Monthly Archives: September 2016

Waiting for DDoS

In football, many offensive plays are designed to trick the defense into thinking something else is about to unfold. In the world of cybersecurity, DoS (Denial of Service) or DDoS (Distributed Denial of Service) attacks often serve as a similar smokescreen or decoy to a far more sinister plot with the ulterior motive to mount a computer network breach that results in the loss of data or intellectual property. It was a DDoS attack that woke up Sony Pictures a year ago (watch the video emailed to Sony employees on the morning of the attack), even though attackers had infiltrated the company’s networks months before undetected, and eventually obliterated its computer systems. According to  Fortune , half of Sony’s global network was wiped out, erasing everything stored on 3,262 of the company’s 6,797 personal computers and 837 of its 1,555 servers. Hackers calling themselves “#GOP” (Guardians of Peace) threatened to release publicly Sony Pictures’ internal data if their demands, including “monetary compensation,” were not met. They weren’t bluffing. Sobering DDoS Statistics Recent studies show DDoS attacks growing exponentially in recent years, launched through rentable, relatively inexpensive, anonymous botnets that cost as little as $1,000 and can render an e-commerce website completely inoperable. The average denial of service (DoS) attack costs the victim $1.5 million, according to a separate Ponemon Institute survey sponsored by Akamai and published in March 2015. The 682 responding companies reported four attacks a year. AT&T also reported companies across its network were hit with four times a year with DDoS attacks and 62 percent growth in DDoS attacks over the past two years. Once an organization receives a DDoS attack, the chances of being the object of a data breach are better than 70 percent, reported Neustar Inc., a Sterling, Va.-based provider of cloud-based information services, including conducting research on cloud metrics and managing various top-level internet domains. The second quarter of 2015 set a record for the number of DDoS attacks recorded on Akamai’s Prolexic Routed network – more than double what was reported in 2014’s second quarter. Corero Networks, a Hudson, Mass.-based security services provider, reported that its clients were getting DDoS attacks an average of three times a day, and in the second quarter of 2015 daily attack volume reached an average of 4.5 attacks, a 32 percent increase from the previous quarter. More than 95 percent of the attacks combated by Corero last 30 minutes or less, and the vast majority of the attacks were less than 1 Gbps. Only 43 percent rate their organizations as highly effective in quickly containing DoS attacks, and only 14 percent claimed to have had the ability to prevent such attacks, according to the Ponemon report. The worst DDoS attack on the Akamai network peaked at 214 million packets per second (Mpps), a volume capable of taking out tier 1 routers, such as those used by internet service providers (ISPs). “It’s pretty hard to stay one step ahead of these guys,” admits Mark Tonnesen, chief information officer (CIO) and chief security officer (CSO) of Neustar. In a recent survey of 760 security professionals commissioned by Neustar and conducted by Simply Direct of Sudbury, Mass., for the U.S. market and Harris Interactive of London for the Europe, Middle East and Africa (EMEA) markets,  DDoS attacks increased in 2015 six-fold when compared to the previous year. “Every day there’s an announcement of some [DDoS attack] going on with a company caught unprepared, trying to ramp up with people and technology,” Tonnesen says. “Companies are looking for any way they can grab an edge any way in identification, detection and reaction time to eliminate the attack.” Interruption vs. Outage Those behind DDoS attacks may have ulterior motives to capture real value from the attack, such as financial gain, brand carnage, or intellectual property resold on the underground market. Any of those scenarios happen nine out of every 10 DDoS attacks, according to Neustar data. The impact on a company’s customers and the firm’s bottom line “negatively impacts everybody’s financials,” Tonnsesen points out. DDoS attacks, which can take the form of an interruption or the more serious outage, almost always serves as a smokescreen avoiding attention to an outright sinister data breach. Meanwhile, the IT staff is trying to figure out why the website isn’t working properly. “Unbeknownst to you, [the malware is] already in your network,” he explains. A DDoS  outage  is a complete slaughter of messaging to a network, such as an e-commerce platform. Effectively, the network appears to shut down completely due to the bandwidth overload, making it nearly impossible to get traffic through to the website. In contrast, a DDoS  interruption  involves attacks targeted such as to a customer service organization or intellectual property or customer records and identity. “[An interruption] certainly has a major impact, but it wouldn’t be an outage,” explains Tonnesen. “It’s more of a disruption, not a flat-out attack. The attackers are much more intelligent and organized; they know what they’re certainly looking for, such as affecting your brand and or having a financial impact. There’s an element of showcasing their capability, and the lack thereof of the company that was attacked.” As a result, IT security and network teams must be vigilant and always be on high alert. The Hybrid Solution  Some CISOs are moving to a “hybrid” approach to combating a DDoS attack of the of the Open System Interconnection (OSI) Model Application Layer 7 variety. The approach uses an on-ground client security product that links with a cloud-based mitigation tool. One argument for this approach is that attack victims can react more quickly to a specific attack on a business area, such as engineering or customer support, if they have the benefit of cloud-based updates rather than waiting for a network-based device to be updated. “Based on the customers I talk to, hybrid approaches are becoming mainstream,” says Tonnesen. Client and cloud security products work together with one or the other configured as a rules-based defense working on certain types of data attacks that affect key assets and applications.  Typically, underlying attacks involve a DNA-like sequence that lives in a lower level of an organization’s technology stack, such as malware sitting on a server some place, and begin to take over key assets. “That’s where a DDoS mitigation service can really help a weakness or attack sector,” Tonnesen says. “One approach really isn’t good enough anymore.” Mike Weber, vice president of labs of Coalfire, a cyber risk management and compliance company based in Louisville, Colo., says that “being able to diagnose a denial of service attack does take some time. Generally understanding if it’s a problem internally, such as an application malfunction, system problem or faulty hardware, those kinds of diagnostics take a while.” When Weber was fending off DDoS attacks at a former employer, a web hosting company, he received an insider’s view of old-fashioned corporate espionage. The client hosting company had known adversaries but could never pin the frequent attacks on a single entity. “They had a good idea who was behind the attacks,” he remembers. “A lot of times, it was their competition. It was used as a revenge tactic – sometimes it was intended to impact that company from a business perspective for whatever reason. Maybe it’s a page rank or advertising issue.” Attackers leverage those kinds of attacks to consume personnel/intellectual capital being used for diagnosis. While the victim attempts to identify the strategy attempting to thwart it typically sends companies under attack into a state of chaos. An attack against a website can be set to look like a denial of service interspersed with an attack that achieved the end goal of flooding log servers. Typically the obvious attack needs to be stopped before one can diagnose the other less obvious attack. “Think of that as DNS (Domain Name System) amplification – a DDoS attack where the attacker basically exploits vulnerabilities in the DNS servers to be able to turn small inquiries into large payloads, which are directed back to the victim’s server,” Weber says. “Those are a different protocol than those other attacks that are attacking different parts of the infrastructure whether they’re operating systems or applications. So typically they would be targeted towards two different parts of the client environment.” Malicious Traffic A typical approach to prevent DDoS from inflicting damage is to re-route non-malicious traffic to a cloud-based or third-party provider whose sole purpose is to mitigate denial of service-type attacks at what’s known as a “scrubbing” center. “Only clean traffic gets through,” says J.J. Cummings, managing principal of Cisco’s security incident response team. DDoS traffic then purposely gets diverted to the external provider, which takes the “brunt” of the attack and “roots out all that’s evil and bad.” Denial of service attacks are extremely challenging and can be expensive from a mitigation perspective, in terms of pipe size and technology, he admits. “At the end of the day it comes down to how critical these business applications are,” Cummings says. “How much do you want to spend to withstand an attack and an attack of what size?” The first questions that need to be addressed before, during or following a DDoS, says Cummings, “are how big is your Internet pipe and how much bandwidth has been thrown at you historically?” The answers determine a network’s required level of operational capability as well as what the needs at a bare minimum to resume the business. Security products are available from multiple vendors to help harden a company’s public-facing systems so they’re less susceptible to targeted types of attacks. “Those technologies presume you have enough of an Internet pipe to withstand that amount of bandwidth,” says Cummings. Otherwise, it’s a moot point. Detection analytics is another important tool to put DDoS mitigation measures in place. “You don’t all the sudden get a terabyte of traffic hitting. It kind of spools up, as that botnet starts to distribute the attack commands,” he adds. ISPs can know in advance to block certain IP addresses or certain traffic streams upstream. More sophisticated attacks often are focused on a profit motive and target companies with a lot of money or a gambling site that is taking bets on a major sporting event. In online video gaming or gambling, some players go to the extremes of disrupting the network where the opposition is hosted by firing off a DDoS attack. Retribution is another scenario with DDoS attacks. A former employee or student gets mad and rents a botnet to conduct the attack. A significant consequence to a denial of service attack is damage to the victim organization’s reputation, in addition to a potential dollar loss for every minute that the network is offline. Nearly two-thirds (64 percent) of respondents in the Ponemon Institute’s denial of service study say reputation damage is the main consequence of a DoS attack, with 35 percent for diminished IT staff productivity and 33 percent for revenue losses. “We try to come up with metrics on how to measure reputation loss, which is pretty significant,” says Larry Ponemon, chairman of the Ponemon Institute, the cybersecurity think tank based in Traverse City, Mich. “When people hear the bad news, what do they do? The churn can be significant from a revenue point of view. People leave, they find alternatives.” Citing research from the institute’s recent Cost of Data Breach study, Ponemon says the most expensive attack type on a unit cost per attack is DDoS, when compared to other security incidents such as phishing, because it takes a lot of effort to stop it. Meanwhile, he adds, “there’s an extraction of data while people are worrying about the website being down.” Source: http://www.scmagazine.com/waiting-for-ddos/article/523247/

Visit site:
Waiting for DDoS

Researcher believes major DDoS attacks part of military recon to shut down internet

Security researcher Bruce Schneier spotted a series of DDoS attacks which may be part of a larger effort to learn how to take down the internet on a national or even global scale. The attacks targeted major companies that provide the basic infrastructure for the internet and the incidents seem to appear to have probed the companies’ defenses to determine how well they can protect themselves, according to a Sept. 13 blog post. Schneier said he is unable to give details concerning which companies were targeted because he spoke with the companies under anonymity, but said the attack rate has increased in the last two years and that his findings are supported by a Verisign DDoS trends report. Schneier told SCMagazine.com he believes the attacks are part a foreign cyber organization doing military recon activities. The attacks are believed to be from China, but that being said Schneier said he is hesitant to point the blame at anyone. So far the targeted companies have been able to defend themselves, but when it comes to actually being able to take down the internet, Schneier said, “it does seem you can do it for small amounts of time but not permanently.” Some other experts agree. Several countries have a history of using DDoS attacks to target the U.S. and other nations so it’s safe to say that if taking down the internet will improve one’s position as a world power, someone will try to do it, Plixer CEO Michael Patterson told SCMagazine.com via emailed comments. “Consider the past attacks on our utilities and our 911 system and you can begin to appreciate the possibility of a combination of attacks that would certainly be possible with DDoS technologies,” Patterson said. “Our government needs to develop and implement a full scale back-up in the event that any one of these world players are successful in taking down the Internet.” Patterson said so much of the U.S. economy depends on the internet that its critical to have an alternative communication and digital plan in place in case something happens. However, some industry pros expressed doubt that an attacker would be able to carry out such a large scale attack. While the size, duration, and sophistication of DDoS attacks continue to grow, a complete shutdown is unlikely, Tim Matthews, Imperva Incapsula VP of marketing,  told SCMagazine.com via emailed comments. “Attacks might present temporary regional slowdowns – and annoy customers – but certainly not cause a global Internet blackout, as Mr. Schneier suggests,” Matthews said. “And with proper DDoS protections in place, most attacks like these would be stopped in their tracks.” Source: http://www.scmagazine.com/infrastructure-ddos-attacks-could-be-part-of-larger-plan-to-shut-down-internet-on-massive-scale/article/522962/

Link:
Researcher believes major DDoS attacks part of military recon to shut down internet

911 Is Vulnerable To DDoS Attacks

A new report has found that America’s emergency helpline number, 911, is vulnerable to Distributed Denial of Service (DDoS) attacks. Interestingly, the threat of attack has previously been issued by Department of Homeland Security as well as the FBI. Mark James, Security Specialist at ESET commented below. “These days DDoS attacks are easy to accomplish and can be relatively low cost to put in place. As technology gets cheaper, and the ability for botnets to infect more users thus making themselves stronger, seems easier and easier. The art of causing problems through brute force is now more readily available than ever before. In this modern day of internet everywhere, we take for granted the ability to access websites as and when we want them. When a website gets a DDoS attack those services become unavailable, now it’s not such a big problem when it’s a news delivery site but when it’s a service it’s a very different kettle of fish, and even more of a problem if it disrupts emergency or medical services. If you’re unable to access services in an emergency the worst case scenario could be life threatening. An effective defence to DDoS can be as easy as utilising third party services but there may be consequences for data security or disruption to the smooth user experience. Effective security is only achieved through multi-layered protection.” Source: http://www.informationsecuritybuzz.com/hacker-news/911-vulnerable-ddos-attacks/

Link:
911 Is Vulnerable To DDoS Attacks

6 steps for defending against DDoS attacks

If your business hasn’t already faced a distributed denial-of-service (DDoS) attack, brace yourself: fake traffic is coming. Your DevOps team and IT service desk need an action plan to handle these threats. This article will take you step-by-step through the process of identifying, stopping, and responding to DDoS attacks. The Task at Hand Before we discuss how to stop DDoS attacks, we need to examine their nature. No matter who launches a DDoS assault, the functional objective is the same: to take down a web service so that it denies access to legitimate end users. Hackers launch DDoS attacks for sport. Competitors do it to hurt your business. Hacktivists use them to further a cause. Extortionists even use DDoS attacks to hold web services for ransom. Whether attackers bombard your network with traffic, target a protocol, or overload application resources, the mechanics of DDoS attacks change little. Year after year though, DDoS attacks increased in size, complexity, and frequency according to research published by Arbor Networks in July 2016. The security firm recorded an average of 124,000 DDoS events  per week  over the prior 18 months. At 579 Gbps, the largest known attack of 2016 was 73 percent larger than the 2015 record holder. Mind you, 1 Gbps is enough to take down most networks. In theory, the task at hand is simple: create a system that can absorb DDoS attacks. In practice, DDoS defense is difficult because you have to distinguish between legitimate and illegitimate sources of traffic — and cybersecurity budgets don’t grow on trees. With these considerations in mind: Set Traffic Thresholds  You probably track how many users visit your site per day, per hour, and per minute. Thus, you understand your average traffic levels and, hopefully, you’ve recorded how special events (sales, big news releases, etc.) affect visits. Based on these numbers, set thresholds that automatically flag abnormal traffic for your security team. If you expect 1,000 visitors per 10 minutes, an influx of 5,000 visitors over one minute should trigger your alert. Blacklist and Whitelist Control who can access your network and APIs with whitelists and blacklists. However, do  not automatically blacklist IP addresses that trigger alerts. You will see false positives, and overreacting is a sure way to infuriate good customers. Temporarily block traffic and see how it responds. Legitimate users usually try again after a few minutes. Illegitimate traffic tends to switch IP addresses. CDNs The best defense against DDoS attacks is a content delivery network (CDN) like Prolexic (acquired by Akamai), Incapsula, Arbor Networks, or CloudFlare. They can identify illegitimate traffic and divert it to their cloud infrastructure. The problem is that CDNs are not cheap. A typical plan costs five figures per month. Or, if you pay per incident, you might get a six-figure bill for one attack. If you run a bank, a massive ecommerce company, or a social platform that makes thousands of dollars per second, that’s a small price to pay. Most companies either can’t afford a CDN or don’t have a platform that warrants such high security. If, for instance, your company has an informational website where no one makes transactions or uses services, you don’t need a CDN. You’re not a prime target. An application or network firewall might be enough to prevent abnormal traffic. If a DDoS attack takes you down, it won’t harm customers or your reputation. The cheapest way to defend against DDoS attacks is to deploy more servers when you detect suspicious activity. That is the  least  reliable method but still better than nothing. Remember, there is no end to the amount of money you can throw at security. Depending on your budget and risk tolerance, choose the right option for your service desk. Automate Communication with Customers When a DDoS attack succeeds, you don’t want your service desk buried in emails, phone calls, social media posts, and instant messages. Create a status page that automatically displays whether your service is up or down. Also, create DDoS communications templates that you can auto-send to end users who contact you. These templates should cover any interruption to service, not just DDoS attacks. Keep it vague with something like: “Thank you for contacting [your company name]. Our platform is currently down. We are working as quickly as possible to restore service. We will post updates on our status page [hyperlinked] as soon as we have more information”. Incident Report and Root Cause Analysis After you suffer an attack, you need to reestablish credibility. Draft an incident report explaining what happened, why, and how you responded. Then, discuss how you will prevent future attacks. If you contracted a CDN, for instance, discuss how it works and how it will deter future attacks. Open the report with simple,  non -technical language. You can add a technical section for CIOs, CTOs, and others who would appreciate the details. Practice for Attacks Simulate DDoS attacks to gauge how your action plan works. You could give DevOps and the service desk warning or take them by surprise to make the simulation realistic. Companies often run simulations in a planned maintenance window to spare end users further inconvenience. If you have a CDN, you can warn the provider, or not. Obviously if you pay per incident, coordinate tests with the CDN provider. Expect the Worst DDoS attacks are inevitable. Although they range from acts of digital vandalism to full-blown cyberterrorism, all DDoS attacks follow the same principles. Your action plan should address all types of DDoS attacks, no matter who perpetrates them. Whatever you do though, do not sacrifice your end users to cybersecurity paranoia. Better to suffer an attack than throttle the business you sought to defend. Source: http://betanews.com/2016/09/15/6-steps-for-defending-against-ddos-attacks/

Visit site:
6 steps for defending against DDoS attacks

DDoS and web application attacks keep escalating

Akamai Technologies released its Second Quarter, 2016 State of the Internet / Security Report, which highlights the cloud security landscape, specifically trends with DDoS and web application attacks, as well as malicious traffic from bots. During May 2016, the number of attacks spiked, fueled by campaigns targeting the gaming industry “While attack sizes are decreasing, we continue to see an uptick in the number of attacks as launch tools grow increasingly pervasive and easy to … More ?

Visit link:
DDoS and web application attacks keep escalating

Attackers Launch DDoS Attacks And the Kitchen Sink

First off, full disclosure, I work for Akamai as my day job. I don’t want any illusion on the point as I discuss the latest State of the Internet report that I was fortunate enough to be a part of creating. That being said, it was an interesting quarter. Last quarter shed some light on some interesting developments with regards to Distributed Denial of Service (DDOS) as attackers tried their hand at various different approaches. We hear. time and again, about DDoSdistributed denial of service attacks and theis last most recent quarter gave rise to one of significant volume. This example was a rather significant attack that was a confirmed 363 Gbps of attack traffic against a media organization customer in Europe. Nothing to sneeze at to be certain. Is your organization in a position to sustain operations while weathering an attack of this magnitude? As we have seen more frequently of late, this was a multi vector attack. Tto put a fine point on it, this attack made use of multiple different vectors in the attacker’s futile attempt to take down their intended target. They made their attempt using the following vectors: SYN, UDP fragments, push, tcp, DNS and UDP floods. The only thing they forgot to throw in was the kitchen sink. Over the last few quarters Akamai has noticed an uptick in the number of attacks against sites that have DNSSEC configured domains. DNS open resolvers continue to rise and attackers are taking advantage of this by capitalizing on them to amplify their attack traffic. A great deal of this can be traced back to botnets that have been built out as the commoditization of DDoS continues to spread. Now, in addition to this type of attack, we also see that the criminal element has been leveraging tactics to obfuscate their origin and identity when launching web attacks to obfuscate their origin and identity. These attackers have been demonstrating an increased use of anonymization services to help to cover their digital footprints in the binary sand. Like with any criminal with a lick of ny sense about them, the last thing attackers they want is to get pinched by law enforcement. Subsequently we have seen an increased amount of use of attackers leveraging virtual private networks (VPNs) and proxies when launching web application attacks. When looking for resources on how to accomplish this online, we see all manner of webpage giving step by step instructions onthat steps through what an attacker would need to do. From blocking client side JavaScript to using a browser in Incognito mode and even leveraging Tor to launch attacks. All of these ideas have various levels of merit but, there are shortfalls wherein the attacker can be discovered. There are differences between the traditional VPN services and anonymizing ones. Traffic from between the client and the VPN service is encrypted and the IP address of the client is masqueraded. Pretty standard, but, when you look at an anonymization service they will promise any number of things, the most basic being like not storing any logging information on their customers. This is not always the case as one Lulzsec member discovered in September 2011 when his VPN provider was served with a court order to turn over logs, which they claimed they didn’t keep. Another thing that attackers have to contend with is the throttling of bandwidth over anonymization services. As a result, they leverage third party booted and stressor platforms to launch their attacks. These services would be paid for with Bitcoin in an effort to further obfuscate their identity and avoid detection. Be sure to check out the latest copy of the State of the Internet Report which is out today September 14, 2016. for more in-depth discussion on denial of service attacks and anonymization efforts of the attackers. Source: http://www.csoonline.com/article/3119675/security/attackers-launch-ddos-attacks-and-the-kitchen-sink.html

See original article:
Attackers Launch DDoS Attacks And the Kitchen Sink

Business still ill-prepared to handle modern DDoS attacks

In September 1996, New York City’s original ISP, Panix, was hit by a SYN flood denial of service attack that took them offline for several days. At a time when only 20 million Americans were online, this was one of the first high profile examples of the growing importance of network and service availability. It also demonstrated how fragile internet infrastructure was at the time. According to an advisory from Carnegie Melon’s CERT, “There is, … More ?

Originally posted here:
Business still ill-prepared to handle modern DDoS attacks

DDoS downtime calculator based on real-world information

Are you wondering how you can assess the risks associated with a DDoS attack? Incapsula’s free DDoS Downtime Calculator offers case-specific information adjusted to the realities of your organization. The algorithm inside the DDoS Downtime Calculator is based on real-world information from a DDoS impact survey for which participants provided detailed information about the actual impact of DDoS attacks. Subsequent data analysis uncovered factors that cause impact cost variances. The DDoS Downtime Calculator provides personalized … More ?

Visit site:
DDoS downtime calculator based on real-world information

US 911 emergency system can be crippled by a mobile botnet

What would it take for attackers to significantly disrupt the 911 emergency system across the US? According to researchers from Ben-Gurion Univerisity of the Negev’s Cyber-Security Research Center, as little as 200,000 compromised mobile phones located throughout the country. The phones, made to repeatedly place calls to the 911 service, would effect a denial-of-service attack that would made one third (33%) of legitimate callers give up on reaching it. And if the number of those … More ?

Read this article:
US 911 emergency system can be crippled by a mobile botnet

Infected Android phones could flood America’s 911 with DDoS attacks

One killer trojanised app or $100k of hardware is enough. A research trio has shown how thousands of malware-infected phones could launch automated distributed denial of service attacks to cripple the US emergency phone system “for days”.…

Visit site:
Infected Android phones could flood America’s 911 with DDoS attacks