Securing your APIs

Covering your APIs

Web APIs are not exactly a new technology. You can find an API for almost any service offered online. The reason for their popularity is not surprising: APIs make integration between applications easy and efficient. This inter-application communication allows partners to share data and resources efficiently, automating many tasks that would otherwise require human interaction.

This inter-application access is a double-edged sword. By design, these APIs allow external systems to access, and often manipulate, data and processes within your application. This exposes far more of your internal systems and operations than a web server ever could. Yet despite this risk, it is surprising how many companies fail to adequately protect their APIs.

Web APIs, at their heart, are just web requests.

They are transmitted via the HTTP protocol just like web pages. They are stateless transactions, just like web pages. It shouldn’t be any surprise, then, that web APIs need all the same protection that your web application does.

Use SSL Encryption:

I can’t think of a single web API use case where encryption is a bad idea. If we were talking about the same access to data, or the same functionality, on a website form, you wouldn’t hesitate to secure the web page with HTTPS; APIs that carry that same data and functionality, plus the authentication credentials submitted along with every request, deserve no less. Just because there is no browser warning to the user is no reason to skip an essential security step.

Validate parameters

Just like above, if this were a web form, you wouldn’t skip this, right? Just as with a web form, data validation protects you from malicious code, errors and plain nonsensical results. Unlike a web form, the direct submitter isn’t a rational, thinking person; any gaps or errors in the data on their side can cause an automated process to submit all kinds of interesting requests.

Web APIs are so much more than web requests.

APIs also grant an elevated level of access to your internal systems, above and beyond what is available in a typical web page. Furthermore, most API calls are made from within applications’ internal mechanisms, which aren’t going to read error messages or apply common sense to their inputs. This means that, compared to websites, APIs are an increased risk and need to be protected as such.

Use Strong Authentication / Authorization

Unlike web pages, which are generally published for public consumption, APIs are designed to share information with specifically authorized partners. There is an important distinction to be made between authentication and authorization. Typically, APIs use the same token for both and use the terms authentication token and authorization token interchangeably. Authentication proves the identity of the requestor; authorization deals with the permissions of the requestor. OAuth and authentication tokens are two common ways to implement strong authentication. For authorization, consider using access control standards like XACML to define what a user or role may access.

Restrict Methods

Web requests typically use GET or POST requests to retrieve or send data respectively. HTTP allows for many other lesser known methods like PUT, DELETE, or TRACE. These methods can have unexpected consequences on APIs if they are not properly handled. Restrict request methods to only those explicitly required by the API.

Lastly, your APIs are publicly available, and you need to be aware of what information is being leaked through them.

Provide Error Handling Routines

Mistakes happen: sooner or later your application will have to deal with unexpected inputs or events, some of which will cause errors in your application. The default error messages often contain sensitive information about the internal workings of your system.

Warning: mysql_connect() [function.mysql-connect]: Can’t connect to MySQL server on ‘localhost’ (10013) in /var/local/www/include/dbconfig.php on line 23

Failure to handle and censor these errors delivers sensitive information to the end user.

Employ Anti-fusking

Sequential or predictable IDs allow visitors to easily guess IDs of resources they shouldn’t have access to. Hash IDs or UUIDs obscure this information. By itself this might not seem like much of a risk, but combined with any other misconfiguration it makes an attacker’s job an order of magnitude easier.
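The four controls above (parameter validation, method restriction, censored errors and non-guessable IDs) in one place, as an added example that is not from the original post: a framework-free Python handler for hypothetical /orders endpoints, with a constructed in-memory store standing in for the database.

```python
"""Framework-free API front end showing the controls discussed above: a per-route
HTTP method allowlist, allowlist parameter validation, opaque (non-sequential)
IDs and censored errors. The /orders endpoints and store are constructed."""
import logging
import re
import secrets
from dataclasses import dataclass, field

log = logging.getLogger("api")

# Route table: each endpoint accepts only the methods it explicitly needs.
ROUTES = {
    re.compile(r"^/orders$"): {"GET", "POST"},
    re.compile(r"^/orders/(?P<order_id>[A-Za-z0-9_-]{22})$"): {"GET"},
}

# Parameter allowlist with type and bound checks; anything else is rejected.
PARAM_RULES = {
    "sku": {"type": str, "pattern": re.compile(r"^[A-Z0-9-]{3,32}$")},
    "quantity": {"type": int, "min": 1, "max": 1000},
}

class ApiError(Exception):
    """Client-facing error: an HTTP status and a message that is safe to return."""
    def __init__(self, status, message):
        super().__init__(message)
        self.status, self.message = status, message

@dataclass
class Response:
    status: int
    body: dict
    headers: dict = field(default_factory=dict)

def new_order_id():
    """128 random bits, URL-safe (22 chars): nothing to enumerate, unlike 1001, 1002..."""
    return secrets.token_urlsafe(16)

def validate_params(params):
    """Unknown keys, wrong types, malformed strings and out-of-range numbers all fail."""
    clean = {}
    for name, value in params.items():
        rule = PARAM_RULES.get(name)
        if rule is None:
            raise ApiError(400, f"unknown parameter: {name}")
        if type(value) is not rule["type"]:
            raise ApiError(400, f"{name}: expected {rule['type'].__name__}")
        if "pattern" in rule and not rule["pattern"].match(value):
            raise ApiError(400, f"{name}: malformed value")
        if "min" in rule and not rule["min"] <= value <= rule["max"]:
            raise ApiError(400, f"{name}: out of range")
        clean[name] = value
    return clean

class MemoryStore:
    """Constructed in-memory backend standing in for the real database."""
    def __init__(self):
        self.orders = {}

    def create(self, order):
        order_id = new_order_id()
        self.orders[order_id] = order
        return order_id

    def get(self, order_id):
        return self.orders[order_id]  # KeyError if unknown

def handle(method, path, params, store):
    """Dispatch one request, applying the controls in order."""
    try:
        for pattern, allowed in ROUTES.items():
            match = pattern.match(path)
            if match:
                break
        else:
            raise ApiError(404, "not found")
        if method not in allowed:
            # PUT, DELETE, TRACE, ... on an endpoint that never asked for them.
            return Response(405, {"error": "method not allowed"},
                            {"Allow": ", ".join(sorted(allowed))})
        if "order_id" in match.groupdict():                # GET /orders/{id}
            try:
                return Response(200, store.get(match["order_id"]))
            except KeyError:
                raise ApiError(404, "not found")
        if method == "POST":                               # POST /orders
            order = validate_params(params)
            if set(order) != set(PARAM_RULES):
                raise ApiError(400, "missing parameter")
            return Response(201, {"id": store.create(order)})
        return Response(200, {"count": len(store.orders)})  # GET /orders
    except ApiError as err:
        return Response(err.status, {"error": err.message})
    except Exception:
        # Full detail (backend message, file paths, stack trace) stays in the
        # server log; the client gets a generic message and a support reference.
        ref = secrets.token_hex(4)
        log.exception("unhandled error, ref=%s", ref)
        return Response(500, {"error": "internal error", "ref": ref})
```

A backend failure such as the mysql_connect warning above ends up in the server log under the returned reference, while the client body never contains the path or the database message.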

How DOSarrest can help protect your API:

Use DOSarrest VIP as API gateway

Most secure systems recommend separating your internal / sensitive systems from public systems via an intermediary perimeter network, commonly known as a DMZ. The DMZ, often protected by firewalls, serves as a control point restricting what is exposed from the internal zones.

The core design of DOSarrest VIP services functions exactly like an API gateway, restricting access to only what is explicitly permitted.

Protect APIs with Threat Detection / Removal

Web APIs by and large are far more computationally expensive than websites. Consequently, application DoS attacks are far more effective when targeting APIs.

DOSarrest is able to deal with DoS attacks and other threats like SQL injection at a scale much greater than any appliance could ever manage.

Use Proven Solutions

If it’s not tested, it’s not secure. One of the basic principles of security is to only use proven, tested solutions. At DOSarrest we have been providing internet security solutions for over 10 years. We are not an add-on service to another existing business. We are not generalists. DOSarrest was created to stop attacks, and that has been our focus since our inception.

Sean Power

Security Solutions Architect

DOSarrest Internet Security


DDoS attacks on UK businesses double in six months

Vulnerable IoT devices and DDoS-as-a-service drive surge in attacks

British businesses are under siege from a growing wave of DDoS attacks, as new figures reveal the number of incidents has almost doubled over the past six months.

UK organisations suffered an average of 237 DDoS attacks per month during Q3 2017, equivalent to eight attacks every single day. This figure is up by 35% from the previous quarter, and more than 90% compared to Q1 2017, according to a new report from DDoS mitigation firm Corero, based on data gathered from attack attempts against its customers.

DDoS attacks work by flooding a target server with so much traffic that it falls over, disrupting normal operations and knocking any related systems or services offline. The tactic is a perennial favourite of cyber criminals and malicious pranksters, as it is cheap and easy to execute.

This has become even more true in recent years. The leaking of the Mirai source code, used to take down a DNS firm providing access to high profile sites like Twitter, has led to an explosion in botnets populated by thousands of unsecured IoT devices, and dark web marketplaces now allow non-technical users to cheaply hire DDoS services that can be directed against whomever they choose.

“The growing availability of DDoS-for-hire services is causing an explosion of attacks,” said Corero CEO Ashley Stephenson, “and puts anyone and everyone into the crosshairs. These services have lowered the barriers to entry in terms of both technical competence and price, allowing anyone to systematically attack and attempt to take down a company for less than $100.”

Cyber criminals are also getting smarter about how they deploy DDoS attacks, the research reveals. Rather than simply using sustained, high-volume attacks, criminals are instead targeting multiple layers of a company’s security simultaneously with short bursts of traffic.

“Despite the industry fascination with large scale, internet-crippling DDoS attacks,” said Stephenson, “the reality is that they don’t represent the biggest threat posed by DDoS attacks today.”

“Often lasting just a few minutes, these quick-fire attacks evade security teams and can sometimes be accompanied by malware and other data exfiltration threats. We believe they are often used in conjunction with other cyber attacks, and organisations that miss them do so at their peril.”


The Internet of Things could easily be the Internet of Threat

With more devices connecting and communicating with each other, we run the risk of one particular threat on the Internet: botnets.

The Internet of Things (IoT), unlike SMAC (Social Mobile Analytics Cloud), moved faster from being an industry buzzword to reality. However, what needs to be examined is whether businesses are prepared to fully leverage IoT.

The McKinsey Quarterly for March 2010 defined IoT as: “sensors and actuators embedded in physical objects—from roadways to pacemakers—are linked through wired and wireless networks, often using the same Internet Protocol (IP) that connects the Internet. These networks churn out huge volumes of data that flow to computers for analysis. When objects can both sense the environment and communicate, they become tools for understanding complexity and responding to it swiftly.”

Essentially, this is vast volumes of information exchanged primarily between devices. This has several benefits for organizations. One use case that illustrates this is predictive maintenance.

Machines enabled with sensors and connectivity give businesses the real-time capability to measure production equipment, allowing for cost-effective approaches to maintenance that can improve both factory productivity and capacity utilization by avoiding breakdowns. In effect, businesses can now move from a repair-and-replace model to one of predict and prevent.

Predictive maintenance and city-wide systems are just two use cases. There are several more that straddle retail environments, offices, and vehicles.

However, with more devices connecting and communicating with each other, we run the risk of one particular threat on the Internet: botnets. A botnet is a group of computers/devices connected in a coordinated fashion for malicious purposes, wherein each node within the botnet is referred to as a bot.

Botnets give rise to DDoS (Distributed Denial of Service) attacks much like the one in 2016 that affected ISPs in India, which was in the range of 200 gigabytes per second. At Akamai, we have successfully defended against DDoS attacks exceeding 620 Gbps. What’s important to focus on is not only the size of the attacks but the prevalence of them. In an age where IoT is supposed to be making things better, scope for equally nefarious applications of useful technology exist.

In India, IoT adoption is growing. According to a NASSCOM report titled IoT in India: The Next Big Wave, the IoT market in India is poised to reach USD 15 billion by 2020 accounting for nearly five percent of the total global market.

As the number of devices connecting with each other increases, so does the attack surface. India is already a prime target (and source) of web application attacks. According to data in our Second Quarter, 2017 State of the Internet / Security Report, India is second (after China) on the list of Asia Pacific countries that sourced the most web application attack traffic, with close to 12,000,000 (12 million) web application attacks attributed to the country.

While this is a significant number, India also ranks 8th in the list of target countries for Web Application Attacks, globally.

The growth and use cases in IoT are not all for naught, however. While the threat looms, there are ways out. What’s required is awareness and standardization of processes. Threats and remedies to internet-based vulnerabilities are constantly evolving and at times depend on the individual capabilities within organizations. Going forward, there should be a constant exchange of information across organizations.

At a broad level, organizations do collaborate with CERT-In, the Indian Computer Emergency Response Team. While it’s truly positive to see increased information sharing between individual organizations and the government entity tasked with the nation’s cybersecurity effort, what would be more impactful is for organizations to come together, as a collective, to address the problem and agree on how best to move forward to safeguard their IP and their users.


Distributed-Denial-Of-Service Attacks And DNS

Distributed-denial-of-service (DDoS) attacks have become the scourge of the internet. DDoS attacks use compromised internet devices to generate enormous volumes of data and direct that data at a particular target such as a web server or router. That target either keels over due to some critical resource becoming exhausted, or it finds its connection to the internet saturated by garbage traffic.

DDoS attacks are simultaneously cheap to carry out and expensive to defend against. Almost anyone can order a DDoS attack against any target with no technical knowledge required. All that’s necessary is a website from which to order the attack (yes, such things exist) and some bitcoins with which to pay for it. The attacks generally use botnets with devices that have been compromised and infected with malware. Building internet infrastructure capable of withstanding the volume of data generated by a botnet requires costly over-engineering, commercial DDoS mitigation services or both.

Unfortunately, DDoS attacks have a special relationship to the Domain Name System: DDoS attacks both target and exploit DNS servers. By “target,” I mean that attackers frequently direct DDoS attacks at an organization’s authoritative DNS servers. These are the DNS servers responsible for advertising your DNS data to the rest of the internet; a successful DDoS attack against them will render your customers unable to visit your website or send you email. Every organization with a presence on the internet must have a set of authoritative DNS servers, and given even the most basic information — for example, one of your email addresses or the domain name of your website — a would-be attacker can find the names and addresses of those DNS servers, giving them a list of targets.

A particularly notable DDoS attack on authoritative DNS servers was the attack on Dyn in October 2016. Attackers used the Mirai botnet to overwhelm Dyn’s DNS servers with a whopping 1.2 terabits per second of traffic. Dyn’s DNS servers couldn’t respond to legitimate DNS queries under the load, which left Dyn’s customers — including the New York Times, Reddit, Tumblr and Twitter — unreachable.

However, DNS servers are not just opportune targets of DDoS attacks. Clever attackers will use DNS servers to make their attacks more effective and to conceal their origins. This is possible for two main reasons: 1) Relatively small DNS queries can elicit large responses, and 2) DNS works over a “connectionless” protocol that’s easily spoofed.

Let’s discuss the first issue: DNS queries are generally small (less than 100 bytes long). However, they can generate much larger responses (4,000 bytes or more). This is what we refer to as amplification. In this case, the amplification factor is 4,000 bytes/100 bytes, or 40x.

Amplification wouldn’t be a problem if DNS responses were always sent back to the source of the query. However, DNS’s use of the User Datagram Protocol (UDP) makes it easy to spoof queries — that is, to send queries that look as though they came from another address. UDP is connectionless: Each UDP “datagram” is independent, like a postcard sent through the postal service rather than a text message in a stream of such messages. All an attacker needs to do is to use the address of his target as the source address in the packet that contains a DNS query — like writing a bogus return address on a postcard — and the DNS server will send the reply to the target rather than the real source of the query.

This makes it easy to enlist DNS servers as unwitting accomplices in a DDoS attack. An attacker can use a botnet to generate a high volume of queries to well-connected DNS servers on the internet, spoofing the source address of their target, and the DNS servers amplify the query traffic into a larger volume of response traffic. Moreover, the traffic that arrives at the target comes from the DNS servers rather than the attacker, making it difficult to trace the attack back to its origin.

Thankfully, there are several mechanisms that can help DNS servers defend against DDoS attacks. One is “anycast,” a configuration technique that lets a distributed group of DNS servers share a single address. The internet’s routing infrastructure directs queries sent to that address to the closest DNS server in the anycast group. This is efficient, of course, but it also implies that an attack launched from one part of the internet can only reach a single DNS server in an anycast group at any time. For example, a DDoS attack using a botnet based in China and targeting the anycast address used by a group of DNS servers would find all of its traffic directed to the closest DNS server in the anycast group. As a result, many organizations, including most DNS hosting companies, use anycast to make their DNS infrastructures resistant to DDoS attacks.

Newer DNS servers also incorporate a mechanism called Response Rate Limiting (RRL) to prevent their use as amplifiers in DDoS attacks. RRL limits the rate at which a particular response is sent to the source of a query. For example, if a DNS server receives too many queries for the same records from the same address, it will throttle responses to that address. If the source of the queries is legitimate, this won’t cause a problem: it will have cached the response, making duplicate responses unnecessary. But if the queries are spoofed and the DNS server is being used as an amplifier, this limits the amplification and therefore the damage it can do.
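The amplification arithmetic and the RRL behaviour described above, as an added example that is not from the original article: a Python model of a per-netblock token bucket in the style of BIND’s RRL (a responses-per-second limit plus “slip”, where every slip-th excess query gets a truncated TC=1 reply so a legitimate client can retry over TCP), replayed over a constructed flood of spoofed queries rather than captured traffic.

```python
"""Model of DNS amplification and Response Rate Limiting (RRL). Added example;
the query stream below is constructed, not captured traffic."""
from collections import Counter, defaultdict
from dataclasses import dataclass

QUERY_BYTES = 100        # small query, as in the text
RESPONSE_BYTES = 4000    # large response, as in the text: 40x amplification
TRUNCATED_BYTES = 60     # header-only reply with TC=1, carrying no amplification


def amplification_factor(query_bytes, response_bytes):
    """Bytes returned per byte sent; 4000 / 100 gives the text's 40x."""
    return response_bytes / query_bytes


@dataclass
class Query:
    t: float     # arrival time in seconds
    src: str     # claimed source address (trivially spoofed over UDP)
    qname: str
    qtype: str


def netblock(addr):
    """Aggregate IPv4 sources per /24, as RRL implementations do by default."""
    return ".".join(addr.split(".")[:3]) + ".0/24"


class ResponseRateLimiter:
    """Token bucket per (source /24, qname, qtype), modelled on BIND's RRL: at most
    `responses_per_second` identical answers to one netblock, and every `slip`-th
    excess query gets a truncated (TC=1) reply rather than silence, so a genuine
    client whose address is being spoofed can still retry over TCP."""

    def __init__(self, responses_per_second=5, slip=2):
        self.rate = responses_per_second
        self.slip = slip
        self.buckets = defaultdict(
            lambda: {"tokens": float(responses_per_second), "last": 0.0, "excess": 0})

    def decide(self, q):
        b = self.buckets[(netblock(q.src), q.qname, q.qtype)]
        # Refill in proportion to elapsed time, never above one second's allowance.
        b["tokens"] = min(float(self.rate), b["tokens"] + (q.t - b["last"]) * self.rate)
        b["last"] = q.t
        if b["tokens"] >= 1.0:
            b["tokens"] -= 1.0
            return "answer"
        b["excess"] += 1
        return "slip" if b["excess"] % self.slip == 0 else "drop"


def serve(queries, limiter=None):
    """Replay queries through the server; return bytes sent per destination address
    and a count of verdicts (answer / drop / slip)."""
    sent, verdicts = defaultdict(int), Counter()
    for q in queries:
        v = limiter.decide(q) if limiter else "answer"
        verdicts[v] += 1
        if v == "answer":
            sent[q.src] += RESPONSE_BYTES
        elif v == "slip":
            sent[q.src] += TRUNCATED_BYTES
    return dict(sent), verdicts


def spoofed_flood(victim, count, seconds):
    """Constructed (simulated) botnet traffic: `count` identical queries carrying the
    victim's address as source, spread evenly over `seconds`."""
    return [Query(i * seconds / count, victim, "example.com", "ANY") for i in range(count)]


if __name__ == "__main__":
    flood = spoofed_flood("203.0.113.7", 1000, 10.0)
    plain, _ = serve(flood)
    limited, verdicts = serve(flood, ResponseRateLimiter())
    print("attacker sent    :", len(flood) * QUERY_BYTES, "bytes of queries")
    print("victim, no RRL   :", plain["203.0.113.7"], "bytes")
    print("victim, with RRL :", limited["203.0.113.7"], "bytes", dict(verdicts))
```

With the default 5 responses per second, the 1,000-query flood yields only a few dozen full-size answers at the victim, while a resolver that caches the answer and asks again later is never throttled.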

Companies need to anticipate the possibility that their DNS services could be the target of these attacks. Without DNS, all internet applications and services are unreachable, bringing business to a grinding halt. In fact, recent research from Infoblox found that 24% of companies lost $100,000 or more due to downtime from their last DNS attack. Today, far too many businesses put all their eggs in one basket, relying on a single cloud-based DNS provider, leaving them vulnerable to an attack like we saw on Dyn.


Are they prepared: The healthcare industry’s fear of the cyber threat

Infoblox report finds 1 in 4 UK healthcare IT professionals aren’t confident in their organisation’s ability to respond to cyber attacks.

Technology is booming in healthcare organisations with digital transformation policies leading to increased adoption of connected medical devices, big data analytics for faster and more accurate diagnoses, and paperless systems for the easy exchange of patient information.

As technology becomes more ingrained into core healthcare offerings, there is an increased threat of cyberattacks disrupting services, stealing sensitive patient data, and putting lives at risk. Infoblox commissioned a survey of UK and US healthcare IT professionals to gain a better understanding of whether the healthcare industry is adequately prepared to combat this evolving threat.

Ready for ransomware

Following the significant disruption caused to the NHS by WannaCry in May 2017, many healthcare organisations are preparing themselves for further ransomware attacks. One quarter of participating healthcare IT professionals reported that their organisation would be willing to pay a ransom in the event of a cyber attack. Of these, 85% of UK respondents have a plan in place for this situation.

Dangerous operating systems

The number of connected devices on healthcare organisations’ networks is exploding, with 47 per cent of the large healthcare organisations surveyed indicating that they are managing over 5,000 devices on their network.

One in five healthcare IT professionals reported that Windows XP, which has been unsupported since April 2014, is running on their network. 18 per cent indicated that connected medical devices on their network are running on the unsupported operating system, leaving organisations open to exploitation through security flaws in these unpatched devices.

Patching outdated operating systems is impossible for the 7% of IT professionals responding that they don’t know what operating systems their medical devices are running on. Even when the operating system these devices run on is known, a quarter (26%) of large organisations either can’t or don’t know if they can update these systems.

Investing against the threat

85% of healthcare IT professionals reported that their organisation has increased their cyber security spending in the past year, with 12% of organisations increasing spending by over 50%.

Traditional security solutions are the most popular, with anti-virus software and firewalls the solutions most invested in over the past year, at 61% and 57% respectively.

Half of organisations have invested in network monitoring to identify malicious activity on the network; one third have invested in DNS security solutions, which can actively disrupt Distributed Denial of Service (DDoS) attacks and data exfiltration; and 37% have invested in application security to secure web applications, operating systems and software.

Rob Bolton, Director of Western Europe at Infoblox said: “The healthcare industry is facing major challenges that require it to modernise, reform and improve services to meet the needs of ever more complex, instantaneous patient demands. Digital transformation presents a massive opportunity to support the doctors and nurses who work tirelessly – but these new technologies also introduce new cyber risk that must be mitigated.

The widespread disruption experienced by the NHS during the WannaCry outbreak demonstrated the severe impact to health services that can be caused by a cyberattack. It’s crucial that healthcare IT professionals plan strategically about how they can manage risk within their organisation and respond to active threats to ensure the security and safety of patients and their data.”

The report includes a case study on how Geisinger Health uncovered malicious activity on its network and was able to quickly and accurately identify the offending device, containing the malware before it spread throughout the network.

Commenting on the event, Rich Quinlan, senior technical analyst at Geisinger Health, said: “In spite of all the conventional steps we take to protect our internal network, patient care could still be affected. We could have an entire hospital full of useless ultrasound devices because one was brought in with a virus and we have no control over them. And if it was able to exfiltrate data, we would have a compliance issue.”


Man charged for using vDOS hacker for hire against Minnesota firm

Federal prosecutors are charging John Kelsey Gammell, 46, with using hackers for hire to launch DDoS attacks against former employers and other companies.

Gammell has been charged with intentional damage to a protected computer. According to court records, authorities say he made monthly payments between July 2015 and September 2016 to services like the now defunct vDOS platform, along with others, to launch periodic attacks and bring down Washburn Computer Group in Monticello, Minn.

Authorities say Gammell also used these services on at least half a dozen other companies as well.

Gammell’s attorney, Rachel Paulose, argues that her client never personally attacked the company and that authorities instead should focus their efforts on the hackers for hire.

“The government has failed to charge a single one of those ‘cyber hit men’ services, named and evidently well known to the government,” Paulose said according to the Star Tribune. “Instead the government’s neglect has allowed the professional cyber hit men for hire to skip off merrily into the night.”

Paulose added that the Washburn attacks were essentially a prank on a dormant site not doing business. If convicted Gammell could serve between 15 and 17 years in prison.


Boston Globe hit by denial of service attacks

The Boston Globe was hit with a second day of attacks by unknown cyberassailants Thursday, leaving and the company’s other websites unavailable for parts of the day.

The Globe’s websites and internal servers were subjected to a distributed denial-of-service, or DDoS, attack, one of the most common forms of computer vandalism. DDoS attackers commandeer hundreds or thousands of computers and other digital devices that are owned by law-abiding users around the world.

These machines are secretly infected with malware that allows attackers to create a so-called botnet that can swamp a target with so much data that its networks become overwhelmed and cannot operate.

Kevin Whalen, a spokesman for digital security company Arbor Networks Inc. of Burlington, said his company has tracked 7.1 million DDoS attacks this year, or about 23,000 a day. Whalen said such attacks have become more common because almost anyone with Internet access and a few dollars can launch them.

“For very short dollars, you can hire someone with a botnet infrastructure to launch an attack against someone you’re upset with,” Whalen said.

As of Thursday afternoon, nobody knew who attacked the Globe network or why. Many DDoS attackers are never identified.

Wade Sendall, the Globe’s vice president of information technology, said the first attack came around 3 p.m. Wednesday. “We think it was a probe,” he said, aimed at testing the Globe network’s defenses and figuring out the best ways to get past them. Even so, the probe repeatedly disrupted the newspaper’s telephones and the editing system used to prepare content for print and online editions.

The attacks resumed around 11 a.m. Thursday, making it impossible for many Globe employees to do their jobs and rendering inaccessible for many readers. By mid-afternoon, Globe technicians and specialists from the company’s Internet provider had set up effective defenses.

“It’s been mitigated for the time being,” Sendall said, “but there’s no reason to think they won’t come back.”

Indeed, Internet security engineers have been fending off DDoS attacks for two decades. While they’ve gotten better at it, the risk of such attacks can never be entirely eliminated.

“It will always be possible to do this,” said Theresa Abbamondi, an Arbor director of product management. “As long as you can send traffic to someone, which is the point of the Internet, you can always send too much traffic.”


Hackers hired for year-long DDoS attack against man’s former employer

US federal prosecutors in Minnesota have charged a 46-year-old man with hiring a cyberhitman – well, technically, three hacking services – to launch a year-long campaign of distributed denial of service (DDoS) attacks on his former employer.

Prosecutors say that John Kelsey Gammell, 46, contacted seven DDoS services and paid monthly subscriptions to three of them in order to bring down Washburn Computer Group, a point-of-sale system repair company in Monticello, Minnesota. Between July 2015 and September 2016, Gammell also allegedly used the services to go after a slew of other targets, including the networks of the Minnesota Judicial Branch, Hennepin County, several banks and a few employment contracting companies he worked at.

According to the Star Tribune, Gammell rejected a plea deal when he appeared in a Minneapolis court last week. The deal would have resolved all charges and capped his possible prison sentence at a mandatory 15 to 17 years. The newspaper reports that a federal magistrate is reviewing motions to dismiss the case or suppress evidence.

In a criminal complaint filed in April 2017, FBI Special Agent Brian Behm said in a sworn affidavit that when Washburn first began experiencing shutdowns of multiple websites, server log files weren’t any help in finding the culprit. That’s because the IP addresses connected to the DDoS attack led back to a US-based virtual private network (VPN) that anonymized the true source of incoming internet access. Like many anonymizing services, the VPN didn’t maintain logging information to show who was using it, Behm explained.

But two taunting emails asking Washburn if the company had any “ongoing IT issues” that they needed help with – sent while the DDoS attacks were ongoing – were a whole lot easier to track. Google and Yahoo, both under grand jury subpoenas, coughed up the IP addresses associated with the email accounts that sent the jeers, which were accompanied by the image of a laughing mouse. The FBI says that the Gmail account and the Yahoo account that sent the messages were created with an IP address associated with Gammell’s home address and an AT&T cellphone number that pointed to Gammell as the subscriber.

A search warrant served on Google showed that between May 2015 and September 2016, Gammell allegedly showed interest in, or made purchases at, seven DDoS-for-hire sites. Also known as “booters” or “stressers,” these sites charge monthly subscription fees for buyers to direct DDoS attacks against IP addresses or websites of their choosing. You get what you pay for: the premium plans boost the duration and intensity of the attack.

Based on emails, Gammell allegedly had three favorite cyber goon squad services: cStress, vDOS and Prosecutors say he shelled out about $235 to, ranging from the basic “All Included” $19.99 service to the “Premium” service at $39.99. His monthly payments to the services went as high as $199. is offline, but Behm says he found an archived main page that shows that the “Premium” package could be used to “Stress Large Servers and Websites,” that it was capable of “Full Hour Stresses,” and that it provided “30Gbps of Dedicated Bandwidth” and “Unlimited Boots.”

For a criminal enterprise, it was all very cordial, all very professional. Behm says he found an email thanking Gammell for his purchase from another DDoS-for-hire service called inboot. In upgrading to “diamond” monthly membership at, Gammell allegedly praised the service and told his correspondent that he recommends it to others.

Why the persistence, and money spent, in allegedly plaguing a former employer? According to the criminal complaint, Gammell had worked at Washburn for 17 years and had left, under good terms, three and a half years ago. But a dispute boiled up over payment for training services Gammell had provided after he left the company.

According to the Star Tribune, Gammell’s attorney, Rachel Paulose, has argued that it wasn’t Gammell that attacked Washburn. No, it was the “cyberhit men,” she said: why not go after them?

The government has failed to charge a single one of those ‘cyberhitmen’ services, named and evidently well known to the government. Instead the government’s neglect has allowed the professional cyberhitmen for hire to skip off merrily into the night.

Funny thing about that: skipping off merrily into the night doesn’t exactly describe what happened to at least one of Gammell’s purported favorite hitmen services. “Getting busted by Israeli police” is more like it. Back in September 2016, two Israeli teenagers – the co-owners behind vDOS – had their service taken down by a massive hack, and the two 18-year-old men were arrested.

And all the evidence the FBI got from a known security researcher about vDOS? Toss it, Paulose says: the data could have been obtained through hacking.

The Washburn attacks were “essentially a prank on a dormant site not doing business,” she said.

The Star Tribune quoted this comeback from Assistant U.S. Attorney Timothy Rank:

Even if Mr. Gammell thinks it’s a prank, it’s a criminal prank.

Gammell is facing a charge of “knowingly [causing] the transmission of a program, information, code, or command, and as a result of such conduct, intentionally [causing] damage without authorization, to a protected computer.”


The dangers of DDoS overconfidence for European businesses

Is your organisation properly equipped to deal with a DDoS attack?

With cyber-attacks hitting headlines on an almost daily basis, from ransomware to data breaches and, increasingly, DDoS attacks, there is no doubt that today’s cybercriminals are becoming more sophisticated. Take the Mirai botnet attack that targeted Dyn in October 2016, for instance. This high-profile attack disrupted the likes of Twitter, Amazon and even the BBC, and is a perfect example of how cybercriminals are taking advantage of connected devices to carry out cyber-attacks en masse. The recent news of the Reaper botnet only adds fuel to the fire; it is said to have the potential to carry out even bigger DDoS attacks than last year’s Mirai botnet.

The threat of DDoS attacks to European businesses across all industries is real. Despite warnings in the media, however, many businesses are confident in their preparedness to withstand a DDoS attack. Reality doesn’t paint the same pretty picture, and businesses’ overconfidence in their DDoS mitigation could actually be putting them in great danger.

The rise of DDoS

Our own research shows it isn’t just the number of DDoS attacks that is growing – the likelihood of being attacked is also on the rise. In 2014, the number of DDoS attacks grew by just 29% year on year, where attacks were mostly targeted at the online gaming industry. But in 2015, attacks grew by an astounding 200% – and these attacks were aimed at the online gaming industry, as well as public sector bodies and financial services too.

Businesses don’t just need to take into account the volume of attacks; the size of attacks is also growing at a somewhat alarming rate. While the largest attack detected in the first half of 2015 was 21 Gbps, in 2016 the largest attack was almost three times that size, at 58.8 Gbps.

With DDoS attacks becoming a bigger threat to businesses than ever before, CDNetworks investigated the preparedness, investment and confidence of more than 300 businesses across the UK and DACH. While the research shows that European businesses are taking notice, and 64% are set to increase their investment in DDoS mitigation in the next 12 months, the danger is that this investment will simply not be enough.

More investment, less risk?

Even though 79% of businesses rate the likelihood of their infrastructure being attacked as likely to almost certain, many believe they aren’t actually at risk of suffering a DDoS attack. In fact, the combination of widespread, recent and growing investment in DDoS mitigation has led to overwhelming confidence: 83% of respondents are either confident or very confident in both their current DDoS mitigation arrangements and in how resilient they would be in two years’ time.

But not everyone shares these high levels of confidence. A sizeable minority (44%) of businesses harbour doubts about their preparedness and believe they are currently underinvesting in DDoS mitigation.

The dangers of overconfidence

While recent high-profile DDoS attacks seem to have motivated businesses to invest in DDoS mitigation technologies, a closer look at the number of attacks that have actually taken place suggests this confidence is misplaced. When asked about the frequency of DDoS attacks, 86% confirmed they had suffered a DDoS attack in the last 12 months.

But if confidence is to be shown to be complacency, the number of attacks isn’t what matters; it is the number of successful attacks that is key. Despite the amount of money companies are investing, and the confidence they have in their DDoS mitigation technology, more than half of respondents (54%) suffered at least one successful attack in the past year. That is a real gap between perceived preparedness and reality, not merely a difference of opinion.

The complacency of businesses is also echoed in how they believe DDoS will impact them. In short, until you have experienced a successful attack, you cannot really appreciate the damage it can do to your business.

Administrative staff are largely oblivious to how their reputation may be affected by failing to protect the business from a DDoS attack, while the C-suite cannot deny it would affect their view of the IT team, and was the group most likely to rate the impact as catastrophic. Understandably, heads of IT felt the damage most keenly, being the most convinced that their department’s reputation would suffer some or serious impact. IT heads therefore need to bear in mind that DDoS attacks are not only commercially damaging; they will also affect their own prospects.

Ensuring DDoS mitigation

The good news is that enterprises can ensure their DDoS mitigation is not under-provisioned. First, they need to perform a vulnerability assessment to identify where gaps lie in their systems and network defences. An extensive review of a network’s strengths and weaknesses will show where vulnerabilities lie and determine whether the DDoS mitigation tools already in place are fit for purpose. Such an assessment will highlight the services and technology needed to protect the business against DDoS. Bear in mind that a conventional vulnerability scan tells you about exploitable weaknesses, not about how much traffic your links and mitigation capacity can absorb; measuring that requires a controlled DDoS simulation against a production-like environment, agreed in advance with your upstream and mitigation providers.

Businesses also need to prepare for the worst. The lucky few that have not yet fallen victim to DDoS attacks are the ones that underestimate their severity, and regardless of confidence, business continuity must be a key part of DDoS planning. DDoS attacks can have catastrophic financial, legal, regulatory and brand reputation effects, so aside from the technical requirements of duplicating information and ensuring that recovery time objectives (RTO) and recovery point objectives (RPO) match business needs, there are also procedural requirements businesses need to consider. Identifying the crisis team and any security partners ahead of time, for example, and having a communications plan in place will ensure partners, employees, customers and the media are kept informed if an attack does take place.

Finally, with cybercriminal activity becoming more sophisticated, businesses need to be prepared in case a DDoS attack comes with a ransom demand. In such circumstances, paying cybercriminals is not recommended. Instead, businesses should consider having insurance policies in place. There will be some instances where cybercriminals win, and insurance against data breaches and other types of attack will help to offset some of the damage.


DDoS attacks increasing once again

Major cyber assaults are on the rise again, a Kaspersky Lab report claims.

DDoS attacks are on the rise again as criminals turn to brute force attacks once more, new research has claimed.

The latest DDoS Intelligence report from Kaspersky Lab, covering the third quarter of 2017, says there has been an increase in the number of countries where resources have been targeted.

The number of attacks against gaming and new financial services has also grown.

Kaspersky Lab says resources in 98 countries were DDoSed this quarter, up from 86 the quarter before. Looking at the top ten countries in terms of number of targets, Russia is up from seventh to fourth place, while France and Germany pushed Australia and Italy out of the list.

The top 10 most popular host countries for botnet command servers include Italy and the UK, moving Canada and Germany out of the picture.

The share of Linux botnets is growing: they now account for 70 per cent of all attacks in Q3, up from 51 per cent in Q2.

The report also says cybercriminals are moving to more sophisticated attacks. It gives as examples the WireX botnet, which spread via apparently legitimate Android apps, and the Pulse Wave technique, which increases the power of DDoS attacks by exploiting weaknesses in hybrid and cloud mitigation setups.

Kaspersky has also observed an increase in the variety of targets.

“Entertainment and financial services – businesses that are critically dependent on their continuous availability to users – have always been a favourite target for DDoS attacks. For them, the downtime caused by an attack can result not only in significant financial losses but also reputational risks that could result in an exodus of customers to competitors,” says Kirill Ilganaev, Head of Kaspersky DDoS Protection at Kaspersky Lab.

“It’s not surprising that gaming services with multi-million turnovers attract the attention of criminals and that new types of financial sites have come under attack. What is surprising, however, is that many companies still don’t pay enough attention to professional protection against DDoS attacks. The recommended approach for these companies is to delegate protection from DDoS attacks to a reliable supplier with deep knowledge of cyberthreats and the methods of combating them, and to reassign the IT resources that are freed up to the development of the business.”