“The amount of traffic, or bandwidth, that is able to be generated and used as a weapon is at an all-time high,” said one expert.

Imperva measured threats faced by its customers over a roughly one-year period and saw a 211 percent year-over-year increase in attacks.

Distributed denial of service attacks, more commonly known as DDoS attacks, are designed to flood servers with artificial internet traffic that interrupts access to websites or network systems.

The firm largely attributed this apparent growth to the establishment of several botnet operations — which serve as a platform to automate and increase attack volume — and malicious actors’ ability to access greater bandwidth to help generate and use such weapons. Dark Web dealers are using these botnets, according to Imperva, to offer more effective cyber tools to would-be customers.

“The amount of traffic, or bandwidth, that is able to be generated and used as a weapon is at an all-time high. This is likely the result of more compromised machines with higher bandwidth,” Imperva Vice President Tim Matthews told FedScoop.

In short, attackers launch denial of service attacks by directing traffic from many compromised machines at a target at once, overwhelming its servers or the network links in front of them.

The DDoS attacks Imperva recorded, between March 2015 and April 2016, targeted a diverse range of clients. Even so, all of the attacks aimed to disrupt each organization’s digital operations at one of two distinct levels: application or network.

To be clear, an application-layer DDoS works to cut off online access to a specific property, like a website or software service, rather than an entire network.

Because application-layer attacks are by nature narrower, they typically require less traffic. In the past, DDoS-ing an entire network has presented a challenge for attackers because of the sheer volume of artificial traffic required to pull it off. But Imperva’s new report suggests that botnets are significantly changing this dynamic, making it easier for individual operations to disrupt larger segments of the internet.

Another worrisome trend in the DDoS arena, spotted by Imperva, is that when a target gets hit once, it should prepare for another wave. Data shows that 40 percent of affected targets were attacked more than once, while 16 percent were targeted more than five times.

In the past, DDoS attacks have been used to distract an organization while a data breach takes place, enabling the exfiltration of valuable data like customer financial details and personal records.

Here’s what a DDoS looks like via a data visualization by cybersecurity firm Norse:

Source: http://fedscoop.com/ddos-attacks-up-211-percent-august-2016

Blizzard’s Battle.net servers hit by yet another DDoS attack

“Gaming servers are a top target of DDoS assaults,” Imperva security researcher Ofer Gayer told IBTimes UK.

Developer Blizzard’s Battle.net servers were hit with yet another DDoS attack on Tuesday (23 August) resulting in latency and connection issues in some of its popular titles including Overwatch, World of Warcraft and Hearthstone. The company acknowledged the interruption on its Twitter support channels in both the US and Europe, indicating that it was not restricted to just one region.

The company also said that its sites and forums were “experiencing issues” at the time in a separate tweet.



The latest attack is the second such assault targeting the developer’s servers this month and the third since the launch of its popular hero-based shooter, Overwatch, in May. It also comes at the end of Blizzard’s Summer Games event, which ran from 2 August to 22 August in celebration of the Olympic Games in Rio.

On 3 August, Blizzard’s Battle.net servers were crippled by another massive DDoS attack that caused connection, login and latency issues across some of its popular titles. The disruption also occurred on the same day Blizzard launched its Summer Games series.

Hacking collective PoodleCorp claimed responsibility for the alleged attack. The same hacker group also claimed responsibility for taking down Pokémon Go’s servers in July.

In June, Blizzard’s servers were hit with another alleged DDoS attack claimed by notorious hacker group Lizard Squad that prevented players from accessing their games.

DDoS attacks, which are difficult to prevent and defend against, have continued to plague online companies’ networks in recent years, particularly those of major gaming companies’ servers.

“Gaming servers are a top target of DDoS assaults,” Ofer Gayer, a senior security researcher at Imperva, told IBTimes UK. “They have been hit with some of the largest and longest attacks on recent record.”

He added that mitigating DDoS attacks on game servers is a “particularly complex task”.

“Since online gaming platforms are highly sensitive to latency and availability issues, they’re ideal DDoS attack targets,” Gayer said. “Gamers are very sensitive to the impact on latency, so what may be considered negligible for most services, can be very frustrating for the gaming community. This can be affected by multiple factors, most prominently the distribution of scrubbing locations and TTM (time to mitigate).”

Imperva’s latest DDoS Threat Landscape Report found that DDoS attacks have increased by a massive 220% over the past year “with no signs of abating”. It also noted that the UK has become the second most popular target for DDoS attacks in the world.


Blizzard’s official Customer Support Twitter account later confirmed that the “technical issues” they were experiencing earlier have been resolved. At the time of publication, no hacking group has claimed responsibility for the most recent alleged DDoS attack.

Source: http://www.ibtimes.co.uk/blizzards-battle-net-servers-hit-by-yet-another-ddos-attack-1577793

DDoS Attacks Increase 200%; UK Now Second Most Targeted Nation

DDoS attacks have increased by over 200% in the last year, according to new research from Imperva. The uptick in attacks has been attributed to DDoS-for-hire services, the company said.

DDoS attacks are now among the most common cyber threats businesses can face, according to Imperva. Between April 1, 2015 and March 31, 2016 it recorded an average of 445 attacks targeting its customers per week. More than 40% of customers affected were targeted more than once, and 16% were hit more than five times.

The majority of attacks noted by Imperva targeted the application layer, making up 60% of all DDoS attacks; the remainder targeted the network layer. However, Imperva noted that the share of application layer attacks is trending downwards, dropping by 5% year over year. If that trend continues, network layer attacks could be just as common as application layer ones before too long.

The most recent quarter covered by this report shows a big jump in the size of network layer attacks. The biggest recorded attack was 470 Gbps, while many others exceeded 200 Gbps. Imperva now says attacks of this size are a “regular occurrence.”

These increases in DDoS attacks have been attributed to DDoS-for-hire services, where anyone can pay as little as $5 to launch a minute-long DDoS attack on a target of their choice. This means attacks can be launched by just about anyone—whether it’s because of a grudge against a particular company or just boredom.

Attacks launched through such services now account for 93% of DDoS attacks, up from 63.8% in Q2 2015. Imperva says this has directly led to the increase in overall DDoS numbers.

Another clue to an increase in DDoS-for-hire services and what Imperva calls “casual offenders” is a decrease in attack complexity. Starting in Q2 2015 the company recorded a decrease in multi-vector attacks; attacks using multiple vectors and payloads indicate a more sophisticated, complex attack. However, Q1 2016 saw an increase in the volume of assaults using five or more payloads.

“This countertrend reminds us that—in parallel with the increased “hobbyist” activity—more capable cyber-criminals continue to improve their methods. As per the first rule of the DDoS mitigation industry, attacks continue to get larger and more sophisticated on the high-end of the scale,” the report said.

The report also examined where DDoS attacks generally emerge from. Once again, China tops the list, with a sharp increase recorded in South Korea, whose excellent broadband infrastructure enables attackers to launch effective attacks easily, Imperva said.

The UK is now the world’s second most-attacked country, after the United States of America. Most attacks targeted small and medium businesses, but some bigger institutions, including the BBC and HSBC, were hit as well.

Source: http://www.infosecurity-magazine.com/news/ddos-attacks-increase-200/

Teen hacker walks free after carrying out DDoS attacks on bank and e-crime portal

Australian teenager who DDoSed E-crime website, Commonwealth Bank and his own school, walks free

Seldom does anyone who causes online mayhem through DDoS attacks walk away free, but this teenager did just that.

A 15-year-old teenage hacker was sentenced to a “family conference” by a judge at the Christies Beach Youth Court in Adelaide, Australia after he targeted Australian Cybercrime Online Reporting Network (ACORN) Portal, Commonwealth Bank of Australia, and his own school servers in February 2016.

In Australian law, a family conference is when the court leaves the punishment to the family and a supervising youth police officer, who must agree with the punishment in order to consider the matter closed. Family conferences may require the teen to apologize publicly, pay compensation to the victims, perform a number of hours of community service, or more.

The youth, who cannot be identified under state law, pleaded guilty to four counts of unauthorised damage of computer systems related to Distributed Denial of Service (DDoS) attacks. However, the very next day, he walked free as the court ordered mediation between his family and victims rather than facing jail time.

The teenager, who as a minor could have faced up to three years in youth detention, was fortunate to avoid custody.

“The penalty for orchestrating a DDoS attack is a maximum of 10 years imprisonment. This is found in the Cybercrime Act 2001, section 477.3 ‘unauthorised impairment of electronic communication.’”

The teenager started his DDoS spree on February 26 when he first attacked CBA, leaving the bank and some overseas customers unable to access services for more than three hours. The attack “had the potential to cause serious disruption to our services”, the bank said, even though customer money and information were not put at risk.

In March he used his mobile phone to disrupt his high school’s information technology systems for “fun” and because he was “bored” in computing studies. He later shifted the attacks from the school’s system to its Internet provider.

On April 4, 2016, he attacked the ACORN website, which is used by every Australian police force and multiple federal crime-fighting agencies; the site was down for up to six minutes before he abandoned the attack.

He was arrested at his southern Adelaide home after both state and federal authorities tracked his unique internet protocol (IP) address. His school principal reported his crimes through ACORN.

Magistrate Cathy Deland, herself a CBA customer, confessed that she was “making a big step” in ordering a “family conference”, a move supported by police, but said the law needs to concentrate on rehabilitation, reports Adelaide Now.

She believed that he was unlikely to reoffend and had not demanded any “ransom”.

Ms Deland said his crimes stopped classmates from learning while his attack on the CBA was “just massive”.

She told him: “I don’t know that anyone would be able to put a price on repairing the disruption that you caused. I have no doubt it would have been millions of dollars.

“I have no doubt that you would not have thought much about the consequences. I am in the difficult situation having to weigh up your incredible stupidity against … your rehabilitation.”

The boy and his family refused to comment outside court.

Source: http://www.techworm.net/2016/08/teen-hacker-walks-free-carrying-ddos-attacks-bank-e-crime-portal.html

Attackers could abuse DNSSEC-secured domains for DDoS attacks: report

A majority (80%) of DNSSEC-secured domains could be used to amplify distributed denial of service (DDoS) attacks, at an average factor of 28.9 times, according to a recent report by Neustar, which studied nearly 1,350 domains with DNSSEC deployed.

The report points out that these domains had not deployed DNSSEC signing properly, leaving their name servers open to abuse as DDoS amplifiers.

“Neustar has correctly pointed out the additional amplification factor related to misconfigured DNSSEC vs. legacy DNS, where the inclusion of the digital signature allows for a somewhat higher than a normal DNS amplification attack,” says Corero Network Security COO Dave Larson, in a statement.

“However, the point that must be stressed related to this or any other DDoS amplification vectors is that operators of any network – whether they include DNS service or not – should have their networks configured not to respond to spoofed IP requests.  In addition, DNS operators should configure their DNS servers not to respond to ‘ANY’ requests in order to squelch the opportunity for the server to be leveraged for malicious use.”

Larson adds that on the flip side, the impact to the receiving end of the attack can be especially problematic. The fragmented and amplified attack technique, utilizing DNS or DNSSEC can cause outages, downtime and potential security implications for Internet Service Providers if they are relying on out-of-band DDoS protection mechanisms. Furthermore, organizations relying on traditional IT and security infrastructure such as firewalls and load balancing equipment are no match for these attacks.

“A comprehensive in-line and automatic mitigation method for removing DDoS attacks is the recommended approach for dealing with all types of DDoS attacks – DNS and beyond,” noted Larson.
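The amplification arithmetic Larson describes, as an added example (not code from the Neustar report or from Corero): the Python below builds the query an amplification attacker would send, an ANY query carrying an EDNS0 OPT record with the DO bit so that RRSIGs are returned, reads the response header for the TC bit and answer count, and divides response bytes by query bytes to get the factor. The server name, domain and response sizes in the usage are assumptions; run probe() only against name servers you operate.

```python
"""Estimate the DNS amplification factor a name server hands a spoofing attacker.

Added example, not from the Neustar report or Corero. Wire format follows
RFC 1035 (header, question) and RFC 6891 (EDNS0 OPT record, DO bit).
"""
import socket
import struct

QTYPE_ANY = 255
EDNS_DO = 0x8000  # DNSSEC OK flag, carried in the OPT record's TTL field


def encode_name(name: str) -> bytes:
    """Encode 'example.com' as length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(struct.pack("B", len(l)) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name: str, qtype: int = QTYPE_ANY, dnssec_ok: bool = True,
                udp_size: int = 4096, txid: int = 0x1234) -> bytes:
    """One UDP query as an amplification attacker sends it: ANY, EDNS0 advertising
    a 4096-byte buffer, DO bit set so the signatures come back too."""
    # id, flags (RD only), qdcount=1, ancount=0, nscount=0, arcount=1 (the OPT record)
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack(">HH", qtype, 1)  # class IN
    ttl = EDNS_DO if dnssec_ok else 0
    # OPT: root name, type 41, class = UDP payload size, TTL = flags, rdlength 0
    opt = b"\x00" + struct.pack(">HHIH", 41, udp_size, ttl, 0)
    return header + question + opt


def question_type(pkt: bytes) -> int:
    """QTYPE of the first question; an operator refusing ANY keys on this value."""
    i = 12
    while pkt[i] != 0:          # walk the labels (no compression in a question)
        i += pkt[i] + 1
    return struct.unpack(">H", pkt[i + 1:i + 3])[0]


def parse_header(resp: bytes) -> dict:
    """The header fields a defender cares about when measuring a reply."""
    txid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", resp[:12])
    return {
        "txid": txid,
        "truncated": bool(flags & 0x0200),  # TC: server declined to send it all over UDP
        "rcode": flags & 0x000F,
        "answers": an, "authority": ns, "additional": ar,
    }


def amplification_factor(query: bytes, response: bytes) -> float:
    """Bytes returned per byte sent: the multiplier a spoofed query buys the attacker."""
    return len(response) / len(query)


def probe(server: str, name: str, timeout: float = 2.0) -> bytes:
    """Send one query over UDP and return the raw reply (network access; only
    against servers you operate)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        resp, _ = s.recvfrom(65535)
    return resp


if __name__ == "__main__":
    import sys
    server, name = sys.argv[1], sys.argv[2]   # assumed: e.g. ns1.example.net example.net
    q, r = build_query(name), probe(server, name)
    h = parse_header(r)
    print(f"query {len(q)} B, reply {len(r)} B, factor {amplification_factor(q, r):.1f}x, "
          f"truncated={h['truncated']} answers={h['answers']} rcode={h['rcode']}")
```

A 40-byte query that draws a 1,156-byte signed reply is the 28.9 times in the report. The two operator-side controls in the quote map onto the code: refusing ANY means a query whose question_type() is 255 gets a minimal or truncated (TC) reply rather than the whole signed RRset, and source-address validation at the network edge (BCP 38) is what keeps a forged source from reaching the server at all; this builder cannot spoof its source, it only measures what the server would answer with.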

Source: http://www.networksasia.net/article/attackers-could-abuse-dnssec-secured-domains-ddos-attacks-report.1471485281

DDoS attacks on the rise in Asia Pacific

The Asia Pacific region experienced 34,000 distributed denial of service (DDoS) attacks in the second quarter of 2016, according to Nexusguard’s Q2 2016 Threat Report – Asia-Pacific. The figure represents a 43 percent increase from the previous quarter.

Even though Network Time Protocol (NTP) attacks dominated the type of attacks in the region (90 percent), such attacks were less common in other parts of the world (46 percent).

The report also found that attack durations were longer in the Asia Pacific region as compared to global incidents, which is likely due to many scripted attack tools with set duration values.

China remains as one of the top three target countries in the region. According to Nexusguard, a Chinese target was hit 41 times over the course of about a month of constant attacks. Nexusguard researchers attributed these attacks to the malware the victim had hosted over the last two years.

The largest increase was observed in Hong Kong, accounting for a 57 percent rise in attacks.

With hackers experimenting with new attack methodologies, and with events taking place in the Asia Pacific region, Nexusguard researchers expect to see a spike in DDoS attacks in the third quarter of this year.

“We expect the upward trend in the frequency of attacks to continue this year, especially with more attention on the Summer Olympics [in Brazil] and political dispute in the APAC region,” said Terrence Gareau, Chief Scientist at Nexusguard.

“And as Pokémon Go gradually launches across the Asian market, Nexusguard analysts expect attack groups will launch more public attacks. This activity increases visibility and positioning as DDoS-for-hire services, the popularity of which we noted from the consistent time durations this quarter,” he added.

Source: http://www.mis-asia.com/resource/security/ddos-attacks-on-the-rise-in-asia-pacific/

What You Need to Know about the Evolution of DDoS

In an attempt to define the modern-day DDoS attack, one must understand that there is more than one type of attack. Starting with the simplest, network level DDoS attacks are the easiest to launch. They are fundamentally designed to crush networks and melt down firewalls by filling state tables and consuming the available resources of network gear, and today attackers require larger and larger botnets to succeed with them. As organizations install bigger pipes and improve their router, firewall, and switch capacity, this type of attack is becoming less effective. Also, because law enforcement took notice of the larger botnets required to be successful, attackers had to devise a better tactic. Hence, the birth of the reflective/amplified attack.

Using open DNS, NTP, and now UPnP devices located all over the Internet, attackers have learned how to amplify their attacks, and today they are capable of filling large numbers of 10 Gbps pipes using botnets of only a few thousand machines. Firewall state tables and network resources are often not consumed in this case. Instead, pipes are filled with more traffic than they can forward. Packets can only travel so fast down a wire, and when they back up, outages and latency ensue. It is not a case of more packets; it is a case of bigger packets.

As a result of the amplification factor achieved, these attacks are now being fragmented as well. Too many fragmented packets are often a death sentence for devices performing deep packet inspection, like next-generation firewalls and IPS. Attackers can flood them with an excessive amount of fragments, consuming vast amounts of CPU, and these devices often melt down in no time at all. Even the highest performing next-generation firewalls and IPS will feel the effects of this type of attack.
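The reflection and fragment vectors of the last two paragraphs, seen from the victim's side, as an added example (not the article's own code or any vendor's product): a classifier over constructed NetFlow-style records that totals UDP arriving from the DNS, NTP and SSDP (UPnP discovery) ports per destination, converts it to a bit rate over the export window, and tracks the fraction of packets that are fragments. The record layout, the 500 Mbit/s and 10% thresholds, and every address are assumptions.

```python
"""Classify reflected/amplified UDP floods and fragment floods in flow records.

Added example; not code from the article or from any vendor it mentions.
Input is a constructed NetFlow-style record (one dict per flow), not a real
collector's export format.
"""
from collections import defaultdict

UDP = 17
# Reflector services the article names: open DNS, NTP and UPnP (SSDP discovery).
REFLECTOR_PORTS = {53: "dns", 123: "ntp", 1900: "ssdp"}
MIN_REFLECTED_BPS = 500e6  # assumed: flag a destination above 500 Mbit/s of reflector-sourced UDP
MAX_FRAG_RATIO = 0.10      # assumed: normal traffic is nearly fragment-free; 10% or more is a flood
WINDOW_SECONDS = 60        # assumed export interval of the constructed records


def reflector_service(f):
    """Name of the reflector service a flow comes from, or None for ordinary traffic."""
    if f["proto"] != UDP:
        return None
    return REFLECTOR_PORTS.get(f["src_port"])


def summarize(flows, window_s):
    """Per-destination verdicts: amplification vectors, reflector count, fragment ratio."""
    per_dst = defaultdict(lambda: {"reflected_bytes": 0, "packets": 0, "frag_packets": 0,
                                   "vectors": set(), "reflectors": set()})
    for f in flows:
        d = per_dst[f["dst_ip"]]
        d["packets"] += f["packets"]
        d["frag_packets"] += f["frag_packets"]
        svc = reflector_service(f)
        if svc:  # reply traffic from a reflector port the victim never queried
            d["reflected_bytes"] += f["bytes"]
            d["vectors"].add(svc)
            d["reflectors"].add(f["src_ip"])
    report = {}
    for ip, d in per_dst.items():
        rate_bps = d["reflected_bytes"] * 8 / window_s
        frag_ratio = d["frag_packets"] / d["packets"] if d["packets"] else 0.0
        flags = []
        if rate_bps >= MIN_REFLECTED_BPS:
            flags.append("amplification:" + ",".join(sorted(d["vectors"])))
        if frag_ratio >= MAX_FRAG_RATIO:
            flags.append("fragment-flood")
        if flags:
            report[ip] = {"gbps": rate_bps / 1e9, "reflectors": len(d["reflectors"]),
                          "frag_ratio": frag_ratio, "flags": flags}
    return report


def flow(proto, src_ip, src_port, dst_ip, dst_port, nbytes, packets, frag_packets=0):
    return {"proto": proto, "src_ip": src_ip, "src_port": src_port, "dst_ip": dst_ip,
            "dst_port": dst_port, "bytes": nbytes, "packets": packets, "frag_packets": frag_packets}


# Constructed one-minute export: three reflectors hitting one host (8 Gbit/s in total,
# the DNS replies largely arriving as fragments) plus ordinary traffic to a second host.
SAMPLE_FLOWS = [
    flow(UDP, "203.0.113.10", 53,   "198.51.100.5", 33001, 30_000_000_000, 22_000_000, 12_000_000),
    flow(UDP, "203.0.113.22", 123,  "198.51.100.5", 33001, 24_000_000_000, 50_000_000),
    flow(UDP, "203.0.113.35", 1900, "198.51.100.5", 33001,  6_000_000_000, 20_000_000),
    flow(UDP, "192.0.2.53",   53,   "198.51.100.7", 51234,         48_000,        400),
    flow(6,   "192.0.2.80",   443,  "198.51.100.7", 51235,    900_000_000,    700_000),
]

if __name__ == "__main__":
    for ip, v in summarize(SAMPLE_FLOWS, WINDOW_SECONDS).items():
        print(f"{ip}: {v['gbps']:.1f} Gbit/s from {v['reflectors']} reflectors, "
              f"fragments {v['frag_ratio']:.0%}, {' '.join(v['flags'])}")
```

The second host receives legitimate DNS replies from port 53 as well, which is why the verdict is keyed on rate per destination and not on the source port alone; a per-flow rule on port 53 would page on every recursive resolver a client talks to.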

From an attacker perspective, interweave repetitive application-layer attacks designed to consume resources on servers, and you’ve got a recipe for success. Pound the final nail in the coffin by adding specially crafted packet attacks designed to take advantage of weak coding, and simply put – anyone will go offline without the right defenses. Attackers today use all five categories simultaneously, making it even harder to defeat without blocking vast amounts of good traffic.

However, DDoS attacks are not always about bringing organizations offline. Today’s attackers are launching short-duration, partially saturating attacks that are intended NOT to take the victim offline. Instead, they are designed to consume time, attention, “people” resources, and log storage. If the average enterprise had to choose between suffering a DDoS attack or a data breach, it would likely choose the DDoS attack, taking comfort in the fact that its most valuable information would remain intact and out of the hands of a hacker. However, DDoS is often about hiding other attacks, and your data is the true target.

DDoS is a serious threat – one that has vastly evolved from the simple, easily resolved attacks of the past. Often overlooked as a nuisance, any DDoS activity should raise a red flag for IT departments. When an attack lasts for a few hours (or even a few minutes), most organizations believe the attacker got tired, gave up, or the victim’s defenses withstood the onslaught. The misconception here is a sense of invincibility. However, the real reason the DDoS attack may have subsided is because the attacker achieved their objective – access to your data. Often attackers are targeting your data the whole time, while leading many to believe they’re trying to take organizations offline. Frequently, this is not their intention at all.

This is emphasized by the recent rise in Dark DDoS attacks that act as a distraction to the IT department – while a damaging hack is enacted and data is stolen. If businesses are too complacent about DDoS protection, they can be financially ruined due to brand damage and the immediate decrease in customer confidence they often experience – as a result of an attack. This leads some to the point of no return. Often hidden by the Dark DDoS attack, the losses associated with the compromise of proprietary data ends up costing more to mitigate, than the attack itself. It is quite the vicious cycle.

The most targeted organizations are obviously those who thrive on Internet availability, or gain the attention of hacking groups like Anonymous. Finance, news, social networks, e-retail, hospitality, education, gaming, insurance, government services, etc. are all seriously impacted by an outage. These organizations almost always make the news when downtime occurs, which in turn leads to a loss of customer confidence. In addition, any organization that has sellable data often finds themselves in the cross hairs of a Dark DDoS attack. Remember, attackers in this case want access to your data, and will do just about anything to get it.

Attackers also love notoriety. News-making attacks are often like winning a professional game of chess. Their strategies, skills, and perseverance are all tested and honed. Hacker undergrounds take notice of highly skilled attackers. Often job agreements or an offer for “a piece of the action” is the reward for those with notable skills. While all of this activity may be considered illegal in just about every country, the reward seems to outweigh the punishment. As long as that is the case, attackers will continue their activities for the foreseeable future.

So, what’s the solution? Put the right defenses in place and eliminate this problem – once and for all. It begins with understanding the importance of cloud-based DDoS defenses. These defenses are designed to defeat pipe-saturating attacks closest to their source. They also reduce latency involved with DDoS mitigation, and help eliminate the needs to backhaul traffic around the globe to be cleansed or null routed. Selecting a cloud provider with the highest number of strategically located DDoS defense centers that they operate themselves, makes the absolute best sense.

In addition, selecting a cloud provider who can offer direct connectivity to your organization where applicable is also the recommendation. Diverting incoming traffic to the cloud to be cleansed is normally done via BGP. It’s simple, fast, and effective. However, returning the “clean” traffic back to the customer represents a new set of challenges. Most cloud providers recommend GRE tunnels, but that approach is not always the best. If you can connect “directly” to your cloud provider, it will eliminate the need for GRE and the problems that accompany that approach. The result of a direct connection is quicker mitigation and more efficient traffic reinjection.

Are cloud-based DDoS defenses the end-all? Not really. The industry recognizes a better method called the hybrid-approach. The thought process here is that smaller, shorter DDoS attacks are more effectively defeated by on-premises technology, while larger and longer attacks are more efficiently defeated in the cloud. The combination of the two approaches will stop all DDoS attacks in their tracks. In addition, volumetric attacks are easily defeated in the cloud, closest to the source of attack. Low-and-slow attacks are more effectively defeated closer to the devices under attack. This combined approach provides the best of both worlds.

Complete visibility is another benefit of the hybrid approach. Cloud-based DDoS defense providers who have no on-premises defense technology are blind to the attacks against their own customers. Many cloud providers attempt to monitor firewall logs and SNMP traps at the customer’s premises to help detect an attack. However, that’s comparable to using a magnifying glass to study the surface of the moon – from earth. The magnifying glass is not powerful enough, nor does it offer enough granularity to detect the subtleties of the moon’s surface. Purpose-built, on-premises DDoS defense technologies are the eyes and ears for the cloud provider.

The goal here is to detect the attack before a customer actually knows they’re under attack. This equates to immediate DDoS detection and defense. Detection is actually the hardest part of the DDoS equation. Once an attack is detected, mitigation approaches for the most part are similar from one vendor to another. Using a set of well-defined mechanisms can eliminate nearly every attack. Most defenses are based upon a thorough understanding of the way protocols work and the behaviors of abnormal visitors. Finding a vendor who has the most tools and features in their defensive arsenal is the best practice.

The final recommendation is to select a vendor who has both cloud-based and on-premises defenses, especially if those defenses use the same underlying technologies. On-premises hardware manufacturers who also offer cloud-based services are the way to go. The reasoning is simple. If the cloud defenses are quite effective, adding on-premises defenses of the same pedigree will become even more effective. In addition, the integration of the two approaches becomes streamlined when working with a single vendor. Incompatibilities will never be an issue.

If the recommendations in this article are followed, DDoS stops being an emergency and becomes a managed risk. The vulnerability is addressed, the risk is mitigated, and the network is protected. That’s what IT professionals are looking for: a complete solution.

Source: http://virtual-strategy.com/2016/08/15/need-know-evolution-ddos/

New cryptocurrency ‘DDoSCoin’ incentivizes users for participating in DDoS attacks

The number of Distributed Denial of Service (DDoS) attacks, which tries to make an online service unavailable by flooding it with traffic from multiple sources, has been rising at an alarming rate.

In a new research paper, Eric Wustrow, University of Colorado Boulder, and Benjamin VanderSloot, University of Michigan, have put forward the concept of DDoSCoin – a cryptocurrency with a ‘malicious’ proof-of-work (“Proof-of-DDoS”).

“DDoSCoin allows miners to prove that they have contributed to a distributed denial of service attack against specific target servers”, the paper says.

Presented at the USENIX 2016 security conference, the researchers explain the DDoSCoin system, which enables miners to select the victim servers by consensus using a proof-of-stake protocol. The authors note that the malicious proof-of-DDoS only works against websites that support TLS 1.2 (Transport Layer Security), because the proof relies on the server signing, during a TLS 1.2 handshake with an ephemeral Diffie-Hellman cipher suite, a value that includes data the client chose; as of April 2016, over 56% of the Alexa top million websites supported this version of TLS.

By design, miners are incentivized to send and receive large amounts of network traffic to and from the target in order to produce a valid proof-of-work. These proofs can be inexpensively verified by others, and the original miner can collect a reward. This reward can be sold for other currencies, including Bitcoin or even traditional currencies, allowing botnet owners and other attackers to directly collect revenue for their assistance in a decentralized DDoS attack.

Wustrow told Motherboard that something like DDoSCoin could encourage hacktivists to use the system to incentivize others to perform attacks on their behalf.

“However, it’s probably still easier and more effective to just pay a ‘reputable’ botnet to do this for you,” he said. “On the other hand, something similar to DDoSCoin might lower the barrier to collecting rewards for DoS attacks, ultimately driving down the cost for hacktivist consumers.”

The researchers admit that the paper introduces an idea that could be used to incentivize malicious behavior. To that end, they say that in demonstrating the proof-of-concept and evaluating proof-of-DDoS code, they have only “attacked” websites they have ownership and authority over. They emphasize that they are not publishing a working altcoin that uses this proof-of-DDoS, but rather a conceptual description of one.

Source: http://www.econotimes.com/New-cryptocurrency-DDoSCoin-incentivizes-users-for-participating-in-DDoS-attacks-262858

Rio 2016: DoS attack made on Swimming Australia website after Mack Horton’s drug remarks

Swimming Australia’s website has been hit by a denial of service (DoS) attack.

The ABC has learned the site is operating in an “under attack” mode in the wake of Olympic gold medallist Mack Horton’s comments about his Chinese competitor Sun Yang being a drug cheat.

While the site has continued to operate, it has deployed software that challenges every browser accessing the page, to verify that each visitor is legitimate rather than an automated client.

Horton’s social media has been bombarded with hundreds of thousands of negative comments from China.

Swimming Australia is not commenting publicly but it is understood the attack has been referred to the Government for investigation.

Security analyst Marco Ostini from AusCERT, a non-profit organisation that protects organisations from cyber attacks, said DoS attempts were extremely common.

“It’s actually a very difficult problem to put a number on,” he said.

“It’s certain though … based on all malicious metrics on the internet, it’s increasing.”

Mr Ostini said without seeing the internet traffic and logs associated with Swimming Australia’s page it was hard to work out what had happened, but he doubted it was a high-level attack.

“I’d be really surprised if it was [China] state-sanctioned attackers causing trouble for Swimming Australia,” he said.

“It’s possibly more likely just a large amount of interested people who are expressing themselves in possibly posting comments [on the website].”

Source: http://www.abc.net.au/news/2016-08-11/rio-2016-dos-attack-made-swimming-australia-website/7721848

The Hidden Role of DDoS in Ransomware Attacks

Dave Larson offers advice for organisations wishing to protect themselves from the latest types of cyber-extortion

Ransom demands and DDoS attacks are now, more than ever, being used together in inventive new techniques to extract money from victims. This ranges from hackers threatening to launch a DDoS attack unless a ransom is paid, to the recent reports of a multi-layered cyber-attack combining ransomware and DDoS attacks in one. But what is often less understood is the way that sub-saturating DDoS attacks are regularly being used as a precursor to ransomware incursion.  Because these attacks are so short – typically less than five minutes in duration – these low-bandwidth DDoS attacks allow hackers to test for vulnerabilities within a network, which can later be exploited through ransomware. Here we outline some of the typical methods of cyber-extortion involving DDoS attacks, and explain why automatic DDoS mitigation is such a key defence in the ongoing battle against ransomware.

Extortion is one of the oldest tricks in the criminal’s book, and one of the easiest ways for today’s cyber-criminals to turn a profit.  As a result, there are a significant number of techniques that hackers will utilise to try and extract money from victims. One of the most common is DDoS ransom attacks, where attackers threaten to launch a DDoS attack against a victim unless a ransom is paid. These attacks can affect any internet-facing organisation and are often indiscriminate in nature. In May, the City of London Police warned of a new wave of ransom-driven DDoS attacks orchestrated by Lizard Squad, in which UK businesses were told that they would be targeted by a DDoS attack if they refused to pay five bitcoins, equivalent to just over £1,500.  According to the results of a recent survey, 80 percent of IT security professionals believe that their organisation will be threatened with a DDoS attack in the next 12 months – and almost half (43 percent) believe their organisation might pay such a demand.

But despite the prevalence of DDoS ransom attacks, and its longevity as a technique, nothing elicits the same degree of alarm among security teams as the current threat of ransomware. This type of malware is estimated to have cost US businesses as much as US$ 18 million (£13.7 million) in a single year, and has already claimed a string of high-profile victims including hospitals and public bodies. Earlier this month, European police agency Europol launched a new ransomware advice service aimed at slowing down its exponential rise. But when it comes to protecting your organisation’s data from being encrypted and lost, most advice focuses on recovery, rather than prevention. This includes having a good backup policy, which ideally involves versioning data so that multiple older copies of the files are available, in case newer versions have been encrypted. But what about taking a more proactive stance?

We know that ransomware is usually delivered via email, inviting respondents to click on a link to download malware. Typically the themes of these emails include shipping notices from delivery companies or an invitation to open other documents that the recipient supposedly needs to review.  It’s true that many of these emails are sent opportunistically and on a blanket basis to a wide number of potential victims. But we are also seeing an increase in more targeted attacks, designed to gain access to a specific organisation’s networks.  After all, attacking a larger, more high-profile organisation would normally command a higher potential ransom reward, so hackers are investing an increasing amount of time researching specific victims and locating their vulnerabilities – usually through a variety of automated scanning or penetration techniques, many of which are increasingly incorporating the use of sub-saturating, low-bandwidth DDoS vectors.

Most people associate the term ‘DDoS’ with system downtime, because the acronym stands for “Distributed Denial of Service”. But DDoS threats are constantly evolving, and many hackers now use them as a sophisticated means of targeting, profiling, and infiltrating networks. Short, sub-saturating DDoS attacks are typically less than five minutes in duration, meaning that they can easily slip under the radar without being detected by some DDoS mitigation systems. Five minutes may seem like an insignificant amount of time – but an appropriately crafted attack may only need a few seconds to take critical security infrastructure, like firewalls and intrusion prevention systems (IPS) offline. While IT teams are distracted by investigating what might be causing these momentary outages on the network, hackers can map the floor plan of their target’s environment, and determine any weak points and vulnerabilities that can later be exploited through other methods, such as ransomware.

It is only by deploying an in-line DDoS mitigation system that is always-on, and can detect and mitigate all DDoS attacks as they occur, that security teams can protect themselves from hackers fully understanding all possible vulnerabilities in their networks. While these short DDoS attacks might sound harmless – in that they don’t cause extended periods of downtime – IT teams who choose to ignore them are effectively leaving their doors wide open for ransomware attacks or other more serious intrusions. To keep up with the growing sophistication and organisation of well-equipped and well-funded threat actors, it’s essential that organisations maintain a comprehensive visibility across their networks to spot and resolve any potential incursions as they arise.
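The short, sub-saturating bursts this article and the “Evolution of DDoS” piece above describe are exactly what a link-utilisation alarm never sees. The following added example (not Corero’s code) contrasts the two over a constructed per-second trace to one destination: an 80%-of-link alarm on a 10 Gbit/s link versus a baseline-ratio detector that flags any run of seconds at more than eight times the learned rate and reports its duration and peak. Link size, thresholds and the trace itself are assumptions.

```python
"""Flag short, sub-saturating traffic bursts against one destination.

Added example, not from the article or Corero. A utilisation alarm on an
assumed 10 Gbit/s link never fires on a 90-second 2.5 Gbit/s burst; a
baseline-ratio detector does. Samples are (second, bits per second) pairs,
constructed below rather than taken from a real collector.
"""

LINK_BPS = 10e9             # assumed link capacity
SATURATION_THRESHOLD = 0.8  # classic alarm: fire at 80% of the link
BURST_MULTIPLIER = 8.0      # flag a second running at 8x the learned baseline
MIN_BURST_SECONDS = 3       # ignore one-off spikes shorter than this
EWMA_ALPHA = 0.05           # baseline smoothing; seconds inside a burst never feed it


def saturation_alarm(samples):
    """Seconds at which the traditional link-utilisation alarm would fire."""
    return [t for t, bps in samples if bps >= SATURATION_THRESHOLD * LINK_BPS]


def burst_detect(samples):
    """Return bursts as dicts: start, end, seconds, peak_bps, link_util."""
    bursts = []
    baseline = None
    start = peak = None

    def close(end_t):
        nonlocal start, peak
        if end_t - start + 1 >= MIN_BURST_SECONDS:
            bursts.append({"start": start, "end": end_t, "seconds": end_t - start + 1,
                           "peak_bps": peak, "link_util": peak / LINK_BPS})
        start = peak = None

    for t, bps in samples:
        if baseline is None:          # first sample seeds the baseline
            baseline = bps
            continue
        if bps > BURST_MULTIPLIER * baseline:
            if start is None:
                start, peak = t, bps
            peak = max(peak, bps)     # baseline deliberately frozen during the burst
        else:
            if start is not None:
                close(t - 1)
            baseline = EWMA_ALPHA * bps + (1 - EWMA_ALPHA) * baseline
    if start is not None:             # trace ended mid-burst
        close(samples[-1][0])
    return bursts


def make_samples():
    """Constructed 10-minute trace: 200-250 Mbit/s of normal traffic with a
    90-second 2.5 Gbit/s burst from t=300 to t=389, i.e. 25% of the link."""
    out = []
    for t in range(600):
        bps = 200e6 + 5e6 * ((t * 7) % 11)
        if 300 <= t < 390:
            bps = 2.5e9
        out.append((t, bps))
    return out


if __name__ == "__main__":
    s = make_samples()
    print("saturation alarm fired at:", saturation_alarm(s) or "never")
    for b in burst_detect(s):
        print(f"burst {b['start']}-{b['end']} ({b['seconds']} s), peak "
              f"{b['peak_bps'] / 1e9:.2f} Gbit/s, {b['link_util']:.0%} of link")
```

Freezing the baseline while a burst is open is the point of the design: if attack seconds fed the moving average, a slow ramp would teach the detector that the flood is normal, which is how sub-saturating attacks stay invisible to threshold-only monitoring.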

Source: http://www.scmagazineuk.com/the-hidden-role-of-ddos-in-ransomware-attacks/article/514229/