Tag Archives: web-development

Analysis: Who’s Really Behind DDoS?

Now that Izz ad-Din al-Qassam Cyber Fighters has launched its fourth phase of distributed-denial-of-service attacks against U.S. banks, many observers are continuing to ask: Who’s behind this group, and what are the real motives? Is al-Qassam really an independent hacktivist group, as it claims? Does it have connections to a nation-state, such as Iran? Or does it have ties to organized crime? And is there a possibility that it has leased out its botnet to multiple groups? In this analysis, Information Security Media Group weighs the evidence. al-Qassam has been waging DDoS attacks against leading U.S. banking institutions and a handful of smaller ones since last September. The attacks, designed to disrupt online banking service, have, so far, proven to be more of a nuisance than a malicious threat. But the launch of this new phase, which was announced July 23, raises new questions about just who is behind Izz ad-Din al-Qassam The Group’s Message Since the beginning, al-Qassam has positioned itself as a group of hacktivists – independent attackers who are waging online war against U.S. banking institutions to make a social statement. The group claims the catalyst for the attacks is a movie trailer on YouTube that it deems offensive to Muslims. And because YouTube has not removed links to this trailer, as al-Qassam has asked, al-Qassam is focusing its attack energies on America’s core – it’s financial foundation. In an Oct. 23 post on the open forum Pastebin, al-Qassam restated its purpose, and noted that the attacks are not being waged to perpetrate fraud . “We have already stressed that the attacks launch only to prevent banking services temporarily throughout the day and there is no stealing or handling of money in our agenda,” the group states. “So if others have done such actions, we don’t assume any responsibility for it. Every day we are giving a compulsive break to all employees of one of the banks and its customers.” The post also takes issue with statements made in October by U.S. Defense Secretary Leon Panetta, who during a speech about cybersecurity noted that industries touching critical infrastructure were at risk. “Mr. Panetta has noted in his remarks to the potential cyberthreats such as attacking on power and water infrastructures, running off trains from the tracks and etc.,” the post states. “In our opinion, Panetta’s remarks are for distracting the public opinion and in support of the owners of the banks’ capital. … This is capitalism’s usual trick.” Then, in November, an alleged member of al-Qassam told ABC News that its attacks were not backed by anyone, nor were they connected to the August 2012 attack on Aramco, a Saudi oil firm, which involved the deletion of data from tens of thousands of computers. “No government or organization is supporting us, and we do not wait for any support as well,” the self-proclaimed al-Qassam member wrote in an e-mail, ABC News reported. “Do you think that the massive protests in the world are done with support? [In] the same manner [that] millions of Muslims in the world protested, hackers are also part of this protest” But many experts have questioned the protest motive and have expressed doubt that al-Qassam is what it says it is. Experts’ Views Financial fraud analyst Avivah Litan has repeatedly argued these attacks are actually being backed by a nation-state, namely Iran, not independent hacktivists. Others, such as Bill Wansley of the consultancy Booz Allen Hamilton, have shared similar opinions. “There are indications that it’s an Iranian group,” Wansley told BankInfoSecurity in late September 2012. “There are a lot of indicators it’s from that region of the world. But these hacktivist groups, frankly, can operate from a number of different locations and give the impression of being from one time zone when they’re really not. So it’s not conclusive. But there certainly have been some indicators, such as the use of Arabic names, Iranian names and the time zone [and the time of day when the first attacks struck] that would indicate something from that part of the world.” An unnamed source within the U.S. government quoted in the New York Times in May suggested Iran is backing attacks against the U.S. in retaliation for economic sanctions the U.S. has imposed on Iran. Many security experts, however, have been reluctant to attribute these attacks to any one type of actor. That’s because any attribution could only be based on circumstantial evidence in the online world, says Alan Brill, cybercrime investigator and senior managing director at investigations and risk-consulting firm Kroll. “You can’t accept crowd opinion for verified fact,” he says. “I think it’s still very difficult to attribute things like this, simply because the Internet was never designed to make that easy.” Although Brill admits he has not carefully reviewed the evidence linked to these attacks, he says attributing these types of attacks is challenged by attackers’ abilities to mask their points of origination with throw-away IP addresses and anonymous networks. “Unlike other forms of evidence, such as a fingerprint at a crime scene, which does not change, this stuff is just so fluid,” he says. “It’s very difficult to put all of the pieces together. And in the case of state actors, you’re not going to get a lot beyond circumstantial evidence.” Reviewing Patterns But what can the industry glean from the most recent attacks? Many experts say the more they learn about al-Qassam, the more confused they are. The group’s Pastebin announcements, attack schedules and breaks between attack campaigns have been inconsistent. Just as soon as the industry thinks it’s outlined a pattern, the pattern changes, as shown again in this fourth wave of attacks. Here, Information Security Media Group spells out some important factors. Are They Really Hacktivists? Support for the notion that al-Qassam is a hacktivist group stems from the fact that it claims itself to be one – and so far, no financial fraud or other type of data compromise has been linked to an al-Qassam attack. Banking regulators have warned of the potential for DDoS to be used as a mode of distraction for fraud to be perpetrated in the background But so far, no account compromises have been associated with al-Qassam attacks. The group claims it’s waging its attacks for social reasons – outrage over a YouTube video deemed offensive to Muslims. That purpose would suggest this is just a group of hacktivists out for attention. Is a Nation-State Involved? But none of the industry experts interviewed for this analysis believes that is truly the motive. Hacktivists typically want attention. “There’s usually some bragging about what was accomplished,” Wansley said last year. “That’s the typical pattern of some of the hacktivist groups.” While al-Qassam bragged on Pastebin in the early weeks of its attacks, the bragging has waned over time. Hacktivists also often name their targets in advance. Al-Qassam did this early on, but as the attacks became less effective, that stopped. During the second and third campaigns, al-Qassam took credit after the attacks. Now, most of that post-attack bragging has stopped as well. And experts note that these DDoS strikes have been hitting U.S. banking institutions for nearly a year; a hacktivist group would need substantial funding to run an attack campaign that long. That’s why many believe al-Qassam is actually a front for a nation-state, a criminal network – or even a mix of both. “In this case, there’s a group that has an Arabic name that has never been associated with cyber-activity at all,” Wansley noted. “[The name has] been associated with Hamas. And for them to, all of the sudden, become a hacktivist group is just really interesting. We’ve never seen that before. That doesn’t mean they’re not doing it, but it could also mean they’re being used as a cover for some other country or organization to do something.” The timing of this fourth phase further supports the notion that al-Qassam is actually a nation-state actor, Gartner’s Litan contends. The Iranian presidential election, as well as elections for regional posts, occurred June 14. Litan says the attacks were expected to lapse during the election, assuming that the Iranian government is actually funding the attacks. “We all knew they’d be back after the election,” she says. “Really, this is just business as expected.” Based on information she’s gathered from law enforcement and some of the attacked banks, Litan concludes: “We know it’s Iran because the attacks have been traced back to them, through the files, through the servers.” Is There a Criminal Connection? But could there be a criminal element involved? Many experts say a connection to organized crime is possible, because the attackers waging these long-term, extensive DDoS strikes are likely getting funding from a nefarious source. But are there clues al-Qassam is waging its attacks for a criminal purpose? Brobot, al-Qassam’s botnet, keeps growing, experts say. While the attacks waged by Brobot have been unsuccessful at causing any significant online outages during the third and fourth phases, al-Qassam has continued to increase the botnet’s size. Why? Some argue the purpose is to rent out Brobot for a profit – perhaps to cybercrime rings. And attacks linked to Brobot this campaign may support the notion that Brobot is now being used by more than just al-Qassam. During the afternoon hours of July 30, Brobot was used to attack merchant sites, seemingly as a coding test for the attacks that kicked off July 31, says Mike Smith of the cybersecurity firm Akamai, which has been tracking and mitigating DDoS activity linked to al-Qassam. The only commonality among the July 30 targets: They all have the word “Da Vinci” in their website URLs, Smith and others confirmed. “There was no connection to banking at all,” Smith says. Source: http://www.govinfosecurity.com/analysis-whos-really-behind-ddos-a-5966

View article:
Analysis: Who’s Really Behind DDoS?

5 Steps to Prepare for a DDOS Attack

As more people are realizing that in today’s cyber climate Distributed Denial of Service (DDoS) attacks are a matter of when, not if, the most common question I get asked is “What can I do to prepare?” I like to break it down into 5 key steps enterprises can take now to be prepared for a future attack: 1. Centralize Data Gathering and Understand Trends This is true across all security topics, but the last thing you want to be is blind when a DDoS attack hits. Generally the DDoS attack timeline goes something like this for the head of network operations: – 9:00 am – your monitoring system starts lighting up like a Christmas tree and your phone is blowing up with SMS alerts saying “the site is down.” – 9:01 am – your CEO calls you screaming “why is the site down?!?!?!?!” Hopefully, you can answer that question, but without proper metrics and data gathering you can’t possibly hope to identify the root cause. It could be a network circuit down, data center failure, DDoS attack, etc. With proper data gathering and monitoring in place, you can quickly identify a DDoS attack as the cause, and you can start the process of getting the website back up and running. It’s critical to identify the cause early as DDoS attacks can be quite complex and the sooner you jump on identification and remediation, the sooner the site will be back up. At minimum, the metrics you should gather include: Inbound and outbound bandwidth on all of your network circuits, peering connections, etc. Server metrics: CPU load, network and disk I/O, memory, etc. Top talkers: top sources and destinations of traffic by IP and port. If you are running a web site, you need to understand items like top URLs being requested (vs. the top URLs usually being requested), top HTTP headers, HTTP vs. HTTPS traffic ratios etc. All of these metrics (and there are many more I didn’t cover) should then be sent to a central logging and correlation system so you can view and compare them from a single viewpoint. This helps you spot trends and quickly identify the sources and method of the attack. This is especially important when it’s a very complex attack where it might not be an obvious issue (e.g. it’s easy to see when your network bandwidth is saturated, but when it’s a botnet simulating clicking the “Add to Cart” button to overwhelm your database resources, that isn’t as easy to spot; especially if you are trying to piece data from many disparate systems). 2. Define a Clear Escalation Path Now that you have determined it really is a DDoS attack, what next? Do you know who to call to get your service back up and running? What tools do you have in place to block the malicious traffic? If you have purchased DDoS protection (very smart!), how do you get the system fired up? These are key questions that should be written down and answered BEFORE the attack hits. During an attack people are rarely calm and it’s no fun trying to figure out an escalation path in the middle of the craziness. Do it before the attack hits so you can calmly execute your plan and get your site back up and running. Note that this doesn’t just mean “technical” contacts. You want to let the head of support and customer service know as well. You can bet customers will be calling in and there is nothing worse than to answer “weird, I didn’t know our site was down” when a customer calls. You also want to let your CEO know (if he or she doesn’t already). Each business is different, so you should consider your situation and think of all the people who might want to know the website is down and add them to the list. An “outages” mailing list is a central place to report these items without you needing to remember who to send the info to every time. If you do have a cloud-based DDoS protection service in place, make sure the group you have chosen internally to be the touch point with the provider has the up to date 24/7 hotline, email address to send capture files to, etc. The vendor should be one of the first calls you make to start the mitigation. You need to engage your mitigation provider immediately as they have done this many times before and will know what to do to get your site back up and running. 3. Use Layered Filtering In the discussion on size vs. complexity of an attack, you need to be able to handle both the “big and dumb” types (a whole lot of requests that are generally easy to spot as malicious – often known as “network level”) and “small and complex” (fewer requests, but extremely difficult to differentiate legitimate vs. malicious – commonly referred as “application level” or “layer 7? attacks). Some tools and techniques work (and scale) very well to mitigate against the “big and dumb” types, but fail miserably on the application attacks. On the other hand, some techniques that are required for application attacks have trouble scaling on the larger network attacks. Recently, we have seen more of a third type of attack, “big and complex!” A combination of the two aforementioned attack types, these are big attacks where the traffic is really hard to identify as malicious or legitimate. With great technology and layered filtering though, you are in a better position to handle any of these types of attacks. 4. Address Application and Configuration Issues Not only are DDoS attacks really good at pinpointing bottlenecks in your network and security infrastructure, they are also amazing at identifying problems in your application; especially when it comes to performance tuning and configuration. If you haven’t done proper application load testing (both before launch and every so often to check for any slowness that may have crept in) a DDoS attack may be the first time your website or application has really been stress-tested. You may find your database configuration is sub-optimal, or your Web server isn’t configured for enough open connections. Whatever the issue, you will quickly see how well you have tuned your website. It’s always a good idea to do load testing of your site on your schedule, not the attackers’. 5. Protect Your Domain Name System (DNS) This is crucial and yet probably the most overlooked of all of the above recommendations. I can’t tell you how many enterprises have spent millions of dollars on their Web hosting infrastructure (data centers, web servers, load balancers, database servers, etc.) but have only two low end DNS servers to handle all of their DNS traffic. DNS is an extremely common target of a DDoS attack due to how critical the service is for Web availability (there are plenty of articles and examples of large Web properties going down due to DNS issues – often attack-related). If a customer can’t resolve the IP address of your website (which is the job of DNS), it doesn’t matter how much you have spent on your hosting, that customer is not getting to your site. Protecting your DNS as part of a good DDOS mitigation strategy is fundamental. (Here’s a report from Gartner Research that discusses this issue. Conclusion It would take a book to cover all of these topics in depth. Hopefully this will at least give you, some things to think about and plan for with your DDoS mitigation strategy. Stay tuned for my next post where I will go in depth on some of the cool technology we use at Verisign to protect both our own and our customers’ infrastructure. Source: http://www.circleid.com/posts/20130731_5_steps_to_prepare_for_a_ddos_attack/

See more here:
5 Steps to Prepare for a DDOS Attack

DDoS attacks getting bigger but shorter in duration

Distributed Denial of Service (DDoS) attacks are getting bigger, but their duration are getting shorter, according to an analysis released this week by Arbor Networks. During the first six months of 2013, the average size of DDoS attacks remained solidly over the 2Gbps, Arbor reported — something the company has never seen before. Although the average may have been skewed during the period by the massive attack on Spamhaus in March, which reached 300Gbps at its zenith, large attacks in general have been going up too, Arbor found. From January to June this year, it said attacks exceeding 20Gbps more than doubled over 2012. Several security experts agreed with Arbor’s analysis. Michael Smith, CSIRT director for Akamai Technologies, cited two factors affecting DDoS numbers during the period. “It’s just easier to do these days,” he said in an interview. “You can rent a botnet for $20.” He added that a hacktivist group known as the Izz ad-Dim al-Qassam Cyber Fighters (QCF) has adopted a strategy that is also driving up the raw number of attacks and depressing their duration. “They attack multiple targets during the course of a day,” Smith explained. Not only do they attack multiple sites, but they don’t prolong an attack if they don’t see immediate results. “They’ll move from target to target after 10 or 20 minutes until they find one they can cause an immediate impact on,” Smith noted. Attacks are becoming bigger because hackers have more resources to mount attacks than ever before, said Marc Gaffan, founder of Incapsula. “There’s more ammunition for hackers in the wild which is why attacks have grown in size,” he said. New techniques have also contributed to the size of the attacks. For example, in the Spamhaus attack, hackers exploited openings in DNS servers to amplify the magnitude of their attacks on the website. They do that by sending a request to a server with an open DNS resolver. In the request, they spoof the address of their target so when the server answers the request, it sends its answer to the target. “When the resolver sends back the answer, which is larger than the question, it’s amplifying the attacker’s request,” Gaffan said. “Sometimes the answer can be as much as 50 times larger than the request,” he continued. “So an attack can be 50 times the original firepower used for the request.” In addition to improving their techniques, hackers have also increased their efficiencies by shortening their attacks. They will hit a site long enough to bring it down, disappear into the ether, then return to take it down again just as it’s recovering from the initial attack. “When a website goes down, it takes time to bring it back up,” Gaffan said. “There’s no point continuing to fire at that target when it’s down. You want to conserve your ammunition and fly under the radar, because the more you fire the greater the chances of someone identifying you as the source of the fire.” The technique also allows the attackers to get better mileage from their resources. “They could hit multiple targets with a single piece of infrastructure as opposed to hitting one target for an hour,” Gaffan said. Part of the reason attackers are sharpening their skills of deception is that defenders are getting better at blunting DDoS attacks. “The Internet as a whole is getting better at responding to these attacks,” said Cisco Technical Leader for Threat Research, Craig Williams. “We’ve seen DNS amplification shoot through the roof, but I suspect that’s going to start dropping with the addition of RPZs that can mitigate queries and people getting better at closing down open resolvers,” Williams told CSOonline . Source: http://www.networkworld.com/news/2013/073113-ddos-attacks-getting-bigger-but-272389.html?page=2

Taken from:
DDoS attacks getting bigger but shorter in duration

Regions Bank Hit with New DDoS Attack

Regions Bank was the victim of cyber attackers that shuttered the bank’s website and interrupted its customers’ debit cards, reported AL.com. The bank’s website was hit Friday with a distributed-denial-of-service attack. Customers may have also not been able to use their debit cards at ATMs and merchants, according to a statement released to the website. “Access to regions.com and online banking were disrupted intermittently today by a distributed denial of service (DDoS) attack,” a spokesman told AL.com on Friday. “Some customers may have also been unable to use their CheckCards at ATMs or at merchants. We apologize for the difficulties this has caused and are working to resolve the issues as quickly as possible.” The attack comes on the heels of recent threats by from the hactivist group Izz ad-Din al-Qassam Cyber Fighters. Since last September, al-Qassam has taken responsibility for a series of cyber assaults that have plagued some of the nation’s largest banks — shuttering the online banking operations of Wells Fargo, PNC and dozens of others. Regions Bank was among those hit in early October. The Regions outage and debit card issues that occurred Friday reportedly lasted for nearly two hours. Source: http://www.americanbanker.com/issues/178_145/regions-bank-hit-with-new-ddos-attack-1060942-1.html

Read more here:
Regions Bank Hit with New DDoS Attack

DDoS: Lessons From U.K. Attacks

While U.S. banking institutions brace for the next wave of distributed-denial-of-service attacks by Izz ad-Din al-Qassam, new cyberthreat research reminds us that no industry or global market is immune to DDoS. A new study from online security provider Neustar shows that DDoS attacks are up in the United Kingdom, just as they are in the U.S., and they’re targeting everything from e-commerce sites to government. It’s not just banking institutions that DDoS attackers want to take down – a truth we’ve been preaching for several months. But now, data proves it. Of the 381 U.K. organizations polled between May and June by Neustar, 22 percent said they suffered from some type of DDoS attack in 2012. By comparison, a survey of 704 North American organizations released in April 2012 showed that 35 percent had been targeted by DDoS within the last year. While the financial services sector has been the primary DDoS target in the U.S., telecommunications companies are the No. 1 target in the U.K., according to the Neustar survey, with 53 percent reporting attacks. Half of U.K. e-commerce companies and 43 percent of online retailers surveyed reported attacks. But only 17 percent of the U.K. financial-services organizations say they had been targeted, compared with 44 percent in the North American survey. The North American data is a bit out of date, so the percentage of financial institutions hit by DDoS is now probably even higher. And attacks aimed at U.K. organizations have been nowhere as fierce as those waged against U.S. banks since September 2012. More Attacks on Way Now that al-Qassam has just announced plans for a fourth phase of attacks, we’re all bracing for more strikes against U.S. banks (see DDoS: Attackers Announce Phase 4 ). But the new survey sends a clear message: No organization is safe from DDoS. “As in North America, U.K. companies face serious challenges as they decide on DDoS protection and attempt to mitigate losses,” Neustar writes in its survey study. “While many companies are hoping traditional defenses will suffice, given the frequency of attacks, their growing complexity and the impact when sites go dark, such hopes are badly misplaced.” U.K. organizations could learn quite a bit from the example U.S. banks have set. Experts have noted time and time again that European banks and others are not well-prepped for DDoS. Despite the fact that the attacks waged against U.S. banks have been among the largest the industry has ever seen, the percentage of U.S. organizations that experienced extended outages was much smaller than that of U.K. organizations, the surveys showed. The defenses U.S. banking institutions have put in place have set a new bar. We already knew that, but now Neustar’s survey results support it. According to Neustar, while online outages lasting about 24 hours affected about 37 percent of both North American and U.K. organizations surveyed, outages lasting more than a week affected 22 percent in the U.K. and only 13 percent in North America. Having a site down for more than a week is an embarrassment, and costly. Can you even imagine a major banking institution’s site being down that long? Banks in the U.S. are prepared for DDoS. But what about other organizations? Are non-banks getting ready for DDoS, or do they still see this as only a threat to banking institutions? What you think? Let us know in the comment section below. Source: http://www.bankinfosecurity.com/blogs/ddos-no-industry-safe-p-1524

Visit link:
DDoS: Lessons From U.K. Attacks

Network Solutions Recovers After DDoS Attack

Network Solutions said it’s fully mitigated a distributed denial of service (DDoS) attack that compromised some services last week, and that attack volumes against the company had returned to normal. “We experience DDoS attacks almost daily, but our automatic mitigation protocols usually handle the attacks without any impact to our customers,” said John Herbkersman, a spokesman for Network Solutions’ parent company, Web.com, via email. Network Solutions manages more than more than 6.6 million domains, provides hosting services, registers domain names and also sells SSL certificates, among other services. But Monday, some customers reported still experiencing domain name server (DNS) and website updating difficulties that dated to the start of the DDoS attacks. The company, however, disputed those claims. “Some customers may be experiencing issues, but they are not related to last week’s DDoS attack,” said Herbkersman. The DDoS attacks began last week, with Network Solutions at first reporting that “some Network Solutions hosting customers are reporting latency issues,” according to a “notice to customers who are experiencing hosting issues” posted to the company’s website on Tuesday, July 16. “Our technology team is aware of the problem, and they’re working to resolve it as quickly as possible. Thank you for your patience,” it said. As the week continued, the company posted updates via Twitter and to its Facebook page. By Wednesday, it said that the outages were due to a DDoS attack “that is impacting our customers as well as the Network Solutions site.” It said that the company’s technology staff were “working to mitigate the situation.” Later on Wednesday the company declared via Twitter: “The recent DDOS attack affecting customers has now been mitigated. Customer websites should be resolving normally. Thanks for your patience.” The Network Solutions website wasn’t available or updateable for the duration of the attacks. But that wasn’t apparent to all customers, who might not have turned to Facebook and Twitter seeking updates about the company’s service availability. One InformationWeek reader, who emailed Friday, accused Network Solutions of being less than forthcoming about the fact that the outages were being caused by a DDoS attack, “which they acknowledged only when calling them,” after he found only the “notice to customers who are experiencing hosting issues” post on the company’s site. “They have been trying to bury it,” he alleged. “Some sites were down for the entire day.” Herbkersman brushed off the criticism. “In addition to Facebook, we communicated via the Network Solutions’ website and via Twitter,” he said. “We also responded directly to customers who called our customer service team and those who contacted us via social media channels.” Friday, the company did publish a fuller accounting of the outage to its website. “Earlier this week, Network Solutions experienced a distributed denial of service (DDoS) attack on its servers that affected our customers. The Network Solutions technology team quickly identified the issue and implemented measures to mitigate the attack,” read a statement posted to the company’s site and cross-referenced on its Facebook page. “We apologize to our customers who were impacted.” “Are we getting refunded some money because of your 99.99% uptime guarantee?” responded one member via Facebook. “Feel free to call our support team and they will be happy to discuss,” came a reply from Network Solutions. Customers might have had to contend with more than just the DDoS attack. A Tuesday Facebook post — since deleted, which the company said it made to help direct customers to more recent information about the DDoS-driven outages — drew comments from customers reporting DNS issues. “There were multiple reports on the July 16, 2013 Facebook thread that appear to indicate customer DNS records were corrupted before the DDoS induced outage,” Craig Williams, a technical leader in the Cisco Systems threat research group, said in a blog post. The one-two punch of domain name resolution difficulties and a DDoS attack could have left numerous sites inaccessible not just during the attack, but in subsequent days, as the company attempted to identify the extent of the damage and make repairs in subsequent days. Last week’s DDoS attack was the second such attack for Network Solutions customers in less than a month. “In [the] previous outage, domain name servers were redirected away from their proper IP addresses,” said Williams. In that case, however, at least some of the DNS issues appeared to be “a result of a server misconfiguration while Network Solutions was attempting to mitigate a DDoS attack.” Herbkersman, the Web.com spokesman, said last week’s outages were entirely driven by the DDoS attacks, rather than the company’s response to those attacks. Source: http://www.informationweek.com/security/attacks/network-solutions-recovers-after-ddos-at/240158685

Read the original:
Network Solutions Recovers After DDoS Attack

Four steps for denying DDoS attacks

Financial institutions have been battling waves of large distributed denial of service attacks since early 2012. Many of these attacks have been the work of a group called the Qassam Cyber Fighters, which until recently posted weekly updates on Pastebin about the reasons behind its attacks, and summarising Operation Ababil, its DDoS campaign, writes Terry Greer-King, UK managing director, Check Point ( right ). Other hacktivist groups have launched their own DDoS attacks and targeted financial services institutions with focused attacks on web forms and content. There have also been reports of nation-state organised cyber assaults on banks and government agencies, along with complex, multi-vector efforts that have combined DDoS attacks with online account tampering and fraud. These incidents against all sizes of banks have shown that there are many kinds of DDoS attacks, including traditional SYN and DNS floods, as well as DNS amplification, application layer and content targeted methods. Denial of Service (DoS) activities that have targeted SSL encrypted webpage resources and content are an additional challenge. In some instances, the adversaries have moved to a blended form of attack that incorporates harder-to-stop application layer methods alongside ‘cheap’, high-volume attacks that can be filtered and blocked through simpler means. To cope with this level of malicious activity, CIOs, CISOs, and their teams need to have a plan in place, and consider a set of defensive tools that combine on-premise technologies and cloud-based scrubbing services. They should also begin to explore and ultimately implement intelligence gathering and distribution methodologies that help lead to a comprehensive DoS mitigation strategy. Here are four steps to help in devising that strategy Have a scrubbing service or ‘cleaning provider’ to handle large volumetric attacks : the volumes associated with DDoS activity have reached a level where 80 Gbps of DDoS traffic is a normal event. There are even reports of attacks in the range of 300 Gbps. Few, if any organisations can maintain sufficient bandwidth to cope with attacks of this size. When faced with DDoS incidents this large, the first thing an organisation needs to consider is the option to route their Internet traffic through a dedicated cloud-based scrubbing provider that can remove malicious packets from the stream. These providers are the first line of defense for large volumetric attacks, as they have the necessary tools and bandwidth to clean network traffic so that DDoS packets are stopped in the cloud and regular business as usual traffic is allowed. Use a dedicated DDoS mitigation appliance to isolate and remediate attacks: the complexity of DoS attacks and the tendency to combine volumetric and application methods require a combination of mitigation methods. The most effective way to cope with the application and “low and slow” elements of these multi-vector attacks is to use an on-premise dedicated appliance. Firewalls and intrusion prevention systems are critical to the mitigation effort, and DDoS security devices provide an additional layer of defense through specialised technologies that identify and block advanced DoS activity in real-time. Administrators can also configure their on-premise solutions to communicate with cloud scrubbing service providers to enable automated route away during attack. Tune firewalls to handle large connection rates: t he firewall will also be an important piece of networking equipment during DDoS attacks. Administrators should adjust their firewall settings in order to recognise and handle volumetric and application-layer attacks. Depending on the capabilities of the firewall, protections can also be activated to block DDoS packets and improve firewall performance while under attack. Develop a strategy to protect applications from DDoS attacks: a s well as using security solutions, administrators should also consider tuning their web servers, and modifying their load balancing and content delivery strategies to ensure the best possible uptime. This should also include safeguards against multiple login attempts. Machine-led, automated activities can also be blocked by including web pages with offer details, such as opportunities for interest rate reduction or information on new products, so that users much click on “accept” or “no thanks” buttons in order to continue deeper into website content. Content analysis can also help – simple steps such as ensuring there are no large PDF files hosted on high-value servers can make a difference. The above methods are crucial to any DDoS mitigation strategy. Organisations must also reach out to service providers and ISPs and work with them to identify novel mitigation techniques. After all, DDoS attacks use the same Internet routes as bank customers, and ISPs carry both forms of traffic. Of increasing importance is the need to investigate and implement intelligence gathering and distribution strategies, both within company networks and across other companies operating in financial services. Getting more information about who the attacking agent is, the motivations behind the attack, and methods used, helps administrators anticipate and proactively architect around those attacks. Attack profile information can range from the protocols used in the attack (SYN, DNS, HTTP), the sources of attack packets, the command and control networks, and the times of day during which attacks began and ended. While valuable in mitigating attacks, there is no easy way to communicate this data, and regulatory hurdles make it even more difficult to share attack information. Right now, information-sharing consists of friends talking to friends. Information sharing needs to evolve into an automated system where multiple organisations can log in to a solution and see correlated and raw log data that provide clues about current and older attacks. Such systems could also be used to share attack intelligence and distribute protections. An industry information sharing capability would help elevate financial services companies’ abilities to cope with DDoS activity and bring the industry as a whole to a new level of preparedness. Source: http://www.bankingtech.com/154272/four-steps-for-denying-ddos-attacks/

Excerpt from:
Four steps for denying DDoS attacks

Many online newspapers become DDoS victims

At 4.11 pm of July 7, when accessing Dan Tri newspaper at dantri.com.vn, readers would see the words “Ban hay thuc hien phep tinh de tiep tuc su dung bao Dan Tri” showing that the access was denied. Dan Tri was just one of the many online newspapers hacked in recent days under a large scale DDoS offensive of the hackers. The hacking made a lot of newspapers inaccessible. Some readers still could access websites, but they had to try many times and wait with patience. Internet security experts have commented that the attack might have been well prepared for a long time, because it was conducted in a very methodical way. HVAOnline, a security forum, reported that since July 4, Thanh Nien, Tuoi tre, Dan Tri, VietNamNet, Kenh 14 have been the victims of the DDoS attacks, noting that the number of hacked online newspapers is on the rise. It is estimated that each of the newspapers incur the DDoS attack capacity of 50-70 Mbps, while the capacity was up to 1.3 Gbps for some newspapers. To date, some newspapers have fixed the problems, but the access remains unstable. According to Vo Do Thang, Director of Athena, an Internet security training center in HCM City, the current attack power would be unbearable to the small online newspapers. As such, the hacking would cause serious consequences, especially if it lasts for a long time. The experts said hackers purposely attacked the server of VDC 2 (the Vietnam Data communication Company) where the servers of many online newspapers are located. As a result, not only the VDC 2’s server, but the newspapers’ servers also suffered. HVAOnline said the forum itself and many other forums, information portals in Vietnam also incurred many DDoS attacks, but at weaker intensity. In fact, experts said the attacks began in June 2013 already at low intensity, which could be the preparation for the “general offensive” in July. They believe that the hackers may belong to a big and powerful organization to be able to mobilize such large botnets and zombies for the large scale attack. The hackers reportedly timed their attacks in their way. After finishing one attack aiming to one goal, they began the attack to another goal. After that, they unexpectedly returned and attacked the first aiming point. This way of hacking might make readers and the newspapers’ administrators misunderstand that the newspapers got troubles, while they did not think of a DDoS attack. Buu Dien newspaper on July 11 quoted the Director of an Internet security firm as saying that the firm, after analyzing the attack, found out that the attack was originated from an IP in Vietnam. BKAV’s Nguyen Minh Duc said two days ago that BKAV has not received any request for help from the hacked newspapers. A Symantec’s report in 2011 said that Vietnam has become the favorite space of the world’s hackers, and that it is the biggest botnet in the world. One of the reasons behind this is that Vietnamese don’t install anti-virus software on their computers, and they have the habit of installing cracked software pieces, or downloading some software products from unreliable websites. Source: http://english.vietnamnet.vn/fms/science-it/79186/many-online-newspapers-become-ddos-victims.html

See more here:
Many online newspapers become DDoS victims

Tips To Prepare For A DDoS Attack

IT security experts report that distributed denial of service (DDoS) attacks are a growing concern for 2013: this trend is proved by the countless attacks during 2012 and shown from the findings on the latest CSI Computer Crime & Security Survey, which attracts widespread media attention and is one of many online sources that provides valuable information and guidance to information security professionals. How can a business or individual decrease the likelihood of these type of threats? Fortunately, there are methods that can be used in advance to mitigate risk and infections from the amplification of such attacks. Safety First First of all, it is paramount to identify if the network is safe and protected from unauthorized access, malicious content, real-time threats and cyber intrusions. If not, network system managers should consider using traditional security products like a firewall, Intrusion Prevention and Detection Systems (IPDS) and Web application firewall devices to establish a first line of security defense. It is crucial to be responsive and implement the necessary security hardware and software tools ahead of time to defend the perimeter of the network from intrusion and before being the hacker’s target. Business and individuals alike should plan early on and not wait until they are at mercy of the attack to use proper security controls. Malicious attacks, which can be carried out from several compromised systems and from another location (IP address), can enable a rogue attacker to install a series of zombie Trojans to attack or infect (with malware) hosted computers. Whatever reason and motive the intruder has, s/he is able to take over an entire network and initiate a flood or packet attack, all while denying legitimate connections and paralyzing victims’ systems or servers (e.g., Web servers, DNS servers, application servers). The aim is to use up the network bandwidth and bring its operations or services down. Knowing how dangerous such an attack can be, it comes of utmost importance to be familiar with the different kind of DDoS attacks that could affect the network to understand what type of countermeasures should be put to use. Despite the scale and frequency of these attacks, there are ways to be prepared and avoid being vulnerable to this threat that can be so disruptive. Next is a list of tips to prepare and plan, before an attack strikes, which if made a victim of could have devastating effects on one’s business, such as costly downtime and/or lost revenue. Here are six ways to prevent a DDoS attack • Utilize packet filters on the router(s) • Setup a firewall with advanced security • Properly configure webserver with security modules • Implement logging with ACLs and have them in place to filter traffic • Exploit NetFlow for traffic monitoring and tracking down specific attacks • Rely on a third-party cloud DDoS mitigation provider for proprietary filtering technology. This is a great alternative for those that do not want to handle the security themselves and obtain a quick solution that provides on-demand, real-time protection to monitor 24/7 a business or individuals’ on-premises network infrastructure. If you’re looking for reputable provider, I would suggest getting DDoS protection from DOSarrest . Other than the tips listed, it is suggested to always have more bandwidth available, maintain anti-virus software, and deploy IPDS devices or firewalls in front of the servers just in case of a DDoS attack. It is better to spend some time (and money) preparing in advance for this network threat than dealing with a last minute crisis and trying to figure out what needs to be done. Source: http://www.examiner.com/article/tips-to-prepare-for-a-ddos-attack

See the original post:
Tips To Prepare For A DDoS Attack

Financial Security: Learning From DDoS Attacks

Exactly how big are distributed denial of service (DDoS) attacks in mid-2013? “Just big enough” is what most attackers would say. The Cyber Fighters of Izz ad-din Al Qassam, a group claiming to protest an anti-Moslem video and considered by many experts to be the perpetrators of the attacks, have shown a knack for ratcheting up the volume as banks invest in greater DDoS mitigation bandwidth. The al Qassam template hasn’t gone unnoticed. In the cyber underground, criminal gangs have chatted about the group’s favorite weapon, the “itsoknoproblembro” DDoS toolkit, which hits various parts of a web site at the same time and floods servers with traffic up to 70Gbps. The al Qassam botnet — dubbed the “brobot” — is striking too. Instead of marshaling tens of thousands of infected home computers, it uses hosting providers’ or business’ commercial content servers, which offer fatter pipes and bandwidth galore. The same tactics are available to those whose motive is greed, with the Internet itself serving as their weapons storehouse. Since they never pay for those high-capacity servers and all that power, what’s to stop attackers from using as much as they want? Though an attack of less than 2Gbps can take down many sites, attackers want to be sure your site is down throughout the world. In fact, they use free web monitoring services to make sure that folks in Chicago and Paris can’t reach you. If the attack isn’t working globally, the attackers up the ante. Just figuratively, though–humongous attacks cost no more than surgical strikes. If this is bad news for top-tier banks, it’s potentially disastrous for smaller institutions lacking the budget and expertise to handle attacks themselves. Fortunately, a little planning and preparation can make a big difference. “Does This Hardware Make Me Look Fat?” It Pays To Be Less Attractive To Attackers. Short of making arrests, the good guys can’t stop the bad guys from launching DDoS attacks. So increasingly, larger banks have taken steps to become less-appealing targets — less likely to go offline for long periods of time and more likely to retain customers thanks to helpful communications. Best practice number one: Distribute your Internet infrastructure. Separate your DNS, e-commerce, payment gateways and VPNs. If everything’s on the same infrastructure and you’re socked with a DDoS attack, the damage is more widespread and the attackers win. Say your DNS is hit. Not good, but if your VPN, for instance, is on a different circuit (either real or virtual), your staff has backdoor access to email and other functions. Because you’ve segregated your private- and public-facing systems, business doesn’t grind to a complete halt. To accomplish this, find a trusted third party to manage infrastructure like DNS. Or at least have a Plan B, enabling you to park your DNS, VPN or web service somewhere else until the attack ends. By lining up a willing provider well in advance, you’ll spare yourself some agony when the dirt hits the fan. It’s also smart to assume that someday you’re going to be hit. To paraphrase Trotsky, you may not be interested in DDoS, but DDoS is interested in you. With over 7,000 attacks daily, it’s only a matter of time, so more banks and credit unions are crafting emergency plans. Like natural disaster planning or certain business recovery efforts, these preparations go far beyond technical responses. It starts with being ready to do business, gasp, offline. If your credit union site is down, you may decide to extend your regular business hours, which in turn might require extra tellers and call center operators, or even coffee and cookies for customers in long lines. You’ll also need to let people know about any such contingencies. Be ready to communicate with customers quickly and reassuringly. Email may not be an option, so consider radio announcements or other media outlets, including a company web page separate from the one that’s under attack. Also think about a toll-free number your customers can call. How much detail should you reveal about the impact of an attack? That’s up to you, of course. Some financial institutions have chosen to say as little as possible, for fear of feeding attackers valuable information. Others have been more transparent, betting they’ll reap the reward in customer gratitude and fewer account defections. Whatever procedures you develop, be sure to practice them. You’ll never be ready for everything, but executing the basics well can help enormously. Again, the throes of a crisis aren’t the best time to white-board responses. Run drills of your emergency plan and you’ll likely accomplish two things: more effective DDoS mitigation and better core service, the latter tending to slip when attacks are all-consuming. While al Qassam is a role model for cyber miscreants, the major banks are a more positive one in the DDoS protection arena. Smaller banks and credit unions don’t have the same deep pockets, but they can still make plans, develop responses and make smart technology investments. Inertia is the one thing they truly can’t afford. For protection against your eCommerce site click here . Source: http://www.banktech.com/risk-management/financial-security-learning-from-ddos-at/240157243

View the original here:
Financial Security: Learning From DDoS Attacks