DDoS attacks hitting ‘record-breaking’ levels as volumes increase 380%

DDoS attackers are hitting hard, fast and with no breaks in between, leading to record-breaking attacks over hours or even days, according to Nexusguard’s Q1 2017 Threat Report.

Those record-breaking attacks over Valentine’s Day, Chinese New year and other ‘typically quiet’ periods during the season.

“In APAC, a lengthy attack January 28-31, the period of Chinese New Year, lasted 2 days, 19 hours, and 40 minutes. It was a widespread, disruptive event that left celebrants weary and exhausted upon returning to work,” the report says.

DDoS attack volumes have also risen 380% since the same time last year, according to Nexusguard’s statistics, based on 16,600 attacks.

While 51% of attacks lasted fewer than 90 minutes, 4% exceeded 1440 minutes. 77.3% of attacks were less than 10Gbps, while 20% were between 10-200Gbps and 2% exceeded 200Gbps.

The United States, China and Japan rounded out the top three sources for attacks. The rest of APAC was relatively unused as an attack source.

However it’s not just DDoS attacks that are on the rise: HTTP flood attacks jumped 147% in the last quarter alone. It is now one of the leading volumetric attacks, exceeding both TCP and DNS attacks.

The company cites the Internet of Things as a major weak point, particularly as the range of insecure devices and connections expodes. DDoS attacks can be persistent and long-lasting, which is a major area of concern.

“IoT botnets are only the beginning for this new reign of cyber attacks. Hackers have the scale to conduct gigantic, continuous attacks; plus, teams have to contend with attacks that use a combination of volumetric and application aspects,” comments Nexusguard’s CTO Juniman Kasman.

Those attacks are not happening in isolation. 93% of attacks combine application and volumetric vulnerabilities. Multiple DDoS attacks can also overwhelm systems.

The company warns that organisations that haven’t invested in – or haven’t upgraded – multi-layered defense mechanisms run the highest risk of attack exposure.

“This early data for 2017 shows that enterprises need to employ multi-layered defenses that use nimble resources, including large, redundant scrubbing networks and around-the-clock security operations if they hope to keep from drowning in the deluge of new attacks,” Kasman adds.

Source: https://securitybrief.co.nz/story/ddos-attacks-hitting-record-breaking-levels-volumes-increase-380/

  • 0

Ten steps for combating DDoS in real time

To the uninitiated, a distributed denial-of-service (DDoS) attack can be a scary, stressful ordeal. But don’t panic. Follow these steps by David Holmes, senior technical marketing manager: Security, F5 Networks, to successfully fight an attack:

If you appear to be suffering a volumetric attack, it helps to have a historical sense of your own traffic patterns. Keep a baseline of normal traffic patterns to compare against. If you have determined that you are under a DDoS attack, record the estimated start time in your attack log. Monitor volumetric attacks. Remember to keep a monitoring web page open to indicate when the attack may be over (or mitigated). You will need to follow (up to) 10 steps for your DDoS mitigation:

Step 1: Verify the attack
Not all outages are caused by a DDoS attack. DNS misconfiguration, upstream routing issues, and human error are also common causes of network outages. You must first rule out these types of non-DDoS attacks and distinguish the attack from a common outage.

· Rule out common outages: The faster you can verify the outage is a DDoS attack, the faster you can respond. Even if the outage was not caused by a misconfiguration or other human error, there may still be other explanations that resemble a DDoS attack.
· Check outbound connectivity: Is there outbound connectivity? If not, then the attack is so severe that it is congesting all inbound and outbound traffic. Check with your usual diagnostic tools (such as traceroute, ping, and dig) and rule out all such possibilities.
· Rule out global issues: Check Internet weather reports, such as Internet Health Report and the Internet Traffic Report, to determine if the attack is a global issue.
· Check external network access: Attempt to access your application from an external network. Services and products that can perform this kind of monitoring include: Keynote testing and monitoring, HP SiteScope agentless monitoring, SolarWinds NetFlow Traffic Analyzer, and Downforeveryoneorjustme.com.
· Confirm DNS response: Check to see if DNS is responding for your website. The following UNIX command resolves a name against the OpenDNS project server: % dig @208.67.222.222 yourdomain.com

Step 2: Contact team leads.
Once the attack is verified, contact the leads of the relevant teams. If you have not filled out any quick reference sheets or a contact list, create one now or use our templates. When an outage occurs, your organisation may hold a formal conference call including various operations and applications teams. If your company has such a process in place, use the meeting to officially confirm the DDoS attack with team leads.

· Contact your bandwidth service provider: One of the most important calls you can make is to the bandwidth service provider. List the number for your service provider in your contact sheet. The service provider can likely confirm your attack, provide information about other customers who might be under attack, and sometimes offer remediation.
· Contact your fraud team: It is especially important to invoke the fraud team as soon as the attack is verified. DDoS attacks can be used as cover to hide an infiltration. Logs that would normally show a penetration may get lost during a DDoS attack. This is why high-speed, off-box logging is so important.

Step 3: Triage applications
Once the attack is confirmed, triage your applications. When faced with an intense DDoS attack and limited resources, organisations have to make triage decisions. High-value assets typically generate high-value online revenue. These are the applications you will want to keep alive. Low-value applications, regardless of the level of legitimate traffic, should be purposefully disabled so their CPU and network resources can be put to the aid of higher-value applications. You may need the input of team leads to do this.

Ultimately, these are financial decisions. Make them appropriately. Create an application triage list; it takes only a few minutes to fill one out, and will greatly assist in making tough application decisions while combating an actual DDoS event. Decide which applications are low priority and can be disabled during the attack. This may include internal applications.

Step 4: Protect partners and remote users.
· Whitelist partner addresses: Very likely you have trusted partners who must have access to your applications or network. If you have not already done so, collect the IP addresses that must always be allowed access and maintain that list. You may have to populate the whitelist in several places throughout the network, including at the firewall, the Application Delivery Controller (ADC), and perhaps even with the service provider, to guarantee that traffic to and from those addresses is unhindered.
· Protect VPN users: Modern organisations will whitelist or provide quality-of-service for remote SSL VPN users. Typically this is done at an integrated firewall/ VPN server, which can be important if you have a significant number of remote employees.

Step 5: Identify the attack
Now is the time to gather technical intelligence about the attack. The first question you need to answer is “What are the attack vectors?” There are four types of DDoS attack types, these are
· Volumetric: flood-based attacks that can be at layers 3, 4, or 7;
· Asymmetric: designed to invoke timeouts or session-state changes;
· Computational: designed to consume CPU and memory; and
· Vulnerability-based: designed to exploit software vulnerabilities.

By now you should have called your bandwidth service provider with the information on your contacts list. If the attack is solely volumetric in nature, the service provider will have informed you and may have already taken steps at DDoS remediation. Even though well-equipped organisations use existing monitoring solutions for deep-packet captures, you may encounter cases where you have to use packet captures from other devices, such as the ADC, to assist in diagnosing the problem. These cases include: SSL attack vectors and FIPS-140.

Step 6: Evaluate source address mitigation options
If Step 5 has identified that the campaign uses advanced attack vectors that your service provider cannot mitigate (such as slow-and-low attacks, application attacks, or SSL attacks), then the next step is to consider the following question: “How many sources are there?” If the list of attacking IP addresses is small, you can block them at your firewall. Another option would be to ask your bandwidth provider to block these addresses for you.

· Geoblocking: The list of attacking IP address may be too large to block at the firewall. Each address you add to the block list will slow processing and increase CPU. But you may still be able to block the attackers if they are all in the same geographic region or a few regions you can temporarily block. The decision to block entire regions via geolocation must be made as a business decision. Finally, if there are many attackers in many regions, but you don’t care about any region except your own, you may also use geolocation as a defence by blocking all traffic except that originating from your region.
· Mitigating multiple attack vectors: If there are too many attackers to make blocking by IP address or region feasible, you may have to develop a plan to unwind the attack by mitigating “backwards”; that is, defending the site from the database tier to the application tier, and then to the web servers, load balancers, and finally the firewalls.

You may be under pressure to remediate the opposite way; for example, mitigating at layer 4 to bring the firewall back up. However, be aware that as you do this, attacks will start to reach further into the data centre.

Step 7: Mitigate specific application attacks
If you have reached this step, the DDoS attack is sufficiently sophisticated to render mitigation by the source address ineffective. Tools such as the Low Orbit Ion Cannon, the Apache Killer, or the Brobot may generate attacks that fall into this category. These attacks look like normal traffic at layer 4, but have anomalies to disrupt services in the server, application, or database tier.

To combat these attacks, you must enable or construct defences at the application delivery tier.

Once you have analysed the traffic in Step 4, if the attack appears to be an application-layer attack, the important questions are: Can you identify the malicious traffic? Does it appear to be generated by a known attack tool?

Specific application-layer attacks can be mitigated on a case-by-case basis with specific F5 counter-measures. Attackers today often use multiple types of DDoS attack vector, but most of those vectors are around layers 3 and 4, with only one or two application-layer attacks thrown in. We hope this is the case for you, which will mean you are nearly done with your DDoS attack.

Step 8: Increase application-level security posture.
If you have reached this step in a DDoS attack, you’ve already mitigated at layers 3 and 4 and evaluated mitigations for specific application attacks, and you are still experiencing issues. That means the attack is relatively sophisticated, and your ability to mitigate will depend in part on your specific applications.

Asymmetric application attack: Very likely you are being confronted with one of the most difficult of modern attacks: the asymmetric application attack. This kind of attack can be:
· A flood of recursive GETs of the entire application.
· A repeated request of some large, public object (such as an MP4 or PDF file).
· A repeated invocation of an expensive database query.

Leveraging your security perimeter: The best defence against these asymmetric attacks depends on your application. For example, financial organisations know their customers and are able to use login walls to turn away anonymous requests. Entertainment industry applications such as hotel websites, on the other hand, often do not know the user until the user agrees to make the reservation. For them, a CAPTCHA (Completely Automated Public Turning test to tell Computers and Humans Apart) might be a better deterrent.

Choose the application-level defence that makes the most sense for your application: A login wall, human detection or real browser enforcement.

Step 9: Constrain resources.
If all the previous steps fail to stop the DDoS attack, you may be forced to simply constrain resources to survive the attack. This technique turns away both good and bad traffic. In fact, rate limiting often turns away 90 to 99 percent of desirable traffic while still enabling the attacker to drive up costs at your data centre. For many organisations, it is better to just disable or “blackhole” an application rather than rate-limit it.

· Rate shaping: If you find that you must rate-limit, you can provide constraints at different points in a multi-tier DDoS architecture. At the network tier, where layer 3 and layer 4 security services reside, use rate shaping to prevent TCP floods from overwhelming your firewalls and other layer 4 devices.

Connection limits: Connection limits can be an effective mitigation technique, but they do not work well with connection-multiplexing features. Application tier connection limits should provide the best protection to prevent too much throughput from overwhelming your web servers and application middleware.

Step 10: Manage public relations
Hacktivist organisations today use the media to draw attention to their causes. Many hacktivists inform the media that an attack is underway and may contact the target company during the attack. Financial organisations, in particular, may have policies related to liability that prevent them from admitting an attack is underway. This can become a sticky situation for the public relations manager. The manager may say something like, “We are currently experiencing some technical challenges, but we are optimistic that our customers will soon have full access to our online services.”

Journalists, however, may not accept this type of hedging, especially if the site really does appear to be fully offline. In one recent case, a reporter called a bank’s local branch manager and asked how the attack was proceeding. The branch manager, who had not received media coaching, responded, “It’s awful, we’re getting killed!”

If the DDoS attack appears to be a high-profile hacktivist attack, prepare two statements:
· For the press: If your industry policies allow you to admit when you are being externally attacked, do so and be forthright about it. If policy dictates that you must deflect the inquiry, cite technical challenges but be sure to prepare the next statement.
· For internal staff, including anyone who might be contacted by the press: Your internal statement should provide cues about what to say and what not to say to media, or even better, simply instruct your staff to direct all inquiries related to the event back to the PR manager. Include a phone number.
Anton Jacobsz, managing director at Networks Unlimited, a value-adding reseller of F5 solutions throughout Africa, notes that it is the organisations focusing on a holistic security strategy that are considered forward-looking and ahead of the digital economy curve.

“In a digital age – where sensitive or personal information is at risk of being exposed, and where geo-location and sensor-based tools track movements – organisations need to be prepared for a cyber attack. It has become essential to scrutinise security throughout the entire operation and offerings in order to build the strongest cornerstones for establishing trust between company, employees and consumers,” says Jacobsz.

Source: http://www.itnewsafrica.com/2017/06/ten-steps-for-combating-ddos-in-real-time/

  • 0

If You Learn of DDoS Attacks from Customers, You’ve Already Failed

If your customers notice something’s wrong before your own security specialists do, you’ve failed on multiple levels

When Benjamin Franklin said, “Time is money,” he gave the world an aphorism that would be quoted frequently by businesspeople for more than 200 years. For all his wit and insight, of course, Franklin could never have foreseen the many scenarios for which his pithy observation would come to apply. It turns out that among the most relevant applications of the quote in today’s digitally driven world is in the realm of cybersecurity.

Why? Because for organizations that suffer a cyberattack, a slow response can prove very costly. In an early 2017 survey of more than 1,000 IT and business decision makers, nearly two-thirds of the respondents said they could lose $100,000 per hour or more if a distributed denial of service (DDoS) attack were to disrupt their peak business periods.

On the bright side, 8 in 10 of the organizations responding to the Neustar-sponsored survey said they’ve learned about new DDoS attacks from their internal security and IT teams – at least sometimes. Less encouraging is the fact that 40% also said they have, at times, received their first notification of attacks from their customers.

If your customers notice something’s wrong before your own security specialists do, you’ve failed on multiple levels. The ideal DDoS defense is to recognize an emerging threat and neutralize it before it even gains a foothold – and certainly before your customers experience any negative impacts. If customers start complaining about an inability to access your websites or other services, you’ve already started to lose money before you’re even aware of the problem.

Beyond causing staggering monetary losses for many corporations, successful DDoS attacks can alienate customers and shake their confidence in the victim’s ability to secure its own systems. By extension, customer then worry about the security of their own interactions with the company, and about the safety of any customer data the company may hold. The resulting customer churn and reduced loyalty can result in additional financial consequences.

In this regard, another Franklin quote sadly holds true: “It takes many good deeds to build a good reputation, and only one bad one to lose it.”

Fortunately, there are many security tools and services available to organizations that decide to be proactive in their DDoS defenses. As is often the case when it comes to cybersecurity, the most effective defenses will leverage a layered approach. The first-level of defense for DDoS attacks ideally will be provided by the network or Internet service provider, which is often the first to see – and block – suspicious network activity.

For those attacks that still manage to get through, companies need their own DDoS identification and mitigation solutions. Some of those solutions may be on-premises appliances and other controls, while others may be provided by cloud-based or managed security services providers. Such “security-as-a-service” offerings are rapidly gaining in popularity, especially if an attack’s scale exceeds the capabilities of the on-premises protections.

In short, there’s little excuse to be reactive, rather than proactive, when it comes to DDoS defenses. And, yes, Franklin once again provides some sage advice to those who may be too cavalier in their attitudes about DDoS threat. “By failing to prepare, you are preparing to fail.”

Source: http://www.csoonline.com/article/3200084/leadership-management/if-you-learn-of-ddos-attacks-from-customers-you-ve-already-failed.html

  • 0

Operators beware: DDoS attacks—large and small—keep increasing

Despite years’ worth of warnings and countermeasures, distributed denial of service (DDoS) attacks continue to escalate. Every year sees more of them, with increasing duration and severity.

The frequency was up by 380% in the first quarter of 2017 compared to the first quarter of 2016, according to Nexusguard, which compiled this set of statistics (PDF) in a new report. From the fourth quarter of 2016 to the first quarter of 2017, HTTP attack counts and total attack counts increased by 147% and 37% respectively.

Examples of increasing severity include a 275 Gbps attack that took place during Valentine’s Day (there have been significantly larger attacks) and an attack spanning 4,060 minutes that occurred over the Chinese New Year, the company said.

The percentage of days with sizable attacks (larger than 10Gbps) grew appreciably within the quarter for 48.39% in January to 64.29% in March.

Lengthier attacks at erratic intervals are becoming the norm, the company said.

A separate, simultaneously published report from Corero Network Security said its customers have been hit by an increasing number of small DDoS attacks. Though attacks of 10 Gbps or smaller would seem less severe, what’s insidious about them is that they are apt to sneak under minimum detection thresholds. Though the DDoS attacks themselves might not be that disruptive, they can give hackers the access to wreak plenty of other damage.

Corero CEO Ashley Stephenson said in a statement, “Short DDoS attacks might seem harmless, in that they don’t cause extended periods of downtime. But IT teams who choose to ignore them are effectively leaving their doors wide open for malware or ransomware attacks, data theft or other more serious intrusions. Just like the mythological Trojan Horse, these attacks deceive security teams by masquerading as a harmless bystander—in this case, a flicker of internet outage—while hiding their more sinister motives.”

Nextguard believes part of the increase in DDoS activity is a ripple effect of increased botnet activity that occurred in the fourth quarter.

This is in part a reference to the Mirai botnet, which was first identified in the latter half of 2016. Mirai provided a means to take over connected deviceswith inadequate built-in security safeguards (webcams, some set-top boxes, etc.), and use them to launch sustained attacks, sometimes with spectacular results.

Those attacks revealed the Achilles’ heel in the internet of things: Many IoT applications are based on the distribution of large numbers of very inexpensive devices, which can be made so cheaply in part by adopting only minimal security, if any.

The DDoS problem is worldwide, but nearly a quarter of the attacks are launched from the U.S. (followed by China and Japan). That’s likely to remain the case, as more U.S. households install “smart” devices that have poorly guarded IP addresses, making them susceptible to hijacking in the service of more DDoS attacks.

“IoT botnets are only the beginning for this new reign of cyberattacks. Hackers have the scale to conduct gigantic, continuous attacks; plus, teams have to contend with attacks that use a combination of volumetric and application aspects,” said Nexusguard CTO Juniman Kasman, in a statement.

The two largest sources of DDoS attacks were China and Japan, with Russia a distant third.

The release of such results is meant to emphasize what should be obvious: companies that haven’t upgraded their security are the most vulnerable.

Source: http://www.fiercetelecom.com/telecom/operators-beware-ddos-attacks-large-and-small-keep-increasing

  • 0

Mini but mighty: Beware minor DDoS attacks that mask graver threats, warns report

Despite detecting an increase in large distributed denial of service attacks in the first quarter of 2017, Corero Network Security has reported that the greatest DDoS threat currently comes from smaller attacks designed to either hide other malicious activities or set the stage for future malicious actions.

Corero, which specializes in DDoS prevention, noted in its just released Q4 2016 – Q1 2017 Trends Report that these “sub-saturation” attacks typically fall within a certain sweet spot: They are short enough in duration and small enough in size to avoid detection by mitigation tools, yet they are still significant enough to serve the attacker’s purpose. According to the company, many legacy and homegrown mitigation tools will not respond to attacks that are less than one Gbps in size and under than 10 minutes in duration, because they do not meet a certain pre-programmed threshold.

“…They are just disruptive enough to knock a firewall or intrusion prevention system (IPS) offline so that the hackers can target, map and infiltrate a network to install malware and engage data exfiltration activity,” said Ashley Stephenson, CEO at Corero Network Security, in a company press release. In other cases, the attackers may simply be testing a network for weaknesses, in anticipation of a future malicious action down the line.

But even if the DDoS attack is detected, network administrators may too busy responding to the outage to realize that there is actually a bigger threat at hand. In an email to SC Media, Stephanie Weagle, vice president at Corero, cited UK-based telecom company TalkTalk as a recent example. In 2015, hackers stole the company’s customer data using a DDoS attack as an effecitve distraction.

“Short DDoS attacks might seem harmless, in that they don’t cause extended periods of downtime. But IT teams who choose to ignore them are effectively leaving their doors wide open for malware or ransomware attacks, data theft or other more serious intrusions,” Stephenson explained. “Just like the mythological Trojan Horse, these attacks deceive security teams by masquerading as a harmless bystander – in this case, a flicker of internet outage – while hiding their more sinister motives.”

According to the report, 80 percent of attempted DDoS attacks that were launched against Corero customers in Q1 2017 were less than 1 Gbps in volume, while 71 percent lasted 10 minutes or less. In Q4, 77 percent of DDoS attacks were less than 1 Gbps in volume, while 73 percent were 10 minutes or less in duration.

While smaller attacks remain the norm, Corero did see a 55 percent rise in DDoS attacks that were 10 Gbps or larger in Q1, compared to the previous quarter.

Corero customers averaged 124 attacks per month in Q1, an increase of nine percent over Q4 2016.

Source: https://www.scmagazine.com/mini-but-mighty-beware-minor-ddos-attacks-that-mask-graver-threats-warns-report/article/666432/

  • 0

Why IoT Botnets Might be the Next Big Worry ?

Rise of IoT globally is still in its early days hence the level of protection is on the lower end.

We all love Internet of Things (IoT), isn’t it? It has brought ‘things’ a.k.a devices, around us to life – from watch, bed, luggage, bulb and clothes to even buildings (in some time). But that love is now turning into a spoiler. The smart band or watch on your wrist and other IoT electronics are being hacked by malware attackers to turn them into an army of zombie machines, and launch botnet attacks.

Much like October 2016 attack that used IoT webcams and video recorders to block user access to many sites including Twitter, Reddit, Spotify, etc., by spamming the domain name service used by them. Read on as Dhruv Khanna, CEO, Data Resolve – cyber intelligence company shares insights on it.

Distributed denialof-service (DDoS) attacks aren’t new. So using IoT devices are of a new type?

There are multiple types. First is the conventional botnets that target your laptop and desktop servers to track your online activity. Second is the enterprise specific attacks called distributed denial-ofservice attack(DDoS) when botnets blocks all your access to the device.

Third is where your activity and data is captured and sent to a third party. Fourth is where your device is remotely controlled and access is blocked until some money is paid to the attacker. IoT botnets are like DDoS attacks that not just use computers in a conventional botnet way but also IoT devices to break into information and data.

But why IoT devices have become favourites to launch attacks?

Rise of IoT globally is still in its early days hence the level of protection is on the lower end. Moreover there are constraints in IoT devices such as using basic version of the operating system, less processing, storage and computational power in terms of setting up anti-virus and firewall and other security applications to them. This makes them an easy target for attackers to use to them as botnet for attack in comparison to using just computers and laptops which are relatively better secured. For e.g. Mirai botnet that target consumer devices like remote cameras, and home appliances.

The ecosystem in India too isn’t making efforts to be ready. Right?

That’s because IoT here is beginning to take its first step, hence, the awareness around it is not significant. On the enterprise side before pushing business services on IOT devices, as a best practice chief information security officers of the company eventually would have to frame a security manual and controls around IOT devices in terms of IOT device on-boarding, incident monitoring and control. Also, there is a need of regulation to control and monitor them.

Are we better off without IoT?

Not really. Advantage of IoT is that it is part of the cloud ecosystem. Securing the cloud is as good as securing the device. That’s why people are not spending too much on the device level but more on the cloud side. In a typical malware attack you are not able to control the source of attack but in IoT device you can as you know where your service is based on the cloud. But if your cloud application is compromised, it would be difficult to trace it.

So, this is next level of cyber security challenge?

It is certainly the next level of attack. For large businesses, it will be a significant hit on their brand along with data. If10,000 of ant vendor devices in the market get compromised then it will impact on the company. It is not impacting just you as an individual but all the devices that are interconnected to your device and vice versa.

Source: https://www.entrepreneur.com/article/295274

  • 0

What’s next for DDoS attacks?

Distributed denial of service (DDoS) attacks have been threatening organizations across the globe in recent years, damaging corporate reputations and causing down time that has inconvenienced customers at best and crippled businesses at worst. 2016 marked a watershed for the volume, virulence and sophistication of attacks. However, this is just the beginning, the worst is yet to come.

According to the findings of the recent Neustar Worldwide DDoS Attacks and Cyber Insights Research Report, more than eight in ten organisations surveyed globally have been attacked at least once in the previous 12 months (an increase of 15 percent since 2016). Furthermore, 85 percent of those attacked were hit more than once.

Despite knowing the threats, companies are still struggling to detect and respond to DDoS attacks effectively and efficiently. In fact, 40 percent of respondents globally were only alerted to a DDoS attack by customers, a major embarrassment for their brands. This figure is up from 29 percent in 2016.

What is new for DDoS?

It is crucial to highlight that the DDoS attack size, complexity, and ferocity will continue to grow this year. Multi-vector attacks, termed advanced persistent denial of service (APDoS), have become near-universal experience – demonstrating that attackers are consolidating the most effective methods to launch multi-pronged attacks on the network, servers and software in organizations. Using botnets such as the Mirai botnet of insecure Internet of Things devices to perform attacks and probe for vulnerabilities will also shape DDoS attack strategies and experiences in 2017.

Permanent Denial of Service (PDoS) attacks, or ‘phlashing’, is another way to wreak havoc in 2017. PDoS attack code aims to render a target device useless. Attackers can remotely or physically replace the software controlling connected hardware such as routers or printers with a version that does nothing, or even overload power subsystems. The potential damage could be significant. Consider the fire hazard an overheating smartphone can be, for example; or managing a disaster without a communications network.

DDoS attack in APAC

With organisations across Asia Pacific (APAC) being attacked more often, businesses should regularly re-examine the effectiveness of existing security strategies, including DDoS mitigation. The consequences of a DDoS attack can be significant.

After a DDoS attack 33 percent of APAC organizations reported average revenue losses of $250,000 or more, with 49 percent taking three hours or longer to detect the attack, and 42 percent taking at least three hours to respond.

Further, DDoS attacks are often used to mask with other cybercrime activities. The installation of ransomware and malware in concert with DDoS attacks was reported by 49 percent of organisations in APAC. In 2017, the victims of DDoS attacks around the world have experienced more malware (43% reported vs 37% a year before), network breaches/damage (32% vs 25%), customer data theft (32% vs 21%), ransomware (23% vs 15%), financial theft (21% vs 14%) and lost intellectual property (21% vs 15%).

While nine in 10 companies globally are investing more in DDoS-specific defenses today, stronger defenses are likely needed to mitigate the growing risk and likely impact of a major DDoS attack quickly and effectively.

Finding the right solution

Currently, there are several solutions in the market that organisations could consider.

Several low cost content delivery network (CDN) style services can offer inexpensive DDoS protection, however they may impose usability issues and be unable to stop a significant attack.

Similarly, DDoS mitigation appliances can be effective against certain types of attacks, however increasingly popular large-scale floods can overwhelm circuit capacity and render the appliance ineffective.

On demand cloud where network traffic is redirected to a mitigation cloud is reliable and cost effective. However, it is dependent on swift failover to the cloud in order to avoid downtime.

Always routed cloud, on the other hand, involves the redirection of web traffic on a constant basis. The constant redirection can affect network latency, even during non-attack conditions, and additional services may be required to address application layer attacks.

Adopting a DDoS mitigation approach that includes a managed appliance and cloud (hybrid) is the best option, yet can be costly. The appliance will stop any DDoS attack within the circuit capacity feeding the network, and automatically trigger cloud mitigation, if the circuit is in danger of becoming overwhelmed.

DDoS attacks are likely to frustrate even more organizations from now on, with new attack vectors, and a focus on destroying the utility of devices Those working to protect the customer experience, revenues, and brand reputations can best protect themselves from attacks by working with knowledgeable partners that have an extensive experience with identifying and addressing contemporary DDoS attacks, plus access to multiple sources of intelligence and a drive to continually improve on its expertise.

Source: https://www.enterpriseinnovation.net/article/whats-next-ddos-attacks-1050008000

  • 0

Lawmakers seek answers on alleged FCC DDoS attack

Five Democratic senators are seeking an FBI investigation into possible cyberattacks on the Federal Communication Commission’s online comment system.

The FCC’s Electronic Comment Filing System crashed in the early hours of May 8 in what the agency called “deliberate attempts by external actors to bombard” the commission and render its systems unusable by legitimate commenters.

Sens. Brian Schatz (D-Hawaii), Al Franken (D-Minn.), Patrick Leahy (D-Vt.), Ed Markey (D-Mass.) and Ron Wyden (D-Ore.) want acting FBI director Andrew McCabe to make an investigation of that May disruption a priority, and also called for an investigation into the source of the attack. The senators’ letter emphasized that they were especially troubled by the disruption of the process of public commentary given that public participation is crucial to the integrity of the FCC’s regulatory process.

The request comes as FCC Chairman Ajit Pai is moving to roll back Obama-era net neutrality regulations over the objections of Democrats in Congress and internet freedom activists.

“Any cyberattack on a federal network is very serious,” the senators wrote. “This particular attack may have denied the American people the opportunity to contribute to what is supposed to be a fair and transparent process, which in turn may call into question the integrity of the FCC’s rulemaking proceedings.”

The senators seek a reply by June 23.

It’s possible, however, that what the FCC is reporting as a DDoS attack was in fact a traffic spike spurred by TV comedian John Oliver, who urged viewers to register their opposition to the net neutrality rollback in an May 7 broadcast.

The partisan fight over FCC actions on net neutrality has cast a political shadow over the attack, the follow-up and any future investigation. Three of the letter’s five signatories (Schatz, Markey, Franken) also signed a May 17 open letter lambasting the FCC’s possible net neutrality rollback.

Wyden and Schatz also sought clarification from Pai about the ability of the agency to protect against DDoS attacks in a separate May 9 letter. The two sought details on the user capacity of the FCC’s website and requested a reply by June 8.

Meanwhile, the FCC is accepting comments on its net neutrality proceeding through Aug. 16.

Source: https://fcw.com/articles/2017/05/31/fcc-ddos-senators-berliner.aspx

  • 0

7 nightmare cyber security threats to SMEs and how to secure against them

Small businesses face a range of cyber threats daily and are often more vulnerable than the larger organisations.

Small businesses that see themselves as too small to be targeted by cyber criminals are putting themselves at direct risk.

In fact, small businesses are at an equal, if not greater risk of being victims of cyber crime – two thirds of small UK firms were attacked by hackers between 2014-2016, according to a report from the Federation of Small Businesses.

Cyber crime can cause massive damage to a young business’s reputation, result in loss of assets and incur expenses to fix the damage caused. These attacks could mean the difference between cutting a profit or going bust.

Legal action could also be taken if businesses are found to have failed to put proper safeguards in place. When new data protection laws are introduced in 2018 under GDPR, complacent businesses risk fines of up to £17 million or 4% of annual turnover (whichever is higher) if they suffer a data breach.

So what can small businesses do to protect themselves and the sensitive data of their customers? These are 7 nightmare cyber security threats and how to secure against them.

Threat 1: internal attacks

This shouldn’t come as a surprise to readers, but internal attacks are one of the largest cyber security threats facing small businesses today. Rogue employees, especially those with access to networks, sensitive data or admin accounts, are capable of causing real damage. Some theories even suggest that the notorious 2014’s Sony Pictures hack – typically linked to North Korea – was actually an insider attack.

To reduce the risk of insider threats, businesses must identify privileged accounts – accounts with the ability to significantly affect or access internal systems. Next, terminate those that are no longer in use or are connected with employees no longer working in the business.

Businesses can also implement tools to track the activity of privileged accounts. This allows for a swift response if malicious activity from an account is detected before the damage can be dealt.

Threat 2: phishing and spear phishing

Despite constant warnings from the cyber security industry, people still fall victim to phishing every day. As cyber crime has become well-funded and increasingly sophisticated, phishing remains one of the most effective methods used by criminals to introduce malware into businesses.

Spear phishing is a targeted form of phishing in which phishing emails are designed to appear to originate from someone the recipient knows and trusts – like senior management or a valued client.

To target victims deemed ‘high value’ — i.e. those with access to privileged accounts — cyber criminals may even study their social media to gain valuable insights which can then be used to make their phishing emails appear highly authentic.

If an employee is tricked by a malicious link in a phishing email, they might unleash a ransomware attack on their small business. Once access is gained, ransomware quickly locks down business computers as it spreads across a network. Until a ransom is paid, businesses will be unable to access critical files and services.

To mitigate the risk posed by phishing – and ransomware – organisations must ensure staff are aware of the dangers and know how to spot a phishing email. Businesses must also ensure they have secure backups of their critical data. Because ransomware locks down files permanently (unless businesses want to cough up the ransom) backups are a crucial safeguard to recover from the hack.

But as ransomware attacks are on the rise, prevention remains better than treatment. Education is the best way of ensuring protection for small businesses.

Threat 3: a dangerous lack of cyber security knowledge

Entire cyber security strategies, policies and technologies are worthless if employees lack cyber security awareness. Without any kind of drive to ensure employees possess a basic level of cyber security knowledge, any measure or policy implemented will be undermined.

A well-targeted spear phishing email could convince an employee to yield their password and user information. An IT team can’t be looking over everyone’s shoulders at once. Because of this, education and training are essential to reduce the risk of cyber crime.

Some employees may not know (or care enough) to protect themselves online, and this can put businesses at risk. Hold training sessions to help employees manage passwords (hint: two-factor authentication for business accounts) and identify phishing attempts. Then provide support to ensure employees have the resources they need to be secure.

Some small businesses will also consider up-skilling members of their IT teams in incident handling, often through popular GCIH training from security vendor GIAC. Incident handling professionals are able to manage security incidents as they happen, and speed the process of recovery if hacks do occur.

Ultimately, even a basic level of knowledge and awareness could mean the difference between being hacked or avoiding the risk altogether.

Threat 4: DDoS attacks

Distributed Denial of Service (DDoS) attacks have overwhelmed some of the largest websites in the world, including Reddit, Twitter, and Netflix. DDoS attacks, which ambush businesses with massive amounts of web traffic, slow websites to a crawl and, more often than not, force crucial services offline.

If a small businesses relies on a website or other online service to function, the outages caused by DDoS attacks will be catastrophic. Most DDoS attacks last between 6-24 hours and cause an estimated £30,000 per hour, according to data from Incapsula, a DDoS prevention firm.

Whilst businesses can’t stop a website or service being targeted in a DDoS attack, they can work to absorb some of the increased traffic, giving them more time to form a response or filter out the spam data.

Ensuring there is extra bandwidth available, creating a DDoS response plan in the event of an attack or using a DDoS mitigation service are all great steps towards reducing the impact of an attack. But that’s just scratching the surface of DDoS mitigation – here are more ways to prevent a DDoS attack.

Threat 5: malware

Malware is a blanket term that encompasses any software that gets installed on a machine to perform unwanted tasks for the benefit of a third party. Ransomware is a type of malware, but others exist, including spyware, adware, bots and Trojans.

To prevent malware from taking hold, businesses should invest in solid anti-virus technology. Plus, operating systems, firewalls and firmware, and previously mentioned anti-virus software must be kept up-to-date.

If services are outdated or not updated regularly, businesses are at a serious risk. Just look at the damage caused when malware infected the UK’s National Health Service through an exploit within an outdated version of Windows XP. And that was just one of the high profile targets affected by the global WannaCry ransomware attack.

Threat 6: SQL Injection

Almost every business relies on websites to operate and many depend entirely on the service they provide online. However, poorly secured websites could be wide open to data theft by cyber criminals.

Of the many attacks that can be staged against a website, SQL injection is amongst the most dangerous and even the largest companies fall victim to it.
SQL injection refers to vulnerabilities that allow hackers to steal or tamper with the database sitting behind a web application. This is achieved by sending malicious SQL commands to the database server, typically by inputting code into forms – like login or registration pages.

It takes a few well-calculated steps to protect against SQL injection. As a precaution, businesses should assume all user-submitted data is malicious, get rid of database functionality that isn’t needed and consider using a web application firewall. For a closer look at SQL injection, take a look at this documentation from Cisco.

Properly preventing SQL injection is primarily a responsibility for a web development or security team, but the change has to be driven from the top. Still not convinced? Take a look at this video from Computerphile to see how effective and dangerous SQL injection can be.

Threat 7: BYOD

Businesses are vulnerable to data theft, especially if employees are using unsecure mobile devices to share or access company data. As more small businesses make use of bring your own device (BYOD) technology, corporate networks could be at risk from unsecured devices carrying malicious applications which could bypass security and access the network from within the company.

The solution is nailing down a defined BYOD policy. A comprehensive BYOD policy educates employees on device expectations and allow companies to better monitor email and documents that are being downloaded to company-owned devices.

Ensure employee-owned devices can access the business network through a VPN which connects remote BYOD users with the organisation via an encrypted channel. A VPN is crucial if employees are using public WiFi networks to access business data. Public Wi-Fi is notoriously unsecure and provides little protection against criminals that might be watching the transfer of sensitive data.

If an attacker does capture encrypted VPN traffic they will only see incomprehensible characters going from you to a VPN server – meaning no sensitive data is leaked.

Source: http://www.information-age.com/7-nightmare-cyber-security-threats-smes-secure-123466495/

  • 0

What’s business continuity management and why does your business need it?

Reality check: Modern businesses rely on their digital capabilities now more than ever. Downtime has become a terrifying thing to even utter, let alone consider. This is why an effective business continuity plan has become a cornerstone in every business, with IT-centric businesses being no exception. Business Continuity is all about identifying what your key products are and what you can do to ensure that business continues as usual even in the case of disruptions or catastrophes, no matter the size or cause.

In truth, business continuity planning is not such an alien concept even to regular consumers. Ever planned a holiday? Whenever planning a holiday, we think of the worst case scenarios and how we can come out of them unscathed, without ruining our well-earned trip. We set up plans in case something goes wrong with our ‘core services’ and we’re prepared for it. We search for additional taxi services in the area despite having booked a cab already, or we check for alternate routes should we rent a car. It’s never a good idea to go on a vacation unprepared for something to go wrong, and a business should be no different.

Being the largest multi-site data centre provider in Malta, we are experienced in the business of keeping our customers’ systems online at all costs. The ideal IT services provider should strive to deliver a redundant solution in every component within their setup. At BMIT, we take great care in adopting this approach, from upgrading our core infrastructure services all the way to training our technical team to adopt best-practice methods for optimal business continuity management. Improving redundancy should always be the utmost priority when it comes to introducing new products within an IT Services provider’s portfolio.

Business continuity planning is not such an alien concept even to regular consumers

Studies show that the average total cost of unplanned application downtime per year is €1 billion to €2.5 billion for the Fortune 1000 companies. An hour of infrastructure failure costs an average of €100,000 with the number jumping fivefold to €500,000 to €1m in the case of a critical application failure; certainly not numbers to scoff at.

The digital world undergoes changes every day and it is imperative to constantly keep working to ensure that the systems are up-to-date and relevant to the present realities. The introduction of new ranges of systems and services that protect customers against common business continuity pitfalls always helps to cement the provider’s commitment to ensure the clients’ uptime.

With the world fast approaching an almost completely digitally-dependent era, the dangers of the dark side of the internet become an ever-present reality for the modern digital business. In recent years Distributed Denial of Service attacks, otherwise known as DDoS attacks, have emerged as one of the most disruptive ways in which a business can be brought down to its knees. DDoS attacks are weapons of mass disruption aimed at paralysing internet systems including networks, websites and servers, resulting in lost revenues, compromised site performance and tarnished reputations.

BMIT has had to take these dangers into consideration, especially since even ISPs can be targeted, which would put us at a risk of not being able to provide a connection for our customers. In recent years, we’ve launched a multi-tiered DDoS protection and mitigation system to protect our customers from even the most vicious of DDoS attacks.

From our experience in the industry, we learnt that best-practice is for our private network’s bandwidth needs to be sourced from multiple providers and delivered across multiple redundant links in order to eliminate the risks of our customers going offline through an outage. This setup ensures that our clients are hosted on a reliable and certified ISO27001 network which does not rely on a singular connection.

At BMIT we offer clients various features which help ensure continuity for their business. We now have a multi-tiered DDoS protection and mitigation system protecting our redundant 40gbps private international network. This network consists of multiple geographically-separated links, each of which can take over traffic load should there be any faults in the other links.

Moreover, we have multiple data centres and international points of presence which form a key part of business continuity plans for our customers. Geo-redundancy is a critical aspect of business continuity for international customers, and our presence across countries addresses this. For example, some clients mirror their servers from one data centre to another. In addition, we also offer several backup options as well as managed services options to help our clients achieve a robust business continuity plan.

As part of our portfolio, our customers can also tap into several tools to manage their systems, including advanced firewall solutions as well as virtual load-balancing services. Ultimately, each of our redundant service offerings is a step forward in our customers’ pursuit to ensuring their business stays up.

Customers’ feedback is vital and should always be taken into consideration. Good business continuity practices are a top priority for clients and usually the main reason why providers with great core infrastructures for business continuity retain customers.

Sources: https://www.timesofmalta.com/articles/view/20170528/business-news/What-s-business-continuity-management-and-why-does-your-business-need.649236

  • 0