Application layer DDoS attacks rising

Application layer distributed denial of service (DDoS) attacks are on the rise, and organizations must protect themselves from this uptick in application layer attacks and from the overall scourge of multi-vector DDoS attacks. The size, scope and sophistication of distributed denial of service (DDoS) attacks continue to grow at an alarming rate – some recent DDoS attacks have exceeded 1 Tbps, making them the largest on record – but it’s not just the large-scale attacks that can threaten your applications and your business. Despite the perceived spike in DDoS attack size, the average DDoS attack peaked at 14.1 Gbps in 2017’s first quarter, according to Verisign’s DDoS Trends Report (Note: Verisign is an A10 Networks Security Alliance Partner). While that average attack size seems minuscule in comparison to the colossal, record-breaking attacks of late last year, DDoS attacks that target the application layer tend to be smaller and can go unnoticed until it’s too late. These types of attacks are often referred to as “slow-rate” or “low and slow” attacks, meaning they target applications in a way that they look like actual requests from users until they become overburdened and can no longer respond. Application layer attacks, or layer 7 attacks as they’re often called, are typically part of a multi-vector DDoS attack target not only applications, but also the network and bandwidth. The Verisign report estimates that 57 percent of DDoS attacks in Q1 2017 were multi-vector as opposed to single vector attacks. The most common types of application layer DDoS attacks include those targeting DNS services, HTTP and HTTPS. And like other types of DDoS attacks, they have one goal: to take out an application, a website or an online service. According to Imperva’s Q1 2017 Global DDoS Threat Landscape Report, application layer attacks are on the rise. The report found that application layer DDoS attacks reached an all-time high of 1,099 attacks per week in the second quarter of 2017, a rise of 23 percent over the previous quarter’s 892. One reason for the uptick in application layer attacks is the Mirai malware. According to Threat Post, a new variant of Mirai is being used to launch application layer attacks. While Mirai originally carried out Layer 2 and 3 DDoS attacks, some of the more recent Mirai-fueled DDoS attacks, including a 54-hour assault against a U.S. college, are aimed squarely at Layer 7. “Looking at the bigger picture, this variant of Mirai might be a symptom of the increased application layer DDoS attack activity we saw in the second half of 2016,” Imperva’s Dima Bekerman wrote. “That said, with over 90 percent of all application layer assaults lasting under six hours, an attack of this duration stands in a league of its own.” Application layer DDoS attacks becoming shorter in duration – the 54-hour onslaught against the college being an exception to that rule – but are growing in frequency, complexity and persistence. That means attackers target a web server, or an application server, and flood it with just enough traffic to knock it offline. In the case of a web server, it’s sending hundreds to thousands of HTTP requests per second that the server just can’t handle – and BOOM! – the site or service is gone. Because of this, application layer attacks are less expensive for threat actors to carry out and are perceived as harder for security solutions to detect than attacks aimed at the network layer. So how do you protect your applications from this uptick in application layer attacks and from the overall scourge of multi-vector DDoS attacks? Businesses require a high-performance, surgical multi-vector DDoS protection. It’s imperative that a DDoS solution not only detects, but also mitigates attacks large and small – from megabit to terabit in size – including application, volumetric, protocol, resource and IoT-based attacks. A DDoS defense solution should also be able to be deployed in proactive and reactive mode, depending on a business’s preference, to ensure appropriate protection. The right DDoS defense solution not only protects your application layer from attacks, but also your network layer and other vectors, ultimately helping your organization avoid falling victim to a damaging DDoS attack. Source: https://www.csoonline.com/article/3222824/network-security/application-layer-ddos-attacks-rising.html

Read the article:
Application layer DDoS attacks rising

Machine Learning in the DOSarrest Operations

Machine Learning can appear in many different forms and guises, but a general definition of Machine Learning usually incorporates something about computers learning without explicit programming and being able to automatically adapt. And while Machine Learning has been around for decades as a concept, it’s become more of a reality as computational power continues to increase, and the proliferation of Big Data platforms making it easier to capture floods of data. These developments have made ML practical and garnered a lot of interest, as evidenced by the large number of articles in the last two years surrounding AI and machine Learning However despite all this, the adoption of this Machine Learning is still relatively low amongst companies in the tech landscape (Gartner estimating that fewer than 15 percent of enterprises successfully get machine learning into production). And even when you hear about Company X adopting a machine learning strategy, it’s often conflated with another strategy or service within that company, and not truly realizing the automated ‘adaptiveness’ inherent within ML. Those companies that do realize a proper machine learning strategy, understanding and grooming their data as well as identifying the appropriate model/s can see real benefits to their operations, which is why DOSarrest has been developing such a strategy over the last year. Here at DOSarrest, we’ve been focusing on building an Anomaly Detection engine, focusing on the constantly evolving sophisticated application layer attacks. We collect huge amounts of data from disparate sources (e.g. Customized web logs, snmp and flow data, IDS logs, etc.), even when customers are not under attack. This provides an opportunity to identify baselines even in a multi tenant environment. As you would expect, there is a high degree of cardinality within some of the data fields, which can be challenging to work with when working with data in motion, but can have great benefits. With these huge structured data sets, we are able to identify KPI’s (Key Performance Indicators) and statistics that can be leveraged by the engine to identify anomalous behavior and brought to the attention of the Security Ops team, who are then able to investigate and act on the identified pattern. The engine continues to refine the probability of a metric, becoming more accurate over time in determining the severity of an anomaly. The strategy holds great promise, and further developments and refinements to this model will continue to evolve the best Security Operations Center in the business. A more detailed view of an anomaly – this shows a single IP requesting more than 60 times more frequently than a normal visitor. This screen gives an overview of any anomalies, organized by relevant factors. In this case the remote IP address of the requestor. Jag Bains CTO, DOSarrest Internet Security Source: https://www.dosarrest.com/ddos-blog/machine-learning-in-the-dosarrest-operations

Read the article:
Machine Learning in the DOSarrest Operations

What is Machine Learning?

Machine Learning can appear in many different forms and guises, but a general definition of Machine Learning usually incorporates something about computers learning without explicit programming and being able to automatically adapt. And while Machine Learning has been around for decades as a concept, it’s become more of a reality as computational power continues to increase, and the proliferation of Big Data platforms making it easier to capture floods of data. These developments have made ML practical and garnered a lot of interest, as evidenced by the large number of articles in the last two years surrounding AI and machine Learning However despite all this, the adoption of this Machine Learning is still relatively low amongst companies in the tech landscape (Gartner estimating that fewer than 15 percent of enterprises successfully get machine learning into production). And even when you hear about Company X adopting a machine learning strategy, it’s often conflated with another strategy or service within that company, and not truly realizing the automated ‘adaptiveness’ inherent within ML. Those companies that do realize a proper machine learning strategy, understanding and grooming their data as well as identifying the appropriate model/s can see real benefits to their operations, which is why DOSarrest has been developing such a strategy over the last year. Here at DOSarrest, we’ve been focusing on building an Anomaly Detection engine, focusing on the constantly evolving sophisticated application layer attacks. We collect huge amounts of data from disparate sources (e.g. Customized web logs, snmp and flow data, IDS logs, etc.), even when customers are not under attack. This provides an opportunity to identify baselines even in a multi tenant environment. As you would expect, there is a high degree of cardinality within some of the data fields, which can be challenging to work with when working with data in motion, but can have great benefits. With these huge structured data sets, we are able to identify KPI’s (Key Performance Indicators) and statistics that can be leveraged by the engine to identify anomalous behavior and brought to the attention of the Security Ops team, who are then able to investigate and act on the identified pattern. The engine continues to refine the probability of a metric, becoming more accurate over time in determining the severity of an anomaly. The strategy holds great promise, and further developments and refinements to this model will continue to evolve the best Security Operations Center in the business. A more detailed view of an anomaly – this shows a single IP requesting more than 60 times more frequently than a normal visitor. This screen gives an overview of any anomalies, organized by relevant factors. In this case the remote IP address of the requestor. Jag Bains CTO, DOSarrest Internet Security Source: https://www.dosarrest.com/ddos-blog/machine-learning-in-the-dosarrest-operations

Read More:
What is Machine Learning?

Bigger Online Super Series Cancelled due to DDoS Attacks

The Winning Poker Network has cancelled the third leg of its OSS Cub3d series – the Bigger Online Super Series – due to the threat of further DDoS attacks. The Winning Poker Network´s Bigger Online Super Series (BOSS) was scheduled to be a superb finale to a hugely successful three-tiered OSS Cub3d tournament series. The series had started incredibly well, with events in the Mini Online Super Series beating their guarantees by an average of 67% and the “meat in the sandwich” – the Online Super Series – performing much better than had been expected . However, towards the end of last week, a series of DDoS attacks disrupted the series. Connection issues resulted in the cancellation of tournaments – not only the feature events in the Online Super Series, but also many qualifying satellites for the Million Dollar Sunday. Fortunately, the Million Dollar Sunday event was able to go ahead but, due to fears of further disruption, the Winning Poker Network has decided to cancel the remaining events in the OSS Cub3d schedule. New OSS Cub3d Series Scheduled for Later this Month Announcing the cancellation of the Bigger Online Super Series via the Americas Cardroom Twitch stream, the Winning Poker Network´s CEO – Phil Nagy – explained that the measures needed to be put in place to mitigate the threat of further DDoS would not be completed by Wednesday (the start date for the Bigger Online Super Series). He said rather than risk further frustration and disappointment , he was cancelling the series and rescheduling it for later in the month. Rather than just run the seventeen events cancelled from this week, the Winning Poker Network´s CEO announced a whole new OSS Cub3d series that will run from September 24th to October 22nd and feature two Million Dollar Sunday events – one with a half-price buy-in of just $265.00. Nagy said he would also honour the current finishing positions in the OSS Cub3d leaderboard promotion and give Punta Cana Poker Classic packages to the players occupying the top three positions. New Software and Updated Servers will Help Mitigate DDoS Threat Nagy is confident the rescheduled OSS Cub3d series will be able to go ahead without players suffering the disconnection issues that disrupted last weekend´s events. Within two weeks, new software will be released on updated servers that should be able to withstand DDoS attacks . The long-awaited WPN V2 poker client should also provide players with a more enjoyable online poker experience as many of the bugs that exist with the current version of the software have reportedly been fixed. Nagy also announced the Americas Cardroom mobile app is due to be released next week. First put into development in January, and expected to take between nine and twelve weeks, the app will support games of Jackpot Poker and Sit & Go 2.0 . It is not known whether the app will be available for all skins on the Winning Poker Network so, players wanting to play these games on the go may have to create an account with Americas Cardroom in order to access them. Bad Pelican Takes Million Dollar Sunday for $269,800 The fact that the Million Dollar Sunday event was able to go ahead last weekend was good news for “Bad Pelican”. The infrequent visitor to the Winning Poker Network topped a field of 2,698 to collect the $269,800 first prize after fourteen hours of play . The massive field ensured the million dollar guarantee was met and, in total, 405 players cashed in the event. The volume of players on the Winning Poker Network also ensured guarantee-busting prize pools for most of the weekend´s tournaments. Hopefully the next OSS Cub3d series should go without a hitch. As sites on the Winning Poker Network continue to add new features and player benefits, there will be huge expectations for the next OSS Cub3d series , and it will be a huge disappointment – not least for CEO Phil Nagy – if any of the tournaments have to be cancelled due to DDoS attacks or other connection issues. Source: http://www.pokernewsreport.com/bigger-online-super-series-cancelled-due-to-ddos-attacks-21870

Link:
Bigger Online Super Series Cancelled due to DDoS Attacks

#CLOUDSEC2017: DDoS: Large Attacks Shake the Internet but Modest Attacks Cause More Business Damage

Speaking at CLOUDSEC 2017 today Ashley Stephenson, CEO of Corero, explored innovation in DDoS mitigation and ways to defeat the modern day DDoS attack. Stephenson said that whilst, in the last five years, there have been various large-scale DDoS attacks that have made national or even global headline news, these are not good examples of the types of attacks that companies are suffering from day-to-day. Instead, he explained that it is the frequent, modestly sized, short duration modern DDoS attacks that are the real problem as they actually cause organizations the most damage regularly, and it’s those types of attacks that businesses should be focusing on. “The headline-grabbing attacks aren’t always the ones that you really have to worry about with regards to improving your security posture for your business,” Stephenson argued. “Those high-profile attacks are really just the tip of the iceberg. There is much more activity that ends up in real terms doing more harm to businesses below the waterline. If you’re not doing something today to protect your business against these types of threats, then you are exposed.” The reality is, he added, protecting against the everyday types of attacks is something you can do a lot about and you can inform yourselves much more clearly about the consequences and the types of vectors being used through the use of good technology products that are aimed at DDoS specifically. “The very large, internet-overpowering events that occur might make the internet itself creak in certain geographies or services, but there’s very little you can do as an individual corporation to deal with those issues,” Stephenson concluded. Source: https://www.infosecurity-magazine.com/news/cloudsec2017-ddos-large-attacks/

See the original post:
#CLOUDSEC2017: DDoS: Large Attacks Shake the Internet but Modest Attacks Cause More Business Damage

America’s Cardroom, WPN Hit by DDoS Attack Again

It had been a while, but America’s Cardroom seemed due for another cyber attack. Yup, leading into the Labor Day weekend, ACR and its network, the Winning Poker Network, were hit with a Distributed Denial of Service (DDoS) attack, something that is unfortunately not a unique event for either the online poker room or the network. The attack began Thursday evening, affecting, among many other games, ACR’s Online Super Series (OSS) Cub3d. Problems continued all the way through Saturday. America’s Cardroom initially tweeted about the issues at about quarter after eight Thursday night, writing, “We are currently experiencing a DDOS attack, all running tournaments have been paused. Will keep you updated.” A half hour later, ACR announced that it was cancelling all tournaments in progress and providing refunds per the site’s terms and conditions. At about 9:00pm, the site was back up, but the DDoS attacks continued, causing poker client interruptions less than two and a half hours later. Problems continued well into Friday morning until ACR and WPN finally got things under control (temporarily) close to noon. The pattern continued that evening, with games going down after 6:00pm Friday and then resuming, and going down again after 7:00pm. Finally, around noon Saturday, ACR’s techs seemed to get a handle on things “for good.” In a Distributed Denial of Service attack, the attacker (or attackers) floods a server with millions of communications requests at once. It’s not a virus or a hack or anything malicious like that, but the communications overwhelm the server and grind it to a halt. Think of it like the traffic jam to end all traffic jams. It wouldn’t be THAT big of a deal if the attack was coming from one source, but since it is “distributed,” the attacker arranges it so that it originates from literally millions of IP addresses. It makes defending one’s network insanely difficult. To use another brilliant illustration, if you are trapped in a house and a zombie horde is coming for your juicy brains, it’s scary and awful, but if all the zombies decide to come in through the front door, you can probably handle it if properly equipped. If they surround you and just crash in through every door, window, and mouse hole like in Night of the Living Dead, might as well develop a taste for human flesh because you’re screwed. As with other DDoS attacks, the network was contacted by the aggressor, who demanded a ransom of some sort. WPN CEO Phil Nagy went on Twitch and said he refused to cave to any demands. He even posted a brief series of messages from the attacker, who said he was doing it on behalf of a competing poker room (all spelling mistakes what-not his): this is my job anouther site give me money for doos you and i ddos you this is my job Nagy said that he hoped that by at least making it public that it may be another site responsible for the DDoS attack that it will make someone nervous that they could get caught and the attacks will subside. WPN first experienced a major DDoS attack in December 2014, during its Million Dollar Sunday tournament, when it caused disconnections, lag, and registration problems. It happened again in September 2015 and again in October 2015. The network will be re-running many of the tournaments, including the OSS and MOSS, and will cut the buy-in of the million dollar guaranteed OSS tourney in half as well as add an extra Sunday Million. Source: https://www.pokernewsdaily.com/americas-cardroom-wpn-hit-ddos-attack-30342/

Read More:
America’s Cardroom, WPN Hit by DDoS Attack Again

Week in review: Cyber threat hunting, Android DDoS botnet, drone bug bounty

Here’s an overview of some of last week’s most interesting news, podcasts and articles: New, custom ransomware delivered to orgs via extremely targeted emails Ransomware campaigns are usually wide-flung affairs: the attackers send out as many malicious emails as possible and hope to hit a substantial number of targets. But more targeted campaigns are also becoming a trend. Getting a start on cyber threat hunting We live in a world where the adversaries will persist … More ?

View article:
Week in review: Cyber threat hunting, Android DDoS botnet, drone bug bounty

Whitepaper: Understanding pulse wave DDoS attacks

Pulse wave DDoS is a new attack tactic, designed to double the botnet’s output and exploit soft spots in “appliance first cloud second” hybrid mitigation solutions. Comprised of a series of short-lived bursts occurring in clockwork-like succession, pulse wave assaults accounted for some of the most ferocious DDoS attacks we ever mitigated. Reading this whitepaper will help you: Understand the nature of pulse wave DDoS attacks See how they are used to pin down multiple … More ?

More here:
Whitepaper: Understanding pulse wave DDoS attacks

Alleged UK Bank Hacker Extradited From Germany

U.K. officials have extradited the man who allegedly masterminded a cyberattack earlier this year that impacted two of England’s biggest banks. They have accused 29-year-old Daniel Kaye, who was found in Germany, of using an infected computer network to damage and blackmail both Barclays and Lloyds Banking Group, The Financial Times  reported. Following the cyberattack, Lloyds found its digital services crippled on and off for over 48 hours in January 2017, preventing some customers from being able to check their bank balances or send out payments via the network. The assault was a distributed “denial of service” (DDoS) attack, which overwhelms a firm’s website so its services don’t operate properly. The same month, Barclays fought off their own cyberattack, according to the National Crime Agency. These cybercrime attacks occurred just months following a high-profile cyberattack against Tesco Bank that caused 9,000 people to have their money stolen from accounts. HSBC also saw an attack against its personal banking website and mobile app in 2016, causing thousands of customers to be locked out of their accounts. “The investigation leading to these charges was complex and crossed borders,” said Luke Wyllie, the National Crime Agency’s senior operations manager. “Our cybercrime officers have analyzed reams of data on the way. Cybercrime is not victimless, and we are determined to bring suspects before the courts,” the  Financial Times reported. Daniel Kaye is also being accused of operating a cyberattack against Liberia’s largest internet provider, Lonestar MTN. Kaye is scheduled to appear in the U.K.’s Westminster Magistrates Court on Aug. 31. “In January, we were the target of a substantial distributed denial of service (DDoS) attack,” Lloyds Banking Group said in remarks according to news by the  Financial Times . “This was successfully defended but resulted in intermittent and temporary service issues for some customers. There was no attempt to access the bank’s systems and no customer details or accounts were compromised.” Source: http://www.pymnts.com/news/security-and-risk/2017/cybercriminal-daniel-kaye-extradited-following-ddos-cyberattacks/

Read More:
Alleged UK Bank Hacker Extradited From Germany

Google pulls 300 Android apps used for DDoS attacks

A number of security researchers teamed up to fight the WireX botnet. If a random storage manager or video player you downloaded recently has disappeared from your Android device, don’t worry: it might have been for your own good. Google has removed 300 apps from the Play store, which were apparently merely masquerading as legitimate applications. In truth, they were made to hi-jack your phone so it can be used as part of a botnet’s distributed denial of service (DDoS) attacks. WireX, as the botnet is called, pummeled several content providers and delivery networks with traffic from the devices it hi-jacked on August 17th, though it’s been active since around August 2nd. In some cases, it also acted as a ransomware, demanding money from its victim. It was content delivery network Akamai that discovered its existence following an assault on one of its clients. The company then got together with Google and several security researchers from rival companies like Cloudflare, Flashpoint, Oracle + Dyn, RiskIQ, Team Cymru and other organizations to solve the issue. Upon learning that the Play Store is inundated with hundreds of fake WireX apps hiding behind the guise of innocuous programs like storage managers and ringtones, the big G did its part and blocked them all. Here are a few samples of infected apps: In a statement, Mountain View said it’s now also in the process of removing applications from affected devices. It’s unclear how long that would take, though, since based on the team’s research, WireX compromised over 70,000 devices from over 100 countries. Source: https://www.engadget.com/2017/08/29/google-pulls-300-android-apps-wirex-ddos/

Taken from:
Google pulls 300 Android apps used for DDoS attacks