Report: Romania, in top 10 countries with highest number of servers used for DDoS attacks

Romania is among the top ten countries with the highest number of command-and-control (C&C) servers used in DDoS attacks, according to the Kaspersky Lab DDoS Q1 2019 report. A total of 2.89% of these servers are located in Romania, which places the country 9th in the world.

Most botnet C&C servers are located in the US (34.10%), followed by The Netherlands with a share of 12.72% and Russia with 10.40%.

The number of DDoS attacks increased by 84% in the first quarter of 2019 compared to the last quarter of 2018, according to Kaspersky Lab. There was a remarkable increase especially in the number of attacks lasting over an hour and the average duration of this type of attack, the same report shows.

“Last year, the number of DDoS attacks dropped continuously, prompting Kaspersky Lab’s experts to assume that cybercriminals who carried out DDoS attacks to get financial gains turned their attention to other sources of income (such as cryptocurrencies). However, first-quarter statistics contradict this trend and show that the number of DDoS attacks blocked by Kaspersky DDoS Protection increased by an astonishing 84% compared to Q4 2018,” Kaspersky Lab said in a press release.

The most visible growth was registered in the category of DDoS attacks lasting more than one hour. Their number doubled and the average duration increased by 487%. These numbers “confirm Kaspersky Lab’s hypothesis that hackers are improving their techniques and are able to launch longer-lasting attacks that are harder to organize.”

To remain protected from DDoS attacks, Kaspersky Lab recommends that organizations make sure their web and IT resources can handle large volumes of traffic and that they use specialized solutions.

Source: https://www.romania-insider.com/romania-servers-ddos-attacks


DDoS attacks increase 84 percent in three months

The number of DDoS attacks during the first quarter of 2019 increased by 84 percent compared with the previous quarter according to a new report from Kaspersky Lab.

This reverses last year’s trend of declining DDoS attacks as attackers shifted their attention to other sources of income, such as crypto-mining.

As well as increasing in number, attacks are also getting longer. The number of DDoS attacks that lasted for more than an hour doubled, and their average length increased by 487 percent. These statistics confirm Kaspersky Lab experts’ hypothesis that hackers are evolving their techniques and are now able to launch longer attacks, which are more difficult to organize.

“The DDoS attack market is changing, and new DDoS services appear to have replaced ones shut down by law enforcement agencies,” says Alexey Kiselev, business development manager on the Kaspersky DDoS Protection team. “As organizations implement basic countermeasures, attackers target them with long-lasting attacks. It is difficult to say if the number of attacks will continue to grow, but their complexity is showing no signs of slowing down. We recommend that organizations prepare themselves effectively, in order to withstand sophisticated DDoS attacks.”

Kaspersky recommends that organizations ensure that their web and IT resources can handle high volumes of traffic, and that they use professional solutions that can protect the organization against DDoS attacks regardless of their complexity, strength or duration.

Source: https://betanews.com/2019/05/21/ddos-attacks-increase/


Eastern Communications of the Philippines partners with DOSarrest to deliver cloud based Internet Security solutions

VANCOUVER, British Columbia, May 14, 2019 (GLOBE NEWSWIRE) — Leading Philippine-based telecommunications carrier selects Internet Security firm DOSarrest to deliver cyber security solutions to its commercial client base. The partnership allows Eastern to provide a number of cloud-based security solutions including DDoS Protection, Web Application Firewall, global load balancing and Content Delivery Network (CDN). The partnership also gives Eastern Communications access to DOSarrest’s Traffic Analyzer (DTA) and Data Center Defender, a solution that allows its customers to protect thousands of IP addresses at the same time with one automated cloud-based service.

Mark Teolis, CEO at DOSarrest, states, “We are honored to have been chosen by Eastern to deliver leading edge cloud based security services to their thousands of business customers. Eastern’s forward vision on cybersecurity is on the right track and we will help them deliver.”

“As part of our ‘High Tech’ promise to our customers, we’re expanding our product portfolio to meet their increasingly varied digital needs. Aside from our reliable data and voice services, we’re venturing into cybersecurity and cloud services provided by global innovation leaders,” shared Eastern Communications Co-Coordinator Atty. Aileen Regio.

DOSarrest CTO, Jag Bains comments, “Eastern has the right stuff to be a telecom carrier ahead of the security curve in the Philippines and beyond. Our recently released cloud based traffic analyzer services (DTA) gives their customers a definite edge in the market today on network intelligence.”

“Here in Eastern Communications, we’re excited to partner with leading companies in cybersecurity like DOSarrest. We look forward to offering their services to the Philippine market as part of our commitment to bring best-in-class cybersecurity and cloud solutions to Filipino businesses,” said Eastern Communications Co-Coordinator Ramon Aesquivel.

About Eastern Communications:
Eastern has been operating in the Philippines for over a hundred years and offers a wide range of connectivity options and related telecom services. For more information about Eastern Communications’ latest products and services, visit www.eastern.com.ph.

About DOSarrest Internet Security:
DOSarrest, founded in 2007 in Vancouver, B.C., Canada, specializes in fully managed cloud-based Internet security services including DDoS protection services, Data Center Defender (DCD), Web Application Firewall (WAF), DDoS attack testing, as well as cloud-based global load balancing.

Source: https://finance.yahoo.com/news/eastern-communications-philippines-partners-dosarrest-230000086.html


FBI: Cybercrime Losses Doubled in 2018

The world has embraced digital technology, but cybercrime is putting a serious dent in corporate finances, the FBI finds.

Last year, according to the FBI’s “2018 Internet Crime Report,” reported damages from cybercrime nearly doubled to $2.7 billion, and roughly half of that amount stemmed from business email schemes that zeroed in on wire transfer payments.

The FBI’s Internet Crime Complaint Center (IC3) report said the agency received approximately 352,000 complaints about online skullduggery in 2018 — over 900 per day, on average. In recent years, the center has averaged somewhat fewer (about 300,000 complaints); however, between 2014 and 2018, the reported losses more than tripled, leaping from $800.5 million in 2014 to $1.42 billion in 2017 before reaching $2.7 billion last year.

Practically all businesses, irrespective of size and industry, are vulnerable to being victimized by cybercriminals. This makes cyberattacks the single biggest risk for today’s corporate leaders, as highlighted by the World Economic Forum.

“The 2018 report shows how prevalent these crimes are,” says Donna Gregory, chief of the FBI’s IC3 unit. “It also shows that the financial toll is substantial, and a victim can be anyone who uses a connected device.”

Business Email Scams Are Especially Lucrative
The FBI report pegs $1.2 billion of the 2018 losses on business email scams that hijack or mimic actual email accounts using social engineering or hacking to transact unauthorized fund transfers. Over time, the wildly successful scam has evolved to include spoofed personal, vendor, attorney, and real estate-related emails.

Hunting down and recovering unauthorized payments is one area where the FBI has made headway. In February, as noted in the report, the FBI established a Recovery Asset Team to focus on repatriating monies lost via business email scams. Last year, the FBI recouped $257 million unwittingly wired by cybercrime victims. That’s a respectable recovery rate of 75%.

The next-biggest moneymaker is “confidence fraud/romance,” where a criminal convinces his quarry that he can be trusted — and then steals from them. Another popular scam is when grandparents are tricked into thinking that a grandchild needs immediate financial help. The IC3 report says that 18,493 confidence scam victims racked up $362.5 million in reported losses in 2018.

Cyber Extortion Keeps Emerging
Last year, extortion generated 51,146 complaints and $83 million in losses, a 242% increase in complaints compared with 2017. Reported incidents included “sextortion” — where a criminal says he’ll send a pornographic video of the target to the target’s family and friends unless he receives a ransom — or distributed denial-of-service (DDoS) attacks, in which networks and systems are swamped with malicious IP traffic unless a “fee” is paid.

The FBI scored a big win when it identified and arrested two ringleaders of Apophis Squad, a cybercriminals-for-hire group that made bomb threats against scores of schools and launched multiple DDoS attacks against websites.

Apophis Squad took inspiration from the activities of another group, Lizard Squad, online hoodlums who also operated a DDoS-for-hire service, issued bomb threats to airlines, and repeatedly directed DDoS attacks at numerous websites. Almost all of its crew were arrested and charged with various online crimes. Until recently, the Apophis Squad’s online presence and DDoS-for-hire service resided on the same server used by a number of other domains linked to Lizard Squad.

Dark Figure Remains High
Cybercrime is a giant multinational business, and it continues to proliferate around the globe. That said, a yet-to-be-determined but undoubtedly massive number of cases still remain unreported or undetected. Many cybercrimes — such as malware, phishing, and ransomware — that have made the news in the past year were responsible for a fairly inconsequential portion of the reported losses. According to the IC3 report, ransomware scams that hit a number of large organizations in 2018 resulted in a relatively paltry $3.6 million in losses.

The IC3 also notes that the total number of reported complaints “only represents what victims report to the FBI via the IC3 and does not account for victim direct reporting to FBI field offices/agents.”

Additionally, the reported losses do not account for lost business, time, wages, or the cost of paying vendors to fix damaged computer networks. Both of these result in considerable margins of error in certain forms of cybercrime, which means that some of the figures are artificially low. The upshot is clear: As businesses everywhere continue to turn to digital technology and transact business online, more and more crime is shifting into the digital realm — and the number of attacks and the size of financial losses is only going to grow.

Source: https://www.darkreading.com/vulnerabilities—threats/fbi-cybercrime-losses-doubled-in-2018/a/d-id/1334595


Privacy concerns abound as IoT devices grow in use

Lawmakers tackle safety and security issues, while an Internet Society survey said a majority of people find the devices ‘creepy.’

The safety and security of internet of things (IoT) devices remains a vexing issue for lawmakers, while a survey from the Internet Society shows there is still some way to go before reaching widespread public acceptance of IoT connectivity.

The survey, conducted in six countries by polling firm IPSOS Mori, found that 65% of those surveyed are concerned with how connected devices collect data, while 55% do not trust those devices to protect their privacy. Meanwhile, 63% of those surveyed said they find IoT devices, which are projected to number in the tens of billions worldwide, to be “creepy.”

Those concerns were at the forefront of a hearing last week on IoT security by the U.S. Senate Committee on Commerce, Science and Transportation’s Subcommittee on Security, where lawmakers and witnesses debated how to make the devices safer and more transparent for consumers, and what the role of the federal government should be in legislating that. It’s a dilemma for policymakers and industry leaders who must wrestle with these questions.

“We can’t put the genie back in the bottle,” Internet Society president and CEO Andrew Sullivan told Smart Cities Dive. “We have invented this technology, so we’re going to have to figure out how to cope with it now. We have to figure out how are we going to make this technology something that better serves the people, the consumers who are buying it.”

Risks and concerns

Consumers are turning to internet-connected devices, and while they present enormous opportunities for convenience, they are not without risks.

In prepared testimony before the subcommittee, Robert Mayer, senior vice president for cybersecurity at the United States Telecom Association (USTelecom), said there is “ample evidence of IoT security vulnerabilities,” with incidents like cameras being used for spying, personal information being stolen and hackers taking control of devices like smart thermostats.

“Concerns of this kind can have a massive influence on public perception of technologies, and if not addressed in meaningful ways, trust in the digital ecosystem will erode, causing unpredictable levels of disruption and economic harm,” Mayer’s testimony reads.

There have already been several major hacks of IoT devices, including the Mirai DDoS botnet attack in October 2016 that rocked technology company Dyn and resulted in the dramatic slowing or bringing down of the internet across the East Coast and elsewhere in the world.

In written testimony, Mike Bergman, vice president of technology and standards at the Consumer Technology Association (CTA), warned of the international nature of the attack; 89.1% of the attack traffic originated from devices installed outside the United States, he said.

Source: https://www.smartcitiesdive.com/news/privacy-concerns-abound-as-iot-devices-grow-in-use/553986/


Central Asia: The Land of CyberCrime?

The development of the telecommunications infrastructure in Central Asia has dramatically increased the region’s online presence. It has also exposed weaknesses to cybercrime. Unfortunately, there has been little education and development of regional expertise around the dangers of information technology. Central Asia as a whole is now facing a growing threat from attacks by cyber-criminal gangs.

[Figure: 2018 digital use in Central Asia]

Responding to this increasing threat, governments in the region have made it a priority to protect their countries’ online data. In a September 2017 speech to the Kazakh Majlis, President Nursultan Nazarbaev stated,

“In the last three years alone, the volume of illegal online content has increased 40-fold. This means that we need a reliable cyber-shield for Kazakhstan. We cannot put off the creation of [this shield], we must protect the interests of our country, our culture and our values.”

Currently, only Uzbekistan, Kazakhstan and Kyrgyzstan have made significant inroads into this arena. All three have engaged in the development of comprehensive legal and regulatory frameworks for cybersecurity. Moreover, they have established and adopted “kontseptsiya” or concept papers for the creation of national cybersecurity strategies, one example being the successful Kazakhstan Cyber Shield. They have also formed Computer Emergency Response Teams or CERTs (CERT-KZ, UZ-CERT, CERT.KG).

Additionally, Uzbekistan and Kazakhstan have created dedicated cyber programs at national universities with the intention of training information and cyber experts for domestic CERT agencies. Both governments are now capable of repelling the majority of the daily cyber attacks that occur. As Ruslan Abdikalikov, Deputy Chairman of the Committee for Information Security of the Ministry of Defence and Aerospace Industry of Kazakhstan, stated at the 2018 SOC-FORUM conference,

“Cyber attacks are fixed every second and their number is growing. We fixed 1 billion of such attacks in 2016. There were 20bn attacks on Kazakhstan last year, on the state information structures. Nobody knows how many attacks business faces. The attacks on the Government increased by 20 times over the past year […] but we protect ourselves from them.”

Cybercrime and Hackmail

Central Asia currently has one of the highest global rates of cyber-criminal activity. This comes despite efforts to improve the region’s capacity to deal with cyber attacks or cyber terrorism. Kazakhstan, thanks to its attractive financial situation and high number of internet users, has faced significant issues with cybercrime. Statistics indicate that it has had the highest rate of cyber infiltration in Central Asia since 2010. At the same time, 85% of internet users have been compromised. In the past year alone, the Kazakh National Security Committee (KNB) announced that 63,000 attacks have occurred, an increase of 38,000 since 2017.

Zeroing in on Kazakhstan’s financial sector, cyber-criminals have not just hacked accounts, but also bank machines and payment terminals. The lion’s share of the attacks has consisted of viruses and phishing attacks, which compromise devices so that they either generate spam or participate in Distributed Denial of Service (DDoS) attacks. Cyber-criminals have also used compromised machines to launch DDoS attacks of their own, typically demanding that the victim pay a ransom for the attack to stop.

A prime example was Kazakhstan’s Alfa-Bank in 2017. According to Alfa-Bank IT specialist Yevgeny Nozikov, the hackers sought their reward in the form of a ransom, and the bank had to pay a sum in exchange for the hackers unblocking its IT systems. In another case of cyber extortion, in March 2012 the owner of a Kyrgyz entertainment website suffered several days of DDoS attacks. A hacker sent a blackmail message warning that the attacks would continue if the owner chose not to pay.

Kyrgyzstan’s 24.kg news agency also noted that the country experiences high amounts of commercial cyber attacks. According to sources, 776 websites belonging to various commercial companies, individuals and government agencies had been hacked in 2017.

What experts say

On average, 20 websites are successfully hacked every five days in the country, while every tenth website is hacked repeatedly. Government officials and cyber-experts throughout Central Asia argue that this is due to the lack of awareness of cybersecurity in the general public.

This point was reiterated by the Kaspersky Lab Cybersecurity Index. The Index demonstrates that in countries like Kazakhstan and Uzbekistan, many users are not particularly concerned about the need for any protective cyber measures. As Laziz Buranov, a department head from Uzbekistan’s Information Security Centre (TsOIB), explained to Caravanserai,

“Last year, 493 .uz domain sites were subjected to hacker attacks. They were hacked for various reasons. In the majority of cases, the site owners themselves were at fault — they […] used infected and vulnerable software.”

According to Kaspersky Lab, many private users and businesses in Kazakhstan and Uzbekistan even use pirated software, such as unprotected copies of old Windows operating systems, for their online activities, thereby placing all of those activities at risk. This stems from the lack of information technology expertise and cybersecurity knowledge in the public domain, and it makes Central Asia as a whole extremely attractive to cyber-criminal gangs, who view these weaknesses as an invitation to stay.

Is Central Asia a CyberCrime Haven?

In Kazakhstan during the past two years, the criminal cyber gang Cobalt has established itself thanks to the lack of cybersecurity. According to Arman Abdrasilov, Director at TsARKA, the Astana-based Center for Cyberattack Analysis and Research, Kazakh security experts have seen a rise in the number of domestic computers being hijacked by Cobalt malware. They point to the use of hacked Kazakh servers in the 2016 attack on the Bangladesh Bank, which resulted in $81 million in losses. This evidence demonstrates that the criminal gang has set up shop in Central Asia.

Emerging in 2013, Cobalt is “One of the world’s most dangerous hacker groups […] which specializes in hacking into bank accounts,” stated Abdrasilov. The group first targeted Russian banks with phishing emails. These emails contained programmes that would enable them to gain access to password-protected archives. In turn, this gave them remote access to ATMs, which would then deliver cash to waiting accomplices. Since 2017, the group has branched out from Eastern Europe and Southeast Asia to Europe and North America. According to Europol, Cobalt has attacked banks in 40 countries and caused losses of more than $1.1 billion.

In Central Asia, cybercrime poses a significant risk to banking and financial institutions. A lack of knowledge, expertise and protective procedural training among employees makes them vulnerable to attacks like those mentioned above. Authorities have yet to get a handle on dealing with these crimes, and governments are struggling to respond to the attacks. In Kazakhstan, for example, only 3% of online crimes are ever prosecuted.

Risks are Significant

Like a dog chasing its own tail, Central Asian governments are at something of an impasse with their cyber-readiness. While rapidly trying to catch up to the fast-paced global cyber environment, governments have focused heavily on the state IT infrastructure. They have not allocated enough time to educate or develop IT and cyber-knowledge in the general population. While the state apparatus is cyber-ready, the general public is still vulnerable to cybercrimes.

To redress this issue, the governments of the region should look beyond their borders for expertise in developing nation-wide cybersecurity awareness programmes and domestic information technology specialists. Allies like Russia and China could provide these, as both are regarded as being at the forefront of cybersecurity. However, engaging help from their usual partner states is also fraught with danger in the current international climate. Both China and Russia are in an expansionist phase and are utilising any opportunity that may arise to advance their own foreign agenda, as illustrated in Ukraine and the South China Sea. This leaves Central Asian countries little option but to develop domestic expertise with help from other sources, like America and India.

The problem here is that it will take time to develop expertise on a domestic level. Training information technology specialists and cybersecurity experts is an intensive task. Countries like Uzbekistan are now seeking to redress this issue and are implementing programs to right this crucial flaw in their cyber-readiness, but it will be several years before these students are cyber-ready. Countries like Kazakhstan, meanwhile, are still attracting cyber-criminals at an increasing pace due to the lack of general cybersecurity infrastructure and knowledge at a grassroots level.

Once established, it can be difficult to remove cyber-criminal gangs without allocating significant resources to the task. These are resources the region does not yet possess. While many Central Asian governments are trying to fast track their cyber-readiness, the rapid evolution of malware and cyber threats means they are currently well behind in meeting this threat and will be for the foreseeable future.

Source: https://globalriskinsights.com/2019/04/central-asia-cybercrime-land/


Preparing Your Mid-Market Business For Cyberattacks

Security headlines continue to focus on high-profile breaches of Fortune-ranked enterprises. But there is a second story being ignored. Cybercrime syndicates are also targeting, attacking and breaching small, medium and even micro organizations in greater and greater numbers. Multiple industry studies support this claim, including ones from Cisco and Ponemon.

Why exactly are these organizations being targeted, what are the attacks to defend against and how can these organizations start to defend themselves?

Fast Money With Lower Entry Barriers

Midsize organizations are relatively easy targets. Like enterprises, they are rapidly evolving. They have adopted the cloud and development and operations teams, and they have digitized all their valuable assets. But compared to enterprises, midsize organizations have smaller cybersecurity teams, lower organizational security awareness and fewer critical systems to infect — making them easier to breach and ransom. While cybercriminals still see larger enterprises as higher-value targets, midsize organizations have transformed themselves into low-hanging fruit that cybercrime syndicates are happy to snag. Midsize organizations keep the cash flow for cybercrime syndicates going while they try to earn high payoffs from large enterprise compromises.

Supply Chains Are Vulnerable

Midsize organizations also offer easy entry points into the larger enterprises they service. In many high-profile, large-scale breaches — including the breaches of Target, OPM, Best Buy, Sears and UMG — cybercriminals first compromised their smaller third-party providers and used them to open backdoors into the real target. Large enterprises are taking notice and have begun to demand a high level of cybersecurity maturity from their third-party service providers.

The Evolution Of New Low-Cost Attacks

Attack technologies have evolved. In the past, cyberattacks were relatively resource-intensive, so criminals had to focus their limited resources on large, high-value organizations. However, cybercriminals can now use automated, scalable, on-demand attack infrastructures to quickly launch many sophisticated attacks against a high volume of targets. And smaller organizations are getting caught in this new spray-and-pray approach.

This will only get worse. Every year, cybercriminals will find it easier to launch attacks against many mid-size organizations, use their initial victims and deepen their compromise. And this problem is poised to explode due to artificial intelligence (AI). Cybercrime syndicates have already begun to experiment with AI-driven attack tools. These AI-driven hacking tools will continue to increase the speed and sophistication of cyber threats and only widen the asymmetry between attackers and defenders.

Compromised Machines: Artillery For Future Attacks

Cybercrime syndicates are harvesting small-to-midsize business (SMB) endpoints, converting them into weapons and using them to deploy larger attacks. Most endpoints — including PCs, laptops and mobile devices — are underutilized. Cybercriminals have learned how to compromise these endpoints, run backdoors on them to execute attacks and effectively create a large-scale distributed computing infrastructure to launch their campaigns. They are using thousands of compromised systems to launch smothering DDoS attacks on larger enterprises. They are compromising the email accounts of midsize organizations to bypass spam filters and produce short, effective bursts of phishing emails.

How Can Midsize Organizations Stay Safe?

Cybercrime syndicates will continue to innovate their techniques and scale their attack infrastructure. In fact, with the evolution of AI-driven attack tools, compromising systems might be a simple voice command away for the attacker. Mid-market businesses will need to focus on the most-used threats because of their limited resources. Luckily, the 80-20 rule applies here: the large majority of security problems stem from the following handful of threats.

Phishing Attacks

Most mid-size organizations have not implemented mature controls and robust user education programs to prevent phishing attacks, making them high-converting targets for phishing campaigns. To get up to speed, midsize organizations need to focus on end-user awareness, strong email gateway security, two-factor authentication (2FA) and monitoring controls.

Malware Attacks

Malware attacks are more successful against midsize organizations, as they have smaller and simpler networks, and it takes attackers less time to reach the organization’s crown jewels. In fact, according to a report from Verizon, 58% of malware victims are small organizations. As such, midsize organizations need to focus on detecting malware with good endpoint security, detecting lateral movement of attackers with analytics and rapidly containing successful breaches.

Cloud Console And Storage Attacks

As midsize organizations rush to get their cloud-based infrastructure into production, they often fail to realize that an on-premises security mindset does not work in the cloud. Take, for example, storage security in the cloud. Small, inadvertent changes in the cloud can produce global, high-impact data loss. Many organizations have suffered data exposure due to Amazon Web Services S3 buckets being configured for public access.

Cybercrime syndicates are actively taking control of organizations by compromising their cloud consoles to steal data and demand ransom. These attacks are not new. Way back in 2014, Code Spaces completely shut down due to a console takeover. But today, automation is making these attacks faster and more common.

To protect against them, midsize organizations should tighten console access with 2FA, establish tighter role permissions and monitor different cloud components stringently. Simply put, a combination of weak console and storage permissions can prove fatal for any midsize organization.

Web Application Attacks

Web applications have traditionally been a weak link. With the current innovation wave incorporating microservices, containers and federated access, securing them has become more complex.

Right now, the top web application attacks include SQL injection, cross-site scripting and parameter manipulation. This means mid-size organizations need to focus on building robust web application firewall (WAF) protection, continuously monitor all attack events on their web applications and, of course, ensure secure coding as part of their development, security and operations program.

Of course, it is not an asymmetric game in favor of cybercriminals. Artificial intelligence is part of many cybersecurity tools today, making it easier to detect and respond to these emerging scenarios.

Source: https://www.forbes.com/sites/forbestechcouncil/2019/04/24/preparing-your-mid-market-business-for-cyberattacks/#61cc791252ef


The first DDoS attack was 20 years ago. This is what we’ve learned since.

On the 20th anniversary of the first distributed denial of service attack, cybersecurity experts say the internet must be redesigned to prevent them.

July 22, 1999, is an ominous date in the history of computing. On that day, a computer at the University of Minnesota suddenly came under attack from a network of 114 other computers infected with a malicious script called Trin00.

This code caused the infected computers to send superfluous data packets to the university, overwhelming its computer and preventing it from handling legitimate requests. In this way, the attack knocked out the university computer for two days.

This was the world’s first distributed denial of service (DDoS) attack. But it didn’t take long for the tactic to spread. In the months that followed, numerous other websites became victims, including Yahoo, Amazon, and CNN. Each was flooded with data packets that prevented it from accepting legitimate traffic. And in each case, the malicious data packets came from a network of infected computers.

Since then, DDoS attacks have become common. Malicious actors also make a lucrative trade in extorting protection money from websites they threaten to attack. They even sell their services on the dark web. A 24-hour DDoS attack against a single target can cost as little as $400.

But the cost to the victim can be huge in terms of lost revenue or damaged reputation. That in turn has created a market for cyberdefense that protects against these kinds of attacks. In 2018, this market was worth a staggering €2 billion. All this raises the important question of whether more can be done to defend against DDoS attacks.

Today, 20 years after the first attack, Eric Osterweil from George Mason University in Virginia and colleagues explore the nature of DDoS attacks, how they have evolved, and whether there are foundational problems with network architecture that need to be addressed to make it safer. The answers, they say, are far from straightforward: “The landscape of cheap, compromisable, bots has only become more fertile to miscreants, and more damaging to Internet service operators.”

First some background. DDoS attacks usually unfold in stages. In the first stage, a malicious intruder infects a computer with software designed to spread across a network. This first computer is known as the “master,” because it can control any subsequent computers that become infected. The other infected computers carry out the actual attack and are known as “daemons.”

Common victims at this first stage are university or college computer networks, because they are connected to a wide range of other devices.

A DDoS attack begins when the master computer sends a command to the daemons that includes the address of the target. The daemons then start sending large numbers of data packets to this address. The goal is to overwhelm the target with traffic for the duration of the attack. The largest attacks today send malicious data packets at a rate of terabits per second.

The attackers often go to considerable lengths to hide their location and identity. For example, the daemons often use a technique called IP address spoofing to hide their address on the internet. Master computers can also be difficult to trace because they need only send a single command to trigger an attack. And an attacker can choose to use daemons only in countries that are difficult to access, even though they themselves may be located elsewhere.

Defending against these kinds of attacks is hard because it requires concerted actions by a range of operators. The first line of defense is to prevent the creation of the daemon network in the first place. This requires system administrators to regularly update and patch the software they use and to encourage good hygiene among users of their network—for example, regularly changing passwords, using personal firewalls, and so on.

Internet service providers can also provide some defense. Their role is in forwarding data packets from one part of a network to another, depending on the address in each data packet’s header. This is often done with little or no consideration for where the data packet came from.

But that could change. The header contains not only the target address but also the source address. So in theory, it is possible for an ISP to examine the source address and block packets that contain obviously spoofed sources.

However, this is computationally expensive and time consuming. And since the ISPs are not necessarily the targets in a DDoS attack, they have limited incentive to employ expensive mitigation procedures.

Finally, the target itself can take steps to mitigate the effects of an attack. One obvious step is to filter out the bad data packets as they arrive. That works if they are easy to spot and if the computational resources are in place to cope with the volume of malicious traffic.

But these resources are expensive and must be continually updated with the latest threats. They sit unused most of the time, springing into action only when an attack occurs. And even then, they may not cope with the biggest attacks. So this kind of mitigation is rare.

Another option is to outsource the problem to a cloud-based service that is better equipped to handle such threats. This centralizes the problems of DDoS mitigation in “scrubbing centers,” and many cope well. But even these can have trouble dealing with the largest attacks.

All that raises the question of whether more can be done. “How can our network infrastructure be enhanced to address the principles that enable the DDoS problem?” ask Osterweil and co. And they say the 20th anniversary of the first attack should offer a good opportunity to study the problem in more detail. “We believe that what is needed are investigations into what fundamentals enable and exacerbate DDoS,” they say.

One important observation about DDoS attacks is that the attack and the defense are asymmetric. A DDoS attack is typically launched from many daemons all over the world, and yet the defense takes place largely at a single location—the node that is under attack.

An important question is whether networks could or should be modified to include a kind of distributed defense against these attacks. For example, one way forward might be to make it easier for ISPs to filter out spoofed data packets.

Another idea is to make data packets traceable as they travel across the internet. Each ISP could mark a sample of data packets—perhaps one in 20,000—as they are routed so that their journey could later be reconstructed. That would allow the victim and law enforcement agencies to track the source of an attack, even after it has ended.

These and other ideas have the potential to make the internet a safer place. But they require agreement and willingness to act. Osterweil and co think the time is ripe for action: “This is a call to action: the research community is our best hope and best qualified to take up this call.”

Ref: arxiv.org/abs/1904.02739 : 20 Years of DDoS: A Call to Action

Source: https://www.technologyreview.com/s/613331/the-first-ddos-attack-was-20-years-ago-this-is-what-weve-learned-since/

  • 0
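The ISP-side source-address check the article above describes (dropping packets whose source could not legitimately have entered on that interface) as an added example in Python; this is not code from the article or from the Osterweil paper. The interface-to-prefix table and the sample packets are constructed, using documentation address ranges.

```python
import ipaddress
from dataclasses import dataclass

# Added example (not from the article or the paper): a source-address
# ingress filter of the kind the text describes an ISP applying at its edge.
# Each customer-facing interface maps to the prefixes assigned to that
# customer; a packet arriving with a source outside them is treated as
# spoofed and dropped instead of being forwarded toward the target.

# Constructed interface -> assigned-prefix table.
CUSTOMER_PREFIXES = {
    "eth1": [ipaddress.ip_network("192.0.2.0/24")],
    "eth2": [ipaddress.ip_network("198.51.100.0/25"),
             ipaddress.ip_network("2001:db8:1::/48")],
}

@dataclass(frozen=True)
class Packet:
    ingress_if: str
    src: str
    dst: str

def is_spoofed(pkt: Packet) -> bool:
    """True if the source cannot legitimately originate on the ingress
    interface (an unknown interface has no allowed prefixes at all)."""
    src = ipaddress.ip_address(pkt.src)
    # Sources that never belong on the public Internet are dropped outright.
    if src.is_loopback or src.is_link_local or src.is_unspecified or src.is_multicast:
        return True
    allowed = CUSTOMER_PREFIXES.get(pkt.ingress_if, [])
    # Membership is False across address families, so a v6 source is never
    # accepted by a v4 prefix and vice versa.
    return not any(src in net for net in allowed)

def ingress_filter(packets):
    """Split packets into (forwarded, dropped) lists."""
    forwarded, dropped = [], []
    for pkt in packets:
        (dropped if is_spoofed(pkt) else forwarded).append(pkt)
    return forwarded, dropped

# Constructed sample traffic: two legitimate packets, then three with
# forged sources (another customer's range, an unassigned address, multicast).
SAMPLE = [
    Packet("eth1", "192.0.2.10", "203.0.113.5"),
    Packet("eth2", "2001:db8:1::7", "2001:db8:ffff::1"),
    Packet("eth1", "198.51.100.9", "203.0.113.5"),
    Packet("eth2", "203.0.113.77", "203.0.113.5"),
    Packet("eth1", "224.0.0.1", "203.0.113.5"),
]

if __name__ == "__main__":
    fwd, drop = ingress_filter(SAMPLE)
    print(f"forwarded={len(fwd)} dropped={len(drop)}")
```

The check is cheap per packet; the cost the article refers to is keeping the prefix table correct for every interface, which is an operational rather than computational burden.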

Ecuador Claims It Suffered 40 Million Cyber Attacks Since Julian Assange’s Arrest

Five days ago, Ecuador revoked Julian Assange’s 7-year long asylum and turned him over to the UK authorities, which promptly arrested the Wikileaks chief.

Since then, Ecuador claims to be under siege from Assange supporters and “groups linked” to him.

Patricio Real, Ecuador’s deputy minister for information and communication technology, said in a statement that the webpages for his country’s public institutions experienced 40 million cyber-attacks.

Among the hardest hit were pages for the central bank, the foreign ministry and the president’s office.

“During the afternoon of April 11 we jumped from 51st place to 31st place worldwide in terms of the volume of cyber attacks,” he said.

The deputy minister said that the attacks “principally come from the United States, Brazil, Holland, Germany, Romania, France, Austria and the United Kingdom,” but that countries from South America also show up on the list.

No major hacking groups were named in Ecuador’s statement, though famed Anonymous apparently made a threat.

Real also didn’t specify what type of attacks Ecuador’s websites experienced. He mentioned that no hacker managed to steal government data but that the attacks prevented some employees and citizens from accessing their accounts.

As Real called the attacks “volumetric,” he most likely referred to a type of DDoS attack in which hackers send a lot of traffic to a website hoping to overwhelm it.

While this is a serious threat to a network, the attack itself can be perpetrated even by those without a lot of technical knowledge.

Ecuador will receive cybersecurity support from Israel to handle the incidents. It has also made motions to arrest a suspect, a Swedish citizen close to Assange.

Right now, Julian Assange is in the UK authorities’ hands and waiting to see if he will be extradited to the US to face conspiracy charges.

He was also stripped of his Ecuador citizenship, which was granted in 2017 under a different Ecuadorian regime.

Source: https://techthelead.com/ecuador-claims-it-suffered-40-million-cyber-attacks-since-julian-assanges-arrest/

  • 0

How HTML5 Ping Is Used in DDoS Attacks

A new type of distributed denial-of-service (DDoS) attack is abusing a common HTML5 attribute to overwhelm targeted victims.

Security firm Imperva reported on April 11 that it has discovered a campaign where hackers abused the <a> tag ping HTML5 attribute in a DDoS attack that generated 70 million requests in four hours. The ping attribute is intended to be used by websites as a mechanism to notify a website if a user follows a given link on a page. Typically, a ping is a single action, but Imperva discovered that hackers have found a way to amplify the ping into a more persistent data flow, triggering the DDoS attack.

“The attacker, probably using social engineering, forced users to visit a website that contained malicious JavaScript,” Vitaly Simonovich, security researcher at Imperva, told eWEEK. “This script generated links with the target site in the ‘ping’ attribute and clicked it without personal involvement of the user. Auto-generated clicks reflected as ping back to the victim, continuously, the entire time the user stayed on the webpage.”

Imperva’s analysis of the attack explained that when the user clicks on the hyperlink, a POST request with the body “ping” will be sent to the URLs specified in the attribute. It will also include headers “Ping-From,” “Ping-To” and a “text/ping” content type.

“We observe DDoS attacks daily,” Simonovich said. “We discovered this attack last month. However, when we looked back in our logs, we noticed that the first time the attack occurred on our network in December 2018, it was using the ping feature.”

The attack that Imperva found was able to make use of 4,000 user IPs, with a large percentage of them from China. The campaign lasted four hours, with a peak of 7,500 requests per second (RPS), resulting in more than 70 million requests hitting the target victim’s website.

How the Ping Attack Overwhelms a Server

A simple ping on its own is not enough to disturb a web server and, in fact, for basic availability web servers are regularly hit with ping requests. Ping requests are also low bandwidth and would not likely be able to constitute a volumetric DDoS attack, which aims to overwhelm the available bandwidth of a target server.

The DDoS attack discovered by Imperva, however, was not a basic ping and, according to Simonovich, could impact a web application server in a couple of ways:

  1. Targeting the web server using high RPS, the server will be forced into processing the DDoS attack and not handle legitimate traffic.
  2. Targeting the web application by finding an injection point will cause a high resource consumption. For example, the login form will cause a query to the database.

“The attack is performed on the application layer aimed to clog server resources by processing several HTTP requests,” Simonovich explained. “As such, attack bandwidth is not the weakest resource in the chain, but CPU or memory of the server.”

He added that 7,500 RPS is far from the most powerful application DDoS attack, which can reach 100,000 RPS and more, but it is enough to deny availability for a midsize website.

Defending Against Ping DDoS

There are several things that organizations can do to minimize the risk of a Ping DDoS attack.

Imperva recommends that organizations that do not need to receive ping requests on a web server block any web requests that contain “Ping-To” and/or “Ping-From” HTTP headers on the edge devices (firewall, WAF, etc.). DDoS services, including the one that Imperva offers, also can be employed to help limit risk.

“Attackers are constantly looking for new and sophisticated methods to abuse legitimate services and bypass mitigation mechanisms,” Simonovich said. “Utilization of the ping functionality is a good example of this, especially since most of the browsers by default support it. The challenge that attackers are facing is how to force legitimate users to visit the malicious page and stay on this page as long as possible to make the attack run longer.”

Source: https://www.eweek.com/security/how-html5-ping-is-used-in-ddos-attacks

  • 0
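The edge-device rule Imperva recommends in the post above (drop requests carrying Ping-To or Ping-From headers unless the server actually consumes ping beacons) as an added example in Python; this is not Imperva's code or part of the original article. The sample requests are constructed from the article's description of the beacon (POST, text/ping content type, Ping-From and Ping-To headers), and the /track/click allow-list is a hypothetical policy.

```python
from typing import Optional

# Added example (not Imperva's code): classify a raw HTTP request as an HTML5
# ping beacon and decide whether an edge device should block it.

def parse_request(raw: str):
    """Split a raw HTTP/1.1 request into (method, path, headers, body).
    Header names are lowercased so lookups are case-insensitive."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body

def is_ping_beacon(headers) -> bool:
    """A browser ping carries Ping-To/Ping-From headers and a text/ping
    content type; any one of them is enough to mark the request."""
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    return "ping-to" in headers or "ping-from" in headers or ctype == "text/ping"

def decide(raw: str, allowed_ping_paths: Optional[set] = None) -> str:
    """'block' for beacons the site does not expect, 'allow' otherwise.
    allowed_ping_paths is the (hypothetical) set of paths on this host that
    legitimately receive ping beacons, e.g. a click-tracking endpoint."""
    method, path, headers, _ = parse_request(raw)
    if not is_ping_beacon(headers):
        return "allow"
    if allowed_ping_paths and method == "POST" and path in allowed_ping_paths:
        return "allow"
    return "block"

# Constructed requests modelled on the article: a beacon aimed at the login
# form (the database-backed path the article names), an ordinary page load,
# and a beacon to the allow-listed tracking path.
PING = ("POST /login HTTP/1.1\r\nHost: victim.example\r\n"
        "Content-Type: text/ping\r\nPing-From: https://lure.example/page\r\n"
        "Ping-To: https://victim.example/login\r\nContent-Length: 4\r\n\r\nPING")
NORMAL = "GET /login HTTP/1.1\r\nHost: victim.example\r\nAccept: text/html\r\n\r\n"
EXPECTED = PING.replace("/login", "/track/click")

if __name__ == "__main__":
    for r in (PING, NORMAL, EXPECTED):
        print(decide(r, {"/track/click"}))   # block, allow, allow
```

Because the beacon is identified by its headers rather than by source address, the rule holds even though the traffic arrives from thousands of genuine user IPs, which is what makes this attack hard to filter by reputation alone.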