DDoS attacks present opportunity for ISPs

Distributed denial of service (DDoS) attacks may strike fear into the hearts of anyone involved in the online space, but protecting against them presents a new business opportunity for Internet service providers (ISPs).

So says Anton Jacobsz, MD of Arbor Networks distributor Networks Unlimited, who adds that the number of DoS attacks is rising worldwide, with the average size of a DDoS attack around 1.2Gbps, according to Arbor Networks’ Threat Analysis System.

Martin Walshaw, senior engineer at F5 Networks, is of the view that the decreasing number of bots now available means that hactivists and other cyber criminals are finding new ways in which to amplify their attacks and, as a result, DDoS attacks are becoming a more popular vector.

Sophisticated DDoS attacks combine high-volume traffic-clogging with stealthy low and slow application-targeted techniques, says John Grady, research manager for security products at IDC.

InfoSecurity Magazine reports that this year the number of network time protocol amplification attacks increased 371.43%. The average peak DDoS attack volume increased a staggering 807.48%.

Jacobsz reveals that in an attack such as this, ISPs tend to ‘black hole’ or switch off the targeted server as quickly as possible, to avoid slowing down services to other customers sharing the affected pipe. “This stops the slowdown of services to other customers, but it also means the attackers achieved their objective – the service under attack goes down,” he says.

With constant uptime critically important for a growing number of businesses, having a service down after an attack could mean significant financial losses. “This paves the way for ISPs to step in and mitigate the risk at service provider level,” says Jacobz. “Not only is this more effective, it has the advantages of allowing the ISP to offer better customer service.”

In an environment where demand for managed security services is growing, ISPs are well positioned to capitalise on the demand for services, says Arbor.

Research firm Frost & Sullivan expects the managed security service provider (MSSP) to grow to around $4 billion by 2016 in North America alone, with the managed security and security monitoring services segment yielding the highest percentage of total revenue in the MSSP market. ISPs can expand their revenue by tapping in to this market, says Arbor Networks.

Because ISPs own the pipes that transmit data across the Internet, they are able to deliver a comprehensive solution that can combat the two primary types of DDoS attacks: high-bandwidth ‘volumetric’ attacks usually generated by Internet bots or compromised PCs grouped together in large-scale botnets; and ‘application-layer’ DDoS attack that target specific services ranging from Web commerce and DNS services to e-mail and online banking, says Jacobsz.

Arbor notes that the best place to stop volumetric DDoS attacks is in the ISP cloud (via network-based DDoS protection) because the saturation happens upstream and can only be remediated in the provider’s cloud. The best place to perform application-layer DDoS detection is in the data centre itself because the attack can only be detected and quickly stopped at the data-centre edge, the company says.

It points out that only ISPs can provide both a network-based service component to stop volumetric DDoS attacks and a CPE-based service component to stop application-layer DDoS attacks – representing a distinct competitive advantage.

Jacobsz says: “If service providers implement protection solutions across the installed base they are able to offer cost efficiencies and better risk mitigation to their customers. When an ISP is already supplying a managed firewall, Secure Socket Layer virtual private network (SSL VPN), intrusion detection system (IDS), intrusion prevention system (IPS) and other security measures, adding an incremental managed DDoS protection service can be relatively straightforward and cost-efficient.”

Source: http://www.itweb.co.za/index.php?option=com_content&view=article&id=136362:DDoS-attacks-present-opportunity-for-ISPs&catid=359

Leave a Comment

Duck and Cover: Defending Against DDoS Attacks

Denial-of-service attacks are frequently deployed, yet often organizations fail to prepare themselves against the threat. Ted Kritsonis talks to industry experts about using analytics to prevent and respond to DDoS attacks

Cyberattacks don’t always grab headlines among the mainstream press, but when they do, it’s often a case of distributed denial-of-service (DDoS) attacks that have crippled an enterprise or government website, forcing IT departments to devise methodologies to contain the threats and get back up and running.

This external threat can be debilitating for the sheer fact that a DDoS attack, particularly a DNS flood, starves a system’s available resources using any number of infected computers, rendering moot all access from users or customers. Notwithstanding the lost revenue and reputational black-eye stemming from these attacks, the perpetrators don’t always have a singular purpose in mind. It may be financial in some cases, or a competitor aiming to damage a rival, or perhaps even a politically motivated act known as ‘hacktivism.’

“Regardless of gains, DDoS attacks are getting cheaper and cheaper to launch. It’s simple to find many free tools online capable of bringing down a small to moderate site, and botnets can be rented for as little as $100 an hour”, says Sean Power, security operations manager at DOSarrest, a firm specializing in preventing and managing these attacks. “Only the really big impressive attacks make the headlines, and some people may think they are immune for this reason, but that is not the case.”

Attack Methods

Attack vectors can come in thousands of different ways, but they usually break down into one of three categories. Volumetric attacks cause congestion between the target and the internet through the use of botnets. TCP State-Exhaustion attacks go after infrastructure components like load-balancers, firewalls and the application servers themselves. It’s the third category, however, the Application-Layer attacks that are arguably the most dangerous and ubiquitous because they stealthily target an aspect of an application or service using as little as one machine to generate a low traffic rate.

Despite mitigation attempts from IT specialists, Power believes attackers can be shrewd in responding to them by focusing on other vulnerabilities. One example is a headless browser attack, which uses infected computers to participate in a DDoS attack by running it in the background unbeknownst to the user of the infected computer, and fooling mitigation devices into thinking that it is actually legitimate traffic. Because it appears as a simple web browser, it can be effective at sneaking through capable defenses.

The impact can be devastating if not countered promptly and efficiently. At the time of writing, the largest reported DDoS attack was launched in March 2013 against Spamhaus, an international non-profit that battles spam. It had peaked at 300Gbps, three times the size of the previous largest reported attack, making headlines around the world for its scope.

Hackers also benefit from unique attacks that lay low and propagate over time. DNS spoofing has been cited as a form of industrial espionage or blackmail because a company’s DNS server can be compromised to route email to unauthorized mail servers, potentially revealing sensitive internal information and communications.

Playing Defense

Rakesh Shah, director of product marketing and strategy at Arbor Networks, has dealt with threats of varying sizes, and has witnessed clients feel the pain of an attack.

“We know of one company that suffered 90 minutes of downtime because they were unprepared when in the heat of an attack scenario”, says Shah. “They couldn’t connect with key people internally or at their cloud mitigation provider, so that 90 minutes of confusion cost the firm over $1 million in revenue and angered their customer base greatly.”

Shah wouldn’t name the affected firm, but did say there were two levels of preparation its IT department should have pursued. The first was deploying a DDoS defense requiring multi-layered protection that includes both on-site and cloud-based protection. The second, which he feels is often overlooked, is a standard incident response wherein staff know the processes to follow and people to call to minimize the downtime associated with an attack.

Power agrees, suggesting that IT managers must prepare a ‘playbook’ to follow in case a DDoS attack occurs. This blueprint should include building a capable DDoS response team that can monitor the range of legitimate traffic, outline the network’s topology, create robust remote access and follow the procedural plan with efficacy.
From an analytical perspective, this also includes collecting baseline measurements of all network activity as it relates to public access points – for example, graphing and threshold alerts for bits per second and packets per second on major ingress and egress links in the network.

“It bears repeating, but you have to keep your documentation up to date, monitor the DDoS industry for changes and ensure your technology is on top of the latest threats and test both your DDoS defense strategy and your team”, Power advises. “There are companies whose sole expertise is preparing for and defending against sophisticated and large-scale DDoS attacks, and they come in a range of flavors and prices. Make sure you understand your needs and vendors’ service offerings beforehand so that when the need arises, you will have taken that difficult decision-making process out of the equation.”


Traditionally, DDoS attacks have been a looming threat for enterprises and businesses for reasons of extortion and fraud, where cyber-attackers seek a ransom or plant the seeds for fraudulent activity under the guise of an attack. But DDoS attacks have gained more publicity when used as a political tool, particularly from the hacktivist group Anonymous.

The tactic was also deployed as part of geopolitical subterfuge, like the Iran-based Izz ad-Din al-Qassam Cyber Fighters, who targeted US banks from September 2012 and into 2013, along with the Syrian Electronic Army, which has targeted sites as varied as eBay, the Associated Press and the US Marine Corps recruitment page. There is no concrete evidence that either group is state-sponsored, but the implication is clear that no one is immune from an attack, regardless of the motivation behind it.

This has been noted in Arbor Networks’ ninth annual ‘Worldwide Infrastructure Security Report’, which highlighted “dramatic growth in high-volume DDoS attacks” and that 71% of data center operators reported a DDoS attack in 2013, compared to 45% from the year before. Moreover, 36% of those attacks exceeded the total available bandwidth, almost doubling the mark set the year before. But perhaps even more damaging, targets reported a cumulative 35% customer churn rate and 27% revenue loss as consequences of those attacks.

The gloomy stats cast a light on the problem’s pervasiveness, given that Arbor Networks had a mix of 220 service providers and network operators from various industries and categories weighing in. Google collaborated with Arbor Networks by using the latter’s ATLAS global threat monitoring system to build the Digital Attack Map, which reports and visualizes daily attacks and their origins worldwide.

“One of the clear targets that emerged in Europe when reviewing our own data was media and entertainment, specifically news organizations, accounting for 15% of all attacks in North America, and nearly 25% of all attacks in Europe”, notes Martin McKeay, senior security advocate at Akamai. “News organizations aren’t the most heavily secured and protected environments, often lacking in controls that an online merchant or bank might employ, since the cost of downtime for a news organization is much less.”

McKeay adds that the amount of data traveling across Akamai’s networks doubles every 18 months. The increase of broadband and computing power in emerging markets could lead to more intense attacks, although DDoS sizes have yet to grow at the same rate as broadband adoption. Even so, compromised systems tend to originate from the developing world, with China, Indonesia and India leading the charge. Since virtual attacks usually cross real-life borders, litigation is of little recourse.

“The lack of laws concerning different forms of computer abuse in many markets make it harder for the target of the attack to defend themselves legally, and make it nearly impossible for law enforcement agencies to follow up and enforce any such laws that do exist”, he says.

This puts more of the onus on organizations to protect themselves with the right plans and tools in place. Shah says knowledge and preparedness varies from industry to industry and then from company to company within that industry. Low and slow application-layer attacks can be dealt with on-site, including protecting infrastructure like firewalls and IPS, while cloud-based protection is necessary against large-volume attacks.

Attacker Adaptation

Not surprisingly, cyber-attackers are innovating their techniques to deal with emerging defensive methods. Although still a recent trend, malware used for attacks are implementing anti-DDoS capabilities to evade purpose-built DDoS defenses, thereby tying up resources and opening up holes that they can exploit.

“Some think it won’t happen to them, while others think they are protected if they subscribe to a cloud-based DDoS managed service. An organization is not protected from the full spectrum of DDoS attacks unless they have a multi-layered defense in place”, says Shah.

“The hottest trend in DDoS today is the multi-vector attack, combining flood, application and state exhaustion attacks against infrastructure devices all in a sustained attack that dynamically changes. These attacks are popular because they’re often highly effective and difficult to defend against”, Shah concludes.


Leave a Comment

Hijacked anti-DDoS servers used to carry out massive DDoS attack

A massive distributed denial-of-service (DDoS) was carried out earlier this month using very servers designed to prevent the classic type of attack.

In early May, website security company Incapsula was able to help fend off a powerful DDoS attack that was launched using high-capacity servers hijacked from two separate DDoS protection services providers.

The attack, which occurred on May 1 against an unnamed online gaming website, went on for about seven hours and remained at a steady 25 million packets per second (mpps) throughout its duration, Igal Zeifman, product evangelist with Incapsula, told SCMagazine.com in a Monday email correspondence.

The perpetrators hijacked and leveraged the power of two separate high-capacity servers belonging to unnamed DDoS protection services providers, Zeifman said. He explained that this type of strong network infrastructure, built to defend against volumetric attacks, offers attackers a way to “fight fire with fire.”

Because many of the DNS queries held non-spoofed IP data, Incapsula was able to determine that the compromised DDoS protection services providers were located in Canada and China, Zeifman said, adding that the companies confirmed to Incapsula that its servers were used in the attacks.

“Because mitigation is all about filtering of incoming requests, ongoing traffic tends to be overlooked,” Zeifman said. “In this case, we actually had to notify the DDoS protection providers, for them to notice the outgoing floods from their servers.”

Source: http://www.scmagazine.com/hijacked-anti-ddos-servers-used-to-carry-out-massive-ddos-attack/article/346619/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SCMagazineNews+%28SC+Magazine+News%29

Leave a Comment

Another DNS Provider Targeted in DDoS Attack

PointDNS says most of its DNS servers are online again after a massive DDoS attack late last week took down the service provider.

A post on the company’s Twitter account on Friday said the provider was adding nameservers and working with network providers to restore service to its customers. Many of those same customers took to social media complaining about downtime and unavailability of their own websites and services. According to its website, PointDNS services more than 220,000 domains worldwide.

Earlier today, a post from parent company Copper.io said services were “back to normal.”

This was the second large attack against a DNS provider in the last two weeks. On April 30, UltraDNA mitigated a DDoS attack that kept most of its customers offline for the better part of a day.

The SANS Institute’s Internet Storm Center said the attack peaked at 100 Gbps against one of UltraDNS’ customers. The attack resulted in latency issues for other UltraDNS customers.

Last week, Incapsula, a cloud-based application delivery company that also sells security services, said it fought back a 25 million packets per second DDoS attack and that many of the DNS queries held non-spoofed IP data. This stands in contrast to many other massive DDoS attacks of late, in particular reflection or amplification attacks, that rely on spoofed addresses to send massive quantities of bad traffic at a target.

The Incapsula-mitigated attack was traced back to IP addresses belonging to a pair of DDoS protection services, which are designed for high-capacity traffic management, Incapsula said. Hackers can take advantage of this to pull off DDoS attacks without amplification.

These latest attacks, meanwhile, continue a trend of volumetric DDoS attacks reaching new heights.

A recent report from Arbor Networks said the provider has already tracked more than 70 DDoS attacks that topped 100 Gbps or more of malicious traffic. The largest on record reached between 325 Gbps and 400 Gbps of traffic.

Almost all of these attacks rely on DNS reflection or a growing number on network time protocol amplification attacks. In both cases, IP addresses are spoofed as the target, and massive amounts of traffic is sent their way at no cost to the attacker.

US-CERT issued an advisory in January warning companies that hackers were exploiting NTP vulnerabilities to flood networks with UDP traffic. NTP servers are publicly available machines used to synchronize computer clocks. With NTP amplification attacks, hackers exploit the MON_GETLIST feature in NTP servers, which returns the IP address of the last 600 machines interacting with an NTP server. Monlists are a classic set-and-forget feature and are vulnerable to hackers making forged REQ_MON_GETLIST requests enabling traffic amplification.

With DNS amplification attacks, attackers take advantage of any number of the 28 million open DNS resolvers on the Internet to launch large-scale DDoS attacks. The motivations are varied. Ideological hackers use them to take down services in protest, while profit-motivated criminals can use DDoS as a cover for intellectual property theft and financial fraud.

Source: http://threatpost.com/another-dns-provider-targeted-in-ddos-attack/106045

Leave a Comment

DOS: You Got Served

DOS (Denial of Service) attacks come in various different forms and intensities, but all have the same purpose, to take a website offline and damage the organization running that website. The most common use for DOS attacks are ransom missions. A hacker will DOS a site and email the owner, demanding payment or else the website will be taken offline. DOS attacks are also used as a form of protest. In 2009, Iranians DDOS (Distributed Denial of Service) attacked several government websites to protest the presidential election. Anonymous has also used DDOS attacks in “Operation Payback” to protest Megaupload being taken offline. They attacked the websites of UMG (the company responsible for the lawsuit against Megaupload), the United States Department of Justice, the United States Copyright Office, the Federal Bureau of Investigation, the MPAA, Warner Brothers Music and the RIAA, as well as the HADOPI, all on the afternoon of January 19, 2012.

The tool most commonly used to conduct DDOS attacks as protest is LOIC (Low Orbit Ion Cannon). LOIC is a free program you can download for any platform and does nothing but send garbage data to a server. One person downloading this program and trying to take down a server does nothing. Not a single website on the internet will fall to one Low Orbit Ion Cannon. Websites only go down when you have thousands upon thousands of people using LOIC at the same time, on the same server. Much like a real world protest, this clogs up bandwidth on the server, making it very difficult for legitimate traffic to travel through. LOIC is most publicly used by Anonymous. In 2008, they gathered enough people to attack the websites of the Church of Scientology. In 2010, they also attacked the Recording Industry Association of America and the websites of organizations opposed to WikiLeaks during Operation Payback.

While large groups of people can very easily take down a website through coordination, for one hacker to DDOS attack a website, he needs an army of botnets, or infected computers that he can control remotely. Another tactic that hackers use to multiply the amount of data sent is to hijack the NTP (Network Time Protocol). NTP is basically the protocol used to get the current time. What’s important is that you send a small request and get a large response, meaning that if hackers who have the NTP server send the response to a single target website, they can triple the amount of data they use to attack. Luckily, many NTP servers are aware of this vulnerability, and about 4 out of 5 servers have been patched against this type of attack.

Not all DOS attacks require angry mobs of people or thousands of zombie computers. Some attacks exploit vulnerabilities in the computer’s software to remotely crash or hang the computer. Teardrop is one of those attacks. Luckily, no modern computer can be taken down with a Teardrop attack – it was discovered and used on Windows 95, NT, and 3.1. An attacker would send a broken internet packet to the computer, causing it to crash. There was no other destruction of data, unless something had not been saved on the computer at the time, the attack would only cause the computer to blue-screen. A similar attack is the Ping of Death. To attack a computer with the Ping of Death, an attacker would send the largest bit of data in one chunk possible. In order to crash the computer the data would have to be larger than 65,536 bytes. The attacked computer would have nowhere to store the extra bytes in memory and would crash.

There are many forms of DOS attacks, and hackers are finding new vulnerabilities to exploit every day. The most effective attacks are still DDOS attacks, where large groups of people decide to take down a site in a form of protest. Though it may not seem like a government site going down for a couple days matters, DDOS attacks have a real world effect and can be used for peaceful protest or they can be used as a form of extortion from a mafia-like group of hackers.

Source: http://njitvector.com/2014/dos-you-got-served/

Leave a Comment

Older Posts »