Microsoft Skype Hit By Alleged DDoS Attack, Causes Connectivity Challenges

Microsoft has confirmed an outage in its Skype offering, which caused connectivity issues earlier this week and is allegedly the result of a Distributed Denial of Service attack.

Skype users started complaining about connectivity issues on Monday, with hours of downtime. The issues continued into Tuesday, with users losing connectivity and having trouble exchanging messages on the communications platform. The outage appeared to primarily affect Europe.

It is not clear if the connectivity issues affected just the consumer Skype application, or also Skype for Business.

Microsoft confirmed the issues with the service in a Tweet and on its blog, saying Monday that they were “aware of an incident where users will either lose connectivity to the application or may be unable to send or receive messages. Some users will be unable to see a black bar that indicates them that a group call is ongoing, and longer delays in adding users to their buddy list.” On Tuesday Microsoft updated the blog post to say it was “seeing improvements” but some users still were having issues with the service and the company was “working on that.”

Microsoft further updated the blog on Tuesday, saying it had made “some configuration corrections and mitigated the impact.”

“We are continuing to monitor and we will post an update when the issue is fully resolved,” Microsoft said.

Microsoft did not confirm reports at the time that the outage was the result of a DDoS attack. A hacker group, called CyberTeam, claimed responsibility for the attack in a tweet, saying “Skype Down by Cyberteam.”

Michael Goldstein, president and CEO of LAN Infotech, a Fort Lauderdale, Fla.-based Microsoft partner, called the incident “pretty scary,” assuming reports of a DDoS attack were true. He said it is concerning for small and medium businesses if a company as large as Microsoft can be hit by such an attack.

“It is definitely showing how the bad guys, how the dark side, is still looking to push [against big companies],” Goldstein said.

Goldstein said his company views Skype for Business as a “critical product” for both its own business and for its clients. He said he hopes Microsoft is working to bolster its Skype for Business product, as well as its consumer Skype product, against further attacks.

The reports of a DDoS attack against Microsoft come just a few months after a massive DDoS attack on Dyn caused significant Internet outages on the East Coast. The incident took down many popular websites, including Twitter and Netflix, as well as more than 1,200 other sites. That October attack came from devices infected by the Mirai botnet – malware that was revealed earlier that month and spreads by continuously scanning the Internet for IoT systems protected by factory-default or hard-coded usernames and passwords.


Risk Management Pros Say an IoT Security Incident Could Be Catastrophic

A recent survey by the Ponemon Institute and the Shared Assessments Program of 553 people with a role in risk management in their organizations found that 94 percent of those surveyed said a security incident related to unsecured IoT devices or applications could be catastrophic.

Still, just 44 percent of respondents said their organization has the ability to protect their network or enterprise systems from risky IoT devices, and only 25 percent said their boards require assurances that IoT risks are being appropriately assessed, managed and monitored.

Additionally, 77 percent of respondents said they don’t consider IoT-related risks in their third party due diligence, and 67 percent don’t evaluate IoT security and privacy practices before engaging in a business relationship.

Just 30 percent of respondents said managing third-party IoT risks is a priority in their organization.

“Ready or not, IoT third party risk is here,” Shared Assessments senior vice president Charlie Miller said in a statement. “Given the proliferation of connected devices, today’s cyber climate is evolving and organizations have to shift their focus to the security of external parties, now more than ever.”

“In order to avoid becoming the next big headline, our security tactics have to evolve along with the threats,” Miller added. “New technology and practices are needed to ensure security, and this starts by communicating the risks to the right people and acknowledging potential devastating outcomes when engaging with a third party. Avoiding these problems can no longer be the solution.”

Preventative Measures

In response, the report urges organizations to take the following key steps:

  1. Ensure inclusion of third-party and IoT risks occurs at all governance levels including the board.
  2. Update asset management processes and inventory systems to include IoT devices, and understand the security characteristics of all inventoried devices. When devices are found to have inadequate security controls, replace them.
  3. Continue to leverage and enhance contracts and policies and expand scope to include IoT specific requirements.
  4. Expand third-party assessment techniques and processes to ensure presence and effectiveness of controls specific to IoT devices.
  5. Develop specific sourcing and procurement requirements to ensure only IoT devices that are designed with security functions included and enabled are considered for product selection or acquisition.
  6. Devise new strategies, technologies and tactics directed specifically at reducing threats posed by IoT devices.
  7. Collaborate with industry experts, peers, associations and regulators to ensure IoT risk management best practices are devised, communicated and implemented.
  8. Include IoT in communication, awareness and training at all levels: board, executive, corporate, business unit and third-party.
  9. Recognize the increasing dependence on technology to support the business and the risk posed by this dependence.
  10. Embrace new technologies and innovations, but not at the expense of security, and ensure security controls are included as fundamental and core requirements.

Seventy-two percent of respondents said the pace of innovation in IoT and the varying standards for security make it hard to ensure the security of IoT devices and applications, and 65 percent said the drive for innovation in the IoT ecosystem requires new approaches to IT strategies and tactics.

Breaches and DDoS Attacks

Strikingly, 78 percent of respondents said a data breach involving an unsecured IoT device is likely to occur within the next two years, and 76 percent said the same of a DDoS attack involving an unsecured IoT device.

The concerns come as DDoS attacks become more and more frequent — according to Nexusguard’s Q1 2017 DDoS Threat Report, DDoS attack frequency surged by 380 percent in the first quarter of 2017, compared to the same time period the previous year.

The percentage of days with attacks larger than 10 Gbps rose significantly between January 2017 (48.39 percent) and March 2017 (64.29 percent).

Radware vice president of security Carl Herberger told eSecurity Planet by email that the rapid proliferation of unsecured IoT devices is driving the increase in DDoS attacks. “The Mirai attack made headlines last year, but it should not be considered a one-off,” he said. “Instead, this event was a predictor of what is to come.”

“Hackers are constantly developing new ways to leverage connected devices with little to no security protections to form larger and larger botnets that are able to execute dangerous and sizable DDoS attacks,” Herberger added. “We’ve seen various botnets appear over the last year, including Hajime, BrickerBot and Persirai, demonstrating that IoT devices have become a new battleground for hackers.”

“Until manufacturers, the government, and consumers take a hard look at IoT security, the threat of bigger, more frequent IoT-fueled DDoS attacks will only loom larger,” Herberger said.


4 School Districts in Florida Attacked By Moroccan Hackers

A group of hackers from Morocco allegedly tried to hack US voting systems. In the attempt, they breached four school districts in Florida.

According to reports, several hacking attempts were said to be made on the US voting system and culprits were mostly believed to be from Russia. However, it seems that another group also wanted to try and interfere with the election.

MoRo, a hacking group from Morocco, managed to breach the defenses of four different school district networks. Their main goal was to find a way from there into sensitive government systems. United Data Technologies (UDT), a company that investigates such attacks, stated that the hackers got into these networks via phishing attacks.

The Miami Herald reports that they infected the school networks with malware by sending infected images via email. Unsuspecting workers clicked on the images, which was enough for the malware to infect their devices. A similar attack also targeted one of Florida’s city networks.

Upon entering the school systems, the hackers took care to turn off the logs that recorded who had accessed them, which made it very difficult to discover exactly what they did once inside. Still, UDT analysts found that the hackers spent around three months in the systems. They used this time to test defenses and map out the networks, and they even posted a photo of a man dressed as an ISIS fighter.

The only one of the four districts to be named was Miami-Dade, which is also the largest in Florida. It is believed that the attackers who hacked this and the other three districts initially intended to steal personal data from thousands of students, and then realized that they could access much more than that.

Apart from other personal information, the school district also holds Social Security numbers for former and current students and their parents, not to mention all of the school employees. Still, the attackers seem to have failed to obtain any of this data, despite their three months of access. Analysts even say the hackers did not manage to access voting systems at all.

“They weren’t just looking for the names of kids and valuable Social Security numbers, UDT found. The hackers were also searching for some way to slip into other sensitive government systems, including state voting systems.”

This is considered only an attempted hack, and there were seven such attempts. Despite the ISIS-related picture being posted on the district’s website, Miami-Dade says there is no evidence of any access to, or malware in, its computer systems.

It is believed that the first attack occurred in the fall. It was in November when the ISIS-inspired photo appeared, and it stayed up for 24 hours. That same photo appeared on another school district’s website a month later.

UDT says the schools were only an entry point to the city and county systems, and even those would serve only as a way to search for a backdoor into the larger government systems. Michael Kaiser, executive director of the National Cyber Security Alliance, has said it is not unusual for school district networks to be connected to bigger networks.

It would therefore make sense for a hacking group to go for an easy target and then work its way to the main one. According to UDT, the hackers even bragged about their achievements online, and mentioned plans to get into the voting systems and bring them down. The odd part is that this happened in December, a month after the voting was over.

Still, UDT contacted the FBI, and the malware was reverse-engineered. There was no evidence of stolen data, but the FBI declined to comment on the incident. Whatever the point of these attacks was, they raised awareness of the importance of security in school districts.


DDoS attacks continue to morph

According to Bryan Hamman, territory manager for sub-Saharan Africa at Arbor Networks, while reflection and amplification techniques have come to characterise a large number of complex, multi-vector DDoS attacks, the latest approach is to use reflection to exploit the Connectionless Lightweight Directory Access Protocol (CLDAP).

Traditionally, large reflection or amplification attacks have abused protocols such as NTP, DNS, SNMP, SSDP, SQL RS or Chargen. “But this new trend has now been discovered ‘in the wild’, with the force to generate highly efficient and destructive results,” he says.

What is CLDAP?

CLDAP is essentially a computer networking protocol designed for legitimate users to query and modify stored data on X.500 directory systems. It is typically used on Windows Exchange servers and domain controllers.

By providing directory and access control, one can use CLDAP to locate printers on a network, find a phone number of an employee, or see the security groups a user belongs to, for instance.

The modus operandi involves the attacker sending the server very small queries over the connectionless protocol, with the source address spoofed to that of the victim. The server then sends its far larger response to the victim. Initial findings suggest that this approach amplifies the original query by a factor in the region of 46 to 55.

“This makes CLDAP attacks highly efficient. A well-orchestrated attack that exploits an organisation’s vulnerabilities could very quickly achieve massive total attack size, and bring down the digital systems of all but the largest and best-protected organisations.”

Primary targets

Reports from cloud giant Akamai show that in the largest example of CLDAP reflection as the sole vector, a 52-byte query was amplified by as much as 70 times, creating attack packets of 3,662 bytes, a peak bandwidth of 24 Gbps and 2 million packets per second.

CLDAP attacks have primarily targeted the software and technology industry. Other industries targeted include internet and telecom, media and entertainment, education, retail and consumer goods, and financial services.

Fighting back

To effectively resist this type of DDoS attack, organisations need to thoroughly address the potential threat at a network level, by covering a number of bases:

  • Prevent abuse: Ensure that you have anti-spoofing deployed at the edges of your networks.
  • Detect attacks: Leverage flow telemetry exported from all network edges to Arbor technology, to automatically detect, classify, traceback, and alert on DDoS attacks.
  • Ready mitigation techniques: Deploy network infrastructure-based reaction/mitigation techniques such as Source-Based Remotely-Triggered Blackholing (S/RTBH) and flowspec at all network edges.
  • Mitigate attacks: Deploy intelligent DDoS mitigation systems at strategic points within your network.
  • Minimise damage: Deploy Quality-of-Service (QoS) mechanisms at all network edges to police CLDAP traffic down to an appropriate level.
  • Remediate CLDAP services: Proactively scan for and remediate abusable CLDAP services on the ISP and customer networks to reduce the number of abusable CLDAP servers.
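
As an added illustration of the detection and amplification points above (example code written for this page, not Arbor’s or Akamai’s), the script below scores constructed, simplified flow records for CLDAP reflection toward a victim and derives the amplification factor from the Akamai figures. The record layout, addresses and thresholds are assumptions.

```python
"""Score flow telemetry for CLDAP reflection toward a victim.

Added example for this page, not Arbor's or Akamai's code. The flow records are
constructed and use a simplified NetFlow/IPFIX-style layout; the addresses are
RFC 5737 documentation ranges and the thresholds are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass

CLDAP_PORT = 389
# In the Akamai case quoted above a 52-byte CLDAP query drew a 3,662-byte response.
# A reflected response therefore carries far more bytes per packet than any query
# the victim could legitimately have sent.
QUERY_BYTES = 52


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str        # "udp" or "tcp"
    packets: int
    octets: int       # total bytes in the flow
    duration_s: float


def amplification_factor(query_bytes: int, response_bytes: float) -> float:
    """Bandwidth amplification factor: response size divided by query size."""
    if query_bytes <= 0:
        raise ValueError("query size must be positive")
    return response_bytes / query_bytes


def cldap_reflection_candidates(flows, min_reflectors=3,
                                min_bytes_per_packet=1000, min_bps=1_000_000):
    """Return {victim_ip: summary} for destinations that look like reflection targets.

    A target is flagged when UDP traffic *from* port 389 arrives from at least
    min_reflectors distinct servers, each packet is far larger than a CLDAP query
    (min_bytes_per_packet), and the aggregate rate reaches min_bps. Normal CLDAP
    use (one domain controller answering a client with small replies) stays below
    all three thresholds.
    """
    per_dst = defaultdict(lambda: {"reflectors": set(), "packets": 0,
                                   "octets": 0, "duration": 0.0})
    for f in flows:
        # Only UDP responses whose source port is the CLDAP service port matter here;
        # LDAP over TCP cannot be reflected this way and client->server queries are skipped.
        if f.proto != "udp" or f.src_port != CLDAP_PORT:
            continue
        agg = per_dst[f.dst_ip]
        agg["reflectors"].add(f.src_ip)
        agg["packets"] += f.packets
        agg["octets"] += f.octets
        agg["duration"] = max(agg["duration"], f.duration_s)

    findings = {}
    for dst, agg in per_dst.items():
        bpp = agg["octets"] / agg["packets"]
        bps = agg["octets"] * 8 / max(agg["duration"], 1e-9)
        if (len(agg["reflectors"]) >= min_reflectors
                and bpp >= min_bytes_per_packet and bps >= min_bps):
            findings[dst] = {
                "reflectors": len(agg["reflectors"]),
                "bytes_per_packet": round(bpp, 1),
                # Estimated amplification, assuming ~52-byte queries as in the Akamai case.
                "est_amplification": round(amplification_factor(QUERY_BYTES, bpp), 1),
                "mbps": round(bps / 1e6, 1),
            }
    return findings


# Constructed sample telemetry: five abused CLDAP servers (198.51.100.0/24) answering
# spoofed queries toward the victim 203.0.113.10, plus benign traffic from a domain
# controller (192.0.2.5) that must not be flagged.
SAMPLE_FLOWS = [
    Flow(f"198.51.100.{i}", CLDAP_PORT, "203.0.113.10", 55000 + i, "udp",
         1000, 1000 * 3662, 10.0)
    for i in range(1, 6)
] + [
    Flow("192.0.2.77", 51234, "192.0.2.5", CLDAP_PORT, "udp", 20, 20 * 52, 30.0),    # client queries
    Flow("192.0.2.5", CLDAP_PORT, "192.0.2.77", 51234, "udp", 20, 20 * 200, 30.0),   # small replies
    Flow("192.0.2.5", CLDAP_PORT, "192.0.2.78", 41000, "tcp", 400, 400 * 1200, 30.0),  # LDAP/TCP
]


if __name__ == "__main__":
    print("Akamai case: %.1fx" % amplification_factor(52, 3662))
    for victim, summary in cldap_reflection_candidates(SAMPLE_FLOWS).items():
        print(victim, summary)
```

The same per-destination aggregate (bytes per packet and reflector count) is what a flow collector would use to trigger the S/RTBH, flowspec or QoS policing steps listed above.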

“Like many other reflection techniques, organisations must always have ingress filtering in place. Unless there is a real need for your firm to have CLDAP available over the internet, you shouldn’t expose this protocol,” concludes Hamman.


DDoS attacks hitting ‘record-breaking’ levels as volumes increase 380%

DDoS attackers are hitting hard, fast and with no breaks in between, leading to record-breaking attacks over hours or even days, according to Nexusguard’s Q1 2017 Threat Report.

Those record-breaking attacks came over Valentine’s Day, Chinese New Year and other ‘typically quiet’ periods of the season.

“In APAC, a lengthy attack January 28-31, the period of Chinese New Year, lasted 2 days, 19 hours, and 40 minutes. It was a widespread, disruptive event that left celebrants weary and exhausted upon returning to work,” the report says.

DDoS attack volumes have also risen 380% since the same time last year, according to Nexusguard’s statistics, based on 16,600 attacks.

While 51% of attacks lasted fewer than 90 minutes, 4% exceeded 1,440 minutes. 77.3% of attacks were below 10 Gbps, while 20% were between 10 and 200 Gbps and 2% exceeded 200 Gbps.

The United States, China and Japan rounded out the top three sources for attacks. The rest of APAC was relatively unused as an attack source.

However, it’s not just overall DDoS attack counts that are on the rise: HTTP flood attacks jumped 147% in the last quarter alone, and are now one of the leading volumetric attack types, exceeding both TCP and DNS attacks.

The company cites the Internet of Things as a major weak point, particularly as the range of insecure devices and connections explodes. DDoS attacks can be persistent and long-lasting, which is a major area of concern.

“IoT botnets are only the beginning for this new reign of cyber attacks. Hackers have the scale to conduct gigantic, continuous attacks; plus, teams have to contend with attacks that use a combination of volumetric and application aspects,” comments Nexusguard’s CTO Juniman Kasman.

Those attacks are not happening in isolation. 93% of attacks combine application and volumetric vulnerabilities. Multiple DDoS attacks can also overwhelm systems.

The company warns that organisations that haven’t invested in – or haven’t upgraded – multi-layered defense mechanisms run the highest risk of attack exposure.

“This early data for 2017 shows that enterprises need to employ multi-layered defenses that use nimble resources, including large, redundant scrubbing networks and around-the-clock security operations if they hope to keep from drowning in the deluge of new attacks,” Kasman adds.


Operators beware: DDoS attacks—large and small—keep increasing

Despite years’ worth of warnings and countermeasures, distributed denial of service (DDoS) attacks continue to escalate. Every year sees more of them, with increasing duration and severity.

The frequency was up by 380% in the first quarter of 2017 compared to the first quarter of 2016, according to Nexusguard, which compiled this set of statistics (PDF) in a new report. From the fourth quarter of 2016 to the first quarter of 2017, HTTP attack counts and total attack counts increased by 147% and 37% respectively.

Examples of increasing severity include a 275 Gbps attack that took place during Valentine’s Day (there have been significantly larger attacks) and an attack spanning 4,060 minutes that occurred over the Chinese New Year, the company said.

The percentage of days with sizable attacks (larger than 10 Gbps) grew appreciably within the quarter, from 48.39% in January to 64.29% in March.

Lengthier attacks at erratic intervals are becoming the norm, the company said.

A separate, simultaneously published report from Corero Network Security said its customers have been hit by an increasing number of small DDoS attacks. Though attacks of 10 Gbps or smaller would seem less severe, what’s insidious about them is that they are apt to sneak under minimum detection thresholds. Though the DDoS attacks themselves might not be that disruptive, they can give hackers the access to wreak plenty of other damage.

Corero CEO Ashley Stephenson said in a statement, “Short DDoS attacks might seem harmless, in that they don’t cause extended periods of downtime. But IT teams who choose to ignore them are effectively leaving their doors wide open for malware or ransomware attacks, data theft or other more serious intrusions. Just like the mythological Trojan Horse, these attacks deceive security teams by masquerading as a harmless bystander—in this case, a flicker of internet outage—while hiding their more sinister motives.”

Nexusguard believes part of the increase in DDoS activity is a ripple effect of the increased botnet activity that occurred in the fourth quarter.

This is in part a reference to the Mirai botnet, which was first identified in the latter half of 2016. Mirai provided a means to take over connected devices with inadequate built-in security safeguards (webcams, some set-top boxes, etc.) and use them to launch sustained attacks, sometimes with spectacular results.

Those attacks revealed the Achilles’ heel in the internet of things: Many IoT applications are based on the distribution of large numbers of very inexpensive devices, which can be made so cheaply in part by adopting only minimal security, if any.

The DDoS problem is worldwide, but nearly a quarter of the attacks are launched from the U.S. (followed by China and Japan). That’s likely to remain the case, as more U.S. households install “smart” devices that have poorly guarded IP addresses, making them susceptible to hijacking in the service of more DDoS attacks.

“IoT botnets are only the beginning for this new reign of cyberattacks. Hackers have the scale to conduct gigantic, continuous attacks; plus, teams have to contend with attacks that use a combination of volumetric and application aspects,” said Nexusguard CTO Juniman Kasman, in a statement.

The two largest sources of DDoS attacks were China and Japan, with Russia a distant third.

The release of such results is meant to emphasize what should be obvious: companies that haven’t upgraded their security are the most vulnerable.


What’s next for DDoS attacks?

Distributed denial of service (DDoS) attacks have been threatening organizations across the globe in recent years, damaging corporate reputations and causing downtime that has inconvenienced customers at best and crippled businesses at worst. 2016 marked a watershed for the volume, virulence and sophistication of attacks. However, this is just the beginning; the worst is yet to come.

According to the findings of the recent Neustar Worldwide DDoS Attacks and Cyber Insights Research Report, more than eight in ten organisations surveyed globally have been attacked at least once in the previous 12 months (an increase of 15 percent since 2016). Furthermore, 85 percent of those attacked were hit more than once.

Despite knowing the threats, companies are still struggling to detect and respond to DDoS attacks effectively and efficiently. In fact, 40 percent of respondents globally were only alerted to a DDoS attack by customers, a major embarrassment for their brands. This figure is up from 29 percent in 2016.

What is new for DDoS?

It is crucial to highlight that DDoS attack size, complexity and ferocity will continue to grow this year. Multi-vector attacks, termed advanced persistent denial of service (APDoS), have become a near-universal experience, demonstrating that attackers are consolidating the most effective methods to launch multi-pronged attacks on the networks, servers and software of organizations. Using botnets such as the Mirai botnet of insecure Internet of Things devices to perform attacks and probe for vulnerabilities will also shape DDoS attack strategies and experiences in 2017.

Permanent Denial of Service (PDoS) attacks, or ‘phlashing’, are another way to wreak havoc in 2017. PDoS attack code aims to render a target device useless: attackers can remotely or physically replace the software controlling connected hardware such as routers or printers with a version that does nothing, or even overload power subsystems. The potential damage could be significant. Consider the fire hazard an overheating smartphone can be, for example, or managing a disaster without a communications network.

DDoS attack in APAC

With organisations across Asia Pacific (APAC) being attacked more often, businesses should regularly re-examine the effectiveness of existing security strategies, including DDoS mitigation. The consequences of a DDoS attack can be significant.

After a DDoS attack, 33 percent of APAC organizations reported average revenue losses of $250,000 or more, with 49 percent taking three hours or longer to detect the attack and 42 percent taking at least three hours to respond.

Further, DDoS attacks are often used to mask other cybercrime activity. The installation of ransomware and malware in concert with DDoS attacks was reported by 49 percent of organisations in APAC. In 2017, the victims of DDoS attacks around the world have experienced more malware (43% reported vs 37% a year before), network breaches/damage (32% vs 25%), customer data theft (32% vs 21%), ransomware (23% vs 15%), financial theft (21% vs 14%) and lost intellectual property (21% vs 15%).

While nine in 10 companies globally are investing more in DDoS-specific defenses today, stronger defenses are likely needed to mitigate the growing risk and likely impact of a major DDoS attack quickly and effectively.

Finding the right solution

Currently, there are several solutions in the market that organisations could consider.

Several low cost content delivery network (CDN) style services can offer inexpensive DDoS protection, however they may impose usability issues and be unable to stop a significant attack.

Similarly, DDoS mitigation appliances can be effective against certain types of attacks, however increasingly popular large-scale floods can overwhelm circuit capacity and render the appliance ineffective.

On-demand cloud mitigation, where network traffic is redirected to a mitigation cloud during an attack, is reliable and cost effective. However, it depends on swift failover to the cloud in order to avoid downtime.

Always-routed cloud mitigation, on the other hand, redirects web traffic on a constant basis. The constant redirection can add network latency even when no attack is under way, and additional services may be required to address application layer attacks.

Adopting a DDoS mitigation approach that includes a managed appliance and cloud (hybrid) is the best option, yet can be costly. The appliance will stop any DDoS attack within the circuit capacity feeding the network, and automatically trigger cloud mitigation, if the circuit is in danger of becoming overwhelmed.

DDoS attacks are likely to frustrate even more organizations from now on, with new attack vectors and a focus on destroying the utility of devices. Those working to protect the customer experience, revenues and brand reputations can best protect themselves by working with knowledgeable partners that have extensive experience in identifying and addressing contemporary DDoS attacks, access to multiple sources of intelligence, and a drive to continually improve their expertise.


What’s business continuity management and why does your business need it?

Reality check: Modern businesses rely on their digital capabilities now more than ever. Downtime has become a terrifying thing to even utter, let alone consider. This is why an effective business continuity plan has become a cornerstone in every business, with IT-centric businesses being no exception. Business Continuity is all about identifying what your key products are and what you can do to ensure that business continues as usual even in the case of disruptions or catastrophes, no matter the size or cause.

In truth, business continuity planning is not such an alien concept even to regular consumers. Ever planned a holiday? Whenever planning a holiday, we think of the worst case scenarios and how we can come out of them unscathed, without ruining our well-earned trip. We set up plans in case something goes wrong with our ‘core services’ and we’re prepared for it. We search for additional taxi services in the area despite having booked a cab already, or we check for alternate routes should we rent a car. It’s never a good idea to go on a vacation unprepared for something to go wrong, and a business should be no different.

Being the largest multi-site data centre provider in Malta, we are experienced in the business of keeping our customers’ systems online at all costs. The ideal IT services provider should strive to deliver a redundant solution in every component within their setup. At BMIT, we take great care in adopting this approach, from upgrading our core infrastructure services all the way to training our technical team to adopt best-practice methods for optimal business continuity management. Improving redundancy should always be the utmost priority when it comes to introducing new products within an IT Services provider’s portfolio.

Studies show that the average total cost of unplanned application downtime per year is €1 billion to €2.5 billion for the Fortune 1000 companies. An hour of infrastructure failure costs an average of €100,000 with the number jumping fivefold to €500,000 to €1m in the case of a critical application failure; certainly not numbers to scoff at.

The digital world undergoes changes every day and it is imperative to constantly keep working to ensure that the systems are up-to-date and relevant to the present realities. The introduction of new ranges of systems and services that protect customers against common business continuity pitfalls always helps to cement the provider’s commitment to ensure the clients’ uptime.

With the world fast approaching an almost completely digitally-dependent era, the dangers of the dark side of the internet become an ever-present reality for the modern digital business. In recent years Distributed Denial of Service attacks, otherwise known as DDoS attacks, have emerged as one of the most disruptive ways in which a business can be brought down to its knees. DDoS attacks are weapons of mass disruption aimed at paralysing internet systems including networks, websites and servers, resulting in lost revenues, compromised site performance and tarnished reputations.

BMIT has had to take these dangers into consideration, especially since even ISPs can be targeted, which would put us at a risk of not being able to provide a connection for our customers. In recent years, we’ve launched a multi-tiered DDoS protection and mitigation system to protect our customers from even the most vicious of DDoS attacks.

From our experience in the industry, we have learnt that best practice is for our private network’s bandwidth to be sourced from multiple providers and delivered across multiple redundant links, in order to eliminate the risk of our customers going offline through a single outage. This setup ensures that our clients are hosted on a reliable, ISO 27001-certified network that does not rely on a single connection.

At BMIT we offer clients various features which help ensure continuity for their business. We now have a multi-tiered DDoS protection and mitigation system protecting our redundant 40 Gbps private international network. This network consists of multiple geographically-separated links, each of which can take over the traffic load should there be any faults in the other links.

Moreover, we have multiple data centres and international points of presence which form a key part of business continuity plans for our customers. Geo-redundancy is a critical aspect of business continuity for international customers, and our presence across countries addresses this. For example, some clients mirror their servers from one data centre to another. In addition, we also offer several backup options as well as managed services options to help our clients achieve a robust business continuity plan.

As part of our portfolio, our customers can also tap into several tools to manage their systems, including advanced firewall solutions as well as virtual load-balancing services. Ultimately, each of our redundant service offerings is a step forward in our customers’ pursuit of ensuring their business stays up.

Customers’ feedback is vital and should always be taken into consideration. Good business continuity practices are a top priority for clients and usually the main reason why providers with great core infrastructures for business continuity retain customers.


The dark, dangerous, and insanely profitable world of DDoS attacks

Imagine a business model with a 95 percent profit margin. As wonderful as this sounds, this business is certainly not something that most would want to get into. We’re talking, of course, about the criminal enterprise of Distributed Denial of Service (DDoS) attacks.

This form of cyber-crime has grown exponentially over the past few years, giving CIOs and digital business leaders sleepless nights about whether they’ll be the next victim. Powerful DDoS attacks have a devastating effect: flooding web servers and hauling companies offline, causing untold financial and reputational damage.

“The popularity of DDoS has spawned a criminal underworld, with thousands of service providers hiding out on the so-called ‘Dark Web’,” explains Arbor Network’s territory manager for Sub-Sahara, Bryan Hamman.

These nefarious organisations offer to execute DDoS attacks for as little as just a few dollars. One simply chooses the type of attack (do you want to use web servers or connected botnets?), the magnitude, the duration, and indicates the victim that they’re targeting.

“These Dark Web services have made it very simple to enlist the resources needed for a DDoS attack. Self-service portals and bitcoin payment systems guarantee one’s anonymity and eliminate the need for direct contact with the service provider,” says Hamman.

He adds that reports and status updates are all published via these portals, allowing customers to track the impact of their attacks. In some cases, there are even bonuses for each attack that’s commissioned – so DDoS providers even have a form of loyalty programme.

Soft targets

Cyber-security company Kaspersky Lab recently found that the most basic attack (sold at about USD25 per hour) resulted in a profit to the service provider of about USD18 per hour.

But the second revenue stream emerges with those DDoS attacks that demand a ransom from companies in return for restoring services and bringing the victim back online. In these cases, profit shares from the ransoms can push the overall profit margins to over 95 percent.

The intended victims themselves are priced differently – with the likes of government websites, and organisations known to have some form of defence in place, commanding a much higher premium, notes Hamman.

“It’s interesting to note the level of awareness and information held by the DDoS service providers, as they distinguish between the soft targets and the more difficult quests. Those organisations with the most advanced DDoS defences are far less likely to be targeted,” he explains.

The answer

“With such rich pickings available for cyber-criminals, it shows that the scourge of DDoS isn’t likely to slow down anytime soon,” highlights Hamman.

Almost all types of organisations today are totally dependent on connectivity to sustain their business. As we rapidly adopt Cloud architectures and new mobility or virtual office solutions, all of our data, applications and services are only available when we’re connected.

So it stands to reason that organisations should ensure they have professional and dedicated DDoS prevention solutions in place. “Companies need to have what we term ‘layered protection’ – incorporating broad DDoS attack detection and mitigation, alongside network visibility and actionable security intelligence.”

“By remaining on the cusp of the latest DDoS protection tools, it becomes possible to thwart any attacks from the growing legion of DDoS attackers out there,” he adds.

And, when these criminal services are so immediately available for hire, with just a few clicks of the mouse, the threat of DDoS is ever-present for all businesses and industries.

By Bryan Hamman, Arbor Network’s territory manager for Sub-Sahara


Examining the FCC claim that DDoS attacks hit net neutrality comment system

Attacks came from either an unusual type of DDoS or poorly written spam bots.

On May 8, when the Federal Communications Commission website failed and many people were prevented from submitting comments about net neutrality, the cause seemed obvious. Comedian John Oliver had just aired a segment blasting FCC Chairman Ajit Pai’s plan to gut net neutrality rules, and it appeared that the site just couldn’t handle the sudden influx of comments.

But when the FCC released a statement explaining the website’s downtime, the commission didn’t mention the Oliver show or people submitting comments opposing Pai’s plan. Instead, the FCC attributed the downtime solely to “multiple distributed denial-of-service attacks (DDoS).” These were “deliberate attempts by external actors to bombard the FCC’s comment system with a high amount of traffic to our commercial cloud host,” performed by “actors” who “were not attempting to file comments themselves; rather, they made it difficult for legitimate commenters to access and file with the FCC.”

The FCC has faced skepticism from net neutrality activists who doubt the website was hit with multiple DDoS attacks at the same time that many new commenters were trying to protest the plan to eliminate the current net neutrality rules. Besides the large influx of legitimate comments, what appeared to be spam bots flooded the FCC with identical comments attributed to people whose names were drawn from data breaches, which is another possible cause of downtime. There are now more than 2.5 million comments on Pai’s plan. The FCC is taking comments until August 16 and will make a final decision some time after that.

The FCC initially declined to provide more detail on the DDoS attacks to Ars and other news organizations, but it is finally offering some more information. A spokesperson from the commission’s public relations department told Ars that the FCC stands by its earlier statement that there were multiple DDoS attacks. An FCC official who is familiar with the attacks suggested they might have come either from a DDoS or spam bots but has reason to doubt that they were just spam bots. In either case, the FCC says the attacks worked differently from traditional DDoSes launched from armies of infected computers.

A petition by activist group Fight for the Future suggests that the FCC “invent[ed] a fake DDoS attack to cover up the fact that they lost comments from net neutrality supporters.”

But while FCC commissioners are partisan creatures who are appointed and confirmed by politicians, the commission’s IT team is nonpartisan, with leadership that has served under both Presidents Obama and Trump. There’s no consensus among security experts on whether May 8 was or wasn’t the result of a DDoS attack against the FCC comments site. One security expert we spoke to said it sounds like the FCC was hit by an unusual type of DDoS attack, while another expert suggested that it might have been something that looked like a DDoS attack but actually wasn’t.

Breaking the silence

FCC CIO David Bray offered more details on how the attack worked in an interview with ZDNet published Friday. Here’s what the article said:

According to Bray, FCC staff noticed high comment volumes around 3:00 AM the morning of Monday, May 8. As the FCC analyzed the log files, it became clear that non-human bots created these comments automatically by making calls to the FCC’s API.

Interestingly, the attack did not come from a botnet of infected computers but was fully cloud-based.

By using commercial cloud services to make massive API requests, the bots consumed available machine resources, which crowded out human commenters. In effect, the bot swarm created a distributed denial-of-service attack on FCC systems using the public API as a vehicle. It’s similar to the distributed denial of service attack on Pokemon Go in July 2016.

This description “sounds like a ‘Layer 7’ or Application Layer attack,” Cloudflare Information Security Chief Marc Rogers told Ars. This is a type of DDoS, although it’s different from the ones websites are normally hit with.

“In this type of [DDoS] attack, instead of trying to saturate the site’s network by flooding it with junk traffic, the attacker instead tries to bring a site down by attacking an application running on it,” Rogers said.

“I am a little surprised that people are challenging the FCC’s decision to call this a DDoS,” Rogers also said. Cloudflare operates a global network that improves performance of websites and protects them from DDoS attacks and other security threats.

When asked if the FCC still believes it was hit with DDoS attacks, an FCC spokesperson told Ars that “there have been DDoS attacks during this process,” including the morning of May 8. But the FCC official we talked to offered a bit less certainty on that point.

“The challenge is someone trying to deny service would do the same thing as someone who just doesn’t know how to write a bot well,” the FCC official said.

FCC officials said they spoke with law enforcement about the incident.

Spam bots and DDoS could have same effect

DDoS attacks, according to CDN provider Akamai, “are malicious attempts to render a website or Web application unavailable to users by overwhelming the site with an enormous amount of traffic, causing the site to crash or operate very slowly.” DDoS attacks are “distributed” because the attacks generally “use large armies of automated ‘bots’—computers that have been infected with malware and can be remotely controlled by hackers.” (Akamai declined to comment on the FCC downtime when contacted by Ars.)

In this case, the FCC’s media spokesperson told Ars the traffic did not come from infected computers. Instead, the traffic came from “cloud-based bots which made it harder to implement usual DDoS defenses.”

The FCC official involved in the DDoS response told us that the comment system “experienced a large number of non-human digital queries,” but that “the number of automated comments being submitted was much less than other API calls, raising questions as to their purpose.”

If these were simply spammers who wanted to flood the FCC with as many comments as possible, like those who try to artificially inflate the number of either pro- or anti-net neutrality comments, they could have used the system’s bulk filing mechanism instead of the API. But the suspicious traffic came through the API, and the API queries were “malformed.” This means that “they aren’t formatted well—they either don’t fit the normal API spec or they are designed in such a way that they excessively tax the system when a simpler call could be done,” the FCC official said.

Whether May 8 was the work of spam bots or DDoS attackers, “the effect would have been the same—denial of service to human users” who were trying to submit comments, the FCC official said. But these bots were submitting many fewer comments than other entities making API calls, suggesting that, if they were spam bots, they were “very poorly written.”

The official said a similar event happened in 2014 during the previous debate over net neutrality rules, when bots tied up the system by filing comments and then immediately searching for them. “One has to ask why a bot would file, search, file, search, over and over,” the official said.

If it was just a spam bot, “one has to wonder why, if the outside entity really wanted to upload lots of comments in bulk, they didn’t use the alternative bulk file upload mechanism” and “why the bots were submitting a much lower number of comments relative to other API calls,” the official said.

The FCC says it stopped the attacks by 8:45am ET on May 8, but the days that followed were still plagued by intermittent downtime. “There were other waves after 8:45am that slowed the system for some and, as noted, there were ‘bots’ plural, not just one,” the FCC official said. On May 10, “we saw other attempts where massive malformed search queries also have hit the system, though it is unclear if the requestors meant for them to be poorly formed or not. The IT team has implemented solutions to handle them even if the API requests were malformed.”

Was it a DDoS, or did it just look like one?

There is some history of attackers launching DDoS attacks from public cloud services like Amazon’s. But the kind of traffic coming into the FCC after the John Oliver show might have looked like DDoS traffic even if it wasn’t, security company Arbor Networks says. Arbor Networks, which sells DDoS protection products, offered some analysis for its customers and shared the analysis with Ars yesterday. Arbor says:

When a client has an active connection to a website which is under heavy load, there is a risk that the server will be unable to respond in a timely fashion. The client will then start to automatically resend its data, causing increased load. After a while, the user will also get impatient and will start to refresh the screen and repeatedly press the “Submit” button, increasing the load even further. Finally, the user will, in most cases, close the browser session and will attempt to reconnect to the website. This will then generate TCP SYN packets which, if processed correctly, will move to the establishment of the SSL session which involves key generation, key exchange, and other compute-intensive processes. This will most likely also time out, leaving sessions hanging and resulting in resource starvation on the server.

A spam bot would behave in the same manner, “attempting to re-establish its sessions, increasing the load even further,” Arbor says. “Also, if the bot author wasn’t careful with his error handling code, the bot might also have become very aggressive and start to flood the server with additional requests.”

What the FCC saw in this type of situation might have looked like a DDoS attack regardless of whether it was one, Arbor said:

When viewed from the network level, there will be a flood of TCP SYN packets from legitimate clients attempting to connect; there will be a number of half-open SSL sessions which are attempting to finalize the setup phase and a large flood of application packets from clients attempting to send data to the Web server. Taken together, this will, in many ways, look similar to a multi-faceted DDoS attack using a mix of TCP-SYN flooding, SSL key exchange starvation, and HTTP/S payload attacks.

This traffic can easily be mistaken for a DDoS attack when, in fact, it is the result of a flash crowd and spam bot all attempting to post responses to a website in the same time period.

DDoS attacks generally try to “saturate all of the bandwidth that the target has available,” Fastly CTO Tyler McMullen told Ars. (Fastly provides cloud security and other Web performance tools.) In the FCC’s case, the attack sounds like it came from a small number of machines on a public cloud, he said.

“Another form of denial-of-service attack is to make requests of a service that are computationally expensive,” he said. “By doing this, you don’t need a ton of infected devices to bring down a site—if the service is not protected against this kind of attack, it often doesn’t take much to take it offline. The amount of traffic referenced here does not make it obvious that it was a DDoS [against the FCC].”

Server logs remain secret

The FCC declined to publicly release server logs because they might contain private information such as IP addresses, according to ZDNet. The logs reportedly contain about 1GB of data per hour from the time period in question, which lasted nearly eight hours.

The privacy concerns are legitimate, security experts told Ars.

“Releasing the raw logs from their platform would almost certainly harm user privacy,” Rogers of Cloudflare told Ars. “Finally, redacting the logs would not be a simple task. The very nature of application layer attacks is to look exactly like legitimate user traffic.”

McMullen agreed. “Releasing the logs publicly would definitely allow [the details of the attack] to be confirmed, but the risk of revealing personal information here is real,” he said. “IP addresses can sometimes be tied to an individual user. Worse, an IP address combined with the time at which the request occurred can make the individual user’s identity even more obvious.” But there are ways to partially redact IP addresses so that they cannot be tied to an individual, he said.

“One could translate the IP addresses into their AS numbers, which is roughly the equivalent of replacing a specific street address with the name of the state the address is in,” he said. “That said, this would still make it clear whether the traffic was coming from a network used by humans (e.g. Comcast, Verizon, AT&T, etc) or one that primarily hosts servers.”
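The partial redaction McMullen describes, as an added example that is not the FCC’s or Fastly’s code: each client IP in a web server log is replaced by its AS number (longest-prefix match against a routing table) and the timestamp is coarsened to the hour, so that the IP-plus-time combination he warns about no longer survives. The prefix table, the request paths and the log lines are constructed for illustration; a real redaction would use a full BGP table.

```python
"""Redact access-log lines for release: IP -> AS number, timestamp -> hour.

Added example, not the FCC's or Fastly's code. The routing table and the
sample log are constructed; real use needs a complete prefix-to-ASN table.
"""
import ipaddress
import re

# Constructed routing table: (prefix, origin ASN). The most specific
# matching prefix wins, as in real longest-prefix-match lookups.
ROUTING_TABLE = [
    (ipaddress.ip_network("198.51.100.0/24"), 64500),   # "residential ISP"
    (ipaddress.ip_network("203.0.113.0/24"), 64501),    # "cloud provider"
    (ipaddress.ip_network("203.0.113.128/25"), 64502),  # more specific block
]

# Common Log Format: ip ident user [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)$'
)


def ip_to_asn(ip_str):
    """Return the ASN of the longest matching prefix, or None if unrouted."""
    addr = ipaddress.ip_address(ip_str)
    best = None
    for net, asn in ROUTING_TABLE:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, asn)
    return best[1] if best else None


def coarsen_timestamp(ts):
    """'08/May/2017:03:17:42 +0000' -> '08/May/2017:03:00:00 +0000'."""
    date_part, rest = ts.split(":", 1)
    hour = rest.split(":")[0]
    tz = ts.rsplit(" ", 1)[1]
    return f"{date_part}:{hour}:00:00 {tz}"


def redact_line(line):
    """Rewrite one log line, or return None for lines that do not parse
    (dropping them is safer than releasing an unparsed, unredacted line)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    asn = ip_to_asn(m["ip"])
    origin = f"AS{asn}" if asn is not None else "AS-UNKNOWN"
    return (f'{origin} - - [{coarsen_timestamp(m["ts"])}] '
            f'"{m["req"]}" {m["status"]} {m["size"]}')


def redact_log(lines):
    return [r for r in (redact_line(l) for l in lines) if r is not None]


# Constructed sample log; the paths are placeholders, not real FCC endpoints.
SAMPLE_LOG = [
    '198.51.100.17 - - [08/May/2017:03:17:42 +0000] "POST /api/comments HTTP/1.1" 200 512',
    '203.0.113.200 - - [08/May/2017:03:17:43 +0000] "POST /api/comments HTTP/1.1" 503 0',
    '192.0.2.9 - - [08/May/2017:03:18:01 +0000] "GET /api/comments?q=x HTTP/1.1" 200 2048',
    'not a log line',
]

if __name__ == "__main__":
    for out in redact_log(SAMPLE_LOG):
        print(out)
```

As McMullen notes, the result still distinguishes traffic from a residential network (AS64500 here) from traffic from a hosting network (AS64501/64502), which is exactly the signal an analyst would need.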

Open by design

The FCC’s public comments system is supposed to allow anyone to submit a comment, which raises some challenges in trying to prevent large swarms of traffic that can take down the site.

The FCC has substantially upgraded its website and the back-end systems that support it since the 2014 net neutrality debate. Instead of ancient in-house servers, the comment system is now hosted on the Amazon cloud, which IT departments can use to scale computing resources up and down as needed.

But this month’s events show that more work needs to be done. The FCC had already implemented a rate limit on its API, but the limit “is tied to a key, and, if bots requested multiple keys, they could bypass the limit,” the FCC official told us.
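The weakness the FCC official describes, as an added example that is not the FCC’s code: a fixed-window rate limiter whose budget follows only the API key lets a single source multiply its budget by registering more keys, while a hardened variant also budgets per source address and caps how many keys one source may hold. Limits, key format and the sample source addresses are constructed for illustration.

```python
"""Per-key rate limit vs. per-key-plus-per-source rate limit.

Added example, not the FCC's code. All thresholds are constructed.
"""
from collections import defaultdict
import itertools

WINDOW_SECONDS = 60
PER_KEY_LIMIT = 100        # requests per API key per window (constructed)
PER_SOURCE_LIMIT = 120     # requests per source IP per window (constructed)
KEYS_PER_SOURCE_LIMIT = 2  # API keys one source may register (constructed)


class FixedWindowCounter:
    """Count events per bucket inside fixed windows of WINDOW_SECONDS."""

    def __init__(self, limit):
        self.limit = limit
        self.counts = defaultdict(int)  # (bucket, window_id) -> count

    def allow(self, bucket, now):
        key = (bucket, int(now // WINDOW_SECONDS))
        if self.counts[key] >= self.limit:
            return False
        self.counts[key] += 1
        return True


class KeyOnlyLimiter:
    """Weak design: the budget is tied to the key, so N keys give N budgets."""

    def __init__(self):
        self.per_key = FixedWindowCounter(PER_KEY_LIMIT)
        self._ids = itertools.count()

    def issue_key(self, source_ip):
        return f"key-{next(self._ids)}"  # no cap on keys per source

    def allow(self, api_key, source_ip, now):
        return self.per_key.allow(api_key, now)


class HardenedLimiter(KeyOnlyLimiter):
    """Also budget by source address and cap key issuance per source."""

    def __init__(self):
        super().__init__()
        self.per_source = FixedWindowCounter(PER_SOURCE_LIMIT)
        self.keys_by_source = defaultdict(set)

    def issue_key(self, source_ip):
        if len(self.keys_by_source[source_ip]) >= KEYS_PER_SOURCE_LIMIT:
            return None  # refuse further keys for this source
        key = super().issue_key(source_ip)
        self.keys_by_source[source_ip].add(key)
        return key

    def allow(self, api_key, source_ip, now):
        if api_key not in self.keys_by_source[source_ip]:
            return False  # key was not issued to this source
        # Source budget is checked first; a request over the source limit
        # is rejected without touching the per-key budget.
        return (self.per_source.allow(source_ip, now)
                and self.per_key.allow(api_key, now))


def requests_accepted(limiter, source_ip, keys_requested, attempts):
    """One source registers up to `keys_requested` keys, then spreads
    `attempts` requests round-robin over them within a single window."""
    keys = [k for k in (limiter.issue_key(source_ip)
                        for _ in range(keys_requested)) if k]
    if not keys:
        return 0
    return sum(1 for i in range(attempts)
               if limiter.allow(keys[i % len(keys)], source_ip, now=0.0))
```

With ten keys and a thousand requests in one window, the key-only limiter accepts all thousand, while the hardened limiter issues only two keys and stops at the per-source budget of 120; a client with one key and fifty requests is unaffected by either.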

The FCC has avoided using CAPTCHA systems to distinguish bots from humans because of “challenges to individuals who have different visual or other needs,” the official said. Even “NoCAPTCHA” systems that only require users to click a box instead of entering a hard-to-read string of characters can be problematic.

“Some stakeholders who are both visually impaired and hearing impaired have reported browser issues with NoCAPTCHA,” the FCC official said. “Also a NoCAPTCHA would mean you would have to turn off the API,” but there are groups who want to use the API to submit comments on behalf of others in an automated fashion. Comments are often submitted in bulk both by pro- and anti-net neutrality groups.

The FCC said it worked with its cloud partners to stop the most recent attacks, but it declined to share more details on what changes were made. “If folks knew everything we did, they could possibly work around what we did,” the FCC official said. Senate Democrats asked the FCC to provide details on how it will prevent future attacks.

While the net neutrality record now contains many comments of questionable origin and quality, the FCC apparently won’t be throwing any of them out. But that doesn’t mean they’ll hold any weight on the decision-making process.

“What matters most are the quality of the comments, not the quantity,” Pai said at a press conference this month. “Obviously, fake comments such as the ones submitted last week by the Flash, Batman, Wonder Woman, Aquaman, and Superman are not going to dramatically impact our deliberations on this issue.”

There is “a tension between having open process where it’s easy to comment and preventing questionable comments from being filed,” Pai said. “Generally speaking, this agency has erred on the side of openness. We want to encourage people to participate in as easy and accessible a way as possible.”
