can easily be retained by regular gamblers even when the site goes down, meaning that bets can still be processed. “They’d have to launch an attack against the whole bitcoin network,” Voorhees said. There is a back-end computer processing the bets, but this isn’t the same computer that hosts the website. Attackers could potentially disrupt betting if they were able to find that machine, but Voorhees points out that it could easily be moved. The attack didn’t seem to affect the site’s popularity in the long term. SatoshiDice vanity addresses made up eight of the most popular bitcoin addresses used on the network overnight. Source: http://www.coindesk.com/satoshidice-hit-by-ddos-attack-but-bets-continue/

Visit site:
SatoshiDice hit by DDoS attack, but bets continue

Cybercrooks use DDoS attacks to mask theft of banks’ millions

Distributed denial of service attacks have been used to divert security personnel attention while millions of dollars were stolen from banks, according to a security researcher. At least three US banks in recent months have been plundered by fraudulent wire transfers while hackers deployed “low powered” DDoS attacks to mask their theft, Avivah Litan, an analyst at research firm Gartner, told SCMagazine.com. She declined to name the institutions affected but said the attacks appeared unrelated to the wave of DDoS attacks last winter and spring that took down Web sites belonging to JP Morgan , Wells Fargo, Bank of America, Chase, Citigroup, HSBC, and others. “It wasn’t the politically motivated groups,” she said. “It was a stealth, low-powered DDoS attack, meaning it wasn’t something that knocked their website down for hours.” Litan described the attack method in a blog post last week that warned banks’ losses could have been much greater. “Once the DDoS is underway, this attack involves takeover of the payment switch (eg, wire application) itself via a privileged user account that has access to it,” she wrote. “Now, instead of having to get into one customer account at a time, the criminals can simply control the master payment switch and move as much money from as many accounts as they can get away with until their actions are noticed.” Litan, an expert in financial fraud and banking security, did not describe how attackers gained access to the wire payment switch at banks, but she offered banks advice on how they might better protect themselves. “One rule that banks should institute is to slow down the money transfer system while under a DDoS attack,” she wrote. “More generally, a layered fraud prevention and security approach is warranted.” Security researchers have previously highlighted the growing trend of using DDoS attacks to hide fraudulent activity at banks. The Dell SecureWorks Counter Threat Unit issued a report (PDF) in April to warn that a popular DDoS toolkit called Dirt Jumper was being used to divert bank employees’ attention from attempted fraudulent wire transfers of up to $2.1 million. In a joint statement (PDF) issued last September with the Financial Services Information Sharing and Analysis Center and the Internet Crime Complaint Center, the FBI warned that the $200 Dirt Jumper toolkit was being used as a smokescreen to cover fraudulent wire transfers conducted with pilfered employee credentials. “In some of the incidents, before and after unauthorized transactions occurred, the bank or credit union suffered a distributed denial of service (DDoS) attack against their public Website(s) and/or Internet Banking URL,” the report said. “The DDoS attacks were likely used as a distraction for bank personnel to prevent them from immediately identifying a fraudulent transaction, which in most cases is necessary to stop the wire transfer.” Source: http://news.cnet.com/8301-1009_3-57599646-83/cybercrooks-use-ddos-attacks-to-mask-theft-of-banks-millions/

Read the article:
Cybercrooks use DDoS attacks to mask theft of banks’ millions

DDoS Attacks Strike Three Banks

Izz ad-Din al-Qassam Cyber Fighters’ so-called Phase 4 of distributed-denial-of-service attacks against major U.S. banks hasn’t stalled, it’s just been ineffective at disrupting online availability, security experts say The latest attacks have been sporadic and seemingly less targeted. U.S. banking institutions, which have been under attack since September 2012, have adapted their defenses, making their online-banking sites hard to take down, experts say. But Brobot , the botnet used by al-Qassam Cyber Fighters, is still active; it targeted banking institutions as recently as last week, says John LaCour, CEO of cybersecurity and intelligence firm PhishLabs. “PhishLabs can confirm that we detected QCF [Qassam Cyber Fighters] related DDoS attacks on Wednesday [Aug. 14] and Thursday [Aug. 15],” LaCour says. “Three large banks were attacked that we have seen targeted previously.” LaCour would not name the banks that were hit. He did say, however, attacks last week were linked to Brobot, and that Brobot still appears to be controlled by al-Qassam. Experts say they don’t feel Brobot has been leased out for hire, and that al-Qassam is still the group using the botnet against banks. Disruptions at 2 Banks JPMorgan Chase and Citigroup suffered intermittent online disruptions last week, according to Fox Business . Neither one of those banking institutions responded to Information Security Media Group’s request for comment. But according to tweets posted last week, Chase and Citi both acknowledged suffering site issues Aug. 15. “We’re experiencing issues with our website and Chase mobile,” Chase tweeted. “We apologize for the inconvenience. Please stay tuned for updates.” In its tweet, Citi said: “We are aware of system issues at this time. We are working to get the issue resolved.” Keynote, an online and mobile cloud testing and traffic monitoring provider, confirms both banks’ online banking sites did experience intermittent issues Aug. 15. But the cause of those online interruptions is not known, says Keynote’s Aaron Rudger. “The Chase banking website appears to have been unavailable from 8:55 a.m. ET until 10:21 a.m. ET,” he says. “Our monitoring agents reported DNS [Domain Naming System] lookup errors throughout that period, across the U.S.” DNS is the system that translates a website’s name, such as www.chase.com, into an Internet protocol address that’s assigned to a Web server for that site, Rudger explains. “Our monitoring agents did observe only a very small number of errors trying to download the Citibank homepage, starting at 12:52 p.m. ET,” he adds. “But that only lasted until 1:09 p.m. ET.” But other experts who asked to remain anonymous say the outage at Citi was not linked to Brobot; it was an internal technical issue. What’s Next for Brobot? Because attacks against banks are increasingly ineffective, some question what’s next for Brobot. Rodney Joffe, senior technologist at DDoS-mitigation provider Neustar, believes the attacks against banks are nearing an end. What’s next is anyone’s guess, he adds. But Joffe and others have suggested Brobot will likely soon be used to target other industries, especially those impacting critical infrastructure. The attackers will take aim at other targets to avoid admitting their campaign has been a failure, some suggest. “We’ll start to see disruptions that cause a little more fear in the U.S. public,” Joffe says. “We have heard about the compromise of water systems in small towns. I wouldn’t be surprised if we really start to see attacks like that.” Source: http://www.bankinfosecurity.com/ddos-attacks-strike-three-banks-a-6006

Continued here:
DDoS Attacks Strike Three Banks

DOSarrest begins Offering Vulnerability Testing and Optimization

VANCOUVER, BRITISH COLUMBIA–(Marketwired – Aug. 14, 2013) – DOSarrest Internet Security announced today that it will begin offering a website Vulnerability Testing and Optimization ( VTO ) service. The services is a comprehensive test that will intelligently crawl a website and find any vulnerabilities in the site’s coding, as well as analyze the structure of the website to see what can be optimized for better performance, all for a safer and better web experience for your visitors. The Vulnerability portion of the scan is able to analyze web code while it is being executed, even for a very large site with dynamic pages, and test with the most advanced SQL Injection and Cross Site Scripting (XSS) analyzers. A report is provided at the end that details all identified security breaches and the line of code that is the culprit as well as how to fix it. A secondary Optimization scan is executed again on all pages within a website, applying best practice rule sets which identify what elements and design structure can be optimized, and how to do it. A DOSarrest security specialist will walk the customer through the report and retest if necessary. “Our customers have come to greatly appreciate our efforts, to not only protect them from DDoS attacks, but to also assist their IT operations in securing their web servers in house “, says Jag Bains, CTO of DOSarrest. Bains, goes on to state “We’re able to leverage our experience and expertise to provide our customers a framework for securing their operations. With web application hacking on the rise, the VTO service is taking our customer partnerships to another level.” More information on this service can be found at: http://www.dosarrest.com/en/vulnerability-testing.html . About DOSarrest Internet Security: DOSarrest founded in 2007 in Vancouver, BC, Canada is one of only a couple of companies worldwide to specialize in only cloud based DDoS protection services. Their global client base includes mission critical ecommerce websites in a wide range of business segments including financial, health, media, education and government. Their innovative systems, software and exceptional service has been leading edge for over 6 years now.

More here:
DOSarrest begins Offering Vulnerability Testing and Optimization

UCAS under DDoS attack

Ucas has been the victim of a hacking attempt, when its website was the target of a denial of service attack. The site was unavailable late on 14 August, the day before thousands of A-level students were due to receive their results across the country. A spokesperson for Ucas said: “The UCAS website suffered a sustained, criminal ‘denial of service’ attack. The site was down for an hour and then restored fully. No personal information was compromised. Confirmation and Clearing went ahead as normal. The attack originated in the Asia Pacific region and the police have been informed.” The chief executive of Ucas, Mary Curnock Cook, speaking to the Huffington Post, said staff were ‘pretty upset’ at the attempt. “The incident was contained very, very quickly and no personal data was released to anybody.” As of yesterday evening, over one million students had logged into Track. Ucas placed nearly double the number of students through clearing this year, in comparison with numbers from last year. 7,970 students had found a place through clearing, compared with 4,180 last year. The attempt to wreck the system was stopped, thanks to new technology that Ucas have installed in their software. Cumock Cook said: “This year we have made a step-change in our technology arrangements and most of our critical services are deployed in the cloud, which gives us massive resilience.” Source: http://www.independent.co.uk/student/news/ucas-hacked-ahead-of-alevel-results-8770993.html

Link:
UCAS under DDoS attack

Police nab alleged DDoS extortion gang at Heathrow Airport

Two Polish men were arrested at Heathrow Airport earlier this week in connection with an alleged DDoS extortion attack on a Manchester-based business, news sources have reported. Details are light but it is known that a website connected to the business was brought down during the attack, which happened at an unspecified time before the 7 August arrests. “This investigation centres on an allegation that the on-line company was blackmailed,” said Detective Inspector Chris Mossop, of Greater Manchester Police’s Serious Crime Division “As part of this blackmail attempt, one of the company’s websites was made temporarily unavailable by the offenders,” he added. “Denial of service attacks have become increasingly common offences in recent years and can have a devastating effect on the victim’s on-line business or presence.” The investigation continued in several countries, including the UK, the US and Poland, police said. Although such cases rarely come to light, cyber-extortion has flourished in the last decade. In almost every case, DDoS is the weapon of choice. These days, small and medium-size businesses are the usual target because they are far less likely to have DDoS mitigation in place to defend themselves. The other less common technique involves attackers stealing data and threatening to release it unless a ransom is paid. An example of this type of attack came to light last year when a Belgian bank was blackmailed by hackers. Last December, hackers tried to extort $4,000 AUS (£2,600) from a medical centre in Australia after breaching its network and encrypting its customer database. A recent survey suggested that one in five UK businesses had been affected by DDoS attacks during 2012. Source: http://news.techworld.com/security/3463285/police-nab-alleged-ddos-extortion-gang-at-heathrow-airport/

Read the article:
Police nab alleged DDoS extortion gang at Heathrow Airport

5 Steps to Prepare for a DDOS Attack

As more people are realizing that in today’s cyber climate Distributed Denial of Service (DDoS) attacks are a matter of when, not if, the most common question I get asked is “What can I do to prepare?” I like to break it down into 5 key steps enterprises can take now to be prepared for a future attack: 1. Centralize Data Gathering and Understand Trends This is true across all security topics, but the last thing you want to be is blind when a DDoS attack hits. Generally the DDoS attack timeline goes something like this for the head of network operations: – 9:00 am – your monitoring system starts lighting up like a Christmas tree and your phone is blowing up with SMS alerts saying “the site is down.” – 9:01 am – your CEO calls you screaming “why is the site down?!?!?!?!” Hopefully, you can answer that question, but without proper metrics and data gathering you can’t possibly hope to identify the root cause. It could be a network circuit down, data center failure, DDoS attack, etc. With proper data gathering and monitoring in place, you can quickly identify a DDoS attack as the cause, and you can start the process of getting the website back up and running. It’s critical to identify the cause early as DDoS attacks can be quite complex and the sooner you jump on identification and remediation, the sooner the site will be back up. At minimum, the metrics you should gather include: Inbound and outbound bandwidth on all of your network circuits, peering connections, etc. Server metrics: CPU load, network and disk I/O, memory, etc. Top talkers: top sources and destinations of traffic by IP and port. If you are running a web site, you need to understand items like top URLs being requested (vs. the top URLs usually being requested), top HTTP headers, HTTP vs. HTTPS traffic ratios etc. All of these metrics (and there are many more I didn’t cover) should then be sent to a central logging and correlation system so you can view and compare them from a single viewpoint. This helps you spot trends and quickly identify the sources and method of the attack. This is especially important when it’s a very complex attack where it might not be an obvious issue (e.g. it’s easy to see when your network bandwidth is saturated, but when it’s a botnet simulating clicking the “Add to Cart” button to overwhelm your database resources, that isn’t as easy to spot; especially if you are trying to piece data from many disparate systems). 2. Define a Clear Escalation Path Now that you have determined it really is a DDoS attack, what next? Do you know who to call to get your service back up and running? What tools do you have in place to block the malicious traffic? If you have purchased DDoS protection (very smart!), how do you get the system fired up? These are key questions that should be written down and answered BEFORE the attack hits. During an attack people are rarely calm and it’s no fun trying to figure out an escalation path in the middle of the craziness. Do it before the attack hits so you can calmly execute your plan and get your site back up and running. Note that this doesn’t just mean “technical” contacts. You want to let the head of support and customer service know as well. You can bet customers will be calling in and there is nothing worse than to answer “weird, I didn’t know our site was down” when a customer calls. You also want to let your CEO know (if he or she doesn’t already). Each business is different, so you should consider your situation and think of all the people who might want to know the website is down and add them to the list. An “outages” mailing list is a central place to report these items without you needing to remember who to send the info to every time. If you do have a cloud-based DDoS protection service in place, make sure the group you have chosen internally to be the touch point with the provider has the up to date 24/7 hotline, email address to send capture files to, etc. The vendor should be one of the first calls you make to start the mitigation. You need to engage your mitigation provider immediately as they have done this many times before and will know what to do to get your site back up and running. 3. Use Layered Filtering In the discussion on size vs. complexity of an attack, you need to be able to handle both the “big and dumb” types (a whole lot of requests that are generally easy to spot as malicious – often known as “network level”) and “small and complex” (fewer requests, but extremely difficult to differentiate legitimate vs. malicious – commonly referred as “application level” or “layer 7? attacks). Some tools and techniques work (and scale) very well to mitigate against the “big and dumb” types, but fail miserably on the application attacks. On the other hand, some techniques that are required for application attacks have trouble scaling on the larger network attacks. Recently, we have seen more of a third type of attack, “big and complex!” A combination of the two aforementioned attack types, these are big attacks where the traffic is really hard to identify as malicious or legitimate. With great technology and layered filtering though, you are in a better position to handle any of these types of attacks. 4. Address Application and Configuration Issues Not only are DDoS attacks really good at pinpointing bottlenecks in your network and security infrastructure, they are also amazing at identifying problems in your application; especially when it comes to performance tuning and configuration. If you haven’t done proper application load testing (both before launch and every so often to check for any slowness that may have crept in) a DDoS attack may be the first time your website or application has really been stress-tested. You may find your database configuration is sub-optimal, or your Web server isn’t configured for enough open connections. Whatever the issue, you will quickly see how well you have tuned your website. It’s always a good idea to do load testing of your site on your schedule, not the attackers’. 5. Protect Your Domain Name System (DNS) This is crucial and yet probably the most overlooked of all of the above recommendations. I can’t tell you how many enterprises have spent millions of dollars on their Web hosting infrastructure (data centers, web servers, load balancers, database servers, etc.) but have only two low end DNS servers to handle all of their DNS traffic. DNS is an extremely common target of a DDoS attack due to how critical the service is for Web availability (there are plenty of articles and examples of large Web properties going down due to DNS issues – often attack-related). If a customer can’t resolve the IP address of your website (which is the job of DNS), it doesn’t matter how much you have spent on your hosting, that customer is not getting to your site. Protecting your DNS as part of a good DDOS mitigation strategy is fundamental. (Here’s a report from Gartner Research that discusses this issue. Conclusion It would take a book to cover all of these topics in depth. Hopefully this will at least give you, some things to think about and plan for with your DDoS mitigation strategy. Stay tuned for my next post where I will go in depth on some of the cool technology we use at Verisign to protect both our own and our customers’ infrastructure. Source: http://www.circleid.com/posts/20130731_5_steps_to_prepare_for_a_ddos_attack/

See more here:
5 Steps to Prepare for a DDOS Attack

DDoS attacks getting bigger but shorter in duration

Distributed Denial of Service (DDoS) attacks are getting bigger, but their duration are getting shorter, according to an analysis released this week by Arbor Networks. During the first six months of 2013, the average size of DDoS attacks remained solidly over the 2Gbps, Arbor reported — something the company has never seen before. Although the average may have been skewed during the period by the massive attack on Spamhaus in March, which reached 300Gbps at its zenith, large attacks in general have been going up too, Arbor found. From January to June this year, it said attacks exceeding 20Gbps more than doubled over 2012. Several security experts agreed with Arbor’s analysis. Michael Smith, CSIRT director for Akamai Technologies, cited two factors affecting DDoS numbers during the period. “It’s just easier to do these days,” he said in an interview. “You can rent a botnet for $20.” He added that a hacktivist group known as the Izz ad-Dim al-Qassam Cyber Fighters (QCF) has adopted a strategy that is also driving up the raw number of attacks and depressing their duration. “They attack multiple targets during the course of a day,” Smith explained. Not only do they attack multiple sites, but they don’t prolong an attack if they don’t see immediate results. “They’ll move from target to target after 10 or 20 minutes until they find one they can cause an immediate impact on,” Smith noted. Attacks are becoming bigger because hackers have more resources to mount attacks than ever before, said Marc Gaffan, founder of Incapsula. “There’s more ammunition for hackers in the wild which is why attacks have grown in size,” he said. New techniques have also contributed to the size of the attacks. For example, in the Spamhaus attack, hackers exploited openings in DNS servers to amplify the magnitude of their attacks on the website. They do that by sending a request to a server with an open DNS resolver. In the request, they spoof the address of their target so when the server answers the request, it sends its answer to the target. “When the resolver sends back the answer, which is larger than the question, it’s amplifying the attacker’s request,” Gaffan said. “Sometimes the answer can be as much as 50 times larger than the request,” he continued. “So an attack can be 50 times the original firepower used for the request.” In addition to improving their techniques, hackers have also increased their efficiencies by shortening their attacks. They will hit a site long enough to bring it down, disappear into the ether, then return to take it down again just as it’s recovering from the initial attack. “When a website goes down, it takes time to bring it back up,” Gaffan said. “There’s no point continuing to fire at that target when it’s down. You want to conserve your ammunition and fly under the radar, because the more you fire the greater the chances of someone identifying you as the source of the fire.” The technique also allows the attackers to get better mileage from their resources. “They could hit multiple targets with a single piece of infrastructure as opposed to hitting one target for an hour,” Gaffan said. Part of the reason attackers are sharpening their skills of deception is that defenders are getting better at blunting DDoS attacks. “The Internet as a whole is getting better at responding to these attacks,” said Cisco Technical Leader for Threat Research, Craig Williams. “We’ve seen DNS amplification shoot through the roof, but I suspect that’s going to start dropping with the addition of RPZs that can mitigate queries and people getting better at closing down open resolvers,” Williams told CSOonline . Source: http://www.networkworld.com/news/2013/073113-ddos-attacks-getting-bigger-but-272389.html?page=2

Taken from:
DDoS attacks getting bigger but shorter in duration