The first DDoS attack was 20 years ago. This is what we’ve learned since.

On the 20th anniversary of the first distributed denial of service attack, cybersecurity experts say the internet must be redesigned to prevent them.

July 22, 1999, is an ominous date in the history of computing. On that day, a computer at the University of Minnesota suddenly came under attack from a network of 114 other computers infected with a malicious script called Trin00.

This code caused the infected computers to send superfluous data packets to the university, overwhelming its computer and preventing it handling legitimate requests. In this way, the attack knocked out the university computer for two days.

This was the world’s first distributed denial of service (DDoS) attack. But it didn’t take long for the tactic to spread. In the months that followed, numerous other websites became victims, including Yahoo, Amazon, and CNN. Each was flooded with data packets that prevented it from accepting legitimate traffic. And in each case, the malicious data packets came from a network of infected computers.

Since then, DDoS attacks have become common. Malicious actors also make a lucrative trade in extorting protection money from websites they threaten to attack. They even sell their services on the dark web. A 24-hour DDoS attack against a single target can cost as little as $400.

But the cost to the victim can be huge in terms of lost revenue or damaged reputation. That in turn has created a market for cyberdefense that protects against these kinds of attacks. In 2018, this market was worth a staggering €2 billion. All this raises the important question of whether more can be done to defend against DDoS attacks.

Today, 20 years after the first attack, Eric Osterweil from George Mason University in Virginia and colleagues explore the nature of DDoS attacks, how they have evolved, and whether there are foundational problems with network architecture that need to be addressed to make it safer. The answers, they say, are far from straightforward: “The landscape of cheap, compromisable, bots has only become more fertile to miscreants, and more damaging to Internet service operators.”

First some background. DDoS attacks usually unfold in stages. In the first stage, a malicious intruder infects a computer with software designed to spread across a network. This first computer is known as the “master,” because it can control any subsequent computers that become infected. The other infected computers carry out the actual attack and are known as “daemons.”

Common victims at this first stage are university or college computer networks, because they are connected to a wide range of other devices.

A DDoS attack begins when the master computer sends a command to the daemons that includes the address of the target. The daemons then start sending large numbers of data packets to this address. The goal is to overwhelm the target with traffic for the duration of the attack. The largest attacks today send malicious data packets at a rate of terabits per second.

The attackers often go to considerable lengths to hide their location and identity. For example, the daemons often use a technique called IP address spoofing to hide their address on the internet. Master computers can also be difficult to trace because they need only send a single command to trigger an attack. And an attacker can choose to use daemons only in countries that are difficult to access, even though they themselves may be located elsewhere.

Defending against these kinds of attacks is hard because it requires concerted actions by a range of operators. The first line of defense is to prevent the creation of the daemon network in the first place. This requires system administrators to regularly update and patch the software they use and to encourage good hygiene among users of their network—for example, regularly changing passwords, using personal firewalls, and so on.

Internet service providers can also provide some defense. Their role is in forwarding data packets from one part of a network to another, depending on the address in each data packet’s header. This is often done with little or no consideration for where the data packet came from.

But that could change. The header contains not only the target address but also the source address. So in theory, it is possible for an ISP to examine the source address and block packets that contain obviously spoofed sources.

However, this is computationally expensive and time consuming. And since the ISPs are not necessarily the targets in a DDoS attack, they have limited incentive to employ expensive mitigation procedures.
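As an added illustration (not from the article or from Osterweil et al.), here is the source-address check an ISP edge could run on a customer-facing link, in the style of BCP 38 ingress filtering: a packet is forwarded only if its source lies inside the prefixes assigned to the interface it arrived on, and never if it comes from a private or reserved range. The interface table and the sample packets are constructed.

```python
"""Source-address (ingress) filter of the kind the article says an ISP could apply.

Added example, not from the article or the Osterweil paper. The customer
prefix table and the sample packets below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass

# Ranges that should never appear as a source on a public link (RFC 1918, loopback,
# link-local, multicast, reserved). A packet sourced from these is an obvious spoof.
MARTIAN_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]

# Constructed table: the prefixes each customer-facing interface is allowed to source.
INTERFACE_PREFIXES = {
    "cust-A": [ipaddress.ip_network("203.0.113.0/24")],
    "cust-B": [ipaddress.ip_network("198.51.100.0/25"),
               ipaddress.ip_network("198.51.100.128/25")],
}


@dataclass
class Packet:
    ingress_if: str   # interface the packet arrived on
    src: str          # source address from the IP header
    dst: str          # destination address from the IP header


def classify(pkt: Packet) -> str:
    """Return 'forward' or a drop reason for one packet arriving on a customer link."""
    src = ipaddress.ip_address(pkt.src)
    if any(src in net for net in MARTIAN_NETWORKS):
        return "drop:martian-source"
    allowed = INTERFACE_PREFIXES.get(pkt.ingress_if)
    if allowed is None:
        return "drop:unknown-interface"
    if not any(src in net for net in allowed):
        return "drop:source-not-in-customer-prefix"
    return "forward"


def filter_packets(packets):
    """Apply classify() to a batch; returns (forwarded, [(packet, reason), ...])."""
    forwarded, dropped = [], []
    for p in packets:
        verdict = classify(p)
        if verdict == "forward":
            forwarded.append(p)
        else:
            dropped.append((p, verdict))
    return forwarded, dropped


# Constructed sample traffic: one legitimate packet per customer plus three spoofed ones.
SAMPLE_PACKETS = [
    Packet("cust-A", "203.0.113.7", "192.0.2.10"),
    Packet("cust-B", "198.51.100.200", "192.0.2.10"),
    Packet("cust-A", "198.51.100.9", "192.0.2.10"),   # source belongs to cust-B's prefix
    Packet("cust-B", "10.1.2.3", "192.0.2.10"),       # private source on a public link
    Packet("cust-A", "192.0.2.55", "192.0.2.10"),     # public address, not this customer's
]

if __name__ == "__main__":
    ok, bad = filter_packets(SAMPLE_PACKETS)
    print(f"forwarded {len(ok)}, dropped {len(bad)}")
    for p, why in bad:
        print(f"  {p.ingress_if} {p.src} -> {p.dst}: {why}")
```

The per-packet prefix lookup shown here is the cost the article refers to; in production it runs in router hardware rather than in a script, and it only helps when the ISPs nearest the daemons actually deploy it.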

Finally, the target itself can take steps to mitigate the effects of an attack. One obvious step is to filter out the bad data packets as they arrive. That works if they are easy to spot and if the computational resources are in place to cope with the volume of malicious traffic.

But these resources are expensive and must be continually updated with the latest threats. They sit unused most of the time, springing into action only when an attack occurs. And even then, they may not cope with the biggest attacks. So this kind of mitigation is rare.

Another option is to outsource the problem to a cloud-based service that is better equipped to handle such threats. This centralizes the problems of DDoS mitigation in “scrubbing centers,” and many cope well. But even these can have trouble dealing with the largest attacks.

All that raises the question of whether more can be done. “How can our network infrastructure be enhanced to address the principles that enable the DDoS problem?” ask Osterweil and co. And they say the 20th anniversary of the first attack should offer a good opportunity to study the problem in more detail. “We believe that what is needed are investigations into what fundamentals enable and exacerbate DDoS,” they say.

One important observation about DDoS attacks is that the attack and the defense are asymmetric. A DDoS attack is typically launched from many daemons all over the world, and yet the defense takes place largely at a single location—the node that is under attack.

An important question is whether networks could or should be modified to include a kind of distributed defense against these attacks. For example, one way forward might be to make it easier for ISPs to filter out spoofed data packets.

Another idea is to make data packets traceable as they travel across the internet. Each ISP could mark a sample of data packets—perhaps one in 20,000—as they are routed so that their journey could later be reconstructed. That would allow the victim and law enforcement agencies to track the source of an attack, even after it has ended.

These and other ideas have the potential to make the internet a safer place. But they require agreement and willingness to act. Osterweil and co think the time is ripe for action: “This is a call to action: the research community is our best hope and best qualified to take up this call.”

Ref: arxiv.org/abs/1904.02739 : 20 Years of DDoS: A Call to Action

Source: https://www.technologyreview.com/s/613331/the-first-ddos-attack-was-20-years-ago-this-is-what-weve-learned-since/

Ecuador Claims It Suffered 40 Million Cyber Attacks Since Julian Assange’s Arrest

Five days ago, Ecuador revoked Julian Assange’s 7-year long asylum and turned him over to the UK authorities, which promptly arrested the Wikileaks chief.

Since then, Ecuador claims to be under siege from Assange supporters and “groups linked” to him.

Patricio Real, Ecuador’s deputy minister for information and communication technology, said in a statement that the webpages for his country’s public institutions experienced 40 million cyber-attacks.

Among the hardest hit were pages for the central bank, the foreign ministry and the president’s office.

“During the afternoon of April 11 we jumped from 51st place to 31st place worldwide in terms of the volume of cyber attacks,” he said.

The deputy minister said that the attacks “principally come from the United States, Brazil, Holland, Germany, Romania, France, Austria and the United Kingdom,” but that countries from South America also show up on the list.

No major hacking groups were named in Ecuador’s statement, though famed Anonymous apparently made a threat.

Real also didn’t specify what type of attacks Ecuador’s websites experienced. He mentioned that no hacker managed to steal government data but that the attacks prevented some employees and citizens from accessing their accounts.

As Real called the attacks “volumetric,” he most likely referred to a type of DDoS attack in which hackers send a lot of traffic to a website hoping to overwhelm it.

While this is a serious threat to a network, the attack itself can be perpetrated even by those without a lot of technical knowledge.

Ecuador will receive cybersecurity support from Israel to handle the incidents. It has also made motions to arrest a suspect, a Swedish citizen close to Assange.

Right now, Julian Assange is in the UK authorities’ hands and waiting to see if he will be extradited to the US to face conspiracy charges.

He was also stripped of his Ecuador citizenship, which was granted in 2017 under a different Ecuadorian regime.

Source: https://techthelead.com/ecuador-claims-it-suffered-40-million-cyber-attacks-since-julian-assanges-arrest/

How HTML5 Ping Is Used in DDoS Attacks

A new type of distributed denial-of-service (DDoS) attack is abusing a common HTML5 attribute to overwhelm targeted victims.

Security firm Imperva reported on April 11 that it has discovered a campaign where hackers abused the <a> tag ping HTML5 attribute in a DDoS attack that generated 70 million requests in four hours. The ping attribute is intended to be used by websites as a mechanism to notify a website if a user follows a given link on a page. Typically, a ping is a single action, but Imperva discovered that hackers have found a way to amplify the ping into a more persistent data flow, triggering the DDoS attack.

“The attacker, probably using social engineering, forced users to visit a website that contained malicious JavaScript,” Vitaly Simonovich, security researcher at Imperva, told eWEEK. “This script generated links with the target site in the ‘ping’ attribute and clicked it without personal involvement of the user. Auto-generated clicks reflected as ping back to the victim, continuously, the entire time the user stayed on the webpage.”

Imperva’s analysis of the attack explained that when the user clicks on the hyperlink, a POST request with the body “ping” will be sent to the URLs specified in the attribute. It will also include headers “Ping-From,” “Ping-To” and a “text/ping” content type.

“We observe DDoS attacks daily,” Simonovich said. “We discovered this attack last month. However, when we looked back in our logs, we noticed that the first time the attack occurred on our network in December 2018, it was using the ping feature.”

The attack that Imperva found was able to make use of 4,000 user IPs, with a large percentage of them from China. The campaign lasted four hours, with a peak of 7,500 requests per second (RPS), resulting in more than 70 million requests hitting the target victim’s website.

How the Ping Attack Overwhelms a Server

A simple ping on its own is not enough to disturb a web server and, in fact, for basic availability web servers are regularly hit with ping requests. Ping requests are also low bandwidth and would not likely be able to constitute a volumetric DDoS attack, which aims to overwhelm the available bandwidth of a target server.

The DDoS attack discovered by Imperva, however, was not a basic ping and, according to Simonovich, could impact a web application server in a couple of ways:

  1. Targeting the web server using high RPS, the server will be forced into processing the DDoS attack and not handle legitimate traffic.
  2. Targeting the web application by finding an injection point will cause a high resource consumption. For example, the login form will cause a query to the database.

“The attack is performed on the application layer aimed to clog server resources by processing several HTTP requests,” Simonovich explained. “As such, attack bandwidth is not the weakest resource in the chain, but CPU or memory of the server.”

He added that 7,500 RPS is far from the most powerful application DDoS attack, which can reach 100,000 RPS and more, but it is enough to deny availability for a midsize website.

Defending Against Ping DDoS

There are several things that organizations can do to minimize the risk of a Ping DDoS attack.

Imperva recommends that organizations that do not need to receive ping requests on a web server block any web requests that contain “Ping-To” and/or “Ping-From” HTTP headers on the edge devices (firewall, WAF, etc.). DDoS services, including the one that Imperva offers, also can be employed to help limit risk.
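As an added example (not Imperva’s code), here is the edge rule the article recommends written as a small Python filter: parse the request head, and block anything carrying a Ping-From or Ping-To header or the text/ping media type, so ordinary GET and POST traffic to the same paths still passes. The raw requests and client addresses below are constructed to match the shape the article describes.

```python
"""Edge filter for HTML5 <a ping> requests, as the article recommends.

Added example, not Imperva's code. The raw HTTP request heads below are
constructed to match what the article describes: a POST whose body is
"PING" (quoted as "ping" in the article), with Ping-From / Ping-To headers
and a text/ping content type.
"""
from collections import Counter

PING_HEADERS = {"ping-from", "ping-to"}


def parse_head(raw: str):
    """Split a raw HTTP request into (method, path, headers); header names are lower-cased."""
    lines = raw.strip("\r\n").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line:          # blank line ends the head; the body follows
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def is_ping_request(raw: str) -> bool:
    """True if the request carries either ping header or the text/ping media type."""
    _method, _path, headers = parse_head(raw)
    if PING_HEADERS & set(headers):
        return True
    media_type = headers.get("content-type", "").split(";")[0].strip().lower()
    return media_type == "text/ping"


def filter_log(requests):
    """Apply the block rule to (client_ip, raw_request) pairs.

    Returns the requests that pass and a Counter of blocked requests per client IP,
    which is the number a rate-based alert would key on.
    """
    allowed, blocked = [], Counter()
    for ip, raw in requests:
        if is_ping_request(raw):
            blocked[ip] += 1
        else:
            allowed.append((ip, raw))
    return allowed, blocked


# Constructed samples. Hostnames use reserved example domains.
LOGIN_GET = (
    "GET /login HTTP/1.1\r\n"
    "Host: victim.example\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "\r\n"
)
LOGIN_POST = (
    "POST /login HTTP/1.1\r\n"
    "Host: victim.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 21\r\n"
    "\r\n"
    "user=alice&remember=1"
)
PING_POST = (
    "POST / HTTP/1.1\r\n"
    "Host: victim.example\r\n"
    "Ping-From: https://lure.example/page\r\n"
    "Ping-To: https://victim.example/\r\n"
    "Content-Type: text/ping\r\n"
    "Content-Length: 4\r\n"
    "\r\n"
    "PING"
)
# Same notification with the Ping-* headers absent; the media type still identifies it.
PING_POST_NO_HEADERS = (
    "POST / HTTP/1.1\r\n"
    "Host: victim.example\r\n"
    "Content-Type: text/ping\r\n"
    "Content-Length: 4\r\n"
    "\r\n"
    "PING"
)

SAMPLE_REQUESTS = (
    [("203.0.113.9", LOGIN_GET), ("203.0.113.9", LOGIN_POST)]
    + [("198.51.100.20", PING_POST)] * 3
    + [("198.51.100.21", PING_POST_NO_HEADERS)]
)

if __name__ == "__main__":
    passed, dropped = filter_log(SAMPLE_REQUESTS)
    print(f"allowed {len(passed)} requests; blocked per IP: {dict(dropped)}")
```

Dropping these at the edge also discards legitimate ping notifications, which is why the article limits the advice to sites that do not need to receive them.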

“Attackers are constantly looking for new and sophisticated methods to abuse legitimate services and bypass mitigation mechanisms,” Simonovich said. “Utilization of the ping functionality is a good example of this, especially since most of the browsers by default support it. The challenge that attackers are facing is how to force legitimate users to visit the malicious page and stay on this page as long as possible to make the attack run longer.”

Source: https://www.eweek.com/security/how-html5-ping-is-used-in-ddos-attacks

DDoS Attack Size Drops 85% in Q4 2018

The sharp decline follows an FBI takedown of so-called “booter,” or DDoS-for-hire, websites in December 2018.

The average distributed denial-of-service (DDoS) attack size shrunk 85% in the fourth quarter of 2018 following an FBI takedown of “booter,” or DDoS-for-hire, websites, in December 2018, researchers report.

Late last year, United States authorities seized 15 popular domains as part of an international crackdown on booter sites. Cybercriminals can use booter websites (also known as “stresser” websites) to pay to launch DDoS attacks against specific targets and take them offline. Booter sites open the door for lesser-skilled attackers to launch devastating threats against victim websites.

About a year before the takedown, the FBI issued an advisory detailing how booter services can drive the scale and frequency of DDoS attacks. These services, advertised in Dark Web forums and marketplaces, can be used to legitimately test network resilience but also make it easy for cyberattackers to launch DDoS attacks against an existing network of infected devices.

The shutdown of prominent booter sites made a pronounced difference in DDoS attack trends for the fourth quarter of 2018, researchers report in Nexusguard’s DDoS Threat Report 2018 Q4. During the most recent quarter, the number of DDoS attacks fell nearly 11% year-over-year, and the maximum attack size decreased nearly 24%. The biggest difference was in attack size, which dropped 85%.

Booter sites are the origin for many DDoS attacks as they make it “fairly simple” for amateur hackers to take down websites, explains Donny Chong, product director at Nexusguard. While the shutdown of booter sites had a positive effect on DDoS trends year-over-year, the growing prevalence of the “bit-and-piece” technique caused attacks to grow quarter-over-quarter.

The bit-and-piece tactic avoids detection by injecting small pieces of malicious code into legitimate traffic across hundreds of IP prefixes, Chong explains. By using small bits of junk, adversaries avoid sounding the alarms that large traffic spikes would set off. Between third and fourth quarters of 2018, this method caused the number of attacks, and the maximum and average attack sizes, to increase 36%, 49%, and 3.75%, respectively, Nexusguard researchers found.

Nexusguard noticed the bit-and-piece trend emerge in the third quarter, when it was the focus of its threat report. Unlike in a typical DDoS attack, in which an actor identifies and targets a particular IP address, bit-and-piece attacks are spread across multiple IP addresses on the same prefix. Diffused traffic can cause service providers to miss large-scale DDoS attacks in progress.

SSDP Amplification Attacks Ramp Up

SSDP amplification attacks are the most popular bit-and-piece attack vector and increased by 3,122% year-over-year and 91.2% quarter-over-quarter, Nexusguard reports. This type of attack, which made up 48.3% of DDoS attacks overall, is launched over UDP via Universal Plug and Play devices (printers, webcams, routers, and servers, for example).
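As an added example (not Nexusguard’s code), here is the detection change that the bit-and-piece description implies: roll flow records up to the destination prefix instead of alerting per destination IP, and flag a prefix whose total crosses the limit while no single address in it does. It also reports how much of that total came from UDP source port 1900, the SSDP vector named above. The flow records and thresholds are constructed; real thresholds come from your own baselines.

```python
"""Per-prefix aggregation to catch 'bit-and-piece' DDoS traffic.

Added example, not Nexusguard's code. Flow records and thresholds are
constructed for illustration.
"""
import ipaddress
from collections import defaultdict

SSDP_PORT = 1900  # SSDP reflectors answer from UDP/1900, so amplified traffic carries it as source port


def per_ip_detect(flows, per_ip_limit):
    """The conventional check: destinations whose own byte count exceeds the limit."""
    totals = defaultdict(int)
    for dst, _src_port, _proto, nbytes in flows:
        totals[dst] += nbytes
    return sorted(ip for ip, total in totals.items() if total >= per_ip_limit)


def aggregate(flows, prefix_len=24):
    """Roll flow records up to their destination prefix.

    Returns {prefix: {"per_ip": {ip: bytes}, "ssdp_bytes": int}}.
    """
    buckets = defaultdict(lambda: {"per_ip": defaultdict(int), "ssdp_bytes": 0})
    for dst, src_port, proto, nbytes in flows:
        net = ipaddress.ip_network(f"{dst}/{prefix_len}", strict=False)
        bucket = buckets[net]
        bucket["per_ip"][dst] += nbytes
        if proto == "udp" and src_port == SSDP_PORT:
            bucket["ssdp_bytes"] += nbytes
    return buckets


def detect(flows, per_ip_limit, per_prefix_limit, prefix_len=24):
    """Flag prefixes whose aggregate crosses per_prefix_limit while every
    individual destination stays under per_ip_limit: the bit-and-piece signature
    that a per-IP detector misses."""
    alerts = []
    for net, bucket in aggregate(flows, prefix_len).items():
        total = sum(bucket["per_ip"].values())
        loudest = max(bucket["per_ip"].values())
        if total >= per_prefix_limit and loudest < per_ip_limit:
            alerts.append({
                "prefix": str(net),
                "total_bytes": total,
                "targets": len(bucket["per_ip"]),
                "ssdp_share": bucket["ssdp_bytes"] / total,
            })
    return alerts


# Constructed flow records: (dst_ip, src_port, proto, bytes), as a collector might export.
SAMPLE_FLOWS = (
    # 20 hosts in one /24, each receiving 80 kB of SSDP responses: small per host, large in sum
    [(f"192.0.2.{i}", SSDP_PORT, "udp", 80_000) for i in range(1, 21)]
    # ordinary HTTPS traffic to a second prefix
    + [("198.51.100.10", 443, "tcp", 12_000), ("198.51.100.11", 443, "tcp", 9_000)]
    # one classic single-target spike that the per-IP check does catch
    + [("203.0.113.5", 443, "tcp", 500_000)]
)

if __name__ == "__main__":
    print("per-IP alerts:", per_ip_detect(SAMPLE_FLOWS, per_ip_limit=100_000))
    for alert in detect(SAMPLE_FLOWS, per_ip_limit=100_000, per_prefix_limit=1_000_000):
        print("per-prefix alert:", alert)
```

Choosing the prefix length matters: too short and normal traffic to a large customer trips the limit, too long and the diffused attack slips back under it.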

Source: https://www.darkreading.com/vulnerabilities—threats/ddos-attack-size-drops-85–in-q4-2018/d/d-id/1334197

DOSarrest Launches New Cloud Based Network Traffic Analyzer Service

VANCOUVER, British Columbia, March 19, 2019 /PRNewswire/ — DOSarrest Internet Security announced today that they have released a new service offering called DOSarrest Traffic Analyzer (DTA). This new service allows subscribers to send their Netflow, Sflow or Jflow network data from their routers and switches to DOSarrest’s Big Data cluster, then login to their portal and graphically see what types and volumes of traffic are flowing in and out of their networks in almost real-time. Using this traffic intelligence, network operators can pinpoint the cause of any congestion, create their own ACLs to white-list or black-list any malicious networks. It gives engineers the intelligence they need to understand how their network is being used and for what purpose.

Some of the real-time graphical and historical information available in the dashboard is

Top 10 Source Countries
Top 10 Source Networks
Top 10 Source ASNs
Top 10 Source Netblocks
Top 10 Destination IPs
Top 10 Protocols and Ports

DOSarrest CTO, Jag Bains states, “I have been running Internet backbones for over 20 years and having something that is this cost effective has always been a problem, most solutions require expensive hardware and licensing or extensive software development. Setup is easy with DTA, just add 1 line to the router config and you’re done.”

This new service can also be combined with DOSarrest’s existing DDoS protection for network infrastructure service, where customers, using the same dashboard can automatically stop any DDoS attack on a customer’s data center or corporate network.

CEO Mark Teolis adds, “This service is really in its infancy, we are already working on version 2 and we plan on releasing a new version every 90 days thereafter. Once the network flow information is in the big data platform, there’s so much that can be done to extract network intelligence, it’s almost impossible to predict today what and how it can help network operators going forward. We are starting to test with some machine learning models to see what it can do.”

About DOSarrest Internet Security:
DOSarrest, founded in 2007 in Vancouver, B.C., Canada, specializes in fully managed cloud based Internet security services including DDoS protection services, Data Center Defender (DCD), Web Application Firewall (WAF), DDoS Attack testing, as well as cloud based global load balancing.

More information at http://www.DOSarrest.com

Source: https://www.prnewswire.com/news-releases/dosarrest-launches-new-cloud-based-network-traffic-analyzer-service-300814472.html

What is shadow IoT? How to mitigate the risk

When someone in your organization starts using internet-connected devices without IT’s knowledge, that’s shadow IoT. Here’s what you need to know about its growing risk.

Shadow IoT definition

Shadow IoT refers to internet of things (IoT) devices or sensors in active use within an organization without IT’s knowledge. The best example is from before the days of bring your own device (BYOD) policies when employees used personal smartphones or other mobile devices for work purposes. “Shadow IoT is an extension of shadow IT, but on a whole new scale,” says Mike Raggo, CSO at 802 Secure. “It stems not only from the growing number of devices per employee but also the types of devices, functionalities and purposes.”

Employees have been connecting personal tablets and mobile devices to the company network for years. Today, employees are increasingly using smart speakers, wireless thumb drives and other IoT devices at work as well. Some departments install smart TVs in conference rooms or are using IoT-enabled appliances in office kitchens, such as smart microwaves and coffee machines.

In addition, building facilities are often upgraded with industrial IoT (IIoT) sensors, such as heating ventilation and air conditioning (HVAC) systems controlled by Wi-Fi-enabled thermostats. Increasingly, drink machines located on company premises connect via Wi-Fi to the internet to accept, say, Apple Pay payments. When these sensors connect to an organization’s network without IT’s knowledge, they become shadow IoT.

How prevalent is shadow IoT?

Gartner predicts that 20.4 billion IoT devices will be in use globally by 2020, up from 8.4 billion in 2017. Shadow IoT has become widely prevalent as a result. In 2017, 100 percent of organizations surveyed reported ‘rogue’ consumer IoT devices on the enterprise network, and 90 percent reported discovering previously undetected IoT or IIoT wireless networks separate from the enterprise infrastructure, according to a 2018 report from 802 Secure.

One-third of companies in the U.S., U.K. and Germany have more than 1,000 shadow IoT devices connected to their network on a typical day, according to a 2018 Infoblox report on shadow devices. Infoblox’s research found that the most common IoT devices on enterprise networks are:

  • Fitness trackers such as Fitbits, 49 percent
  • Digital assistants such as Amazon Alexa and Google Home, 47 percent
  • Smart TVs, 46 percent
  • Smart kitchen devices such as connected microwaves, 33 percent
  • Gaming consoles such as Xboxes or PlayStations, 30 percent

What are shadow IoT’s risks?

IoT devices are often built without inherent, enterprise-grade security controls, are frequently set up using default IDs and passwords that criminals can easily find via internet searches, and are sometimes added to an organization’s main Wi-Fi networks without IT’s knowledge. Consequently, the IoT sensors aren’t always visible on an organization’s network. IT can’t control or secure devices they can’t see, making smart connected devices an easy target for hackers and cybercriminals. The result: IoT attacks grew by 600 percent in 2018 compared to 2017, according to Symantec.

Vulnerable connected devices are easily discoverable online via search engines for internet-connected devices such as Shodan, Infoblox’s report points out. “Even when searching simple terms, Shodan provides details of identifiable devices, including the banner information, HTTP, SSH, FTP and SNMP services. As identifying devices is the first step in accessing devices, this provides even lower-level criminals with an easy means of identifying a vast number of devices on enterprise networks that can then be targeted for vulnerabilities.”

Why aren’t most shadow IoT devices secure?

When PCs were first released decades ago, their operating systems weren’t built with inherent security, Raggo observes. As a result, securing PCs against viruses and malware remains an ongoing struggle.

In contrast, the iOS and Android mobile operating systems were designed with integrated security, such as app sandboxing. While mobile devices aren’t bullet-proof, they’re typically more secure than desktops and laptops.

With today’s IoT and IIoT devices, “It’s like manufacturers have forgotten everything we’ve learned about security from mobile operating systems,” Raggo says. “There are so many IoT manufacturers, and the supply chain for building the devices is scattered all over the world, leading to a highly fragmented market.”

Because IoT devices tend to be focused on just one or two tasks, they often lack security features beyond basic protocols such as WPA2 Wi-Fi, which has its vulnerabilities. The result: Billions of unsecured IoT devices are in use globally on enterprise networks without IT’s knowledge or involvement.

“I bought 10 or 15 IoT devices a few years ago to check out their security,” says Chester Wisniewski, principal research scientist at Sophos. “It was shocking how fast I could find their vulnerabilities, which means anyone could hack them. Some devices had no process for me to report vulnerabilities.”

Have criminal hackers successfully targeted shadow IoT devices?

Yes. Probably the most famous example to date is the 2016 Mirai botnet attack, in which unsecured IoT devices such as Internet Protocol (IP) cameras and home network routers were hacked to build a massive botnet army. The army executed hugely disruptive distributed denial of service (DDoS) attacks, such as one that left much of the U.S. east coast internet inaccessible. The Mirai source code was also shared on the internet, for criminal hackers to use as building blocks for future botnet armies.

Other exploits are available that enable cybercriminals to take control of IoT devices, according to the Infoblox report. “In 2017, for example, WikiLeaks published the details of a CIA tool, dubbed Weeping Angel, that explains how an agent can turn a Samsung smart TV into a live microphone. Consumer Reports also found flaws in popular smart TVs that could be used to steal data as well as to manipulate the televisions to play offensive videos and install unwanted apps.”

Along with amassing botnet armies and conducting DDoS attacks, cybercriminals can also exploit unsecured IoT devices for data exfiltration and ransomware attacks, according to Infoblox.

In one of the oddest IoT attacks thus far, criminals hacked into a smart thermometer inside a fish tank in a casino lobby to access its network. Once in the network, the attackers were able to steal the casino’s high-roller database.

The future potential of IoT-enabled cyberattacks is enough to give CSOs and other IT security professionals concern. “Consider the damage to vital equipment that could occur if someone connected into an unsecured Wi-Fi thermostat and changed the data center temperature to 95 degrees,” Raggo says. In 2012, for instance, cybercriminals hacked into the thermostats at a state government facility and a manufacturing plant and changed the temperatures inside the buildings. The thermostats were discovered via Shodan, a search engine devoted to internet-connected devices.

To date, the impact of IoT device exploits hasn’t been hugely negative for any particular enterprise, says Wisniewski, in terms of exploiting sensitive or private data. “But when a hacker figures out how to make a big profit compromising IoT devices, like using a brand of smart TVs for conference room spying, that’s when the shadow IoT security risk problem will get everyone’s attention.”

3 ways to mitigate shadow IoT security risks

  1. Make it easy for users to officially add IoT devices. “The reason you have shadow IT and shadow IoT is often because the IT department is known for saying ‘no’ to requests to use devices like smart TVs,” says Wisniewski. Instead of outright banning IoT devices, fast-tracking their approval whenever possible and feasible—within, say, 30 minutes after the request is made—can help reduce the presence of shadow IoT.

    “Publish and circulate your approval process,” Wisniewski adds. “Get users to fill out a brief form and let them know how quickly someone will get back to them. Make the process as flexible and as easy for the requester as possible, so they don’t try to hide something they want to use.”

  2. Proactively look for shadow IoT devices. “Organizations need to look beyond their own network to discover shadow IoT, because much of it doesn’t live on the corporate network,” Raggo says. “More than 80 percent of IoT is wireless-enabled. Therefore, wireless monitoring for shadow IoT devices and networks can allow visibility and asset management of these other devices and networks.”

    Traditional security products list devices by a media access control (MAC) address or a vendor’s organizationally unique identifier (OUI), yet they are largely unhelpful in an environment with a plethora of different types of devices, Raggo adds. “IT really wants to know ‘what is that device?’ so they can determine if it’s a rogue or permitted device. In today’s world of deep-packet inspection and machine learning, mature security products should provide human-friendly categorizations of discovered assets to ease the process of asset management and security.”

  3. Isolate IoT. Ideally, new IoT and IIoT devices should connect to the internet via a separate Wi-Fi network dedicated to such devices that IT controls, says Wisniewski. The network should be configured to enable IoT devices to transmit information and to block them from receiving incoming calls. “With the majority of IoT devices, nothing legitimate is ever transmitted to them,” he says.

Anything shadowy is a problem

“Shadow anything is a problem, whether it’s an IoT device or any other addressable, unmanaged item,” says Wisniewski. “The key is controlling access to the network from only authorized devices, keeping an accurate inventory of authorized devices, and having clear policies in place to ensure employees know they aren’t allowed to ‘bring their own’ devices and that HR sanctions will be enforced if they do.”

Source: https://www.csoonline.com/article/3346082/what-is-shadow-iot-how-to-mitigate-the-risk.html

IoT and DDoS attacks dominate cybersecurity space

Connected devices often get attacked minutes after being plugged in.

IoT devices are being attacked with greater regularity than ever before, new research has suggested.

According to a new report by NETSCOUT, smart products often come under attack within five minutes of being plugged in, and are targeted by specific exploits within a day.

The Threat Landscape Report says IoT device security is ‘minimal to non-existent’ on many devices. That makes the IoT sector among the most vulnerable ones, especially given that medical equipment and connected cars fall under the IoT category.

DDoS, in general, is still on the rise, the report adds. The number of such attacks grew by a quarter last year. Attacks in the 100-400 Gbps range ‘exploded’, it says, which it takes as evidence of hackers’ ‘continued interest’ in this attack vector.

The global maximum DDoS attack size grew by 19 per cent last year, compared to the year before.

International institutions, such as the UN or the IMF, have never been this interesting to hackers. DDoS attacks against such organisations rose by almost 200 per cent last year.

Hackers operate similarly to the way legitimate businesses operate. They employ the affiliate model, allowing them to rake in profits quite quickly.

“Our global findings reveal that the threat landscape in the second half of 2018 represents the equivalent of attacks on steroids,” said Hardik Modi, NETSCOUT’s senior director of Threat Intelligence. “With DDoS attack size and frequency, volume of nation state activity and speed of IoT threats all on the rise, the modern world can no longer ignore the digital threats we regularly face from malicious actors capable of capitalizing on the interdependencies that wind through our pervasively connected world.”

Source: https://www.itproportal.com/news/iot-and-ddos-attacks-dominate-cybersecurity-space/

Are Hackers Winning The Denial Of Service Wars?

Distributed denial of service (DDoS) attacks are a particularly pernicious form of cyberattack where the bad actor seeks to take down a web site or even an entire corporate network by flooding it with malicious traffic.

DDoS attacks have been around for years – and many cybersecurity vendors have risen to the challenge, bringing increasingly sophisticated DDoS mitigation technologies to market.

The bad actors’ response is woefully predictable: increasingly advanced approaches to DDoS, leading to an escalating cat-and-mouse game, as enterprises and governments seek to stay ahead of the deluge of bad traffic hitting their networks.

Bring in the Bots

DDoS attackers use numerous Internet protocols, from the HTTP at the core of the web to simpler, lower-level protocols that do little more than request a brief acknowledgement from a server as part of an ongoing interaction. Request too many acknowledgements at one time, however, and the server can bog down.

At the next level of sophistication, hackers send such requests with a ‘spoofed’ source IP address, so that the server they query sends its response to a different host, which is the true target. In this way, hackers dupe unwitting organizations into playing a role in the attack, while the victim only sees traffic from presumably trustworthy sites or services. Because each response is much larger than the request that triggered it, the effect of the attack is amplified by a factor of one hundred or more.
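A defender-side view of the reflection pattern described above, as an added example that is not part of the Forbes article: from the victim network’s perspective, reflected traffic shows up as responses from well-known UDP service ports that no host inside ever requested. The flow-record format, the reflector port list and the sample records are constructed for this illustration.

```python
from collections import defaultdict
from typing import Dict, List, NamedTuple

# UDP services commonly abused as reflectors (assumed list for this example).
REFLECTOR_PORTS = {53: "dns", 123: "ntp", 1900: "ssdp", 11211: "memcached", 19: "chargen"}


class Flow(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    packets: int
    nbytes: int


def parse_flow(line: str) -> Flow:
    """Parse one constructed flow summary: 'src:sport > dst:dport proto pkts bytes'."""
    lhs, rest = line.split(" > ", 1)
    src, sport = lhs.rsplit(":", 1)
    dst_port, proto, pkts, nbytes = rest.split()
    dst, dport = dst_port.rsplit(":", 1)
    return Flow(src, int(sport), dst, int(dport), proto, int(pkts), int(nbytes))


def reflection_report(flows: List[Flow], min_reflectors: int = 3,
                      min_ratio: float = 10.0) -> Dict[str, dict]:
    """Flag hosts receiving far more bytes from reflector service ports than they
    sent to those ports. A legitimate client shows a small in/out ratio and few
    peers; a spoofed-source reflection victim shows many peers and (almost) no
    outbound requests at all, so the ratio is effectively unbounded."""
    inbound = defaultdict(int)      # host -> bytes arriving from reflector ports
    outbound = defaultdict(int)     # host -> bytes it sent to reflector ports
    reflectors = defaultdict(set)   # host -> reflector IPs seen
    services = defaultdict(set)     # host -> reflector services seen
    for f in flows:
        if f.proto != "udp":
            continue
        if f.sport in REFLECTOR_PORTS:
            inbound[f.dst] += f.nbytes
            reflectors[f.dst].add(f.src)
            services[f.dst].add(REFLECTOR_PORTS[f.sport])
        if f.dport in REFLECTOR_PORTS:
            outbound[f.src] += f.nbytes
    alerts = {}
    for host, in_bytes in inbound.items():
        out_bytes = outbound.get(host, 0)
        ratio = in_bytes / out_bytes if out_bytes else float("inf")
        if len(reflectors[host]) >= min_reflectors and ratio >= min_ratio:
            alerts[host] = {"reflectors": len(reflectors[host]),
                            "services": sorted(services[host]),
                            "inbound_bytes": in_bytes, "ratio": ratio}
    return alerts


# Constructed sample: 203.0.113.10 is hit by four DNS/NTP reflectors it never
# queried; 203.0.113.20 is an ordinary client doing a real DNS lookup.
SAMPLE_FLOWS = """\
198.51.100.1:53 > 203.0.113.10:40000 udp 12000 16800000
198.51.100.2:53 > 203.0.113.10:40000 udp 11000 15400000
198.51.100.3:123 > 203.0.113.10:40000 udp 9000 4320000
198.51.100.4:123 > 203.0.113.10:40000 udp 9500 4560000
203.0.113.20:51234 > 198.51.100.1:53 udp 2 140
198.51.100.1:53 > 203.0.113.20:51234 udp 2 420
"""


def analyze_sample() -> Dict[str, dict]:
    return reflection_report([parse_flow(l) for l in SAMPLE_FLOWS.splitlines()])


if __name__ == "__main__":
    for host, info in analyze_sample().items():
        print(host, info)
```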

DDoS attacks, however, have reached an even higher level of sophistication, as hackers are now able to compromise millions of computers, smartphones, and even Internet of Things (IoT) devices like security cameras and baby monitors, recruiting these devices into botnets that can launch increasingly massive, unpredictable attacks on global targets.

To make matters even worse, DDoS technology is simple and inexpensive to purchase on the Dark Web – leading to a black market for increasingly innovative DDoS malware. “There has been increased innovation in DDoS attack tools and techniques,” according to the NETSCOUT Threat Intelligence Report. “The availability of such improved tools has lowered the barrier of entry, making it easier for a broader spectrum of attackers to launch a DDoS attack.”

Size Matters

The simplest mitigation is for an enterprise or government agency to have on-premises equipment with sufficient capacity to absorb DDoS traffic, filtering out the malicious messages while allowing legitimate requests through, a process the industry calls scrubbing.

However, with the increasing sizes of the attacks, such a do-it-yourself approach rapidly becomes too expensive. “The increase in the impact and complexity of attacks continues unabated,” says Marc Wilczek, COO of Link11. “When faced with DDoS bandwidths well over 100 Gbps and multi-vector attacks, traditional IT security mechanisms are easily overwhelmed, and unprotected companies risk serious business disruption, loss of revenue and even fines.”

To place 100 gigabits per second (Gbps) into context, the fastest enterprise local-area ‘gigabit Ethernet’ networks generally run at one Gbps, and the fastest home Internet service will run around 100 megabits per second (Mbps) or a bit higher, which is one tenth of one Gbps.

Volumetric DDoS attacks – that is, attacks that rely on the sheer volume of traffic – can well exceed 100 Gbps. According to James Willett, VP technology at DDoS mitigation vendor Neustar, his company has mitigated attacks in excess of 460 Gbps. The largest attacks on record have exceeded 1,700 Gbps.

However, such volumetric attacks are easy to detect – and thus mitigation vendors with high mitigation capacities like Neustar’s 10+ Terabit per second (10,000+ Gbps) globally-distributed platform are able to deal with them in a straightforward fashion.

To respond to this mitigation capability, bad actors are mounting more complex attacks that typically involve enough volume to take down average Internet connections, but do so with intermittent bursts of diverse types of traffic over longer periods of time. “One of our clients is a gaming company,” Willett explains. “This client experienced an attack that lasted six days across numerous network protocols. It was an intermittent attack that generated 91 alerts for new attacks. The attacker was probing different network segments, but also using different attack vectors looking for weakness.”

Some attacks take even longer. “The longest DDoS attack in 2016 lasted 292 hours according to Kaspersky Lab’s research, or about 12 days,” according to Russ Madley, cybersecurity specialist at SecureData Europe, formerly head of B2B at Kaspersky Lab. “Most online businesses can ill-afford to have their ‘doors closed’ for even an hour, let alone for 292 hours, as criminals take advantage of their poor defences.”

Multifaceted DDoS Mitigation

When a Neustar on-demand customer detects an incoming DDoS attack, it redirects its network traffic to the Neustar network, which scrubs it and returns the bona fide traffic back to the customer’s network.

This mitigation technique requires a level of sophistication commensurate to the attacker’s. “An attacker’s goal is to mimic legitimate traffic as closely as possible, so that it’s harder to figure out what to filter,” Willett explains. “Neustar tweaks and adjusts filtering in real-time, often looking inside the packets to identify patterns of good or bad traffic to help with filtering.”

Understanding what to filter is almost as important as what not to filter. “We use tools like ThousandEyes to determine whether we are scrubbing too much, which impacts clean traffic, or under-scrubbing, which allows too much dirty traffic,” Willett continues. “We also use ThousandEyes and our own monitoring toolsets to monitor clean traffic tunnels at key points in the infrastructure after scrubbing to ensure availability.”

Neustar’s approach is similar to that of other DDoS mitigation vendors in the market, including Radware, NETSCOUT Arbor (which NETSCOUT acquired in 2015), Akamai Prolexic (acquired in 2014), and F5.

Regardless of the vendor, however, proper configuration is essential. “For DDoS mitigation to continue working properly it needs to be perfectly configured to the specific network it is protecting,” according to The State of DDoS Protection Report by MazeBolt Technologies. “The problem is that enterprise networks are constantly changing with servers and services added to networks to meet new demands. In order to ensure that DDoS mitigation is perfectly configured, enterprises need to match each network change with a respective fine-tuning of their DDoS mitigation posture.”

Industry analysts are also quick to sound a warning around the complexity of DDoS mitigation. “For bad traffic to be diverted to a scrubbing centre in a seamless action to reduce any downtime, organisations need to have seamless integration between cloud and on-premise solutions, implemented in front of an infrastructure’s network to help mitigate an attack before it reaches core network assets and data,” says Sherrel Roche, senior market analyst at IDC.

Gartner also offers words of caution. “To implement multiple denial-of-service defence measures at different layers would go beyond purchasing a single security product or signing up with a single service provider,” warns Gartner senior research analyst Rajpreet Kaur.

Who are the Bad Actors?

Unless you’re in the business of creating and selling malware on the Dark Web, the path to profit for a DDoS attacker is murkier than, say, cryptojacking or ransomware.

The key question: what’s in it for them? “The DDoS landscape is driven by a range of actors, from malware authors to opportunistic entities offering services for hire. They are a busy group, constantly developing new technologies and enabling new services while utilizing known vulnerabilities, pre-existing botnets, and well-understood attack techniques,” continues the NETSCOUT Threat Intelligence Report.

At the core of such threats: nation-states. “State-sponsored activity has developed to the point where campaigns and frameworks are discovered regularly for a broad tier of nations,” the NETSCOUT report continues. “Our findings include campaigns attributed to Iran, North Korea, Vietnam, and India, beyond the actors commonly associated with China and Russia.”

Kaspersky Lab also has an opinion. “We expect the profitability of DDoS attacks to continue to grow,” Madley adds. “As a result, [we] will see them increasingly used to extort, disrupt and mask other more intrusive attacks on businesses.”

In addition, the situation is likely to get worse. “When cybercriminals do not achieve their goals of earning money by launching simple DDoS attacks, they have two options,” says Alexey Kiselev, business development manager on the Kaspersky DDoS Protection team. “They can reconfigure the capacities required for DDoS attacks towards other sources of revenue, such as cryptomining, or malefactors who orchestrate DDoS attacks have to improve their technical skills.”

Kiselev concludes: “Given this, we can anticipate that DDoS attacks will evolve in 2019 and it will become harder for companies to detect them and stay protected.”

DDoS attacks, therefore, may not be the quickest route to profitability for bad actors, but given the importance of this attack technique to nation-state cyberwar adversaries, we can expect continued innovation on the part of the hackers. Enterprises and government agencies cannot afford to relax their efforts to combat such attacks.

Source: https://www.forbes.com/sites/jasonbloomberg/2019/02/12/are-hackers-winning-the-denial-of-service-wars/#4b701bc228ea


The Trouble With Growing Your Own DDoS Protection Methods

If you’re keeping up with what’s happening in the wonderful world of IT, you’re probably reading the blood-curdling headlines about 1.7 Tbps distributed denial of service (DDoS) attacks and gut-wrenching descriptions of average $40,000-per-hour costs of unmitigated attacks. 

You’ve also probably digested the fact that no business is too large or too small to be a target of distributed denial of service attacks. So, it’s natural to start thinking about IT security improvements. In these initial thoughts, it’s tempting to envisage a tidy, on-site operation. It has the latest hardware and software (you’re upgrading), and your IT team is in charge. But hold on a minute. Before you go any further, consider all your options before settling on a DIY security solution. There are many reasons why the wise choice is letting the security pros protect your network.

Five reasons to not DIY

The main reason to pass up DIY mitigation? Its limitations. Although tools and techniques of in-house DDoS mitigation are powerful, they can’t stop swift, massive, and sophisticated volumetric attacks. Remember, in on-premises DIY mitigation plans:

  • Protection starts too late in the attack cycle. DIY protection methods are usually a reaction to the initial attack. By the time the IT security team starts working, much of the damage is done. This is especially relevant in DDoS attacks that include application-layer exploits.
  • The ability to adjust configurations doesn’t always help. IT security pros can respond to an attack by adjusting configuration settings manually. However, this takes valuable time. Also, protection is good only for the same type of attack. This lack of flexibility becomes a problem in multi-vector exploits. When botmasters (human controllers of DDoS bots) change tactics in mid-attack, your protection loses its usefulness. 
  • Your network bandwidth limits DIY protection efforts. Your DDoS protection is only as good as your bandwidth is large. DDoS attacks commonly measure many times more than the volume of enterprise network traffic.
  • DIY protection can’t always distinguish malware and legitimate users. In-house, DDoS protection methods often involve static traffic rate limitations and IP blacklisting. When you use these relatively old-fashioned methods, legitimate users can be mistaken for malicious software. Being blocked from using your website is a quick way to lose customers. 
  • Prohibitive costs. For many companies wanting to upgrade their DDoS protection, this is the biggest problem of all. Purchasing, installing and deploying hardware appliances carry a hefty price tag that puts DIY protection beyond the budget of most organizations.

Don’t forget to protect your applications

Network users are discovering what IT security pros have known for a while. Volumetric attacks might be the familiar face of DDoS mayhem. In many cases, however, data and application security are also at risk. 

That’s because DDoS attacks are often smokescreens to exploits that look for valuable data and information. In an application-layer DDoS attack, a botnet distracts the security team. While the security pros deal with the immediate problem, bots search for any information that can be sold on the Dark Web. 

If you want to run your own DDoS protection methods, this is bad news. The security of applications that you run onsite is at risk. Given this expanded security scope, you would have to protect your apps by upgrading application-layer security measures. Experts recommend that to secure commercial applications, organizations must have their own remediation process, identity management methods, and infrastructure security procedures.

To run custom applications safely, you should adopt quite a few additional measures. These include application security testing, developer training, DevOps and DevSecOps practices, and maintaining an open source code inventory.

The ace up your sleeve—cloud-based mitigation services

The cloud is where you’ll find a powerful, cost-effective security option. Cloud-based, DDoS mitigation providers offer benefits that DIY methods lack. 

  • Broad DDoS protection. Cloud-based protection secures your infrastructure against attacks on your system’s network and application layers. 
  • No DDoS-related capital or operations costs. Mitigation service specialists offer DDoS protection as a managed service. There’s no need to invest in hardware or software. And, say good-bye to IT labor costs. Your IT staff doesn’t get involved in DDoS mitigation. 
  • No scalability problems. DDoS mitigation providers use large-scale infrastructures, with virtually unlimited bandwidth. 
  • No need to hire expensive talent. In-house DDoS protection solutions require IT pros with expensive, often hard-to-find knowledge and experience. The staffs of DDoS mitigation providers include the security and data specialists needed to keep DDoS attacks at bay.
  • You spend less time and money. When you add up the costs of all required assets and resources, the conclusion is clear. You’ll spend far less time, effort, and budget when you engage off-premises, DDoS protection services.

These are the benefits that most DDoS mitigation services provide. However, advanced mitigation providers go several steps beyond this already high standard of performance. For example, automated defense methods built into DDoS response software eliminate the need for time-consuming human intervention. In fact, these capabilities reduce time to mitigation to mere seconds. (The current industry record is 10 seconds). 

Isn’t it time to take advantage of this IT security firepower? With DDoS mitigation services at your back, you’ll never have to wince at another DDoS screamer headline again.

Source: http://trendintech.com/2019/01/27/the-trouble-with-growing-your-own-ddos-protection-methods/


The DDoS landscape: where we are, and where we’re going

If a week is a long time in politics, as former British Prime Minister Harold Wilson observed, a year in cyber security can seem like an eternity. But despite the rapid changes, many things remain constant. We can always expect cyber criminals to embrace new technology as fast as legitimate businesses do, and to use it to launch new types of attacks that are ever more damaging and harder to defend against.

DDoS attacks are a case in point. In April 2018, the UK’s National Crime Agency named DDoS as the leading threat facing businesses. The Agency noted the sharp increase in attacks on a range of organisations during 2017 and into 2018, and advised organisations to take immediate steps to protect themselves against the escalating threat.

DDoS gets bigger, stronger, smarter

This warning was timely, as through late 2017 and into 2018, DDoS attacks got much larger – and that trend is showing no signs of slowing down. In Q3 of 2018, the average DDoS attack volume more than doubled compared to Q1, from 2.2 Gbps to 4.6 Gbps according to Link11’s latest DDoS Report. These attack volumes are far beyond the capacity of most websites, so this is an alarming trend. Compared to Q2, the total number of attacks also grew by 71% in Q3, to an average of over 175 attacks per day.

Attacks also got more sophisticated. 59% of DDoS incidents in Q3 of 2018 used two or more attack vectors, compared with 46% in Q2. Meanwhile, a highly targeted and strategic approach to DDoS attacks was observed as the year went on; our operation centre saw DDoS attacks on e-commerce providers increase by over 70% on Black Friday (23 November) and by a massive 109% on Cyber Monday (26 November) compared with the November average. Attacks are focusing on specific sectors, with the aim of causing more disruption.

DDoS as a service

At the same time, these larger, more sophisticated DDoS attacks are easier for criminals to launch than ever before, thanks to DDoS-as-a-Service providers. Perhaps the best known of these, Webstresser.org, was selling multi-gigabit DDoS attacks on the Darknet for as little as $11 per attack before it was shut down by police in early 2018. Webstresser’s services were used in early 2018 to bring online services from several Dutch banks and numerous other financial and government services in the Netherlands to a standstill. Customers were left without access to their bank accounts for days.

Other services have sprung up to take Webstresser’s place, offering DDoS by the hour for $10, and by the day at bulk discount rates of $200. No expertise is required: just enter your (stolen) credit card details, and the domain you want to target. Even cloud services can be knocked offline, with very little money and little to no technical expertise required to launch an attack.

Web application attacks

Another increasingly targeted component of organisations’ IT estates during 2018 was web applications. 2018 saw high-profile breaches affecting tens of millions of customers from several high-profile companies in the travel and financial sectors. The aim of these attacks is to exfiltrate sensitive data for re-use or resale, with the attackers seeking to exploit weaknesses in the application itself, or the platform it is running on to get access to the data.

2019: predictions and protection

So as 2018 saw attacks growing in volume and complexity, what attacks can we expect to see in 2019?

We have already seen how versatile botnets are for crypto-mining and sending spam – this will extend into DDoS attacks too. Botnets benefit from the ongoing rapid growth in cloud usage and increasing broadband connections as well as the IoT, and the vulnerabilities they exploit are at the protocol and application level, which are very difficult to protect using standard network security solutions. Bots in public cloud environments can also propagate rapidly to build truly massive attacks.

Attack tactics, against which SSL encryption has long since ceased to be a defence, will gain even more intelligence in the coming months. The only possible answer to this can be defence strategies that cover machine learning and artificial intelligence, which can process large data streams in real time and develop adaptive measures. Highly-targeted attacks, such as those on web applications, will also continue because the rewards are so high – as we’ve seen from the 2018 data breaches we touched on earlier.

Also, 2019 could be the year in which a hacktivist collective or nation-state will launch a coordinated attack against the infrastructure of the internet itself. The 2016 DDoS attack against hosting provider Dyn showed that a single attack against a hosting provider or registrar could take down major websites. DDoS tools and techniques have evolved significantly since then, creating a very real risk of attacks that could take down sections of the Web – as shown by the attack which targeted ISPs in Cambodia. Other forms of critical infrastructure are also vulnerable to DDoS exploits, as we saw in 2018’s attack on the Danish rail network.

In conclusion, tech innovations will continue to accelerate and enable business, and cyber criminals will also take advantage of those innovations for their own gain. With more and more business taking place online, dependence on a stable internet connection rises significantly. Likewise, revenues and reputation are more at risk than ever before. Therefore, organisations must be proactive and deploy defences that can keep pace with even new, unknown threats – or risk becoming the next victim of increasingly sophisticated, highly targeted mega-attacks.

Source: https://www.information-age.com/the-ddos-landscape-123478142/
