For more than a month, the online game Final Fantasy 14 has been experiencing connectivity issues due to Distributed Denial-of-Service attacks on its North American data centre. The game developer, Square Enix, reported recently that attacks have shown no signs of stopping and are increasingly difficult to contain. These attacks highlight just how exposed the gaming industry is to DDoS attacks, and reminds us how damaging successful attacks can be.
Hacking groups such as Lizard Squad regularly deploy DDoS attacks against online games in order to establish their DDoS capabilities publicly and demonstrate their potential. At the same time, gamers regularly use DDoS attacks as a competitive tool, to gain a tactical advantage within a game and to disrupt other players’ sessions. As DDoS tools become increasingly widespread and accessible, this problem isn’t going away anytime soon, so it’s time for games developers to regain control against DDoS attacks by taking a proactive defence.
Online gaming companies can be subjected to multiple attacks, sometimes dozens per day, ranging in size and scale. Regardless of the motivation, or techniques used to execute the attacks, these cyber events lead to downtime, latency and availability issues. If an attack is severe enough to effectively render the game unplayable for extended periods, the business impact can be significant. Any service downtime equates to a drop in visitors and a corresponding loss of revenue. Beyond immediate revenue loss, disgruntled and impatient customers will turn to other online video gaming sites if the game they are trying to access is unresponsive or unavailable. As a result, gaming providers must enable proactive DDoS defence measures to eliminate the damage associated with a successful DDoS attack.
Such defence solutions incorporate high-performance DDoS technology and can be positioned at the network edge, monitoring and mitigating DDoS attack traffic automatically and in real time. They do not rely on traffic redirection that sends the attack traffic deeper into the network to a scrubbing centre environment, they do not rely on human intervention, and they do not rely on the legacy tools or techniques that some network and security departments use to eliminate DDoS attacks. Innovation in DDoS defence technologies has completely changed the time-to-mitigation window, allowing for automated protection – without impacting good user traffic. To find out more about how real-time DDoS protection can help the gaming industry, take a look through our work with Jagex in this case study, or contact us.
This past spring American International Group (AIG), one of the largest cyber insurance companies, surveyed cyber security and risk experts to gain a deeper understanding of their views of the likelihood and impact of a systemic cyber-attack (an attack on more than one target, focused on a particular industry or sector of the economy). Not surprisingly, distributed denial of service (DDoS) attacks ranked highest among their concerns.
The consensus is not comforting. According to an article in Insurance Journal, “…respondents selected a mass distributed DDoS attack on a major cloud provider as the most likely cross-sector mega event.” In terms of a systemic cyber-attack on one particular industry, the most likely scenario would be an attack on the Financial Services industry, with 15 companies breached, mass business interruption, and a mass DDoS attack coordinated against financial institutions. The fact that so many cyber security experts predict this kind of scenario indicates that DDoS attacks are a serious problem.
With the prevalence of massive cyber-attacks in recent years, it is no wonder that cyber insurance is a growing industry. Of course, there are multiple types of cyber insurance, both in terms of cost and coverage. For companies that are weighing the pros and cons of cyber insurance protection versus DDoS protection, “both” may be a better solution than “either/or.”
One thing is for sure, companies should not substitute cyber insurance for DDoS protection. For one thing, it may be more affordable to get DDoS protection. Furthermore, the cyber insurance package may not be able to cover all the costs of a DDoS attack. There are the direct costs that can be measured in dollars, including the amount of business lost due to downtime; the cost of remediation to get systems back online; and the cost to repair or replace damaged systems. There are intangible costs as well, such as loss of business trust and reputation, and lost opportunity costs from business that went elsewhere and won’t come back.
To learn how you can protect your organization from DDoS attacks, contact us.
Recent technology developments have made it possible to see and stop distributed denial of service (DDoS) attacks when they attempt to enter your network, before they can do any damage. With this in mind, we have compiled a list of four elements of a DDoS defense system that will enable your business to withstand a DDoS attack in real time.
Detection is the first step in DDoS mitigation. Attacks that usually would go unnoticed—specifically small-scale, sub-saturating attacks—leave the door open for hackers to conduct security breaches. Therefore, it is critical to implement a system that monitors network traffic for both small-scale and volumetric attacks. As packets attempt to enter the network, it is important to automatically classify the data, deciding whether it is “good” or “bad” traffic. This granular level of analysis is essential so that the system can inspect all traffic and allow good traffic to flow uninterrupted.
Recent technology developments have made it possible to reduce the time to mitigation from minutes to seconds. That’s important, because hackers need only a few seconds to penetrate your network to do more damage via data theft, malware or ransomware.
There are many types of DDoS attacks, and each type has a different profile. Was the attack volumetric or sub-saturating? Was it a Smurf Attack or a DNS Flood, or some combination? It is critical to have a DDoS protection solution that not only blocks all types of distributed denial of service (DDoS) attacks, but also identifies the type of attack vectors, analyzes the digital fingerprint, and gathers intelligence to prepare against emerging threats.
Corero SecureWatch Analytics, part of the SmartWall Threat Defense System, does exactly that, by capturing and indexing data on all the traffic the system sees when under attack, and during peacetime, to enable detailed analysis of any security incidents. It continuously records traffic for subsequent analysis of network flows and trends, providing detailed visibility into detected threats and patterns over time. That kind of visibility, historical reporting and analysis takes your DDoS resiliency plan beyond just attack mitigation.
4. Flexible deployment
When it comes to DDoS solutions, not all are flexible. Fortunately, Corero technology can be deployed in-line at the network edge or in tandem with a third-party monitoring, detection or route management solution.
The Bottom Line
Legacy approaches to DDoS mitigation are less effective than today’s solutions, because they rely heavily on manual observation and action, which results in delayed mitigation (and therefore latency in network performance). An effective DDoS mitigation solution automatically stops attacks in their tracks and shows you the attack attempts. You and your downstream customers are never impacted, but you can see the evidence of the attack attempts.
Corero is the leader in real-time DDoS defense; if you need expert advice, contact us.
According to Corero’s recent DDoS Trends Report, Corero customers experienced an average of 124 attacks per month in the first quarter of this year (Q1 2017); that’s an increase of 9% compared to Q4 2016. In addition, 79 percent of DDoS attacks that Corero mitigated among its global customer base were less than 1Gbps in volume in Q1 2017. 98 percent of attacks were 10Gbps or less in volume.
In general, the trend that IT experts across the globe are witnessing is that small, sub-saturating attacks are much more common than large, volumetric attacks, yet the volumetric attacks are much larger in scale and impact than ever before. The mega DDoS attacks that hit high-profile targets such as Dyn, OVH and KrebsonSecurity in the fall of 2016 are prime examples. Corero’s research found a 55% increase in large DDoS attacks of more than 10Gbps in the first quarter of 2017, compared to the previous quarter. Corero’s DDoS experts predict that advanced, volumetric attacks will become more common in the near future.
What’s changed to create these trends? One factor is the increase in devices that are connected to the Internet of Things (IoT). Such devices are riddled with security vulnerabilities, which makes them easy to recruit into botnets. Another factor is that it is easy and affordable for anyone with a grudge and some money to contract with a DDoS-for-hire hacking service online to carry out an attack. Yet another factor is that the hackers freely share the code for launching attacks; hackers unleashed the Mirai botnet source code in October, shortly after the September 2016 attack on KrebsonSecurity.com; on October 21, Dyn experienced a massive DDoS attack.
Awareness is Growing
Enterprises are becoming more aware of the threat. According to a recent Corero survey, 56 percent of those IT and security professionals surveyed feel that DDoS attacks are a greater concern in 2017 than they have been in the past. Their concern is justified; networks are definitely more vulnerable due to the increase in frequency and potency of DDoS attacks.
So which type of DDoS attack should enterprises worry about? The answer is, both.
Small-scale DDoS attacks can be just as dangerous, if not more dangerous, than a massive volumetric attack because they are often used as a diversion tactic, or a “Trojan Horse.” While IT security teams are distracted by the DDoS attack, hackers may be stealing secure data from part of the network, or installing ransomware. Volumetric attacks, though less common, are obviously dangerous, especially for high-profile websites that depend on Internet connectivity to generate revenue or provide a service to other high-profile clients.
For more information, contact us.
The Internet of Things brings a host of advantages to consumers and businesses, but it also presents a slew of cyber security concerns. The most prominent concern is that hackers continue to “recruit” IoT devices to create zombie botnets that launch distributed denial of service (DDoS) attacks. This MIT Technology Review article states:
Security experts have warned Congress that this is a very real problem, which is likely to be solved only via regulations on Internet of Things devices. The Trump administration has vowed to crack down on botnets, but its proffered solutions are at best a long shot. That means botnets remain a potent security threat that is incredibly difficult to defend against. And while ransomware may be making the headlines right now, it would pay to remember the bots are still out there.
Some believe that government(s) should impose stricter regulations around the manufacturing of IoT devices, to have the manufacturers bake better security architecture into their products.
The mandates would undoubtedly mean more regulations, not intended to burden manufacturers but rather to protect everyone who uses the Internet. It’s a step in the right direction; good cyber hygiene should start with the security architecture of devices. However, the regulatory approach is not a panacea:
- Even if an IoT device is built with good security, it must be properly maintained once installed; it is up to humans to change the default password on such devices and install security patches or updates. Unfortunately, we all know how fallible humans tend to be when it comes to cyber maintenance.
- U.S. regulations can’t offer blanket protection; some manufacturers in the U.S. will likely fail to abide by the regulations, either willfully or unintentionally.
- IoT devices are a global problem; the U.S. government can’t mandate the manufacturing of other nations.
- There are still millions of IoT devices that cannot be upgraded, or may fall out of compliance with any new security regulations.
Ultimately, no matter how heavily IoT devices are regulated, many millions of devices will remain unsecured worldwide. It’s a good idea to have more secure IoT devices; that would make life a bit more challenging for DDoS hackers. But you can’t count on that to solve the problem of IoT botnet-driven DDoS attacks.
Others share this belief. A June 29, 2017 Federal Computer Week (FCW) article, “Why the cyber EO won't solve botnets,” discussed U.S. President Trump’s Executive Order on Cyber Security, which was signed last month. FCW interviewed AT&T's Chris Boyer, chair of the National Institute of Standards and Technology Information Security and Privacy Advisory Board (NIST ISPAB), and wrote:
“Boyer and other board members stressed the need to focus on resiliency and not simply prevention or elimination of botnets. The latter would be unrealistic, they said because botnets will continue to exist and attacks will happen.”
You can’t completely prevent hackers from remotely controlling IoT devices to create zombie botnets as part of DDoS attacks. But you can control your network security, and you can implement a sound DDoS protection solution, whether you bring it in-house or purchase protection via your Internet Service Provider or Hosting Provider.
For more information, contact us.
Starting in May 2018, any organization that operates in Europe or holds European resident data could be subject to severe penalties of up to 4 percent of global turnover or €20 Million if it fails to protect the data of European Union residents. This is per the European Union General Data Protection Regulation (EU GDPR), which was proposed in 2012 and finalized in April 2016, with enforcement going into effect on May 25, 2018. GDPR will become law in 2018 across all 28 EU member states.
According to the EU GDPR website, personal data is “Any information related to a natural person or ‘Data Subject’ that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.”
In the United States there are already numerous regulations to protect confidential and sensitive data, such as the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Payment Card Industry Data Security Standard (PCI DSS). This EU Parliament protection mechanism adds a new layer of organizational compliance responsibility.
The EU GDPR states: “The GDPR not only applies to organisations located within the EU but it will also apply to organisations located outside of the EU if they offer goods or services to, or monitor the behaviour of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.”
In this global economy there are many organizations across the globe that have customers or constituents who reside in Europe. Imagine a scenario in which your customer database is raided by hackers; theft of PCI or HIPAA data is becoming much more common, and companies are “on the hook” for protecting that data. The financial and legal ramifications are enormous.
How does this relate to distributed denial of service (DDoS) attacks, you may ask? Well, it is now well-known that hackers often use sub-saturating, low-threshold DDoS attacks as a means to divert attention from their real motive – usually data theft and network infiltration. Such smokescreen DDoS attacks are designed not to deny service but to allow cyber criminals to test for vulnerabilities within a network and monitor the success of new methods, without being detected. A sub-saturating DDoS attack can often result in a damaging, costly breach of sensitive data.
With EU GDPR on the horizon, the financial and legal risks associated with a sensitive data breach are extremely serious. Claiming to be ignorant of malicious activity on your network will not substitute for a defense. To keep up with the growing sophistication and organization of well-equipped and well-funded threat actors, it’s essential that organizations maintain comprehensive visibility across their networks to detect and block any potential DDoS incursions as they arise.
According to ComputerWeekly.com, “Organisations that have failed to heed advice not to wait until the publication of the final text of the GDPR before taking action will face the challenge of having only two years to implement all the necessary changes to their systems and operations to meet the new compliance requirements.”
Organizations can be fined up to 4% of annual global turnover for breaching GDPR or €20 Million, whichever is greater. Individuals may also sue entities for compensation, if they have been distressed by an entity’s lack of compliance with the data regulations.
There’s a stopwatch ticking on the EU GDPR website; as of this writing, organizations have 323 days to become compliant. The clock is ticking, so be sure to tighten up your network security before then. Not doing so could cost you a lot of money in penalty fees and lawsuits from individuals.
For more information, contact us.
In an interesting development a couple of weeks ago, the United States Computer Emergency Readiness Team (US-CERT) issued a rare bulletin, warning that a North Korean hacking team, dubbed Hidden Cobra, is actively targeting media, aerospace, financial, and critical infrastructure sectors in the United States and around the world.
According to the bulletin, North Korean hackers were responsible for several attacks that date all the way back to 2009, using DDoS botnets, keyloggers, remote access tools (RATs), and wiper malware. The North Korean hackers, also dubbed the Lazarus Group or Guardians of Peace, are believed to be linked to the WannaCry ransomware attack in May, which affected computers in over 150 countries.
The U.S. Department of Homeland Security and the Federal Bureau of Investigation are most concerned right now that the hacking group is using a botnet creation malware called DeltaCharlie that has been used to launch distributed denial of service (DDoS) attacks. According to the US-CERT bulletin,
“DeltaCharlie is a DDoS tool capable of launching Domain Name System attacks, Network Time Protocol attacks, and Character Generation Protocol attacks. The malware operates on victims’ systems as a svchost-based service and is capable of downloading executables, changing its own configuration, updating its own binaries, terminating its own processes, and activating and terminating denial-of-service attacks.”
One interesting aspect about the CERT bulletin is the list of “Mitigation Strategies,” which does not include the fundamental advice of using a DDoS mitigation hardware appliance or scrubbing service. The Bulletin does note: “Network administrators are encouraged to apply the following recommendations, which can prevent as many as 85 percent of targeted cyber intrusions.” That’s OK, unless the cyber intrusion falls into the remaining 15 percent category, I suppose.
On its own, the CERT alert is worrisome. But Cyber Security Intelligence published an additional piece of news last week that is noteworthy; i.e., the North Atlantic Treaty Organization (NATO) would consider a large enough cyber attack against one member an attack on them all. Twenty-nine nations are members of NATO; as cyber war becomes more common, it is more likely that a NATO member may be targeted by an outside nation state.
Before acting, NATO would require substantial evidence that an attack was coordinated by a nation-state, not just an ad hoc group of bad actors. However, figuring out who conducted an attack can take weeks, if not longer because it is extremely difficult for anyone to trace the origins of DDoS attacks. The source is typically 1) a legitimate third-party server, running a service which has been leveraged by an attacker as part of a reflection/amplification attack, or 2) a direct flood attack from a single device, or 3) a botnet of many devices in which the IP source addresses are easily spoofed to ones that cannot be associated with the attacker.
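The three source patterns listed above, together with the DNS/NTP/CHARGEN vectors named in the DeltaCharlie description and the sub-saturating versus volumetric distinction drawn in the earlier posts, can be put into a small defensive triage routine. The following is an added example written for this page, not Corero's code or any product's detection logic; it runs over constructed flow records, and the reflector port numbers, the 400-byte average-packet threshold, the link capacity and the sample addresses are all assumptions.

```python
"""Toy flow-record triage for reflection traffic (added example; thresholds and
addresses are assumptions, not values from the page)."""
from dataclasses import dataclass

# Well-known UDP ports of the three reflector services the bulletin names.
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 19: "CHARGEN"}

# Constructed flow records: "src:sport dst:dport proto bytes packets", all from
# one 10-second export window. 203.0.113.10 is the hypothetical protected host.
SAMPLE_FLOWS = """
# amplified responses from abused open resolver / NTP / chargen servers
198.51.100.5:53   203.0.113.10:34567 UDP 3000000 2000
198.51.100.6:123  203.0.113.10:34567 UDP 2400000 5000
198.51.100.7:19   203.0.113.10:34567 UDP 1000000 1000
# ordinary traffic to the same host, including a normal small DNS answer
192.0.2.8:44000   203.0.113.10:443   TCP 60000   400
192.0.2.9:53      203.0.113.10:51234 UDP 5000    40
# traffic to another host, which must not count against the victim
192.0.2.20:53000  203.0.113.20:80    TCP 9000    60
"""


@dataclass
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    nbytes: int
    packets: int


def parse_flows(text: str) -> list[Flow]:
    """Parse the constructed record format above; blank lines and '#' comments are skipped."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, proto, nbytes, packets = line.split()
        s_ip, s_port = src.rsplit(":", 1)
        d_ip, d_port = dst.rsplit(":", 1)
        flows.append(Flow(s_ip, int(s_port), d_ip, int(d_port), proto, int(nbytes), int(packets)))
    return flows


def is_reflection(flow: Flow, min_avg_bytes: int = 400) -> bool:
    """Amplified responses arrive *from* a reflector port as UDP with large packets.
    A small response from port 53 is just a normal DNS answer and is not flagged."""
    return (flow.proto == "UDP" and flow.sport in REFLECTOR_PORTS
            and flow.nbytes / flow.packets >= min_avg_bytes)


def classify_target(flows: list[Flow], dst: str, link_bps: float, window_s: float) -> dict:
    """Aggregate everything aimed at dst and size it against the link it shares.
    Below link capacity the traffic is 'sub-saturating': the link stays up, which is
    exactly why such attacks go unnoticed without per-flow inspection."""
    hits = [f for f in flows if f.dst == dst]
    bps = sum(f.nbytes for f in hits) * 8 / window_s
    vectors = sorted({REFLECTOR_PORTS[f.sport] for f in hits if is_reflection(f)})
    return {
        "bps": bps,
        "share_of_link": bps / link_bps,
        "profile": "volumetric" if bps >= link_bps else "sub-saturating",
        "vectors": vectors,
        "unique_sources": len({f.src for f in hits}),
    }


if __name__ == "__main__":
    verdict = classify_target(parse_flows(SAMPLE_FLOWS), "203.0.113.10",
                              link_bps=1_000_000_000, window_s=10)
    print(verdict)
```

On the sample data the victim receives about 5.2 Mbps spread over three reflection vectors, well under a 1 Gbps link, so it is reported as sub-saturating; the same flows against a 1 Mbps link are reported as volumetric.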
The specter of full-blown cyber warfare is hard to fathom; would it involve DDoS attacks on critical grid infrastructure, and/or financial institutions? Would hospitals, utilities and banking institutions be able to block such an attack? If not, then how long would it take them to recover from a DDoS attack?
There is no reason for alarm at this point, but there is cause for concern, in light of the recent tensions with North Korea, and the US-CERT bulletin, which stated,
“DHS and FBI assess that HIDDEN COBRA actors will continue to use cyber operations to advance their government’s military and strategic objectives.”
As political and cyber threat landscapes continue to evolve, this issue is worth watching.
South Korean financial institutions are bracing themselves for what may be an onslaught of distributed denial of service (DDoS) ransomware attacks in the next few days. That’s largely because last week a DDoS hacking group known as the Armada Collective launched a DDoS attack against the South Korean web hosting company Nayana. The company actually paid the ransom in Bitcoin, the equivalent of about 1 million USD.
It’s a case in point of how one highly publicized event, in which the targeted victim succumbs to the demand, causes the extortion game to spread like wildfire, inspiring other attackers to use the same extortion technique. According to BleepingComputer.com,
“According to local media, seven banks have received emails that asked the organizations to pay ransoms of nearly $315,000 or suffer downtime via DDoS attacks…Nayana's payment was the largest ransomware payment ever made and may have involuntarily put a giant bullseye on the backs of all South Korean businesses, now considered more willing to pay outrageous ransom demands to be left alone.”
In general, law enforcement agencies discourage companies from giving in to hackers’ demands. In this situation, the Financial Supervisory Service of South Korea has told local banks not to cave in to threats by DDoS attackers.
Besides the financial loss that a company may experience by paying the ransom, companies must consider another risk: i.e., that they still will be subject to a DDoS attack by the hacker. After all, caving in to the hackers’ demands offers no guarantee that the attackers will keep their word. Extortionists are not known for their moral code or integrity.
What if a hosting company like Nayana, or a financial institution, had adequate DDoS protection in place? Simply put, the hackers would not have any leverage, and the targeted company would not have to even think about paying any ransom. End of story.
Corero customers that have been faced with DDoS ransomware campaigns have allowed the threats to come and go without succumbing to the ransom requests. In some cases the attacks have been carried out due to “lack of payment,” with attackers launching a variety of attack techniques and methodologies, but the Corero SmartWall® Threat Defense system held strong, fending off any attacks. In other scenarios, DDoS attacks are first launched against the Corero customer, and ransom requests quickly follow, with the promise of ending the attacks after payment has been secured.
In either case, Corero customers have been successfully protected against these attacks with in-line, real-time DDoS protection. Attacks are detected and mitigated instantly, without disruption of good user traffic flow. Unfortunately, too many organizations operate reactively when it comes to DDoS defense, and only look to implement dedicated security solutions after a threat, or once attacks have occurred.
You may argue that it also costs money to purchase DDoS protection, and therefore your company wants to take its chances. When weighing the costs and risks, a company may ask: what is the likelihood that our company will undergo a DDoS attack? The answer depends, of course, on your industry and your network attack surface. It is safe to say that some industries are more prone to DDoS attacks; financial services, web hosting and Internet service providers are just a few of the industries that are commonly targeted. However, DDoS attacks are so easy and inexpensive to launch that it is increasingly likely that any company could be attacked.
Companies have choices in the type of DDoS protection, and they must find a solution that is cost-effective for them. If a company experiences frequent DDoS attacks, then it makes little sense to rely solely on a cloud scrubbing service, because “swinging out” bad traffic can be expensive. It also can be less effective because that approach depends heavily on human security agents noticing DDoS traffic, and it takes more time for the traffic to be rerouted.
DDoS mitigation solutions have evolved, and become more affordable, for companies of all sizes. Small to midsize enterprises can purchase DDoS protection as a service from their hosting or Internet Service Provider. Large enterprises can do the same, or they can have an on-premises DDoS protection appliance to protect their network.
DDoS ransomware attacks are preventable, and an ounce of prevention is worth a pound of cure. Read more about DDoS ransomware here.