For years, the rise of DDoS-for-hire services has caused an explosion of DDoS attacks. Due to their cheap price point and ease of access, they have revolutionised DDoS attacks by giving anyone and everyone access to a tactic that was once the preserve of ‘script kiddies’ with a decent understanding of coding. Nowadays, a quick search of Google and a spare $50 can put DDoS attacks into the hands of just about anyone.
Like any business owners, the attackers behind these services are always looking for new ways to promote them to potential buyers. For example, last week news surfaced about a mobile version of the attack-for-hire service that has gone up for sale on the Google Play store. This service is an update to an already formidable web version, called Ragebooter, which back in 2013 offered powerful distributed denial-of-service attacks capable of knocking individuals and websites offline. So, what does this new service mean for businesses and what are the potential consequences from it?
DDoS-For-Hire Services Are Evolving
The rise of DDoS-for-hire services comes at a time when DDoS attacks are becoming more sophisticated than ever. As these services evolve they have also become more commercial, by offering discounts and loyalty points and now launching a mobile platform to simplify the user journey. The cost of attacks has never been lower, with one DDoS service advertised on a Russian public forum offering attacks from as little as $50 per day. However, Kaspersky believes the average cost is more like $25 per hour, with cyber criminals making a profit of about $18 for every hour of an attack.
By offering such a low-cost, shared DDoS attack infrastructure, these services have attracted thousands of malicious customers and are responsible for hundreds of thousands of attacks per year. At the same time, criminals continue to seek new and cheaper ways to organise botnets for use in DDoS-for-hire attacks, so the plethora of unsecured connected devices that make up the Internet of Things continues to make life easier for them.
But while the cost of launching an attack has reduced so significantly, the costs incurred by the victims for lost revenue and reputation are significant. One can only imagine how many customers an online store could lose if an DDoS attack takes its website offline for an entire day’s trading.
All this makes for an extremely concerning future DDoS attack landscape. With DDoS-for-hire services evolving so quickly, and the capacity for future botnet-driven DDoS attacks growing incrementally, organizations must stay ahead of the game and take steps to ensure they remain protected. The best way for organizations to mitigate those attacks is to work together with internet providers to adopt the latest generation of inline, always on, DDoS protection.
To find out more, please contact us.
Response time in the event of an IT security incident is crucial. Part one of a response is detection; part two is mitigation. Organizations cannot afford to be slow in mitigating distributed denial of service (DDoS) attacks, no matter how large or small the attack. Obviously, in a world where most businesses rely on 24/7 uptime, any network downtime is unacceptable, so IT security teams tend to worry most often about volumetric, crippling attacks. Every minute of downtime resulting from a DDoS attack can cost tens of thousands of dollars—and that’s just the immediate financial loss. As a result of such attacks many service providers, hosting providers and online enterprises lose millions, and their reputation can be significantly harmed.
However, organizations must also guard against and respond immediately to the less visible, surgically-crafted, sub-saturating attacks, because it can take less than a minute for hackers to use a DDoS attack as a smokescreen. A low-threshold DDoS attack can take down traditional edge security solutions so hackers can then map and infiltrate a network to steal data or install malware or ransomware.
Although DDoS attacks have been around for over a decade, the scale and frequency of these attacks are even outpacing the capacity of most providers to be able to absorb them. The attack landscape is changing every day, and attackers are employing new techniques to increase the magnitude and sophistication of attacks and make them more difficult to mitigate using conventional approaches. Hackers now often deploy automated, multi-vector DDoS attacks, automatically throwing all kinds of packet traffic at the system, and changing their techniques on the fly. These techniques make it impossible for DDoS scrubbing centers or humans to respond quickly enough. Shorter, smaller attacks typically evade detection by most legacy and homegrown DDoS mitigation tools, which are generally configured with detection thresholds that ignore low-level activity. Furthermore, if a low-threshold attack is detected, legacy solutions that rely on “swinging out” traffic to be cleansed require too much time; up to twenty minutes, which is plenty of time for hackers to launch a damaging, long-lasting security breach.
Logically, an automated attack requires an automated defense. Without an automated anti-DDoS solution in place, a victim organization would have to constantly monitor and implement countermeasures via human intervention, or with a combination of tools. The Corero SmartWall® Threat Defense System not only uses advanced intelligent filters to ensure multi-vector attacks are stopped in real- time, but also leverages advanced security forensics to provide detailed visibility to determine the nature of the threat. This achieves an optimal level of intelligence and real-time mitigation.
When it comes to protecting your network, seconds matter. Automatic, surgical attack mitigation capabilities are essential to eliminating the DDoS threat.
For more information, contact us.
Academics from the University of Twente (Netherlands); UC San Diego (USA); and Saarland University (Germany) recently conducted research that found that one-third of all /24 networks have suffered at least one DoS attack over the last two years. The research also found that “an average of 3% of the Web sites in .com, .net, and .org were involved with attacks, daily.” The study results were presented in a report titled, “Millions of Targets Under Attack: a Macroscopic Characterization of the DoS Ecosystem,” which the researchers presented at last week’s Internet Measurement Conference in London. (Note that the research seems to refer to both denial of service attacks and distributed denial of service attacks as simply “DoS attacks.”)
Security experts have long recognized that DDoS attacks are an increasing problem, but it is helpful to have large-scale, independent research that validates what vendors and organizations observe. According to a SecurityWeek article, “By combining the direct attacks with the reflection attacks, the researchers discovered that the internet suffers an average of 28,700 distinct DoS attacks every day. This is claimed to be 1000 times greater than other reports have indicated.” To learn that the number of attacks is actually 1,000 times greater than previously thought is quite astounding, indeed. Perhaps it is a wake-up call to those who are unaware of the scope and gravity of the DDoS problem.
One of the most interesting findings from this report is that “low-level, even if repeated, attacks are largely ignored by the site owners. By correlating attacks with the time web sites migrated their DoS defense to third-party DPS companies, the researchers were able to determine what triggers the use of a DPS. They found, in general, that attack duration does not strongly correlate with DPS migration; but early migration follows attacks of high intensity.”
In other words, companies generally do not engage a DDoS protection system for low-level DDoS attacks, and if an attack doesn’t last very long, they don’t engage their third party DDoS protection system. That’s an unfortunate trend because companies can ill afford to ignore low-level, short-duration DDoS attacks. As other DDoS research has found, such attacks serve as a smokescreen for more damaging security breaches. Furthermore, Corero’s DDoS Trends Reports have consistently found that low-threshold DDoS attacks are much more common than volumetric attacks, and that most DDoS attacks are short in duration.
All combined, these findings suggests that many companies are leaving the door open to security breaches. Certainly, many companies are investing in all types of IT security to ward off threats that range from intellectual property theft, data theft, malware and ransomware. It costs a lot of time and money to implement those other security solutions, so it makes little sense to leave the figurative “barn door” open at the network perimeter. DDoS attack protection at the network edge is probably the most important line of defense.
Though the statistics are sobering and not very surprising, it is nonetheless refreshing and helpful to see academic research pertaining to the global scope of denial of service attacks. In this case, the research provides validation of the problem that Corero, along with many other experts and vendors, works hard to resolve.
Corero has been a leader in modern DDoS protection solutions for over a decade; to learn how you can protect your company, contact us.
Local municipal police forces seldom have the resources to track down cyber criminals, but the U.S. federal government has resources, and they want to help stem the surge of distributed denial of service (DDoS) attacks. Last week the U.S. Federal Bureau of Investigation (FBI) issued an appeal to organizations that have been victims of DDoS attacks to share details and characteristics of those incidents with an FBI Field office and the IC3.
Some may argue that it’s not worth reporting incidents because it’s too difficult to identify the hackers. However, in some cases, law enforcement agencies successfully track down perpetrators. As a case in point, GovInfoSecurity.com reported that at the Information Security Media Group's Fraud and Data Breach Prevention Summit in London,
“Detective Constable Raymond Black, a cyber investigating officer for the Metropolitan Police Service, highlighted the upsides of sharing attack information with police. He also emphasized that sharing attack details need not lead to an investigation being launched.
Black noted that a small case - initially not reported to police - involving a September 2015 SQL injection attack and extortion demand against a London-based cigar retailer helped crack the case involving the October 2015 hack attack against London telecommunications giant TalkTalk.”
The FBI wants to know about large and small DDoS attacks, and it requests the following incident details from victims:
- Identify the traffic protocol or protocols used in the DDoS attack - such as DNS, NTP, SYN flood;
- Attempt to preserve netflow and attack-related packet capture;
- Describe any extortion attempts or other threats related to the DDoS attack;
- Share all correspondence with attackers "in its original, unforwarded format";
- Provide information about themselves;
- Estimate the total losses they suffered as a result of the DDoS attack;
- Provide transaction details - if the victim paid a ransom or other payment in response to the attack - including the recipient's email address and cryptocurrency wallet address;
- Describe what specific services and operations the attack impacted;
- List IP addresses used in the DDoS attack.
There is no legal obligation to report attacks, so should organizations report every DDoS attack, large and small? That is an interesting question. No organization is completely immune to DDoS attacks, but some organizations undergo frequent attacks because they have 1) a large attack surface, 2) sensitive data that is worth stealing, or 3) a high profile that is subject to activist attacks. Some attacks are small and sub-saturating, intended to mask a more serious security breach. Others are volumetric attacks, intended to disable a website or business application. Gaming companies, financial service companies, hosting providers and Internet service providers are frequently targeted; if they reported every DDoS attack attempt, the FBI would be very busy, indeed.
No one wants to deal with the costs of a DDoS attack, or be bothered with reporting an incident to law enforcement. There’s no question that it’s better to mitigate an attack than be victimized by one. That’s why it makes sense to have an automated, real-time DDoS protection solution that not only detects and blocks DDoS traffic, but also provides sophisticated DDoS attack forensics.
For more information about how you can protect your network from DDoS attacks, contact us.
Today’s distributed denial of service (DDoS) attacks are almost unrecognizable from the early days of attacks, when most were simple, volumetric attacks intended to cause embarrassment and brief disruption. The motives behind attacks are increasingly unclear, the techniques are becoming ever-more complex and the frequency of attacks is growing exponentially. This is particularly true in light of automated attacks, which allow attackers to switch vectors faster than any human or traditional IT security solution can respond.
The combination of the size, frequency and duration of modern attacks represent a serious security and availability challenge for any online organization. Minutes or even tens of minutes of downtime or latency significantly impacts the delivery of essential services. When you combine these factors, victims are faced with a significant security and service availability challenge. Below are seven do’s and don’ts to ensure that your network is protected from DDoS attacks.
- Document your DDoS resiliency plan. These resiliency plans should include the technical competencies, as well as a comprehensive plan that outlines how to continue business operations under the stress of a successful denial of service attack. An incident response team should establish and document methods of communication with the business, including key decision makers across all branches of the organization to ensure key stakeholders are notified and consulted accordingly.
- Recognize DDoS attack activity. Large, high-volume DDoS attacks are not the only form of DDoS activity. Short duration, low-volume attacks are commonly launched by hackers to stress test your network and find security vulnerabilities within your security perimeter. Understand your network traffic patterns and look to DDoS attack protection solutions that identify DDoS attack traffic in real-time, and immediately remove large and small DDoS attacks.
- Don’t assume that only large-scale, volumetric attacks are the problem. DDoS attackers are getting more sophisticated; their objective is not only to cripple a website, but rather to distract IT security staff with a low-bandwidth, sub-saturating DDoS attack that is a smokescreen for more nefarious network infiltrations, such as ransomware. Such attacks typically are short duration (under 5 minutes) and volume, which means that they can easily slip under the radar without being detected or mitigated by a traffic monitor, or even some DDoS protection systems.
- Don’t rely on traffic monitoring or thresholds. Sure, you can notice when traffic spikes, but will you be able to distinguish between good traffic and bad traffic? And what would you do if you did see a spike? Could you block out only the bad traffic, or would your network resources be overwhelmed anyway? Monitoring your traffic and setting threshold limits is not a form of protection, especially if you consider that small, sub-saturating attacks often go unnoticed by threshold triggers.
- Don’t rely on an IPS or firewall. Neither an intrusion prevention system (IPS) nor a firewall will protect you. Even a firewall that claims to have anti-DDoS capabilities built-in has only one method of blocking attacks: the usage of indiscriminate thresholds. When the threshold limit is reached, every application and every user using that port gets blocked, causing an outage. Attackers know this is an effective way to block the good users along with the attackers. Because network and application availability is affected, the end goal of denial of service is achieved.
- Engage with a mitigation provider. Today many ISPs offer DDoS protection plans, either as a value-added service or a premium service. Find out whether your ISP offers free or paid DDoS protection plans. But contact your ISP long before you are attacked; if you don’t have DDoS protection in place and are already under attack, your ISP probably cannot immediately sign you up then block the DDoS traffic to your site. Alternatively, you could purchase an on-premises or virtual DDoS protection product. DDoS protection comes with diverse deployment possibilities; via an on-premises anti-DDoS appliance, or a virtual machine (VM) instance. Be sure to look for rich, real-time DDoS security event analytics and reporting along with automatic mitigation.
- Pair time-to-mitigation with successful attack protection. As you develop your resiliency plan and choose a method of DDoS protection, time-to-mitigation must be a critical factor in your decision-making process. Bear in mind that DDoS mitigation services can be a useful adjunct to an automated DDoS mitigation solution. However, a mitigation service alone is insufficient because 1) before a service is engaged, someone or something—a computer or human—must detect a DDoS attack in progress, and 2) it takes 20-30 minutes to redirect the “bad” traffic, thus allowing more nefarious security breaches to occur during that time. In the face of a DDoS attack, time is of the essence. Whether waiting a few minutes, tens of minutes, or even more time for a DDoS attack to be mitigated is not sufficient to ensure service availability or security.
Corero has been a leader in modern DDoS protection solutions for over a decade; to learn how you can protect your company, contact us.
Researchers have discovered a massive new botnet, dubbed ‘Reaper’ or ‘IoTroop’, targeting poorly-defended IoT devices to form a ‘zombie army’ of devices that could rock the entire Internet with a powerful DDoS attack. The botnet has reportedly already infected tens of thousands of devices across the globe and is said to have the potential to be even more powerful than the Mirai botnet that launched one of the most impactful cyberattacks of all time. An additional 2 million hosts have been identified, but not yet recruited by the botnet. Unlike Mirai, which works by scanning for and hijacking IoT devices with weak user name or password protection, the Reaper exploits integral vulnerabilities and turns infected devices into botnets that could potentially launch massive Distributed Denial of Service (DDoS) attacks.
Corero’s Security Operations Center has confirmed the spread of Reaper infected machines, to support the latest research. However, this should come as no surprise given that many IoT devices are poorly architected from a security perspective; they are prime targets for hacker infiltration and takeover. Aside from the personal privacy and security concerns that result from these security gaps, the bigger danger is that these connected devices can be harnessed by hackers for a variety of nefarious purposes including to launch dangerous DDoS attacks.
While IoT botnets are typically mobilized for use in DDoS attacks, Corero has yet to see evidence of these attacks in the wild. Industry experts predict that this botnet is intended for various DDoS booter services, available on the Dark Web.
Attackers are becoming more creative and using new techniques to wreak havoc with IoT botnets. These botnets can be rented for any duration, size and scale that the attacker pleases – and aimed at any target. So, it’s probably only a matter of time before the ‘Reaper’ botnet is launched for serious DDoS attacks. So, what exactly can organization do to protect their networks and customers from such attacks?
The sheer volume of devices involved poses a serious challenge. After all, any device that has an Internet connection and a processor can be exploited. For this reason, effective DDoS protection requires both instantaneous visibility into DDoS events, real-time mitigation as well as long-term trend analysis to identify changes in the DDoS landscape and deliver proactive detection and mitigation.
No one can control the security of IoT devices that they don’t own, but you can control your own protection against IoT DDoS attacks by implementing always-on, automated DDoS protection, which can monitor all traffic in real-time, negate the flood of attack traffic at the Internet edge, eliminate service outages and allow security personnel to focus on uncovering any subsequent malicious activity, before any damage has occurred. In addition, telecoms, as internet connectivity and managed security service providers, are more obligated than ever to protect both their networks and their customers, particularly with the modern technology available for them to do so.
For more information, please contact us.