As US launches DDoS attacks, N. Korea gets more bandwidth—from Russia

Fast pipe from Vladivostok gives N. Korea more Internet in face of US cyber operations.

As the US reportedly conducts a denial-of-service attack against North Korea’s access to the Internet, the regime of Kim Jong Un has gained another connection to help a select few North Koreans stay connected to the wider world—thanks to a Russian telecommunications provider. Despite UN sanctions and US unilateral moves to punish companies that do business with the Democratic People’s Republic of Korea, 38 North’s Martyn Williams reports that Russian telecommunications provider TransTelekom (ТрансТелеКо́m) began routing North Korean Internet traffic at 5:30pm Pyongyang time on Sunday.

The connection, Williams reported, offers a second route for traffic from North Korea’s Byol (“Star”) Internet service provider, which also runs North Korea’s cellular phone network. Byol offers foreigners in North Korea 1Mbps Internet access for €600 (US$660) a month (with no data caps).

Up until now, all Byol’s traffic passed through a single link provided by China Unicom. But the new connection uses a telecommunications cable link that passes over the Friendship Bridge railway bridge—the only connection between North Korea and Russia. According to Dyn Research data, the new connection is now providing more than half of the route requests to North Korea’s networks. TransTelekom (sometimes spelled TransTeleComm) is owned by Russia’s railroad operator, Russian Railways.

A Dyn Research chart showing the new routing data for North Korea's ISP.

A Dyn Research chart showing the new routing data for North Korea’s ISP.

According to a Washington Post report, The Department of Defense’s US Cyber Command had specifically targeted North Korea’s Reconnaissance General Bureau—the country’s primary intelligence agency—with a denial-of-service attack against the organization’s network infrastructure. That attack was supposed to end on Saturday, according to a White House official who spoke with the Post.

While the unnamed official said the attack specifically targeted North Korea’s own hacking operations, North Korea has previously run those operations from outside its borders—from China. So it’s not clear whether the attack would have had any impact on ongoing North Korean cyberespionage operations.


  • 0

National Lottery hit by DDoS attack – down 90 mins at peak demand time

On Saturday the UK National Lottery’s website was down – just as those players who stake online, rather than in retailers, were trying to pick their numbers and part with their cash – thanks to a DDoS attack.

On Saturday the UK National Lottery’s website was down – just as those players who stake online, rather than in retailers, were trying to pick their numbers and part with their cash – thanks to a DDoS attack.

Hitting a retail business causes it to loose money, but in the case of many time-sensitive events, that money can never be recouped,  which was why newspaper print unions were so strong – yesterday’s news is no good tomorrow, and a bet now on last night’s lottery won’t win you much either. Both the gaming sites and the DDoS attackers know this, making gaming both highly targeted and highly defended.

On the other hand, although there are other lotteries, there are not a lot of direct competitors to the National Lottery, so while it offered an apology to those customers unable to use its smartphone app or access its website, a quick fix is likely to retain their custom, but each hit is a direct revenue loss.

According to downdetector, and later confirmed by the National Lottery, the cause was indeed a DDoS attack, but it is not clear if it was the subject of a ransom, or if it might have been a demonstration of capability ahead of a future threat of attack.

Kirill Kasavchenko, principal security technologist at Arbor Networks emailed SC Media UK to comment:  “This latest DDoS attack shows that cyber-criminals are still up to old tricks, this time deliberately targeting the National Lottery website at a time of peak demand. We can also see that response plans are often not up to scratch, with the incident lasting 90 minutes. Websites who are unable to contain a DDoS attack like this risk losing their audience to competitors if they are unable to minimise the disruption, so it is essential that organisations expect cyber-attacks and know how they will respond.

“All organisations must examine their current DDoS defences, and decide whether their current processes are robust enough to ensure operations will not be halted by a DDoS attack. To guard against such attacks, organisations should implement best current practices for DDoS defence. That includes hardening network infrastructures, ensuring complete visibility of all network traffic, and implementing sufficient DDoS mitigation capacity and capabilities. Those mitigation defences ideally should be a combination of on-premises and cloud-based DDoS mitigation services. It is also crucial that organisations ensure their DDoS defence plan is kept updated and is rehearsed on a regular basis.”


  • 0

US pressured North Korea by overwhelming hackers with data traffic

The US is no stranger to hacking North Korea, but it’s usually in a bid to directly thwart the country’s military ambitions. Now, however, those attacks are being used as a diplomatic strategy. The Washington Post has learned that President Trump ordered a broad pressure campaign against North Korea that led to the US conducting a denial of service attack against North Korea’s spying office, the Reconnaissance General Bureau. The move flooded the RGB’s servers with traffic that effectively strangled their internet access, including the Bureau 121 group responsible for the North’s hacking campaigns. And while it clearly didn’t change Kim Jong Un’s mind, it does appear to have had a practical effect.

Reportedly, the initiative was designed to be temporary and only lasted for half a year — Trump signed the order in March, and it ended on September 30th. It wasn’t destructive, either. According to the Post‘s sources, however, North Korean hackers were complaining about the ability to do their jobs during that period.

North Korea certainly isn’t going to get much sympathy. With that said, it raises questions about the use of cyberattacks as a pressure tactic. It no doubt sends the message that the US can cripple a hostile country’s digital warfare capabilities if it wants, but there is the concern that it could escalate an already tense situation. After all, North Korea is the sort of country that claims you can declare war with a tweet — while that’s hyperbolic, it might interpret a denial of service attack as an act of aggression that merits revenge.


  • 0

Australian companies face an increasing threat from domestic DDoS instigators

Mobile botnets, targeted DDoS attacks pose growing threat to Australian targets.

Australian organisations are being hit by over 450 distributed denial of service (DDoS) attacks every day and fully a quarter of them are coming from domestic sources, analysts have warned as figures show DDoS attacks making a resurgence after nearly a year of decline.

New figures from the Arbor Networks ATLAS service – which collects data on DDoS attacks and malware from 400 service providers – suggested that Australian targets suffered 14,000 attacks of various intensity in August alone.

The largest of the attacks, in early August, measured 51.9 Gbps in intensity while the heaviest volume of packets – 15.8 million packets per second – came in an attack later in the month.

While the United States was the largest source of the attacks – comprising 30 percent of the overall total – the lion’s share of the remainder came from Chinese (24 percent), Australian (24 percent), and UK (23 percent) sources.

The August figures reinforce the resurgent threat from DDoS attacks, which flood targets with data in an effort to interrupt their operation for even a short period. They also reflect the continuing flexibility of attackers that were able to build a botnet out of mobile devices to instigate a high-impact DDoS extortion campaign against numerous travel and hospitality organisations.

hat botnet, called WireX, was embedded in around 300 Google Play Store applications and had spread to estimated 130,000 to 160,000 bots that produced over 20,000 HTTP/HTTPS requests per second. On August 17 WireX was taken down through a concerted effort involving Google, Akamai, Cloudflare, Flashpoint, Oracle Dyn, RiskIQ, Team Cymru, and other organisations.

Instigated by devices from over 100 countries, WireX changed quickly as the attacker “learned rapidly to try different techniques to try to thwart the defenders,” Arbor Security Engineering & Response Team (ASERT) principal engineer Roland Dobbins wrote in his analysis of the attack.

WireX reflects the ingenuity being applied to the creation of DDoS attacks as identified in Akamai’s recent Q2 2017 State of the Internet Security Report.

Analysing attacks remediated over Akamai’s core content distribution network, that report noted a 28 percent quarter-on-quarter increase in the total number of DDoS attacks as well as increases in infrastructure layer (by 27 percent), reflection-based (21 percent), and average number of attacks (28 percent) per target.

Changing geographic distribution showed that “geographic profiling is a real and potentially imminent threat to Australia,” Akamai Asia-Pacific senior security specialist Nick Rieniets said in a statement. “When there are changes like this in the threat landscape and when new threats are released, companies need to recognise, acknowledge and assess that volatility, and change their security controls accordingly, and in a timely manner.”

Akamai’s DDoS analysis suggested that the PBot botnet had been tapped once again to generate the biggest DDoS attacks observed in the second quarter. PBot – which Rieniets called “proof that the minute threat actors get access to a new vulnerability they can work out how to weaponise it” – appeared to have primarily infected around 400 Web servers, boosting the volume of data produced per device compared with previous infections such as last year’s Internet of Things-focused Mirai botnet.

The range and efficacy of DDoS attack tactics have highlighted the need for businesses to remain disciplined about their protections, security experts have warned.

“It’s important that organizations implement best current practices (BCPs) for their network infrastructure, application/service delivery stacks, and ancillary supporting services,” Arbor’s Dobbins writes. “This will allow the organization to maintain availability and ensure continuous service delivery even in the face of attack.”

With many organisations found to not have a formal DDoS defense plan in place – and many that do, never rehearsing it – Dobbins said testing needed to become a habit: “It is critical that organizations devise and rehearse their DDoS defense plans in order to ensure that they have the requisite personnel, skills, operational processes, communications plans, and support services in place to defend their Internet properties in a timely and effective manner.”


  • 0

How Big is Your DDoS Mitigation Gap?

The DDoS mitigation industry is scaling up capacity following a consistent increase in the number of DDoS attacks and recent indications that IoT-based DDoS attacks are expected to grow significantly.

The DDoS attack vector continues to wreak havoc in 2017, with a reported 380% spike in the number of DDoS attacks identified in Q1, compared to the same period last year. A recent study shows a year on year increase of 220% in the number of different types of malware designed to hijack IoT devices.

DDoS Mitigation providers are taking heed, with Arbor dedicated to quadrupling their capacity to 8Tbps by the end of 2017, and both Neustar and OVH committing to capacities of over 10Tbps.

A DDoS mitigation Gap occurs whenever DDoS traffic bypasses a company’s DDoS mitigation defenses, and penetrates the target network.

The reasons for such gaps vary from some types of DDoS attacks that are completely unnoticed by DDoS mitigation, to a range of configuration issues that let through traffic that should be mitigated.

However the problem is that visibility of DDoS mitigation gaps is currently nonexistent to those cybersecurity practitioners who are responsible for production uptime.

Companies do not know how well their mitigation is performing, or where their configuration problems are, leaving them and their vendors to troubleshoot issues at the very worst possible time, that is, when systems are down at the height of a DDoS attack.

Results from over 500 DDoS tests run by MazeBolt on companies from a wide range of industries, shows that on their first test, companies failed 41% (on average) of DDoS tests – simulations of real DDoS attacks conducted in a highly controlled manner to help companies understand their mitigation gap so they can strengthen their mitigation proactively.

This means that after a company has deployed their DDoS mitigation strategy, on average it will stop only six out of ten attacks.

To solve this, with insight about where their DDoS mitigation posture was leaking, companies could go back to vendors to reconfigure settings and harden their DDoS mitigation posture.

As depicted in the bar chart below, by repeating the testing cycle only three times, companies were able to reduce their mitigation gap from an average of 41% in the first test to an average of 25% in the second and only 15% in the third – reflecting a 65% strengthening of their DDoS mitigation.

Paraphrasing Heraclitus one might say you can never test the same DDoS mitigation twice, but our data clearly shows that testing it three times will strengthen it considerably.


  • 0

Protecting an online presence – DOSarrest’s technology leads the way

With over a decade of experience protecting websites from malicious traffic, DOSarrest has lead the way from the start. It was one of the first to supply its client base with a real-time statistical dashboard and an intuitive configuration management console. Fast forward to today where it has just released its 5th major software upgrade; it’s these types of leading-edge features and services and a forward-looking road map that keeps it in the top tier of cloud-based DDoS mitigation companies.

Some of DOSarrest’s new enhancements, just released, include an all-new front-end which supplies customers with 15 different statistical displays that are fully interactive, allowing customers to view just the statistics they are interested in. It’s clear from the work the company has put into this system that it knows what’s required to stay on ahead of the ‘bad actors’. It has also redeveloped its back-end software using the latest tools, including a new distributed database structure, which has the advantage of allowing it to develop and deploy new features in a matter of minutes, for attacks not yet even known.

DOSarrest has also fine-tuned their cloud-based Web Application Firewall (WAF), which unlike many of their competitors’ is based on a positive security model, not a negative security model. Most people and even some security techs are not aware of the difference. Have a quick read of the blog post regarding the latest Equifax breach to get a real-life explanation of what happened and how DOSarrest’s cloud-based WAF would have prevented such a devastating data breach.

DOSarrest doesn’t seem to follow its competitors or hyped up media trends; this must be due to its experience over its rivals in the DDoS protection arena. It has just installed a big data analytics cluster, which feeds its customer portal with real-time interactive displays. One asks why big data for a customer portal? DOSarrest will tell you that the real reason is to leverage machine learning. Machine learning, which has been tried by many organizations but proved to be not worth the effort and eventually abandoned by most enterprises, is not the case at DOSarrest. It has leveraged its big data cluster in conjunction with machine learning to yield some impressive results.

DOSarrest states that the most difficult attacks to stop are the ones you don’t really notice. By this it articulates that if a website runs 10 Mb/sec of legitimate traffic it’s very possible to throw 75 Kb/sec of sophisticated, well-placed malicious traffic at the website and cause the website to slow considerably and eventually stop responding to legitimate visitors. Its machine learning system finds this small amount of malicious traffic and blocks it. DOSarrest states it’s like being able to find a needle in a haystack.

In order to prove the point regarding small sophisticated attacks being the most difficult to detect and mitigate, DOSarrest has developed a website attack/stress simulator. This is a brand-new service called the Cyber Attack Preparation Platform (CAPP) and the company is running beta tests for a select number of customers. This service allows customers to login into a platform, input their attack target website, then choose from a selection of over 30 different attacks and even combination attacks. Along with the attacks, it enables users to choose from a variety of regions where one wants the attack to originate from, some of the choices being Europe, eastern or western US, Canada or Asia, or all of them. It also allows one to choose the size of the botnet and the intensity of each bot. Given that this privately-controlled botnet is dangerous in the wrong hands, it is strictly controlled and throttled on a per-user basis.

In summary DOSarrest has proven itself to be a leader in fully-managed cloud-based DDoS protection services and is constantly adding capacity, enhancements, new technology and related security services to its portfolio. Should you be thinking of security for your website operations, DOSarrest is a very experienced, capable and customer-oriented solution provider.


  • 0

CHJ Tech. Teams up with DOSarrest to deliver Internet Security Solutions for the Singapore Government

SINGAPORE, Sept. 25, 2017 (GLOBE NEWSWIRE) — CHJ Technologies Singapore announced today that they have been chosen as one of the 6 approved vendors to supply cloud based DDoS protection and Web Application security services for the Singapore government over the next 3 years.  The Singapore Government expects to spend SGD $50m to keep government websites going even under an attack.  CHJ is the exclusive distributor of DOSarrest Internet security services in Singapore and is utilizing their DDoS and WAF solutions to satisfy the Singapore government’s security requirements.

Linus Choo, Managing Director of CHJ Technologies states “CHJ Technologies has a substantial track record providing cyber security services in Singapore. Having first been awarded DDoS mitigation contracts with the Singapore government in 2014, we are both elated and honored to have been awarded for a second time in this latest tender.  We feel that this renewal of our services is a testament to the calibre of services our team provides and our partnership with DOSarrest.

“Understanding the strategic importance of cyber security services, we align and integrate perfectly with the investments our government is making in DDoS protection and other cyber security services, this makes the continuation of our collaboration with the government all the more valued.  This is a very significant accomplishment for both CHJ Technologies and DOSarrest.”

Mark Teolis, CEO of DOSarrest explains “It was a very rigorous process to meet all the requirements of the Singapore government’s security specifications, in the end we beat out many competitors 3 years ago and we did it again this year.” Teolis adds “CHJ Tech is a great match for us, their staff on the ground and customer support paired with our technology is a home run.”

Choo adds “We are actively exploring other opportunities in the Asean region as a partner with DOSarrest.“

About DOSarrest Internet Security:
DOSarrest, founded in 2007 in Vancouver, B.C., Canada, is one of only a couple of companies worldwide to specialize in only cloud based DDoS protection services.  Additional Web security services offered are Cloud based Web Application Firewall (WAF), Vulnerability Testing and Optimization (VTO), DataCenter Defender – GRE as well as cloud based global load balancingand a simulated DDoS attack Platform.

For more information:

About CHJ Technologies:

Founded in 1987 and headquartered in Singapore, we have become one of Asia’s leading and fastest-growing managed cybersecurity service providers. Our expertise and product lines enable organizations to discover, risks and mitigate them. Continually pushing boundaries, we protect our customers’ critical assets and information wherever it lives – in the cloud and on-premises.

For more information:

Contact Information:
Lew Yong-He
+65 6896 7998


  • 0

How enterprises can fend off DDoS attacks

Though distributed denial of service attacks have been around more than two decades, recently we have seen a spate of DDoS attacks that have increased in complexity and variability. Both the size and frequency of DDoS attacks have gone up, and criminals use these sophisticated attacks to target sensitive data, not just to disrupt businesses. Some recent attacks have exceeded 1 Tbps while the average DDoS attack peaked at 14.1 Gbps in the first quarter of 2017, according to Verisign’s DDoS trends report.

The largest volumetric and highest intensity DDoS attack observed by Verisign in Q1 2017 was a multi-vector attack that peaked over 120 Gbps and around 90 Million packets per second (Mpps). This attack sent a flood of traffic to the targeted network inexcess of 60 Gbps for more than 15 hours.

In a new report, Imperva warns about a new type of ferocious DDoS attack that uses ‘pulse waves’ to hit multiple targets. “Comprising a series of short-lived bursts occurring in clockwork-like succession, pulse wave assaults accounted for some of the most ferocious DDoS attacks we mitigated in the second quarter of 2017. In the most extreme cases, they lasted for days at a time and scaled as high as 350 gigabits per second (Gbps). We believe these represent a new attack tactic, designed to double the botnet’s output and exploit soft spots in traditional mitigation solutions,“ says Robert Hamilton, director, Imperva.

“DDoS attacks are rarely complex. They are the result of a volumetric based attack which results in a platform, application or service being rendered unavailable for the user. The biggest changes we have seen through evolution over the last few years are mostly within the amount of bandwidth attackers have at their disposal. This is due to the amount of more interconnected devices we now have on the Internet. We have three main types of DDoS attack, one is a volumetric, which accounts for most DDoS attacks, secondly we have application and lastly protocol level attacks,” says Warren Mercer, security researcher at Cisco Talos.

Ransom is another growing trend in DDoS. “Ransom related attacks seem to be a trending issue as of late. Too many organisations are paying out these ransom requests, in an effort to remove themselves from the cross hairs of a DDoS attack – this behaviour likely causes an increase in ransom attack activity. Besides the financial loss that a company may experience by paying the ransom, companies must consider that they will still be subject to a DDoS attack even after the ransom has been paid,” says Stephanie Weagle, VP, Corero.

What do you do if you are a CISO dealing with massive DDoS attack? What are your tips for CISOs dealing with massive DDoS attacks? “First thing would be to make sure the network is well prepared for such attacks. Making sure that there are protections and processes in place is critical. It’s also important to remember that the DDoS attack might not be the actual attack but just a distraction,” says Kalle Bjorn, director-systems engineering, Fortinet.

Mohammed Al Moneer, regional director,  A10 Networks, says the challenge for defenders is to distinguish good and bad behaviour largely by analysing the instrumented data available from server logs and traffic behaviour reported from networking tools.  In effect, threat hunting is the act of finding a needle in a haystack of logs and flow data.  Unlike the stealth required for dropping malware or stealing data, DDoS is loud and does not hide in the shadows.

Alaa Hadi, regional director, Arbor Networks, says these very large attacks must be mitigated in the cloud, as close to the source as possible. I would also caution CISOs that to have cloud protection is only a partial defence against modern DDoS attacks. They also target applications and infrastructure, like firewalls, with low and slow attacks that cannot be detected in the cloud. The place to protect against these attacks is on-premise, with a tight connection to the cloud, as a means of providing mitigation support for large attacks. Only with this multi-layer, hybrid approach is a business fully protected from DDoS attacks.

Another alarming trend in DDoS has been the rise of DDoS attacks using IoT devices, as we have seen in the case of Mirai botnet, which infected tens of millions of connected devices.

“IoT can have positive implications across several core industries such as manufacturing, retail, transportation, and healthcare. However, it’s important to bear in mind that a higher number of connected devices translates to more points of entry for attackers to penetrate. Criminals can leverage these end points to steal confidential information from businesses, distribute malware, or takeover the capacity and network bandwidth of connected ‘things’ to carry out massive strikes. The necessary tools and best practices to mitigate such threats are well-known and available in the application security field,” says Hadi Jaafarawi, managing director, Qualys Middle East.

Bjorn from Fortinet adds compromised IoT devices are a massive potential traffic generator source for attackers. Securing the organisations own systems would prevent them from being used in attacks against others. Manufacturers should also work actively to ensure their own devices are fixed when vulnerabilities are found, unfortunately there are multiple IoT devices on the market that cannot be even upgraded, this means that the security will lie on the network where the devices connect to.


  • 0

DDoS Extortion Group Sends Ransom Demand to Thousands of Companies

A group of DDoS extortionists using the name of Phantom Squad has sent out a massive spam wave to thousands of companies all over the globe, threating DDoS attacks on September 30, if victims do not pay a ransom demand.

The emails spreading the ransom demands were first spotted by security researcher Derrick Farmer and the threats appear to have started on September 19 and continued ever since.

Hackers looking for small $700 ransoms

The emails contain a simple threat, telling companies to pay 0.2 Bitcoin (~$720) or prepare to have their website taken down on September 30.

Sample of a Phantom Squad DDoS ransom email
Sample of a Phantom Squad DDoS ransom email

Usually, these email threats are sent to a small number of companies one at a time, in order for extortionists to carry out attacks if customers do not pay.

This time, this group appears to have sent the emails in a shotgun approach to multiple recipients at the same time, a-la classic spam campaigns distributing other forms of malware.

Because of this, several experts who reviewed the emails and ransom demands reached the conclusion that the group does not possess the firepower to launch DDoS attacks on so many targets on the same day, and is most likely using scare tactics hoping to fool victims into paying.

Extortionists are not the sharpest tool in the shed

The size of this email spam wave is what surprised many experts. Its impact was felt immediately on social media [1, 2, 3, 4] and on webmaster forums, where sysadmins went looking for help and opinions on how to handle the threat.

Bleeping Computer reached out to several security companies to get a general idea of the size of this spam wave.

“Not sure how widespread it is in terms of volume, but they are certainly spamming a lot of people,” Justin Paine, Head of Trust & Safety at Cloudflare, told Bleeping.

“We’ve had 5 customers so far report these ‘Phantom Squad’ emails,” he added. “These geniuses even sent a ransom threat to the noc@ address for a major DDoS mitigation company.”

Extortionists are “recycling” email text

Radware engineers received similar reports, so much so that the company issued a security alert of its own.

Radware security researcher Daniel Smith pointed out that the extortionists may not be the real Phantom Squad, a group of DDoS attackers that brought down various gaming networks in the winter of 2015 [1, 2].

Smith noticed that the ransom note was almost identical to the one used in June 2017 by another group of extortionists using the name Armada Collective. Those extortion attempts through the threat of DDoS attacks also proved to be empty threats, albeit some were successful.

“The part that I find interesting is the low ransom request compared to the ransom request last month,” Smith told Bleeping Computer. “Last month a fake RDoS group going by the name Anonymous ransomed several banks for 100 BTC.”

Experts don’t believe the group can launch DDoS attacks

This shows an evolution in ransom DDoS (RDoS) attacks, with groups moving from targeting small groups of companies within an industry vertical to mass targeting in the hopes of extracting small payments from multiple victims.

“This is what the modern RDoS campaign has come to,” Smith also said. “In the spring of 2016 after a lull in RDoS attacks, a group emerged calling themselves the Armada Collective, but their modus operandi had clearly changed. This group claiming to be Armada Collective was no longer targeting a small number of victims but instead were targeting dozens of victims at once without launching a sample attack.”

“As a result, these attackers were able to make thousands of dollars by taking advantage of public fear and a notorious name. Several other copycat groups that emerged in 2016 and 2017 also leveraged the names of groups like, New World Hackers, Lizard Squad, LulzSec, Fancy Bear, and Anonymous.”

“To launch a series of denial-of-service attacks, this group will require vast resources. Therefore, when a group sends dozens of extortion letters, they typically will not follow through with a cyber-attack,” Smith said.

Smith’s opinion is also shared by Paine, who recently tweeted “ransom demands from this group = spam” and “empty threats, zero attacks from this copycat.”

Victims should report extortion attempts to authorities

Japan CERT has issued a security alert informing companies how to handle the fake demands by reporting the emails to authorities.

Today, security researcher Brad Duncan also published an alert on the ISC SANS forums, letting other sysadmins and security researchers know not to believe the ransom threats.


  • 0

DDoS protection, mitigation and defense: 7 essential tips

Protecting your network from DDoS attacks starts with planning your response. Here, security experts offer their best advice for fighting back.

DDoS attacks are bigger and more ferocious than ever and can strike anyone at any time. With that in mind we’ve assembled some essential advice for protecting against DDoS attacks.

1. Have your ddos mitigation plan ready

Organizations must try to anticipate the applications and network services adversaries will target and draft an emergency response plan to mitigate those attacks.

IBM’s Price agrees. “Organizations are getting better at response. They’re integrating their internal applications and networking teams, and they know when the attack response needs to be escalated so that they aren’t caught off guard. So as attackers are becoming much more sophisticated, so are the financial institutions,” she says.

“A disaster recovery plan and tested procedures should also be in place in the event a business-impacting DDoS attack does occur, including good public messaging. Diversity of infrastructure both in type and geography can also help mitigate against DDoS as well as appropriate hybridization with public and private cloud,” says Day.

“Any large enterprise should start with network level protection with multiple WAN entry points and agreements with the large traffic scrubbing providers (such as Akamai or F5) to mitigate and re-route attacks before they get to your edge.  No physical DDoS devices can keep up with WAN speed attacks, so they must be first scrubbed in the cloud.  Make sure that your operations staff has procedures in place to easily re-route traffic for scrubbing and also fail over network devices that get saturated,” says Scott Carlson, technical fellow at BeyondTrust.

2. Make real-time adjustments

While it’s always been true that enterprises need to be able to adjust in real-time to DDoS attacks, it became increasingly so when a wave of attacks struck many in the financial services and banking industry in 2012 and 2013, including the likes of Bank of America, Capital One, Chase, Citibank, PNC Bank and Wells Fargo. These attacks were both relentless and sophisticated. “Not only were these attacks multi-vector, but the tactics changed in real time,” says Gary Sockrider, solutions architect for the Americas at Arbor Networks. The attackers would watch how sites responded, and when the site came back online, the hackers would adjust with new attack methods.

“They are resolute and they will hit you on some different port, protocol, or from a new source. Always changing tactics,” he says. “Enterprises have to be ready to be as quick and flexible as their adversaries.”

3. Enlist DDoS protection and mitigation services

John Nye, VP of cybersecurity strategy at CynergisTek explains that there are many things enterprises can do on their own to be ready to adjust for when these attacks hit, but enlisting a third-party DDoS protection service may be the most affordable route. “Monitoring can be done within the enterprise, typically in the SOC or NOC, to watch for excessive traffic and if it is sufficiently distinguishable from legitimate traffic, then it can be blocked at the web application firewalls (WAF) or with other technical solutions. While it is possible to build a more robust infrastructure that can deal with larger traffic loads, this solution is substantially costlier than using a third-party service,” Nye says.

Chris Day, chief cybersecurity officer at data center services provider Cyxtera, agrees with Nye that enterprises should consider getting specialty help. “Enterprises should work with a DDoS mitigation company and/or their network service provider to have a mitigation capability in place or at least ready to rapidly deploy in the event of an attack.”

“The number one most useful thing that an enterprise can do — if their web presence is that critical to their business — is to enlist a third-party DDoS protection service,” adds Nye. “I will not recommend any particular vendor in this case, as the best choice is circumstantial and if an enterprise is considering using such a service they should thoroughly investigate the options.”

4. Don’t rely only on perimeter defenses

Everyone we interviewed when reporting on the DDoS attacks that struck financial services firms a few years ago found that their traditional on-premises security devices — firewalls, intrusion-prevention systems, load balancers —were unable to block the attacks.

“We watched those devices failing. The lesson there is really simple: You have to have the ability to mitigate the DDoS attacks before it gets to those devices. They’re vulnerable. They’re just as vulnerable as the servers you are trying to protect,” says Sockrider, when speaking of the attacks on banks and financial services a few years ago. Part of the mitigation effort is going to have to rely on upstream network providers or managed security service providers that can interrupt attacks away from the network perimeter.

It’s especially important to mitigate attacks further upstream when you’re facing high-volume attacks.

“If your internet connection is 10GB and you receive a 100GB attack, trying to fight that at the 10GB mark is hopeless. You’ve already been slaughtered upstream,” says Sockrider.

5. Fight application-layer attacks in-line

Attacks on specific applications are generally stealthy, much lower volume and more targeted.

“They’re designed to fly under the radar so you need the protection on-premises or in the data center so that you can perform deep-packet inspection and see everything at the application layer. This is the best way to mitigate these kinds of attacks,” says Sockrider.

“Organizations will need a web protection tool that can handle application layer DoS attacks,” adds Tyler Shields, VP of Strategy, Marketing & Partnerships at Signal Sciences. “Specifically, those that allow you to configure it to meet your business logic. Network based mitigations are no longer going to suffice,” he says.

Amir Jerbi, co-founder and CTO is Aqua Security, a container security company, explains how one of the steps you can take to protect against DDoS attacks is to add redundancy to an application by deploying it on multiple public cloud providers. “This will ensure that if your application or infrastructure provider is being attacked then you can easily scale out to the next cloud deployment,” he says.

6. Collaborate

The banking industry is collaborating a little when it comes to these attacks. Everything they reveal is carefully protected and shared strictly amongst themselves, but in a limited way, banks are doing a better job at collaborating than most industries.

“They’re working among each other and with their telecommunication providers. And they’re working directly with their service providers. They have to. They can’t just work and succeed in isolation,” says Lynn Price, IBM security strategist for the financial sector.

For example, when the financial services industry was targeted, they turned to the Financial Services Information Sharing and Analysis Center for support and to share information about threats. “In some of these information-sharing meetings, the [big] banks are very open when it comes to talking about the types of attacks underway and the solutions they put into place that proved effective. In that way, the large banks have at least been talking with each other,” says Rich Bolstridge, chief strategist of financial services at Akamai Technologies.

The financial sector’s strategy is one that could and should be adopted elsewhere, regardless of industry.

7. Watch out for secondary attacks

As costly as DDoS attacks can be, they may sometimes be little more than a distraction to provide cover for an even more nefarious attack.

“DDoS can be a diversion tactic for more serious attacks coming in from another direction. Banks need to be aware that they have to not only be monitoring for and defending the DDoS attack, but they also have to have an eye on the notion that the DDoS may only be one aspect of a multifaceted attack, perhaps to steal account or other sensitive information,” Price says.

8. Stay vigilant

Although many times DDoS attacks appear to only target high profile industries and companies, research shows that’s just not accurate. With today’s interconnected digital supply-chains (every enterprise is dependent on dozens if not hundreds of suppliers online), increased online activism expressed through attacks, state sponsored attacks on industries in other nations, and the ease of which DDoS attacks can be initiated, every organization must consider themselves a target.

So be ready, and use the advice in this article as a launching point to build your organization’s own anti-DDoS strategy.


  • 0