Hackers Will Target Small Business Through the Internet of Things in 2018, New Report Says

A new report finds hackers are poised to target small businesses that use Internet of Things (IoT) technology to gain access to data from larger global firms in 2018. The  2018 Cybersecurity Predictions by Aon’s Cyber Solutions predicts a small business Internet of Things (IoT) breach will create a domino effect that damages a larger company.

2018 Cybersecurity Predictions

The report also found that while  55 percent of small businesses were breached between 2015 and 2016,  only a small minority see cybersecurity as a critical issue. This is despite the fact that the overall money spent on cybersecurity in 2017 was $86.4 billion, an increase of 7 percent over 2016.

New Threat

The Internet of Things (IoT) is at heart of this new threat.  It’s loosely defined as all software enabled devices we use (from appliances to smartphone sand computers) that can exchange data.

Criminals hijacked hundreds of thousands of Internet of Things (IoT) devices worldwide in 2017. They’ve even fine tuned  social engineering and spear-phishing tactics according to the report.

Jason J. Hogg, CEO of Aon Cyber Solutions explains the looming threat as small businesses use this technology.

“IoT is notoriously unsecured: manufacturers often lack necessary security expertise, constant product innovation creates vulnerabilities, and companies frequently overlook proper patch management programs. Hackers exploit this reality, targeting IoT as a pivot point to enter systems and take control of physical operations.”

Botnets

The report found that hackers favored botnets like “Hajime” and “IoT_reaper” last year. The growing trend caused concerns about DDoS attacks and other issues. DDoS attacks occur when hackers flood servers with bogus data and websites and networks get shut down.

High Cost

Any attack can really harm a small businesses’ operations as well as a larger organization.  There’s always a high cost to having your business shut down for any amount of time. What’s more, there’s lasting reputational damage because these smaller firms are working more and more with big organizations that have a large reach.

Hogg also says there are some other reasons why small businesses are ripe for this new Internet of Things (IoT) cybersecurity threat.

“Small businesses, lacking resources and/or awareness to effectively secure their systems, are particularly vulnerable to cyber attacks on IoT,” he says. “The breach will serve as a wake-up call for small and midsized businesses to implement better security measures so as not to risk losing business.”

Passwords

The report also predicts passwords will continue to be hacked. Multifactor authentication will become critical as hackers learn to get around biometrics.  Larger businesses will adopt standalone cyber insurance policies and chief risk officers will play a larger role.

The report also sees the spotlight on regulation strengthening and widening as calls for a harmonized approach to cyber security get more intense.  It points to the EU’s attempt to set  a universal standard for consumer data privacy and Global Data Protection Regulation (GDPR), that oversees companies collecting data from EU citizens.

Criminals will also target transactions that use points as currency like retailers who use rewards, gift and loyalty programs.  The use of cryptocurrencies will encourage an increase in ransomware attacks in 2018 like the WannaCry ransomware that affected 200,000 computers in 150 countries in 2017.

Source: https://smallbiztrends.com/2018/01/2018-cybersecurity-predictions.html

Why DDoS attacks show no signs of slowing down

Distributed Denial of Service (DDoS) attacks caused substantial damage to organisations across APAC and the world in the past year.

According to Neustar’s recent ‘Worldwide DDoS Attacks and Cyber Insights Research Report’, 84 percent organisations surveyed globally were hit by a DDoS attack in the last 12 months, with 86 percent of those organisations were hit multiple times.

The code used to cause these large outages was published openly, and soon after all sorts of attacks and variants of the original code were causing havoc around the world.

Detection is too slow

DDoS attacks are not only occurring more frequently but are also getting more difficult to detect.

Within APAC, more than half of organisations on average are taking at least three hours to detect an attack and nearly as many took another three hours to respond once an attack was detected.

Alarmingly, slow detection and response can lead to huge damages financially. Around half of all organisations stand to lose an average of $100,000 per hour of peak downtime during an attack. To exacerbate this, 40 percent of organisations hit were notified by their customers of the attacks.

Investment is increasing

The worrying figures above help explain why 90 percent of organisations are increasing their investments in DDoS defences, compared to the previous 12 months – up from 76 percent last year- despite the fact that 99 percent already have some form of protection in place.

The threats faced today, and those anticipated in the future, are clearly forcing organisations to completely reconsider the ways they are currently protecting themselves.

Mitigating against DDOS attacks

Effectively mitigating DDoS attacks has become crucial for organisations that want to avoid damaging financial and reputational loss. In order to combat attacks, organisations need to adequately understand the threat, quantify the risk and then create a mitigation plan that corresponds to their needs.

Whether it’s a large or small scale DDoS attack, to keep up with the growing threat, companies will need newer, adaptable, and scalable defences that include new technology and methodologies.

Developing a mitigation plan

Paying the cost for a DDoS mitigation that exceeds their requirements is like over insuring your car – you are paying a premium for a service that does not match your level of risk/potential loss.

Similarly, implementing a DDoS mitigation that does not cover the risk will likely lead to additional costs, resulting from greater organisational impact and additional emergency response activities.

Once the severity of the risk is understood, there are three key critical elements of producing a good mitigation plan that must be enacted: detection, response and rehearsal.

Detecting an attack

Fortunately, there are several technologies out there that can be used to monitor both the physical and cloud-based environment. An example is how organisations can use Netflow monitoring on border routers to detect a volumetric attack, or provide this data to a third-party for analysis and detection.

They can also look at using appliances to conduct automatic detection and response, again managed internally or by a third-party. In a cloud environment, organisations can choose between a vast array of cloud monitoring tools that allow them to identify degradation and performance, CPU utilisation and latency, giving an indication as accurate as possible of when an attack occurs.

Responding to an attack

The response plan to the attack must be scaled to the organisation’s risk exposure and technology infrastructure. For instance, an organisation operating in the cloud with a moderate risk exposure might decide on a cloud based solution, pay-on-occurrence model.

On the other hand, a financial services company that operates its own infrastructure will be exposed to more substantial financial and reputational risk. Such a company would ideally look for a hybrid solution that would provide the best time to mitigate, low latency and near immediate failover to cloud mitigation for large volumetric attacks.

Rehearsal of your mitigation plan

Regardless of the protection method being deployed, it’s good practice to rehearse it periodically. Periodic testing can not only eliminate gaps or issues in responding to a DDoS attack, but can also prepare the responsible owners to perform their required actions when an actual event occurs.

In summary, DDoS attacks aren’t showing any signs of slowing down anytime soon. The threats associated with DDoS attacks cannot be understated or underestimated. Moreover, by quantifying the risk to the organisation and implementing a right-sized mitigation solution, organisations can effectively and efficiently mitigate the risk of DDoS attacks.

Source: https://securitybrief.com.au/story/why-ddos-attacks-show-no-signs-slowing-down/

DDoS attack and measures to Fight DDoS attack

White hats are in an ongoing battle with black hats for protecting the Internet from DDoS attacks. According to Abhor Network, more than 2000 daily DDoS attacks are observed worldwide.

In 2016, we saw the largest DDoS attack till date on Dyn (a DNS provider). During the attack, Dyn’s servers were loaded with more than  1.2 Tbps of data which crashed the company’s servers. This attack caused major websites like Twitter, Amazon, Reddit, and Netflix to go down. The attack was carried out using IoT devices infected by Mirai malware; which means the attacker might have used your routers, Smart TVs, mobiles, computers and IP cameras to do the DDoS attack.

Since the attackers have started using your Internet-connected devices to launch dangerous attacks (without your knowledge) against  Banks, Telecom, and Media (that speak against some political agendas), it is about time we(users) become aware of DDoS.

What is DDoS Attack?

DDoS is Distributed Denial of Service attack. In this attack, hackers use compromised systems (called botnets) to make online services unavailable to clients. During the attack, the attacker simply overfloods the service provider’s servers with fake traffics from multiple sources (botnets). This causes the servers to crash. Thus, the intended audience are deprived of the services.

In simple words, DDoS attack is like window shoppers swarming your business denying genuine customers from getting your service.

DDoS Attack Nepal
DDoS Attack

Symptoms of DDoS Attack:

According to Wikipedia, the United States Computer Emergency Readiness Team (US-CERT) has identified symptoms of a denial-of-service attack to include:

  • unusually slow network performance (opening files or accessing web sites)
  • unavailability of a particular website
  • inability to access any website
  • a dramatic increase in the number of spam emails received (this type of DoS attack is considered an e-mail bomb).

Additional symptoms may include:

  • disconnection of a wireless or wired internet connection
  • long-term denial of access to the web or any internet services.

Why is DDoS attack so dangerous?

  1. A large-scale attack can affect Internet connectivity of entire geographical regions.
  2. Anyone can buy a week of  DDoS attack at just $150 in the black market. Source: Trendmicro Research
  3. There can be millions of Botnets since many devices these days are connected to the Internet. This makes the attack more dangerous.
  4. There are more than 2000 attacks per day.
  5. Small businesses are an easy target because it is cheap and easy to attack services that don’t have DDoS countermeasures.

How to Fight DDoS attack:

  1. Be prepared by recognizing the symptoms of a DDoS attack.
  2. Get extra bandwidth for your website. This will give you time to fight the DDoS without your service going down.
  3. Monitor your website traffic regularly. Use Web Analytics tools.
  4. If you think you are under attack, contact your ISP or Host Provider.
  5. Use DDoS mitigation specialist companies if you can afford.

In conclusion, spread the words about DDoS attack to everyone you know who owns or wish to own a website. Also, prevent your devices from being compromised– I will write about it on next post. For now, let’s fight DDoS attacks together.

Source: https://www.gadgetbytenepal.com/fight-ddos-attack/

Attackers Clobbering Victims with One-Two Punch of Ransomware and DDoS.

Encrypted systems now being added to botnets in the latest incarnations of ransomware attacks, with experts expecting this to become standard practice.

As if ransomware weren’t bad enough, attackers are now making the most of their attacks by adding victimized machines to distributed denial of service (DDoS) botnets at the same time that they’re encrypted and held hostage, according to warnings from several security research organizations in the last week.

This one-two punch is a natural “Gimme” for profit-minded attackers and one which security pundits expect will be standard issue for most ransomware kits in the near future.

Adding DDoS capabilities to ransomware is one of those ‘evil genius’ ideas,” says Stu Sjouwerman, CEO of KnowBe4, which today issued an alert that a new variant of Cerber ransomware has added DDoS capabilities to its payloads. “Renting out DDoS botnets on the Dark Web is a very lucrative business, even if prices have gone down in recent years. You can expect [bundling] it to become a fast-growing trend.”

 

The new trend was first detailed by researchers with Invincea last week, which found attackers using weaponized Office documents to deliver the threat via a Visual Basic exploit that allows them to conduct a file-less attack. That delivers malware with the underlying binary, giving the bad guys “two attacks for the price of one,” says Ikenna Dike of Invincea.

“First, it is a typical ransomware binary that encrypts the user’s file system and files while displaying a ransom note. Second, the binary could also be used to carry out a DDoS attack,” Dike said in a post. “The observed network traffic looks to be flooding the subnet with UDP packets over port 6892. By spoofing the source address, the host could direct all response traffic from the subnet to a targeted host, causing the host to be unresponsive.”

Seen by many as a perfect example of the mercenary nature of cybercrime, ransomware’s evolution has been driven entirely by black market ROI. According to the FBI, by the end of the year the ransomware market is expected to net the crooks at least $1 billion.

“Relatively high profit margins coupled with the relatively low overhead required to operate a ransomware campaign have bolstered the appeal of this particular attack type, fueling market demand for tools and services corresponding to its propagation,” explained FireEye researchers in an update last week on ransomware activity.

FireEye’s data shows that there was a noticeable spike in ransomware in March this year and that overall figures are on track for ransomware to exceed 2015 levels. This latest trend of DDoS bundling once again shows the lengths to which the criminals will squeeze every last bit of profitability and efficiency from ransomware attacks. It also offers fair warning to enterprises that even with backups, ransomware can pose threats to their endpoints and networks at large.

Even if data is restored on systems plagued by ransomware, there’s no guarantee that a system wouldn’t be used to continue to remain a part of the botnet or be used as a foothold for further attacks if the threat isn’t properly contained.

Source:  http://www.darkreading.com/endpoint/attackers-clobbering-victims-with-one-two-punch-of-ransomware-and-ddos/d/d-id/1325659

DDoS attacks threat growing, study says

DDoS (Distributed Denial of Service) attacks continue to increase dramatically, threatening websites and businesses globally, according to a study cited by IPC, the country’s pioneer DDoS Mitigation service provider.
The study conducted by IPC’s DDoS Mitigation partner Imperva Incapsula, entitled Global DDoS Threat Landscape Q4 2015, used data from 3,997 network layer and 5,443 application layer DDoS attacks mitigated by Incapsula from October 1 to November 29, 2015.
A DDoS attack is a costly form of cyber crime where a large volume of malicious traffic is flooded into a website, causing it to crash. This is a planned and coordinated attack to disrupt the normal function of a website.
According to the study, the United States, United Kingdom and Japan are the top three targeted countries. Furthermore, UK-based and Japan-based sites saw a 20.7 percent and 7.4 increase in attacks, respectively.
“DDoS is a serious online crime that cannot be ignored. It warrants a definitive course of action from highly-skilled professionals trained in this type of cyber war,” said IPC president Rene Huergas. He added that the Incapsula report is a clear indication of how DDoS poses a formidable threat to businesses in any industry worldwide, including the Philippines.   In the study, it was revealed that there were changes in the DDoS attack patterns during the last quarter of 2015 and a surge in the use of DDoS-for-hire services. A 25.3-percent increase from the previous quarter in terms of frequency of network layer attacks was also recorded.
The longest application layer attack — to date lasted for over 101 days. The target was a US-hosted Web site registered to a small catering business. Moreover, a 325Gbps network layer attack, one of the largest to ever be documented, occurred in mid-December 2015.
“Business leaders and entrepreneurs must be vigilant against these attacks, which can cause damage to their companies’ coffers. As what the report stated, the perpetrators are finding new ways to infiltrate Web sites and crash these on purpose,” Huergas pointed out.
Cyber crimes on a larger scale can take its toll on a country where there is a growing need for companies to go online to reach a bigger target market. A recent example is when the National Telecommunications Commission (NTC) Web site was defaced by hackers claiming to be from Anonymous Philippines. As the group turned the NTC page black, they posted their grievances over the state of Philippine Internet. The attack went viral immediately, not only bringing to the public’s attention the group’s cause but exposing the vulnerability of the website of a government agency.
Aside from the government, most businesses in the retail and financial industries in the Philippines have online presence. E-commerce, for one, continues to thrive, attracting customers who spend a lot of time online. Some of these e-commerce sites have advertised aggressively, spending millions for production and tri-media (TV, print and radio) placements, proof that e-commerce is an emerging industry.
Aside from this, most decision makers recognize the importance of going digital to grow their business. Indeed, there is a need for effective online safeguards and security measures to prevent DDoS attacks.

Source: http://www.tribune.net.ph/business/ddos-attacks-threat-growing-study-says

Hackers Breach Linux Mint Distribution, Forums

Attackers manage to breach Linux Mint’s security, adding a backdoor to the distribution and even stealing information from user forums.
The Linux Mint operating system community is reeling today after the public disclosure on Feb. 21 that hackers managed to infiltrate the popular Linux distribution and plant a backdoor in the system. Adding further insult to injury, hackers were also able to compromise the Linux Mint user forum, stealing username and password information. As a result of the attack, the LinuxMint.com Website is now offline as the distribution scrambles to restore confidence and security.
Linux Mint has emerged in recent years to become one of the most popular desktop Linux distributions in the world. A key part of Linux Mint’s popularity is its Cinnamon desktop, which provides users with a different user interface from the more standard GNOME desktop. Linux Mint does, however, offer other desktop choices to users as well.
It appears that on Feb. 20 the attackers were only able to impact the most recent Linux Mint 17.3 Cinnamon edition (which eWEEK reviewed here), according to Clement Lefebvre, founder of Linux Mint.
Lefebvre noted the intrusion was brief and quickly discovered. “Hackers made a modified Linux Mint ISO, with a backdoor in it, and managed to hack our website to point to it,” he wrote.
In addition to the hacked Linux Mint 17.3 Cinnamon Edition download, the attackers also compromised the user forums site (forums.linuxmint.com), stealing a copy of the entire database. Hackers now have usernames and passwords used on the Linux Mint forum Websites, and so it is imperative that users make sure they aren’t using the same username/password combination on other sites.
In terms of root cause for the breach of Linux Mint’s security, the finger is being pointed at a security issue with a poorly configured WordPress content management system (CMS) component.
“We found an uploaded php backdoor in the theme directory of a word press installation, which was one day old and had no plugins running,” Lefebvre commented.
Lefebvre explained that the WordPress theme was new and was set up with incomplete file permissions. the vulnerability was not an exploit of the WordPress core application and that Linux Mint is running the latest version of WordPress, he said. The WordPress 4.4.2 update debuted at the beginning of February, patching a pair of security flaws.
After gaining access to the Linux Mint Website by way of the vulnerable WordPress theme component, the attackers were able to point the Linux Mint 17.3 Cinnamon edition download link to a malicious version of the operating system that embeds the Tsunami Trojan. Tsunami is not a new form of malware, and it’s not unique to Linux either. Back in 2011, Tsunami was able to hijack Apple Mac OS X systems in order to launch distributed denial-of-service (DDoS) attacks.
In regard to who is responsible for the attack, Linux Mint has identified that the hacked versions of its operating system were pointed to servers located in Sofia, Bulgaria.
“What we don’t know is the motivation behind this attack,” Lefebvre wrote. “If more efforts are made to attack our project and if the goal is to hurt us, we’ll get in touch with authorities and security firms to confront the people behind this.”

Source: http://www.eweek.com/security/hackers-breach-linux-mint-distribution-forums.html

HSBC Banking Customers Vent Anger After DDoS Scuppers Service

HSBC has been forced to apologize to customers after a DDoS attack disrupted key online systems, meaning many users couldn’t log-in to their internet banking portals.

A statement from the bank claimed this morning’s denial of service attack affected “personal banking websites in the UK.”

It continued:

“HSBC has successfully defended against the attack, and customer transactions were not affected. We are working hard to restore services, and normal service is now being resumed. We apologise for any inconvenience this incident may have caused.”

The outage persists for many customers as of the time of writing, with countless HSBC online banking users taking to social media to vent their anger.

The attack comes at a particularly sensitive time given there are only a couple of days left before UK taxpayers can file their returns without being charged interest on late payments.

As the last working day of the month, it’s also pay day for many people – a fact the DDoS-ers may well have had in mind when timing the attack.

A new report from security firm Imperva released yesterday showed that attacks on UK websites soared by over 20% in Q4 2015, placing the country as the second most targeted in the world behind the US.

Justin Harvey, CSO at Fidelis Cybersecurity, had advice for firms caught in the same situation as HSBC.

“Strong external network-facing access control lists (ACLs) should be instituted to keep out-of-profile traffic off services, robust monitoring should be put in place to identify these types of attacks in their early stages, and high-risk organizations should oversubscribe their network bandwidth to better absorb the brunt of inbound DDoS attacks,” he said.

“The upstream ISP should also be notified to place mitigations on their connected devices to protect networks.”

However, Lee Munson, security researcher for Comparitech, urged commentators not to blow things out of proportion.

“The bank’s systems have not been breached. No bank accounts have been raided and no personal information has been stolen,” he argued.

“The UK financial sector remains resilient to cyber-attack thanks to operations such as Wire Shark and Resilient Shield which have encouraged sharing of threat intelligence and greater communication between both British and US banks.”

The bank also said it was “working closely with law enforcement authorities to pursue the criminals responsible.”

However, Ryan O’Leary, senior director of WhiteHat Security’s Threat Research Centre argued that its time could be better spent on preventative measures, especially given that finding and prosecuting attackers can be a challenge.

“Those who can pull off a DDoS attack are extremely prevalent; if one individual or group were able to execute a DDoS attack, it is very likely many others could do the same,” he added. “The company’s issue is not the attacker, it’s the system that is susceptible to the attack. Fix the issue and your attacker problem goes away.”

Source: http://www.infosecurity-magazine.com/news/hsbc-banking-customers-anger-ddos/

How to Report a DDoS Attack

Dave Piscitello, on behalf of the ICANN Security Team

DDoS attacks are serious problems. While ICANN’s role in mitigating these threats is limited, the Security Team offers these insights to raise awareness on how to report DDoS attacks

Distributed Denial of Service attacks have increased in scale, intensity and frequency. The wide range of motives for these attacks – political (hacktivism), criminal (coercion), or social (malice) – makes every merchant or organization with an online presence a potential target. The shared nature of the Internet infrastructure – whether hosting, DNS, or bandwidth – puts many merchants or organizations at risk of becoming collateral damage, as well. If you find that your site or organization is under attack, it’s important that you report such attacks quickly to parties that are best positioned to help you mitigate, weather, and restore normal service.

I’m under attack. What should I do? Whom should I call?

Any Internet service – web, DNS, Internet voice, mail – can be the target of a DDoS attack. If your organization uses a hosting provider for a service that is attacked, first contact the hosting provider. If your organization hosts the network or Internet service that is under attack, first take measures to contain or dampen the attack. Next, call the service provider that provides Internet access for your network. Most hosting providers and ISPs post emergency contacts on their web sites and many include at least general contact numbers on bills. If you only have a general contact number, explain that you are under attack and ask the customer care agent to escalate (forward) your call to operations staff with the ability and authority to investigate.

Helping Hands

Traffic associated with a single DDoS attacks may originate from hundreds or thousands of attack sources (typically compromised PC or servers). In many cases, your hosting provider or your Internet access provider should act on your behalf (and in self-interest). They will contact “upstream” providers and the ISPs that route traffic from the DDoS attack sources to notify these operators of the nature and suspected origins of the attack. These operators will investigate and will typically revoke routes or take other measures to squelch or discard traffic close to the source.

If you cannot find contacts, or if the contacts you find are unresponsive, try contacting a Computer Incident, Emergency, or Security Incident Response Team (CERT/CIRT/CSIRT), or a Trusted Introducer (TI) team. CERT/CIRT organizations (find a national list here) or TI teams will investigate an attack, notify and share information with hosting providers or ISPs whose resources are being used to conduct the attack, and work with all affected parties to coordinate an effective mitigation.

Should I contact Law Enforcement?

Contact your national law enforcement agency if you believe that a crime is being committed; for example, you should contact law enforcement if your organization received a threat prior to the attack, or received a demand for money in return for not being attacked, or if you believe that critical infrastructure or delivery of a critical service (such as Emergency 911) is threatened.

Contact law enforcement to report a crime, not to mitigate an attack. DDoS attacks are criminal acts in many jurisdictions. By filing a report, you and other victims provide valuable information that may be relevant in any subsequent investigation or prosecution of the attackers.

Provide Good Intel

At an operational level, you, your hosting provider or ISP should gather as much information related to the attack as possible. The Operations Security Trust Forum recommends collecting the following kinds information:

  1. Provide as much time information as possible: identify the start of attack, end of attack, whether the attacks are repeated, and whether there are observable patterns or cycles to the attacks.
  2. Share any insights or suspicions you have regarding the nature of the attack. Does it appear to correlate with a geo-political event? Did you receive threatening correspondence prior to or during the attack and if so, what was the nature of the threat?
  3. Provide detailed traffic information including: type of traffic (ICMP, DNS, TCP, UDP, application), source and targeted IP addresses and port numbers, packet rate, packet size, and bandwidth consumed by the attack traffic.
  4. Describe any unique traffic or packet characteristics you observe. Is the attack targeting a particular virtual host or domain? What have you observed from application protocol headers? Have you observed any unusual patterns of flag settings in underlying protocols (TCP, UDP, ICMP, IP)?
  5. Identify any changes you observe in the attack over time (i.e., to packet sizes, rates, unique IPs seen per epoch, protocols, etc.). These may be indications that the attacker is reacting to mitigation efforts you or others have implemented.
  6. Provide your assessment of the impact; for example, explain whether you are managing the attack using mitigations and assistance, or that your services or performance is {moderately, severely} affected, or that your services have been disrupted entirely.

For protection against your eCommerce site click here.

Source: http://blog.icann.org/2013/04/how-to-report-a-ddos-attack/

The Three Elements of Defense Against Distributed Denial of Service (DDoS) Attacks

Businesses can protect their data and their networks by focusing on these core areas of their network.

Denial-of-service (DoS) or distributed denial-of-service (DDoS) attacks are the insidious enemy of many enterprises. These attacks, which attempt to disrupt legitimate use of an organization’s website or other network resources, rely on brute force to use all of a server’s or network’s available capacity, leaving none for legitimate users.

The attacks are also difficult to protect against because it’s hard to distinguish requests that are part of the attack from those of legitimate users.

IT workers have three tools at their disposal when it comes to defending against denial-of-service attacks: working with Internet service providers (ISPs) to block attacks before they reach the target network, filtering them at the network border and deploying sufficient capacity to simply absorb the attack.

ISPs: The First Line of Defense

The most effective way to protect against the impact of DoS attacks is to stop them before they even reach a company’s network. That means partnering with the contracted ISP to block the attack at the gateway. This blunts their impact by protecting even network border devices from being overwhelmed by the flood of malicious traffic. Many ISPs offer a “clean pipes” service-level agreement that commits to a guaranteed bandwidth of legitimate traffic rather than just total bandwidth of all traffic.

The availability and pricing of clean-pipes services should be one of the criteria evaluated when selecting an ISP, especially if the company is a likely target of DoS attacks. While this service is not foolproof, a significant portion of the burden of defending against these attacks is placed on upstream providers, keeping the network and security gear available to handle legitimate traffic.

If a clean-pipes service isn’t available from the ISP, several cloud providers offer subscription services that scrub traffic before it enters the network. These services function by serving as an intermediary, receiving traffic bound for the network, filtering it, and passing on only legitimate connections. Cloud-based DoS protection services are available from providers such as Imperva and VeriSign.

It is extremely important to obtain written service-level agreements from ISPs that clearly outline their permitted responses in the face of a DoS attack. This is true whether or not a clean-pipes service is purchased.

Remember, a DoS attack poses a threat not only to your organization but also to the ISP itself. Without written terms to the contrary, an ISP may be tempted to cut off service entirely in the face of an onslaught of traffic in order to protect other customers from being affected by the side effects of an attack on one company.

Border Filtering: Keep Out the Bad Connections

Businesses should also consider deploying specialized DoS protection devices to further guard their networks against attack. These devices sit at the network perimeter and process traffic before it reaches the internal network, filtering out potentially malicious activity. They may be used in conjunction with a clean-pipes ISP service or as a stand-alone solution when ISP protection is not available. Solutions in this category include the CheckPoint DDoS Protector and Radware DefensePro.

Hardware DoS protection solutions work by analyzing network traffic and signature-based detection of known attacks or by providing behavioral analysis of current traffic against profiles of “normal” behavior. Traffic that matches a known attack pattern or fails to resemble typical network traffic is either automatically blocked by the device or flagged for investigation by a security analyst.

It is important to note that DoS protection appliances placed on a business’ own network are only able to protect network segments, devices and servers that are downstream from the protection appliance. Most notably, if a DoS attack is able to completely use up all of an organization’s Internet bandwidth, the attack will be successful, because legitimate traffic will not even be able to reach the protection appliance.

For this reason, organizations should use a combination of border filtering and a clean-pipes service to present a layered defense. Organizations relying solely upon local filtering must significantly overprovision network bandwidth to ensure that the network is capable of withstanding a sustained DoS attack.

Absorbing DoS Attacks: No Fazing This Network

Absorption, the final DoS protection strategy, attempts to prevent an attacker from using all accessible resources by making available more resources than the attacker is able to consume. This involves purchasing sufficient network bandwidth and server and device capacity to absorb significant levels of traffic over and above the typical traffic profile.

While this approach is effective, it can also be quite expensive. However, it has the added benefit of providing an organization with service resilience in the face of both DoS attacks and legitimate unexpected surges in traffic. For example, an organization would be able to withstand both a targeted DoS attempt and a high-profile media appearance that quickly drives large numbers of users to a website.

Many organizations seeking to use this strategy decide not to build this “burst” capacity on their own networks, choosing instead to leverage cloud providers who specialize in rapidly scaling up to meet irregular demand patterns. When demand spikes above levels that the existing infrastructure can handle, the autoscaling service automatically provisions enough additional virtual servers to meet the demand.

Later, as the demand subsides, those services are automatically decommissioned. Amazon Web Services, Microsoft Windows Azure and Rackspace are just a few of the cloud providers that offer this service. Using this approach requires careful monitoring because the automated provisioning of servers can rapidly increase the company’s cloud provider bill in the face of extremely high demand.

There is no foolproof solution to the problem of DoS attacks. But through the balanced use of ISP-based clean-pipes services and DoS protection appliances and by provisioning excess capacity, IT professionals may create a defense-in-depth approach that mitigates the impact these attacks have on an organization’s network.

In many cases, this protection comes with the side benefit of creating a resilient service environment that is able to remain operational even in the face of legitimate demand surges.

For DDoS protection click here.

Source: http://www.biztechmagazine.com/article/2013/02/three-elements-defense-against-denial-service-attacks

4 Ways to Prepare for and Fend Off Distributed Denial of Service (DDoS) Attacks

Cyber attacks of all kinds are on the rise. It is a trend you ignore at your own peril. National Security Agency and U.S. cyber-command chief Keith Alexander said in July that Internet attacks of all sorts surged 44 percent in 2011 and are responsible for what he terms the “greatest transfer of wealth in history.”

In a world where you can rent an already-hacked botnet for about $20 to start your attack, and in a world where a criminal enterprise industry has developed to support amplifying attacks in progress, it is important to understand that these types of attacks are simply not going away. Are you ready for them? Are you considering the right points? Here are four strategies to help your organization prepare for and defend against Distributed Denial of Service (DDoS) events in the future.

1. Consider Over-Provisioning a Service in Advance

Most of us develop systems on strict budgets. There is a general resistance among financial types as well as information executives to not pay for unused capacity. This makes good sense in and of itself—why waste your dollars on capacity, either bandwidth or compute, that you are not using? Many companies scale their systems to match a predictable but legitimate peak, such as Black Friday, Cyber Monday or another annual peak load.

In a DDoS attack, however, your site or resource can experience loads many times greater than even your highest peak activity—on the order of 10 or 20 times, if not more. Mind you, I’m not suggesting you budget capacity to pay hackers to blast your network with packets. While you are specing bandwidth and compute resources, though, it makes sense to give yourself a healthy margin of error, even on top of your peak.

With the advent of cloud computing, this has become easier. In most cases, it’s simple to spin up additional resources to either meet legitimate demand or ensure access to your services in the event your primary hosting site is under attack. Internet service providers and other providers are also usually quick to offer burst capabilities with their contracts. This way, you can access an assured, ready additional amount of capacity in the event you need it while not necessarily paying full price for it during those times when your load doesn’t demand it.

2. Don’t Be Bashful About Asking for Help

Many companies and businesses specialize in assisting customers before, during and after a cyber attack&mdashand they serve all levels of clients. Akamai Technologies, Level 3 Communications and Limelight Networks, for example, all serve large customers with highly trafficked sites, but their rates begin north of $10,000 per month just for a basic level of assistance. On the other hand, startups such as CloudFlare offer to take onto themselves the load of distributing your site across multiple datacenters. They then engage in detection and mitigation services without involving your team. CEO Matthew Prince says CloudFlare datacenters see “more traffic than Amazon, Wikipedia, Zynga, Twitter, Bing and AOL combined.” If true, this certainly puts the company in the first tier of network experience and engagement.

With attacks increasing yearly and with no relief in sight, it’s important to engage a firm that meets your needs and get its assistance before an event. DDoS attacks are an expensive problem, but now a day’s defense against them is becoming simply a price of doing business on the Web. After all, consider the revenue loss if your site were to become unavailable to the Internet. Every minute your page can’t be reached, dollars destined for your company’s coffers spill away to other businesses. The protection should seem justified when you think about it that way.

3. During a DDOS Attack, Be Quick to Dump Log Files

As network capacity increases, attacks become cheaper to mount, so attackers can scale the severity of their activities quite easily. According to Alex Caro, CTO and vice president of services for Asia Pacific and Japan for Akamai, “the biggest attack that we’ve seen is around 150 Gbps, and we expect much larger attacks in the future.”

As you can imagine, at that level logging explodes—on your servers themselves, as well as on the attendant devices that care for and feed your network. Firewalls, unified threat monitoring devices, servers and other systems usually can’t keep up with logging each individual request when an actual attack is in progress. Typically these devices begin falling over under the sheer load of logging each and every request, and their failures cause chain reactions with linked devices and systems, making the attack much more severe than just a lot of traffic. (That is much of the secret to DDoS attacks in the first place: Causing enough load that other systems than the one you are initially targeting begin failing.)

These chain reactions are often difficult to predict and recover from. Consider the botched recovery job Amazon suffered with its Elastic Compute Cloud service after the power outages in the Washington, D.C. area in early 2012. While not an attack, once servers in the datacenter began recovering after utility power was restored, the large number of reboot requests created its own little denial of service and prevented many virtual instances from powering back up until the load lightened. The moral of this story: Don’t hesitate to dump your logs quickly once you know you’re under attack and they’re not giving you any more useful information.

4. Have a Good Response Plan Ready

If you experience a DDoS attack, you likely won’t have a chance to develop a response plan at the time of impact. Your services will be degraded, if not disabled completely, and your highest priority will be restoring service and stopping the attack. These actions are aided by a detailed plan of mitigation developed in advance of an event.

Blogger Lenny Zelster has created a good-looking template for an incident response plan. His DDoS Cheat Sheet includes steps such as preparing contact lists and procedures in advance, analyzing the incident as it happens and spinning up your response processes, perform mitigation steps you’ve outlined for your action team and, finally, performing a thorough post-mortem to document lessons learned and amend the response plan with that experience for future incidents.

One takeaway here: Everyone works better during a crisis when there is a predefined procedure, with checklists and next actions already clearly laid out. Don’t deprive your incident response team of this wisdom. This is something you can do today at no cost. Get a team together, talk about your response and write the plan down. Be prepared.

DDoS attacks, cyber-intrusion events and other nefarious acts are simply a fact of life in an Internet-connected world. The key responsibility you have as a CIO is to make sure you have prepared for attacks, have a plan to mitigate them when they occur and have done your best to make your company able to withstand the attacks. The prospect of facing an attack with anything less should be a scary thought that kicks you into gear.

Source: http://www.cio.com/article/726582/4_Ways_to_Prepare_for_and_Fend_Off_DDoS_Attacks?page=3&taxonomyId=3093