Memcached Servers Being Exploited in Huge DDoS Attacks

Multiple vendors this week say they have seen a recent spike in UDP attacks coming in via port 11211.

Multiple security vendors this week are warning about threat actors for the first time exploiting unprotected Memcached servers to launch dangerously large denial-of-service attacks against target organizations.

German DDoS mitigation service provider Link11, one of those to report on the new activity, says that over the past few days it has observed massive UDP attacks in which Memcached servers have been used as an amplification vector.

Each of the high-bandwidth attacks that Link11 observed in late February has exceeded 100 Gbps, with peaks of well over 400 Gbps. The attacks went on over multiple consecutive days and lasted up to 10 minutes on average, according to the company.

Akamai Technologies says that on Monday it mitigated a 190 Gbps Memcached attack that generated over 17 million packets per second. Cloudflare, another vendor to report on the previously unseen attack type, says that over the past two days it has seen an increase in UDP attacks coming in via UDP port 11211, the port associated with Memcached services.

The company says the peak inbound UDP Memcached traffic it has seen so far is 260 Gbps, which is massive for a completely new amplification vector.

Memcached is open source software that many organizations install on their servers to improve performance. It works by caching data in system memory and is designed purely for use behind firewalls and on enterprise LANs, says Link11 CTO Karsten Desler. But many organizations have deployed Memcached hosts that are completely accessible from the public Internet. All attackers have to do is search for these hosts and then use them to direct high-volume DDoS traffic at a victim.

Desler says a recent Link11 scan showed at least 5,000 Memcached servers deployed on the public Internet that are open for exploit. These servers give attackers a way to generate massive volumes of DDoS traffic with even a relatively small bandwidth connection and minimal input.

“The amplification factor with Memcached servers is hundreds of times larger than DNS,” says Desler. “You need a lot fewer servers to get the same bandwidth [compared to] using DNS, NTP, or any other amplification vector,” he says.

With DNS amplification, for instance, an attacker might be able to generate a 50KB response to a 1KB request. But with a Memcached server, an attacker would be able to send a 100-byte request and get a 100MB or even 500MB response in return. In theory, at least, the amplification could be unlimited, Desler says.

Security researchers have previously warned about Internet-facing Memcached servers being open to data theft and other security risks. Desler theorizes one reason why attackers have not used Memcached as an amplification vector in DDoS attacks previously is simply because they have not considered it and not because of any technical limitations.

Exploiting Memcached servers is new as far as real-world DDoS attacks are concerned, says Chad Seaman, senior engineer with Akamai’s Security Intelligence Response Team. “A researcher had theorized this could be done previously,” Seaman says. “But as Memcached isn’t meant to run on the Internet and is a LAN-scoped technology that is wide open, he thought it could really only be impactful in a LAN environment.”

But the use of default settings and reckless administration overall among many enterprises has resulted in a situation where literally tens of thousands of boxes running Memcached are on the public-facing Internet, Seaman says. “And now the DDoS attackers have found them and appear to be capitalizing on them before significant clean-up efforts take place.”

What makes the attacks worrisome is that Memcached services are deployed on servers and in hardware pools with plenty of bandwidth and resources. Unlike typical reflected attacks with mostly static payloads — like CharGen and NTP — that cannot be easily modified, with Memcached reflection an attacker has much more control over the payload. This gives them the potential to do a lot more damage, Seaman says.

“The primary problem is that Memcached, with its lack of authentication or controls, is world readable and writable. It’s also very fast, as it does all data management directly in memory, and by default it supports key value stores of up to 1MB.”

So, if attackers can find suitably beefy machines and load them up with as many keys as they want, they can use the box to launch waves of traffic with amplification rates far exceeding the norm for DDoS attacks, Seaman says. “In theory, an attack could unleash gigs of traffic from a single machine with a packet that’s only a few dozen bytes.”

Mitigation at this point is basically blocking traffic from source port 11211 at the router, firewall, and elsewhere along the network edge, adds Domingo Ponce, director of global security operations at Akamai. Organizations also need to ensure they have the bandwidth to absorb the attacks while allowing legitimate traffic to remain up.

“It’s real and we’ve seen it,” Ponce says. “At the end of the day, your pipes better be big enough.”
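Detection logic for the traffic the vendors above describe, as an added example that is not from the article or from any of the vendors quoted: it parses constructed flow records in an assumed format, treats UDP arriving from port 11211 on an external host as reflection traffic (a LAN-only Memcached deployment never answers from outside the perimeter), and alerts when one target receives more than a threshold rate in a one-second window. The internal address ranges, the record format and the sample flows are all constructed here.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

MEMCACHED_PORT = 11211  # the UDP port the vendors above saw reflected traffic coming from

# Constructed record format (not any vendor's export format):
# "<ISO-8601 ts> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port> bytes=<n> pkts=<n>"
FLOW_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<proto>udp|tcp)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+bytes=(?P<bytes>\d+)\s+pkts=(?P<pkts>\d+)$"
)

# Assumed address space of the organisation being monitored (documentation ranges).
INTERNAL_NETS = [ip_network("198.51.100.0/24"), ip_network("10.0.0.0/8")]


def amplification_factor(request_bytes, response_bytes):
    """Bytes returned per byte sent: the article's 100-byte request for a 100 MB reply is 1,000,000x."""
    return response_bytes / request_bytes


def parse_flow(line):
    """Return a dict for one flow record, or None for a line that does not match the format."""
    m = FLOW_RE.match(line.strip())
    if m is None:
        return None
    flow = m.groupdict()
    for field in ("sport", "dport", "bytes", "pkts"):
        flow[field] = int(flow[field])
    return flow


def is_memcached_reflection(flow, internal_nets=INTERNAL_NETS):
    """UDP arriving *from* port 11211 on an external host is reflection traffic.

    Legitimate Memcached clients talk to destination port 11211 inside the LAN,
    so an external server answering one of our hosts from that port is never expected.
    """
    if flow["proto"] != "udp" or flow["sport"] != MEMCACHED_PORT:
        return False
    src_internal = any(ip_address(flow["src"]) in net for net in internal_nets)
    dst_internal = any(ip_address(flow["dst"]) in net for net in internal_nets)
    return dst_internal and not src_internal


def detect_reflection(lines, internal_nets=INTERNAL_NETS, mbps_threshold=100.0):
    """Aggregate reflection flows per (target, one-second window); alert above a rate threshold."""
    buckets = defaultdict(lambda: {"bytes": 0, "pkts": 0, "reflectors": set()})
    for line in lines:
        flow = parse_flow(line)
        if flow is None or not is_memcached_reflection(flow, internal_nets):
            continue
        window = flow["ts"][:19]  # truncate to whole seconds: YYYY-MM-DDTHH:MM:SS
        bucket = buckets[(flow["dst"], window)]
        bucket["bytes"] += flow["bytes"]
        bucket["pkts"] += flow["pkts"]
        bucket["reflectors"].add(flow["src"])

    alerts = []
    for target, window in sorted(buckets):
        bucket = buckets[(target, window)]
        mbps = bucket["bytes"] * 8 / 1e6  # one-second window, so bytes*8 is bits per second
        if mbps >= mbps_threshold:
            alerts.append({
                "target": target,
                "window": window,
                "mbps": mbps,
                "pkts": bucket["pkts"],
                "reflectors": len(bucket["reflectors"]),
            })
    return alerts


# Constructed sample: one second of reflected traffic from three open Memcached hosts,
# one stray reflected packet a second later, legitimate LAN Memcached traffic, a TCP flow
# from port 11211 (not the UDP vector), and a malformed line.
SAMPLE_FLOWS = [
    "2018-02-27T10:00:01Z udp 203.0.113.10:11211 -> 198.51.100.5:443 bytes=6000000 pkts=4200",
    "2018-02-27T10:00:01Z udp 203.0.113.11:11211 -> 198.51.100.5:443 bytes=6000000 pkts=4200",
    "2018-02-27T10:00:01Z udp 203.0.113.12:11211 -> 198.51.100.5:443 bytes=6000000 pkts=4200",
    "2018-02-27T10:00:02Z udp 203.0.113.10:11211 -> 198.51.100.5:443 bytes=1400 pkts=1",
    "2018-02-27T10:00:01Z udp 10.0.0.5:11211 -> 10.0.0.9:40001 bytes=1200 pkts=1",
    "2018-02-27T10:00:01Z tcp 203.0.113.10:11211 -> 198.51.100.5:5523 bytes=1200 pkts=3",
    "this line is not a flow record",
]

if __name__ == "__main__":
    for alert in detect_reflection(SAMPLE_FLOWS):
        print(f"{alert['window']} {alert['target']}: {alert['mbps']:.1f} Mbps "
              f"from {alert['reflectors']} reflectors ({alert['pkts']} pkts)")
```

The flows this flags are the ones the source-port-11211 block Ponce describes is meant to drop at the edge, so keeping the detector running after the filter goes in shows whether the filter is actually catching them.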


What cybersecurity surprises does 2018 hold?

One thing’s for sure: securing ourselves and our organizations will only get more difficult this year.

Bitcoin, the General Data Protection Regulation in Europe and the Internet of Things (IoT) are just three recent developments that will present security professionals with new challenges in 2018. That’s in addition to the usual raft of malware, DDoS attacks and database thefts that have dominated the headlines for some time.

To get a handle on what to expect, we asked two Keeper Security experts – Director of Security and Architecture Patrick Tiquet and Chief Technology Officer Craig Lurey – to peer into their crystal balls to find what 2018 holds. Here’s what they saw.


IoT has been on Patrick’s mind a lot lately, not just because it represents a vast expansion of the attack surface, but also because it opens whole new types of data to compromise. “Every aspect of your everyday life is potentially accessible to anyone anywhere in the world in seconds,” he says. “All your conversations can be accessed, captured and converted.”

Vulnerabilities have already been reported in voice-activated personal assistants, and attackers years ago figured out how to turn on smart phone microphones and cameras without the owner’s knowledge. “We will see a major IoT security disaster this year, and I think it will be bigger than the Dyn hack of 2016,” Patrick says, referring to the attack that originated with printers, security cameras, residential gateways and baby monitors.

New attack vectors

New attack vectors have also been on Craig’s mind, particularly in light of recent disclosures of hardware flaws in microprocessors. “There’ll be more activity by hackers around hardware-based attacks that go after the memory of the device,” he says. Particularly concerning is that “Spectre and Meltdown took advantage of hardware flaws but were able to abstract them to the software level.” That makes them harder to stop with conventional anti-malware protections alone. Hardware vulnerabilities may demand a whole new type of protection.


GDPR has many people spooked because of its onerous penalties – violators can be fined up to four percent of annual revenues per incident – as well as the strict set of controls the regulation imposes upon keepers of personal information. Will the European Union enforce GDPR to the full extent of the law, or will the scope of the penalties cause regulators to pull their punches? Patrick thinks it’s the former. “It’s in the EU’s best interest to aggressively enforce the regulation,” he says. “If they don’t, then people will ignore it.” He expects the EU to penalize an assortment of large, medium and small companies “to show that just because you’re small, you don’t get to skate.”

Password alternatives

Many smart phone makers have lately been showing off alternatives to passwords, such as biometric security controls. While these technologies have some promise, they also create new targets for attackers, Craig believes. Cyber criminals will turn more attention to compromising systems that are supposedly super secure, such as two-factor authentication (2FA), he expects. “Meltdown opened up new ways to get in,” by showing how hardware can be exploited, he says. “Attackers will look for ways to sidestep 2FA.”

Emergency warning systems

Another intriguing new target for the bad guys is emergency warning systems. Just since the first of the year, citizens in Hawaii and Japan have received false notifications of impending missile attacks. In both cases, human error was the culprit, but attackers will no doubt look for opportunities to create mayhem using the same channels. Imagine the security implications of being able to clear out entire neighborhoods or cities for burglars to mine. “It’s social engineering on a large scale,” says Craig.


Now that the bitcoin bubble is beginning to melt away, practical applications of blockchain will emerge, Patrick believes. So will questions about the security of various blockchain-based technologies. Cryptocurrencies will be a viable medium of transactions in the future, but Patrick doesn’t believe bitcoin will be the winner. “It relies on massive amounts of electricity, and I don’t think it’s sustainable,” he says. “What makes a currency valuable over the long term is its stability. Bitcoin looks more like a Ponzi scheme right now.” As an alternative, he suggests Digibyte, which is billed as a set of “digital assets that cannot be destroyed, counterfeited or hacked.”

Our experts also shared these quick predictions:

“The security skills gap will become even more pronounced. Companies will have less time available to patch quickly, which will create even more opportunities for ransomware authors.” –Patrick

“More sites will require strong passwords and start defaulting to much longer generated passwords. There’ll be more attention paid to 2FA, but that approach will also be under fire.” –Craig

“State-sponsored hacking will grow and continue to be a concern. I don’t think it’s going away.” –Patrick

“There’ll be a lot more work around security at the software development stage. New cybersecurity degrees and programs will pop up in this area. It deserves its own field of study.” –Craig

One thing is clear from our experts’ prognostications: Securing ourselves and our organizations will only get more difficult this year.


Let’s Not Make the Distributed Internet Insecure

We built the internet to be fast and efficient, but made mistakes that have led to the security problems we see today: DDoS attacks, massive breaches, thefts of huge amounts of data, and tampering with systems for either profit or political gain. In building the internet, we prioritized performance, and built the infrastructure assuming people would use it for good. Now we know better. The next generation of internet infrastructure needs to be built assuming that everything can and will be attacked.

A key piece of the next-generation internet will be Distributed Ledger technologies (DLTs) like blockchain. DLTs allow a network of actors who don’t necessarily need to know or trust each other to nevertheless come to agreement on the order of some set of transactions – without some specially empowered and trusted third party. This holds value not only for the cryptocurrencies that have rapidly gained popularity, but also for markets, stock exchanges, games, or any other kind of distributed community you want to participate in without having to trust everyone in the community.

Clearly, if DLTs are going to be used for real-world and meaningful use cases, then they must be protected against all sorts of possible malicious activity, as well as the likelihood of network faults. If DLTs are used to track the ownership of valuable resources (whether currency, diamonds, or real estate) then we have to expect them to be targeted – and need to prepare for that.

Two security risks to DLTs arguably do not receive their fair share of attention: Distributed Denial of Service (DDoS) attacks, and state manipulation. Both ultimately derive from consolidation of the nodes that determine consensus, in two different forms: consolidation of control and consolidation of location.

Distributed Denial of Service

A Distributed Denial of Service (DDoS) attack occurs when an attacker is able to flood an honest node on a network with meaningless messages, preventing that node from performing other (valid) duties and roles. In a DLT, those other duties would be the processing required to achieve consensus.

Consensus protocols are the engine of DLTs, and all rely on nodes sending and receiving messages, and on processing and validating those messages. In some DLTs, one node or some set of nodes is ‘special’ compared to the rest. If an attacker is able to prevent such a special node from performing those consensus operations with a targeted DDoS, then consensus could be inhibited.

Consensus models fall along a spectrum of how much they empower nodes with special privileges. A single central database is at one extreme, and a DLT where no nodes are special is at the other. DLTs that give some special privileges to some nodes sit in the middle of the continuum. Generally, the more privileges a DLT assigns to a particular node, the more vulnerable it will be to DDoS – because a DDoS against a special node will be more damaging than a DDoS against any normal node. It is consolidation of control over consensus that makes a DLT vulnerable to DDoS.

Leader-based DLTs (such as Paxos, Raft, PBFT, and dPOS) elect a leader from amongst the community of nodes. This leader plays a special role in enabling consensus (for the duration of their turn). Because the normal nodes need to know which of them is the current leader in order to send it messages, that knowledge is equally available to an attacker, who can direct a DDoS at the current leader. As the leader changes, the attacker simply adjusts their target in real time, in a ‘follow the leader’ pattern. If the leader can be tied up by the DDoS, they may be unable to play their key role in enabling consensus for the other nodes.

While proof-of-work DLTs, like Bitcoin and Ethereum, also grant particular nodes special privileges, they guard against DDoS by randomizing the selection of that privileged node via the mining process (and the underlying hashing puzzle). If an attacker hoped to target miners with a DDoS to prevent a new block being added to the chain, they would be unlikely to know *which* miner would win the crypto puzzle and be granted the ability to add the block.

Consequently, the attacker wouldn’t be able to target the miner selected until after the fact. However, while proof-of-work provides DDoS resistance, the mining process introduces inefficiency and slowness, leading to expenses that cause consolidation in location.

Other consensus models guard against DDoS by using a more egalitarian distribution of the burden of determining consensus. When all nodes contribute to consensus, then knocking one out with a DDoS will not stop consensus.

DDoS attacks and the risk of government interference both highlight a fundamental reality – when more nodes secure a network, the network is less dependent on any particular nodes, and that makes it more robust. Prioritizing a few nodes to help reach consensus runs the risk of DDoS attacks, while prioritizing one location runs the risk of government interference.

If blockchain and other distributed ledger technologies are to become ubiquitous, we must understand their limitations, evaluate their security risks, and make choices on our architecture, assuming that the bad guys will be looking for ways to ‘break’ these powerful systems to their advantage as soon as we build them.


JenX botnet using video game to recruit IoT devices

Security researchers have found a new botnet that uses flaws connected to the Satori botnet and uses hosting services running multiplayer versions of Grand Theft Auto to infect IoT devices.

According to a blog post by Radware researcher Pascal Geenens, the botnet uses the vulnerabilities CVE-2014-8361 and CVE-2017-17215, which affect certain Huawei and Realtek routers.

Both exploit vectors are known from the Satori botnet and are based on code that was part of a recent public Pastebin post by “Janit0r,” the author of “BrickerBot.”

Geenens said the malware also uses techniques similar to those seen in the recently discovered PureMasuta, whose source code was recently published on an invite-only dark web forum.

“Our investigation led us to a C2 server hosted under the domain ‘’ of which the site provides GTA San Andreas Multi-Player mod servers with DDoS Services on the side,” he said.

One service is called Corriente Divina (“divine stream”) and is described as “God’s wrath will be employed against the IP that you provide us.” It provides a DDoS service with a guaranteed bandwidth of 90-100Gbps and attack vectors including Valve Source Engine Query and 32-byte floods, TS3 scripts and a “Down OVH” option, which most probably refers to attacks targeting the hosting service of OVH, a cloud hosting provider that was also a victim of the original Mirai attacks back in September 2016, according to Geenens.

A short time later, Geenens returned to the site and discovered that the DDoS attack service description had changed, with an “upgrade” of services to a guaranteed DDoS volume of 290-300Gbps.

This San Calvicie-hosted botnet is “untypical” of the IoT botnets Geenens has seen, as it uses servers to perform the scanning and the exploits.

“Nearly all botnets, including Mirai, Hajime, Persirai, Reaper, Satori and Masuta perform distributed scanning and exploiting. That is, each victim that is infected with the malware will perform its own search for new victims. This distributed scanning provides for an exponential growth of the botnet but comes at the price of flexibility and sophistication of the malware itself,” he said.

Geenens said that unless someone frequently plays GTA San Andreas, they will probably not be directly impacted.

“There is nothing that stops one from using the cheap US$ 20 (£14) per target service to perform 290Gbps attacks on business targets and even government related targets. I cannot believe the San Calvicie group would oppose it,” he added.

Since the discovery, some European providers have taken down the exploit servers hosted in their datacenters, but there are still active servers operational. He warned that JenX can be easily concealed and hardened against takedowns.

“As they opted for a central scan and exploit paradigm, the hackers can easily move their exploit operations to bulletproof hosting providers who provide anonymous VPS and dedicated servers from offshore zones,” he said. “These providers do not care about abuse. Some are even providing hosting services from the Darknet. If the exploit servers were moved to the Darknet, it would make it much more difficult to track down the servers’ location and take them down.”

Tony Hart, chief architect at Corero Network Security, told SC Media UK that this new JenX botnet is a standard variant of the Mirai/Satori virus with one major difference: it does not self-propagate, and instead recruits new botnet members through central services.

“This botnet is designed to specifically target gaming providers and is leveraging two known vulnerabilities. Hackers are offering this botnet as a DDoS service with a guaranteed bandwidth of 290 to 300 Gbps so anyone can easily buy the services and add any other payloads for maximum impact,” he said.

David Kennerley, director of threat research at Webroot, told SC Media UK that if JenX has the capabilities it boasts, then it has the potential to cause havoc when directed at any target entity.

“Every botnet has the potential to stop employees reaching the internet and/or stop customers from visiting a merchant’s site. A botnet’s primary goal is disruption, whether for perceived revenge upon a person or organisation or for blackmail purposes. Within industry it’s usually about costing the target money,” he said.

“There are two sides to protection. The first is making sure your equipment doesn’t become part of the botnet. Keep all devices, especially those “set up and forget” IoT devices, up-to-date and keep abreast of the latest vulnerabilities reported. Importantly, understand which devices need to be internet facing, and correctly configure defensive equipment, like firewalls, and actively monitor all aspects of your IT setup.”

Adam Brown, manager of security solutions at Synopsys, told SC Media UK that IoT software, like any other software, needs a software security initiative as part of the development cycle, making software secure by design. “Surely the future will see IoT device certification, much as we have for hardware today with the addition of a software focus,” he said.

Crypto-Mining Attacks Emerge as the New Big Threat to Enterprises

Attackers looking to hijack systems for illegally mining digital currencies have begun eyeing business systems, security vendors say.

In an ominous trend for businesses, hijacking computers for cryptocurrency mining appears to have become the go-to strategy for cybercriminals looking for a safe and reliable way to generate illegal revenues.

Several vendors in recent days have reported a huge surge in illegal crypto-mining activity involving millions of hijacked computers worldwide. Professional cybercriminals are moving away in droves from less profitable exploits to making money via the surging global interest in digital currencies, said Digital Shadows in the latest warning on this trend.

The activity has begun to pose as much of a threat to businesses as it does to consumers. Security vendor CrowdStrike recently reported that it had seen multiple instances of businesses being impacted by illegal crypto-mining activity. In some cases, mining tools installed illegally on business systems have caused applications and hardware to crash, causing operational disruptions lasting days and sometimes even weeks, says Bryan York, director of services at CrowdStrike.

“We’ve seen an uptick in unauthorized crypto-mining, or cryptojacking, targeting businesses,” he says. “While cryptocurrency mining has typically been viewed as a nuisance, we’ve recently seen several cases where mining has impacted business operations,” York warns.

Mining 101

Crypto mining is a fairly complex process where a computer’s processing resources are used for blockchain transaction verification. Mining is a very CPU-intensive, resource-hogging activity and some digital currencies like Bitcoin require special-purpose hardware to do it. Several other digital currencies like Monero, Zcash, and Ethereum, however, can also be mined by pooling the resources of multiple computers.

In return for installing a mining tool and allowing their computer resources to be pooled for mining, the miners, or owners of the computers, receive digital coins. Mining itself is a legal activity, and many people around the world allow their systems to be used for the purpose in hopes of making some money on the side.

In recent months, however, cybercriminals have begun surreptitiously installing crypto-mining tools on victim computers and using resources of those compromised systems for the same purpose. Instead of taking over computers to steal data or install ransomware, cybercriminals have simply begun stealing system resources and using this to illegally profit from digital currency mining.

“These attacks are much stealthier than their predecessors,” Cisco’s Talos threat group said in a report this week. “Attackers are not stealing anything more than computing power from their victims and the mining software isn’t technically malware.”

When installing mining software, some criminals have even begun putting limits on things like CPU usage and the number of cores being used, to ensure users don’t notice any obvious performance hit as a result of mining software running on their system. In theory, victims could remain part of the adversary botnet indefinitely, Talos said in its report.

E-Currency Theft

Illegal crypto-mining is just one form of cryptocurrency fraud. Cybercriminals have also begun stealing tens of millions of dollars directly from electronic wallets used to store digital currency, as well as targeting cryptocurrency exchanges and trading platforms. Michael Marriott, research analyst at Digital Shadows, points to one recent incident where criminals targeted the Initial Coin Offering for blockchain application company Experty and used phishing emails to trick potential coin buyers to send funds to an attacker-owned wallet.

In another incident just this week, thieves emptied a staggering $500 million from Japan’s Coincheck cryptocurrency exchange.

However, illegal mining – especially for Monero – has quickly emerged as one of the most reliable and safe ways for cybercriminals to profit from the cryptocurrency craze. Using the Monero cryptocurrency as an example, Talos has estimated that a threat actor using 2,000 hijacked computers can generate $500 per day, or $182,500 per year. There are some botnets with millions of infected systems that criminals can leverage to generate more than $100 million from cryptocurrency mining, according to Talos.

Driving the trend is the easy availability of do-it-yourself kits that almost anyone can use for illegal mining. Criminals can rent mining botnets for as little as $30 to $130 per month, and software for distributing miners for as little as $29, according to Digital Shadows.

“We’ve seen plenty of actors changing their focus to profit from this,” says Marriott from Digital Shadows. “For example, the ransomware variant known as VenusLocker switched its business model to mine bitcoin rather than encrypt files on victims’ computers. Similarly, the RIG exploit kit has incorporated Monero mining into its features,” he says.

Satori, a botnet associated with DDoS attacks, has also recently begun targeting cryptocurrency mining, as has Smominru, a botnet that has infected over 500,000 systems and already generated some $3 million in Monero, Marriott says.

Attackers have also begun searching on sites such as GitHub for keys to cloud services such as AWS in order to use cloud-based machines to mine cryptocurrencies, he notes. “If attackers have access to an organization’s cloud services, then as well as performing mining activity, they could realistically do other malicious acts, such as stealing data or installing malware payloads,” Marriott says.


CrowdStrike has observed crypto-mining attacks within the education, entertainment, financial, healthcare, insurance, and technology sectors, says York. Some of the tools used in the attacks pose a particular threat to enterprises. One example, he says, is WannaMine, a crypto-mining worm that uses sophisticated propagation and persistence methods to spread and remain on systems.

“WannaMine propagates more effectively within a corporate network than it would on consumer network,” he notes. 

It uses the Mimikatz credential harvester to acquire credentials and then moves laterally within organizations using those legitimate credentials. “If unsuccessful, WannaMine attempts to exploit the remote system with the EternalBlue exploit used by WannaCry in early 2017. This approach is generally more effective in corporate networks,” he says.

Nick Biasini, a threat researcher at Cisco Talos, says organizations that aren’t already looking for miners on their infrastructure definitely should be. “This is a huge new wave of threats that is being delivered to systems in virtually every way possible,” he says.

Some examples include phishing websites and rogue browser extensions.

Performance degradation is one sign of the activity, he says. A compromised system also periodically reaches out to the broader infected pool with which it belongs, so monitoring network activity is critical. “[But] it is important to note that attackers can throttle resource usage or only mine during off-hours to make it much more difficult to detect,” Biasini adds.
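The network-side check Biasini describes (periodic check-ins to the pool that survive CPU throttling or off-hours mining), as an added example that is not from the article, Talos or CrowdStrike: it parses constructed connection records in an assumed format, scores each source/destination pair by how regular its connection intervals are, and reports how much of that activity falls outside working hours. The record format, the hosts, the byte counts and the working-hours boundary are all assumptions made here.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed record format (not any vendor's): "<ISO ts> <src_ip> -> <dst_ip>:<port> bytes=<n>"


def parse_conn(line):
    """Split one connection record into its timestamp, endpoints and byte count."""
    ts, src, _arrow, dst, size = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "src": src,
        "dst": dst,
        "bytes": int(size.split("=", 1)[1]),
    }


def off_hours_fraction(times, start_hour=20, end_hour=6):
    """Share of connections made between start_hour and end_hour (assumed off-hours, wraps midnight)."""
    off = sum(1 for t in times if t.hour >= start_hour or t.hour < end_hour)
    return off / len(times)


def find_beacons(lines, min_conns=6, max_cv=0.15):
    """Flag (src, dst) pairs whose connection intervals are suspiciously regular.

    Regularity is the coefficient of variation (stdev / mean) of the gaps between
    consecutive connections. Byte counts are deliberately ignored: a throttled miner's
    check-ins are tiny, and a volume threshold would miss exactly the cases Talos warns about.
    """
    by_pair = defaultdict(list)
    for line in lines:
        rec = parse_conn(line)
        by_pair[(rec["src"], rec["dst"])].append(rec["ts"])

    hits = []
    for (src, dst), times in sorted(by_pair.items()):
        if len(times) < min_conns:
            continue  # too few samples to judge regularity
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg > 0 else float("inf")
        if cv <= max_cv:
            hits.append({
                "src": src,
                "dst": dst,
                "connections": len(times),
                "mean_gap_s": avg,
                "cv": cv,
                "off_hours_fraction": off_hours_fraction(times),
            })
    return hits


def _constructed_log():
    """Build the sample: one host checking in every ~60 s at 01:00, one browsing irregularly by day."""
    lines = []
    base = datetime(2018, 2, 1, 1, 0, 0)
    jitter = [0, 1, -1, 0, 1, 0, -1, 1]  # a second of jitter either way around the 60 s period
    for i, j in enumerate(jitter):
        t = base + timedelta(seconds=60 * i + j)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} 10.0.0.23 -> 203.0.113.77:443 bytes=310")
    t = datetime(2018, 2, 1, 14, 0, 0)
    for gap in [5, 300, 40, 900, 12, 75, 200]:  # ordinary, bursty user traffic
        t += timedelta(seconds=gap)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} 10.0.0.40 -> 198.51.100.9:443 bytes=52000")
    return lines


SAMPLE_CONNS = _constructed_log()

if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_CONNS):
        print(f"{hit['src']} -> {hit['dst']}: {hit['connections']} connections every "
              f"{hit['mean_gap_s']:.0f}s (cv={hit['cv']:.3f}, off-hours={hit['off_hours_fraction']:.0%})")
```

A hit is a lead, not a verdict: monitoring agents and update checkers beacon too, so the next step is to look at what process on the source host owns the connection.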


DOSarrest releases new Simulated DDoS Attack platform

VANCOUVER, British Columbia, Jan. 23, 2018 (GLOBE NEWSWIRE) — DOSarrest Internet Security announced today that it has released a new service offering called Cyber Attack Preparation Platform (CAPP). This new service allows customers to log in to the CAPP portal and launch DDoS attacks on their own internet assets to see how their existing defenses stand up to real-world attacks.

This new service enables anyone to choose from a wide variety of stock TCP and HTTP attacks, some developed in house and some taken from the wild by DOSarrest over its 11-year history of protecting against DDoS attacks. There are over 40 different attacks to choose from; some TCP attacks can generate up to 80 Gb/sec of malicious spoofed TCP traffic, while others offer more complex HTTP attacks.

Other major capabilities include:

  • Choose from any or all 5 attack source regions
  • Control the intensity of every bot in the botnet
  • Control the size of the botnet from every attack source region
  • View real time traffic to and from the source and target
  • Other variables include specific target URLs, packet size, TCP or HTTP port
  • Instant kill button, stops any attack in progress in seconds

CEO of DOSarrest, Mark Teolis states, “We have been using a simulated DDoS attack system for a few years now but our present customers and non-customers alike want to operate the system on their own and see the results. Now they can.”

DOSarrest CTO Jag Bains comments, “It’s interesting to see how different systems react to attacks. CAPP not only shows you the traffic to the victim but also shows you the traffic response from the victim. A small attack to a target can actually produce a response back that’s 500 times larger.” Bains adds, “This is the best tool I’ve seen to fine tune your cyber security defenses; if you fail you can make changes and launch the exact same attack again, to see if you can stop the attack.”

About DOSarrest Internet Security:
DOSarrest, founded in 2007 in Vancouver, B.C., Canada, specializes in fully managed cloud-based Internet security services including DDoS protection services, Web Application Firewall (WAF), Vulnerability Testing and Optimization (VTO), DataCenter Defender – GRE, as well as cloud-based global load balancing.


Be Sure To Ask Tough Questions Of Your DDoS Mitigation Solution

Every time I read another report about distributed denial of service (DDoS), I find myself either cringing or smiling. That’s the easiest way to boil down my reactions. Much in the same vein as “each data breach cost one bajillion dollars!” while making my best Dr. Evil face. The scoring, or the methodology used in general, usually causes me to pause if it isn’t immediately clear how the scores were arrived at. Then there are reports where the ledes get buried: the juicy pieces that might not seem immediately clear.

Last week the Forrester research team released their Forrester Wave report as it pertains to DDoS mitigation solutions. It made for an interesting read. Kudos to all of the companies that scored well in the report. Naturally, each company released their respective “we’re number one” press releases, my own company included. It makes perfect sense that they would all do this, as they all have that to be proud of. Beyond that, what jumped out at me as I read the report was that 1) appliances don’t scale, 2) the ability to react and respond is paramount, and 3) the ability to scale is key.

I was at a conference earlier this year where I had some time to walk the vendor floor. There were two prevalent themes that I took away from this stroll. There were dozens of ransomware-protection-related startups that were vying for customers’ attention. But, more relevant to my interests was the swath of ‘DDoS mitigation’ companies that were there. One in particular, who was not on the Wave report, trumpeted that they could afford their customers 1.5 GB of protection from DDoS attacks…with their appliance.

Let that soak in for a moment. This was a company that was using the idea of holding up gauze in front of a semi-truck and hoping it would offer some sort of protection (Hat tip to the late great Robin Williams). When we take into account that there have been documented DDoS attacks in excess of 600 Gbps this seems cold comfort.

A couple years ago I was speaking with a customer that had an appliance-based solution in place. I asked them how they would deal with an attack that exceeded their stated capacity and the response was “we’d buy more boxes.” This ranks right up there with having a line in your disaster recovery report that says you will go to Best Buy to purchase laptops in the event of a calamity.

The Wave report had this passage: “Akamai received favorable feedback on its ability to detect new attack types while yielding few false positives. Reference customers remarked on the company’s responsiveness, expertise, and ability to immediately stop attacks.” A wonderful endorsement from Akamai’s customers. This is important when you have a company that is service based. You can’t just get a signed P.O., drop the product off, and ride off into the sunset. This happened to me back in the 90s when I deployed a security system and I made the naive inquiry as to how we could update the software and how often the updates would be made available. This was met with a slack-jawed look from the sales representative. You need to live in the shoes of your customer.

As a customer, you need to be an advocate for your company. You need to be able to ask the tough questions. How will the product scale? How are updates handled? What sort of bench strength does your company have to support my organization? Does the vendor have an acceptable use policy? You don’t want to have the uncomfortable realization that you might be sharing a platform or service with criminal hackers.

A DDoS mitigation solution should be a partner. This isn’t a line item on a budgeting spreadsheet after staplers and coffee creamer. No matter what sort of industry report you might be reading be sure to peel back the layers. You need to advocate for your company and ensure you are getting the best of breed service and support – and are not playing the catcher position on the javelin team!



Alleged DDOS attack wipes almost $2,000 off Bitcoin price

BTC now trying to stabilize around $9,500

Over the past 24 hours, Bitcoin (BTC) has been on a parabolic run all the way from $10,000 up to almost $11,500. Many including myself feared a sharp correction would be due at any moment, as the kind of growth we saw was not sustainable, not even in the crazy world of crypto.
BTC hit a high of $11,441 on Bitfinex before tumbling quickly all the way down to $9,000 in just a few minutes. Many went to Twitter to voice the opinion that the reason for the drop was a DDOS attack on many of the largest exchanges around the world. While a mass DDOS attack has not been confirmed yet, it seems likely it was the cause of the sudden crash.


Approximately $53 billion was wiped off the total cryptocurrency market cap in under an hour, a figure which calculates the value of Bitcoin and other alternative coins combined. At the time of publishing, Bitcoin was trading close to $9600, but appears to be facing resistance heading back to $10,000 and beyond.



3 Key Questions You Should Be Aware Of When Fighting Off Cyber Crime

Fighting cyber crime is an ongoing task that has only been getting harder and harder to accomplish. DDoS attacks against networks have been getting larger and more complex, so it is important to know the right questions to ask when one such attack happens. Of course there are obvious questions like ‘Who is doing the attack?’, ‘How are they doing it?’, ‘Why are they doing it?’ and ‘Where is the attack coming from?’, but here are three other questions you need to have at the front of your mind when preparing for a cyber-attack.

1. How Do You Protect Your Networks & Applications Against Modern, Sophisticated DDoS Attacks?

According to a recent report, DDoS attacks of greater than 50 Gbps have more than quadrupled, and the number of companies experiencing between six and 25 attacks per year has ballooned by more than four times since 2015. Defending against this deluge of DDoS is imperative. To do this you need to make sure to utilise three key weapons, detection, mitigation and analytics, when fighting in this war against modern multi-vector DDoS attacks.

Powerful DDoS detection and mitigation software is a must, as an effective one will help to discover harmful traffic, including traffic hidden inside encrypted sessions, and then dispose of it. The best way of doing this is by analysing the normal traffic patterns during peace time and then using that baseline to flag and eliminate anomalous changes. This will prevent potentially harmful traffic from entering your network.
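The baseline-then-flag approach in the paragraph above, written out as an added example (it is not code from the article or from any vendor product mentioned on this page). The flow summaries are constructed: per-minute packet counts keyed by protocol and destination port, with a quiet "peace time" window used to learn a mean and standard deviation per key, and a live window checked against it. Ports unseen during peace time fall back to a packet-count floor so that a brand-new high-volume flow is still flagged while tiny, quiet services are not.

```python
"""Peace-time baseline anomaly check over constructed per-minute flow summaries.

Added example, not from the article. Records are (minute, proto, dst_port, packets).
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed "peace time" window: ten quiet minutes of normal DNS and HTTPS traffic.
PEACETIME = [
    (m, "udp", 53, pkts)
    for m, pkts in enumerate([900, 1000, 1100, 950, 1050, 1000, 980, 1020, 1010, 990])
] + [
    (m, "tcp", 443, pkts)
    for m, pkts in enumerate([5000, 5200, 4800, 5100, 4900, 5000, 5300, 4700, 5050, 4950])
]

# Constructed live window: minute 0 is normal, minute 1 carries a volumetric flood
# on an unfamiliar UDP port plus an HTTPS flood, and a tiny NTP flow that should
# NOT be flagged even though no baseline exists for it.
LIVE = [
    (0, "udp", 53, 1100),
    (0, "tcp", 443, 5200),
    (1, "udp", 53, 1140),
    (1, "udp", 11211, 250000),
    (1, "tcp", 443, 60000),
    (1, "udp", 123, 40),
]


def build_baseline(records):
    """Learn (mean, population stddev) of packets per minute for each (proto, port)."""
    per_key = defaultdict(list)
    for _minute, proto, port, pkts in records:
        per_key[(proto, port)].append(pkts)
    return {key: (mean(vals), pstdev(vals)) for key, vals in per_key.items()}


def flag_anomalies(baseline, records, k=3.0, min_packets=1000):
    """Return alerts for minutes whose packet count exceeds mean + k*stddev.

    Keys with no baseline use (0, 0), so the threshold collapses to the
    min_packets floor: new, large flows are caught, small ones are ignored.
    """
    alerts = []
    for minute, proto, port, pkts in records:
        mu, sigma = baseline.get((proto, port), (0.0, 0.0))
        threshold = max(mu + k * sigma, min_packets)
        if pkts > threshold:
            alerts.append({
                "minute": minute,
                "proto": proto,
                "dst_port": port,
                "packets": pkts,
                "threshold": round(threshold, 1),
                "baseline_mean": round(mu, 1),
            })
    return alerts


if __name__ == "__main__":
    base = build_baseline(PEACETIME)
    for key, (mu, sigma) in sorted(base.items()):
        print(f"baseline {key}: mean={mu:.1f} stddev={sigma:.1f}")
    for alert in flag_anomalies(base, LIVE):
        print("ALERT", alert)
```

In the constructed data only the two minute-1 floods are reported: udp/11211 (no baseline, far above the floor) and tcp/443 (about twelve times its learned mean). The 1140-packet DNS minute stays under mean + 3σ (roughly 1153), and the 40-packet NTP flow stays under the floor. In a real deployment the baseline would be rebuilt on a schedule and keyed more finely (per source prefix, per time of day), but the shape of the check is the same.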

2. How Do You Eliminate The SSL/TLS Blind Spot?

Recent studies show that roughly 70 percent of all traffic is encrypted. That means if your company is not decrypting and inspecting encrypted traffic, there’s no way of knowing what kind of nefarious files or threats are flowing through unnoticed. It seems what you don’t know really can hurt you!

However, by offloading CPU-intensive SSL decryption and encryption functions from third-party security devices, while ensuring compliance with privacy standards, it is possible to eliminate these blind spots completely. There are some great programs out there that can handle this, just make sure you find one that can decrypt traffic because many do not.

3. How Can You Manage Application Delivery Across Hybrid Clouds & On-Premise?

You’re either already running applications in the cloud, or you plan to in the near future. But the move to the cloud introduces a new set of challenges, one of which is: how do you easily manage your on-premise applications and your cloud applications in a centralised fashion?

Well, the best way is to use a cloud-based controller that can connect to and manage all of your applications. These programs can configure and manage policies for other applications as well as collect performance data and other analytics. Some can even be self-managed and automate the set-up process of new applications you install, improving efficiency and saving precious time.

Those are just three of the questions to ask about cyber-security in the workplace. No doubt there will be many more. Thankfully many of these fixes can be implemented almost immediately with very little assembly required. So if you are worried about how secure your network really is, start by answering these three questions. Ask them of your IT team and see if they can give you an answer. It is important that everyone knows what to do so that you can keep your network safe from any kind of nefarious attacker.



DDoS attacks have doubled in six months, up 91% on first quarter

IoT devices in the dock as DDoS stages a resurgence, but stealth and sophistication also on the rise.

Businesses are being hammered by an average of eight DDoS attack attempts per day, an increase of 35 percent compared to Q2 2017, and a massive 91 percent increase over Q1 2017, according to new figures.

The huge increase in volume is partly due to the prevalence of DDoS services online, often marketed as ‘Booters’, ‘Stressers’ and similar tools, as well as the volume of easily-compromised IoT devices, according to the researchers from Corero. One example is the Reaper botnet, which has allegedly compromised more than one million organisations all across the globe, and has been described as “more sophisticated” than Mirai and “the next cyber-hurricane”.

Russ Madley, head of VSMB & channel, Kaspersky Lab UK said: “While DDoS attacks have been a threat for many years, it’s still important that businesses take them seriously as they are one of the most popular weapons in a cyber-criminal’s arsenal. A DDoS attack can be just as damaging to a business as any other cyber-crime, especially if used as part of a bigger targeted attack. The ramifications can be far-reaching as they’re able to reach deep into a company’s internal systems. Organisations must understand that protection of the IT infrastructure requires a comprehensive approach and continuous monitoring, regardless of the company’s size or sphere of activity.”

Unfortunately, while the sheer volume and scale of attacks has risen, their sophistication has too, with a fifth of the DDoS attack attempts recorded during Q2 2017 deploying multiple attack vectors to pick apart victims’ defences. The researchers also pointed out that many less sophisticated DDoS attacks are designed to be a distraction and delaying tactic to tie up internal security experts and resources while a more subtle incursion is under way elsewhere.

Stephanie Weagle, VP at Corero Network Security, warned that: “Sophisticated multi-vector DDoS attacks are becoming the new normal, with the potential to knock organisations of all types and sizes offline. Often lasting just a few minutes, these quick-fire attacks can be used as a smokescreen, designed not to outright deny service but to distract from an alternative motive, usually data theft and network infiltration. In order to effectively meet the challenge of this rapidly evolving threat landscape, organisations need to adopt modern DDoS defences that will provide both instantaneous visibility into DDoS events, real-time mitigation as well as long-term trend analysis to identify adaptations in the DDoS landscape.”

