Tag Archives: denial of service

Organizations Must Adapt to Evolving DDoS Attacks

Distributed Denial-of-Service (DDoS) attacks are becoming larger, more frequent, and more complex than ever before. According to Arbor Networks’ 12 th Annual Worldwide Infrastructure Security Report (WISR), attack size has grown 7,900% since its initial report – a compound annual growth rate (CAGR) of 44%. The most recent attacks are significantly larger than anything previously seen, and can now disrupt even the largest internet service providers. This data shows that DDoS attacks have become more than just a nuisance: they are rapidly increasing in size and now threaten to disrupt core Internet infrastructure. Within the broader spectrum of risks for corporate security and IT decision makers, DDoS attacks present a nettlesome and growing challenge for several reasons. First, while the underlying technology behind DDoS attacks hasn’t changed much, the number of internet-connected devices in the world that can be compromised has dramatically increased. In addition, the level to which DDoS attacks have become automated and commoditized has also increased. The Mirai-enabled attacks showed off the former; they used an army of internet-connected IoT devices to generate unprecedented levels of traffic. In the past, a connection to the internet required significant hardware and expense. These days, even light bulbs can be connected to a network, which provides a lot more sources for traffic. Second, the amount of skill required to successfully run a DDoS attack has been lowered over the last twenty years. While large attacks such as Mirai take some amount of coordination and planning, in many cases a connection to the right forum and a small amount of money ($50-100) can buy you a short attack that can take down unprotected web services. Why DDoS attacks are hard to prevent The best way to think about the DDoS problem is to imagine a river system, like the Mississippi or Columbia. At the end of those systems, where they meet the ocean, it’s very obvious that there’s a lot of water moving through those rivers: but at the source of all that water — at the little tiny creeks and streams and rivulets where the water first gathers — those sources don’t necessarily look like that much. Volumetric-style DDoS attacks, whereby attackers simply flood a target with more data than their connection can handle, use a similar effect: each network only cares about sending IP packets to the “next hop”, without a holistic view or awareness of what the total, internet-wide traffic picture looks like. So, at the source of a DDoS attack, it can be difficult to differentiate between someone uploading a file and someone perpetrating an attack. What actually matters is whether that one traffic flow joins together with a bunch of other traffic to form a giant river, or if the traffic flow is bounced off a server in such a way that it magnifies the size of the traffic many-fold. In either case, by the time you notice that you’ve got a really huge river of traffic coming at you, it may already be too late. Emerging approaches to combat DDoS attacks A promising approach to DDoS can be found with the DDoS Defense for a Community of Peers (3DCoP) project, which uses peer-to-peer collaboration so that like-minded organizations (such as a group of universities, government agencies, banks, or ISPs) act together to rapidly and effectively detect and mitigate DDoS attacks. With a peer-to-peer collaborative approach, the target of a DDoS attack can send out distress calls to the origin of any traffic it sees. The receivers of these distress calls can then take a look at the traffic they’re seeing, and either pass that message on appropriately or take local action. Universities, for example, might learn that what looks like normal traffic coming out from one of their student labs looks like a big attack to a target, and use this information to shut off or rate-limit that lab. Other approaches involve technologies like BGP FlowSpec, an improvement over conventional IP blacklisting. FlowSpec allows a victim of a DDoS to ask its upstream service providers and intermediate networks to block specific kinds of traffic, with a good level of granularity. Organizations can also relocate services into the cloud, as some cloud operators deploy sensors that can detect and mitigate attacks earlier. Unfortunately, today’s largest attacks are too large for cloud operators to handle, and the attacks may impact geographic regions or critical internet infrastructure. In the end, there are a variety of methods to filter and redirect traffic, especially for those systems housed in the cloud. However, for the biggest attacks, and for institutions that cannot create replicated versions of their systems in the cloud, techniques such as 3DCoP are key in mitigating DDoS risk. Specifically, we believe that it is only through rapid, real-time collaboration that DDoS attacks can be correctly identified, sourced, and addressed; without such collaboration, institutions must rely on phone calls and manual router updates, while a river crashes down around them. Source: https://www.infosecurity-magazine.com/opinions/organizations-adapt-evolving-ddos/

Continue Reading:
Organizations Must Adapt to Evolving DDoS Attacks

Data-centres and the DDoS risk

It is imperative that cloud users ensure that their vendor(s) of choice can provide the visibility and protection they need. Cloud adoption continues to accelerate as businesses look to reap the cost, scale and flexibility benefits that are on offer. Whether a business uses a large, well-known public cloud operator or one of the smaller, more focused, specialist cloud / outsourcing organisations they are becoming more reliant on data and application services which are, in most cases, accessible via the Internet. Unfortunately, this means that access to these services is conditional on the availability of connectivity – and a significant threat here is a Distributed Denial of Service (DDoS) attack – a threat that exhausts the resources available to a network, application or service so that genuine users cannot gain access. Increasing attacks on data-centres According to Arbor’s Worldwide Infrastructure Security Report (WISR) the majority of data-centre operators now offer cloud services. In fact they are as common as managed hosting and colocation, demonstrating how rapidly ‘cloud’ has been adopted. Data-centres have been a magnet for DDoS activity for a number of years, but 2016 saw a step change with the WISR indicating that nearly two-thirds of data-centres saw DDoS attacks, with over 20 per cent of those seeing more than 50 attacks per month – a big jump from 8 per cent in 2015. Data-centres are now being targeted more frequently and with larger attacks, and they will only continue to grow. Worryingly, Arbor’s WISR also revealed that 60 per cent of data-centre operators had seen an attack that completely saturated their Internet connectivity last year. This is significant, as if Internet bandwidth is completely saturated then all data-centre infrastructure is effectively cut-off from the outside world – regardless of whether it was a part of the original target. For cloud and data-centre environments ensuring shared infrastructure is protected is of utmost importance given the size and complexity of today’s DDoS attacks. The weaponisation of DDoS has made it easy for anyone to launch a large volumetric or advanced multi-vector attack and this shows through in the data we have from data-centre operators. For example, 60 per cent of data-centres who experienced a DDoS attack in 2016 saw at least one attack that completely saturated their Internet connectivity – effectively disconnecting them, and their customers, from the connected world. The impact of a successful DDoS attack to a data-centre operator can be significant from an operational and customer churn / revenue loss perspective. The proportion of data-centre operators experiencing revenue loss due to DDoS attacks grew from 33 per cent to 42 per cent from 2015 to 2016, with nearly a quarter of data-centre respondents to the WISR indicated that the cost of a successful DDoS attack was in excess of $100K, illustrating the importance of the right defensive services and solutions. Before we discuss defences though, it is almost impossible to right a DDoS related article without mentioning IoT. 2016 was without doubt the year where weaponised IoT botnets came to the fore, with attacks against Dyn and more garnering significant media attention. Cloud processing of IoT related data is driving increases in scale for data-centre connectivity, but IoT devices can just as easily be subsumed into botnets and used to send unwanted DDoS traffic at those same data-centres. Given the numbers of IoT devices out there, the likelihood of an attack against one piece of cloud infrastructure having a broader impact is only going to increase. Combating today’s attackers To deal with high magnitude attacks, in most cases, data-centres need to leverage a cloud or ISP based DDoS protection service –and this is happening. Data-centre operators have been one of the top organisation types driving the growth in cloud and ISP managed DDoS protection services over the past couple of years.  The WISR shows us that over a half of data-centre operators now implement layered DDoS protection, a proportion that has been steadily increasing year-on-year.  This is the recognised best-practice and allows data-centre operators to protect themselves and their customers from the impact of an attack. Layered DDoS protection employs a cloud and ISP based DDoS protection service to deal with high magnitude attacks, plus a defensive solution at the data-centre perimeter to proactively deal with more focused, advanced attacks. Integrating these two layers together, so that they work in harmony, can provide complete protection from the DDoS threat – protecting the availability of both infrastructure and customer services. In fact, many data-centre operators are now leveraging the protections they have put in place to offer add-on, sticky DDoS protection services to their customers. Businesses are increasingly aware of both their dependence on cloud, and the threat DDoS poses, and are looking to ensure that their providers are adequately protected. Technology and services are however only a part of the solution, having incident response plans in place is also important so that businesses can deal efficiently and effectively with any attack. Arbor’s WISR reveals that 57 per cent of data-centre operators carried out DDoS defence simulations in 2016, up from 46 per cent in 2015. This is very encouraging, as exercising incident responses plans, on at least a quarterly basis, is best-practice. Future security of data centres The data-centres that support cloud application and data services are becoming ever more important to our businesses, but with nearly two-thirds of data-centres experiencing DDoS attacks last year, and over 20 per cent of those seeing more than 50 attacks per month, it has never been more important to ensure the right defences are in place. It is imperative that cloud users ensure that their vendor(s) of choice can provide the visibility and protection they need, and the telemetry that allows them to monitor what is going on. Increasingly customers of cloud services want a holistic view of the threats they face, across the 3 pillars of security and their cloud, on-premise data and applications services. This isn’t easy to achieve, but to balance the benefits of cloud against business risks it is something we need, especially in today’s cyber threat landscape. Source: http://www.itproportal.com/features/data-centres-and-the-ddos-risk/

View article:
Data-centres and the DDoS risk

Hacked: How Business Is Fighting Back Against the Explosion in Cybercrime

Business is under assault from cybercriminals like never before, and the cost to companies is exploding. Here’s what you need to know about safeguarding your digital assets. 1. Under attack In the summer of 2015, several of New York’s most prestigious and trusted corporate law firms, including Cravath Swaine & Moore and Weil Gotshal & Manges, found themselves under cyberattack. A trio of hackers in China had snuck into the firms’ computer networks by tricking partners into revealing their email passwords. Once inside the partners’ accounts, the thieves snooped on highly sensitive documents about upcoming mergers. Then, from computers halfway around the world, the cybercrooks allegedly traded on the purloined information, netting $4 million in stock market gains. Like most other victims of corporate espionage, the firms preferred to keep mum about having been victimized. They feared antagonizing other digital thugs as well as damaging their reputations as keepers of clients’ secrets. Instead, word of the attack leaked in the press and then was confirmed by federal prosecutors and the firms themselves. The Feds made public their discoveries and trumpeted their efforts to bring the alleged perpetrators to justice. “This case of cyber meets securities fraud should serve as a wake-up call for law firms around the world,” said Preet Bharara, then the U.S. Attorney in Manhattan. “You are and will be the targets of cyberhacking because you have information valuable to would-be criminals.” It may have been a shock to the system for the legal community, but the incident only served to underscore a hard truth that CEOs, company directors, and network security experts have been grappling with for some time now: Business is under assault like never before from hackers, and the cost and severity of the problem is escalating almost daily. The latest statistics are a call to arms: According to Cisco, the number of so-called distributed denial-of-service (DDoS) attacks—assaults that flood a system’s servers with junk web traffic—jumped globally by 172% in 2016. Cisco projects the total to grow by another two and a half times, to 3.1 million attacks, by 2021. Indeed, the pace of cyberassaults is only increasing. Internet security firm Nexusguard reports that it observed a 380% increase in the number of DDoS attacks in the first quarter of 2017 compared with a year earlier. As the number and scale of network attacks grow, the toll on business is rising. The average total cost of a data breach in the U.S. in 2014 was $5.85 million, according to research from IBM and the Ponemon Institute, and this year it’s estimated to be $7.35 million. According to a report earlier this year from business insurer Hiscox, cybercrime cost the global economy more than $450 billion in 2016. The WannaCry ransomware attack alone, which crippled computers in more than 150 countries in May, could cost as much as $4 billion according to some estimates. What is slowly dawning on corporate hacking victims is how vulnerable and defenseless they really are, even when their opponents may be three guys in a room halfway around the world. Expensive data-security systems and high-priced information security consultants don’t faze today’s hackers, who have the resources to relentlessly mount assaults until they succeed. In the New York law-firm case, for example, prosecutors said the attackers attempted to penetrate targeted servers more than 100,000 times over seven months. It has become abundantly clear that no network is completely safe. Where once companies thought they could defend themselves against an onslaught, they’re now realizing that resistance is, if not futile, certainly less important than having a plan in place to detect and neutralize intruders when they strike. But there remains a gaping chasm between awareness of the threat and readiness to address it: A survey last fall by IBM and Ponemon of 2,400 security and IT professionals found that 75% of the respondents said they did not have a formal cybersecurity incident response plan across their organization. And 66% of those who replied weren’t confident in their organization’s ability to recover from an attack. Cybercrime is metastasizing for the same reason online services have become so popular with consumers and businesses alike: Ever-more-accessible technology. Hacking is easier than ever thanks to the ever-growing number of online targets and the proliferation of off-the-shelf attack software. The very Internet networks that were built for convenience and profit are exposing their users to a steady stream of new threats. What’s more, the tense state of affairs is a glaring example of how the entire nature of business has changed in the digital age. In most cases, technology is much more than just a supplement to a company’s core operations. For scores of the world’s most valuable companies—from Alphabet to Amazon to Facebook to Uber—the assets that live on their networks are their core operations. No sector of corporate America is safe. Hackers have plundered big retailers like Neiman Marcus and Home Depot for credit card and customer information. They’ve burrowed into banks like JPMorgan Chase. Even tech companies can’t seem to protect themselves. Yahoo’s ineptitude in repelling (or even being aware of) hackers forced it to reduce its sale price to Verizon. Google and Facebook recently fell victim to a hacker who conned their accountants into wiring him a total of more than $100 million. And OneLogin, a startup that bills itself as a secure password management service, recently lost certain customer data to hackers. In one survey, 66% of security and I.T. professionals replied that they weren’t confident that their organization could recover from a cyberattack. It’s not like companies aren’t trying to play defense. Accenture estimates that companies worldwide spent $84 billion in 2015 to protect against attacks. That spending is an acknowledgment that every company needs to safeguard its digital assets, which in turn requires knowing about the criminals that keep coming at them and what defenses they can build to minimize the damage. 2. A new breed of criminal Hacking is particularly frustrating for corporate executives who don’t understand their enemy. Embezzlers or extortionists? Sure. But faceless gangs of nasty nerds? It’s often harder for CEOs to wrap their brains around the motivation of their antagonists—or their audacity. “At the C-level they feel violated,” says Jay Leek, a venture capitalist pursuing cybersecurity investments and a former chief information security officer at private equity giant Blackstone. “I witness this emotional ‘What just happened?’ You don’t walk in physically to a company and violate it.” The brazenness Leek describes is a hallmark of hackers who—despite their mystique in popular culture—are basically everyday thieves, like bank robbers. Where hackers are different, however, is that they rarely meet in person. Instead, they convene in online forums on the “dark web,” an anonymous layer of the Internet that requires a special browser to access. Deep in the forums, crooks hatch hacking plots of all sorts: breaking into corporate databases or selling stolen Social Security numbers or purchasing inside information from unscrupulous employees. Cybercriminals have proved adept at adopting successful corporate strategies of their own. A recent development has seen the cleverest crooks selling hacking tools to criminal small-fry. It’s analogous to semiconductor companies licensing their technology to device manufacturers. According to a report from security software giant Symantec, gangs now offer so-called ransomware as a service, a trick that involves licensing software that freezes computer files until a company pays up. The gangs then take their cut for providing the license to their criminal customers. If it weren’t all blatantly illegal, the practices would be laudably corporate. “Cybercriminals no longer need all the skills to complete any particular crime,” says Nicole Friedlander, a former assistant U.S. Attorney in charge of the key Southern District of New York’s complex fraud and cybercrime unit. “Instead, they can hire other cybercriminals online who have those skills and do it together.” In that sense, hackers have become service providers like doctors or lawyers or anyone else, says Friedlander, who joined the New York office of law firm Sullivan & Cromwell last year.           Graphic by Nicolas Rapp But the bad guys aren’t all freelancers. In fact, some of the most sinister hacking outfits operating today are “state-sponsored” groups supported, or at least loosely supervised, by governments. That includes the Russians who are believed to have hacked into the Democratic National Committee last year and the North Korean team credited with unleashing the WannaCry malware as a moneymaking scheme. 3. Playing defense In early March, the information security team at ride-hailing giant Uber leaped into action: An Uber employee had reported a suspicious email message, and similar reports were flooding in from all over the company. Uber’s databases contain the email addresses and personal information of millions of riders around the world, making security a particularly pressing issue. And the company has had its share of problems as a caretaker of sensitive data. In 2014, Uber suffered a breach that exposed the insurance and driver’s license information of tens of thousands of drivers; it took the mega-startup months to discover and investigate the incident and fully notify its drivers. As soon as the alarm was raised in March, Uber established an “incident commander” to manage the developing situation. The job of the incident commander—a term of art in cybersecurity circles—is to keep the company informed about potential attacks. It turned out that the attack was targeting users of Google’s Gmail service, not Uber itself. But anyone with a Gmail address was vulnerable. Later that same day Google fixed the vulnerability in its Gmail service, allowing Uber’s incident commander to stand down. Uber’s reaction is an example of the vigilance with which companies must treat the torrent of threats coming at them every day. John “Four” Flynn, a former Facebook executive who now is chief information security officer for Uber, says the key to cybersecurity incidents—which he defines as everything from a data breach to a stolen laptop—is to have a clear communication strategy. “During an incident, the role of executives is to give support,” says Flynn. “There’s no room for confusion about who’s in charge.”           Graphic by Nicolas Rapp   Flynn has every right to sound confident in his authority. The chief information security officer, or CISO, is possibly the hottest job in the C-suite today. Cybercrime is so serious that these formerly little-known and unloved executives now typically have a direct line to boards of directors—a big break from the past. Before, the CISO would report to the chief information officer, who was responsible for buying and operating computers, not obsessing over flies in the ointment. If the CISO sounded the alarm over a breach, too often he or she ended up being the one sacrificed to appease top management. “It was my job to tell my boss his baby was ugly,” one former information security executive laments. These days, though, smart companies treat hacking threats like other existential risks to their business—recessions, terrorist attacks, and natural disasters come to mind—and plan accordingly. The CISO is pivotal in maintaining readiness. “If you’re a Fortune 500 company, you already have a response,” says Leek, the former executive at Blackstone, which had several portfolio companies that suffered breaches, including arts-and-crafts merchant Michaels Stores. “But people forget to take it out, blow the dust off, and recall: ‘Let’s do what we decided when we had a sound mind.’ ” Having a clear line of authority and a good action plan take a company only so far. At some point it has to call the cops, specifically the Federal Bureau of Investigation or the U.S. Secret Service. Both agencies have reach and power that allow them to take the fight to foreign cybercrooks. On several occasions, U.S. law enforcement agents working undercover on the dark web have managed to lure presumed offenders out of hiding with phony deals, and then had them apprehended in and extradited to the U.S. During the incident, the role of executives is to give support,” says Uber’s chief information officer. “There’s no room for confusion about who’s in charge.” Calling law enforcement has downsides, however. The likely outcome—an investigation—imposes burdens on the victim company in terms of money and time. And it increases the chance that sensitive details about the hack will leak publicly. That’s why the best course of action is for companies to avoid FBI-level hacking incidents in the first place. A new, multibillion-dollar industry has sprung up to help. 4. An industry is born The videoconference camera looked like any other. But unbeknownst to its corporate owner, the device was working overtime: Hackers had captured the microphone remotely and were using it to spy on every meeting that took place in the boardroom. The company, which does not want to be identified, finally got wise to the spying scheme thanks to Darktrace, a global cybersecurity company that uses artificial intelligence to detect aberrant activity on client networks. Darktrace CEO Nicole Eagan says her company noticed the camera had been gobbling abnormal amounts of data. This raised a red flag, enabling Darktrace to notify its client that something was amiss. Darktrace is just one of hundreds of firms that offer help to combat the hacking epidemic. Once a stodgy corner of enterprise software, cybersecurity has become a hot sector for venture capitalists. Investors put some $3.5 billion into a total of 404 security startups last year, according to New York research firm CB Insights. That’s up from $1.8 billion for 279 investments in 2013.           Graphic by Nicolas Rapp   For executives, all of this entrepreneurial activity translates into a dizzying array of security options. There are newcomers like Tanium, for instance, which offers a service that lets companies see who is on their network. Publicly traded Palo Alto Networks makes a kind of intelligent firewall that uses machine learning to thwart intruders. There are also a host of niche security firms such as Area 1 (which specializes in defending against phishing scams) and Lookout (which is a mobile-phone-focused security service). With all of this firepower arrayed against it, how can cybercrime continue to grow so fast? One answer is that some of the glitzy defense systems don’t work as advertised. Security insiders grumble about firms bamboozling clients with “blinky lights” in order to sell “scareware”—software that plays to customers’ insecurities but doesn’t protect them. At the end of the day, though, humans are as much to blame as software. “The weak underbelly of security is not tech failure but poor process implementation or social engineering,” says Asheem Chandna, an investor with Greylock Partners and a Palo Alto Networks director. Chandna notes that most hacking attacks come about in two ways, neither of which involves a high level of technical sophistication: An employee clicks on a booby-trapped link or attachment—perhaps in an email that appears to be from her boss—or someone steals an employee’s log-in credentials and gets access to the company network. While cyberdefense tools can mitigate such attacks, some will always succeed. Humans are curious creatures and, in a big organization, there will always be someone who clicks on a message like, “Uh-oh. Did you see these pictures of you from the office party?” When it comes to hacking, a penny of offense can defeat a dollar’s worth of defense. That’s why the fight against hacking promises to be a never-ending battle.   Source: https://fortune.com/2017/06/22/cybersecurity-business-fights-back/

See the article here:
Hacked: How Business Is Fighting Back Against the Explosion in Cybercrime

Bigger & smaller – DDoS threats here to stay with conflicting trends

The noise created by distributed denial of service attacks is higher than ever – with vendors and attackers complicating the picture – but what do enterprises need to worry about? Distributed Denial of Service (DDoS) attacks were one of the most talked about threats at InfoSecurity Europe 2017. One of the things vendors couldn’t agree on however, is the trend for their size and thus whether we should be defending against increasing numbers of small attacks or more frequent mega-attacks. Corero Network Security, who met with SC during the conference, said in a press release that, “the greatest DDoS risk for organisations is the barrage of short, low volume attacks which mask more serious network intrusions”. Research from the firm says that “despite several headline-dominating, high-volume DDoS attacks over the past year, the vast majority (98 percent) of the DDoS attack attempts against Corero customers during Q1 2017 were less than 10 Gbps per second in volume.” It added: “they are just disruptive enough to knock a firewall or intrusion prevention system (IPS) offline so that the hackers can target, map and infiltrate a network to install malware and engage data exfiltration activity.” Ashley Stephenson, CEO at Corero Network Security, explains: “Short DDoS attacks might seem harmless, in that they don’t cause extended periods of downtime. But IT teams who choose to ignore them are effectively leaving their doors wide open for malware or ransomware attacks, data theft or other more serious intrusions. Just like the mythological Trojan Horse, these attacks deceive security teams by masquerading as a harmless bystander – in this case, a flicker of internet outage – while hiding their more sinister motives.” DDoS protection has traditionally been something that major enterprises were able to deploy by having their traffic run through a supplier network at huge cost. The alternative was to switch traffic over to their DDoS protection provider in the event of an attack – but this could cause a delay of about 20 minutes while the company under attack found who to call and explain what was happening, the whole time that the attack was escalating. Instead, Laurent Gil, co-founder at Zenedge, explained to SC Media UK how his company’s approach to DDoS protection is different. “We have an always-on monitoring system on the cloud so there is nothing to install for the customer, it’s the same SSL as an ‘always on’ solution, but always on in the cloud for monitoring and analysing of traffic patterns and when the early signs of an attack are spotted, we automatically re-route traffic to our scrubbing centre within 60 seconds – down from the 20 minutes it takes non-automated systems,” Gil told SC. He added that because the traffic only switched on demand, when there is an attack, it is less cost than if it had to be handled all the time and with a 60 second response, it still mitigated against the attack ramping up. “It’s a tectonic shift in the market,” says Gil, adding, “We we can onboard many more enterprises, without them spending millions of dollars, which is what’s needed for a for mid-market enterprise. DDoS protection did not exist for these companies because they couldn’t afford it. It’s not that the traditional prime protection providers are losing revenues, but the market is much wider now than it was previously.” In contrast to Corero, veteran vendor Imperva, hosted sessions which could be misconstrued as ‘humble-brags’ named “how we stopped a 650Gbps DDoS attack over lunch”. Imperva points out that the source code of the Mirai botnet going open source has meant that the Tools, Tactics and Procedures (TTP) of botnet criminals have taken a step up. And naturally, it is prepared to protect against this threat with one of it’s “behemoth” data centre appliances. Imperva’s Robert Hamilton, director of product marketing, hosted the sessions and said “DDoS attacks aren’t going away anytime soon”. Raj Samani, chief scientist of Mcafee told SC: “The number is completely subjective. When we saw the beginnings of DDoS as an extortion tactic it was brushed off since the throughput wasn’t significant enough to worry most enterprises, then all of a sudden the firepower increased to in excess of 50Gbps. Whilst this number for many organisations can be easily managed (as we saw with DDoS providers withstanding 620Gbps attacks), the reality is that the firepower of DDoS attacks are on the up. What is the magic number that will cause concern? Well, it will be whatever hasn’t been tested against!” That may be the case, but then Akamai, another DDoS protection giant says in its Q1 2017 State of the Internet report that “the mega attacks are outliers that represent the limits enterprises must be prepared to defend against. However, the overwhelming number of smaller attacks means that these mega attacks have little impact on the trend lines that defend the median attack size, which is a better indicator of what an organisation is most likely to see.” Akamai raises another important point: the rise in use of IoT devices which are compromised for malicious use – such as using an “internet-enabled toaster to mine bitcoins” – are likely to end up contributing to harsher DDoS attacks as these devices are eventually recruited into the mega-botnets which carry out such attacks. A new report from Kaspersky Lab, also released after InfoSec, shows that when organisations are attacked by a DDoS, “customer-facing resources suffer more in banking, than in any other sector.” “For example, 49 per cent of banks that have suffered a DDoS attack have had their public website affected (compared to 41 percent of non-financial institutions) and 48 percent have had their online banking affected when they’ve been targeted by DDoS.” “Recovering from DDoS is also more expensive for banks than non-financial organisations. The report shows that a DDoS incident can cost a financial institution US$ 1,172,000 (£917,427) to recover from, compared to US$ 952,000 (£745,000) for businesses in other sectors.” Kirill Ilganaev, head of Kaspersky DDoS Protection, Kaspersky Lab said in a press release, “In the banking sector reputation is everything, and security goes hand-in-hand with this. If a bank’s online services come under attack, it is very difficult for customers to trust that bank with their money, so it’s easy to see why an attack could be so crippling. If banks are to protect themselves effectively from the price tag of an online banking cybersecurity incident, they first need to become more prepared for the dangers DDoS attacks pose to their online banking services. This threat should be featuring higher on banks’ security priorities.” Kaspersky Lab is encouraging financial institutions to share security intelligence to be better prepared for dealing with the threat of an attack on their online banking services. Source: https://www.scmagazineuk.com/bigger-smaller–ddos-threats-here-to-stay-with-conflicting-trends/article/668725/

Read this article:
Bigger & smaller – DDoS threats here to stay with conflicting trends

Ten steps for combating DDoS in real time

To the uninitiated, a distributed denial-of-service (DDoS) attack can be a scary, stressful ordeal. But don’t panic. Follow these steps by David Holmes, senior technical marketing manager: Security, F5 Networks, to successfully fight an attack: If you appear to be suffering a volumetric attack, it helps to have a historical sense of your own traffic patterns. Keep a baseline of normal traffic patterns to compare against. If you have determined that you are under a DDoS attack, record the estimated start time in your attack log. Monitor volumetric attacks. Remember to keep a monitoring web page open to indicate when the attack may be over (or mitigated). You will need to follow (up to) 10 steps for your DDoS mitigation: Step 1: Verify the attack Not all outages are caused by a DDoS attack. DNS misconfiguration, upstream routing issues, and human error are also common causes of network outages. You must first rule out these types of non-DDoS attacks and distinguish the attack from a common outage. · Rule out common outages: The faster you can verify the outage is a DDoS attack, the faster you can respond. Even if the outage was not caused by a misconfiguration or other human error, there may still be other explanations that resemble a DDoS attack. · Check outbound connectivity: Is there outbound connectivity? If not, then the attack is so severe that it is congesting all inbound and outbound traffic. Check with your usual diagnostic tools (such as traceroute, ping, and dig) and rule out all such possibilities. · Rule out global issues: Check Internet weather reports, such as Internet Health Report and the Internet Traffic Report, to determine if the attack is a global issue. · Check external network access: Attempt to access your application from an external network. Services and products that can perform this kind of monitoring include: Keynote testing and monitoring, HP SiteScope agentless monitoring, SolarWinds NetFlow Traffic Analyzer, and Downforeveryoneorjustme.com. · Confirm DNS response: Check to see if DNS is responding for your website. The following UNIX command resolves a name against the OpenDNS project server: % dig @208.67.222.222 yourdomain.com Step 2: Contact team leads. Once the attack is verified, contact the leads of the relevant teams. If you have not filled out any quick reference sheets or a contact list, create one now or use our templates. When an outage occurs, your organisation may hold a formal conference call including various operations and applications teams. If your company has such a process in place, use the meeting to officially confirm the DDoS attack with team leads. · Contact your bandwidth service provider: One of the most important calls you can make is to the bandwidth service provider. List the number for your service provider in your contact sheet. The service provider can likely confirm your attack, provide information about other customers who might be under attack, and sometimes offer remediation. · Contact your fraud team: It is especially important to invoke the fraud team as soon as the attack is verified. DDoS attacks can be used as cover to hide an infiltration. Logs that would normally show a penetration may get lost during a DDoS attack. This is why high-speed, off-box logging is so important. Step 3: Triage applications Once the attack is confirmed, triage your applications. When faced with an intense DDoS attack and limited resources, organisations have to make triage decisions. High-value assets typically generate high-value online revenue. These are the applications you will want to keep alive. Low-value applications, regardless of the level of legitimate traffic, should be purposefully disabled so their CPU and network resources can be put to the aid of higher-value applications. You may need the input of team leads to do this. Ultimately, these are financial decisions. Make them appropriately. Create an application triage list; it takes only a few minutes to fill one out, and will greatly assist in making tough application decisions while combating an actual DDoS event. Decide which applications are low priority and can be disabled during the attack. This may include internal applications. Step 4: Protect partners and remote users. · Whitelist partner addresses: Very likely you have trusted partners who must have access to your applications or network. If you have not already done so, collect the IP addresses that must always be allowed access and maintain that list. You may have to populate the whitelist in several places throughout the network, including at the firewall, the Application Delivery Controller (ADC), and perhaps even with the service provider, to guarantee that traffic to and from those addresses is unhindered. · Protect VPN users: Modern organisations will whitelist or provide quality-of-service for remote SSL VPN users. Typically this is done at an integrated firewall/ VPN server, which can be important if you have a significant number of remote employees. Step 5: Identify the attack Now is the time to gather technical intelligence about the attack. The first question you need to answer is “What are the attack vectors?” There are four types of DDoS attack types, these are · Volumetric: flood-based attacks that can be at layers 3, 4, or 7; · Asymmetric: designed to invoke timeouts or session-state changes; · Computational: designed to consume CPU and memory; and · Vulnerability-based: designed to exploit software vulnerabilities. By now you should have called your bandwidth service provider with the information on your contacts list. If the attack is solely volumetric in nature, the service provider will have informed you and may have already taken steps at DDoS remediation. Even though well-equipped organisations use existing monitoring solutions for deep-packet captures, you may encounter cases where you have to use packet captures from other devices, such as the ADC, to assist in diagnosing the problem. These cases include: SSL attack vectors and FIPS-140. Step 6: Evaluate source address mitigation options If Step 5 has identified that the campaign uses advanced attack vectors that your service provider cannot mitigate (such as slow-and-low attacks, application attacks, or SSL attacks), then the next step is to consider the following question: “How many sources are there?” If the list of attacking IP addresses is small, you can block them at your firewall. Another option would be to ask your bandwidth provider to block these addresses for you. · Geoblocking: The list of attacking IP address may be too large to block at the firewall. Each address you add to the block list will slow processing and increase CPU. But you may still be able to block the attackers if they are all in the same geographic region or a few regions you can temporarily block. The decision to block entire regions via geolocation must be made as a business decision. Finally, if there are many attackers in many regions, but you don’t care about any region except your own, you may also use geolocation as a defence by blocking all traffic except that originating from your region. · Mitigating multiple attack vectors: If there are too many attackers to make blocking by IP address or region feasible, you may have to develop a plan to unwind the attack by mitigating “backwards”; that is, defending the site from the database tier to the application tier, and then to the web servers, load balancers, and finally the firewalls. You may be under pressure to remediate the opposite way; for example, mitigating at layer 4 to bring the firewall back up. However, be aware that as you do this, attacks will start to reach further into the data centre. Step 7: Mitigate specific application attacks If you have reached this step, the DDoS attack is sufficiently sophisticated to render mitigation by the source address ineffective. Tools such as the Low Orbit Ion Cannon, the Apache Killer, or the Brobot may generate attacks that fall into this category. These attacks look like normal traffic at layer 4, but have anomalies to disrupt services in the server, application, or database tier. To combat these attacks, you must enable or construct defences at the application delivery tier. Once you have analysed the traffic in Step 4, if the attack appears to be an application-layer attack, the important questions are: Can you identify the malicious traffic? Does it appear to be generated by a known attack tool? Specific application-layer attacks can be mitigated on a case-by-case basis with specific F5 counter-measures. Attackers today often use multiple types of DDoS attack vector, but most of those vectors are around layers 3 and 4, with only one or two application-layer attacks thrown in. We hope this is the case for you, which will mean you are nearly done with your DDoS attack. Step 8: Increase application-level security posture. If you have reached this step in a DDoS attack, you’ve already mitigated at layers 3 and 4 and evaluated mitigations for specific application attacks, and you are still experiencing issues. That means the attack is relatively sophisticated, and your ability to mitigate will depend in part on your specific applications. Asymmetric application attack: Very likely you are being confronted with one of the most difficult of modern attacks: the asymmetric application attack. This kind of attack can be: · A flood of recursive GETs of the entire application. · A repeated request of some large, public object (such as an MP4 or PDF file). · A repeated invocation of an expensive database query. Leveraging your security perimeter: The best defence against these asymmetric attacks depends on your application. For example, financial organisations know their customers and are able to use login walls to turn away anonymous requests. Entertainment industry applications such as hotel websites, on the other hand, often do not know the user until the user agrees to make the reservation. For them, a CAPTCHA (Completely Automated Public Turning test to tell Computers and Humans Apart) might be a better deterrent. Choose the application-level defence that makes the most sense for your application: A login wall, human detection or real browser enforcement. Step 9: Constrain resources. If all the previous steps fail to stop the DDoS attack, you may be forced to simply constrain resources to survive the attack. This technique turns away both good and bad traffic. In fact, rate limiting often turns away 90 to 99 percent of desirable traffic while still enabling the attacker to drive up costs at your data centre. For many organisations, it is better to just disable or “blackhole” an application rather than rate-limit it. · Rate shaping: If you find that you must rate-limit, you can provide constraints at different points in a multi-tier DDoS architecture. At the network tier, where layer 3 and layer 4 security services reside, use rate shaping to prevent TCP floods from overwhelming your firewalls and other layer 4 devices. Connection limits: Connection limits can be an effective mitigation technique, but they do not work well with connection-multiplexing features. Application tier connection limits should provide the best protection to prevent too much throughput from overwhelming your web servers and application middleware. Step 10: Manage public relations Hacktivist organisations today use the media to draw attention to their causes. Many hacktivists inform the media that an attack is underway and may contact the target company during the attack. Financial organisations, in particular, may have policies related to liability that prevent them from admitting an attack is underway. This can become a sticky situation for the public relations manager. The manager may say something like, “We are currently experiencing some technical challenges, but we are optimistic that our customers will soon have full access to our online services.” Journalists, however, may not accept this type of hedging, especially if the site really does appear to be fully offline. In one recent case, a reporter called a bank’s local branch manager and asked how the attack was proceeding. The branch manager, who had not received media coaching, responded, “It’s awful, we’re getting killed!” If the DDoS attack appears to be a high-profile hacktivist attack, prepare two statements: · For the press: If your industry policies allow you to admit when you are being externally attacked, do so and be forthright about it. If policy dictates that you must deflect the inquiry, cite technical challenges but be sure to prepare the next statement. · For internal staff, including anyone who might be contacted by the press: Your internal statement should provide cues about what to say and what not to say to media, or even better, simply instruct your staff to direct all inquiries related to the event back to the PR manager. Include a phone number. Anton Jacobsz, managing director at Networks Unlimited, a value-adding reseller of F5 solutions throughout Africa, notes that it is the organisations focusing on a holistic security strategy that are considered forward-looking and ahead of the digital economy curve. “In a digital age – where sensitive or personal information is at risk of being exposed, and where geo-location and sensor-based tools track movements – organisations need to be prepared for a cyber attack. It has become essential to scrutinise security throughout the entire operation and offerings in order to build the strongest cornerstones for establishing trust between company, employees and consumers,” says Jacobsz. Source: http://www.itnewsafrica.com/2017/06/ten-steps-for-combating-ddos-in-real-time/

Read More:
Ten steps for combating DDoS in real time

If You Learn of DDoS Attacks from Customers, You’ve Already Failed

If your customers notice something’s wrong before your own security specialists do, you’ve failed on multiple levels When Benjamin Franklin said, “Time is money,” he gave the world an aphorism that would be quoted frequently by businesspeople for more than 200 years. For all his wit and insight, of course, Franklin could never have foreseen the many scenarios for which his pithy observation would come to apply. It turns out that among the most relevant applications of the quote in today’s digitally driven world is in the realm of cybersecurity. Why? Because for organizations that suffer a cyberattack, a slow response can prove very costly. In an early 2017 survey of more than 1,000 IT and business decision makers, nearly two-thirds of the respondents said they could lose $100,000 per hour or more if a distributed denial of service (DDoS) attack were to disrupt their peak business periods. On the bright side, 8 in 10 of the organizations responding to the Neustar-sponsored survey said they’ve learned about new DDoS attacks from their internal security and IT teams – at least sometimes. Less encouraging is the fact that 40% also said they have, at times, received their first notification of attacks from their customers. If your customers notice something’s wrong before your own security specialists do, you’ve failed on multiple levels. The ideal DDoS defense is to recognize an emerging threat and neutralize it before it even gains a foothold – and certainly before your customers experience any negative impacts. If customers start complaining about an inability to access your websites or other services, you’ve already started to lose money before you’re even aware of the problem. Beyond causing staggering monetary losses for many corporations, successful DDoS attacks can alienate customers and shake their confidence in the victim’s ability to secure its own systems. By extension, customer then worry about the security of their own interactions with the company, and about the safety of any customer data the company may hold. The resulting customer churn and reduced loyalty can result in additional financial consequences. In this regard, another Franklin quote sadly holds true: “It takes many good deeds to build a good reputation, and only one bad one to lose it.” Fortunately, there are many security tools and services available to organizations that decide to be proactive in their DDoS defenses. As is often the case when it comes to cybersecurity, the most effective defenses will leverage a layered approach. The first-level of defense for DDoS attacks ideally will be provided by the network or Internet service provider, which is often the first to see – and block – suspicious network activity. For those attacks that still manage to get through, companies need their own DDoS identification and mitigation solutions. Some of those solutions may be on-premises appliances and other controls, while others may be provided by cloud-based or managed security services providers. Such “security-as-a-service” offerings are rapidly gaining in popularity, especially if an attack’s scale exceeds the capabilities of the on-premises protections. In short, there’s little excuse to be reactive, rather than proactive, when it comes to DDoS defenses. And, yes, Franklin once again provides some sage advice to those who may be too cavalier in their attitudes about DDoS threat. “By failing to prepare, you are preparing to fail.” Source: http://www.csoonline.com/article/3200084/leadership-management/if-you-learn-of-ddos-attacks-from-customers-you-ve-already-failed.html

See the original article here:
If You Learn of DDoS Attacks from Customers, You’ve Already Failed

FCC says DDOS attacks, not net neutrality comments, tied up comments system

The federal agency did not provide any evidence of the alleged attacks, which occurred as HBO comedian John Oliver urged viewers to flood the FCC with comments. The Federal Communications Commission (FCC) on Monday said that consumers trying to use its Electronic Comment Filing System ran into delays Sunday night because of multiple distributed denial-of-service (DDoS) attacks — not due to a deluge of comments from net neutrality proponents, as early reports suggested. “Beginning on Sunday night at midnight, our analysis reveals that the FCC was subject to multiple distributed denial-of-service attacks (DDos),” FCC chief information officer David Bray said in a statement. “These were deliberate attempts by external actors to bombard the FCC’s comment system with a high amount of traffic to our commercial cloud host. These actors were not attempting to file comments themselves; rather they made it difficult for legitimate commenters to access and file with the FCC.” The statement followed news reportssuggesting the FCC site was once again overwhelmed by commenters trying to voice their support for net neutrality at the behest of comedian John Oliver. On his HBO show Sunday night, Oliver urged viewers to leave comments at goFCCyourself.com, a URL that redirects visitors to the FCC’s proposal to reverse net neutrality rules. In 2014, net neutrality supporters managed to bring down the FCC comments system after Oliver made a similar plea for commenters to flood the site. The FCC didn’t offer any evidence of the DDoS attacks, nor did the agency immediately answer questions about how the incident was handled. ZDNet will update this article if the FCC responds. At least one pro-net neutrality group, Fight for the Future, expressed skepticism about the agency’s claim that the problems were caused by DDoS attacks. “The FCC’s statement today raises a lot of questions, and the agency should act immediately to ensure that voices of the public are not being silenced as it considers a move that would affect every single person that uses the Internet,” Fight for the Future Campaign Director Evan Greer said in a statement. By Monday afternoon, the FCC’s comments system appeared to be functioning, and there were more than 179,000 comments on the site. FCC Chairman Ajit Pai acknowledged to CNET’s Maggie Reardon on Monday that he favors “a free and open internet” — meaning he favors rolling back the Obama-era net neutrality rules. However, he said the committee has an “open mind” and will consider the public comments that are collected. “It’s not a decree,” he said of the proposal. “The entire purpose of this process is to get public input. Then, after the record is closed, we apply what the DC Circuit calls a ‘substantial evidence test.’ We look through the record, figure out what the right course is based on facts in the record. Then we make the appropriate judgment. I don’t have any predetermined views as to where we’re going to go.” Source: http://www.zdnet.com/article/fcc-says-ddos-attacks-not-net-neutrality-comments-tied-up-comments-system/

Read more here:
FCC says DDOS attacks, not net neutrality comments, tied up comments system

Cybercriminals Breached Over a Billion Accounts Last Year

Cybercriminals had a very good year in 2016 — and we all paid the price. These digital bandits became more ambitious and more creative and that resulted in a year marked by “extraordinary attacks,” according to the 2017 Internet Security Threat Report from Symantec. “Cyber crime hit the big time in 2016, with higher-profile victims and bigger-than-ever financial rewards,” the report concluded. The bad guys made a lot of money last year,” said Kevin Haley, director of Symantec Security Response. “They keep getting better and more efficient at what they do; they managed to fool us in new and different ways.” Some of the damage done last year: Data breaches that exposed 1.1 billion identities, up from 564 million in 2015 More ransomware attacks with higher extortion demands Some of the biggest distributed denial of service (DDoS) attacks on record, causing “unprecedented levels of disruption” to internet traffic. Cyber thieves have traditionally made their money by stealing a little bit from a lot of people. They’ve focused on raiding individual bank accounts or snagging credit card numbers. But that’s starting to change, as criminal gangs are going after the banks themselves, the reported noted. “It takes a lot of sophistication and a lot of patience — you really need to understand what you’re doing — but if you can break into the bank, you can steal millions of dollars at once,” Haley told NBC News. “It’s like those big heist movies we see. Cybercriminals are now pulling off these big heists with specialists, sophisticated tools and some great imagination in what they do.” Email Is Back as the Favorite Way to Attack Malicious email is now “the weapon of choice” for a wide range of cyber attacks by both criminals and state-sponsored cyber espionage groups. Symantec found that one in 131 emails was malicious last year, up dramatically from 2015, and the highest rate in five years. Email attacks are back because they work, the report noted: “It’s a proven attack channel. It doesn’t rely on vulnerabilities, but instead uses simple deception to lure victims into opening attachments, following links, or disclosing their credentials.” Remember: It was a simple spear-phishing attack — a spoofed email with instructions to reset an email password — that was used to attack the Democrats in the run-up to the 2016 presidential election. “People are comfortable with email. They read it,” Haley said. “Even when people are suspicious, the bad guys know how to fool us.” Most malicious email is disguised as a notification — most commonly an invoice or delivery notice from a well-known company. In many cases, the malicious attachment is a simple Word document. Most people don’t think of a Word file as dangerous or malicious. And for the most part, they’re not. But these clever crooks have a “social engineering” trick to get you to do what they want. The information on the malicious document is deliberately unreadable, which is unsettling. A note tells the intended target to click a button that will make it possible to read the message. Do that, and you’ve turned on the macros that allow the malware to download onto your computer. Just like that, they’ve got you. Ransomware: Everyone Is at Risk Ransomware attacks have grown more prevalent and destructive, which is why Symantec called them “the most dangerous cyber crime threat facing consumers and businesses in 2016.” The number of ransomware infections detected by Symantec grew by 36 percent last year, skyrocketing from 340,000 in 2015 to 463,000 in 2016. And it’s expected to remain a major global threat this year. This devious malware locks up computers, encrypts the data and demands payment for the unique decryption key. In the blink of an eye, entire computer systems can become useless. Ransomware is most often hidden in innocuous-looking email, such as a bogus delivery notice or invoice. For-hire spam botnets make it easy for the crooks to send hundreds of thousands of malicious emails a day for very little cost. It’s a lucrative crime. The average ransomware demand shot up from $294 in 2015 to $1,077 last year. Research by Symantec’s Norton Cyber Security Insight team found that 34 percent of the victims worldwide pay the ransom. In the U.S. that jumps to 64 percent. This willingness to pay could explain why America remains their prime target, with more than one-third of all ransomware attacks. New Targets: The Cloud, Internet of Things and Mobile Devices From security cameras and baby monitors to thermostats and door locks, our households are now filled with devices connected to the internet. Weak security makes the Internet of Things (IoT) an easy target for all sorts of malicious activity. Most of these devices have simple and common default passwords, such as “admin” or “123456,” that can’t be changed or are rarely changed. Last year, cybercriminals harnessed the power of these connected devices to do some serious damage. Tens of thousands of infected IoT devices, such as security cameras and routers, became a powerful botnet that launched high-profile (DDoS) attacks that successfully shut down websites. The DDoS attack in October against Dyn, a cloud-based hosting service, disrupted many of the world’s leading websites, including Netflix, Twitter and PayPal. Cloud attacks have become a reality and Symantec predicts they will increase this year. “A growing reliance on cloud services should be an area of concern for enterprises, as they present a security blind spot,” the report cautioned. Symantec said it saw a two-fold increase in attempted attacks on IoT devices over the course of last year. Cyber criminals are also targeting mobile devices. Most of the attacks are focused on the Android operating system, which has the largest share of the mobile market. Attacks on iOS devices remain relatively rare. Improvements in Android’s security architecture have made it increasingly difficult to infect mobile phones or to capitalize on successful infections, the report noted. But the volume of malicious Android apps continues to increase, growing by 105 percent last year. The 2017 Internet Security Threat report can be downloaded from Symantec’s website. Want to fight back? Norton has a list of tips on how to protect yourself and your devices on its website. Source: http://www.nbcnews.com/tech/tech-news/cybercriminals-breached-over-billion-accounts-last-year-n753131

Visit site:
Cybercriminals Breached Over a Billion Accounts Last Year

Teenage hacker jailed for masterminding attacks on Sony and Microsoft

Adam Mudd jailed for two years for creating attack-for-hire business responsible for more than 1.7m breaches worldwide. A man has been jailed for two years for setting up a computer hacking business that caused chaos worldwide. Adam Mudd was 16 when he created the Titanium Stresser program, which carried out more than 1.7m attacks on websites including Minecraft, Xbox Live and Microsoft and TeamSpeak, a chat tool for gamers. He earned the equivalent of more than £386,000 in US dollars and bitcoins from selling the program to cyber criminals. Mudd pleaded guilty and was sentenced at the Old Bailey. The judge, Michael Topolski QC, noted that Mudd came from a “perfectly respectable and caring family”. He said the effect of Mudd’s crimes had wreaked havoc “from Greenland to New Zealand, from Russia to Chile”. Topolski said the sentence must have a “real element of deterrent” and refused to suspend the jail term. “I’m entirely satisfied that you knew full well and understood completely this was not a game for fun,” he told Mudd. “It was a serious money-making business and your software was doing exactly what you created it to do.” Mudd showed no emotion as he was sent to a young offender institution. During the two-day hearing, Jonathan Polnay, prosecuting, said the effect of Mudd’s hacking program was “truly global”, adding: “Where there are computers, there are attacks – in almost every major city in the world – with hotspots in France, Paris, around the UK.” The court heard that Mudd, who lived with his parents, had previously undiagnosed Asperger syndrome and was more interested in status in the online gaming community than the money. The court heard that the defendant, now 20, carried out 594 of the distributed denial of service (DDoS) attacks against 181 IP addresses between December 2013 and March 2015. He has admitted to security breaches against his college while he was studying computer science. The attacks on West Herts College crashed the network, cost about £2,000 to investigate and caused “incalculable” damage to productivity, the court heard. On one occasion in 2014, the college hacking affected 70 other schools and colleges, including Cambridge, Essex and East Anglia universities as well as local councils. Mudd’s explanation for one of the attacks was that he had reported being mugged to the college but claimed no action was taken. Polnay said there were more than 112,000 registered users of Mudd’s program who hacked about 666,000 IP addresses. Of those, nearly 53,000 were in the UK. Among the targets was the fantasy game RuneScape, which had 25,000 attacks. Its owner company spent £6m trying to defend itself against DDoS attacks, with a revenue loss of £184,000. The court heard that Mudd created Titanium Stresser in September 2013 using a fake name and address in Manchester. He offered a variety of payment plans to his customers, including discounts for bulk purchases of up to $309.99 for 30,000 seconds over five years as well as a refer-a-friend scheme. Polnay said: “This is a young man who lived at home. This is not a lavish lifestyle case. The motivation around this we tend to agree is about status. The money-making is by the by.” When he was arrested in March 2015, Mudd was in his bedroom on his computer, which he refused to unlock before his father intervened. Mudd, from Kings Langley in Hertfordshire, pleaded guilty to one count of committing unauthorised acts with intent to impair the operation of computers; one count of making, supplying or offering to supply an article for use in an offence contrary to the Computer Misuse Act; and one count of concealing criminal property. Ben Cooper, defending, appealed for his client to be given a suspended sentence. He said Mudd had been “sucked into” the cyber world of online gaming and was “lost in an alternate reality” after withdrawing from school because of bullying. Mudd, who was expelled from college and now works as a kitchen porter, had been offline for two years, which was a form of punishment for any computer-obsessed teenager, Cooper said. The “bright and high-functioning” defendant understood what he did was wrong but at the time he lacked empathy due to his medical condition, the court heard. Cooper said: “This was an unhappy period for Mr Mudd, during which he suffered greatly. This is someone seeking friendship and status within the gaming community.” But the judge said: “I have a duty to the public who are worried about this, threatened by this, damaged by this all the time … It’s terrifying.” Source: https://www.theguardian.com/technology/2017/apr/25/teenage-hacker-adam-mudd-jailed-masterminding-attacks-sony-microsoft

Link:
Teenage hacker jailed for masterminding attacks on Sony and Microsoft

CLDAP reflection attacks may be the next big DDoS technique

Security researchers discovered a new reflection attack method using CLDAP that can be used to generate destructive but efficient DDoS campaigns. DDoS campaigns have been growing to enormous sizes and a new method of abusing CLDAP for reflection attacks could allow malicious actors to generate large amounts of DDoS traffic using fewer devices. Jose Arteaga and Wilber Majia, threat researchers for Akamai, identified attacks in the wild that used the Connection-less Lightweight Directory Access Protocol(CLDAP) to perform dangerous reflection attacks. “Since October 2016, Akamai has detected and mitigated a total of 50 CLDAP reflection attacks. Of those 50 attack events, 33 were single vector attacks using CLDAP reflection exclusively,” Arteaga and Majia wrote. “While the gaming industry is typically the most targeted industry for [DDoS] attacks, observed CLDAP attacks have mostly been targeting the software and technology industry along with six other industries.” The CLDAP reflection attack method was first discovered in October 2016 by Corero and at the time it was estimated to be capable of amplifying the initial response to 46 to 55 times the size, meaning far more efficient reflection attacks using fewer sources. The largest attack recorded by Akamai using CLDAP reflection as the sole vector saw one payload of 52 bytes amplified to as much as 70 times the attack data payload (3,662 bytes) and a peak bandwidth of 24Gbps and 2 million packets per second. This is much smaller than the peak bandwidths of more than 1Tbps seen with Mirai, but Jake Williams, founder of consulting firm Rendition InfoSec LLC in Augusta, Ga., said this amplification factor can allow “a user with low bandwidth [to] DDoS an organization with much higher bandwidth.” “CLDAP, like DNS DDoS, is an amplification DDoS. The attacker has relatively limited bandwidth. By sending a small message to the server and spoofing the source, the server responds to the victim with a much larger response,” Williams told SearchSecurity. “You can only effectively spoof the source of connectionless protocols, so CLDAP is obviously at risk.” Arteaga and Majia said enterprises could limit these kinds of reflection attacks fairly easily by blocking specific ports. “Similarly to many other reflection and amplification attack vectors, this is one that would not be possible if proper ingress filtering was in place,” Arteaga and Majia wrote in a blog post. “Potential hosts are discovered using internet scans, and filtering User Datagram Protocol destination port 389, to eliminate the discovery of another potential host fueling attacks.” Williams agreed that ingress filtering would help and noted that “CLDAP was officially retired from being on the IETF standards track in 2003” but enterprises using Active Directory need to be aware of the threat. “Active Directory supports CLDAP and that’s probably the biggest reason you’ll see a CLDAP server exposed to the internet,” Williams said. “Another reason might be email directory services, though I suspect that is much less common.” Source: http://searchsecurity.techtarget.com/news/450416890/CLDAP-reflection-attacks-may-be-the-next-big-DDoS-technique

Read more here:
CLDAP reflection attacks may be the next big DDoS technique