Tag Archives: defend against ddos

UK Teen Charged with Running DDoS Booter Service

UK authorities have charged an eighteen-year-old with running a DDoS booter service that was used to launch DDoS attacks on legitimate businesses across the world. According to authorities, the teenager’s name is Jack Chappell, 18, of Stockport, a small town southeast of Manchester, UK. Investigators say Chappell created malware that he installed on devices around the world. He used this malware to create a DDoS botnet to which he then granted access to paying customers. Clients used this DDoS booter service to launch attacks on various companies across the globe. Investigators say that Chappell’s booter was the one that took down NatWest’s online banking system several times in the summer of 2015. Authorities say Chappell’s DDoS-for-hire platform was also responsible for DDoS attacks on the infrastructure of T-Mobile, EE, Vodafone, O2, BBC, BT, Amazon, Netflix, Virgin Media, and the UK’s National Crime Agency (NCA). Following years of investigations, the West Midlands Regional Cyber Crime Unit, together with Israeli Police, the FBI, and Europol’s European Cybercrime Centre, have tracked down the teenager, currently a student at an unnamed university. Authorities say Chappell had a partner, an American national, about whom they did not reveal any information. West Midlands Police charged the teenager today with impairing the operation of computers under the Computer Misuse Act and encouraging or assisting an offense and money laundering crime proceeds. Chappell will appear in a Manchester court tomorrow, July 4, 2017. Authorities did not release the name of Chappell’s DDoS booter service. Source: https://www.bleepingcomputer.com/news/security/uk-teen-charged-with-running-ddos-booter-service/


Why the Internet of Things could lead to the next great wave of DDoS attacks

Businesses should ensure that they are still securely protected against DDoS attacks, despite the recent growth of other trends such as ransomware. That’s the warning from Arbor Networks, which is urging organisations of all sizes to make sure they stay safe online as DDoS attacks are still rife around the world.

Speaking to ITProPortal at the recent InfoSecurity Europe 2017 event in London, Arbor CTO Darren Anstee reinforced the need for businesses to maintain their DDoS protection, despite it being hard to predict who might be hit next. “DDoS is all about targeting the availability of those services that modern businesses rely on,” he noted.

In order to combat this growing threat, the company recently revealed an updated version of its APS on-premise, distributed DDoS detection and mitigation platform for enterprise customers. The new release includes Arbor’s latest Cloud Signalling tool, which can help reduce the time to attack mitigation, bringing together on-premise and hybrid cloud migration efforts.

The Internet of Things is also set to provide a major new threat landscape for DDoS attacks, Arbor Networks believes, with past attacks such as Mirai and Dyn showing the potential for chaos. “There are a lot of IoT DDoS attacks going on out there,” Anstee says, noting that most people only hear about these assaults when a big brand is affected.

Poor regulation of IoT products has not helped with the spread of potential attacks, with many consumers unaware that the items they are buying will pose some kind of security risk. But Anstee says that commercial pressure could instead play a big role in changing the current landscape, as vendors often respond to market trends faster than to regulatory pressure. “If you want things to change quickly, you have to get people to get security implemented into their buying process,” he notes, adding that it is a “valid worry” that IoT attacks could scale to affect areas such as smart cities and infrastructure networks soon. “We are going to see IoT devices being used for more nefarious purposes over the next few years…I don’t see the problem going away.”

As the recent WannaCry ransomware attack showed, however, businesses need to be protected against all kinds of threats. Anstee noted that ransomware should remain a major concern, with companies both large and small likely to be targeted. “It’s a numbers game when it comes to ransomware,” he noted, “it is a very broad brush – if just one or two people pay, it makes it all worthwhile.”

In order to stay protected, there are several central steps that companies can take, Anstee added. This includes network segmentation, which would allow infections such as WannaCry to be quickly and easily contained. “It’s not a sexy topic, but it needs to happen in many businesses,” he says. “We’ve all focused on agility, and flattening network infrastructure…but this is really important, as it can stop such attacks propagating within networks, if it’s done properly.”

But companies also need to ensure they have proper IT risk management systems, with Anstee noting that some infections such as WannaCry could have been blocked quickly if proper processes had been in place – and various departments had communicated properly. “You can’t really blame anyone for this,” he concludes, “it really is a lot about talking to each other.”

Source: http://www.itproportal.com/news/why-the-internet-of-things-could-lead-to-the-next-great-wave-of-ddos-attacks/


Final Fantasy 14 is experiencing DDoS attacks

Trouble logging in? It may be due to hackers

Final Fantasy 14’s servers have been under intense strain this past weekend. It now seems that these issues are the direct result of distributed denial-of-service attacks, Square Enix stated today.

The attacks have apparently been going on since June 16, the first day that the game’s second expansion, Stormblood, went live for early access. This past weekend, early adopters were met with congested servers that were filled to capacity. Some queues just to log in surpassed 6,000 users. In the game proper, overwhelmed servers have led to increased load times and made some quests impossible to complete.

Stormblood was officially released yesterday and as of today, massive amounts of access requests due to the alleged hack are continuing to occur. Square Enix has stated that its technicians are doing all they can to defend against the attacks, but they are “continuing to take place by changing their methods at every moment.” The company also assured players that character data and private information associated with accounts have not been affected.

Source: https://www.polygon.com/2017/6/21/15845898/final-fantasy-14-stormblood-servers-ddos-attack


DDoS attacks continue to morph

According to Bryan Hamman, territory manager for sub-Saharan Africa at Arbor Networks, while reflection and amplification techniques have come to characterise a large number of complex, multi-vector DDoS attacks, the latest approach is to use reflection to exploit the Connection-less Lightweight Directory Access Protocol (CLDAP). Traditionally, large attacks based on reflection or amplification used the likes of NTP, DNS, SNMP, SSDP, SQL RS or Chargen. “But this new trend has now been discovered ‘in the wild’, with the force to generate highly efficient and destructive results,” he says.

What is CLDAP?

CLDAP is essentially a computer networking protocol designed for legitimate users to query and modify stored data on X.500 directory systems. It is typically used on Windows Exchange servers and domain controllers. By providing directory and access control, one can use CLDAP to locate printers on a network, find a phone number of an employee, or see the security groups a user belongs to, for instance.

The modus operandi involves the attacker spoofing the source of a connectionless protocol, pinging the server with ultra-small queries. The server then responds to the victim with a far larger response. Initial findings suggest that this approach can amplify the initial query to in the region of 46 to 55 times its size.

“This makes CLDAP attacks highly efficient. A well-orchestrated attack that exploits an organisation’s vulnerabilities could very quickly achieve massive total attack size, and bring down the digital systems of all but the largest and best-protected organisations.”

Primary targets

Reports from cloud giant Akamai show that the largest example of CLDAP reflection as the sole vector resulted in a payload of 52 bytes, amplified to as much as 70 times in this case – creating an attack data payload of 3,662 bytes, a peak bandwidth of 24Gbps, and 2 million packets per second. CLDAP attacks have primarily targeted the software and technology industry. Other industries targeted include internet and telecom, media and entertainment, education, retail and consumer goods, and financial services.

Fighting back

To effectively resist this type of DDoS attack, organisations need to thoroughly address the potential threat at a network level, by covering a number of bases:

Prevent abuse: Ensure that you have anti-spoofing deployed at the edges of your networks.
Detect attacks: Leverage flow telemetry exported from all network edges to Arbor technology, to automatically detect, classify, traceback, and alert on DDoS attacks.
Ready mitigation techniques: Deploy network infrastructure-based reaction/mitigation techniques such as Source-Based Remotely-Triggered Blackholing (S/RTBH) and flowspec at all network edges.
Mitigate attacks: Deploy intelligent DDoS mitigation systems at strategic points within your network.
Minimise damage: Deploy Quality-of-Service (QoS) mechanisms at all network edges to police CLDAP traffic down to an appropriate level.
Remediate CLDAP services: Proactively scan for and remediate abusable CLDAP services on the ISP and customer networks to reduce the number of abusable CLDAP servers.

“Like many other reflection techniques, organisations must always have ingress filtering in place. Unless there is a real need for your firm to have CLDAP available over the internet, you shouldn’t expose this protocol,” concludes Hamman.

Source: http://www.bizcommunity.com/Article/196/661/163351.html
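
One way to act on the “detect attacks” step above, as an added example that is not from the article or from Arbor: it aggregates constructed flow records per destination and time window and flags hosts receiving UDP traffic from source port 389 (the CLDAP port, a detail the article does not state) from several senders at once. The record layout, thresholds and addresses are assumptions.

```python
import csv
import io
from collections import defaultdict
from dataclasses import dataclass

CLDAP_PORT = 389  # CLDAP is LDAP over UDP; reflected replies leave the reflector from this port

# Constructed flow records (not real telemetry), one row per flow seen at a network edge.
SAMPLE_FLOWS = """\
start,src_ip,src_port,dst_ip,dst_port,proto,packets,bytes
5,198.51.100.10,389,192.0.2.50,41000,udp,400,1200000
12,198.51.100.11,389,192.0.2.50,41000,udp,400,1200000
20,198.51.100.12,389,192.0.2.50,41000,udp,400,1200000
31,198.51.100.13,389,192.0.2.50,41000,udp,400,1200000
8,203.0.113.5,389,192.0.2.50,52100,tcp,100,150000
15,203.0.113.9,53,192.0.2.50,33000,udp,10,900
40,192.0.2.20,389,192.0.2.60,49152,udp,2,400
125,198.51.100.10,389,192.0.2.70,40000,udp,1,150
130,198.51.100.11,389,192.0.2.70,40000,udp,1,150
140,198.51.100.12,389,192.0.2.70,40000,udp,1,150
"""


@dataclass
class Alert:
    victim: str
    window_start: int
    reflectors: int
    packets: int
    bits_per_second: int
    avg_packet_bytes: int


def parse_flows(text):
    """Parse the CSV layout assumed above into dicts with integer counters."""
    flows = []
    for row in csv.DictReader(io.StringIO(text)):
        for key in ("start", "src_port", "dst_port", "packets", "bytes"):
            row[key] = int(row[key])
        row["proto"] = row["proto"].lower()
        flows.append(row)
    return flows


def amplification_factor(request_bytes, response_bytes):
    """Ratio of reflected response size to the spoofed query that triggered it."""
    return response_bytes / request_bytes


def detect_cldap_reflection(flows, window=60, min_reflectors=3, min_bps=100_000):
    """Flag destinations hit by UDP/389 replies from many sources in one window.

    Both thresholds must be met: several distinct senders (one sender is more
    likely a legitimate directory lookup) and a sustained rate above min_bps.
    """
    buckets = defaultdict(lambda: {"sources": set(), "packets": 0, "bytes": 0})
    for flow in flows:
        if flow["proto"] != "udp" or flow["src_port"] != CLDAP_PORT:
            continue  # LDAP over TCP and other UDP services are out of scope here
        key = (flow["dst_ip"], flow["start"] // window * window)
        bucket = buckets[key]
        bucket["sources"].add(flow["src_ip"])
        bucket["packets"] += flow["packets"]
        bucket["bytes"] += flow["bytes"]

    alerts = []
    for (victim, start), bucket in sorted(buckets.items()):
        bps = bucket["bytes"] * 8 // window
        if len(bucket["sources"]) >= min_reflectors and bps >= min_bps:
            alerts.append(Alert(
                victim=victim,
                window_start=start,
                reflectors=len(bucket["sources"]),
                packets=bucket["packets"],
                bits_per_second=bps,
                avg_packet_bytes=bucket["bytes"] // max(bucket["packets"], 1),
            ))
    return alerts


if __name__ == "__main__":
    for alert in detect_cldap_reflection(parse_flows(SAMPLE_FLOWS)):
        print(alert)
    # The Akamai figures quoted in the article: a 52-byte query, a 3,662-byte reply.
    print(round(amplification_factor(52, 3662), 1))
```

The same aggregation gives the rate needed to choose a QoS policing level for inbound UDP/389 at the edge.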


Lawmakers seek answers on alleged FCC DDoS attack

Five Democratic senators are seeking an FBI investigation into possible cyberattacks on the Federal Communications Commission’s online comment system. The FCC’s Electronic Comment Filing System crashed in the early hours of May 8 in what the agency called “deliberate attempts by external actors to bombard” the commission and render its systems unusable by legitimate commenters.

Sens. Brian Schatz (D-Hawaii), Al Franken (D-Minn.), Patrick Leahy (D-Vt.), Ed Markey (D-Mass.) and Ron Wyden (D-Ore.) want acting FBI director Andrew McCabe to make an investigation of that May disruption a priority, and also called for an investigation into the source of the attack. The senators’ letter emphasized that they were especially troubled by the disruption of the process of public commentary given that public participation is crucial to the integrity of the FCC’s regulatory process.

The request comes as FCC Chairman Ajit Pai is moving to roll back Obama-era net neutrality regulations over the objections of Democrats in Congress and internet freedom activists. “Any cyberattack on a federal network is very serious,” the senators wrote. “This particular attack may have denied the American people the opportunity to contribute to what is supposed to be a fair and transparent process, which in turn may call into question the integrity of the FCC’s rulemaking proceedings.” The senators seek a reply by June 23.

It’s possible, however, that what the FCC is reporting as a DDoS attack was in fact a traffic spike spurred by TV comedian John Oliver, who urged viewers to register their opposition to the net neutrality rollback in a May 7 broadcast. The partisan fight over FCC actions on net neutrality has cast a political shadow over the attack, the follow-up and any future investigation. Three of the letter’s five signatories (Schatz, Markey, Franken) also signed a May 17 open letter lambasting the FCC’s possible net neutrality rollback.

Wyden and Schatz also sought clarification from Pai about the ability of the agency to protect against DDoS attacks in a separate May 9 letter. The two sought details on the user capacity of the FCC’s website and requested a reply by June 8. Meanwhile, the FCC is accepting comments on its net neutrality proceeding through Aug. 16.

Source: https://fcw.com/articles/2017/05/31/fcc-ddos-senators-berliner.aspx


7 nightmare cyber security threats to SMEs and how to secure against them

Small businesses face a range of cyber threats daily and are often more vulnerable than the larger organisations. Small businesses that see themselves as too small to be targeted by cyber criminals are putting themselves at direct risk. In fact, small businesses are at an equal, if not greater risk of being victims of cyber crime – two thirds of small UK firms were attacked by hackers between 2014 and 2016, according to a report from the Federation of Small Businesses.

Cyber crime can cause massive damage to a young business’s reputation, result in loss of assets and incur expenses to fix the damage caused. These attacks could mean the difference between cutting a profit or going bust. Legal action could also be taken if businesses are found to have failed to put proper safeguards in place. When new data protection laws are introduced in 2018 under GDPR, complacent businesses risk fines of up to £17 million or 4% of annual turnover (whichever is higher) if they suffer a data breach.

So what can small businesses do to protect themselves and the sensitive data of their customers? These are 7 nightmare cyber security threats and how to secure against them.

Threat 1: internal attacks

This shouldn’t come as a surprise to readers, but internal attacks are one of the largest cyber security threats facing small businesses today. Rogue employees, especially those with access to networks, sensitive data or admin accounts, are capable of causing real damage. Some theories even suggest that the notorious 2014 Sony Pictures hack – typically linked to North Korea – was actually an insider attack.

To reduce the risk of insider threats, businesses must identify privileged accounts – accounts with the ability to significantly affect or access internal systems. Next, terminate those that are no longer in use or are connected with employees no longer working in the business. Businesses can also implement tools to track the activity of privileged accounts. This allows for a swift response if malicious activity from an account is detected before the damage can be dealt.

Threat 2: phishing and spear phishing

Despite constant warnings from the cyber security industry, people still fall victim to phishing every day. As cyber crime has become well-funded and increasingly sophisticated, phishing remains one of the most effective methods used by criminals to introduce malware into businesses. Spear phishing is a targeted form of phishing in which phishing emails are designed to appear to originate from someone the recipient knows and trusts – like senior management or a valued client. To target victims deemed ‘high value’ — i.e. those with access to privileged accounts — cyber criminals may even study their social media to gain valuable insights which can then be used to make their phishing emails appear highly authentic.

If an employee is tricked by a malicious link in a phishing email, they might unleash a ransomware attack on their small business. Once access is gained, ransomware quickly locks down business computers as it spreads across a network. Until a ransom is paid, businesses will be unable to access critical files and services.

To mitigate the risk posed by phishing – and ransomware – organisations must ensure staff are aware of the dangers and know how to spot a phishing email. Businesses must also ensure they have secure backups of their critical data. Because ransomware locks down files permanently (unless businesses want to cough up the ransom) backups are a crucial safeguard to recover from the hack. But as ransomware attacks are on the rise, prevention remains better than treatment. Education is the best way of ensuring protection for small businesses.

Threat 3: a dangerous lack of cyber security knowledge

Entire cyber security strategies, policies and technologies are worthless if employees lack cyber security awareness. Without any kind of drive to ensure employees possess a basic level of cyber security knowledge, any measure or policy implemented will be undermined. A well-targeted spear phishing email could convince an employee to yield their password and user information. An IT team can’t be looking over everyone’s shoulders at once.

Because of this, education and training are essential to reduce the risk of cyber crime. Some employees may not know (or care enough) to protect themselves online, and this can put businesses at risk. Hold training sessions to help employees manage passwords (hint: two-factor authentication for business accounts) and identify phishing attempts. Then provide support to ensure employees have the resources they need to be secure.

Some small businesses will also consider up-skilling members of their IT teams in incident handling, often through popular GCIH training from security vendor GIAC. Incident handling professionals are able to manage security incidents as they happen, and speed the process of recovery if hacks do occur. Ultimately, even a basic level of knowledge and awareness could mean the difference between being hacked or avoiding the risk altogether.

Threat 4: DDoS attacks

Distributed Denial of Service (DDoS) attacks have overwhelmed some of the largest websites in the world, including Reddit, Twitter, and Netflix. DDoS attacks, which ambush businesses with massive amounts of web traffic, slow websites to a crawl and, more often than not, force crucial services offline. If a small business relies on a website or other online service to function, the outages caused by DDoS attacks will be catastrophic. Most DDoS attacks last between 6 and 24 hours and cost an estimated £30,000 per hour, according to data from Incapsula, a DDoS prevention firm.

Whilst businesses can’t stop a website or service being targeted in a DDoS attack, they can work to absorb some of the increased traffic, giving them more time to form a response or filter out the spam data. Ensuring there is extra bandwidth available, creating a DDoS response plan in the event of an attack or using a DDoS mitigation service are all great steps towards reducing the impact of an attack. But that’s just scratching the surface of DDoS mitigation – here are more ways to prevent a DDoS attack.

Threat 5: malware

Malware is a blanket term that encompasses any software that gets installed on a machine to perform unwanted tasks for the benefit of a third party. Ransomware is a type of malware, but others exist, including spyware, adware, bots and Trojans.

To prevent malware from taking hold, businesses should invest in solid anti-virus technology. Plus, operating systems, firewalls and firmware, and previously mentioned anti-virus software must be kept up-to-date. If services are outdated or not updated regularly, businesses are at a serious risk. Just look at the damage caused when malware infected the UK’s National Health Service through an exploit within an outdated version of Windows XP. And that was just one of the high profile targets affected by the global WannaCry ransomware attack.

Threat 6: SQL Injection

Almost every business relies on websites to operate and many depend entirely on the service they provide online. However, poorly secured websites could be wide open to data theft by cyber criminals. Of the many attacks that can be staged against a website, SQL injection is amongst the most dangerous and even the largest companies fall victim to it.

SQL injection refers to vulnerabilities that allow hackers to steal or tamper with the database sitting behind a web application. This is achieved by sending malicious SQL commands to the database server, typically by inputting code into forms – like login or registration pages.
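
The form-based injection just described, shown beside a parameterized query, as an added example that is not from the original article. The `users` table, both login functions, the stored hash string and the form inputs are hypothetical and constructed; comparing a stored hash inside the query is a simplification.

```python
import sqlite3

# Constructed form inputs; none of them is a valid credential pair.
HOSTILE_INPUTS = [
    ("alice' --", "x"),                    # comments out the password check
    ("x' OR '1'='1", "x' OR '1'='1"),      # makes the WHERE clause always true
    ("o'brien", "x"),                      # an ordinary surname with an apostrophe
]


def make_db():
    """In-memory database with one constructed account."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT)")
    db.execute("INSERT INTO users VALUES ('alice', 'constructed-hash-1')")
    return db


def login_concatenated(db, username, password_hash):
    """Vulnerable: form input becomes part of the SQL text, so a quote in it
    ends the string literal and the rest is parsed as SQL."""
    query = ("SELECT username FROM users WHERE username = '" + username +
             "' AND password_hash = '" + password_hash + "'")
    return db.execute(query).fetchone() is not None


def login_parameterized(db, username, password_hash):
    """Hardened: the SQL text is fixed and the inputs are bound as values,
    so they are only ever compared, never parsed."""
    query = "SELECT username FROM users WHERE username = ? AND password_hash = ?"
    return db.execute(query, (username, password_hash)).fetchone() is not None


def audit(login_fn):
    """Regression check: feed every hostile input to login_fn and record
    whether it was accepted, rejected, or crashed the query."""
    db = make_db()
    results = {}
    for username, password_hash in HOSTILE_INPUTS:
        try:
            accepted = login_fn(db, username, password_hash)
            results[username] = "accepted" if accepted else "rejected"
        except sqlite3.Error:
            results[username] = "error"
    return results


if __name__ == "__main__":
    print("concatenated: ", audit(login_concatenated))
    print("parameterized:", audit(login_parameterized))
```

A check like `audit` can sit in a test suite so that a later change which reintroduces string-built SQL fails the build.
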
It takes a few well-calculated steps to protect against SQL injection. As a precaution, businesses should assume all user-submitted data is malicious, get rid of database functionality that isn’t needed and consider using a web application firewall. For a closer look at SQL injection, take a look at this documentation from Cisco. Properly preventing SQL injection is primarily a responsibility for a web development or security team, but the change has to be driven from the top. Still not convinced? Take a look at this video from Computerphile to see how effective and dangerous SQL injection can be.

Threat 7: BYOD

Businesses are vulnerable to data theft, especially if employees are using unsecure mobile devices to share or access company data. As more small businesses make use of bring your own device (BYOD) technology, corporate networks could be at risk from unsecured devices carrying malicious applications which could bypass security and access the network from within the company.

The solution is nailing down a defined BYOD policy. A comprehensive BYOD policy educates employees on device expectations and allows companies to better monitor email and documents that are being downloaded to company-owned devices. Ensure employee-owned devices can access the business network through a VPN which connects remote BYOD users with the organisation via an encrypted channel.

A VPN is crucial if employees are using public WiFi networks to access business data. Public Wi-Fi is notoriously unsecure and provides little protection against criminals that might be watching the transfer of sensitive data. If an attacker does capture encrypted VPN traffic they will only see incomprehensible characters going from you to a VPN server – meaning no sensitive data is leaked.

Source: http://www.information-age.com/7-nightmare-cyber-security-threats-smes-secure-123466495/


What’s business continuity management and why does your business need it?

Reality check: Modern businesses rely on their digital capabilities now more than ever. Downtime has become a terrifying thing to even utter, let alone consider. This is why an effective business continuity plan has become a cornerstone in every business, with IT-centric businesses being no exception. Business Continuity is all about identifying what your key products are and what you can do to ensure that business continues as usual even in the case of disruptions or catastrophes, no matter the size or cause. In truth, business continuity planning is not such an alien concept even to regular consumers. Ever planned a holiday? Whenever planning a holiday, we think of the worst case scenarios and how we can come out of them unscathed, without ruining our well-earned trip. We set up plans in case something goes wrong with our ‘core services’ and we’re prepared for it. We search for additional taxi services in the area despite having booked a cab already, or we check for alternate routes should we rent a car. It’s never a good idea to go on a vacation unprepared for something to go wrong, and a business should be no different. Being the largest multi-site data centre provider in Malta, we are experienced in the business of keeping our customers’ systems online at all costs. The ideal IT services provider should strive to deliver a redundant solution in every component within their setup. At BMIT, we take great care in adopting this approach, from upgrading our core infrastructure services all the way to training our technical team to adopt best-practice methods for optimal business continuity management. Improving redundancy should always be the utmost priority when it comes to introducing new products within an IT Services provider’s portfolio. 
Studies show that the average total cost of unplanned application downtime per year is €1 billion to €2.5 billion for the Fortune 1000 companies. An hour of infrastructure failure costs an average of €100,000 with the number jumping fivefold to €500,000 to €1m in the case of a critical application failure; certainly not numbers to scoff at. The digital world undergoes changes every day and it is imperative to constantly keep working to ensure that the systems are up-to-date and relevant to the present realities. The introduction of new ranges of systems and services that protect customers against common business continuity pitfalls always helps to cement the provider’s commitment to ensure the clients’ uptime.

With the world fast approaching an almost completely digitally-dependent era, the dangers of the dark side of the internet become an ever-present reality for the modern digital business. In recent years Distributed Denial of Service attacks, otherwise known as DDoS attacks, have emerged as one of the most disruptive ways in which a business can be brought down to its knees. DDoS attacks are weapons of mass disruption aimed at paralysing internet systems including networks, websites and servers, resulting in lost revenues, compromised site performance and tarnished reputations. BMIT has had to take these dangers into consideration, especially since even ISPs can be targeted, which would put us at a risk of not being able to provide a connection for our customers. In recent years, we’ve launched a multi-tiered DDoS protection and mitigation system to protect our customers from even the most vicious of DDoS attacks.
From our experience in the industry, we learnt that best-practice is for our private network’s bandwidth needs to be sourced from multiple providers and delivered across multiple redundant links in order to eliminate the risks of our customers going offline through an outage. This setup ensures that our clients are hosted on a reliable and certified ISO27001 network which does not rely on a singular connection. At BMIT we offer clients various features which help ensure continuity for their business. We now have a multi-tiered DDoS protection and mitigation system protecting our redundant 40gbps private international network. This network consists of multiple geographically-separated links, each of which can take over traffic load should there be any faults in the other links. Moreover, we have multiple data centres and international points of presence which form a key part of business continuity plans for our customers. Geo-redundancy is a critical aspect of business continuity for international customers, and our presence across countries addresses this. For example, some clients mirror their servers from one data centre to another. In addition, we also offer several backup options as well as managed services options to help our clients achieve a robust business continuity plan. As part of our portfolio, our customers can also tap into several tools to manage their systems, including advanced firewall solutions as well as virtual load-balancing services. Ultimately, each of our redundant service offerings is a step forward in our customers’ pursuit to ensuring their business stays up. Customers’ feedback is vital and should always be taken into consideration. Good business continuity practices are a top priority for clients and usually the main reason why providers with great core infrastructures for business continuity retain customers. 
Sources: https://www.timesofmalta.com/articles/view/20170528/business-news/What-s-business-continuity-management-and-why-does-your-business-need.649236


Report: DDoS attacks are less common, but they’re bigger

Information security company Verisign just published its Distributed Denial of Service Trends Report for Q1 2017. This report talks about changes in the frequency, size, and type of DDoS attack that the company has observed over the first few months of this year.

The main takeaway is this: The number of DDoS attacks has plunged by 23 percent compared to the previous quarter. That’s good! However, the average peak attack size has increased by almost 26 percent, making them vastly more potent at taking down websites and critical online infrastructure. That’s bad.

The report also notes that attacks are sophisticated in nature, and use several different attack types to take down a website. While 43 percent use just one attack vector, 25 percent use two, and six percent use five. This, obviously, makes it much more difficult to mitigate against.

Verisign’s report also talks about the largest DDoS attack observed by the company in Q1. This was a multi-vector attack that peaked at 120 Gbps, and with a throughput of 90 Mpps. Per the report:

“This attack sent a flood of traffic to the targeted network in excess of 60 Gbps for more than 15 hours. The attackers were very persistent in their attempts to disrupt the victim’s network by sending attack traffic on a daily basis for over two weeks. The attack consisted primarily of TCP SYN and TCP RST floods of varying packet sizes and employed one of the signatures associated with the Mirai IoT botnet. The event also included UDP floods and IP fragments which increased the volume of the attack.”

So, in short. The attackers were using several different attack types, and they were able to sustain the attack over a long period of time. This shows the attacker has resources, either to create or rent a botnet of that size, and to sustain an attack over two weeks.

The fact that DDoS attacks have increased in potency is hardly a surprise. They’ve been getting bigger and bigger, as bad actors figure out they can easily rope insecure Internet of Things (IoT) devices into their botnets. The Mirai botnet, for example, which took down Dyn last year, and with it much of the Internet, consisted of hundreds of thousands of insecure IoT products.

The main thing you can glean from the Verisign report is that DDoS attacks are increasingly professional, for lack of a better word. It’s not 2005 anymore. We’ve moved past the halcyon days of teenagers taking down sites with copies of LOIC they’d downloaded off Rapidshare. Now, it’s more potent. More commoditized. And the people operating them aren’t doing it for shits and giggles.

Source: https://thenextweb.com/insider/2017/05/24/report-ddos-attacks-are-less-common-but-theyre-bigger/#.tnw_RJHfi1AZ


Examining the FCC claim that DDoS attacks hit net neutrality comment system

Attacks came from either an unusual type of DDoS or poorly written spam bots.

On May 8, when the Federal Communications Commission website failed and many people were prevented from submitting comments about net neutrality, the cause seemed obvious. Comedian John Oliver had just aired a segment blasting FCC Chairman Ajit Pai’s plan to gut net neutrality rules, and it appeared that the site just couldn’t handle the sudden influx of comments.

But when the FCC released a statement explaining the website’s downtime, the commission didn’t mention the Oliver show or people submitting comments opposing Pai’s plan. Instead, the FCC attributed the downtime solely to “multiple distributed denial-of-service attacks (DDoS).” These were “deliberate attempts by external actors to bombard the FCC’s comment system with a high amount of traffic to our commercial cloud host,” performed by “actors” who “were not attempting to file comments themselves; rather, they made it difficult for legitimate commenters to access and file with the FCC.”

The FCC has faced skepticism from net neutrality activists who doubt the website was hit with multiple DDoS attacks at the same time that many new commenters were trying to protest the plan to eliminate the current net neutrality rules. Besides the large influx of legitimate comments, what appeared to be spam bots flooded the FCC with identical comments attributed to people whose names were drawn from data breaches, which is another possible cause of downtime.

There are now more than 2.5 million comments on Pai’s plan. The FCC is taking comments until August 16 and will make a final decision some time after that.

The FCC initially declined to provide more detail on the DDoS attacks to Ars and other news organizations, but it is finally offering some more information. A spokesperson from the commission’s public relations department told Ars that the FCC stands by its earlier statement that there were multiple DDoS attacks. An FCC official who is familiar with the attacks suggested they might have come either from a DDoS or spam bots but has reason to doubt that they were just spam bots. In either case, the FCC says the attacks worked differently from traditional DDoSes launched from armies of infected computers.

A petition by activist group Fight for the Future suggests that the FCC “invent[ed] a fake DDoS attack to cover up the fact that they lost comments from net neutrality supporters.” But while FCC commissioners are partisan creatures who are appointed and confirmed by politicians, the commission’s IT team is nonpartisan, with leadership that has served under both Presidents Obama and Trump.

There’s no consensus among security experts on whether May 8 was or wasn’t the result of a DDoS attack against the FCC comments site. One security expert we spoke to said it sounds like the FCC was hit by an unusual type of DDoS attack, while another expert suggested that it might have been something that looked like a DDoS attack but actually wasn’t.

Breaking the silence

FCC CIO David Bray offered more details on how the attack worked in an interview with ZDNet published Friday. Here’s what the article said:

According to Bray, FCC staff noticed high comment volumes around 3:00 AM the morning of Monday, May 8. As the FCC analyzed the log files, it became clear that non-human bots created these comments automatically by making calls to the FCC’s API. Interestingly, the attack did not come from a botnet of infected computers but was fully cloud-based. By using commercial cloud services to make massive API requests, the bots consumed available machine resources, which crowded out human commenters. In effect, the bot swarm created a distributed denial-of-service attack on FCC systems using the public API as a vehicle. It’s similar to the distributed denial of service attack on Pokemon Go in July 2016.

This description “sounds like a ‘Layer 7’ or Application Layer attack,” Cloudflare Information Security Chief Marc Rogers told Ars. This is a type of DDoS, although it’s different from the ones websites are normally hit with. “In this type of [DDoS] attack, instead of trying to saturate the site’s network by flooding it with junk traffic, the attacker instead tries to bring a site down by attacking an application running on it,” Rogers said.

“I am a little surprised that people are challenging the FCC’s decision to call this a DDoS,” Rogers also said. Cloudflare operates a global network that improves performance of websites and protects them from DDoS attacks and other security threats.

When asked if the FCC still believes it was hit with DDoS attacks, an FCC spokesperson told Ars that “there have been DDoS attacks during this process,” including the morning of May 8. But the FCC official we talked to offered a bit less certainty on that point. “The challenge is someone trying to deny service would do the same thing as someone who just doesn’t know how to write a bot well,” the FCC official said. FCC officials said they spoke with law enforcement about the incident.

Spam bots and DDoS could have same effect

DDoS attacks, according to CDN provider Akamai, “are malicious attempts to render a website or Web application unavailable to users by overwhelming the site with an enormous amount of traffic, causing the site to crash or operate very slowly.” DDoS attacks are “distributed” because the attacks generally “use large armies of automated ‘bots’—computers that have been infected with malware and can be remotely controlled by hackers.” (Akamai declined to comment on the FCC downtime when contacted by Ars.)

In this case, the FCC’s media spokesperson told Ars the traffic did not come from infected computers. Instead, the traffic came from “cloud-based bots which made it harder to implement usual DDoS defenses.”

The FCC official involved in the DDoS response told us that the comment system “experienced a large number of non-human digital queries,” but that “the number of automated comments being submitted was much less than other API calls, raising questions as to their purpose.” If these were simply spammers who wanted to flood the FCC with as many comments as possible, like those who try to artificially inflate the number of either pro- or anti-net neutrality comments, they could have used the system’s bulk filing mechanism instead of the API. But the suspicious traffic came through the API, and the API queries were “malformed.” This means that “they aren’t formatted well—they either don’t fit the normal API spec or they are designed in such a way that they excessively tax the system when a simpler call could be done,” the FCC official said.

Whether May 8 was the work of spam bots or DDoS attackers, “the effect would have been the same—denial of service to human users” who were trying to submit comments, the FCC official said. But these bots were submitting many fewer comments than other entities making API calls, suggesting that, if they were spam bots, they were “very poorly written.”

The official said a similar event happened in 2014 during the previous debate over net neutrality rules, when bots tied up the system by filing comments and then immediately searching for them. “One has to ask why a bot would file, search, file, search, over and over,” the official said. If it was just a spam bot, “one has to wonder why, if the outside entity really wanted to upload lots of comments in bulk, they didn’t use the alternative bulk file upload mechanism” and “why the bots were submitting a much lower number of comments relative to other API calls,” the official said.

The FCC says it stopped the attacks by 8:45am ET on May 8, but the days that followed were still plagued by intermittent downtime. “There were other waves after 8:45am that slowed the system for some and, as noted, there were ‘bots’ plural, not just one,” the FCC official said. On May 10, “we saw other attempts where massive malformed search queries also have hit the system, though it is unclear if the requestors meant for them to be poorly formed or not. The IT team has implemented solutions to handle them even if the API requests were malformed.”

Was it a DDoS, or did it just look like one?

There is some history of attackers launching DDoS attacks from public cloud services like Amazon’s. But the kind of traffic coming into the FCC after the John Oliver show might have looked like DDoS traffic even if it wasn’t, security company Arbor Networks says. Arbor Networks, which sells DDoS protection products, offered some analysis for its customers and shared the analysis with Ars yesterday. Arbor says:

When a client has an active connection to a website which is under heavy load, there is a risk that the server will be unable to respond in a timely fashion. The client will then start to automatically resend its data, causing increased load. After a while, the user will also get impatient and will start to refresh the screen and repeatedly press the “Submit” button, increasing the load even further. Finally, the user will, in most cases, close the browser session and will attempt to reconnect to the website. This will then generate TCP SYN packets which, if processed correctly, will move to the establishment of the SSL session which involves key generation, key exchange, and other compute intensive processes. This will most likely also time out, leaving sessions hanging and resulting in resource starvation on the server.

A spam bot would behave in the same manner, “attempting to re-establish its sessions, increasing the load even further,” Arbor says. “Also, if the bot author wasn’t careful with his error handling code, the bot might also have become very aggressive and start to flood the server with additional requests.”

What the FCC saw in this type of situation might have looked like a DDoS attack regardless of whether it was one, Arbor said:

When viewed from the network level, there will be a flood of TCP SYN packets from legitimate clients attempting to connect; there will be a number of half-open SSL sessions which are attempting to finalize the setup phase and a large flood of application packets from clients attempting to send data to the Web server. Taken together, this will, in many ways, look similar to a multi-faceted DDoS attack using a mix of TCP-SYN flooding, SSL key exchange starvation, and HTTP/S payload attacks. This traffic can easily be mistaken for a DDoS attack when, in fact, it is the result of a flash crowd and spam bot all attempting to post responses to a website in the same time period.

DDoS attacks generally try to “saturate all of the bandwidth that the target has available,” Fastly CTO Tyler McMullen told Ars. (Fastly provides cloud security and other Web performance tools.) In the FCC’s case, the attack sounds like it came from a small number of machines on a public cloud, he said.

“Another form of denial-of-service attack is to make requests of a service that are computationally expensive,” he said. “By doing this, you don’t need a ton of infected devices to bring down a site—if the service is not protected against this kind of attack, it often doesn’t take much to take it offline. The amount of traffic referenced here does not make it obvious that it was a DDoS [against the FCC].”

Server logs remain secret

The FCC declined to publicly release server logs because they might contain private information such as IP addresses, according to ZDNet. The logs reportedly contain about 1GB of data per hour from the time period in question, which lasted nearly eight hours.

The privacy concerns are legitimate, security experts told Ars. “Releasing the raw logs from their platform would almost certainly harm user privacy,” Rogers of Cloudflare told Ars. “Finally, redacting the logs would not be a simple task. The very nature of application layer attacks is to look exactly like legitimate user traffic.”

McMullen agreed. “Releasing the logs publicly would definitely allow [the details of the attack] to be confirmed, but the risk of revealing personal information here is real,” he said. “IP addresses can sometimes be tied to an individual user. Worse, an IP address combined with the time at which the request occurred can make the individual user’s identity even more obvious.”

But there are ways to partially redact IP addresses so that they cannot be tied to an individual, he said. “One could translate the IP addresses into their AS numbers, which is roughly the equivalent of replacing a specific street address with the name of the state the address is in,” he said. “That said, this would still make it clear whether the traffic was coming from a network used by humans (e.g. Comcast, Verizon, AT&T, etc) or one that primarily hosts servers.”

Open by design

The FCC’s public comments system is supposed to allow anyone to submit a comment, which raises some challenges in trying to prevent large swarms of traffic that can take down the site.

The FCC has substantially upgraded its website and the back-end systems that support it since the 2014 net neutrality debate. Instead of ancient in-house servers, the comment system is now hosted on the Amazon cloud, which IT departments can use to scale computing resources up and down as needed. But this month’s events show that more work needs to be done. The FCC had already implemented a rate limit on its API, but the limit “is tied to a key, and, if bots requested multiple keys, they could bypass the limit,” the FCC official told us.

The FCC has avoided using CAPTCHA systems to distinguish bots from humans because of “challenges to individuals who have different visual or other needs,” the official said. Even “NoCAPTCHA” systems that only require users to click a box instead of entering a hard-to-read string of characters can be problematic. “Some stakeholders who are both visually impaired and hearing impaired have reported browser issues with NoCAPTCHA,” the FCC official said. “Also a NoCAPTCHA would mean you would have to turn off the API,” but there are groups who want to use the API to submit comments on behalf of others in an automated fashion. Comments are often submitted in bulk both by pro- and anti-net neutrality groups.

The FCC said it worked with its cloud partners to stop the most recent attacks, but it declined to share more details on what changes were made. “If folks knew everything we did, they could possibly work around what we did,” the FCC official said. Senate Democrats asked the FCC to provide details on how it will prevent future attacks.

While the net neutrality record now contains many comments of questionable origin and quality, the FCC apparently won’t be throwing any of them out. But that doesn’t mean they’ll hold any weight on the decision-making process. “What matters most are the quality of the comments, not the quantity,” Pai said at a press conference this month. “Obviously, fake comments such as the ones submitted last week by the Flash, Batman, Wonder Woman, Aquaman, and Superman are not going to dramatically impact our deliberations on this issue.”

There is “a tension between having open process where it’s easy to comment and preventing questionable comments from being filed,” Pai said. “Generally speaking, this agency has erred on the side of openness. We want to encourage people to participate in as easy and accessible a way as possible.”

Source: https://arstechnica.com/information-technology/2017/05/examining-the-fcc-claim-that-ddos-attacks-hit-net-neutrality-comment-system/
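
The partial redaction McMullen describes in the article above (replace each IP address with its AS number, while still showing whether traffic came from access networks or server-hosting networks) can be sketched as follows. This is an added example, not code from the article or the FCC: the log format, endpoint paths, prefix table and AS numbers are all constructed, and rounding timestamps to the hour and dropping query strings are assumptions that go beyond his suggestion, prompted by his point that an address combined with a request time identifies a user more easily.

```python
import ipaddress
from collections import Counter
from datetime import datetime

# Constructed prefix table: RFC 5737/3849 documentation prefixes and RFC 5398
# documentation AS numbers. "access" stands in for a consumer ISP, "hosting"
# for a network that primarily hosts servers. A real table would come from a
# BGP snapshot plus a network-type classification.
PREFIX_ROWS = [
    ("192.0.2.0/24", 64496, "access"),
    ("2001:db8:a::/48", 64496, "access"),
    ("198.51.100.0/24", 64497, "hosting"),
    ("198.51.100.128/25", 64498, "hosting"),  # more-specific route wins
]

# Constructed log lines in a hypothetical "time ip method target" format.
SAMPLE_LOG = [
    "2024-01-01T03:01:17Z 198.51.100.7 GET /api/search?q=name%3AJane+Doe",
    "2024-01-01T03:01:18Z 198.51.100.200 GET /api/search?q=name%3AJane+Doe",
    "2024-01-01T03:01:18Z 198.51.100.7 POST /api/comments",
    "2024-01-01T03:02:40Z 192.0.2.33 POST /api/comments",
    "2024-01-01T03:59:59Z 2001:db8:a::15 GET /api/search",
    "2024-01-01T04:00:03Z 203.0.113.9 GET /api/search",
    "truncated entry mentioning 198.51.100.7 somewhere",
]


def build_table(rows):
    """Parse prefixes and order them longest-first for longest-prefix match."""
    table = [(ipaddress.ip_network(p), asn, kind) for p, asn, kind in rows]
    return sorted(table, key=lambda row: row[0].prefixlen, reverse=True)


def lookup(ip_text, table):
    """Return (asn, kind) for an address, or (None, 'unknown') if unrouted."""
    ip = ipaddress.ip_address(ip_text)  # raises ValueError on bad input
    for net, asn, kind in table:
        if ip.version == net.version and ip in net:
            return asn, kind
    return None, "unknown"


def redact_line(line, table):
    """Replace the IP with its AS, round time down to the hour, drop the query.

    Returns None for anything that does not parse, so a malformed line is
    dropped rather than passed through with an address still in it.
    """
    try:
        ts_text, ip_text, method, target = line.split()
        ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")
        asn, kind = lookup(ip_text, table)
    except ValueError:
        return None
    label = f"AS{asn}" if asn is not None else "AS-unknown"
    path = target.split("?", 1)[0]  # query strings can carry names
    return f"{ts:%Y-%m-%dT%H}:00Z {label} {kind} {method} {path}"


def redact_log(lines, table):
    """Redact every line; return (redacted_lines, number_dropped)."""
    redacted = [r for r in (redact_line(l, table) for l in lines) if r]
    return redacted, len(lines) - len(redacted)


def traffic_by_kind(redacted):
    """Count requests per network type, the question the redaction preserves."""
    return Counter(line.split()[2] for line in redacted)


if __name__ == "__main__":
    table = build_table(PREFIX_ROWS)
    redacted, dropped = redact_log(SAMPLE_LOG, table)
    print("\n".join(redacted))
    print(f"dropped={dropped}", dict(traffic_by_kind(redacted)))
```

An address with no covering prefix is emitted as `AS-unknown` rather than left in place, so a gap in the routing table cannot leak a raw IP into the published log.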


‘Cyberattacks could contribute to a dramatic shift in world power’

In our five-minute CIO series, Lior Tabansky explains how cyberattacks could have a seismic effect on the world order.

Lior Tabansky is a cyber power scholar at the Blavatnik Interdisciplinary Cyber Research Center (ICRC) and the director of strategy in Tel-Aviv-based cybersecurity consultancy firm CSG. Tabansky brings a refreshing interdisciplinary approach to cybersecurity to the table, facilitated by his political science and security studies, 15 years of hands-on IT professional practice, and high-level think tank, policy and corporate experience. His strategic cybersecurity expertise stems from a unique combination: service in the Israeli Air Force, subsequent career designing and managing business ICT infrastructure, postgraduate political science education and a proven commitment to interdisciplinary, academic policy-oriented research.

Tabansky recently wrote an insightful and timely book – Cybersecurity in Israel – co-authored with Prof Isaac Ben-Israel and published by Springer. This comprehensive yet concise work offers an ‘insider’ strategic analysis of Israeli cyber power, with invaluable lessons to be learned by governments and corporations alike.

How does one become a cyber scholar?

I was always interested in politics and international relations because, since high school, I figured out this was important and I wanted to know how the world works. In parallel, around the mid-90s, the whole PC revolution happened and it fascinated me. And then you realise that things don’t work like they are supposed to, and I learned on my own to play with it and fix it and from there on, I pursued parallel academic tracks. One track was political science and security studies and, in parallel, I began working in IT as an admin because they paid more than other professions. Around 2003, I was doing a master’s on the role of IT in counter-terrorism and that’s how I became more established academically in this field. From there on, technology changed, and I was studying mostly the development of how it can challenge national security.

Is most of your work academic?

First of all, this subject is not very fashionable in academia because it is mostly current affairs; it relates to policy issues and is constantly moving, so it is on the fringes of the academic world. I had a lot of backlash for trying to pursue proper academic research with things that are constantly moving. It’s a conceptual issue. On top of that, the centre we established at Tel-Aviv University is more like a think tank in terms of influencing policy debates – it is mostly pure research. We also hold our Cyber Week conference in the summer, which attracts 5,000 people and delegations from 50 countries.

With cyberattacks on the rise, every individual is threatened. How do you see the world we are in?

This is not a purely defence issue, each one of us is affected. This is precisely why, as a civilisation, we build societies, states, cities and so on. The primary duty of the state is to provide security for society. Of course, you need to change a lot and adapt and this is where I think the west, and particularly the US, are doing a particularly bad job. They were the first to develop the whole field, to recognise and publish the deep implications of technology, and yet they are still all the time complaining about China, and now it has switched to Russia; but their governments fail to protect the companies, the citizens and civil society, and maybe they are not even trying. So, the failure is not even trying. This is a very typical problem. We are in the midst of a revolution similar to the industrial revolution and, unless society and states adapt, we will see dramatic shifts in world power. And, sitting where we are sitting, that is not a good thing. The shakes and tremors will come at everyone’s expense. Most of the rest of the world doesn’t like the western world’s dominance, and these are the ones who will continue to challenge the western way of life – it is a dangerous situation.

Do you feel that the way the western world is going about cybersecurity – with an emphasis on surveillance rather than defence – is the wrong approach?

Yes. It is not a resource issue. The US, for example, has by far the largest resources of all their competitors combined, definitely in defence and security. The NSA has been the largest employer of mathematicians for decades, so they are way ahead of all of us in that field. The problem is politics. How you work these things out and the balance between all sorts of values and security is very difficult, and, of course, no one knows how to get it right. It’s not a resource issue. The US has unlimited resources, manpower and technology, and they can get it right. If you try to focus too much on defence and security, you will harm civil liberties and so on, and no one wants that. The thing is, while we are figuring out how to solve it over the last few decades, your adversaries will try to act more and more in their interests.

Has Israel gotten it right?

There is much more to be done. We are relatively in a good situation compared to other western democracies. However, it is far away from the ideal situation that we have in security affairs. We pay taxes, we get security, and it works pretty well. Europe is in a great historic anomaly of having several decades of zero wars. This is only because societies got the defence issue right, which includes economics, diplomacy and other things. Unless we get it right in the cyber area, there will be changes. This is what history is about.

And if we don’t get it right? Will some countries do better than others?

There are a lot of instruments for cooperation between like-minded countries in terms of official bodies such as the EU and NATO and, more importantly, bilateral. This is where the strengths of the west lie, in the freedom to have people meet and develop new ideas. This is our best chance. It is a case of western civilisation versus the rest of the world that wants to compete with us.

And yet, when it comes to security, organisations spend a fortune on cyber defence, only to have it unravel because one individual opens a phishing email …

I’m happy to hear from you as a technology journalist acknowledge that technology can have human failure. From an information security perspective, we have a good empirical knowledge of how things happen. Most of the important breaches involve insiders; everything involves human behaviour. The top four strategies for cyber defence will mitigate 94pc of all breaches. There are already so many readily available, built-in technology solutions that we can use and yet we don’t, and the problem is with humans. This again brings me to society and politics, and policy and government issues, which are more complicated than a single solution or bunch of solutions.

The other issue is, we do not know what the threats will look like. It is much worse when it is cyber because of the rate of change. Therefore, I don’t know if that is the official position of Israeli strategy but the underlying notion is, we don’t know what capability we will need in the future. It’s not like we can design a great aeroplane and it would take 20 years and we get there; we need to have an ecosystem in place that’s dynamic enough to identify changes and to adapt rapidly. It’s a dramatically different mindset from other defence issues. You can’t just plan ahead. It is much more complicated and you need to involve sectors of society, the private sector (whether they like it or not), the education system, academia. The main responsibility for national defence should be the defence organisations.

In the last year, attacks such as WannaCry, and the various DDOS attacks on the internet of things and cloud organisations, suggest a worrying spike in attack capabilities. Do you agree?

It is very predictable: if you take Moore’s Law and subsequent laws in networking and memory, and continue to extrapolate forward, yes, the internet of things is definitely going to happen. The complexity is growing, the number of potential threat vectors is growing, and it only means that you need to put in place better policies and prioritise where to put the limited funds we have. Unlike the Americans who have unlimited resources, in Israel, we don’t consider DDOS attacks a big problem, but of course we do things to prevent them. The Israeli government’s networks have been withstanding DDOS attacks, larger than the Estonians suffered in 2007, routinely. You need to assume things will go wrong and focus on the more narrow, more critical elements, because we cannot cover everything.

Has the best attack not yet been invented?

Since 2002, the government has legislated an arrangement for critical infrastructure protection. The concern was not information under threat, but the symbiosis between the operational technology and the information technology. I think this remains the major threat scenario: a disruptive or destructive attack on the systems that underpin our modern life.

What would be the typical attack volume on Israel, what are you dealing with?

State of the art! Whatever appears on the market, we usually get it first. Even 10 years ago, we had a lot of solutions readily available to deploy to mitigate massive DDOS attacks; even today, it is a matter of where you put your investment. If you spend enough money, you can mitigate any volume of DDOS attack, but is it worth the effort? Attackers are not interested in achieving the specific volume of attack, they are interested in achieving an effect. And the better your defences are, the more it helps you to incur higher costs on them.

Source: https://www.siliconrepublic.com/enterprise/israel-cyber-defence
