400Gbps NTP-based DDOS attack – largest DDOS attack in History

Until a week ago, it was believed that the distributed denial-of-service (DDoS) attack against Spamhaus was the largest in history. Now an even bigger DDoS attack has been recorded by the content delivery network CloudFlare.

Matthew Prince, CloudFlare's CEO, said on Twitter that a very big NTP reflection attack was hitting them and appeared to be bigger than the Spamhaus attack of last year.

According to Matthew, the attack reached 400Gbps, which is 100Gbps higher than the DDoS attack targeting Spamhaus.

CloudFlare said all websites have returned to production.

The founder of French hosting firm OVH also said its network had received more than 350Gbps of traffic, but it is not clear whether the two events are related.

Last month, CloudFlare also wrote an article detailing the Network Time Protocol (NTP)-based DDoS attacks that caused trouble for some gaming websites and service providers.

NTP is a UDP-based protocol that runs on port 123 and is used by Internet-connected computers to set their clocks accurately. A client synchronizes with a server and receives the current time.

Experts say this protocol is prone to amplification attacks because it will respond to packets with a spoofed source IP address “and because at least one of its built in commands will send a long reply to a short request. That makes it ideal as a DDoS tool.”

Lists of open NTP servers on the Internet allow attackers to launch denial-of-service attacks against any target network.

Source: http://www.ehackingnews.com/2014/02/400gbps-ntp-based-ddos-attack-hits.html

DDoS-for-hire service is legal and even lets FBI peek in, says a guy with an attorney

Paying a site to DDoS other sites is perfectly legal, the proprietor behind one such outfit told security journalist Brian Krebs.

Besides which, he says, his service, called RageBooter, even features a nifty backdoor that lets the FBI monitor customer activity.

The conversation took place recently between Krebs and Justin Poland, the US man from Memphis, Tennessee whom Krebs sniffed out via WHOIS lookup and Facebook.

According to Poland, DDoSing the beejezus out of sites is perfectly legal/justifiable/morally kosher because:

  1. It’s “a public service on a public connection to other public servers”;
  2. His service merely takes advantage of default settings of some DNS servers; and
  3. Spoofing a sender address is legal and OK because if a root user of the server doesn’t like it they just have to disable recursive DNS.

Regarding item No. 3, recursion is the act of querying additional DNS servers to resolve queries a DNS server can’t resolve from its own database.

Microsoft, for its part, confirms that yes, attackers can use recursion to deny the DNS Server service and has this TechNet article on how to disable it.

In short, Poland told Krebs, RageBooter is just a “legal testing service”:

How individuals use it is at there [sic] own risk and responsibilitys [sic]. I do not advertise this service anywhere nor do I entice or encourage illegal usage of the product.

How the user uses it is at their own risk. I provide logs to any legal law enforcement and keep logs for up to 7 days.

About that ready accommodation of “any legal law enforcement”: when Krebs asked Poland whether police or other authorities had ever asked for information about his customers, Poland told him that well, actually, he works for the FBI.

From Krebs’ account of the Facebook chat he had with Poland:

I also work for the FBI on Tuesdays at 1pm in memphis, tn. They allow me to continue this business and have full access.

The FBI also use the site so that they can moniter [sic] the activitys [sic] of online users.. They even added a nice IP logger that logs the users IP when they login.

When Krebs called the number Poland gave him to check with the FBI, the man on the other end got peeved and referred him to the FBI’s press office, which in turn wouldn’t confirm or deny any of this.

Poland, for his part, stopped talking with Krebs, saying he’d been instructed to block him. His Facebook page disappeared within moments of Krebs receiving this message:

I have been asked to block you. Have a nice day.

Regarding the legality of hiring a DDoS service, Krebs checked with Mark Rasch, a security expert and former attorney for the US Department of Justice.

Rasch told Krebs that while companies regularly hire network stress-testing services, it’s generally part of a more inclusive penetration testing engagement in which those conducting the tests insist on first getting a “get out of jail free card” – e.g., a notarized letter from the customer stating that the testing firm was hired to break into and probe the security and stability of a targeted site.

Krebs quotes Rasch:

This is also why locksmiths generally force you to show ID that proves your address before they’ll break into a house for you...

The standard in the security industry is not only to require proof that you own the sites that are going to be shut down or attacked, but also an indemnification provision.

I checked with Sophos’ IT security manager, Ross McKerchar, who regularly fends off DDoS attacks, to see what he thought of DDoS legality. Unsurprisingly, he says DDoS should “clearly” be illegal, and the fact that it’s not illegal everywhere is just evidence of the law lagging:

To use an analogy, even if I have a very poor lock and no alarm system it’s still illegal to break in to my property.

The argument regarding reflected DNS attacks is “even weaker”, McKerchar says:

You are at risk to these attacks regardless of your own DNS servers: the problem is that any misconfigured DNS server can be used to attack someone else.

To say that it’s legit to attack company A, because unrelated companies B, C & D have poor security doesn’t really hold water.

None of this is meant to excuse poor security, of course.

To extend the lock analogy even further, McKerchar says:

If a bank had a rubbish lock and no alarm system, I think most people would agree that they bore some responsibility for a break-in. Larger companies should recognize and plan for the risk of DDoS attacks, given they are so easy to execute.

I think it would be fair to say that any company that doesn’t, and depends on their internet-facing systems for revenue is running a major risk, bordering on negligence.

Krebs’ sleuthing on this issue is far more extensive than this write-up. It’s definitely worth a read to check his original article, which provides more on the booter market, the nature of the backdoor which the FBI may or may not have into RageBooter, and how booters’ biggest threats are attacks from each other.

One interesting aspect of these services is how they use PayPal to fund their activities.

When Krebs checked with PayPal about this, the company told him that the use of its service for DDoS-for-hire sites would violate its terms of use agreement.

From its statement to Krebs:

While we cannot share specifics on our customers’ accounts due to our privacy policy, we can confirm that we will review suspicious accounts for malicious activity and work with law enforcement to ensure cyber criminals are reported properly.

We take security very seriously at PayPal and we do not condone the use of our site in the sale or dissemination of tools, which have the sole purpose to attack customers and illegally take down web sites.

PayPal will work with law enforcement to take down something that the FBI might well have its hand in? Up to the elbow and beyond?

Sure. OK. Right.

Eyebrow arched.

Source: http://nakedsecurity.sophos.com/2013/05/21/ddos-for-hire-service-is-legal-and-even-lets-fbi-peek-in-says-a-guy-with-an-attorney/


Tips for validating DDoS defenses

Prolexic has issued a number of recommendations that organizations can use to validate their DDoS defenses, as well as protection services they receive from mitigation providers.

Organizations should work closely with their DDoS mitigation providers to complete a professional, planned provisioning and service validation.

The only way to be sure that DDoS protection will be effective is through proactive validation against different types of attack scenarios.

Best practices:

  • With the DDoS mitigation service active, verify that all applications are performing properly.
  • Verify that all routing and DNS is working.
  • In partnership with your mitigation service provider, generate a few gigabits of controlled traffic to validate the alerting, activation and mitigation features of the service.
  • Test small levels of traffic without scrubbing and without any DDoS protection to validate that your on-premise monitoring systems are functioning correctly. This action will also help you identify the stress points on your network.
  • Conduct baseline testing and calibrate systems to remediate any network vulnerabilities.
  • Schedule validation tests on a regular basis (yearly or quarterly) with your DDoS mitigation service provider to validate that the service configuration is still working correctly – and eliminate the risk of network element failures due to DDoS. If network issues arise during testing, your service provider may need to make modifications based on recent changes to your network, such as modified firewall rules, firmware updates and router reconfiguration.

Source: http://www.net-security.org/secworld.php?id=14911

May 7th 2013: OpUSA Banks Face Uncertain Threat DDoS Attack

Banks may be about to endure yet another cyberattack by hacktivist groups.

The hacker collective Anonymous has joined with groups throughout the Middle East and North Africa to vow a series of so-called denial of service attacks this Tuesday against financial institutions, other U.S. firms and government agencies.

The campaign, which hacktivists have dubbed OpUSA, comes in retaliation for what backers say are U.S. war crimes in Iraq, Afghanistan and Pakistan.

“Anonymous will make sure that this May 7th will be a day to remember,” the group wrote in a message posted April 24 on Pastebin, a website used by programmers.

The threat follows a similar campaign against commercial and government targets in Israel by Anonymous, which has claimed responsibility for a series of attacks on financial networks and online sites in that country.

The attacks are expected to consist mostly of “nuisance-level attacks against publicly accessible webpages and possibly data exploitation,” the U.S. Department of Homeland Security warned on May 1 in a bulletin obtained by Krebs on Security. “The criminal hackers behind the OpUSA campaign most likely will rely on commercial tools to exploit known vulnerabilities, rather than developing indigenous tools or exploits.”

“Independent of the success of the attacks, the criminal hackers likely will leverage press coverage and social media to propagate an anti-U.S. message,” DHS added.

No major online sites had been adversely affected as of Monday afternoon, according to Radware, a digital security firm that is monitoring the threat.

Experts say publicly announced attacks can vary in credibility and are sometimes just a bid for attracting attention. “If the attackers follow the same patterns as previously witnessed during the [Operation Israel] attacks, then targets can expect a mixture of attacks,” including “denial of service attacks and web application exploits,” Mike Schiffman, a security researcher at Cisco, wrote recently. “Given the lack of specific details about participation or capabilities, the exact severity of the attack can’t be known until it (possibly) happens.”

Source: http://www.americanbanker.com/issues/178_87/banks-face-uncertain-threat-from-cyberattack-planned-tuesday-1058881-1.html

WordPress Sites Attacked; May Be Prep for DDoS Barrage

If you haven’t used WordPress to publish a blog, you surely have at least visited a WordPress-powered site to read a blog or other content. It’s so easy to use that it has become one of the most popular blogging and Web publishing platforms in the world.

Now, it’s under attack by hackers. And that could put you under attack.

“The attacker is brute-force attacking the WordPress administrative portals, using the username ‘admin’ and trying thousands of passwords,” said CloudFlare, a Web site optimization firm, in its blog. “It appears a botnet is being used to launch the attack and more than tens of thousands of unique IP addresses have been recorded attempting to hack WordPress installs.”

A Rare Target

According to CloudFlare, one of the concerns of an attack like this is that the attacker is using a relatively weak botnet of home PCs in order to build a much larger botnet of beefy servers in preparation for a future attack.

“These larger machines can cause much more damage in DDoS attacks because the servers have large network connections and are capable of generating significant amounts of traffic,” the company said. “This is a similar tactic that was used to build the so-called itsoknoproblembro/Brobot botnet which, in the fall of 2012, was behind the large attacks on U.S. financial institutions.”

Graham Cluley, a senior security analyst at Sophos, said WordPress was a target because it powers many millions of Web sites around the world.

“If the owners of those Web sites haven’t locked down their sites properly, they could be hijacked by cybercriminals for their own purposes. Sadly, many people do still choose poor username/password combinations,” Cluley said. “Botnets continue to be a major problem. But it’s rare for us to see an attack targeting WordPress sites in this way on this scale.”

Dictionary Attacks

Cluley’s colleague, Sophos security analyst Paul Ducklin, said that since it would take too long to try every possible username and password on every known WordPress or Joomla server, this onslaught is using what is known as a dictionary attack. The strategy is to automate the password guessing, speed up the attack, and not spend too long on any individual site.

“Not being the low-hanging fruit isn’t a generic solution to this problem, as it’s a bit like outrunning your buddy when you are chased by a hungry lion: It saves you, but leaves someone else to take the hit,” Ducklin wrote in a blog post. “But that is no reason not to move your fruit to higher branches. Remember that if someone breaks into your server, that’s bad for you, but it is also bad for everyone else.”

Ducklin warned that not setting strong passwords gives the crooks a free ride for hosting malware, launching further attacks, publishing phishing pages, disseminating fake updates or bogus information, and much more.

“All with your imprimatur, and, in the end, with your services blacklisted by anyone who’s security conscious. Remember, password-guessing attacks of this sort happen all the time,” he said. “The attack volume in this case has been sufficient to attract global attention, which is a good thing, but it’s currently thought to be only about three times the usual level.

“In other words, even when ‘normal service’ is resumed, we’ll all still be firmly in the sights of the cybercriminals, so take this as a spur to action!”

Source: http://www.cio-today.com/news/WordPress-Web-Sites-Under-Attack/story.xhtml?story_id=033003176VMR&full_skip=1

Top Bitcoin exchange Mt. Gox blames outage on massive DDoS attack

After an outage yesterday that helped cause Bitcoin prices to plummet, No. 1 Bitcoin market Mt. Gox said it is experiencing a major Distributed Denial of Service (DDoS) attack by people aiming to destabilize the currency or profit from it.

Bitcoin is a virtual currency that isn’t regulated by any government, and that people can use to make international monetary transfers that are free, easy, instantaneous, and hard to trace. The single largest exchange to buy and sell Bitcoins is Mt. Gox, which handles more than 70 percent of Bitcoin trades in the world and facilitates more than 420,000 trades per month.

But yesterday, Mt. Gox went offline, helping drive Bitcoin prices down about $30. Additionally, Bitcoin wallet service Instawallet shut down “indefinitely” due to a hacking incident, and that could have also played a role in the price of Bitcoins dropping.

Mt. Gox writes in a lengthy post on Facebook (emphasis ours):

It’s been an epic few days on Bitcoin, with prices going up as high as $142 per BTC. We all hope that this is just the beginning!

However, there are many who will try to take advantage of the system. The past few days were a reminder of this sad truth.

Mt. Gox has been suffering from its worst trading lag ever, 502 errors, and at one point some users were not able to log in to their account. The culprit is a major DDoS attack against Mt.Gox.

Since yesterday, we are continuing to experience a DDoS attack like we have never seen. While we are being protected by companies like Prolexic, the sheer volume of this DDoS left us scrambling to fine-tune the system every few hours to make sure that things don’t go beyond a few 502 error pages and trading lag.

Why has Mt.Gox become the target of a DDoS attack?

It is not yet clear who is behind this DDoS and we may never know, but these actions seem to have two major purposes:

1. Destabilize Bitcoin in general.

It is not a secret Mt.Gox is the largest Bitcoin exchange with more than 80% of all USD trades and more than 70% of all currencies. Mt.Gox is an easy target for anyone that wants to hurt Bitcoin in general.

2. Abuse the system for profit.

Attackers wait until the price of Bitcoins reaches a certain value, sell, destabilize the exchange, wait for everybody to panic-sell their Bitcoins, wait for the price to drop to a certain amount, then stop the attack and start buying as much as they can. Repeat this two or three times like we saw over the past few days and they profit.

Mt. Gox said there isn’t much it can actually do about the DDoS attacks and that all sorts of companies are frequently victims of these sorts of attacks. It did say there was one thing it could do to help protect itself further from attacks.

“There are a few things that we can implement to help fight the attacks, such as disconnecting the trade engine backend from the Internet,” the company said. “By separating the data center from the Mt. Gox website, we will continue to be able to trade.”

Bitcoin prices are sitting at about $135 per Bitcoin as of this writing. That’s not quite the high of $142 from yesterday but it’s considering the outage and large drop in prices yesterday.


Source: http://venturebeat.com/2013/04/04/mt-gox-outage-ddos-attack/

Internet creaks following DDoS attack on Spamhaus

Spamhaus accused Cyberbunker of the attack

UK and Switzerland-based nonprofit organisation Spamhaus, which operates a filtering service, has been hit by a distributed denial of service (DDoS) attack, which several security companies claim is the largest DDoS to date.

Spamhaus chief executive Steve Linford said that the company has been under this cyber-attack for more than a week.

“They are targeting every part of the internet infrastructure that they feel can be brought down,” Linford added.

Security firm Kaspersky Lab confirmed the attack and claimed it was the largest DDoS cyber attack. Kaspersky Lab said: “Based on the reported scale of the attack, which was evaluated at 300 Gigabits per second, we can confirm that this is one of the largest DDoS operations to date. There may be further disruptions on a larger scale as the attack escalates.”

The cyberattacks on Spamhaus started when it added the Netherlands-based web hosting firm, Cyberbunker, to its global blacklist.

According to a CloudFlare blogpost, the attack was initially approximately 10Gbps generated largely from open DNS recursors on 18th March, while on March 19, the attack increased in size, peaking at approximately 90Gbps.

The attack fluctuated between 90Gbps and 30Gbps until 01:15 UTC of March 22.

A DDoS attack is an attempt to make a machine or network resource unavailable to its intended users, most commonly by saturating the target machine with external communications requests.

Earlier this year, Gartner predicted that the number of sophisticated attacks on e-commerce and financial industries will increase in 2013. The research firm expects that high-bandwidth DDoS attacks will become the new norm and be particularly damaging to unprepared enterprises.

Source: http://security.cbronline.com/news/internet-slows-down-following-ddos-attack-on-spamhaus-280313

BIGGEST DDoS attack in history FAILS to slash interweb arteries

The massive 300Gbit-a-second DDoS attack against anti-spam non-profit Spamhaus this week didn’t actually break the internet’s backbone, contrary to many early reports.

The largest distributed denial-of-service (DDoS) assault in history began on 18 March, and initially hit the Spamhaus website and CloudFlare, the networking biz hired by the spammer-tracking outfit to keep its systems online, at 90Gbps. After failing to knock the organisation offline, the attackers targeted CloudFlare’s upstream ISPs as well as portions of the networks at internet traffic exchanges in London and Amsterdam.

The volume of this second-wave attack, which began on 22 March, hit 300Gbps, an unnamed tier-1 service provider apparently told CloudFlare.

By far the largest source of attack traffic against Spamhaus came from DNS reflection, which exploits well-meaning, public-facing DNS servers to flood a selected target with network traffic – this is opposed to the usual tactic of using a huge botnet army of compromised computers.

DNS reflection attacks involve sending a request for a large DNS zone file to a DNS server; the request is crafted to appear as though it originated from the IP addresses of the victim. The server then responds to the request but sends the wad of data to the victim. The attackers’ requests are only a fraction of the size of the responses, meaning the attacker can effectively amplify his or her attack by a factor of 100 from the volume of bandwidth they control.

CloudFlare reckons there were 30,000 DNS servers involved in the attack against Spamhaus, which might have been launched from only a small botnet or cluster of virtual servers. The attack against Spamhaus and CloudFlare proved there is a serious design flaw in the underpinnings of the internet, one that security experts such as Team Cymru and others have been warning about for years – although the use of DNS servers in DDoS attacks is rare, Rob Horton from NCC Group told El Reg.

The open DNS server problem is both a huge and under-reported issue involving 21.7 MILLION DNS resolvers that can be abused to launch equally ferocious attacks in future.

But the good news is that fixing the problem only requires small changes in configuration files that take only minutes. Everybody El Reg has spoken to agrees there’s a problem with open DNS servers with some even suggesting the easily abused resource may replace botnets as a launchpad for DDoS attacks.
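The reflection and amplification mechanism described here, and in the NTP article at the top of this page, shows up in flow data as a UDP service whose replies are many times larger than the requests that trigger them. The following added example (not code from any of the articles or vendors quoted on this page) pairs NetFlow-style request and reply records in a constructed format, computes that ratio per server, and names the address receiving most of the amplified bytes, which under a spoofed-source attack is the victim; the thresholds, sample addresses and byte counts are assumptions.

```python
"""Spot UDP services on your own network that behave as reflection amplifiers.

Added example, not code from the articles above.  Reads NetFlow-style
records (constructed one-line-per-flow format), pairs each request to a
watched service port with the reply flow going the other way, and reports
servers whose replies are many times larger than the requests.  That ratio
is what makes open NTP servers and open DNS recursors useful to an attacker,
so a defender running this over border flow exports finds the hosts whose
configuration needs tightening (e.g. disabling open recursion).
"""
from collections import defaultdict
from dataclasses import dataclass

# Well-known UDP service ports: NTP (123, as the article says) and DNS (53).
WATCHED_PORTS = {123: "ntp", 53: "dns"}
# Thresholds are assumptions for this example, not figures from the articles.
AMPLIFICATION_THRESHOLD = 10.0  # reply bytes / request bytes
MIN_EXCHANGES = 3               # ignore one-off lookups


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    packets: int
    nbytes: int


def parse_flow(line):
    """Parse 'src:sport -> dst:dport proto packets bytes' (constructed format)."""
    left, right = line.split("->")
    src, sport = left.strip().rsplit(":", 1)
    dst_port, proto, packets, nbytes = right.split()
    dst, dport = dst_port.rsplit(":", 1)
    return Flow(src, int(sport), dst, int(dport), proto.lower(), int(packets), int(nbytes))


def find_amplifiers(lines, threshold=AMPLIFICATION_THRESHOLD, min_exchanges=MIN_EXCHANGES):
    """Return {(server_ip, port): report} for watched UDP services whose replies
    dwarf the requests; report holds service, ratio, exchanges and top_target."""
    flows = [parse_flow(ln) for ln in lines if ln.strip() and not ln.startswith("#")]
    # Index every UDP flow by its 5-tuple so a request can find its reply.
    by_key = {(f.src, f.sport, f.dst, f.dport): f for f in flows if f.proto == "udp"}
    stats = defaultdict(lambda: {"in": 0, "out": 0, "n": 0, "targets": defaultdict(int)})
    for req in flows:
        if req.proto != "udp" or req.dport not in WATCHED_PORTS:
            continue  # only requests *to* a watched service can trigger a reply
        reply = by_key.get((req.dst, req.dport, req.src, req.sport))
        if reply is None:
            continue  # unanswered request: nothing was amplified
        s = stats[(req.dst, req.dport)]
        s["in"] += req.nbytes
        s["out"] += reply.nbytes
        s["n"] += 1
        # With a spoofed source, req.src is the victim: that is where the bytes land.
        s["targets"][req.src] += reply.nbytes
    findings = {}
    for key, s in stats.items():
        ratio = s["out"] / s["in"] if s["in"] else 0.0
        if s["n"] >= min_exchanges and ratio >= threshold:
            top = max(s["targets"].items(), key=lambda kv: kv[1])[0]
            findings[key] = {"service": WATCHED_PORTS[key[1]], "ratio": round(ratio, 1),
                             "exchanges": s["n"], "top_target": top}
    return findings


# Constructed sample: 198.51.100.7 is our NTP server, 198.51.100.5 our resolver,
# 203.0.113.9 the host whose address is being spoofed (the real victim), and
# 192.0.2.0/24 ordinary clients doing normal-sized exchanges.
SAMPLE_FLOWS = """
# requests
203.0.113.9:40001 -> 198.51.100.7:123 udp 1 60
203.0.113.9:40002 -> 198.51.100.7:123 udp 1 60
203.0.113.9:40003 -> 198.51.100.7:123 udp 1 60
203.0.113.9:40004 -> 198.51.100.7:123 udp 1 60
192.0.2.10:51000 -> 198.51.100.7:123 udp 1 76
192.0.2.11:51001 -> 198.51.100.5:53 udp 1 64
192.0.2.12:51002 -> 198.51.100.5:53 udp 1 64
192.0.2.13:51003 -> 198.51.100.5:53 udp 1 64
# replies
198.51.100.7:123 -> 203.0.113.9:40001 udp 100 44000
198.51.100.7:123 -> 203.0.113.9:40002 udp 100 44000
198.51.100.7:123 -> 203.0.113.9:40003 udp 100 44000
198.51.100.7:123 -> 203.0.113.9:40004 udp 100 44000
198.51.100.7:123 -> 192.0.2.10:51000 udp 1 76
198.51.100.5:53 -> 192.0.2.11:51001 udp 1 180
198.51.100.5:53 -> 192.0.2.12:51002 udp 1 180
198.51.100.5:53 -> 192.0.2.13:51003 udp 1 180
""".splitlines()

if __name__ == "__main__":
    for (ip, port), rep in find_amplifiers(SAMPLE_FLOWS).items():
        print(f"{ip}:{port} ({rep['service']}) amplification x{rep['ratio']} over "
              f"{rep['exchanges']} exchanges; most bytes sent to {rep['top_target']}")
```

On the sample the NTP server is flagged at roughly 557x while the resolver's ordinary lookups (under 3x) are not; lowering the threshold shows how quickly normal DNS traffic starts to trip a naive ratio check.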

Joakim Sundberg, security solutions architect at security appliance maker F5, commented:

The Spamhaus attack is a demonstration of the kind of DDoS attack I have been expecting for some time: DNS Reflection. DNS Reflection attacks will play a more prominent role in DDoS attacks in the future. The major driver for this kind of attack is the decreasing number of bots available for rent, with the authorities more effectively cracking down on major botnets. With a lower number of bots now available, hacktivists and other cyber criminals are finding new ways in which to amplify their attacks.

However there’s deep disagreement about to what extent, if any, the DNS reflection attack thrown against Spamhaus and CloudFlare affected the internet more generally.

CloudFlare’s take, The DDoS That Almost Broke the Internet, can be found in a blog post that states the attacks against it and Spamhaus eventually spilled over to knacker internet connections across Europe:

Over the last few days, as these attacks have increased, we’ve seen congestion across several major Tier 1s, primarily in Europe where most of the attacks were concentrated, that would have affected hundreds of millions of people even as they surfed sites unrelated to Spamhaus or CloudFlare. If the internet felt a bit more sluggish for you over the last few days in Europe, this may be part of the reason why.

Even the websites of large corporations or hosting providers would be swept away by an attack of this intensity, judging by CloudFlare’s rhetoric. However, this 300Gbps of traffic amounts to heavy congestion on a slip road that didn’t hold up the main flow of traffic across the interwebs.

We understand a massive dip in a graph of traffic flowing through the London Internet Exchange (LINX) on 23 March, a graphic included in CloudFlare’s blog post, is due to a data-plotting glitch and NOT due to the effects of the attack.

Spamhaus compiles lists of IP addresses of servers and other computers accused of distributing spam or promoted using junk mail. These blacklists are used by ISPs, businesses and spam-filtering firms to block the worst sources of unsolicited marketing mail before applying more computational intensive filtering techniques, such as analysing the actual content of messages.

Junk-mail distributors and the like regularly threaten, sue or DDoS Spamhaus. Some businesses also object to Spamhaus’s alleged vigilante approach to tackling spam.

Spamhaus’s blocklists are distributed via DNS and are widely mirrored in order to ensure the overall system is resilient to attacks. The blacklists were never affected and were even updated, with none of its core infrastructure going titsup, according to Spamhaus.

“Only the website and our email server were affected,” Steve Linford, chief executive for Spamhaus, told El Reg. “All Spamhaus DNSBL [DNS Block List] services continued to run unaffected throughout the attack. In fact Spamhaus DNSBLs have never once been down since we started them in 2001.”

Linford praised the support of engineers at CloudFlare and Amazon, which supplied load balancing of DNS services, for ensuring its service remained available during the packet carpet bombing. He claimed the attack caused Netflix to slow down and caused congestion elsewhere on the web.

However, internet traffic exchanges in both London and Amsterdam – two of the top three peering hubs in Europe, the arteries of the internet – played down the impact of the attack beyond CloudFlare and its customers.

Malcolm Hutty, head of public affairs at LINX, the London Internet Exchange, said: “Apart from CloudFlare we saw a minor amount of collateral congestion in a small portion of our network which may, or may not, have affected some members. This would have been accommodated through their normal procedures.”

Ordinary internet users would not have been affected because the DNS flood “only have affected CloudFlare and its customers”, he added.

CloudFlare uses Anycast technology which spreads the load of a distributed attack across all 23 of its data centres. Even so it was left reeling from the weight of the assault, which prompted it to suspend its peering in London.

Overblown reports that the internet slowed down or ground to a halt appear to be well wide of the mark. This is not to dismiss the significance of the attack, or take anything away from CloudFlare for helping Spamhaus to weather the storm. The simple fact is the attack amounted to nothing more severe than minor congestion, an assessment backed up by AMS-IX, the Amsterdam internet exchange, as well as its counterpart in London.

“We have not experienced any disruptions related to our platform,” a spokeswoman for AMS-IX told El Reg. “When we look at the amount of traffic some of our members and customers exchange we see some increases here and there, but they could easily manage it.”

The New York Times claimed that the attacks against Spamhaus appear to be tied to a dispute with CyberBunker, a website hosting provider in the Netherlands. CyberBunker is accused by Spamhaus of being the world’s most toxic haven of phishing and malware.

CyberBunker is quite open in running a bullet-proof anonymous hosting facility out of a Cold War bunker in the Netherlands where anything goes except child-abuse material and terror-related websites. “Customers are allowed to host any content they like, except child porn and anything related to terrorism,” its online policy states.

The hosting provider told El Reg it denies any involvement in spamming. It declined to respond directly to the accusation in the NYT article that CyberBunker was retaliating against Spamhaus for “abusing its influence” and using vigilante tactics in the fight against spam:

The only thing we would like to say is that we (including our clients) did not, and never have been, sent any spam. We have no further comment. Thank you.

Source: http://www.theregister.co.uk/2013/03/28/spamhaus_mega_ddos_little_collateral_damage/page2.html

Why Anti-DDoS Services Matter in Today’s Business Environment

Although the Internet has been around for a while, the boost in cloud computing has increased the utilization of WAN services. Any organization now using the Cloud or some type of Internet-based service must be aware of the security risks that come with the platform. The evolution of the modern data center – and the use of cloud computing – has created more targets for attackers to go after. The widespread availability of inexpensive attack tools enables anyone to carry out distributed denial of service (DDoS) attacks. This has profound implications for the threat landscape, risk profile, network architecture and security deployments of Internet operators and Internet-connected enterprises.

With the direct increase in cloud services, organizations are utilizing more Internet services and greater amounts of bandwidth. Because of this, attackers are increasing the size and number of their attacks on targeted organizations. According to a recent survey conducted by Arbor Networks, the size of volumetric DDoS attacks has steadily grown. The truly troubling piece, however, was the report in 2010 of a 100 Gbps attack. To put that in perspective, that is more than double the size of the largest attack in 2009. This staggering figure illustrates the resources hackers are capable of bringing to bear when attacking a network or service.

Image source: Arbor Networks — Worldwide Infrastructure Security Report, Volume VI

Although these attacks have become simpler to deploy, they have certainly evolved in complexity. The methods hackers use to carry out DDoS attacks have evolved from the traditional high bandwidth/volumetric attacks to more stealthy application-layer attacks, with a combination of both being used in some cases.

In dealing with DDoS-type attacks, administrators must understand the depth of the DDoS problem. Volumetric attacks are also getting larger, with a larger base of either malware-infected machines or volunteered hosts being used to launch them. Well-known groups, such as Anonymous, have brought a new type of DDoS attack into scope as well – hacktivism. As these attacks become more prevalent, IT administrators must have good visibility into the complex threat environment and the true need for a full-spectrum solution. Download this white paper to see how DDoS can affect a business and the true importance of a solid security infrastructure. In this paper, Frost & Sullivan outline the various points in creating an all-encompassing security solution. Key points include:

  • Integrity and Confidentiality vs. Availability
  • Protect Your Business from the DDoS Threat
  • Cloud-Based DDoS Protection
  • Perimeter-Based DDoS Protection
  • Out-of-the-Box Protection
  • Advanced DDoS Blocking
  • Botnet Threat Mitigation
  • Cloud Signaling

The increase in cloud computing will result in more DDoS attacks on organizations. Since more targets are being presented, attackers may have any number of reasons to target an IT environment. This white paper outlines the key points in understanding DDoS attacks and how to protect your environment strategically. By creating a solid security solution, administrators are able to secure their infrastructure at both the perimeter and the cloud level.

Source: http://www.datacenterknowledge.com/archives/2013/03/07/why-anti-ddos-products-and-services-are-critical-for-todays-business-environment/

Latest Distributed Denial of Service (DDoS) Attacks on banks: A teachable moment

The websites of major U.S. banks were attacked this week in an ongoing campaign that reflects the changing tactics used in distributed denial of service (DDoS) strikes, a security expert says.

The attackers, who call themselves the Izz ad-Din al-Qassam Cyber Fighters, launched attacks Tuesday against the websites of U.S. Bancorp, JPMorgan Chase & Co., Bank of America, PNC Financial Services Group and SunTrust Banks. The group, which has been targeting banks since September, warned of the latest assault on Pastebin the day before the attacks.

While the DDoS strikes failed to disrupt the banks’ online operations, they did provide some important lessons for enterprises faced with such a threat, said Dan Holden, director of security research at Arbor Networks, which performs DDoS mitigation for some of the targeted banks.

First off, the attacks showed that perimeter defenses such as firewalls and intrusion prevention systems can filter traffic for malware, but are useless against today’s complex DDoS attacks. Instead, corporations need on-premises technology that can provide up-to-the-minute information on an attack before it takes down a website or business application.

Security providers that offload DDoS traffic generated to overwhelm a website need to take another look at their capacity levels, Arbor said. The latest bank attacks show perpetrators are capable of targeting multiple organizations in the same industry, which can strain the capacity of mitigation service providers.

Another lesson concerns the changing tactics of attackers. DDoS no longer means simply flooding a site with traffic. Instead, attackers like the ones targeting the banks bombard sites to divert attention away from the application layer, so that they can probe it for vulnerabilities that are susceptible to a targeted attack.

“The big lesson learned on the enterprise side is the fact that application DoS can still take you out, even if the traffic is mitigated,” Holden said.

The focus on web applications has changed the profile of attackers. “While these [bank attacks] are not the most sophisticated attacks in the world, it’s obvious these guys are fluent in the web application side of things, as well as the DDoS side,” Holden said.

The application layer attacks were on HTTP, HTTPS and DNS, while the large-scale traffic was on a variety of Internet protocols, including TCP, UDP and ICMP, Arbor said. Login pages or any other page where data is submitted are favorite application targets on banking sites.
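The two points above, that volumetric traffic can mask application-layer probing and that login and other form-submission pages are the favourite application targets, suggest a simple defender-side check that still works after the flood has been scrubbed upstream: watch the POST rate per client to submission endpoints in the web server's own access log. The script below is an added example written for this page; it is not code from the article, from Arbor Networks or from any of the banks. The log lines are constructed, and the watch list of paths (`/login`, `/transfer`, `/account/update`), the 60-second window and the threshold of 20 are assumed values to be tuned for a real application.

```python
"""Flag application-layer DoS candidates from web access logs.

Added example, not from the article or Arbor Networks. Parses Common Log
Format lines and flags client IPs whose POST rate to data-submission paths
exceeds a threshold within a sliding time window.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed watch list of "data submission" paths; adjust to the real application.
SUBMISSION_PATHS = {"/login", "/transfer", "/account/update"}

# Common Log Format: ip ident user [timestamp] "METHOD path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None if the line is unparseable.

    The query string is stripped so /login?x=1 and /login count as one path.
    """
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FORMAT)
    path = m.group("path").split("?", 1)[0]
    return m.group("ip"), ts, m.group("method"), path, int(m.group("status"))


def flag_sources(lines, window=timedelta(seconds=60), threshold=20):
    """Return {ip: peak number of POSTs to SUBMISSION_PATHS inside any `window`}
    for every source whose peak exceeds `threshold`.

    A per-source sliding window over sorted timestamps gives the peak count
    without holding the whole log in memory for each candidate.
    """
    events = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable lines are skipped, not treated as errors
        ip, ts, method, path, _status = rec
        if method == "POST" and path in SUBMISSION_PATHS:
            events[ip].append(ts)

    flagged = {}
    for ip, stamps in events.items():
        stamps.sort()
        peak, start = 0, 0
        for end, ts in enumerate(stamps):
            # advance the window start until every stamp in [start, end] fits
            while ts - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            flagged[ip] = peak
    return flagged


def _sample_log():
    """Constructed sample: one ordinary client and one source hammering /login."""
    base = datetime(2012, 12, 13, 9, 0, 0, tzinfo=timezone.utc)

    def fmt(ip, t, method, path, status):
        return f'{ip} - - [{t.strftime(TS_FORMAT)}] "{method} {path} HTTP/1.1" {status} 512'

    lines = []
    # ordinary user: a few page views and two login submissions over five minutes
    for i in range(3):
        lines.append(fmt("198.51.100.7", base + timedelta(seconds=90 * i), "GET", "/", 200))
    lines.append(fmt("198.51.100.7", base + timedelta(seconds=20), "POST", "/login", 302))
    lines.append(fmt("198.51.100.7", base + timedelta(seconds=250), "POST", "/login", 200))
    # abusive source: one failed login POST per second for two minutes
    for i in range(120):
        lines.append(fmt("203.0.113.9", base + timedelta(seconds=i), "POST", "/login?x=1", 401))
    lines.append("garbage line that does not parse")
    return lines


SAMPLE_LOG = _sample_log()

if __name__ == "__main__":
    for ip, peak in flag_sources(SAMPLE_LOG).items():
        print(f"{ip}: {peak} submission POSTs within one 60s window")
```

On the constructed sample the ordinary client peaks at one POST per window and is ignored, while the abusive source peaks at 61 POSTs in a 60-second window (one per second, inclusive of both ends) and is flagged. In practice the flagged set feeds a rate limiter or a WAF rule rather than a print statement, and the threshold is set from the application's normal login rate, which is why the window and threshold are parameters.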

The Cyber Fighters launch their attacks from servers with PHP-based web applications that have been compromised, as well as WordPress sites using the out-of-date TimThumb plugin. Poorly maintained sites are easy targets for deploying attack tools.

With the exception of a few tweaks in the latest attacks, the tools used against the banks since September have been similar. The most prominent attack tool is one called Brobot, also called itsoknoproblembro, Arbor said. Two other tools used less often are KamiKaze and AMOS.

So far, none of the attacks have been catastrophic. Interruptions have been brief and intermittent at worst.

The perpetrators and their motive remain unclear. The group has claimed it is protesting YouTube video trailers denigrating the Prophet Muhammad. The crude trailers promoted an amateurish film called the “Innocence of Muslims,” and sparked violent protests in many Muslim countries.

The sophistication of the attacks indicates more than just a grassroots campaign. Theories on the motivation include Iran striking back for U.S.-led economic sanctions and cybercriminals trying to distract banks from noticing fraudulent wire transfers.

Source: http://www.csoonline.com/article/723936/latest-ddos-attacks-on-banks-a-teachable-moment