Monthly Archives: October 2017

Millions download botnet-building malware from Google Play

Researchers have discovered a new batch of malicious apps on Google Play, some of which have been downloaded and installed on some 2.6 million devices. The apps’ capabilities The apps posed as legitimate offerings that modify the look of the characters in Minecraft: Pocket Edition (PE). In the background, though, they set out to rope the devices into a botnet. Once they were installed on a target device, they would connect to a C&C server, … More ?

See the original post:
Millions download botnet-building malware from Google Play

DOSarrest releases new API

VANCOUVER, British Columbia, Oct. 18, 2017 (GLOBE NEWSWIRE) —  Internet Security announced today that they have released a new Application Programming Interface(API) for their latest generation of Internet Security Services Software, enabling NSPs, ISPs and Security as a Service companies to directly access any and all of DOSarrest’s cloud based Security Services. This allows any organization to integrate into their existing customer portals any of DOSarrest’s services which include DDoS protection, CDN, best of breed WAF, global load balancing as well as any future services on their aggressive roadmap. Some of the features of the API allow subscribers to auto provision, dynamically spin up/down instances and capacity as required and pick and choose whatever components they need from DOSarrest’s numerous DDoS and WAF elements. This is a new “restful” API, making integration as easy as it gets. Subscribers can also leverage DOSarrest’s Big data analytics engine to manipulate and display logging data as they see fit. Brian Mohammed Director of Sales and Marketing states, “We have had many enquiries from large telcos, especially in Europe, who like and want our service but need an API. We listened and here it is.” Mohammed adds, “This allows virtually anyone to use our services to ensure their customers’ websites are secure from any attack be it large volumetric or a small sophisticated layer 7 attack, all the while it looks like it’s their own service, on-demand.” Mark Teolis, CEO of DOSarrest explains, “We are also willing to build a custom portal for companies that don’t have an in house programming staff to use the new API; why not use our in house development group to help you make it?”  In addition, Teolis states, “Once you subscribe to the new API you will have access to all future services, and there are some good ones on the way.” About DOSarrest Internet Security: DOSarrest founded in 2007 in Vancouver, B.C., Canada is one of only a couple of companies worldwide to specialize in only cloud based DDoS protection services.  Additional Web security services offered are Cloud based W eb A pplication F irewall (WAF) , V ulnerability T esting and O ptimization (VTO) , DataCenter Defender – GRE as well as cloud based global load balancing . Source: https://globenewswire.com/news-release/2017/10/17/1148970/0/en/DOSarrest-releases-new-API.html

More:
DOSarrest releases new API

400 attacks per day: Behind Australia’s growing DDoS attack surface

There is no denying that the number of DDoS attacks has been increasing everywhere around the world, new variants of attacking tools and techniques have been made available to the attackers much faster than we have seen in the past. Based on the statistics we have collected for Australia, the number of DDoS attacks have been increased roughly 25% each year, and we believe that number could become around 30,000 attacks per month by end of 2020. The largest DDoS attack targeting Australia in 2017 is around 228 Gbps in June, although these kinds of multi-gigabit attacks always catch our attention, they don’t really happen very often. Almost 80% of the DDoS attacks seen in Australia are under 2 Gbps, but still could possibly overwhelm the bandwidth of the internet connection for a lot of enterprises. Another interesting observation is that the number of DDoS attacks between 10 to 50 Gbps has been steadily increasing from last year. Given the fact that the attackers are getting more weapons in their arsenal – for example, IoT and mobile devices, this means the size and frequency of the DDoS attacks will keep growing. When we look at the countries where most of the DDoS attacks were being sourced, we have observed that countries such as the US, China, Korea, UK and Germany are usually at the top of the list. As DDoS attacks are typically sourced from infected computer devices (notnets), countries with a high computer population may also have a high infected rate, particularly if pirated software is being used to a large extent in that country. In recent years, with the arrival of IoT botnets, such as Mirai, some Asian countries with a high deployment rate of IoT devices have also been seen as major sources of DDoS attacks. If we turn our focus from the source country to the destination country being attacked most often, we then find the countries which are on the top of the list of the attacking sources, are also high on the list for the receiving side. A possible reason could be that the high computer population and adoption rate in the country also means a lot of business is being conducted over the network, such as the financial sector, consumer sector, government and so on, giving the attackers more targets to aim for. Source: https://securitybrief.com.au/story/400-attacks-day-behind-australias-growing-ddos-attack-surface/

Taken from:
400 attacks per day: Behind Australia’s growing DDoS attack surface

What is cyber terrorism?

How is cyber terrorism defined and how likely is an attack? Everyone is familiar with what “terrorism” means, but when we stick the word “cyber” in front of it, things get a bit more nebulous. Whereas the effects of real-world terrorism are both obvious and destructive, those of cyber terrorism are often hidden to those who aren’t directly affected. Also, those effects are more likely to be disruptive than destructive, although this isn’t always the case. Cyber terrorism incidents One of the earliest examples of cyber terrorism is a 1996 attack on an ISP in Massachusetts. Cited by Edward Maggio of the New York Institute of Technology and the authors of Internet: A Historical Encyclopedia, Volume 2 , a hacker allegedly associated with the white supremacist movement in the US broke into his Massachusetts-based ISP after it prevented him from sending out a worldwide racist message under its name. The individual deleted some records and temporarily disabled the ISP’s services, leaving the threat “you have yet to see true electronic terrorism. This is a promise” While this is a clear example of a cyber-terrorist incident carried out by a malicious, politically motivated individual that caused both disruption and damage, other frequently listed examples fit less clearly into the category of “terrorism”. For example, while attacks that have taken out emergency services call centres or air-traffic control could be considered cyber terrorism, the motivation of the individuals is often unclear. If a person caused real-life disruption to these systems, but had no particular motivation other than mischief, would they be classed as a terrorist? Perhaps not. Similarly, cyber protests such as those that occurred in 1999 during the Kosovo against NATO’s bombing campaign in the country or website defacements and DDoS attacks are arguably online versions of traditional protests, rather than terrorism. Additionally, in the case of civil war, if one side commits a cyber attack against the other then it can be said to be more of an act of war – or cyber war – than one of cyber terror. Again, where there is a cold war between nations, associated cyber attacks could be thought of as sub-conflict level skirmishes. Indeed, the FBI defines cyber terrorism as “[any] premeditated, politically motivated attack against information, computer systems or computer programs, and data which results in violence against non-combatant targets by sub-national groups or clandestine agents”. Under this definition, very few of the tens-of-thousands of cyber attacks carried out every year would count as cyber terrorism. The future of cyber terrorism As the number of connected devices increases, the likelihood of a more destructive cyber terrorist incident – something on a par with an attack in the physical world – becomes increasingly possible. The security industry is full of stories and proofs of concept about hacking medical devices, with two particularly famous demonstrations being given by New Zealander Barnaby Jack. This opens up the possibility for targeted assassinations or mass-scale killings carried out remotely and potentially across borders. Similarly, there are concerns self-driving vehicles could be turned into remote-controlled missiles and used in an attack, although the counter argument is that such vehicles will make the roads safer in the face of terrorists driving conventional vehicles into crowds. Another possible style of cyber terrorism is disruption of infrastructure in a way that could potentially endanger life. For example, in 2016 an unknown actor caused a disruption that saw two apartment buildings in Finland lost hot water and heating for a week in the dead of winter. In locations as cold as Finland, actions like this could cause illness and death if widespread and sustained. Nevertheless, the likelihood is most serious cyber attacks will be acts of cyber warfare, rather than cyber terrorism, as nation states have larger and more sophisticated resources at hand. Source: http://www.itpro.co.uk/security/29726/what-is-cyber-terrorism

See the original post:
What is cyber terrorism?

More than half of businesses fell victim to DDoS attacks in the past year, survey shows

CDNeworks research shows 54% of businesses were hit by distributed denial of service attacks in the last year, and many feel they are underinvesting in cyber defences. More than half of businesses (54%) have been victims of successful distributed denial of service (DDoS) attacks over the past 12 months, according to research from cloud security firm CDNetworks. The company surveyed 305 organisations in the UK, Germany, Austria and Switzerland about the technologies that protect them from cyber attacks. Some 83% of the respondents felt either confident or very confident about their cyber defences, but 44% felt they were currently underinvesting in anti-DDoS technologies. Chris Townsley, Emea director for CDNetworks, told Computer Weekly that this mix of opinions was strange. “Not only is there widespread complacency – the overwhelming confidence in DDoS protection, undermined by the high proportion of businesses suffering successful attacks – but there is also a significant number of businesses that are worried that they have not invested enough,” he said. “It is odd to see so much confidence alongside such doubt about whether enough is being done.” The survey also found that 64% of organisations said they would be investing more in such technology over the next year, and in terms of expectation of an attack, 79% rated the likelihood of an attack as between “likely” and “almost certain”. This attitude is reflected in the frequency of incidents, with 86% saying they had suffered a DDoS attack in the previous 12 months. The size of attacks is also growing. In the first half of 2015, the largest DDoS attack recorded was 21Gbps, but during the equivalent period in 2016, it was 58.8Gbps. Also, 31% of attacks in the first half of 2016 were 50Gbps or more, but there were no attacks of that size in the first half of 2015. Townsley added: “As the size of attacks increases, businesses need to look more at protection from the edge and not at the origin or datacentre. “As the size of traffic increases, so does the likelihood that the bandwidth of the origin server will be saturated, no matter what protection is in place to keep it up and functioning. “Also, with the frequency of attacks increasing, businesses should move to a mindset of ‘when’ and not ‘if’ an attack will occur.” When asked whether the number of successful attacks was due to businesses buying the wrong security products, Townsley said: “It could be that the type of protection was not suitable, or was suitable for some types of attack but not all. As the types of attack are changing all the time, products can become obsolete.” Source: http://www.computerweekly.com/news/450428288/More-than-half-of-businesses-fell-victim-to-DDoS-attacks-in-the-past-year-survey-shows

Read the original post:
More than half of businesses fell victim to DDoS attacks in the past year, survey shows

Cybersecurity: into the data breach

Cybersecurity has become a significant issue as attacks are increasing. In the new payments ecosystem, where third-party developers can directly interact with banks’ customers, data privacy and security become paramount, according to the World Payments Report 2017 by Capgemini and BNP Paribas . A significant issue to address as the new payments ecosystem evolves is that of cybersecurity. During the past few years, cyberattacks and crimes have increased across the globe, with corporate and financial institution entities, large and small, targeted. The price of increasing collaboration among industry stakeholders in the new payments ecosystem could be an increase in cyber security vulnerabilities. To alleviate this risk, corporates are increasingly turning to their banks for advice on how to strengthen their infrastructures against cyber attacks. To ensure the highest levels of cybersecurity and the security of infrastructures in the new payments ecosystem, each stakeholder must assess security across all the data sources and points of collaboration. The need for robust cyber security solutions to cater to all forms of cyberthreats has never been greater for corporate treasurers as new technologies proliferate and collaboration increases. Of prime importance for corporates in developing defence mechanisms is awareness of potential cyber security risks, regular updating of security profiles and continuous training of employees. This is because attacks perpetrated by cybercriminals are unpredictable in both timing and nature. The vulnerabilities stakeholders face include cyber security, data privacy, data breaches, and payments fraud. The utmost vigilance is required to protect organisations against cyber attacks and all stakeholders, including regulators, must be more proactive regarding cybersecurity, with ownership of the issue taken to prevent attacks. In the new payments ecosystem, third-party developers can directly interact with a partner banks’ customers, raising questions about data privacy and security. In an increasingly networked ecosystem, identifying the source of attack will be a challenge. Verizon’s 2017 Data Breach Investigations Report found that security incidents and data breaches affect both large and small financial organisations almost equally. However, the security of larger banks is difficult to compromise as they invest more in cyber security solutions. Smaller banks, which do not have the same access to resources, are more prone to cyberattacks. A fraud survey by the Association for Financial Professionals and JP Morgan found that the highest levels of fraud in 2016 were perpetrated via cheques. However, there was a surge in wire transfer fraud, from 27 per cent in 2014 to 46 per cent in 2016. An increasing number of cyber security breaches are causing significant losses for banks and corporates across the world. Among recent incidents, in February 2016, a cyberheist at Bangladesh Central Bank resulted in a loss of $81 million and prevented another $850 million worth of transactions from being processed on the Swift network. Similarly, in May 2016 cybercriminals hacked the Swift system and stole $9 million from Ecuadorian bank Banco del Austro. In May 2017, the WannaCry ransomware attack affected more than 150 countries and 200,000 computers, as attackers demanded each of those affected to pay up to $300 worth of bitcoins to unlock their systems. In a survey for World Payments Report , bank executives ranked distributed denial of service (DDoS) attacks and customer payments fraud as the main security challenges they face. Also of concern were the high levels of card fraud, which place a significant cost burden on banks. The increasing adoption of digital offerings in transaction banking is also giving rise to higher levels of payments fraud, making cyber security a top priority for banks and corporates. Customer payments fraud is the top ranked concern for financial technology companies and other survey respondents. This group is much less likely to view DDoS attacks as a threat; data breaches due to hacking attacks was of more concern, as was internal fraud. While banks are investing significantly in cybersecurity solutions, there are still many risks at the corporate level that they cannot manage. Corporates must, therefore, step up their own efforts to manage cybersecurity risk and not leave it all to the banks. They should upgrade their internal systems, train their staff, and review their partners’ systems. The idea of a cyberattacker as a lone figure hacking into systems is now obsolete. Cyberattacks are perpetrated by entities that are set up like companies, with project managers, key performance indicators and operations. Attacks to compromise corporates and banks are designed to be multi-staged, with two main objectives: commercial gain and industry espionage. In general, the funds received via attacks go into the coffers of the organisation, while the intelligence gained during an attack will be used by perpetrators to gain a business advantage. Attacks can happen at any time, and over time, therefore all corporates should be vigilant and on constant guard against attacks. So serious are the growing cyberattack and data breach problems that regulators across the globe should move from their present reactive approach to a more proactive one. Stringent regulations and fines to strengthen cybersecurity laws are required from regulators. Many regulations related to this are, however, still in the inception stage. Europe has relatively the most mature cybersecurity and data privacy laws, with recent initiatives including the Electronic Identification and Trusted Service which was launched in 2016. Effective cybersecurity requires organisations to efficiently and quickly identify, mitigate and manage cyber risks and incidents. All stakeholders are taking measures to strengthen the security of transactions against potential cyber threats. Banks and other stakeholders have three options available to them: collaborating with financial technology companies, making investments in advanced technologies and monitoring tools, and strengthening internal governance to ensure seamless compliance. Collaboration with fintechs This is occurring in several areas including secure authentication and authorisation, account onboarding, identity verification and anti-money laundering. Examples include India’s Yes Bank and FortyTwoLabs’ development of multi-factor authentication tool PI-Control, which enables users to apply for internet banking access, pay bills, transfer funds, seek loans, make remittances and undertake other card transactions. Rabobank in the Netherlands is working with Signicat to provide digital identity solutions that can be easily integrated using API technology. As banks increasingly collaborate with fintechs and regtechs, due diligence, adherence to industry standards and participating in the development of new industry standards has become critical. Investment in advanced technologies and monitoring tools Blockchain technology is still in a nascent stage, with its potential as an enabler of digital identity and payment transaction security still being tested. Banks can leverage the technology to differentiate themselves in the provision of digital identity, authentication and know your customer services. Banks are investing in projects that combine advanced cryptography that supports private or permitted use of blockchain technology with transaction security elements that provider greater transaction visibility. To ensure the highest levels of cybersecurity and transaction security, all the ecosystem participants must assess security from multiple sources in the network. Common security standards and protocols when developing and investing in new technologies and monitoring tools will be increasingly important as collaboration increases. With a common network governing the interfaces between banks and third-party providers, various groups are developing network-based security standards to ensure a secure environment is built around the dynamic payments ecosystem. The ability to respond to cyber threats or attacks in real-time is hampered by legacy security systems. Traditional security monitoring typically identified and reacted to cyber threats in isolation. A modern approach identifies specific unusual patterns or behaviour and alerts operational teams to anomalous activity. Advanced machine learning algorithms are the logical next step as response mechanisms in the event of a threat. Artificial intelligence (AI) systems are being piloted globally, yet legal issues regarding accountability for the actions of such systems persist. Contextualisation of threats (linking the threat to the business and not just to technology) is needed to identify the source and understand the objective behind any attack. Another useful approach is risk-based authentication (RBA) to detect the risk profile of transaction banks and retailers. Using RBA and analytics processes, banks can create a threat matrix of fraud profiles to triangulate the threat instances to their origin and be able to proactively block fraudulent traffic. Behavioural analytics, AI, machine learning and threat matrix can help to continuously monitor the ecosystem network and provide threat intelligence. Banks can undertake various activities such as continuously checking all systems for possible threats, observing markets, scenario simulation, examination of previous attacks, monitoring activities and applications, and establishing a payments control centre to permanently monitor payments and identify exceptional situations. Robust internal governance A robust governance model and standards are imperative for seamless functioning of the new payments ecosystem. Banks and treasurers need to interact with central authorities and regulators to share feedback, which in turn will help to improve compliance. Banks and treasurers are increasingly collaborating with regtechs to ensure compliance. Industry stakeholders must establish common data, technical, legal, functional, and security standards for robust governance. Firms will be well served if they can ensure that security systems have multiple layers to withstand ‘flood’ attacks. To ensure a foolproof system, firms should identify the data needs of all stakeholders before finalising the controls to put in place. With the onset of General Data Protection Regulation (GDPR) and revised Payment Services Directive (PSD2) in the EU, the focus on compliance with data privacy and security has increased. Firms must install a dedicated team to continuously review and update security policies. Additionally, stakeholders should work with the local regulatory authorities to understand the complexity of different regional legal requirements and expectations for each country. Firms must ensure mandatory data privacy and security training is conducted at regular intervals. Educating employees on potential threats and ensuring they keep their systems updated would have prevented, or greatly reduced the impact of, events such as the WannaCry ransomware attack. Source: http://www.bankingtech.com/1019032/cybersecurity-into-the-data-breach/

View article:
Cybersecurity: into the data breach

Dark Web Marketplaces Go Down In Reported Mass DDoS Attack

There seems to be some turbulence going on in the murky world of the dark web, with four of its major drug marketplaces unexpectedly going offline, reports said. The dark web is a section of the internet where people contact each other anonymously without the fear of being monitored. It is usually used by criminals to sell drugs, chemicals, weapons, child abuse images and even offer assassination services. Websites The Trade Route, Tochka, Wall Street Market and Dream Market, were down without any notification or clarification from the sites’ administrators. According to some users of such markets, this might either be a DDoS attack by a hacker or a large scale action by law enforcement authorities.                     However, there are more chances of the former happening than the latter. Some dark web users have also started complaining of botnet attacks.           Another farfetched theory is that this is scam by a bunch of drug dealers — taking off with the money of their clients while not providing them with the required merchandize. With no notification or clarification from the sites’ administrators, the exact reason for the sudden disappearance of such marketplaces remains unclear. However, a user going by the name Automoderator commented on a the subreddit /r/DarkNetMarketNoobs that the WallStreetMarket is not listed currently, as it is facing “very serious issues” and warned others to avoid it all costs. Some other users on the subreddit say that the Dream Market has been working fine on all its mirrors, but, however its main site is down. At the time of writing, the marketplaces were still down, according to dark web marketplace tracker deepdotweb. Many sites on the dark web are also run by law enforcement — the Australian Police ran one of the world’s biggest child porn sites on the dark web between October 2016 and September 2017, called Child’s Play, in an effort to nab pedophiles. The police grabbed the administrator access from two cyber criminals — Benjamin Faulkner and Patrick Falte and started administering the sites. Police even posted more child porn on the site in an effort to convince the viewers that the site had not been taken over by the authorities. By the time they shut down the site, police were able to nab more than 90 pedophiles in Australia and 900 across the world. In case, the marketplaces were being taken over by law enforcement to nab drug traffickers and child porn purveyors, it might be a different case. However the development has many dark web users in a state of paranoia and many users have posted on Reddit reminding other users of such busts. Such attacks on dark web markets in the past have usually begun with large-scale DDoS attacks. In July, a massive trans-continental sting saw two of the dark web’s biggest sites at the time, AlphaBay and Hansa, being taken down. Law enforcement agencies claimed they were able to collect incriminating information on hundreds of buyers and vendors, going as far as threatening to prosecute them. Source: http://www.ibtimes.com/dark-web-marketplaces-go-down-reported-mass-ddos-attack-2601105

See the original article here:
Dark Web Marketplaces Go Down In Reported Mass DDoS Attack

Despite increased spend, why doesn’t DDoS mitigation always work?

Newly published research suggests that while there has been a marked increase in spending to mitigate against Distributed Denial of Service (DDoS) attacks, organisations are still falling victim. Newly published research suggests that while there has been a marked increase in spending to mitigate against Distributed Denial of Service (DDoS) attacks, organisations are still falling victim. The ‘DDoS 2017 Report: Dangerous Overconfidence’, published today by CDNetworks, reveals that spending on DDoS mitigation in the UK has increased over the last year. Indeed, it says that the average annual spend is now £24,200 and 20 percent of businesses are investing more than £40,000 per year. While 83 percent of businesses were confident of their resilience against the business continuity threat, despite the greater investment more than half (54 percent) still ended up victims of a successful DDoS attack during the last 12 months that took their website, network or online app down. According to Kaspersky Lab’s Global IT Security Risks Survey 2017, some 33 percent of organisations have experienced an attack this year, twice the number in 2016. While 20 percent were small businesses, 41 percent were enterprises. Then there’s the Neustar Global DDoS Attacks and Cyber Security Insights report which revealed 92 percent of those attacked reported theft of intellectual property, customer data or financial assets; and 36 percent saw malware activation happening during the DDoS attack. Research by the Imperva Incapsula security team suggests that attack patterns are changing, with high packet rate attacks becoming the norm. An A10 Networks report confirms this to be the case, suggesting that attacks greater than 50Gbps have quadrupled over the past two years and companies experiencing between 6-25 attacks per year also quadrupling in that timeframe. Given the growing threat, and you only have to look at some of the recent victims such as The National Lottery and Blizzard Entertainment  for example, to realise that DDoS mitigation isn’t always working. SC Media UK put the ‘why does DDoS mitigation fail’ question to several vendors providing this type of service. But first, we spoke to Alex Nam, managing director of CDNetworks (US & EMEA) who told us there are various reasons including that some forms of DDoS mitigation don’t protect against all forms of attack. “A layer 7 DDoS attack, which impacts applications and the end-user,” Nam explained, “can only be protected against using web application firewall technology for example.” So not understanding the different types of attack, or the types of technology that can be protected, is a reason why DDoS mitigation often fails according to Nam. Rich Groves, the A10 director of research and development, thinks that the question would be better phrased as ‘what causes DDoS solutions to fail in certain instances?’ as he insists “otherwise it implies DDoS solutions are failing across the board, which isn’t the case.” Kirill Kasavchenko, principal security technologist (EMEA) at Arbor Network, also thinks that there is an important distinction to be made between whether DDoS mitigation fails or the approach to it does. “As the headlines became more dramatic, more vendors have rushed to claim they have a solution for the DDoS problem,” Kasavchenko explains, “this has caused much confusion in the market.” So, for example, elements of a layered security strategy such as IPS devices and firewalls address network integrity and confidentiality but not availability. They are stateful, inline, solutions that not only “are vulnerable to DDoS attacks” but “often become the targets themselves.” Indeed, Arbor’s annual security report shows 40 percent of respondents seeing firewalls fail as a direct result of a DDoS attack. Meanwhile, Ben Herzberg, security research group manager at Imperva, told SC Media that attackers are “changing tactics rapidly specifically to defeat anti-DDoS solutions, such as hit-and-run and pulse wave attacks” which should come as no great surprise to anyone. James Willett, SVP of products at Neustar, explained that attackers “routinely scout and reconnoitre their targets launching throttled attacks to identify defence response, defence tactics, and defence capacity.” Once known, the proper types and sizes of attacks can be readily crafted to overwhelm unsuspecting organisations that lack effective cloud-based mitigation depth. So what should enterprises be doing to ensure that spending on DDoS mitigation is invested wisely? “If they haven’t already, they should consider a cloud-based DDoS mitigation service that automatically routes traffic through the service and only delivers clean traffic,” Ben Herzberg insists, adding “these services are supported by dedicated security staff that track attack patterns on a daily basis and can quickly react to changing attack patterns.” James Willett suggests they need to understand that not all clouds are managed the same. “Organisations can ensure proper investments that reduce impact and minimise disruption risk,” he told SC, “by pressing security providers on their management of good and bad traffic.” Rich Groves agrees that the focus “should be on vendor performance and solution effectiveness rather than on any particular feature set.” The highest-performing DDoS detection and mitigation available to them at the best price range to identify attack traffic and eliminate it, in other words. But perhaps Kasavchenko has the most straightforward advice of all: “The number one thing to do is work with a DDoS mitigation vendor. Vendors who treat DDoS as an add-on are likely to have very limited capabilities…” Source: https://www.scmagazineuk.com/despite-increased-spend-why-doesnt-ddos-mitigation-always-work/article/699729/

Read More:
Despite increased spend, why doesn’t DDoS mitigation always work?

DDoS Attacks Cause Train Delays Across Sweden

DDoS attacks on two separate days have brought down several IT systems employed by Sweden’s transport agencies, causing train delays in some cases. The incidents took place early in the mornings of Wednesday and Thursday, October 11 and 12, this week. The first attack hit the Sweden Transport Administration (Trafikverket) on Wednesday. According to local press, the attack brought down the IT system that manages train orders. The agency had to stop or delay trains for the time of the attack. Trafikverket’s email system and website also went down, exacerbating the issue and preventing travelers from making reservations or getting updates on the delays. The agency used Facebook to manage the crisis and keep travelers informed. Road traffic maps were also affected, an issue that lingers even today, at the time of publishing, according to the agency’s website. Three Swedish transportation agencies targeted Speaking to local media, Trafikverket officials said the attack was cleverly aimed at TDC and DGC, the agency’s two service providers, but they were both aimed in such a way to affect the agency’s services. Trafikverket was able to restore service in a few hours, but the delays affected the entire day’s train operations. While initially, some might have thought this was a random incident, the next day, a similar DDoS attack hit the website of another government agency, the Sweden Transport Agency (Transportstyrelsen), and public transport operator Västtrafik, who provides train, bus, ferry, and tram transport for parts of Western Sweden. Cyber-warfare implications In perspective, both incidents give the impression of someone probing various parts of Sweden’s transportation system to see how the country would react in the face of a cyber-attack and downtime. The DDoS attacks come a week after a report that Russia was testing cyber-weapons in the Baltic Sea region. In April 2016, Swedish officials blamed Russia for carrying out cyber-attacks on the country’s air traffic control infrastructure that grounded flights for a day in November 2015. Source: https://www.bleepingcomputer.com/news/security/ddos-attacks-cause-train-delays-across-sweden/

Read More:
DDoS Attacks Cause Train Delays Across Sweden

Nginx with Stream Module Dynamic Upstream CNAME

In the age on scalable web applications , many organizations turn to cloud-based server hosting to dynamically add additional servers during peak usage, or attain redundancy by having multiple geographic web -server locations. One of the methods used for this is DNS CNAME resolution. Using this option with various cloud hosting providers that support it can allow the following: 1) Load Balancing. The CNAME DNS record can be configured to respond to requests with more then one IP Address, allowing load balancing of multiple origin servers, dynamically scaled by the cloud hosting providers DNS service. 2) Global Server Load Balancing. The cloud hosting DNS can provide different record results in different geographic areas of the world. This can be achieved based on Geo-Location or other methods. 3) Fail-over redundancy. Since the CNAME record is controlled by the cloud provider, upon failure of one data center, all records pointing to a geographic location which has failed can be automatically switched to the remaining data-center. Is there a way Nginx can perform Dynamic DNS resolution, for CNAME or other records used as Upstreams/Origins? Reverse proxies have been a core component of our service since 2007, to say we are experienced in this area is an understatement. Which is why when a customer of ours was having trouble configuring their open-source Nginx to use cnames for their load balancing configuration, they came to us to see if we had any advice or ideas (one of the many benefits being part of a fully managed DDoS mitigation service). The challenge the customer was facing, and which some of you Nginx administrators may be aware of, is that the open-source version of Nginx does not have a built in dynamic DNS resolver. Essentially it will only resolve domains initially on web-server “start”, and “reload”, but will not update the record if a DNS record changes during running operation. After doing some research on various forums and testing in our labs, we identified that in order to use open-source Nginx to dynamically resolve domains, one would have set the domain in a variable, which would then cause Nginx to resolve the domain in the variable dynamically, and according to Nginx’s DNS Cache/TTL . The variable is then used in the “proxy_pass” directive to send the visitor to the correct origin without requiring a reload to be kept up to date. **There is a problem with using the above workaround for Nginx’s “Stream” module; The “Set” directive does not exist. If you attempt to perform the same method on a TCP Pass-through using Nginx Stream, you will find that since the ‘set $variable “value”; ‘ method is not available within Nginx Stream. The previous method cannot be used. Is there a way to perform dynamic DNS resolution within open-source Nginx’s stream module, or is a 3rd party module that could be used? Although there is a “stream-lua-nginx” module by Openresty team being developed that could be used for such a purpose, we are not aware of any free 3rd party Dynamic DNS resolution modules that work with Stream. There is however a way to use essentially the same method as used with the Nginx HTTP Proxy, by using the Nginx Stream Map directive. Above is the relevant configuration file snippet. **This configuration snippet requires that you have a base nginx.conf configuration already setup. Included in the example are the portions of the configuration that should be present within the Nginx “stream” directive. ***Please keep in mind the following facts: 1) Fail-over / Load Balancing behavior works differently then standard Nginx upstreams. Instead of using Nginx upstream load balancing or Passive health-checks, Load Balancing and Redundancy should be handled by the CNAME DNS service itself; Nginx “Upstream” directives are not used in this case, so there is no way to mark a server as down. Since there is more then one worker process in any deployed configuration, Round Robin DNS , where a Nameserver lookup returns more then one resulting record can be used to perform load balancing. 2) Each Nginx “Worker” will perform DNS lookups for requests handled by that worker. This means that if you have 20 worker processes , all 20 will be performing DNS lookups and caching the results , holding the results in memory for the DNS Cache/TTL configured using the Nginx “resolver” directive. You may want to use a local DNS server or caching resolver in order to lower the number of DNS queries made. Scott Girbav DOSarrest Internet Security Senior Network Security Engineer Source: https://www.dosarrest.com/ddos-blog/nginx-with-stream-module-dynamic-upstream-cname/

See the article here:
Nginx with Stream Module Dynamic Upstream CNAME