How to ward off Distributed Denial of Service ‘DDoS’ attack, online retailing’s natural enemy

Ever since they emerged several years ago as trouble for e-commerce sites, distributed denial of service, or DDoS, attacks have continued to evolve as threats to online retailing. Having first appeared as efforts by computer geeks to prove what they could do to stall web site operations, they morphed into attacks by criminals out to extort monetary rewards, as well as activists out to force recognition of a political cause, says Jeff Lyon, president of Black Lotus, a security technology and services firm that specializes in mitigating the effects of DDoS attacks.

Regardless of the reasons behind the attacks, many have targeted e-commerce sites more than other types of web sites, Lyon says.

The reason?

“E-commerce sites are most susceptible to DDoS attacks because the attackers know that if they take down an e-commerce site, they can take an entire business offline,” Lyon says. “If an insurance site is taken down, it hurts, but it doesn’t ruin the business.”

There are two general types of DDoS attacks: bandwidth floods, which try to overwhelm one or more web servers with enough traffic to make them crash; and application layer attacks, which try to hit particular features on a web site. The application layer attacks, which focus on one internal part of a web site, can be the most difficult to detect, Lyon says. That’s partly because they’re not noticed at the level of Internet service providers, leaving it up to an individual site to fend for itself, he adds.

Once a DDoS application layer attack breaks through a site’s firewall, it will direct a large number of traffic hits on a particular site feature—a shopping cart, for instance—where it may also cause the feature itself to make a huge number of data pulls from databases both inside and outside of the web site. As in many web sites, a single feature on a page—for instance, a shopping cart that shows images of several cross-sell products, shipping information, and product pricing—may be pulling all that information from multiple databases. The back-and-forth flow of a huge number of data requests and data uploads in an application layer DDoS attack can make that application crash, Lyon says.

Black Lotus is one of several vendors of security technology and services designed to identify and block DDoS attacks before they can do much damage. The company is growing, Lyon says, with DDoS monitoring and prevention technology that ranges in cost from about $1,000 to $4,500 or more per month. The technology includes software designed to recognize whether traffic hitting a web site—or a particular internal component of a site such as a product listing or shopping cart—is driven by legitimate activity or software bots initiating a DDoS attack. When site traffic follows a pattern highly uncommon to typical visitors—for instance, when it sends an extremely high volume of hits to a shopping cart without completing a cart transaction—Black Lotus software will block it. “Once web traffic shows such a predictable pattern, we take it off a site as an attacker,” Lyon says.
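One way to implement the behavioral rule just described, as an added example that is not Black Lotus's code: it parses constructed combined-format access-log lines and flags clients that burst the cart feature without ever completing a checkout (the `/cart` prefix and `/checkout/complete` path are assumed site layout, and the addresses are documentation ranges).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Combined log format: client ip, timestamp, request line. Remaining fields are skipped.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

CART_PREFIX = "/cart"                 # the feature the attack hammers (assumed path)
CHECKOUT_PATH = "/checkout/complete"  # the step a real shopper eventually reaches (assumed path)


def parse_line(line):
    """Return {ip, ts, path} for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "path": m.group("path").split("?", 1)[0],   # drop the query string
    }


def cart_abuse_report(lines, window=timedelta(minutes=5), min_cart_hits=10):
    """Return {ip: stats} for clients whose cart hits inside any `window`
    reach `min_cart_hits` while the client never completed a checkout."""
    cart_hits = defaultdict(list)   # ip -> timestamps of cart requests
    completed = set()               # ips that reached the checkout step
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["path"] == CHECKOUT_PATH:
            completed.add(rec["ip"])
        elif rec["path"].startswith(CART_PREFIX):
            cart_hits[rec["ip"]].append(rec["ts"])

    flagged = {}
    for ip, stamps in cart_hits.items():
        if ip in completed:
            continue  # finished an order: treat as a real shopper
        stamps.sort()
        # sliding window over sorted timestamps: densest burst within `window`
        start, peak = 0, 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= min_cart_hits:
            flagged[ip] = {"cart_hits": len(stamps), "peak_in_window": peak}
    return flagged


def _line(ip, sec, path):
    """Build one constructed log line, `sec` seconds after 13:55:00 UTC on a fixed date."""
    base = datetime(2012, 10, 10, 13, 55, 0, tzinfo=timezone.utc)
    ts = (base + timedelta(seconds=sec)).strftime(TS_FMT)
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512 "-" "Mozilla/5.0"'


# Constructed sample: one client hammering the cart, one real shopper, one casual browser.
SAMPLE_LOG = (
    [_line("203.0.113.10", 5 * i, f"/cart/add?sku={i}") for i in range(12)]
    + [_line("198.51.100.7", s, "/cart/add?sku=42") for s in (10, 40, 70)]
    + [_line("198.51.100.7", 120, "/checkout/complete")]
    + [_line("192.0.2.5", s, "/cart") for s in (15, 200)]
)

if __name__ == "__main__":
    for ip, stats in cart_abuse_report(SAMPLE_LOG).items():
        print(ip, stats)
```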

Black Lotus, which is privately held and doesn’t release revenue figures, is on pace to double its revenue this year over 2011, following steady 50% annual growth since 2007, Lyon says. The company expects long-term growth, he adds, operating in a market between larger web site protection systems from companies such as VeriSign Inc. and Akamai Technologies Inc., and companies such as CloudFlare that offer DDoS protection technology for as little as $200 per month per web site.


Using Human Behavioral Analysis to Stop Distributed Denial of Service ‘DDoS’ attack at Layer 7

As hacktivists and hackers of all types have honed their distributed denial-of-service (DDoS) attack techniques, they’ve learned to get around a lot of the typical Layer 4 network heuristics intended to detect these attacks and moved on to elsewhere in the stack. Experts today say organizations need to do a better job detecting attacks at the application layer if they don’t want their networks knuckling under DDoS pressure.

“The conventional way of doing DDoS mitigation is using network heuristics, looking at the packet header or looking at the aggregate of the packet and seeing how that compares to the known good behavior,” said Jeffrey Lyon, president and CEO of Black Lotus. “You’re looking for that anomaly in the data set to mitigate the attack at Layer 4. But Layer 4 is very difficult to use to determine if the attack even exists if it is a very small attack.”

According to figures from DOSarrest, a DDoS mitigation service, approximately 85% of the attacks that it sees have a Layer 7 component to them. The general idea behind an attack is to overload systems by using HTTP GET or POST requests with high impact on server resources, wrote Kurt Marko in July in InformationWeek Reports’ “Why a DDoS Mitigation Service Could Save Your Assets.” He explained that the technique is very effective at lower volumes and can fly under the radar because it looks like normal Web traffic. Such attacks are typically designed by developers who might do their homework by looking over websites for page requests that aren’t cacheable and are CPU-intensive.

“Layer 7 attacks are tough to defeat, not only because the incremental traffic is minimal, but because it mimics normal user behavior,” he wrote.

This is where Black Lotus hopes to step in with a new launch announced this week that uses a patent-pending form of heuristics it calls Human Behavioral Analysis (HBA) to put the microscope on Layer 7 traffic for better detection of this tricky attack technique.

“We’re taking it a step further in trying to determine whether every single person visiting a customer’s website is, in fact, a real human,” he said. “It is heuristics at the application layer.”

Black Lotus, a DDoS mitigation service provider with a decade of experience in helping organizations of all sizes fight these attacks, has been developing and refining HBA for three years now, Lyon said.

“Up until this calendar year, we’ve kept it very secret,” he said, explaining that it took time to develop and figure out the patent situation.

During that time, the company helped customers interested in trying a “new mitigation method” by using HBA without explicitly giving away what it was. The success it saw from these deployments and the forward progress of its patent application helped the company move forward with the product’s launch this week. As it starts to publicly market HBA, Lyon said Black Lotus will not only service traditional enterprise customers in competition with bigger players like VeriSign and Prolexic, but it will also go after traditionally underserved markets like pre-IPO small organizations that couldn’t normally afford the five- or six-figure price tags generally asked for in this market.


Four Steps to Defeat a Distributed Denial of Service ‘DDoS’ Attack

Millions of computers around the world are controlled by cybercriminals. These computers, infected with “bot” malware, automatically connect to command and control servers which then instruct the bots to carry out illicit activity. Malicious users can rent these networks of bots, or botnets, to conduct powerful Distributed Denial of Service (DDoS) attacks.

The rise of hacktivism has produced a new source of DDoS attacks: the voluntary DDoS hacker. Hacktivist groups like Anonymous and LulzSec recruit hundreds and thousands of non-technical users through social networking sites to help perform powerful DDoS attacks. Simple browser-based attack tools make it easy for hacktivist groups to unleash large-scale attacks that can bring down even the most popular websites.

DDoS attacks, whether launched by bots or by hacktivist recruits, are not isolated, but a regular issue for many organizations. According to a recent survey of IT decision makers, 74% reported suffering one or more DDoS attacks in the past 12 months. Of these, 31% said that the attacks disrupted service. Whether the motivation is political, financial or just random, DDoS attacks can be extraordinarily costly for the targeted organizations.

DDoS Attacks Explained

DDoS attacks are denial of service (DoS) attacks initiated from multiple machines in order to disrupt normal operations. Traditional DoS attacks attempt to over-utilize network, server, or application resources to disable access to the targeted service. DDoS attacks amplify the effects of DoS attacks by using thousands of machines to launch their assaults. The two main classes of DDoS attacks are network DDoS attacks and application DDoS attacks.

Network DDoS Attacks

Network DDoS attacks, sometimes termed ‘volumetric’ attacks, flood network resources with excessive requests from hundreds or thousands of sources. These attacks may combine a massive number of requests with TCP negotiation and fragmentation exploits to overwhelm devices at the network level. Common network DDoS attacks include SYN flood, teardrop, smurf, ICMP flood, and TCP fragment attacks.

Application DDoS Attacks

Application DDoS attacks are DDoS attacks targeted at overwhelming Web server, application server or database resources. While application-based attacks still only account for 26% of all DDoS attacks, they are more sophisticated and much more challenging to stop. Application DDoS attacks usually bypass most traditional network security devices because attack traffic often mimics regular traffic and cannot be identified by network layer anomalies.

Some application DDoS attacks simply flood a Web application with legitimate requests in an attempt to overwhelm server processing power. Other attacks exploit business logic flaws. For example, a Website’s search mechanism may require excessive processing by a back end database server and become a target. An application DDoS attack could exploit this weakness by performing thousands of search requests using wildcard search terms to overwhelm the back end application database.

“Slowloris” emerged as a perilous application DDoS attack in 2009. This attack disrupts application service by exhausting web server connection pools. In the Slowloris attack, the attacker sends an incomplete HTTP request and then periodically sends header lines to keep the connection alive, but never sends the full request. Without requiring much bandwidth, an attacker can open numerous connections and overwhelm the targeted Web server. While multiple patches have been created for Apache and other web servers to mitigate this vulnerability, it nonetheless demonstrates the power of more sophisticated DDoS attacks.
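The defense Slowloris forces on a web server is a bounded header read. The following is an added example (not from the page or from any web server project) that models the deadline-with-extension rule Apache's mod_reqtimeout expresses as `RequestReadTimeout header=20-40,MinRate=500`, then compares worker-slot occupancy with and without it on constructed slow and normal clients; the simulation assumes a served request releases its slot immediately.

```python
from dataclasses import dataclass


@dataclass
class HeadReadPolicy:
    initial: float = 20.0   # seconds allowed before any extension
    maximum: float = 40.0   # hard cap on the deadline, however much arrives
    min_rate: int = 500     # each min_rate bytes received extends the deadline by 1 s


# Policy with no deadline at all: what an unpatched server effectively does.
NO_TIMEOUT = HeadReadPolicy(initial=float("inf"), maximum=float("inf"))


def judge_connection(events, policy=HeadReadPolicy()):
    """events: list of (t_seconds, chunk_bytes) received on one connection, in order.
    Returns ("accepted", t) when the request head completes before the deadline,
    ("dropped", deadline) when the deadline passes first, or ("pending", deadline)
    when the client has gone quiet but the deadline has not yet arrived."""
    deadline = policy.initial
    buf = b""
    for t, chunk in events:
        if t > deadline:
            return ("dropped", deadline)
        buf += chunk
        if b"\r\n\r\n" in buf:          # blank line ends the request head
            return ("accepted", t)
        deadline = min(policy.maximum, deadline + len(chunk) / policy.min_rate)
    return ("pending", deadline)


def slots_in_use(connections, policy, at_time):
    """Count connections still holding a worker slot at `at_time`.
    A slot is released when the head is accepted (served at once, simplified)
    or when the deadline drops the connection; a pending one is held until its deadline."""
    return sum(1 for events in connections if judge_connection(events, policy)[1] > at_time)


def slowloris_events(header_interval=10.0, count=100):
    """Constructed slow client: partial request, then one bogus header every `header_interval` s."""
    ev = [(0.0, b"GET / HTTP/1.1\r\nHost: shop.example\r\n")]
    ev += [(header_interval * i, b"X-a: b\r\n") for i in range(1, count + 1)]
    return ev


# Constructed normal client: the whole request head arrives in one segment.
NORMAL_CLIENT = [(0.05, b"GET /cart HTTP/1.1\r\nHost: shop.example\r\n\r\n")]

if __name__ == "__main__":
    pool = [slowloris_events()] * 300 + [NORMAL_CLIENT] * 5
    print("normal client:", judge_connection(NORMAL_CLIENT))
    print("slow client  :", judge_connection(slowloris_events()))
    print("slots held after 10 min, no timeout:", slots_in_use(pool, NO_TIMEOUT, 600.0))
    print("slots held after 10 min, 20-40s rule:", slots_in_use(pool, HeadReadPolicy(), 600.0))
```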

The End Game for DDoS

DDoS attacks have targeted a diverse range of organizations, from government institutions and banks, to social networking companies and even root name server operators. The motivations for DDoS attacks vary: financial, political, religious, entertainment, or even personal notoriety. Many organized cyber criminals use DDoS to extort money from online sites. Authorities convicted a Russian gang of blackmailing over 50 organizations, extracting over $4 million from British companies, typically online gambling sites.

Hacktivism is another key motivation for DDoS attacks. Whether driven by national patriotism or the desire to squelch the opinions of an ideological foe, DDoS is the weapon of choice. Regional hacktivist groups have performed DDoS attacks on government Websites since the mid-1990s. However, in 2010, a new breed of hacktivism emerged. Groups such as Anonymous and LulzSec began bombarding a wide swath of government and private sector Websites with Web application attacks and DDoS attacks.

Anonymous took on MasterCard, Visa and PayPal in one of its first hacktivist campaigns in late 2010. Imperva’s ADC tracked “Operation Payback” and witnessed how this campaign evolved. In the first stage of the campaign, individuals used a manually-tuned DDoS attack tool. The tool was later enhanced to become an automated DDoS attack tool, allowing any individual without any technical knowledge to participate in a full-fledged DDoS attack. In effect, participants were joining forces to form a “voluntary botnet.” In 2011 and 2012, Anonymous and LulzSec performed a number of high-profile attacks, bringing down Sony, Nintendo, News Corp, PBS, the Pentagon, the CIA, and many others.

DDoS Botnets-for-Hire

While hacktivist attacks often rely on voluntary hackers, most DDoS attacks are executed by criminal botnet services. DDoS rental fees typically start at $50 for small attacks, but some researchers have seen DDoS prices as low as $9. To attract customers, botnet owners advertise their services, continually seeking to outclass their botnet brethren. Owners promote their services in underground forums and mailing lists. In the case of the powerful IMDDOS botnet, the owners actually set up a public Website to showcase their offering. On a message board, one botnet operator touted that his botnet offered “the best combination of quality and service” and special pricing for regular customers. Options included HTTP attacks, downloading flood, POST flood, and ping commands “tuned to perfection.” Like slick advertising executives, botnet operators and even bot malware creators promote their offerings with carefully fine-tuned messaging.



Massive DDoS attack hits Chechen news agency

A massive distributed denial of service (DDoS) attack that peaked at 45 million packets per second (pps) has smashed into the Chechen internet news agency Kavkaz Center.

The attack was said to be among the largest on record. It lasted two months and took the agency’s main Sweden-based server and mirror sites offline last month.

Visnet, a European DDoS mitigation vendor recruited by the agency, did not know who was behind the attacks.

“The origin of the attack is undetermined as this pasting was orchestrated to use spoofed IPs,” the company told SC.

However, the agency has plenty of enemies within Russia. It was deemed “an official organ” of the Emarat Kavkaz terrorist organisation that operates within the North Caucasus. The UN Security Council says the outfit is linked to Al-Qaeda.

Russia has since pressured Swedish authorities to take down the web site which is hosted by PRQ, a company owned by the founders of The Pirate Bay.

The Kavkaz Center alleged in a blog this week that the attacks peaked when Russia’s UN ambassador Vitaly Churkin raised Moscow’s bid to take down the site at a UN Security Council meeting.

The DDoS SYN flood peaked at some 25 gigabits per second and sent up to 2 million pps to the agency’s mirror sites.

One of the largest packet-per-second attacks on the public record was detected in November last year.

Paul Sop, chief technology officer of DDoS prevention agency Prolexic told SC at the time that the 69 million pps attack targeted a Taiwanese retailer from servers based in China.

Application layer attacks were traditionally the most common form of DDoS according to Prolexic, but have been overtaken by infrastructure layer attacks via ICMP, SYN and UDP floods.


3 steps to dodge the Distributed Denial of Service ‘DDoS’ bullet

It is an all-too-common headline: Prominent website brought down by attackers. The backstory to this growing threat to business is a distributed denial-of-service (DDoS) attack. It is important that businesses are aware and take proactive steps to prevent becoming the next victim and headline of a DDoS attack.

This article explains DDoS attacks and offers steps to minimise their impact or ideally completely prevent them from happening to you.

The risk is real and increasingly dangerous

If you think you’re too small, too irrelevant or don’t have enough money to be an interesting victim for an attacker, think again. Any organisation is a possible victim and most of us are vulnerable to a DDoS attack. Whether you’re a Fortune 500 global enterprise, a governmental agency or a small- to mid-sized business (SMB) – we’re all on the target list of today’s cyber-thugs. Even security-savvy businesses with plenty of financial resources and experts to protect themselves have fallen victim to this threat, including Amazon, Visa, Sony, Monsanto, PostFinance, PayPal and Bank of America.

Recently, the number of DDoS incidents has increased significantly. Attacks have also grown in scale, well exceeding traffic volumes of 100 Gbps. One prolonged attack on an ecommerce site in Asia involved a botnet of over a quarter million zombie computers, many reportedly based in China.

DDoS comes in assorted flavors

At the most basic level, a DDoS attack is an attempt to make a machine or network resource unavailable to its intended users. Although the means to carry out, motives for, and targets of a DDoS attack may vary, it generally consists of the efforts of one or more people to temporarily or indefinitely interrupt or suspend services of a host connected to the Internet.

Typically, this is done through the coordinated efforts of distributed botnets, employing up to hundreds of thousands of zombie computers, machines which have been previously infected and are remotely controlled, just awaiting their commands. DDoS attacks work either by initiating floods of traffic to overwhelm server resources by brute force, or by exploiting inherent vulnerabilities to crash the target server.

Flood attacks include ICMP floods (e.g., smurf and Ping flood attacks), SYN floods (using bogus TCP/SYN packets), and other application-level floods. Flood DDoS attacks often leverage the asymmetric power of large distributed botnets. These can create multiple threads to send overwhelming amounts of requests to disable web servers.

Crash attacks often send malformed packets that take advantage of operating system bugs. Application-level DDoS attacks attempt to crash systems by leveraging exploits on server applications (e.g., buffer overflows or fork bombs). Malware-borne DDoS attacks can compromise potential botnet systems with a Trojan, which in turn triggers the download of a zombie agent.

Moreover, attacks have become more sophisticated. For example, botnets might not only flood broadcasted packets at a targeted server, but also intrusively establish connections with servers to initiate overwhelming volumes of bogus application transactions from within.

Why DDoS?

Criminals use DDoS because it is cheap, hard to detect, and highly effective. DDoS attacks are cheap because they can leverage distributed networks of thousands of zombie computers taken over by worms or other automated methods. For instance, the DDoS attack MyDoom used a worm to distribute the launching of flood attacks. Because these botnets are globally sold and available on the black market, an attacker might buy the use of a botnet for less than $100 for a flood attack, or contract specific attacks for as little as $5 an hour.

DDoS attacks are hard to detect because they often use normal connections and mimic normal authorised traffic. As a result, they are also highly effective because, typically, the targeted servers mistakenly trust the traffic, and so facilitate the attacks by executing the requests that ultimately overwhelm them. For example, in HTTP-GET flood attacks (e.g., MyDoom), the requests are sent over normal TCP connections and are recognised by the web server as legitimate content.

Driven by money or ideology

Financially driven DDoS attacks are typically based on either extortion or competition. Extortion schemes often profit by demanding significant ransoms from victim organisations in order to prevent denial of service. For instance, one UK e-gambling site was reportedly brought down by a DDoS attack after refusing ransom demands.

Attacks by unscrupulous business competitors are more prevalent than might be expected. One industry survey found that more than half of all DDoS attacks on U.S. enterprises were driven by competitors seeking an unfair business advantage.

Ideological attacks can be launched by governmental entities or grassroots “hacktivists.” Hacktivists tend to seek publicity by obstructing high-profile organisations or sites symbolising conflicting political views or practices. Perhaps one of today’s most notorious examples for hacktivists is the loosely affiliated group Anonymous, who have claimed the responsibility (and publicity) for bringing down sites of such high-profile organisations as the FBI and the CIA, and have targeted websites in over 25 countries across 6 continents.

Who is next?

Since hacktivist agendas can be volatile and unpredictable, any business might be targeted as a symbol of the latest cause du jour. Sites for high-profile organisations (e.g., Facebook) or events (e.g., the Olympics, Euro Cup or U.S. Elections) are particularly likely targets.

In the case of government-launched cyber-war DDoS attacks, not only .gov targets are vulnerable. Such attacks can also target affiliated vendors who supply key infrastructure, communications or transportation services, or seek to cripple key business or financial transaction servers.

Cloud-based services may now also be especially vulnerable to targeted attack. Because sites that require excessive amounts of computations or transactions (e.g., comprehensive search engines or data mining sites) are already pressed for resources, they are also preferred targets for DDoS attacks.

What IT can do

Clearly IT needs to be vigilant and take preemptive steps against DDoS attacks. Industry analyst firm Gartner states that DDoS mitigation should be “a standard part of business continuity/disaster recovery planning and be included in all Internet service procurements when the business depends on the availability of Internet connectivity.”

To do so effectively, a business must be forewarned, prepared and resilient against DDoS attack.

IT needs to be forewarned

Simply speaking, IT should know its ISP. IT should collaborate on having an effective response plan in place with its service providers. In many instances, the ISP can be the first line of defense for DDoS.

IT should know its bottlenecks. A well-prepared IT organisation should identify the parts of the network that are most likely to be overwhelmed by a DDoS attack, such as Internet pipe, firewall, intrusion prevention (IPS), load balancer or servers. Further, IT needs to closely monitor these potential points of failure under attack, and evaluate whether to upgrade or optimise their performance and resiliency.

Finally, the IT staff should know its traffic. IT cannot control what it cannot see. Therefore, IT should scan and monitor both inbound and outbound traffic to gain visibility into unusual volumes or patterns that might identify targeted sites or disclose botnets within the network. For full preparedness, IT also needs visibility into Layer 7 traffic in order to identify and control blended and application-layer DDoS attacks.

IT needs to be prepared

The IT organisation should invest in evaluating and implementing appropriate countermeasure products and services. For instance, some next-generation firewalls feature integrated intrusion detection and prevention countermeasures against known DDoS attacks, which can be updated automatically with continuous up-to-the-moment signatures.

Ideally, IT will want a firewall to deeply scan both inbound and outbound traffic—including visibility into applications—and monitor and alert management on suspect patterns. IT should make sure that the firewall solution enables remediation of DDoS attacks by blocking, filtering or redirecting traffic based upon identified patterns, volumes or characteristics.

For comprehensive traffic intelligence, IT may also consider implementing traffic flow analytics software that can examine usage data by application or user, look at data over different time periods and correlate traffic data from multiple sources, such as NetFlow and IPFIX.

Going forward, IT leaders should keep apprised of emerging technologies to add to the arsenal, such as IP geolocation, which could help identify suspicious geographic sources of inbound packets.

IT needs to be resilient

As described, denial of service attacks are built upon overwhelming and bottlenecking systems. Wherever possible, IT should enhance the network’s resiliency with highly redundant, high-performance components, and policy-based bandwidth management.

For example, certain next-generation firewalls can combine massively scalable multi-core design with near-wire-speed deep-packet scanning technology to enable simultaneous, multi-threat and application scanning and analysis of unlimited file sizes and connections at multi-gigabit speeds. Such firewalls can be configured for optimal performance and flexibility under attack, with active/active high availability (HA) failover, application intelligence and control, and bandwidth prioritisation.


If an organisation does business anywhere on the Internet, it is likely not a question of if, but when it will be targeted by a DDoS attack. Yet there is much IT can do to minimise and deflect the impact. The IT organisation should closely collaborate with company leadership to be forewarned of where their vulnerabilities lie, be prepared with appropriate countermeasures, and be resilient with high performance, high redundancy network security components.



How To Select A Distributed Denial of Service ‘DDoS’ Mitigation Service

Late last month, two members of the hacker group LulzSec pleaded guilty to launching distributed denial-of-service (DDoS) attacks against entities ranging from the state of Arizona to Nintendo to the CIA. Yet despite extensive media coverage of such attacks, chief information security officers are still surprised when their companies get hit.

This is not an unforeseeable lightning bolt from the blue, people. The cyber world is full of anonymous arsonists, and too many businesses are operating without a fire department on call. A few sprinklers won’t cut it when things flare out of control. Firewalls and intrusion-prevention system appliances are no substitute for specialized DDoS backup when an attack escalates.

Proactively securing a mitigation service can be a good insurance policy–in fact, it’s better than insurance, which pays off only after damage is done. That’s because mitigation services are designed to prevent destruction from occurring in the first place. Not only can a mitigation service act as a deterrent–many attackers will move on to easier prey when they see an initial DDoS attack fail–but these providers have the capacity and expertise to rapidly scale DDoS countermeasures against coordinated, professional attacks. That can mean keeping your website online even under heavy bombardment.

Big And Small Companies At Risk

Denial-of-service attacks used to be something that happened to other people, those with high online visibility. Not anymore. “We’ve seen very small companies come to us and they can’t figure out why they’re under attack,” says Chris Richter, VP of security products and services at Savvis. They ask, “‘What have we done?'”

Blame the proliferation of prepackaged DDoS toolkits, such as the Low Orbit Ion Cannon and Dirt Jumper, for the fact that no one’s safe. Like any brute-force tactic, DDoS relies on the fact that any attack, even the most rudimentary, repeated with sufficient volume and frequency, can effectively shut down a network or website. Botnets often span thousands or millions of systems worldwide; Akamai, for example, provides a real-time attack heat map. In early July, attack rates were almost 30% above normal, with hot spots in Delaware and Italy. Geographic dispersion, coupled with network traffic crafted to look like legitimate connections from normal users, makes DDoS attacks both extremely effective and difficult to defeat if you’re not an expert with the right tools.

There are three main distributed denial-of-service categories:

>> Volumetric attacks overwhelm WAN circuits with tens of gigabits per second of meaningless traffic–so-called ICMP or UDP floods.

>> Layer 3 attacks abuse TCP. For example, SYN floods overload network equipment by starting but never completing thousands of TCP sessions using forged sender addresses. SYN floods can be in excess of 1 million packets per second, largely in response to the wider deployment of hardware countermeasures on firewalls and other security appliances, says Neal Quinn, COO of DDoS mitigation specialist Prolexic.

>> Layer 7 floods use HTTP GET or POST requests to overload application and Web servers. From the attacker’s perspective, L7 exploits aren’t anonymous. The attacking client’s identity (IP address) is exposed because a TCP handshake must be completed. Attackers who use this approach consider the risk outweighed by the technique’s effectiveness at much lower volumes and the traffic’s stealthy nature. Requests are designed to look like normal Web traffic, factors that make L7 attacks hard to detect.

Our InformationWeek 2012 Strategic Security Survey shows that the increasing sophistication of threats is the most-cited reason for worry among respondents who say their orgs are more vulnerable now than in 2011, and L7 attacks are certainly sophisticated. They’re also getting more common: Mark Teolis, founder and CEO of DOSarrest, a DDoS mitigation service, says 85% of the attacks his company sees have a Layer 7 component. Attackers leveraging L7 are often developers; they may do some reconnaissance on a website, looking for page requests that aren’t cacheable and are very CPU-intensive–things like filling a shopping cart, searching a database, or posting a complex form.

Teolis says that a mere 2 to 3 Mbps increase in specially crafted L7 traffic can be crippling. “We’ve had gaming sites tell us they can handle 30,000 customers, but if 100 hit this one thing, it’ll bring down the entire site,” he says.

Layer 7 attacks are tough to defeat not only because the incremental traffic is minimal, but because it mimics normal user behavior. Teolis has seen attacks where an individual bot may hit a site only once or twice an hour–but there are 20,000 bots involved. Conventional network security appliances just can’t handle that kind of scenario. And meanwhile, legitimate customers can’t reach your site.
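An added example (not from DOSarrest or the article) of the aggregation a per-client threshold misses: it measures distinct sources per endpoint in one window against a quiet-period baseline and flags endpoints where many clients each do very little, then shows that a per-IP hit limit over the same records sees nothing. The baseline figures, the `/search` and `/products` paths, and the 198.18.0.0/15 and 203.0.113.0/24 addresses are all constructed.

```python
from collections import defaultdict


def endpoint_report(records, baseline_sources, factor=5.0, max_hits_per_source=3.0):
    """records: iterable of (ip, path) requests seen in one window (e.g. one hour).
    baseline_sources: {path: typical distinct sources per window}, measured in quiet periods.
    Flags paths whose distinct-source count is at least `factor` x baseline while the
    average hits per source stays at or below `max_hits_per_source`."""
    per_path = defaultdict(lambda: defaultdict(int))   # path -> ip -> hits
    for ip, path in records:
        per_path[path][ip] += 1

    flagged = {}
    for path, per_ip in per_path.items():
        distinct = len(per_ip)
        total = sum(per_ip.values())
        per_source = total / distinct
        base = baseline_sources.get(path, 0)
        if base and distinct >= factor * base and per_source <= max_hits_per_source:
            flagged[path] = {
                "distinct_sources": distinct,
                "total_hits": total,
                "hits_per_source": round(per_source, 2),
            }
    return flagged


def per_ip_over_limit(records, limit=50):
    """The conventional control: addresses whose total requests in the window exceed `limit`."""
    counts = defaultdict(int)
    for ip, _ in records:
        counts[ip] += 1
    return {ip for ip, n in counts.items() if n > limit}


def constructed_hour():
    """One constructed hour: 2,000 addresses each requesting the uncacheable search page
    once or twice, plus 50 ordinary shoppers browsing products and searching a little."""
    recs = []
    for i in range(2000):
        ip = f"198.18.{i // 256}.{i % 256}"
        recs.append((ip, "/search"))
        if i % 2 == 0:
            recs.append((ip, "/search"))
    for j in range(50):
        ip = f"203.0.113.{j}"
        recs += [(ip, "/products")] * 10 + [(ip, "/search")] * 2
    return recs


# Constructed quiet-period baseline: distinct sources per hour for each endpoint.
BASELINE = {"/search": 120, "/products": 400}

if __name__ == "__main__":
    recs = constructed_hour()
    print("endpoint view :", endpoint_report(recs, BASELINE))
    print("per-IP view   :", per_ip_over_limit(recs) or "nothing exceeds the limit")
```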

Why Us?

The motivations for a DDoS attack are as varied as the perpetrators. For many, it’s just business, with targets strategically chosen by cyber criminals. Others are political–a prime example is LulzSec hitting the Arizona Department of Public Safety to protest the state’s strict immigration law, SB 1070. And for some, it’s just sport.

Given this randomness, it’s impossible to predict the need for professional distributed denial-of-service mitigation. For example, Teolis says one of DOSarrest’s customers was the Dog Whisperer, that guru of man’s best friend. “If Cesar Millan can get attacked, anyone is fair game,” he says.

Purchasing mitigation services requires the same kind of budgeting as any form of IT security: What you spend on controls should be proportional to the value of the data or website. So, while any organization with an online presence is at some risk, those with financial or reputational assets that could be seriously damaged by going dark should take DDoS mitigation most seriously.

Everyone should take these preparatory steps.

>> Do online reconnaissance: Follow what’s being said about your company online, particularly on public social networks, and look for chatter that might hint at extortion or hacktivism. Subscribe to security threat assessment reports covering the latest DDoS techniques and incidents. Prolexic is one source for threat advisories; US-CERT also has overviews, like this one on Anonymous.

>> Heed threat mitigation recommendations: DDoS threat reports typically include details about the attack signature and recommended mitigation steps. For example, a recent Prolexic report on the High Orbit Ion Cannon identifies specific attack signatures, in this case HTTP requests, and content filter rules to block them. For L3/L4 attacks, incorporate these rules into your firewall; do likewise for L7 attacks if your firewall supports application-layer filtering.

>> Have a communications strategy: Know what you’ll tell employees, customers, and the media should you be the victim of an attack. Don’t wait for an attack and then make up statements on the fly.

>> Have an emergency mitigation backup plan: Although most DDoS mitigation services operate on a monthly subscription basis, if you haven’t signed up and an attack overwhelms your defenses, at least know who you’re gonna call. Quinn and Teolis say their services can be operational and filtering DDoS traffic within minutes, though of course it will cost you.

What To Look For In DDoS Mitigation

At the risk of oversimplification, DDoS mitigation services are fundamentally remote network traffic filters. Once your system detects an attack affecting your network or servers, you redirect traffic to the service; the service filters out the junk and passes legitimate packets to their original destinations. In this sense, it’s like a cloud-based spam filter for websites.

This traffic redirection, so-called on-ramping, is typically done via DNS. The mitigation provider creates a virtual IP address, the customer makes a DNS A record (hostname) change pointing to the remote VIPA, traffic flows through the mitigation provider’s filters, and the provider forwards only legitimate traffic on to the original site. Those facing attacks on multiple systems can divert entire subnets using Border Gateway Protocol advertisements, using Generic Routing Encapsulation tunneling to direct traffic to the mitigation provider. Advertising a new route to an entire address block protects an entire group of machines and, says Quinn, has the advantage of being asymmetrical, in that the mitigation service is used only for inbound traffic.

The most important DDoS mitigation features are breadth of attack coverage, speed of service initiation (traffic on-ramping), and traffic capacity. Given the increasing popularity of application-layer attacks, any service should include both L3/4 and L7 mitigation technology. Services may segment features into proactive, before-the-attack monitoring and reactive, during-the-incident mitigation.

Customers with monthly subscriptions should demand typical and maximum mitigation times–measured in minutes, not hours–backed up by a service-level agreement with teeth. Even those procuring emergency mitigation services should expect fairly rapid response. Most DDoS specialists staff operations centers 24/7.

With DDoS mitigation, procrastination can be expensive. For those 70% of customers who first turn to DOSarrest in an emergency, the setup fee for the first month is around $3,500 to $4,000, depending on the complexity of the site. In contrast, an average monthly cost on a subscription basis is $700 per public-facing IP address.

Filtered bandwidth is another way to differentiate between services. Some, like Prolexic, adopt an all-you-can-eat pricing model. For a flat fee per server, customers can use the service as often as they need with as much bandwidth as required. Others, like DOSarrest, keep the “use as often as you like” model but include only a certain amount of clean bandwidth (10 Mbps in its case) in the base subscription, charging extra for higher-bandwidth tiers. Teolis says 10 Mbps is sufficient for at least 90% of his company’s customers.

A few services use a pricing model akin to an attorney’s retainer, with a low monthly subscription but hefty fees for each DDoS incident. Richter says Savvis is moving to this model, saying that customers want usage-based pricing that resembles other cloud services. Prolexic’s Quinn counters that this pricing structure leads to unpredictable bills.

Bottom line, there’s a DDoS service to suit your tolerance for risk and budgetary volatility.

Optional services available from some providers include post-attack analysis and forensics (what happened, from where, and by whom) and access to a managed network reputation database that tracks active botnets and sites linked to fraudulent or criminal activity, a feature that facilitates automated blacklisting to help prevent attacks in the first place.

Aside from looking at service features, evaluate each company’s technical expertise and track record. DDoS mitigation specialists, for whom this is a core business (or perhaps their only business), arguably have more experience and focus than Internet service providers or managed security providers for which DDoS mitigation is just a sideline. Not surprisingly, Quinn, whose company was among the first to offer DDoS mitigation as a service, suggests customers should make vendors show evidence that DDoS mitigation is something they do regularly, not as a rare occurrence.

Make sure the service has highly qualified staff dedicated to the task. Ask whether the provider has experts available 24/7 and how long it will take to access someone with the technical ability and authority to work on your problem.

Unfortunately there’s no rule of thumb for measuring the DDoS mitigation return on investment; it’s really a case-by-case calculation based on the financial value of the site being attacked. It relies on factors such as the cost in lost revenue or organizational reputation for every minute of downtime. Quinn cites a common analyst cost estimate, which Cisco also uses in its product marketing, of $30 million for a 24-hour outage at a large e-commerce site.

There’s a cruel asymmetry to DDoS attacks: They can cost thousands to mitigate, inflict millions in damage, and yet attackers can launch them on the cheap. A small botnet can be rented for as little as $600 a month, meaning a serious, sustained attack against multiple targets can be pulled off for $5,000 or $10,000.

With damages potentially two or three orders of magnitude higher than the DDoS mitigation costs, many organizations are finding mitigation a worthwhile investment. In fact, three-quarters of DOSarrest’s customers don’t wait for a DDoS attack to flip the switch, but permanently filter all of their traffic through the service. That makes sense, particularly if it’s a high-value or high-visibility site, if your traffic fits within the cap, or if you’re using an uncapped service like Prolexic. These services use the same sorts of colocation hosting centers where companies would typically house public-facing websites, and they do geographically distributed load balancing and traffic routing to multiple data centers. That makes the risk of downtime on the provider’s end minimal. And this approach could actually reduce WAN costs since it filters junk before it ever touches your systems.


If a mitigation service is too expensive, there are things IT can do to lower the exposure and limit the damage from DDoS attacks (discussed more in depth in our full report):

1. Fortify your edge network: Ensure that firewall and IDS systems have DoS features turned on, including things like dropping spoofed or malformed packets, setting SYN, ICMP, and UDP flood drop thresholds, limiting connections per server and client, and dynamically filtering and automatically blocking (at least for a short time) clients sending bad packets.

2. Develop a whitelist of known good external systems: These include business partner gateways, ISP links and cloud providers. This ensures that stringent edge filtering, whether done on your firewall or by a DDoS service, lets good traffic through.

3. Perform regular audits and reviews of your edge devices: Look for anomalies like bandwidth spikes. This works best if the data is centrally collected and analyzed across every device in your network.

4. Understand how to identify DDoS traffic: Research attack signatures and have someone on your network team who knows how to use a packet sniffer to discriminate between legitimate and DDoS traffic.

5. Prepare DNS: Lower the DNS TTL for public-facing Web servers, since these are most likely to be attacked. If you need to protect an entire server subnet, have a plan to readvertise BGP routes to a mitigation service.

6. Keep public Web servers off your enterprise ISP link: With Web servers being the most common DDoS target, Michael Davis, CEO of Savid Technologies and a regular InformationWeek contributor, recommends Web hosting with a vendor that doesn’t share your pipes. “Your website may be down, but at least the rest of your business is up,” says Davis.

7. Practice good server and application security hygiene: Layer 7 attacks exploit operating system and application security flaws, often using buffer overflows to inject attack code into SQL databases or Web servers, so keep systems patched.
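Steps 3 and 4 above (centrally analyzing edge data for anomalies, and telling DDoS traffic from legitimate traffic) are easier to act on with a concrete detector, so here is an added example that is not part of the original article or any vendor's product. It scans a constructed access log for the two patterns the text describes: one source flooding the site, and the low-rate Layer 7 pattern Teolis mentions, where thousands of bots each hit an expensive page only once or twice while the page's aggregate rate explodes. The known-good partner range (the step 2 whitelist) is excluded before counting; all addresses, paths, baselines and thresholds are constructed for the demonstration.

```python
"""Detect two DDoS traffic patterns in a web access log (added example).

Pattern 1: one client hammering the site (a classic per-client flood).
Pattern 2: a low-rate distributed Layer 7 flood, where thousands of sources
each send a request or two per window against one expensive endpoint, so every
client looks benign but the endpoint's aggregate rate is far above normal.
Known-good partner ranges (the step 2 whitelist) are excluded before counting.
"""
import ipaddress
import re
from collections import Counter, defaultdict
from datetime import datetime

# Common Log Format: ip ident user [time] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp, path without query string), or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT)
    return m.group("ip"), ts, m.group("path").split("?", 1)[0]


def analyze(lines, window_s=600, per_client_max=120, path_baseline=None,
            allowlist=(), factor=10):
    """Bucket requests into fixed windows of window_s seconds and return findings.

    per_client_max: requests one client may send per window before it is flagged.
    path_baseline:  {path: normal requests per window}; a path is flagged when
                    clients that are individually under per_client_max still push
                    it past factor x baseline. Paths with no baseline are skipped.
    allowlist:      CIDR strings for known-good partners, never counted.
    """
    path_baseline = path_baseline or {}
    nets = [ipaddress.ip_network(c) for c in allowlist]
    per_client = defaultdict(Counter)                     # window -> ip -> hits
    per_path = defaultdict(lambda: defaultdict(Counter))  # window -> path -> ip -> hits
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, path = rec
        if any(ipaddress.ip_address(ip) in n for n in nets):
            continue  # whitelisted partner traffic is never a finding
        w = int(ts.timestamp()) // window_s
        per_client[w][ip] += 1
        per_path[w][path][ip] += 1
    findings = []
    for w in sorted(per_client):
        noisy = {ip for ip, n in per_client[w].items() if n > per_client_max}
        for ip in sorted(noisy):
            findings.append({"kind": "client_flood", "key": ip,
                             "requests": per_client[w][ip]})
        for path, hits in sorted(per_path[w].items()):
            base = path_baseline.get(path)
            quiet = {ip: n for ip, n in hits.items() if ip not in noisy}
            total = sum(quiet.values())
            if base is not None and total > factor * base:
                findings.append({"kind": "distributed_flood", "key": path,
                                 "requests": total, "distinct_sources": len(quiet),
                                 "max_per_source": max(quiet.values())})
    return findings


def constructed_log():
    """Constructed sample log for one 10-minute window (not real traffic)."""
    def rec(ip, sec, path):
        return (f'{ip} - - [10/Mar/2012:14:{sec // 60:02d}:{sec % 60:02d} +0000] '
                f'"GET {path} HTTP/1.1" 200 512')
    lines = []
    for c in range(5):                                    # ordinary shoppers
        ip = f"192.0.2.{10 + c}"
        lines += [rec(ip, 30 * k, "/") for k in range(10)]
        lines += [rec(ip, 30 * k + 5, f"/product?id={k}") for k in range(8)]
        lines += [rec(ip, 100 + c, "/cart"), rec(ip, 400 + c, "/cart")]
    lines += [rec("198.51.100.7", k % 600, "/api/inventory") for k in range(400)]  # partner
    lines += [rec("203.0.113.9", k % 600, "/") for k in range(500)]  # single-source flood
    for i in range(3000):                                 # 3000 bots, one /cart hit each
        lines.append(rec(f"100.64.{i // 250}.{i % 250 + 1}", i % 600, "/cart"))
    return lines


if __name__ == "__main__":
    for f in analyze(constructed_log(), path_baseline={"/": 200, "/cart": 30},
                     allowlist=["198.51.100.0/24"]):
        print(f)
```

Per-client limits alone would miss the /cart flood, since every bot stays far under the threshold; only the per-endpoint aggregate with the distinct-source count reveals it.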


Source: Darkreading

Distributed Denial of Service DDoS attacks are evolving to take advantage of mobile

The technology world isn’t exactly starved for acronyms. These days, however, one stands out: DDoS.

It’s short for distributed denial of service, tech-speak for cyber attacks that overwhelm computers and make websites disappear. The cost in revenue, customer service and brand equity is often huge.

E-commerce companies, for example, have taken losses in the millions of pounds. And while an attack might last a day or two, a company’s call centre could field questions about it for weeks.

When customers, partners and shareholders hear you were knocked offline, your public reputation takes a major hit.

How DDoS works

Who launches DDoS attacks? Extortionists and cut-throat competitors are the main culprits.

So-called hacktivists like the cyber-gang Anonymous have joined the fun, targeting corporations or governments whose policies they oppose.

In one common scenario, an attacker floods a network connection with tens of gigabits of traffic, creating bottlenecks in firewalls, routers or even the connection itself.

When the next request for service tries to come or go, the network connection is clogged. The request is denied. Communication stops.

Another frequent occurrence: an attacker floods a target with hundreds of thousands of requests per second. When the receiving server attempts to process them, it quickly clogs and shuts down. Upon the next request, the server is unavailable.

Rapidly spreading threat

The first DDoS attacks occurred in the late 1990s.

By 2000, e-commerce sites were targeted and the business world quickly took notice.

It is now widely agreed that attacks occur thousands of times each day, with annual growth assessments as high as 45%.

One reason: low-cost, freely distributed DDoS attack technologies. Tools such as the Low Orbit Ion Cannon (LOIC) – a favourite piece of attack software – let anyone with a computer unleash a deadly barrage.

For as little as £50 a day you can even rent a botnet, an ad hoc network used to amplify attacks.

According to some sources, there are now over 50 popular DDoS tools – and the number is growing fast.

Besides becoming more numerous, attacks are growing in sophistication.

In the past, they mainly targeted the network layer of internet infrastructure. Now however, many zero in on internet-facing applications.

The idea is to exploit weaknesses and sap server resources.

Often going unnoticed, this tactic can be quite effective. For example, using the LOIC tool an attacker can target your website’s log-in page, overpowering back-end databases with costly CPU (central processing unit) queries.

The result can be the same as from a larger attack – an outage.

False sense of security

Like the internet itself, DDoS attacks are global.

On the list of countries generating the most attacks are China, Ukraine, India and the United States, though reports vary.

However, things aren’t always as they seem. Thanks to a rise in spoofed IP (internet protocol) addresses – packets of data whose sources have been forged – you can’t always be sure where the trouble starts.

Without advanced IP technologies, it can be difficult to know an attacker’s actual location. In truth, tracing an attack’s origin doesn’t always aid your defence.

Neither does the false hope that traditional measures will safeguard websites.

One shibboleth: “My ISP (internet service provider) will defend me from DDoS attacks.”

In truth, if an attack threatens your ISP’s network, you will be taken offline to protect other customers.

Another myth: firewalls or intrusion detection systems will keep you safe.

In fact, either can become a bottleneck, helping to achieve the attacker’s goal of slowing or shutting you down. During DDoS attacks, firewalls go down faster than the servers they are meant to protect.

The risks ahead

Last September, Damballa Labs reported that thousands of compromised Android devices were linked to criminal botnets.

During one two-week stretch, 20,000 devices were involved, an eye-opening milestone.

When you think about it, though, this shouldn’t come as a surprise. Mobile device infrastructure is expanding fast, essentially creating a second-tier wireless internet.

Unfortunately, mobile security hasn’t kept pace. Mobile devices are not only susceptible to malware infections but can also be used to download free attack tools.

That’s right, you can launch a DDoS attack from most smartphones or tablets.

Looking ahead, expect the DDoS threat to continue growing briskly. Attack tools will evolve. So will methodologies.

Money and ideology will always be powerful motives. The only thing that won’t change is the importance of the internet, making DDoS attacks a when, not an if.


Distributed Denial of Service ‘DDoS’ attack: What You Need to Know

Distributed Denial of Service (DDoS) attacks are one of the most malicious kinds of attacks an eCommerce website can suffer. The aim of the hacker isn’t to gain information, but to take your whole website down. What is a DDoS attack, why do hackers use DDoS attacks and how can you guard against it? Read on.

==> How a Denial of Service Attack Works

A denial of service attack is a flooding attack. Basically, the hacker floods your pipeline with so much bogus traffic that your website is unable to handle authentic traffic.

Think of it like your mailbox. If every day you got 10,000 letters that looked like real letters but contained junk, you’d have a very hard time finding any real letters addressed to you.

Usually DDoS attacks are done with “slave” machines or botnets. Hackers who control tens or hundreds of thousands of hacked computers all point those computers’ traffic to your server at once. All this combined traffic can quickly take your server offline.

==> Why Do Hackers Do DDoS Attacks?

If hackers have no financial incentive from DDoS attacks, why do they do it?

For one, hackers could do it just because they can. They could view it as a challenge. Hackers will often try to take down websites as a test of skill.

They could do it because something you did angered them. For example, Anonymous famously took down MasterCard’s website after they backed PayPal’s decision to freeze Wikileaks’ accounts.

It’s also possible that there actually is a financial incentive. For example, someone could have paid the hacker to take your site down. Or the hacker could be a competitor who’d benefit from your site going down.

If your site goes down on Halloween, for example, the one day when you do 40% of your business, your next competitor stands to gain significantly. Or the hacker could be shorting your company’s stock, if you’re publicly traded.

==> Defending against a DDoS Attack

Defending against a small DDoS is quite simple. All you need to do is set up your systems to quickly ferret out the real traffic from the fake by reading just the packet headers.

That means instead of fully evaluating each request coming into your servers, your servers start to “scan” the requests. They quickly dump anything that looks like an attack packet, while letting the rest through.

On the other hand, defending against a massive DDoS attack is extremely challenging. Even the best sysadmins will have a lot of trouble defending against an attack with hundreds of thousands of computers. The above technique doesn’t work, because even evaluating just the headers takes too long.

Once you get to this level of attack, you’ll need a sysadmin who really knows what they’re doing to reconfigure your server to withstand the attack. You may need to up your bandwidth or add more CPU power to defend against the attack.

DDoS attacks are one of the rarer forms of attacks you’ll face. Generally, attackers will try to gain access to your database, steal your customers’ data or use some other form of more monetizable theft. If you do find yourself facing a small DDoS attack, you should be able to deflect it by reconfiguring your servers. If you’re facing a giant DDoS attack, however, you may have to bring in specialists.


How Distributed Denial of Service ‘DDoS’ attack works

Often it starts with the plan of a criminal to build a botnet. So, this malicious person goes to an underground marketplace and buys a piece of malware, a bot and control server software. In addition, he/she might even be able to buy an initial distribution of the bot by letting somebody infect a webpage (which might be unpatched, have a weak password, or be otherwise unsecured) or through any other malware distribution channel you might know of (e.g. social engineering).

Now, the criminal is ready to go. He/she might own a certain number of PCs called Zombies. He can now offer his “services” on the same online black market he initially purchased the malware from, and might find “customers” like spammers, phishers, blackmailers or any other criminals.

Here you see the reason why we leverage our Malicious Software Removal Tool to go after the largest botnets. It is all about protecting the ecosystem.

So, I could basically rent a botnet to flood a web server with any kind of junk in order to take it offline – this is called a Distributed Denial of Service attack. I often compare this with spam – not for your Inbox but for your web server. The server is still up and running but kept busy sorting junk from legitimate traffic.

There are often different motivations behind this:

  • Remember the times of Al Capone? Where the criminals attacked shops and then offered them a service to protect them? The same can happen here: A criminal runs a DDoS against your website and takes it down for a few minutes. Then he lets it come up again and tells you that he can protect you from these attacks – I would call this blackmailing.
  • We often see such attacks with a political background. You see a conflict happening somewhere and one party (or both) is trying to take down the website of the other.
  • Sometimes it is more a “I do not like you” background. Microsoft has been attacked as well from time to time…



DDoS: Sophisticated Website Attacks Can Doom Your Marketing Campaigns

Chief information officers (CIOs) and chief marketing officers (CMOs) don’t always work together closely. Each person surely understands the other’s value, but they speak fundamentally different languages. They also have intrinsically different operating philosophies. However, a CIO and a CMO clearly have overlapping interests and mutual priorities, so they need to join forces to get the job done.

Now, there’s an even more critical reason for CMOs and CIOs to work together. That reason can be summed up in four letters: DDoS (Distributed Denial of Service attack). A lack of cooperation could be deadly for every marketing initiative.

For marketing professionals suspicious of geek-speak, here’s a primer. A DDoS attack is when your network gets flooded with so many requests that it gets overwhelmed and no longer recognizes the good requests from the bad ones. So, your network stops responding and gets shut down. That means your website will go down, your landing pages become unavailable, and your entire business starts to look questionable.

Your website is the face your company shows to the world. Unfortunately, some bad guys out there focus on throwing mud all over it.

What Do Attackers Want?

You need to know two types of bad guys exist out there: the old-fashioned kind, who is out to make a buck, and a newer breed of “hacktivists” who have different motives than outright theft. These are mostly anonymous groups who team up to embarrass a public or private entity (while showcasing their own skills along the way). Their weapon of choice is a DDoS attack.

Using a range of tools and tactics, hacktivists essentially crash the system. For example, the e-mail server is typically the communications lifeblood of every organization. Perpetrators can use a variety of freely available technologies to send in a hailstorm of fraudulent incoming mail and other requests to disable e-mail communications. Among many such examples, the Low Orbit Ion Cannon (LOIC) is an open-source network stress testing and Denial of Service application that’s widely available. It can be aimed with deadly precision at not just e-mail but Web applications and even the firewall. Even with traditional hardware defenses and backup resources, huge networks can be disabled for long periods.

Some of this will sound familiar because that’s exactly what happened to this very outlet. MarketingProfs’ service provider was recently hit with a DDoS attack that affected some operations.

For CIOs, a DDoS attack is a major headache. For CMOs, it can spell disaster.

The network infrastructure is like an online marketer’s supply (and demand) chain. Without the ability to meet incoming requests or adequately maintain communications, core marketing capabilities are rendered useless. In the short term, every marketing initiative suffers badly; in the long term, the entire user experience—and the overall brand—takes a serious hit.

How to Plan Your Defense

No one is suggesting that marketing executives acquire IT skills overnight or even become immersed in the minutiae of DNS defenses. However, given that marketing is among the functions hardest hit by DDoS attacks, some education and planning is in order.

Here are some questions to help with your planning.

Does the organization have a plan in place to cope with a DDoS attack? Again, the goal of such an assault is not to steal data (though that might also happen when defenses are down) but to halt all operations and put an embarrassing “Closed” sign on your front door. A series of attacks were launched recently at high-profile targets, and quite a few attacks crippled communications and required a major allocation of resources.

Are there adequate defenses in place to ward off a DDoS attack? (This can only be managed in cooperation with the IT department.) Has a mitigation solution been identified? Has technology (ISP, hosting firewall, appliance, etc.) been added to your toolkit to combat incoming threats? Do Service-Level Agreements (SLAs) with Internet Service Providers afford enough protections? This is a difficult question to answer because the newest variant of DDoS attacks is more potent than before, and there is a finite amount of capacity to handle them. More to the point, an ISP might conclude that the sheer scale of incoming traffic will affect operations with its other clients and turn off the spigot altogether, as may have been the case with MarketingProfs’ own outage.

What steps has your company taken to protect the user experience? In most marketing campaigns, this is critical. Even a slight hiccup can send customers elsewhere, never to return. Has the organization done enough testing, allocated resources to ramp up support as needed, and ensured that bandwidth-intensive bottlenecks are temporarily addressed or redirected as infrastructure is reassigned?

Also, is there a plan in place for when a Web outage occurs? The IT team will definitely prioritize the issue of bringing everything back up, but is there any alternative channel available to explain the problem or to just get the word out?

Similarly—and this might be seen as an IT-centric issue—is there a priority list in place to ensure the order in which online services and applications are brought back online and who in Marketing should be told when something is down? After all, these marketing campaigns are based around e-mail, web services, and so on. This may be an IT function, but it should be a marketing decision.

A sophisticated network assault can spell disaster for a company, but it doesn’t have to be that way. Working together, CIOs and CMOs can ensure that even the most deadly DDoS attack is mitigated or is rendered irrelevant. That might be the best alternative of all.