The rise of IoT-based DDoS attacks: Is there a solution?

The rise of IoT DDoS attacks makes it imperative to rethink DDoS defences to thwart these sophisticated and often devastating threats.

Sanjai Gangadharan is Regional Director, SAARC, at A10 Networks, a U.S. company based in San Jose, California, that provides a range of high-performance application security and networking solutions intended to keep business-critical applications protected, reliable and always available. The company is known for its highly scalable application delivery controllers (software and hardware) and has expanded into intelligent automation, machine learning and security solutions.

There’s a flood of connected devices making their way into our homes and businesses. From mobile, wearables and car technology to advancements in smart homes, TVs and cameras, the tech world is awash with internet-connected devices. By 2020, it is estimated that there will be more than 30 billion connected devices in the world – more than four times the earth’s population.

Tech-hungry consumers keep their eyes peeled for major device announcements. Also watching are distributed denial of service (DDoS) attackers who have made the Internet of Things (IoT) their weapon of choice. These nefarious actors exploit millions of vulnerable IoT devices to create sophisticated malware-based DDoS botnets which they then use to initiate devastating attacks. IoT vulnerabilities give these hackers the ability to scale their attacks across tens of millions of devices and unique IP addresses.

Every new device announcement adds to the already well-stocked arsenal of connected gadgets that attackers can weaponise and leverage to launch DDoS attacks.

If we’ve learned anything from the Mirai botnet’s path of destruction in late 2016, during which attackers hijacked more than 500,000 webcams to launch a DDoS attack topping 1 Tbps, and from last year’s WireX and Reaper threats, it’s that bad actors will latch onto unsecured devices and use them to do their bidding.

“Millions of unsecure, internet-enabled devices provide new threat vectors. Given the rapid proliferation of Internet of Things devices in advance of IoT-oriented security standards and configuration practices, expect these devices to be increasingly used as weapons for DDoS and other attacks,” said Adam Isles, principal at The Chertoff Group, a global advisory firm that provides security risk management, business strategy and merchant banking advisory services.

According to a recent AT&T Cybersecurity Insights report, nearly a third (32%) of surveyed organisations said IoT-based DDoS attacks are their biggest future cybersecurity concern. AT&T found that more than a third (35%) of all its survey respondents say that IoT devices were the primary source of a data breach experienced over the prior year. And the outlook for future IoT attacks remains bleak, with 68% of survey respondents saying they expect IoT threats to increase in the coming year.

That said, AT&T found that 90% of organisations have conducted enterprise-wide cyber risk assessments in the past year, but only half (50%) have conducted risk assessments specific to IoT threats.

Meanwhile, according to our A10 Application Intelligence Report (AIR), distributed denial of service (DDoS) attacks took the top spot among cyberthreats against businesses, with more than one third (38%) of IT decision makers saying their company has suffered an attack at least once over the past 12 months, with another 9% noting they’re not aware whether they’ve been attacked or not.

Frighteningly, that means that nearly half of IT professionals say their company has either been a victim of a DDoS attack or they don’t know if they’ve been a victim.

This rash of IoT-based DDoS attacks when paired with lack of awareness and the growing roster of IoT devices hitting the market creates a potentially catastrophic opportunity cocktail for savvy cyber-attackers.

The consensus: IoT-based DDoS attacks will grow in both bot size and traffic volumes mostly due to their use of vulnerable, poorly-secured IoT devices. Contributing to those millions of vulnerable IoT devices will be this year’s crop of marquee CES announcements and the myriad gadgets found under the Christmas tree.

The rise of IoT DDoS attacks makes it imperative to rethink DDoS defences to thwart these sophisticated and often devastating threats. Here are key things to look for in an effective DDoS defense solution to ensure that IoT DDoS attacks can’t take you down:

⦁ DDoS defense solutions should be capable of detecting, mitigating and reporting on multi-vector DDoS attacks at the network edge and in centralised scrubbing centers to scale and defend against colossal IoT-fueled attacks

⦁ DDoS defense solutions must differentiate botnet traffic from legitimate traffic and users, so services stay available when battling an attack

⦁ DDoS defense solutions should include intelligence on known botnets and agents to defend networks against known threats

⦁ DDoS defense solutions must scale yet maintain cost-efficiency



Q4 2017 Global DDoS Threat Landscape Report

Today we are releasing our latest Global DDoS Threat Landscape Report, a statistical analysis of 5,055 network and application layer DDoS attacks mitigated by Imperva Incapsula services during Q4 2017.

In Q4, the number of application layer attacks nearly doubled, just as the number of network layer assaults declined. In both cases, however, we saw attacks grow more persistent.

Target-wise, the cryptocurrency industry continued to draw the attention of DDoS offenders, ranking as the fifth most attacked industry this quarter alongside some of the more regular attack targets. Another notable development was the high number of network layer assaults against businesses in the APAC region. In the last quarter of the year, the region served as home to seven out of the top-ten attacked countries. Combined, they drew 68.9 percent of all network layer DDoS attacks.

Figure 1: Top attacked countries, by number of network layer attacks

Report Highlights

Amidst Price Spike, Attacks on Cryptocurrency Industry Continue

Bitcoin was once again the eighth most targeted industry in Q4, after making its first appearance on the top-10 list in the prior quarter. Furthermore, it came in fifth place for the most attacks suffered, outscoring such established and commonly attacked business sectors as financials and publishing.

Figure 2: Top attacked industries, by number of network layer attacks

The increase in attacks against bitcoin-related sites is likely linked to a growth spike experienced by the industry late last year when cryptocurrency prices reached an all-time high. As prices have since subsided, it will be interesting to see if the overall number of attacks declines as well in the coming months.

Even after the recent price drop, there currently remains 190 active cryptocurrency exchanges, up from 70 in Q3. Of these, 24 exchanges have a daily turnover of more than 10 million USD. With an ever-increasing number of targets, despite the volatility in the price of bitcoin, we expect to see assaults directed at the cryptocurrency industry continue for the foreseeable future.

Application Layer Attacks Double, Assaults Become More Persistent

This quarter, we saw a spike in the number of application assaults, which increased 43 percent over their Q3 levels. Network layer attacks, on the other hand, fell by more than 50 percent since last quarter.

Figure 3: Number of weekly DDoS attacks QoQ

Interestingly, even as the number of application layer assaults went up and network layer attacks decreased, both became more persistent. Our data shows that 63.3 percent of application layer DDoS targets were subjected to repeat attacks, up from 46.7 last quarter.

Figure 4: Repeat application layer attacks QoQ

In the case of network layer attacks, the share of targets hit by repeat DDoS assaults went up to 67.4 percent, compared to 57.8 percent in Q3. However, the average number of attacks per target decreased, as most of the repeat assaults consisted of two to five bursts.

Figure 5: Repeat network layer attacks QoQ

The increase in attack persistence reflects the growing ease with which bad actors can launch multiple DDoS attacks. Today, even if a mitigation service is able to deflect an initial attack, perpetrators have every reason to try again and again, until they take down their target or grow bored and move on.

This obviously highlights the need for a hands-off mitigation solution that can be automatically activated to mitigate every repeat attack burst. In the absence of such a solution, a persistent DDoS campaign can quickly turn into a prolonged war of attrition, forcing an enterprise to spend money and man-hours to fight off a series of assaults.



How Can Blockchain Be Used to Aid Cybersecurity?

With the rapid advancement of internet-based technologies, cybersecurity is a constant cloud looming on the horizon. As the technology evolves, so too, do the cybercriminals. Their constant efforts to steal valuable data and disrupt business through DDoS attacks are increasingly sophisticated.

Holding companies hostage and monetizing data through ransomware techniques is sadly par for the course. In fact, it’s estimated that cybersecurity alone costs the global economy some $450 billion a year. With IT professionals scrambling to stay one step ahead of the hackers, how can blockchain be used to aid cybersecurity?

No Single Point of Failure

The decentralized nature of the blockchain means that there is no single point of failure, nor one central database waiting to be hacked. Information is stored over several databases, and each block is linked to the next in the chain, making no “hackable” entrance. This provides infinitely greater security than our current, centralized structures.

Removing Human Error

The weakest link in our current system is simple logins that are vulnerable to being cracked. Blockchain can remove human error in cybersecurity, as businesses can authenticate devices without the need for a password system. Each device is provided with its own SSL certificate rather than a password, which removes human intervention as a potential attack vector.

Bitcoin advocate, adjunct professor at NYU Law School and practicing attorney, Andrew Hinkes, explains, “Using a public blockchain with proof of work consensus can remove the foibles of human mistake or manipulation.”

Detecting Tampering in Real Time

The blockchain can uncover and reject suspicious behavior in the system in real time. Say, for example, that a hacker tried to interfere with the information in a block. The entire system would be alerted and examine all data blocks to locate the one that stood out from the rest. It would then be recognized as false and excluded from the system.

Improving IoT Security

With the rise in IoT devices, come inherent security risks. We’ve already seen problems occur when trying to disable compromised devices that become part of botnets. According to Kevin Curran, IEEE senior member and professor of cybersecurity at Ulster University, the blockchain can put an end to that:

“The blockchain, with its solid cryptographic foundation offering a decentralized solution can aid against data tampering, thus offering greater assurances for the legitimacy of the data.” This would mean that potentially billions of IoT devices could connect and communicate in a secure ecosystem.


All transactions on the blockchain are highly traceable, using a timestamp and digital signature. Companies can easily go back to the root of each and every transaction to a given date and locate the corresponding party. Since all transactions are cryptographically associated to a user, the perpetrator can be easily found.

Says Hinkes, “Blockchains create an audit trail of all activity by its participants, which simplifies access control and monitoring.” This offers companies a level of security and transparency on every iteration.
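The two mechanisms the article describes, a chain of blocks that rejects a block once its contents no longer match, and an audit trail in which every entry carries a timestamp and a signature that ties it to a participant, can be shown with a small hash chain. The code below is an added example, not the article's or any named vendor's code; the keys, device names and entries are constructed, and HMAC-SHA256 stands in for the asymmetric digital signatures a real blockchain would use so that the example runs with the standard library alone.

```python
import copy
import hashlib
import hmac
import json

# Constructed signing keys (hypothetical). HMAC-SHA256 stands in for the
# asymmetric digital signatures a real blockchain would use.
KEYS = {
    "sensor-01": b"constructed-key-for-sensor-01",
    "gateway-07": b"constructed-key-for-gateway-07",
}
GENESIS_PREV = "0" * 64


def block_hash(index, timestamp, signer, payload, prev_hash):
    """Hash of the block's contents plus the previous block's hash (the link)."""
    record = json.dumps([index, timestamp, signer, payload, prev_hash],
                        sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(record.encode()).hexdigest()


def sign(signer, block_hash_hex, keys):
    return hmac.new(keys[signer], block_hash_hex.encode(), hashlib.sha256).hexdigest()


def build_chain(entries, keys):
    """entries: list of (timestamp, signer, payload) in append order."""
    chain, prev = [], GENESIS_PREV
    for i, (ts, signer, payload) in enumerate(entries):
        h = block_hash(i, ts, signer, payload, prev)
        chain.append({"index": i, "timestamp": ts, "signer": signer,
                      "payload": payload, "prev_hash": prev,
                      "hash": h, "signature": sign(signer, h, keys)})
        prev = h
    return chain


def verify_chain(chain, keys):
    """Return (ok, first_bad_index, reason). Per block it checks the link to the
    previous block, the content hash, and the signer's signature over that hash."""
    prev = GENESIS_PREV
    for i, b in enumerate(chain):
        if b["index"] != i or b["prev_hash"] != prev:
            return (False, i, "link")
        if block_hash(i, b["timestamp"], b["signer"], b["payload"], b["prev_hash"]) != b["hash"]:
            return (False, i, "hash")
        key = keys.get(b["signer"])
        if key is None or not hmac.compare_digest(sign(b["signer"], b["hash"], keys), b["signature"]):
            return (False, i, "signature")
        prev = b["hash"]
    return (True, None, "ok")


# Constructed audit-trail entries with fixed timestamps so the run is deterministic.
ENTRIES = [
    ("2018-03-01T09:00:00Z", "sensor-01", {"temp_c": 21.5}),
    ("2018-03-01T09:05:00Z", "gateway-07", {"firmware": "1.4.2", "action": "update"}),
    ("2018-03-01T09:10:00Z", "sensor-01", {"temp_c": 22.0}),
]


def demo_chain():
    return build_chain(ENTRIES, KEYS)


def tamper_payload(chain, i):
    """Stored data is edited in place; hash and signature are left untouched."""
    c = copy.deepcopy(chain)
    c[i]["payload"] = {"firmware": "0.9-modified", "action": "update"}
    return c


def tamper_rehash(chain, i):
    """Data edited and hash recomputed, but no key to re-sign."""
    c = tamper_payload(chain, i)
    b = c[i]
    b["hash"] = block_hash(i, b["timestamp"], b["signer"], b["payload"], b["prev_hash"])
    return c


def tamper_resign(chain, i, keys):
    """Insider holding the signer's key edits, rehashes and re-signs block i;
    the next block's prev_hash still exposes the change."""
    c = tamper_rehash(chain, i)
    c[i]["signature"] = sign(c[i]["signer"], c[i]["hash"], keys)
    return c


if __name__ == "__main__":
    chain = demo_chain()
    print(verify_chain(chain, KEYS))                          # (True, None, 'ok')
    print(verify_chain(tamper_payload(chain, 1), KEYS))       # (False, 1, 'hash')
    print(verify_chain(tamper_rehash(chain, 1), KEYS))        # (False, 1, 'signature')
    print(verify_chain(tamper_resign(chain, 1, KEYS), KEYS))  # (False, 2, 'link')
```

The three tamper cases show why the chain, not the hash alone, is what matters: an edit without a rehash fails the content hash, a rehash without the key fails the signature, and even a properly re-signed block is exposed by the `prev_hash` stored in the block after it. Locating "the corresponding party" for an entry is then just reading the `signer` and `timestamp` fields of the block that verified.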

The Takeaway

Currently, the impending threat of DDoS attacks comes from our existing Domain Name System. Blockchain technology would disrupt this completely by decentralizing the DNS and distributing the content to a greater number of nodes. This would make it virtually impossible for cybercriminals to hack and create a secure environment to host the world’s data.



Misconfigured security measure leads DDoS amplification attacks to soar at end of 2017

DDoS attacks using Domain Name System (DNS) amplification increased more than 357 percent in the fourth quarter of 2017 compared to the previous year.

A new report by protection specialist Nexusguard attributes the rise to the use of Domain Name System Security Extensions (DNSSEC), a technology that’s intended to add integrity and security to the DNS protocol.

If not correctly configured, however, DNSSEC-enabled servers can be deliberately targeted to reflect amplification attacks, due to the large size of the responses they generate.

While the overall number of DDoS attacks has fallen 12 percent compared to the same period last year, a new class of powerful botnets is set to exploit wider DNSSEC adoption. Nexusguard warns teams to evaluate their DNSSEC responses and the associated configuration flaw to strengthen systems against future attacks.

“Enterprises have worked hard to patch against snooping, hijacking and other DNS abuses; however, improperly configured DNSSEC-enabled name servers may be a new plague for unprepared teams,” says Juniman Kasman, chief technology officer for Nexusguard. “Admins and IT teams need to check security for the entire network, as well as correctly configure DNSSEC on the domain to properly harden servers against these new attacks.”

The report also finds that hackers continue to favor multi-vector attacks, blending combinations of Network Time Protocol (NTP), User Datagram Protocol (UDP), DNS and other popular attack vectors. This tactic has been seen in more than half of all botnets over the past year.

China and the US continue as the top two sources of DDoS attacks in Q4, contributing 21.8 percent and 14.3 percent of the botnets, respectively. South Korea climbed to third place, contributing nearly six percent of the global attacks, up from sixth place last quarter.



Vengeance by DDoS: No one is immune

The DDoS attack is showing up as one of the tools used to extract vengeance against companies, organizations, and individuals. Companies need a defense plan.

In what may catch many by surprise, distributed denial of service (DDoS) attacks are being used against companies, organizations, and individuals as an act of vengeance or revenge. No one is immune; documented victims have included non-profit organizations, community colleges, courts and law enforcement entities, and even noted security journalist Brian Krebs.

The common thread is that the individual behind the attack wishes to inflict damage, swiftly and completely, on the entity being attacked. No prior experience is necessary; you can rent the DDoS service, by subscription no less, with a few clicks and an anonymous bitcoin payment.

DDoS for hire

According to the Department of Justice (DOJ), John Kelsey Gammell in January 2018 pleaded guilty to “conspiracy to commit intentional damage to a protected computer.” The DOJ continues, “Gammel directed DDoS attacks at a number of victims’ websites, including websites operated by companies he used to work for, companies that declined to hire him, competitors to his business and websites for law enforcement agencies and courts.”

Gammel, it would appear, wasn’t totally ignorant of the need to obfuscate his identity when hiring the DDoS services (vDOS, CStress, Inboot, and IPStresser), as he used IP anonymization services, cleaned his drives, and used encryption to conceal the records of his activities.

DDoS attack against a small business

Then we review the actions of David Chelsey Goodyear, whom the DOJ tells us was convicted in February 2018 by a jury of “directing distributed denial of service cyber-attacks against two websites owned by Oklahoma telescope retailer, Astronomics.” Astronomics operates a free astronomy forum, “Cloudy Nights,” which has 65,000-plus participants. Goodyear was booted from the forum for violating the terms of service and would repeatedly return under a new user ID or alias, only to get booted again for violating the terms of service. With each instance, Goodyear’s frustration increased, and he threatened a DDoS attack against Cloudy Nights and Astronomics.

What makes Goodyear’s act of vengeance so interesting is that it didn’t cost him a penny. Goodyear joined HackForum, and within hours of joining the forum posted a request for the forum’s users to “take down” the Astronomics website. For the next two weeks, the family-owned Astronomics was subjected to DDoS attacks. There was no shortage of individuals ready to do the dirty work on request. Astronomics pegged their losses at a minimum of $5,000, with sustained damage for over a year.

DDoS attack against a security writer

Then there was the DDoS attack against noted security journalist Brian Krebs, which occurred in September 2016. The attack, large for the time, was estimated by Krebs to be 620 Gbps in size. This attack leveraged Internet of Things devices, routers, IP cameras and digital video recorders.

In Krebs’ instance, he was attacked by two individuals associated with vDOS, a DDoS service for hire. Yes, the creators of the service used by Gammel to attack his victims. Krebs had written about the takedown of the vDOS service and the identity of two 18-year-old Israelis, Yarden “applej4ck” Bidani and Itay “p1st” Huri, as the admins. Shortly after Krebs’ article, and his site going dark as a result of the attack, the teens were arrested in Israel.

Industry steps up

For news organizations, journalists, election monitoring sites, human rights organizations, etc., Google offers a free service: Project Shield. It matters not how large your site is, if your application for Project Shield protection is approved, you will receive free protection.

For businesses, many IP hosting companies have partnered with a variety of DDoS defense companies, some bundling the service into their hosting agreements. Noted names include Cloudflare, Akamai, AWS Shield, and Microsoft Azure.

Bottom line: If you rely on your website for commerce, be it as a store front or service provider, you must factor the DDoS threat into your cybersecurity matrix and put in place protection, mitigation and defense measures.

The threat is not going to dissipate, and, indeed, as witnessed in the recent February 28 attack against GitHub, a DDoS attack 1.3 Tbps in size, DDoS attacks are only going to increase in both frequency and velocity. In GitHub’s instance, they were prepared, and their service interruption was measured in minutes and not days.

Are you prepared for a DDoS against your site?



Cryptocurrency: just for tax avoidance & paying cyber-hold-ups anonymously?

At a cursory glance, the cryptocurrency landscape looks an awful lot like the old Wild West – lawless, volatile, open; no viable law enforcement in sight. But is there also a more positive side to blockchain technology?

We’ve all seen the headlines. Bitcoin’s rise and fall, high profile hacking attacks, and ICO fly-by-night scam teams riding off into the sunset with investor money. At a cursory glance, the cryptocurrency landscape looks an awful lot like the old Wild West – lawless, volatile, open; no viable law enforcement in sight.

Transactions are sent anonymously by faceless villains on the darkweb for illicit dealings. The lack of central authorities has led to crypto’s ban in at least five countries, and its surging value makes it increasingly attractive to cyber-criminals. So the question remains: Are cryptocurrencies more than just a way for criminals to get paid anonymously and avoid tax?

A response to the 2008 financial crisis

To get to the root of the issue, it’s worth remembering why cryptocurrencies came about in the first place. Bitcoin, the world’s first cryptocurrency, emerged in response to the 2008 financial crisis. It was an open source project to allow for a transparent economy, in which individuals could be responsible for their own wealth.

The lack of centralisation meant that people could transact globally without the need for intervention or permission from institutions, at a time when trust in the banking system was at an all-time low.

Head of Red Team Services at CyberArk, Shay Nahari, explains to SC Media UK, “The original idea behind cryptocurrencies was to provide a way for network computers to anonymously complete transactions. And today there are credible and legitimate services online and in retail that use cryptocurrency as a form of payment”.

Cryptocurrency has also been successfully used to complete many an international transfer, bypassing hefty banking fees and avoiding lengthy delays. Yet, the anonymity of cryptocurrency makes it a magnet for delinquents of all stripes, particularly on the darkweb.

Cryptocurrency adoption by criminals

Not only are tax evaders and drug barons willfully using it to fly below the radar and move vast sums of undeclared money around, but hackers have discovered the weak links, as well.

Despite the much marketed “anonymity” of Bitcoin, all transactions are visible, and this provides law enforcement authorities with enough data to uncover hackers’ identities. It’s also brought about a rise in the usage of altcoins (Bitcoin alternatives).

Currencies like Monero, that have been designed to be secure and untraceable, are gaining favour in the underground world for protecting the user identity and keeping follow-up transactions anonymous.

Nahari remarks, “Together with the fact that Monero was designed to still be effectively mined with CPU and not just special hardware, and the fact that due to its anonymity, accounts cannot be blacklisted (even if they are identified as malicious) means that bots of infected machines can generate large amounts of money for the attackers while still being almost resilient against law enforcement. As a result, Monero use on the darkweb has risen and its price has risen along with it”.

While all this sounds like a veritable hotbed of malevolent activity, it’s pertinent to remember that digital currencies are not the only vehicle for carrying out nefarious deeds. It’s well known that the US dollar is the criminal’s bill of choice when it comes to money laundering and drug trafficking.

And while it’s true that both currencies can be used for legitimate and illegitimate purposes, cryptocurrency is inherently more trackable than fiat currency. In many countries, the US included, national regulations already require cryptocurrency purchasers to undergo Know Your Customer/Anti-Money Laundering (KYC/AML) protocol before being able to invest.

Moreover, despite the fact that the public at large rarely comes across US$ 100 bills, they make up a massive 80 percent of all US currency.

Large notes in outside currencies have caused a problem for a while now, for their propensity to facilitate criminal activity. In 2010, UK exchange offices ceased sales of €500 notes, after police officials found that some 90 percent of them were used by organised crime.

Jennifer McEntire, manager of financial crime compliance strategy at LexisNexis Risk Solutions, comments, “When you look at money laundering overall, that actually occurs and is easier with traditional currencies. Bulk movement of cash and hand to hand cash transfers are far more common and easier to execute by most people, while remaining truly anonymous. If you’re using a cryptocurrency in an exchange platform, it’s likely that you’re leaving a digital trail in emails, text messages, and device usage. You’re not as anonymous as you think you are”.

Not all cryptocurrencies were created equal

When Bitcoin’s value soared to just shy of US$ 20,000 (approx. £14,000) in December of last year and promptly plummeted back down to under US$ 7,000 (£5,000) in a few short weeks, it became pretty clear that such rampant volatility rendered its usage as a currency challenging, to say the least.

Says McEntire, “Many people in the United States are seeing it as an investment vehicle, they’re seeing the games that are happening. So I think that it can be dangerous in some ways, but not necessarily more dangerous than our traditional markets. Our traditional markets are also volatile. Cryptocurrency isn’t going to go away but the volatility… I would liken and compare to our traditional markets.”

Actually, the volatility of cryptocurrency isn’t unique. Even gold, which is historically viewed as a stable asset, has experienced similar surges and crashes over the decades.

Jeremy Epstein, leading speaker on blockchain innovation and CEO of blockchain marketing agency Never Stop Marketing, comments, “The volatility comes from the fact that we are seeing the birth of an entirely new asset class. It’s the first digitally-native currency, built specifically for digital. That’s not the case with our existing fiat systems. As such, it’s tough for all of us to understand how it works and how to value it”.

And while cryptos are often labelled as being “volatile”, not all cryptocurrencies were created equal. There are plenty of stable-value cryptocurrencies on the market whose value is pegged to another asset, such as the dollar. Naturally, corporate treasurers are risk averse and, as adoption becomes more widespread, payments will likely be made using these types of cryptocurrencies, rather than the wildly fluctuating Bitcoin or Ethereum.

Cryptocurrency, blockchain and cyber-security

Just as cryptocurrency has different uses, so too does the blockchain, one of which will undoubtedly change the face of cyber-security in the not-so-distant future. Cyber-crime remains a constant threat and thorn in the side of many an IT department, costing the global economy some £324 billion a year.

“Equifax is exhibits A-Z on this. Our current IT systems are not built to hold the amount of data that they currently have, particularly personal data. We’re vulnerable because of centralisation. Decentralising and securing the data stores provides greater security”, Epstein remarks.

Because blockchains create an audit trail of all activity by their participants, the process of access control and monitoring is greatly simplified, and can remove human manipulation and error. Thanks to cryptography, blockchain offers practically impenetrable security – the sheer number of possible key combinations in the encryption would take a typical modern PC trillions of years to go through.

Paul Brody, global innovation blockchain leader at EY asserts, “Blockchains are possibly the most secure information technology ever invented. It is, for all practical purposes, impossible to counterfeit Bitcoin or alter transaction histories in these systems. Blockchains hold the promise of creating vastly more secure online transactions and secure, unbreakable digital contracts between users”.

If blockchain is so secure though, that poses a rather awkward question. Why are we always hearing about hacking, theft, and criminal activity?

Brody has an answer to that. “Cryptocurrency blockchains are public”, he points out, “which allows for increased and earlier visibility when thefts occur. And while blockchains are themselves very secure, they operate in an ecosystem that still has many weaknesses, including human error. While you can’t counterfeit bitcoins, you can steal them, and once they are stolen they may very well be gone for good. Various parts of the cryptocurrency ecosystem still require development in order to provide a higher level of security for users”.

Indeed. In fact, EY’s own ICO research found that as much as 10 percent of the total funding through ICOs may have been subject to theft or fraud, to the tune of £290 million.

Cyber-security strategist at Juniper Networks, Nick Bilogorskiy, emphasises, “It is important to make a distinction between the technologies of cryptocurrency and blockchain. While the former has been used mostly for nefarious purposes, the latter has plenty of genuine use cases, for example, decentralised storage, and preventing fraud and data theft. Blockchain technology has no single point of failure, which highly decreases the chances of a successful DDoS attack”.

In fact, blockchain is so secure that cyber-criminals are already finding ways of using it to make their own servers hacker-proof, as recently reported in SC Magazine.

Cryptocurrencies are just the tip of the iceberg

Just as AOL and email were to the internet, cryptocurrencies are the tip of the iceberg when it comes to blockchain technology. After all, they haven’t been banned by the Bank of England and other institutions, despite the growing concern about criminal use cases.

European central banks and regulators, in fact, have a tradition of encouraging innovation (not to mention sniffing out a financial opportunity) and it’s becoming clearer by the day that blockchain presents plenty of these.

Kevin Curran, IEEE senior member and professor of cyber-security at Ulster University says, “The blockchain has an important role to play in the security of the Internet of Things in the days ahead. Scaling the Internet of Things will prove difficult using traditional centralised models. There are also inherent security risks in the Internet of Things, such as disabling them should they become compromised and become parts of botnets, which has become a serious problem already… Blockchain technology could potentially allow billions of connected IoT devices to communicate in a secure yet decentralised ecosystem, which also allows consumer data to remain private”.

Moreover, according to Brody, we can soon expect to see the blockchain touching most areas of our lives. “Cryptocurrencies – and the blockchains they run on – are a technical revolution that should enable a transformational set of new business technologies. It offers secure, reliable, disintermediated collaboration between companies doing business with each other. We think everything from the digital media business to supply chains will be transformed with this technology in the coming years”.

From empowering and connecting people currently overlooked by the legal and banking systems, to resolving electoral fraud, creating transparency in the supply chain, and reducing costs; the potential of the blockchain is practically limitless.

But it isn’t all utopia yet.

While blockchains themselves are natively secure, secondary software, such as wallets and exchanges, are often notably less so. Ownership of open source projects remains an under-addressed issue that may ultimately impact version updating and liability. Smart contracts rely on oracles to report external data, and this technology is still underdeveloped and problematic.

Regulation remains the elephant in the room. Everyone agrees that regulation in some shape or form will have to take place, but no one agrees on what it will look like, the form it will take from jurisdiction to jurisdiction – or the impact it may have on curtailing blockchain innovations.

Until these teething troubles are resolved and we begin to gain a better understanding of the technology, cryptocurrencies may continue to be hijacked by bottom feeding lowlives to facilitate their lifestyles. But whatever your stance on digital money, you’ll surely agree there’s a lot more to crypto than meets the eye.



How Creative DDOS Attacks Still Slip Past Defenses

Distributed denial of service attacks, in which hackers use a targeted hose of junk traffic to overwhelm a service or take a server offline, have been a digital menace for decades. But in just the last 18 months, the public picture of DDoS defense has evolved rapidly. In fall 2016, a rash of then-unprecedented attacks caused internet outages and other service disruptions at a series of internet infrastructure and telecom companies around the world. Those attacks walloped their victims with floods of malicious data measured up to 1.2 Tbps. And they gave the impression that massive, “volumetric” DDOS attacks can be nearly impossible to defend against.

The past couple of weeks have presented a very different view of the situation, though. On March 1, Akamai defended developer platform GitHub against a 1.3 Tbps attack. And early last week, a DDOS campaign against an unidentified service in the United States topped out at a staggering 1.7 Tbps, according to the network security firm Arbor Networks. Which means that for the first time, the web sits squarely in the “terabit attack era,” as Arbor Networks put it. And yet, the internet hasn’t collapsed.

One might even get the impression from recent high-profile successes that DDoS is a solved problem. Unfortunately, network defenders and internet infrastructure experts emphasize that despite the positive outcomes, DDoS continues to pose a serious threat. And sheer volume isn’t the only danger. Ultimately, anything that causes disruption and affects service availability by diverting a digital system’s resources or overloading its capacity can be seen as a DDoS attack. Under that conceptual umbrella, attackers can generate a diverse array of lethal campaigns.

“DDoS will never be over as a threat, sadly,” says Roland Dobbins, a principal engineer at Arbor Networks. “We see thousands of DDoS attacks per day—millions per year. There are major concerns.”

Getting Clever

One example of a creative interpretation of a DDoS is the attack Netflix researchers tried out against the streaming service itself in 2016. It works by targeting Netflix’s application programming interface with carefully tailored requests. These queries are built to start a cascade within the middle and backend application layers the streaming service is built on—demanding more and more system resources as they echo through the infrastructure. That type of DDoS only requires attackers to send out a small amount of malicious data, so mounting the offensive would be cheap and efficient, but clever execution could cause internal disruptions or a total meltdown.

“What creates the nightmare situations are the smaller attacks that overwork applications, firewalls, and load balancers,” says Barrett Lyon, head of research and development at Neustar Security Solutions. “The big attacks are sensational, but it’s the well-crafted connection floods that have the most success.”

These types of attacks target specific protocols or defenses as a way of efficiently undermining broader services. Overwhelming the server that manages firewall connections, for example, can allow attackers to access a private network. Similarly, deluging a system’s load balancers—devices that manage a network’s computing resources to improve speed and efficiency—can cause backups and overloads. These types of attacks are “as common as breathing,” as Dobbins puts it, because they take advantage of small disruptions that can have a big impact on an organization’s defenses.

Similarly, an attacker looking to disrupt connectivity on the internet in general can target the exposed protocols that coordinate and manage data flow around the web, rather than trying to take on more robust components.

That’s what happened last fall to Dyn, an internet infrastructure company that offers Domain Name System services (essentially the address book routing structure of the internet). By DDoSing Dyn and destabilizing the company’s DNS servers, attackers caused outages by disrupting the mechanism browsers use to look up websites. “The most frequently attacked targets for denial of service are web servers and DNS servers,” says Dan Massey, chief scientist at the DNS security firm Secure64 who formerly worked on DDoS defense research at the Department of Homeland Security. “But there are also so many variations on and so many components of denial of service attacks. There’s no such thing as one-size-fits-all defense.”

Memcached and Beyond

The type of DDoS attack hackers have been using recently to mount enormous attacks is somewhat similar. Known as memcached DDoS, these attacks take advantage of unprotected network management servers that aren’t meant to be exposed on the internet. And they capitalize on the fact that they can send a tiny customized packet to a memcached server, and elicit a much larger response in return. So a hacker can query thousands of vulnerable memcached servers multiple times per second each, and direct the much larger responses toward a target.

This approach is easier and cheaper for attackers than generating the traffic needed for large-scale volumetric attacks using a botnet—the platforms typically used to power DDoS assaults. The memorable 2016 attacks were famously driven by the so-called “Mirai” botnet. Mirai infected 600,000 unassuming Internet of Things products, like webcams and routers, with malware that hackers could use to control the devices and coordinate them to produce massive attacks. And though attackers continued to refine and advance the malware—and still use Mirai-variant botnets in attacks to this day—it was difficult to maintain the power of the original attacks as more hackers jockeyed for control of the infected device population, and it splintered into numerous smaller botnets.

While effective, building and maintaining botnets requires resources and effort, whereas exploiting memcached servers is easy and almost free. But the tradeoff for attackers is that memcached DDOS is more straightforward to defend against if security and infrastructure firms have enough bandwidth. So far, the high-profile memcached targets have all been defended by services with adequate resources. In the wake of the 2016 attacks, foreseeing that volumetric assaults would likely continue to grow, defenders seriously expanded their available capacity.

As an added twist, DDoS attacks have also increasingly incorporated ransom requests as part of hackers’ strategies. This has especially been the case with memcached DDoS. “It’s an attack of opportunity,” says Chad Seaman, a senior engineer on the security intelligence response team at Akamai. “Why not try and extort and maybe trick someone into paying it?”

The DDoS defense and internet infrastructure industries have made significant progress on DDoS mitigation, partly through increased collaboration and information-sharing. But with so much going on, the crucial point is that DDoS defense is still an active challenge for defenders every day. “When sites continue to work it doesn’t mean it’s easy or the problem is gone,” Neustar’s Lyon says. “It’s been a long week.”

Group-IB Helps Suspend Ukrainian DDoS Attack Group

This case marks the first successful prosecution of cybercriminals in Ukraine, the organization reports.

Group-IB, an international organization dedicated to cyberattack prevention and security product development, announced the takedown of a criminal group that had been launching distributed denial-of-service (DDoS) attacks and extorting companies for over two years.

This marks the first large-scale international case of DDoS extortion in Ukraine that ended with a court sentence, Group-IB reports. The organization worked with law enforcement, cybersecurity firms, and online companies to successfully prosecute the criminals.

The attackers were found as part of an investigation into the September 2015 DDoS attack on international online dating service AnastasiaDate. They demanded $10,000 for stopping the attack, which shut down the site for four to six hours each day of the campaign.

Specialists in Group-IB’s investigation department analyzed the attack, identified the attackers, and discovered other incidents conducted by the same two people: Gayk Grishkyan and Inna Yatsenko, both from Ukraine. The duo later contacted AnastasiaDate in November 2016 to demand ransom and threaten to renew the DDoS attacks on its website.

Both attackers pleaded guilty to the crimes and were each given a five-year conditional sentence. Outside the AnastasiaDate case, Grishkyan and Yatsenko had previously targeted American leasing company Stafford Associated and the PayOnline payment service.

New world record DDoS attack hits 1.7Tbps days after landmark GitHub outage

Just a week after code repository GitHub was knocked offline by the world’s largest recorded distributed denial-of-service (DDoS) attack, the same technique has been used to direct an even bigger attack at an unnamed US service provider.

According to DDoS protection outfit Arbor Networks, that US service provider survived an attack that reached an unprecedented 1.7Tbps.

Last week Arbor, Cloudflare and Akamai reported an uptick in amplification attacks that abuse memcached servers to ramp up traffic by a factor of 50,000.

Within a day of Cloudflare reporting that attackers were abusing open memcached servers to power DDoS attacks, GitHub was taken offline for about 10 minutes by an attack that peaked at 1.35Tbps.

Memcached is a caching system to optimize websites that rely on external databases. Memcached-enabled servers shouldn’t be left exposed to the internet, although at any given time over 100,000 are, according to Rapid7.

The attacks involve spoofing a target’s IP address to the default UDP port on available memcached amplifiers, which return much larger responses to the target.
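What the victim's side of that exchange looks like, as an added example rather than code from Arbor, Cloudflare, Akamai or Rapid7: reflected traffic arrives as large UDP responses whose source port is 11211 (memcached's default port) and whose source addresses are the abused servers, many of them at once. The script below groups constructed flow records by destination and reports only destinations that both receive a large volume from port 11211 and see it from several distinct reflectors, so a single internal cache talking to one client is not flagged. The record layout, thresholds and addresses (documentation ranges) are assumptions.

```python
"""Flag memcached reflection traffic in flow records (added example; not
code from any vendor named on this page). Flow records, thresholds and
addresses are constructed; only port 11211, memcached's default, is real."""
from collections import defaultdict
from dataclasses import dataclass

MEMCACHED_PORT = 11211  # memcached's default TCP/UDP port


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    bytes: int
    packets: int


def memcached_reflection_report(flows, min_bytes=1_000_000, min_reflectors=3):
    """Group UDP flows sourced from port 11211 by destination.

    A victim of memcached reflection receives UDP responses sourced from
    port 11211 by many distinct servers. Volume alone would also match a
    busy legitimate cache, so a destination is reported only when it meets
    both the byte threshold and the distinct-reflector threshold.
    Returns {victim_ip: {"bytes", "reflectors", "avg_response_bytes"}}.
    """
    per_dst = defaultdict(lambda: {"bytes": 0, "packets": 0, "reflectors": set()})
    for f in flows:
        if f.proto == "udp" and f.src_port == MEMCACHED_PORT:
            s = per_dst[f.dst_ip]
            s["bytes"] += f.bytes
            s["packets"] += f.packets
            s["reflectors"].add(f.src_ip)
    report = {}
    for dst, s in per_dst.items():
        if s["bytes"] >= min_bytes and len(s["reflectors"]) >= min_reflectors:
            report[dst] = {
                "bytes": s["bytes"],
                "reflectors": len(s["reflectors"]),
                # A memcached request is a few dozen bytes, so a large average
                # response size from port 11211 is itself a sign of amplification.
                "avg_response_bytes": s["bytes"] // s["packets"],
            }
    return report


# Constructed sample: four reflectors sending to one victim, plus one benign
# internal cache flow that must not be reported.
SAMPLE_FLOWS = [
    Flow(f"198.51.100.{n}", MEMCACHED_PORT, "203.0.113.10", 40000 + n, "udp", 400_000, 300)
    for n in range(1, 5)
] + [
    Flow("10.0.0.5", MEMCACHED_PORT, "10.0.0.7", 51000, "udp", 50_000, 400),
]

if __name__ == "__main__":
    for victim, summary in memcached_reflection_report(SAMPLE_FLOWS).items():
        print(victim, summary)
```

On real flow exports the same grouping works over whichever fields the collector provides; the two-condition rule is what keeps an ordinary cache server's traffic out of the report.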

The attacks appear to be getting larger by the day. Before the attack on GitHub, Arbor Networks reported seeing attacks exceeding 500Gbps.

Arbor Networks’ Carlos Morales predicts memcached attacks won’t be going away any time soon because of the number of exposed memcached servers.

“While the internet community is coming together to shut down access to the many open memcached servers out there, the sheer number of servers running memcached openly will make this a lasting vulnerability that attackers will exploit,” he wrote.

Morales’ colleague, Roland Dobbins believes the memcached DDoS attacks were initially used exclusively by skilled attackers who launched attacks manually, but now they’ve been automated via rental ‘booter’ or ‘stressor’ botnets.

He notes that the potential for abusing memcached servers in application attacks was revealed by Chinese researchers in November 2017, but that as early as 2010 researchers had discovered widespread insecure memcached servers across the world.

As Ars Technica reports, some people attacking memcached servers are attaching a ransom note instructing targets to “Pay 50 XMR” or the equivalent of $18,415 to a specified wallet.

Rapid7’s internet-wide Project Sonar scanner found over 100,000 exposed memcached servers at any given time.


‘First true’ native IPv6 DDoS attack spotted in wild

First in-the-wild DDOS IPV6 attack hits servers, with portents of more to come. The DNS dictionary attack originated from around 1,900 different native IPv6 hosts, on more than 650 different networks.

The first documented native IPv6 DDoS attack has been spotted in the wild over the weekend.

The DNS dictionary attack originated from around 1,900 different native IPv6 hosts, on more than 650 different networks and targeted authoritative DNS service Neustar’s network.

The distributed attack demonstrates that hackers are deploying new methods for IPv6 attacks, as widely predicted, not simply replicating IPv4 attacks using IPv6 protocols, according to Neustar.

Barrett Lyon, head of research and development, Neustar, told SC Media UK: “We’ve been expecting this event for a while, but it has now happened. We’ve also seen a real ramping up of IPV4 attacks this year too – nearly double compared to the same period in 2017 – but IPV6 attacks present some unique issues that can’t be easily solved. One example is the sheer number of addresses available to an attacker can exhaust the memory of modern security appliances…”

The total number of possible IPv6 addresses is more than 7.9×10^28 times as many as IPv4, which uses 32-bit addresses and provides approximately 4.3 billion addresses. Because of that far larger address pool, a considerably greater attack volume is possible, and since many newer network deployments may support IPv6 while mitigation tools may not, the result is potentially a patchwork quilt of adoption, ideal for attackers to take advantage of.
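The appliance-memory problem Lyon describes comes from keeping one state entry per source address, which an attacker with a single IPv6 subnet can grow without bound. The usual countermeasure, shown here as an added example rather than Neustar's code, is to key per-source counters on the /64 prefix for IPv6 (the prefix normally delegated to one end site) while keeping per-address keys for IPv4. The query log below is constructed from documentation address ranges, and the threshold is an assumption.

```python
"""Per-/64 source tracking for DNS query rate limiting (added example, not
Neustar's code). The query log is constructed from documentation address
ranges; the threshold is an assumption."""
import ipaddress
from collections import Counter


def source_key(ip):
    """Aggregation key for a source address.

    IPv4 sources are tracked individually. IPv6 sources are folded into their
    /64, the prefix normally delegated to one end site, so a client cycling
    through the 2**64 addresses of a single subnet lands on one counter
    instead of creating a fresh state entry per query.
    """
    addr = ipaddress.ip_address(ip)
    if addr.version == 6:
        return str(ipaddress.ip_network(f"{addr}/64", strict=False))
    return str(addr)


def count_sources(queries, aggregate=True):
    """Queries are (source_ip, qname) pairs. Returns a Counter keyed either by
    source_key (aggregate=True) or by raw address (aggregate=False, the
    per-address model whose state grows with every new address seen)."""
    counts = Counter()
    for src, _qname in queries:
        counts[source_key(src) if aggregate else src] += 1
    return counts


def offenders(queries, threshold):
    """Keys whose query count exceeds the threshold, sorted for stable output."""
    return sorted(k for k, n in count_sources(queries).items() if n > threshold)


# Constructed dictionary attack: 500 + 300 distinct IPv6 addresses in two /64s,
# each sending a single query for a different made-up label, plus a chatty
# IPv4 resolver and one ordinary IPv6 client.
SAMPLE_QUERIES = (
    [(f"2001:db8:1:2::{i:x}", f"host{i}.example.") for i in range(1, 501)]
    + [(f"2001:db8:3:4::{i:x}", f"node{i}.example.") for i in range(1, 301)]
    + [("198.51.100.9", "www.example.")] * 20
    + [("2001:db8:9:9::5", "mail.example.")] * 3
)

if __name__ == "__main__":
    print("state entries, per address:", len(count_sources(SAMPLE_QUERIES, aggregate=False)))
    print("state entries, per /64:    ", len(count_sources(SAMPLE_QUERIES)))
    print("offenders over 100 queries:", offenders(SAMPLE_QUERIES, 100))
```

Per-address counting needs 802 entries for this log and would keep growing as the attacker rotates addresses; per-/64 counting needs four, and the two attacking subnets are the only keys over the threshold. The trade-off is that a large shared /64 (a campus or hosting subnet) is throttled as a unit, so a production limiter usually pairs the /64 key with a higher threshold than it would use per IPv4 address.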

Wesley George, principal engineer, SiteProtect Network Engineering, Neustar, told SC Media UK: “There is a big challenge here, but there has been a lot of progress made in the last few years. The best practice guidance is out there, and it is clear that IPV6 needs to be treated as a first class citizen now. In many cases it is about visibility – we see companies with great telemetry for IPV4, and it’s essential that security stances are able to do the same for IPV6 traffic.”

Neustar’s UltraDNS service handles 10 percent of all internet traffic; customers include Tesco, PurpleBricks and NetRefer. The number of Alexa Top 1000 websites currently reachable over IPv6 has hit 26.9 percent, according to the IPv6 launch website, and it is clear that there will be more work for security professionals in the IPV6 pipeline.

Just weeks ago Internet Engineering Task Force (IETF) contributor Fernando Gont helped write RFC 8021, a fix designed to prevent a fragmentation attack vector against IPv6 protocol routers in large-scale networks. The vector, called “atomic fragments”, has been the subject of much debate – and was the topic of a Black Hat 2012 presentation.
