Tag Archives: stop ddos attacks

?How to defend against the internet’s doomsday of DDoS attacks

Last week assault on Dyn’s global managed DNS services was only the start. Here’s how to fend off hackers’ attacks both on your servers and the internet. We knew major destructive attacks on the internet were coming. Last week the first of them hit Dyn, a top-tier a major Domain Name System (DNS) service provider, with a global Distributed Denial of Service (DDoS)attack. As Dyn went down, popular websites such as AirBnB, GitHub, Reddit, Spotify, and Twitter followed it down. Welcome to the end of the internet as we’ve known it. Up until now we’ve assumed that the internet was as reliable as our electrical power. Those days are done. Today, we can expect massive swaths of the internet to be brought down by new DDoS attacks at any time. We still don’t know who was behind these attacks. Some have suggested, since Dyn is an American company and most of the mauled sites were based in the US, that Russia or Iran was behind the attack. It doesn’t take a nation, though, to wreck the internet. All it takes is the hundreds of millions of unsecured shoddy devices of the Internet of Things (IoT). In the Dyn onslaught , Kyle York, Dyn’s chief strategy officer said the DDoS attack used “tens of millions” devices. Hangzhou Xiongmai Technology, a Chinese technology company, has admitted that its webcam and digital video recorder (DVR) products were used in the assault. Xiongmai is telling its customers to update their device firmware and change usernames and passwords. Good luck with that. Quick: Do you know how to update your DVR’s firmware? The attack itself appears to have been made with the Mirai botnet. This open-source botnet scans for devices using their default username and password credentials. Anyone can use it — China, you, the kid next door — to generate DDoS attacks. For truly damaging DDoS barrages, you need to know something about the internet’s architecture, but that’s not difficult. Or, as Jeff Jarmoc, a Salesforce security engineer, tweeted, “In a relatively short time we’ve taken a system built to resist destruction by nuclear weapons and made it vulnerable to toasters.” That’s funny, but it’s no joke. Fortunately, you can do some things about it. Securing the Internet of Things First, and this unfortunately is a long-term solution, IoT vendors must make it easy to update and secure their devices. Since you can’t expect users to patch their systems — look at how well they do with Windows — patching must be made mandatory and done automatically. One easy way to do this is to use an operating system, such as Ubuntu with Snap, to update devices quickly and cleanly. These “atomic” style updating systems make patches both easier to write and deploy. Another method is to lock down IoT applications and operating systems. Just like any server, the device should have the absolute minimum of network services. Your smart TV may need to use DNS, but your smart baby monitor? Not so much. That’s all fine and dandy and it needs to be done, but it’s not going to help you anytime soon. And, we can expect more attacks at any moment. Defending your intranet and websites First, you should protect your own sites by practicing DDoS prevention 101. For example, make sure your routers drop junk packets. You should also block unnecessary external protocols such as Internet Control Message Protocol (ICMP) at your network’s edge. And, as always, set up good firewalls and server rules. In short, block everything you can at your network edge. Better still, have your upstream ISP block unnecessary and undesired traffic. For example, your ISP can make your life easier simply by upstream blackholing. And if you know your company will never need to receive UDP traffic, like Network Time Protocol (NTP) or DNS, your ISP should just toss garbage traffic into the bit bin. You should also look to DDoS mitigation companies to protect your web presence. Companies such as Akamai, CloudFlare, and Incapsula offer affordable DDoS mitigation plans for businesses of all sizes. As DDoS attacks grow to heretofore unseen sizes, even the DDoS prevention companies are being overwhelmed. Akamai, for example, had to stop trying to protect the Krebs on Security blog after it was smacked by a DDoS blast that reached 620 Gbps in size. That’s fine for protecting your home turf, but what about when your DNS provider get nailed? You can mitigate these attacks by using multiple DNS providers. One way to do this is to use Netflix’s open-source program Denominator to support managed, mirrored DNS records. This currently works across AWS Route53, RackSpace CloudDNS, DynECT, and UltraDNS, but it’s not hard to add your own or other DNS providers. This way, even when a DDoS knocks out a single DNS provider, you can still keep your sites up and running. Which ones will work best for you? You can find out by using Namebench. This is an easy-to-use, open-source DNS benchmark utility. Even with spreading out your risk among DNS providers, DNS attacks are only going to become both stronger and more common. DNS providers like Dyn are very difficult to secure. As Carl Herberger, vice president for security solutions at Radware, an Israeli-based internet security company, told Bloomberg, DNS providers are like hospitals: They must admit anyone who shows up at the emergency room. That makes it all too easy to overwhelm them with massive — in the range of 500 gigabits per second — attacks. In short, there is no easy, fast fix here. One way you can try to keep these attacks from being quite so damaging is to increase the Time to Live (TTL) in your own DNS servers and caches. Typically, today’s local DNS servers have a TTL of 600 seconds, or 5 minutes. If you increased the TTL to say 21,600 seconds, or six hours, your local systems might dodge the DNS attack until it was over. Protecting the internet While the techniques might help you, they don’t do that much to protect the internet at large. DNS is the internet’s single point of total failure. That’s bad enough, but as F5, a top-tier ISP notes, DNS is historically under-provisioned. We must set up a stronger DNS system. ISPs and router and switch vendors should also get off their duffs and finally implement Network Ingress Filtering, better known as Best Current Practice (BCP)-38. BCP-38 works by filtering out bogus internet addresses at the edge of the internet. Thus, when your compromised webcam starts trying to spam the net, BCP-38 blocks these packets at your router or at your ISP’s router or switch. It’s possible, but unfortunately not likely, that your ISP has already implemented BCP-38. You can find out by running Spoofer. This is a new, open-source program that checks to see how your ISP handles spoofed packets. So why wasn’t it implemented years ago? Andrew McConachie, an ICANNtechnical and policy specialist, explained in an article that ISPs are too cheap to pay the small costs required to implement BCP-38. BCP-38 isn’t a cure-all, but it sure would help. Another fundamental fix that could be made is response rate limiting (RRL). This is a new DNS enhancement that can shrink attacks by 60 percent. RRL works by recognizing that when hundreds of packets per second arrive with very similar source addresses asking for similar or identical information, chances are they’re an attack. When RRL spots malicious traffic, it slows down the rate the DNS replies to the bogus requests. Simple and effective. Those are some basic ideas on how to fix the internet. It’s now up to you to use them. Don’t delay. Bigger attacks are on their way and there’s no time to waste. Source: http://www.zdnet.com/article/how-to-defend-against-the-internets-doomsday-of-ddos-attacks/

View article:
?How to defend against the internet’s doomsday of DDoS attacks

Chinese firm recalls camera products linked to massive DDOS attack

Hangzhou Xiongmai Technology is recalling earlier models of four kinds of cameras due to a security vulnerability A Chinese electronics component maker is recalling 4.3 million internet-connected camera products from the U.S. market amid claims they may have played a role in Friday’s massive internet disruption. On Monday, Hangzhou Xiongmai Technology said it was recalling earlier models of four kinds of cameras due to a security vulnerability that can make them easy to hack. “The main security problem is that users aren’t changing the device’s default passwords,” Xiongmai said in a Chinese-language statement posted online. According to security firm Flashpoint, malware known as Mirai has been exploiting the products from Xiongmai to launch massive distributed denial-of-service attacks, including Friday’s, which slowed access to many popular sites, including Netflix, PayPal, and Twitter. Companies observing Friday’s disruption said botnets powered by the Mirai malware were at least partly responsible for the attack. Xiongmai, a maker of camera modules and DVR boards, has acknowledged that its products have been a target for hackers, but it said it patched the problem with the default passwords back in April 2015. For older products, the company has come up with a firmware update to fix the flaw. To prevent the security risks, the company has still decided to recall earlier models. However, Xiongmai has also dismissed news reports that its products were largely behind Friday’s DDOS attack as untrue and is threatening legal action against those who damage its reputation. “Security vulnerabilities are a common problem for mankind,” the company said. “All industry leaders will experience them.” Experts have said the Mirai malware is probably targeting products from several vendors, in addition to Xiongmai. The malicious coding is built to try a list of more than 60 combinations of user names and passwords when infecting devices . So far, the Mirai malware has gone on to infect at least 500,000 devices, according to internet backbone provider Level 3 Communications. Source: http://www.pcworld.com/article/3133962/chinese-firm-recalls-camera-products-linked-to-massive-ddos-attack.html

Bitter feud between partners as IBM deflects eCensus blame

NextGen, Vocus refute claims of error. A bitter feud has broken out between IBM and its internet service provider partners for the 2016 eCensus as the main contractor tried to deflect blame for the site’s meltdown on August 9 In its first detailed response to the failure, IBM said it had plans in place for the risk of DDoS attacks, but its efforts were to no avail thanks to a failure at an upstream provider. The ABS at the time said it had been forced to take the site offline on Census night following a series of DDoS attacks combined with the failure of the network geoblocking function and the collapse of a router. The statistics body has publicly criticised IBM for failing to properly implement a geoblocking service, which would have halted the international DDoS attack targeted at the Census site. But IBM is now laying blame squarely at the feet of its internet service provider partner NextGen and NextGen’s upstream supplier Vocus for the geoblocking bungle. It claimed NextGen had provided “repeated” assurances – including after the day’s third DDoS attack – that a geoblocking strategy that IBM codenamed ‘Island Australia’ had been correctly put in place. However, when the fourth and biggest DDoS attack of the day hit at around 7:30pm, IBM said it became clear that a Singapore link operated by Vocus had not been closed off, allowing the attack traffic to pass through to the Census site. “Vocus admitted the error in a teleconference with IBM, NextGen and Telstra around 11.00 pm on 9 August 2016,” IBM said. “Had NextGen (and through it Vocus) properly implemented Island Australia, it would have been effective to prevent this DDoS attack and the effects it had on the eCensus site. As a result, the eCensus site would not have become unavailable to the public during the peak period on 9 August 2016.” IBM said while it accepted its responsibility as the head contractor for the eCensus, it could not have avoided using ISPs to provide links for the website. “It is not possible for an IT services company such as IBM to implement the 2016 eCensus without engaging ISPs. It was necessary for IBM to involve the ISPs in the implementation of the geoblocking solution as they have control over their respective data networks and are in a position to block internet traffic originating from particular domains or IP addresses.” IBM did, however, admit what many security experts speculated had occured – that following the fourth DDoS a system monitoring dashboard showed an apparent spike in outbound traffic, causing its staff to wrongly assume data was being exfiltrated from the website, prompting IBM to shut down the website. The contractor also revealed that a configuration error meant a manual reboot of one of its routers – which was needed after the eCensus firewall became overloaded with traffic – took much longer to rectify than it should have, keeping the site offline for a further hour and a half. NextGen, Vocus fight back But Vocus said NextGen was well aware that Vocus would not provide geoblocking services, and had instead recommended its own DDoS protection. IBM declined the offer, Vocus said. NextGen and Vocus instead agreed on remote triggered black hole (RTBH) route advertisements with international carriers. “If Vocus DDoS protection product was left in place the eCensus website would have been appropriately shielded from DDoS attacks,” Vocus said in its submission to the inquiry. Vocus refuted IBM’s claim that it had failed to implement geoblocking, revealing that it had not been made aware of IBM’s DDoS mitigation strategy – including ‘Island Australia’ – until after the fourth attack on August 9. “As a result, any assumption that Vocus was required to, or had implemented Island Australia or geo-blocking including, without limitation … are inaccurate,” Vocus said. “Once Vocus was made aware of the fourth DDoS attack, it implemented a static null route to block additional DDoS traffic at its international border routers within 15 minutes.” Vocus also argued that the fourth DDoS was not as large as IBM claimed, comprising of attack traffic that peaked at 563Mbps and lasting only 14 minutes – which it said was “not considered significant in the industry”. “Such attacks would not usually bring down the Census website which should have had relevant preparations in place to enable it to cater for the expected traffic from users as well as high likelihood of DDoS attacks.” NextGen, in its own submission, claimed it had “strongly recommended” to IBM that it take up a DDoS protection product like that on offer by Vocus, but the contractor declined. The ISP said it was not made aware of details of IBM’s ‘Island Australia’ strategy until six days before the eCensus went live in late July. At that point it told IBM that an IP address range it had provided was part of a larger aggregate network and therefore would not respond to “specific international routing restrictions” if ‘Island Australia’ was implemented. “Nextgen recommended using an alternative IP address range, which would give IBM better control, but this was rejected by IBM,” the ISP said. IBM instead chose to request NextGen’s upstream suppliers apply IP address blocking filters and international remote black holes for 20 host routes. “Nextgen believes that the individual host routes picked by IBM may not be exhaustive, and DDoS attacks could come from other routes in the IP address range (which they did in the third DDoS attack on Census day),” NextGen said. “There were a number of routes without geoblocking during the fourth DDoS attack, and which were not identified during testing, along with the [Vocus] Singapore link.” NextGen said it again offered to implement DDoS protection, this time at its own cost, which IBM agreed to four days after the events of August 9. Source: http://www.itnews.com.au/news/bitter-feud-between-partners-as-ibm-deflects-ecensus-blame-439752

Continue reading here:
Bitter feud between partners as IBM deflects eCensus blame

Internet service providers face DDoS attack second time in the last three months

The service providers have also alleged that their complaints about the DDoS attacks have gone ignored. Internet service providers (ISPs), mainly from Mumbai and Pune, claimed they are being targeted in a distributed denial of service (DDoS) attack for the second time in the last three months, and said they will raise the issue of cyber terrorism with IGP (Cyber) Brijesh Singh. They also claimed that their complaint was not taken seriously by the Pune Police. “We have been facing DDoS attacks since September 15 and have been running from pillar to post to lodge a complaint, but no officer from the Pune Police has taken a serious stand on our complaint. We are now going to lodge our complaint with IGP (Cyber) Brijesh Singh,” Kishore Desarda, director, Gazon Communication, said. A DDoS attack typically bombards websites with requests, overloading the portal until its server crashes, thus denying access to legitimate users. “Such attacks, which reduce (Internet) speed to almost zero, have posed a serious threat to businesses of all ISPs, not only in Mumbai and Pune but across Maharashtra, and they need to be curbed immediately,” Mr. Desarda said. In July, ISPs had filed an FIR with the IG’s office about DDoS attacks. The case is being investigated by the Mumbai Police’s cyber cell. Another leading ISP said, “DDoS attackers are back in business and it has hit services adversely in cities like Mumbai, Thane, Navi Mumbai and Pune. This unprecedented attack on ISPs is akin to cyber terrorism and has assumed extreme significance against the backdrop of the hacking of more than 35 Central and State government websites in the last few days.” In July, ISP representatives had met IGP Singh and had apprised him of the gravity of this sort of ‘cyber terrorism’. Following their request, the cyber cell had registered an FIR and launched a probe. “Some unknown people are involved in crashing the networks of ISPs by making lakhs of requests at a particular terminal at a particular time at an unprecedented level, thus slowing down the whole internet experience, which we call DDOS. The Cyber Crime department is taking all possible measures to nab the perpetrators,” Mr. Singh had said earlier Source: http://www.bgr.in/news/internet-service-providers-face-ddos-attack-second-time-in-the-last-three-months/

View article:
Internet service providers face DDoS attack second time in the last three months

Leaked Mirai source code already being tested in wild, analysis suggests

Since the source code to the Mirai Internet of Things botnet was publicly leaked on Sept. 30, researchers at Imperva have uncovered evidence of several low-level distributed denial of serviceattacks likely perpetrated by new users testing out this suddenly accessible DDoS tool. With its unusual ability to bombard targets with traffic in the form of generic routing encapsulation (GRE) data packets, Mirai was leveraged last month to launch a massive DDoS attack against Internet security researcher Brian Krebs’ blog site KrebsonSecurity. Soon after, a Hackforums user with the nickname Anna-senpai publicly posted the botnet’s source code – quite possibly a move by the malware’s original author to impede investigators from closing in on him. In a blog post this week, Imperva reported several low-level DDoS attacks taking place in the days following the leak. Consisting of low-volume application layer HTTP floods leveraging small numbers of source IPs, these attacks “looked like the experimental first steps of new Mirai users who were testing the water after the malware became widely available,” the blog post read. But Imperva also found evidence of much stronger Mirai attacks on its network prior to the leak. On Aug. 17, Imperva mitigated numerous GRE traffic surges that peaked at 280 Gbps and 130 million packets per second. Traffic from this attack originated from nearly 50,000 unique IPs in 164 countries, many of which were linked to Internet-enabled CCTV cameras, DVRs and routers – all infected by Mirai, which continuously scans the web for vulnerable devices that use default or hard-coded usernames and passwords. An Imperva analysis of the source code revealed several unique traits, including a hardcoded blacklist of IPs that the adversary did not want to attack, perhaps in order to keep a low profile. Some of these IPs belonged to the Department of Defense, the U.S. Postal Service and General Electric. Ben Herzberg, security group research manager with Imperva Incapsula, told SCMagazine.com in a phone interview that the Marai’s author may have truncated the complete blacklist before publishing it – possibly because such information could offer a clue as to the attacker’s identity. Imperva also found Mirai to be territorial in nature, using killer scripts to eliminate other worms, trojans and botnet programs that may have infiltrated the same IoT devices. Moreover, the company noted traces of Russian-language strings, which could offer a clue to the malware’s origin. Herzberg said it’s only a matter of time before Mirai’s newest users make their own modifications. “People will start playing with the code and say, ‘Hey, let’s modify this, change this,” said Herzberg. “They have a nice base to start with.” Web performance and security company Cloudflare also strongly suspects it has encountered multiple Mirai DDoS attacks, including one HTTP-based attack that peaked at 1.75 million requests per second. According to a company blog post, the assault leveraged a botnet composed of over 52,000 unique IP addresses, which bombarded the Cloudflare network – primarily its Hong Kong and Prague data centers – with a flurry of short HTTP requests designed to use up server resources and take down web applications. A second HTTP-based attack launched from close to 129,000 unique IP addresses generated fewer requests per second, but consumed up to 360Gbps of inbound HTTP traffic – an unusually high number for this brand of attack. In this instance, much of the malicious traffic was concentrated in Frankfurt. Cloudflare concluded that the attacks were launched from compromised IoT devices, including a high concentration of connected CCTV cameras running on Vietnamese networks and multiple unidentified devices operating in Ukraine. “Although the most recent attacks have mostly involved Internet-connected cameras, there’s no reason to think that they are likely the only source of future DDoS attacks,” the Imperva report warns. “As more and more devices (fridges, fitness trackers, sleep monitors…) are added to the Internet they’ll likely be unwilling participants in future attacks.” Of course, compromised IoT devices can be used for more than just DDoS attacks. Today, Akamai Technologies released a white paper warning of a new in-the-wild exploit called SSHowDowN that capitalizes on a 12-year-old IoT vulnerability. According to Akamai, cybercriminals are remotely converting millions of IoT devices into proxies that route malicious traffic to targeted websites in order to check stolen log-in credentials against them and determine where they can be used. Bad actors can also use the same exploit to check websites for SQL injection vulnerabilities, and can even launch attacks against the internal network hosting the Internet-connected device. The vulnerability, officially designated as CVE-2004-1653, affects poorly configured devices that use default passwords, including video surveillance equipment, satellite antenna equipment, networking devices and Network Attached Storage devices. It allows a remote user to create an authorized Socket Shell (SSH) tunnel and use it as a SOCKS proxy, even if the device is supposedly hardened against SSH connections. “What we’re trying to do is raise awareness,” especially among IoT vendors said Ryan Barnett, principal security research at Akamai, in an interview with SCMagazine.com. Barnett noted that when the CVE first came out, an exploit on it was “more theoretical,” but now “we want to show it is actively being used in a massive attack campaign.” Source: http://www.scmagazine.com/leaked-mirai-source-code-already-being-tested-in-wild-analysis-suggests/article/547313/

More:
Leaked Mirai source code already being tested in wild, analysis suggests

A Decade of DDoS Education: What’s Changed and What’s Stayed the Same

While Distributed Denial of Service (DDoS) attacks have been around for over 20 years, they have only become well-known to the majority of enterprises over the past ten years or so. Ten years ago, many enterprise IT teams only had a vague idea of what a DDoS attack was because they noticed the common symptoms “our website is down,” “the firewall crashed,” “nothing works” etc. The average IT team in 2006 would not have been aware of the techniques DDoS attacks typically used like spoofed addresses or POST floods. In order to provide a true understanding of what DDoS attacks were and how enterprises could defend against them, some basic education had to happen. In 2006 that meant putting it in terms that everyone understood, “what would happen to our meeting if we tried fitting 100 people in this room?” Eventually as education continued and attacks grew in notoriety, the basics of DDoS became common knowledge in the industry. But DDoS in its nature is an evolving threat and as application-layer attacks became predominant more education was needed. Application-layer attacks are not about blocking access to the door of the meeting room anymore, now we had to explain the stealthy nature of low-volume, targeted attacks. “So you’ve let two of us in this meeting room because we appear to be legitimate salespeople, but now we’re going to unplug the projector so you can’t run your meeting properly.” Now ten years later, the majority of enterprise IT teams have a solid understanding of the threat DDoS poses and the basics of defense but even today we still come across people who believe they can protect themselves against DDoS attacks by simply increasing their bandwidth or relying on their firewalls or unified threat management appliances. With the volume of attacks today that is definitely not enough to ensure service and network availability in the face of sustained DDoS attacks. The majority of DDoS education today has shifted from learning about the attack methods themselves to the correct defense techniques and processes. Even with the significant improvements in DDoS education and awareness, a lot of people still have unrealistic expectations that once they install a DDoS mitigation solution their job is done. There is no silver bullet against DDoS attacks. There is no magic box, there is no “set it and forget it” solution. You still have to educate the user. Part of this comes from the misconception that DDoS attacks are launched by untalented kids. While that is true in some cases, many enterprise IT teams are surprised to find themselves often fighting against talented opponents who are often smarter than them, have more time than them and whose effort to start attacks is minuscule compared to their effort in blocking them. Often times, when faced with these advanced adversaries, IT teams are quickly overwhelmed. Even though they have some mitigation tools in place, they may not have the right tools. They may not know who to call or recognize the type of attack targeting their systems. In short, they don’t have a technology problem, they have a people and process problem. Think of DDoS defense like a NASCAR race, you have a super-powerful car (your DDoS mitigation solution or service), but if you don’t know how to drive over 70 mph, you’re going to crash and hurt yourself very quickly. And let’s not even mention what happens if you decided to install that cheap transmission because it was half-off. Enterprise IT teams need to focus on building the best car they can, hiring a skilled team that can keep the car in its best possible condition and then hiring the best driver they can afford to drive the car when the time comes. Even if you have the best car in the world, an unskilled maintenance team or driver will lead to a third or fourth place finish at the end of the season. But if you want to win the championship, you need the best car, mechanics and driver you can afford. Moving on from the NASCAR analogy, this means: Understanding the technology that best fits your needs: on-premise, always-on, protection or an on-demand service? Customizing that technology to fit your assets. Is it just your website or the services you provide from it? What about defending your corporate network? Identifying and training a team that is capable of understanding all of the procedures in all possible scenarios that surround a DDoS attack. Continue evolving your mitigation strategy. Keep your technology state-of-the-art and provide continuous training for your team. If you follow these steps you’ll end up in the winner’s circle after mitigating another DDoS attack and not in pit row trying to figure out what went wrong. Source: http://wwpi.com/2016/10/12/a-decade-of-ddos-education-whats-changed-and-whats-stayed-the-same/

Visit link:
A Decade of DDoS Education: What’s Changed and What’s Stayed the Same

73% of organisations across the globe have suffered a DDoS attack

A new report from analytics firm Neustar has brought to light the amount of companies around the world who have suffered a DDoS attack, and how they are working to mitigate them. Nearly three-quarters (73 percent) of organisations worldwide have suffered a DDoS attack and 76 percent are investing more in response to the threat of such attacks. For its new global report, Neustar studied 1,002 directors, managers, CISOs, CSOs, CTOs and other C-suite executives to discover how DDoS attacks are affecting them and what they’re doing to mitigate the threat. Respondents represent diverse industries such as technology (18 percent), finance (14 percent), retail (12 percent) and government (seven percent) in North America, EMEA, and Asia Pacific. In EMEA, 75 percent of organisations were attacked. Nearly half (48 percent) were attacked six or more time and 32 percent encountered malware after a DDoS attack. Almost a quarter (21 percent) of attacked organisations reported customer data theft and 70 percent of those specific respondents said they learned of the attack from outside sources, such as social media. Globally, 30 percent of organisations took less than an hour to detect a DDoS attacks. In EMEA, 37 percent of organisations took three or more hours to detect attacks. Despite only two percent of reported attacks exceeding 100+ GBPS, recent DDoS attacks have reached over 620 Gbps and up to almost 1 Tbps in attack size. Organisations are seeking to stay one step ahead of the game and protect against DDoS attacks. To prevent and protect against future attacks, organisations are using: Traditional firewall ISP based prevention (53 percent) Cloud service provider (47 percent) On-premise DDoS appliance and a DDoS mitigation service (36 percent) DDoS mitigation service (29 percent) DDoS mitigation appliance (27 percent) CDN (14 percent) WAF (13 percent) No DDoS protection is used in four percent of organisations. Nearly two-thirds (61 percent) have adopted and actively use IoT devices. In all, 82 percent of IoT adopters experienced an attack compared to just 58 percent of those who have not yet done so. Moreover, 43 percent of IoT adopters that were attacked are investing more than they did a year ago. In emailed commentary to SCMagazineUK .com, Paul McEvatt, senior cyber-threat intelligence manager, UK & Ireland at Fujitsu said, “This latest report revealing the different levels of DDoS attacks has really highlighted the issues with the security of Internet of Things devices, with 82 percent of IoT adopters having experienced an attack compared with just 58 percent of those who have not yet done so. When internet-connected devices are hacked, it again brings to the surface the security risks we face as technology touches every aspect of daily life. McEvatt added, “The issue is that businesses are failing to understand what is needed for a robust application of security from the outset, whether that’s for routers, smart devices or connected cars. Various attackers use online services to look for vulnerable IoT devices, making organisations an easy target for low-level cyber-criminals. The worrying reality is that security is often an afterthought and security fundamentals are still not being followed such as changing default passwords. Many of the cameras used in the recent DDoS attacks were shipped and left connected to the internet with weak credentials such as root/pass, root/admin or root/1111111, so it is little wonder these devices continue to be compromised.” Source: http://www.scmagazineuk.com/73-of-organisations-across-the-globe-have-suffered-a-ddos-attack/article/527211/

More:
73% of organisations across the globe have suffered a DDoS attack

Worry more about small app layer DDoS attacks than huge network blasts, says Canadian vendor

Massive distributed denial of service (DDoS) attacks have been grabbing headlines recently, with cyber security reporter Brian Krebbs being forced to temporarily take his site down after his service provider couldn’t handle a 620 Gbps attack, followed a few days later by a 1 Tbps attack on French hosting provider OVH. The incidents have some worried that DDoS attacks can now scale so high that current mitigation technology renders targeted organizations defenceless. Not so, says a Toronto security firm. In a report issued Tuesday DDoS Strike concludes CISOs worry too much about high volume network layer attacks and not enough about application layer attacks, which can take down a site with as little as 4.3 Gpbs of traffic. “Most organizations are only part way to understanding DDoS attacks and therefore having the capacity to defend against them with full effectiveness,” the report concludes. The report is based on an analysis of data gathered by DDoS Strike, which offers a service for testing enterprise infrastructures on their layer 3-7 denial of service mitigation techniques. DDoS Strike is a division of Security Compass, which makes application development security tools. What the company found after looking at its data from test attacks on 21 systems of Canadian and U.S.-based customers (some companies had more than one system) was that 95 per cent of targets tested suffered service degradation close to knocking a site offline — suggesting their DDoS mitigation efforts were useless. Of attacks at the application layer 75 per cent would have been successful. But, Sahba Kazerooni, vice-president DDoS Strike, said in an interview, network scrubbing techniques are largely effective. with service generally being denied only for a few hours until mitigation can either be tuned or turned on. More importantly, he added, is that application layer attacks are harder to defend, needing multiple tiers of defence, more expertise among IT staff trying to block them and fine controls. The result is more downtime for a successful app layer attack. “Our customers have a skewed way of looking at DdoS as a threat,” he said, “because they were being warned by the industry to worry about major ( network) attacks “and they’re forgetting about high level attacks on the app layer.” “We have this tendency to over-focus on technology when it comes to DDoS. We’re very quick to deploy on-site mitigation devices or to buy a scrubbing service. The piece that’s missing is to focus on the process and the training of staff to handle DDoS attacks.” Some of the customers tested brought their systems back from the brink in an average of 25 minutes, he said. (DDoS Strikes thinks that’s too long.) But of the successful test attacks his company carried out, over 70 per cent had some kind of process or people gap that resulted in longer than necessary downtime, he said. “A lot of companies can benefit not only from buying services and product but also training their employees,” Kazerooni concludes focusing more on their own processes with the goal of ultimately reducing downtime.” The report concludes that • businesses should stop thinking of DDoS attacks as crude acts of brute force, and start thinking of them as sophisticated, incisive attacks as complex as any other major hacking threat; • DDoS mitigation is incomplete out of the box, and can only be effective with proper DDoS simulation testing at all levels; • and DDoS mitigation should be viewed as a multifaceted strategy, involving people, process, and technology, rather than solely a technical fix. Source: http://www.itworldcanada.com/article/worry-more-about-small-app-layer-ddos-attacks-than-huge-network-blasts-says-canadian-vendor/386956

Link:
Worry more about small app layer DDoS attacks than huge network blasts, says Canadian vendor

Expect ‘Flood’ of DDoS Attacks After Source Code Release

The source code behind the massive distributed denial of service attack against security researcher Brian Krebs’s website has been released online. In a blog post over the weekend, Krebs wrote that the so-called Mirai source code’s release pretty much guarantees that “the Internet will soon be flooded with attacks from many new botnets powered by insecure routers, IP cameras, digital video recorders, and other easily hackable devices.” Krebs knows all too well what Mirai is capable of. Last month, the “Internet of Things” botnet launched a “historically large” 620Gbps DDoS attack against his well-known and respected site KrebsOnSecurity, inundating it with so much spam traffic that DDoS protection provider Akamai dropped the site to protect other subscribers. The Mirai source code leak came to light on Friday via the Hackforums community, Krebs said. A user with the alias “anna-senpai” posted the code there for anyone to use, likely to avoid getting caught. “It’s an open question why anna-senpai released the source code for Mirai, but it’s unlikely to have been an altruistic gesture: Miscreants who develop malicious software often dump their source code publicly when law enforcement investigators and security firms start sniffing around a little too close to home,” Krebs wrote. “Publishing the code online for all to see and download ensures that the code’s original authors aren’t the only ones found possessing it if and when the authorities come knocking with search warrants.” The malware spreads by “continuously scanning the Internet for [vulnerable] IoT systems” that are using default or hard-coded usernames and passwords. Vulnerable devices are then turned into bots, which together can be used to launch DDoS attacks designed to send so much traffic to a website that it’s knocked offline. “My guess is that (if it’s not already happening) there will soon be many Internet users complaining to their ISPs about slow Internet speeds as a result of hacked IoT devices on their network hogging all the bandwidth,” Krebs wrote. “On the bright side, if that happens it may help to lessen the number of vulnerable systems.” Source: http://www.pcmag.com/news/348404/expect-flood-of-ddos-attacks-after-source-code-release

See the article here:
Expect ‘Flood’ of DDoS Attacks After Source Code Release

Newsweek Website Suffers DDoS Attack After Publishing Controversial Trump Report

Newsweek reported suffering a massive DDoS attack right after they published an exposé on how some of Donald Trump’s companies had violated the United States embargo on trading with Cuba. The attack was sufficient to prevent access to the article on Friday, September 30, but the attack subsided, and the report was available the following day. Kurt Eichenwald, the journalist that penned the piece, and Jim Impoco, Newsweek Editor-in-Chief, both categorized the incident as a cyber-attack. “The reason ppl couldnt read #TrumpInCuba piece late yesterday is that hackers launched a major attack on Newsweek after it was posted,” Eichenwald wrote on Twitter. “Last night we were on the receiving end of what our IT chief called a ‘massive’ DoS (denial of service) attack,” Impoco told fellow media outlet TalkingPointMemo (TPM) via email. Some websites that generate enough hype can suffer from huge traffic loads that overcome servers. Nevertheless, Newsweek is a reputable news portal that has the resources to deal with such traffic spikes. Impoco was very adamant that the incident was because of a coordinated DDoS attack, which he claims might have originated from Russia, but did not elaborate beyond explaining that the DDoS attack’s “main” IP address was from Russia. This explanation doesn’t make any technical sense since DDoS attacks don’t have “main” IP addresses. Source: http://news.softpedia.com/news/newsweek-website-suffers-ddos-attack-after-publishing-controversial-trump-report-508874.shtml

More:
Newsweek Website Suffers DDoS Attack After Publishing Controversial Trump Report