Sony PlayStation Network Taken Down By DDoS Attack

It’s been a bad weekend for Sony PlayStation. The entire PlayStation Network was down for much of the day after a distributed denial-of-service (DDoS) attack by online attackers, which left the network inaccessible to users.
It’s possible that EVE Online and Guild Wars 2 have also been hit by the attackers. Developers on the EVE Online forums have announced DDoS issues, and many users on the Guild Wars 2 forums have been reporting login issues.
Sony’s PlayStation Network is an online service that connects PlayStation 3 and PlayStation 4 video game consoles to the Internet and to over-the-top video services such as Netflix.
What’s weird about this attack is that it also includes a security threat against the American Airlines plane in which the President of Sony Online Entertainment, John Smedley, was traveling today. The aircraft along with a full load of passengers was diverted to Phoenix due to a bomb threat.
Two separate hacker groups, Lizard Squad and Famed God, took to social media, Twitter and YouTube, respectively, to claim responsibility for the DDoS attack on the entertainment company, which, according to Sony, inflicted an “artificially high” amount of traffic on the PlayStation Network and Sony Entertainment Network.

At 1:30 p.m. ET, the Lizard Squad group posted on Twitter that an American Airlines plane carrying Sony Online Entertainment president John Smedley had explosives on board; that bomb threat led to the grounding of American Airlines flight 362. The flight has since been sent safely on its way.
Smedley later confirmed that his flight from Dallas to San Francisco was being diverted to Phoenix, Arizona. “Flight diverted to Phoenix for security reasons,” he said. “Something about the security and our cargo. Sitting on tarmac.”
According to the company, no personal information had been leaked in the attack, but the rolling outage persists in various places, some ten hours or more after the attack began.

“Like other major networks around the world, the PlayStation Network and Sony Entertainment Network have been impacted by an attempt to overwhelm our network with artificially high traffic,” Sid Shuman wrote on Sony’s official blog.

“Although this has impacted your ability to access our network and enjoy our services, no personal information has been accessed. We will continue to work towards fixing this issue and hope to have our services up and running as soon as possible. We regret any inconvenience this may have caused.”

The Federal Bureau of Investigation is investigating the flight incident, Kotaku reported. At the time of writing, the reasons for the attack are still unclear and there has been no confirmation that the two incidents are connected, but a final tweet by Smedley indicates that he believes it was not a coincidence.


DDoS attacks present opportunity for ISPs

Distributed denial of service (DDoS) attacks may strike fear into the hearts of anyone involved in the online space, but protecting against them presents a new business opportunity for Internet service providers (ISPs).

So says Anton Jacobsz, MD of Arbor Networks distributor Networks Unlimited, who adds that the number of DoS attacks is rising worldwide, with the average size of a DDoS attack around 1.2Gbps, according to Arbor Networks’ Threat Analysis System.

Martin Walshaw, senior engineer at F5 Networks, is of the view that the decreasing number of bots now available means that hacktivists and other cyber criminals are finding new ways to amplify their attacks and, as a result, DDoS attacks are becoming a more popular vector.

Sophisticated DDoS attacks combine high-volume traffic-clogging with stealthy low and slow application-targeted techniques, says John Grady, research manager for security products at IDC.

InfoSecurity Magazine reports that this year the number of network time protocol amplification attacks increased 371.43%. The average peak DDoS attack volume increased a staggering 807.48%.

Jacobsz reveals that in an attack such as this, ISPs tend to ‘black hole’ or switch off the targeted server as quickly as possible, to avoid slowing down services to other customers sharing the affected pipe. “This stops the slowdown of services to other customers, but it also means the attackers achieved their objective – the service under attack goes down,” he says.

With constant uptime critically important for a growing number of businesses, having a service down after an attack could mean significant financial losses. “This paves the way for ISPs to step in and mitigate the risk at service provider level,” says Jacobsz. “Not only is this more effective, it has the advantage of allowing the ISP to offer better customer service.”

In an environment where demand for managed security services is growing, ISPs are well positioned to capitalise on the demand for services, says Arbor.

Research firm Frost & Sullivan expects the managed security service provider (MSSP) to grow to around $4 billion by 2016 in North America alone, with the managed security and security monitoring services segment yielding the highest percentage of total revenue in the MSSP market. ISPs can expand their revenue by tapping in to this market, says Arbor Networks.

Because ISPs own the pipes that transmit data across the Internet, they are able to deliver a comprehensive solution that can combat the two primary types of DDoS attacks: high-bandwidth ‘volumetric’ attacks, usually generated by Internet bots or compromised PCs grouped together in large-scale botnets; and ‘application-layer’ DDoS attacks that target specific services ranging from Web commerce and DNS services to e-mail and online banking, says Jacobsz.

Arbor notes that the best place to stop volumetric DDoS attacks is in the ISP cloud (via network-based DDoS protection) because the saturation happens upstream and can only be remediated in the provider’s cloud. The best place to perform application-layer DDoS detection is in the data centre itself because the attack can only be detected and quickly stopped at the data-centre edge, the company says.

It points out that only ISPs can provide both a network-based service component to stop volumetric DDoS attacks and a CPE-based service component to stop application-layer DDoS attacks – representing a distinct competitive advantage.

Jacobsz says: “If service providers implement protection solutions across the installed base they are able to offer cost efficiencies and better risk mitigation to their customers. When an ISP is already supplying a managed firewall, Secure Socket Layer virtual private network (SSL VPN), intrusion detection system (IDS), intrusion prevention system (IPS) and other security measures, adding an incremental managed DDoS protection service can be relatively straightforward and cost-efficient.”


Duck and Cover: Defending Against DDoS Attacks

Denial-of-service attacks are frequently deployed, yet organizations often fail to prepare themselves against the threat. Ted Kritsonis talks to industry experts about using analytics to prevent and respond to DDoS attacks.

Cyberattacks don’t always grab headlines among the mainstream press, but when they do, it’s often a case of distributed denial-of-service (DDoS) attacks that have crippled an enterprise or government website, forcing IT departments to devise methodologies to contain the threats and get back up and running.

This external threat can be debilitating for the sheer fact that a DDoS attack, particularly a DNS flood, starves a system’s available resources using any number of infected computers, rendering moot all access from users or customers. Notwithstanding the lost revenue and reputational black-eye stemming from these attacks, the perpetrators don’t always have a singular purpose in mind. It may be financial in some cases, or a competitor aiming to damage a rival, or perhaps even a politically motivated act known as ‘hacktivism.’

“Regardless of gains, DDoS attacks are getting cheaper and cheaper to launch. It’s simple to find many free tools online capable of bringing down a small to moderate site, and botnets can be rented for as little as $100 an hour”, says Sean Power, security operations manager at DOSarrest, a firm specializing in preventing and managing these attacks. “Only the really big impressive attacks make the headlines, and some people may think they are immune for this reason, but that is not the case.”

Attack Methods

Attack vectors can come in thousands of different forms, but they usually break down into one of three categories. Volumetric attacks cause congestion between the target and the internet through the use of botnets. TCP state-exhaustion attacks go after infrastructure components like load-balancers, firewalls and the application servers themselves. It’s the third category, however, application-layer attacks, that is arguably the most dangerous and ubiquitous, because these attacks stealthily target one aspect of an application or service using as little as one machine generating a low traffic rate.

Despite mitigation attempts from IT specialists, Power believes attackers can be shrewd in responding to them by focusing on other vulnerabilities. One example is a headless browser attack, which uses infected computers to participate in a DDoS attack by running it in the background unbeknownst to the user of the infected computer, and fooling mitigation devices into thinking that it is actually legitimate traffic. Because it appears as a simple web browser, it can be effective at sneaking through capable defenses.

The impact can be devastating if not countered promptly and efficiently. At the time of writing, the largest reported DDoS attack was launched in March 2013 against Spamhaus, an international non-profit that battles spam. It had peaked at 300Gbps, three times the size of the previous largest reported attack, making headlines around the world for its scope.

Hackers also benefit from unique attacks that lay low and propagate over time. DNS spoofing has been cited as a form of industrial espionage or blackmail because a company’s DNS server can be compromised to route email to unauthorized mail servers, potentially revealing sensitive internal information and communications.

Playing Defense

Rakesh Shah, director of product marketing and strategy at Arbor Networks, has dealt with threats of varying sizes, and has witnessed clients feel the pain of an attack.

“We know of one company that suffered 90 minutes of downtime because they were unprepared when in the heat of an attack scenario”, says Shah. “They couldn’t connect with key people internally or at their cloud mitigation provider, so that 90 minutes of confusion cost the firm over $1 million in revenue and angered their customer base greatly.”

Shah wouldn’t name the affected firm, but did say there were two levels of preparation its IT department should have pursued. The first was deploying a DDoS defense requiring multi-layered protection that includes both on-site and cloud-based protection. The second, which he feels is often overlooked, is a standard incident response wherein staff know the processes to follow and people to call to minimize the downtime associated with an attack.

Power agrees, suggesting that IT managers must prepare a ‘playbook’ to follow in case a DDoS attack occurs. This blueprint should include building a capable DDoS response team that can monitor the range of legitimate traffic, outline the network’s topology, create robust remote access and follow the procedural plan with efficacy.
From an analytical perspective, this also includes collecting baseline measurements of all network activity as it relates to public access points – for example, graphing and threshold alerts for bits per second and packets per second on major ingress and egress links in the network.

“It bears repeating, but you have to keep your documentation up to date, monitor the DDoS industry for changes and ensure your technology is on top of the latest threats and test both your DDoS defense strategy and your team”, Power advises. “There are companies whose sole expertise is preparing for and defending against sophisticated and large-scale DDoS attacks, and they come in a range of flavors and prices. Make sure you understand your needs and vendors’ service offerings beforehand so that when the need arises, you will have taken that difficult decision-making process out of the equation.”


Traditionally, DDoS attacks have been a looming threat for enterprises and businesses for reasons of extortion and fraud, where cyber-attackers seek a ransom or plant the seeds for fraudulent activity under the guise of an attack. But DDoS attacks have gained more publicity when used as a political tool, particularly from the hacktivist group Anonymous.

The tactic was also deployed as part of geopolitical subterfuge, like the Iran-based Izz ad-Din al-Qassam Cyber Fighters, who targeted US banks from September 2012 and into 2013, along with the Syrian Electronic Army, which has targeted sites as varied as eBay, the Associated Press and the US Marine Corps recruitment page. There is no concrete evidence that either group is state-sponsored, but the implication is clear that no one is immune from an attack, regardless of the motivation behind it.

This has been noted in Arbor Networks’ ninth annual ‘Worldwide Infrastructure Security Report’, which highlighted “dramatic growth in high-volume DDoS attacks” and that 71% of data center operators reported a DDoS attack in 2013, compared to 45% from the year before. Moreover, 36% of those attacks exceeded the total available bandwidth, almost doubling the mark set the year before. But perhaps even more damaging, targets reported a cumulative 35% customer churn rate and 27% revenue loss as consequences of those attacks.

The gloomy stats cast a light on the problem’s pervasiveness, given that Arbor Networks had a mix of 220 service providers and network operators from various industries and categories weighing in. Google collaborated with Arbor Networks by using the latter’s ATLAS global threat monitoring system to build the Digital Attack Map, which reports and visualizes daily attacks and their origins worldwide.

“One of the clear targets that emerged in Europe when reviewing our own data was media and entertainment, specifically news organizations, accounting for 15% of all attacks in North America, and nearly 25% of all attacks in Europe”, notes Martin McKeay, senior security advocate at Akamai. “News organizations aren’t the most heavily secured and protected environments, often lacking in controls that an online merchant or bank might employ, since the cost of downtime for a news organization is much less.”

McKeay adds that the amount of data traveling across Akamai’s networks doubles every 18 months. The increase of broadband and computing power in emerging markets could lead to more intense attacks, although DDoS sizes have yet to grow at the same rate as broadband adoption. Even so, compromised systems tend to originate from the developing world, with China, Indonesia and India leading the charge. Since virtual attacks usually cross real-life borders, litigation is of little recourse.

“The lack of laws concerning different forms of computer abuse in many markets make it harder for the target of the attack to defend themselves legally, and make it nearly impossible for law enforcement agencies to follow up and enforce any such laws that do exist”, he says.

This puts more of the onus on organizations to protect themselves with the right plans and tools in place. Shah says knowledge and preparedness varies from industry to industry and then from company to company within that industry. Low and slow application-layer attacks can be dealt with on-site, including protecting infrastructure like firewalls and IPS, while cloud-based protection is necessary against large-volume attacks.

Attacker Adaptation

Not surprisingly, cyber-attackers are adapting their techniques to deal with emerging defensive methods. Although still a recent trend, attack malware is being built with capabilities to evade purpose-built DDoS defenses, thereby tying up resources and opening up holes that attackers can exploit.

“Some think it won’t happen to them, while others think they are protected if they subscribe to a cloud-based DDoS managed service. An organization is not protected from the full spectrum of DDoS attacks unless they have a multi-layered defense in place”, says Shah.

“The hottest trend in DDoS today is the multi-vector attack, combining flood, application and state exhaustion attacks against infrastructure devices all in a sustained attack that dynamically changes. These attacks are popular because they’re often highly effective and difficult to defend against”, Shah concludes.


Hijacked anti-DDoS servers used to carry out massive DDoS attack

A massive distributed denial-of-service (DDoS) attack was carried out earlier this month using the very servers designed to prevent this classic type of attack.

In early May, website security company Incapsula was able to help fend off a powerful DDoS attack that was launched using high-capacity servers hijacked from two separate DDoS protection services providers.

The attack, which occurred on May 1 against an unnamed online gaming website, went on for about seven hours and remained at a steady 25 million packets per second (mpps) throughout its duration, Igal Zeifman, product evangelist with Incapsula, said in an email on Monday.

The perpetrators hijacked and leveraged the power of two separate high-capacity servers belonging to unnamed DDoS protection services providers, Zeifman said. He explained that this type of strong network infrastructure, built to defend against volumetric attacks, offers attackers a way to “fight fire with fire.”

Because many of the DNS queries held non-spoofed IP data, Incapsula was able to determine that the compromised DDoS protection services providers were located in Canada and China, Zeifman said, adding that the companies confirmed to Incapsula that their servers were used in the attacks.

“Because mitigation is all about filtering of incoming requests, ongoing traffic tends to be overlooked,” Zeifman said. “In this case, we actually had to notify the DDoS protection providers, for them to notice the outgoing floods from their servers.”


Another DNS Provider Targeted in DDoS Attack

PointDNS says most of its DNS servers are online again after a massive DDoS attack late last week took down the service provider.

A post on the company’s Twitter account on Friday said the provider was adding nameservers and working with network providers to restore service to its customers. Many of those same customers took to social media complaining about downtime and unavailability of their own websites and services. According to its website, PointDNS services more than 220,000 domains worldwide.

Earlier today, a post from the parent company said services were “back to normal.”

This was the second large attack against a DNS provider in the last two weeks. On April 30, UltraDNS mitigated a DDoS attack that kept most of its customers offline for the better part of a day.

The SANS Institute’s Internet Storm Center said the attack peaked at 100 Gbps against one of UltraDNS’ customers. The attack resulted in latency issues for other UltraDNS customers.

Last week, Incapsula, a cloud-based application delivery company that also sells security services, said it fought off a 25 million packets per second DDoS attack in which many of the DNS queries held non-spoofed IP data. This stands in contrast to many other massive DDoS attacks of late, in particular reflection or amplification attacks, which rely on spoofed addresses to send massive quantities of bad traffic at a target.

The Incapsula-mitigated attack was traced back to IP addresses belonging to a pair of DDoS protection services, which are designed for high-capacity traffic management, Incapsula said. Hackers can take advantage of this to pull off DDoS attacks without amplification.

These latest attacks, meanwhile, continue a trend of volumetric DDoS attacks reaching new heights.

A recent report from Arbor Networks said the provider has already tracked more than 70 DDoS attacks that topped 100 Gbps or more of malicious traffic. The largest on record reached between 325 Gbps and 400 Gbps of traffic.

Almost all of these attacks rely on DNS reflection, and a growing number on network time protocol (NTP) amplification. In both cases, the source IP address is spoofed to be that of the target, and massive amounts of traffic are sent its way at no cost to the attacker.

US-CERT issued an advisory in January warning companies that hackers were exploiting NTP vulnerabilities to flood networks with UDP traffic. NTP servers are publicly available machines used to synchronize computer clocks. In NTP amplification attacks, hackers exploit the MON_GETLIST feature in NTP servers, which returns the IP addresses of the last 600 machines that interacted with the server. Monlists are a classic set-and-forget feature, and they are vulnerable to forged REQ_MON_GETLIST requests that enable traffic amplification.

With DNS amplification attacks, attackers take advantage of any number of the 28 million open DNS resolvers on the Internet to launch large-scale DDoS attacks. The motivations are varied. Ideological hackers use them to take down services in protest, while profit-motivated criminals can use DDoS as a cover for intellectual property theft and financial fraud.
