Skip to content

The Evolution of DDoS: Risk Mitigation for Retailers

2014 October 15
Comments Off
by admin

By Martin Brown, Chief Security Futures Architect, BT Global Services
For retailers, e-commerce has not only become a convenient way for customers to research items, browse new inventory and ultimately purchase goods, but it has also turned into a large revenue generator. According to Forrester, e-commerce sales are expected to rise from $231 billion to $262 billion in the U.S. this year, a 13 percent increase. This robust growth has been attributed to more consumers using their smartphones and tablets to complete transactions.

Eventually, revenue from e-commerce is expected to surpass that of brick-and-mortar locations, so it is crucial that retailers are investing in online platforms early, as well as ensuring that their IT systems can combat any issues they might encounter.

Figuring out which issues to take seriously can be an issue in the ever-changing landscape of digital technology. The Target credit card breach or eBay website hack can make retailers want to quiver in fear, but the threats and seriousness of these issues are not something to be discounted. An issue with a mobile application or website could paralyze a business and can quickly cost a retailer thousands or even millions of dollars. One of the known threats to retailers that could ultimately cause a significant disruption to e-commerce retailers is a DoS or DDoS attack.

What is a Dos / DDoS attack?
At a fundamental level a denial-of-service attack (DoS attack) or distributed denial-of-service attack (DDoS attack) is an attempt to make a machine or network resource unavailable to its intended users.

Although the means to carry out, motives for, and targets of a DDos or DoS attack may vary, it generally consists of the efforts of one or more people to temporarily or indefinitely interrupt or suspend connectivity to the Internet.

Perpetrators of these attacks typically target sites or services hosted on high-profile web servers, such as banks, retail or card payment gateways. The term is generally used in reference to computer networks but is not limited to this field.

While firewalls and IPS/IDS (intrusion prevention and detection) services can offer a certain amount of protection if configured appropriately, once the internet pipe between the ISP (Internet Service Provider) and customer is overloaded the net effect is that the DoS/DDoS is successful as not only is the target of the attack affected but any other services routed down the same link are also impacted.

How big is the problem?
DDoS has become the weapon of choice for many cyber attackers but also serves as a useful distraction to divert scarce security engineering resources from other backdoor attacks undertaken concurrently with the DDoS.
The largest recorded attack in 2014 so far, as reported by Arbor Networks, was 325 Gigabits/second (Gbps) directed at a user in France.

In February 2014 BT, working together with Arbor, its technology partner, successfully mitigated an attack of 54 Gbps against a large UK retail organization. This attack, had it been successful, could have affected daily online business of around $8 million and seriously impacted brand reputation.  Fortunately this customer already was  a subscriber to the BT DDoS mitigation service and normal service was restored within 10 minutes of the attack starting.



BPS = bits per second,   PPS = packets per second

Source:  Arbor Networks

As can be seen from the table above the scale of DDoS attacks is continuing to grow and that trend is predicted to continue over the next five years.

When the target of a DDoS attack is a revenue-generating website, the result is twofold. First, the company may need to manage brand damage and customer dissatisfaction, which have a less defined cost associated with them. Second is a more recognizable loss of revenue driven either by online customer activity being significantly reduced or lost due to being unable to interact with the website for orders or changes.

How can technology help?
There are several companies in the marketplace working to help retailers and other businesses combat DDoS/DoS attacks. For example, some services provide an automated system which, when specific triggers are met, prevents downstream links to customer sites being saturated with traffic therefore not only the target has been protected but the other services using the connection are also protected.

Services that provide mitigation at the core of the network can combat high volume attacks more efficiently and effectively. Perimeter mitigations effectively protect the infrastructure from malicious traffic targeted at networks or hosts, which can result in significant volumes of malicious traffic being discarded before it can be of any harm.

Some service providers that own their own network typically are able to surgically reroute traffic right down to the individual IP address and pass it through a DDoS mitigation or scrubbing center before dropping the cleansed traffic into the target’s local network. This means that the right traffic can get through to the customer’s network such as order placements, while the malicious traffic is discarded.

How can retailers mitigate risk?
The threat of DoS and DDoS attacks is real and not slowing down anytime soon. The potential to be affected by these types of attacks is a very present and harsh reality for businesses everywhere. The key to mitigating this risk is preparation – knowing who your allies are in your time of need. This is especially true for retailers. Attacks happen quickly and the results can be catastrophic.

With the continued growth and importance of e-commerce, retailers need to be taking appropriate precautions to ensure that their customers, bottom lines and reputations do not suffer in the event of an attack.

Martin Brown is the chief security futures architect for BT Global Services. Using his 20 years of security industry experience, he is responsible for the strategic determination, definition and down-streaming of new and innovative security products and services for BT, as well as managing relationships with BT security partners. 


Researcher makes the case for DDOS attacks

2014 October 11
Comments Off
by admin

When you start with the premise that capitalism is illegitimate it’s easy to dismiss other people’s property rights.

To some people, a political mission matters more than anything, including your rights. Such people (the Bolsheviks come to mind) have caused a great deal of damage and suffering throughout history, especially in the last 100 years or so. Now they’re taking their mission online. You better not get in their way.

Molly Sauter, a doctoral student at McGill University and a research affiliate at the Berkman Center at Harvard (“exploring cyberspace, sharing its study & pioneering its development”), has a paper calling the use of DDOS (distributed denial of service) attacks a legitimate form of activism and protest. This can’t go unchallenged.

Sauter notes the severe penalties for DDOS attacks under “…Title 18, Section 1030 (a)(5) of the US Code, otherwise known as the CFAA” (Computer Fraud and Abuse Act). This section is short enough that I may as well quote it here verbatim:

(5)(A) [Whoever] knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;
(B) intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage; or
(C) intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage and loss.

There are other problems with the CFAA with respect to some legitimate security research and whether it technically falls afoul of the act, but that’s not the issue here.

Sauter goes on in some detail with the penalties under Federal law for violating this act and, no argument here, they are extreme and excessive. You can easily end up with many years in prison. This is, in fact, a problem generally true of Federal law, the number of crimes under which has grown insanely in the last 30 or so years, with the penalties growing proportionately. For an informed and intelligent rant on the problem I recommend Three Felonies a Day by Harvey Silverglate. Back to hacktivist DDOS attacks.

She cites cases of DDOS attacks committed against Koch Industries, Paypal, the Church of Scientology and Lufthansa Airlines, some of these by the hacktivists who call themselves Anonymous. In the US cases of the attacks against Koch, Paypal and the Church, the attackers received prison time and large fines and restitution payments. In the Lufthansa case, in a German court, the attacker was sentenced to pay a fine or serve 90 days in jail; that sentence was overturned on appeal. The court ruled that “…the online demonstration did not constitute a show of force but was intended to influence public opinion.”

This is the sort of progressive opinion, dismissive of property rights, that Sauter regrets is not happening here in the US. She notes, and this makes sense to me, that the draconian penalties in the CFAA induce guilty pleas from defendants, preventing the opportunity for a Lufthansa-like precedent.

This is part and parcel of the same outrageous growth of Federal criminal law I mentioned earlier; you’ll find the same incentive to plead guilty, even if you’re just flat-out innocent, all over the US Code. I would join Sauter in calling for some sanity in the sentencing in the CFAA, but I part ways with her argument that political motives are a mitigating, even excusing factor.

Sauter’s logic rises from a foundation of anti-capitalism:

…it would appear that the online space is being or has already been abdicated to a capitalist-commercial governance structure, which happily merges the interests of corporate capitalism with those of the post-9/11 security state while eliding democratic values of political participation and protest, all in the name of ‘stability.’

Once you determine that capitalism is illegitimate, respect for other people’s property rights is no longer a problem. Fortunately, the law protects people against the likes of Anonymous and other anti-capitalist heroes of the far left.

I would not have known or cared about Sauter’s article had it not been for a favorable link to it by Bruce Schneier. Schneier is a Fellow at the Berkman Center.

Progressives and other leftists who think DDOS, i.e. impeding the business of a person or entity with whom you disagree in order to make a political point, should consider the shoe on the other foot. If I disagree with Schneier’s positions is it cool for me to crash his web site or those of other organizations with which he is affiliated, such as the Berkman Center, the New America Foundation’s Open Technology Institute, the Electronic Frontier Foundation, the Electronic Privacy Information Center and BT (formerly British Telecom)? I could apply the same principle to anti-abortion protesters impeding access to a clinic. I’m disappointed with Schneier for implying with his link that it’s legitimate to engage in DDOS attacks for political purposes.

It’s worth repeating that Sauter has a point about the CFAA, particularly with respect to the sentences. It does need to be reformed — along with a large chunk of other Federal law. The point of these laws is supposed to be to protect people against the offenses of others, not to protect the offender.


Anonymous threatens China, Hong Kong authorities with website blackout

2014 October 10
Comments Off
by admin

(Reuters) – Anonymous, the nebulous online activist group that uses hacking to further causes it supports, has threatened a major blackout of Chinese and Hong Kong government websites, and to leak tens of thousands of government email address details.

The group, under the banner of ‘Operation Hong Kong’ or ‘#OpHongKong’ and ‘#OpHK’ on Twitter, said on Friday it will launch a mass effort against Chinese government servers to bring down their websites via Distributed Denial of Service (DDoS) attacks on Saturday.

DDoS attacks attempt to cripple networks by overwhelming them with Internet traffic.

“Here’s your heads up, prepare for us, try to stop it, the only success you will have will be taking all your sites offline,” an Anonymous statement posted online said. “China, you cannot stop us. You should have expected us before abusing your power against the citizens of Hong Kong.”

Demonstrations in Hong Kong have seen the use of tear gas, violent clashes and mass disruptions to business and traffic as people campaign for the right to democratically elect the Asian financial hub’s leader.

Hong Kong’s refusal so far to negotiate with protesters, and a police reaction that many labelled as heavy-handed, has sparked widespread condemnation that has now spread to Anonymous, which often campaigns for civil liberties by attacking people or institutions it sees as opponents of those rights.

“If this is true, it will show that the Chinese government is a victim of internet hacking,” said Foreign Ministry spokesman Hong Lei at a daily news briefing. “China has consistently stressed our opposition to all internet hacking attack activities. We rebuke the acts of this organisation.”

The Chinese government’s Hong Kong Liaison Office also said its website had been attacked twice on Wednesday and Thursday, blocking visitors to the site for a time.

“This kind of internet attack violates the law and social morals, and we have already reported it to the police,” it said, adding that the website was running normally again.

Among the websites Anonymous said it would target are those of China’s Ministry of Public Security, the Ministry of Defence, Ministry of Justice and Hong Kong police.

“Prepping for massive DDoS attacks, Database dumps, etc… Will be destroying #China Government,” wrote one Anonymous participant on Twitter.

China’s Defence Ministry, in a statement sent to Reuters, said its website was subject to numerous hacking attacks every day from both home and overseas.

“We have taken necessary steps to protect the safe operation of the Defence Ministry website,” it added.

The State Internet Information Office, China’s internet regulator, declined to comment. The Ministry of Public Security declined to immediately comment by telephone. The Hong Kong Police Force was not available for immediate comment.

The Ministry of Justice said it was not aware of the threat from Anonymous, and that its website wasn’t its responsibility to maintain.

The Legal Network Media Beijing Company, which maintains the Ministry of Justice site, said it had not had official notice about any attack, nor had it detected any attacks on the website so far.

“If there are future hacking attacks, we have confidence they can be resolved,” said a technician at the company who gave his surname as Zhong.

(Reporting by Paul Carsten; Additional reporting by Ben Blanchard and Beijing Newsroom; Editing by Jason Subler)


DDoS attacks: slow and smart is the order of the day

2014 October 10
Comments Off
by admin

Whilst the trend for distributed denial of service (DDoS) attacks has been towards larger and larger (aka volumetric) attacks in recent years, a new report just published claims to show that slow-and-low, with smart, short IP bursts, is now a lot more commonplace.

For its third annual set of research, Neustar interviewed IT professionals from around 450 companies, concluding that business are now seeing a more unstable and complex landscape.

Over the last year, says the report, DDoS attacks have evolved in terms of their strategy and tactics, with IT professionals seeing increased media reports of ‘smokescreening’ – where criminals use DDoS attacks to distract IT staff while inserting malware to breach bank accounts and customer data.

More than half of attacked companies reported theft of funds, data or intellectual property. Such cyber-attacks are intense but shorter-lived, more surgical than sustained strikes whose goal is extended downtime.

More than 47 percent of respondents said they viewed DDoS attacks as a greater threat than in 2012, whilst another 44 percent believe the problem is just as serious. In 2013, DDoS continued to cripple websites, shut down operations and cost millions of dollars in downtime, customer service and brand damage.

According to Rodney Joffe, Neustar’s senior technologist, when there’s a tremendous storm, most people run around the house making sure all the windows are closed and you have a flashlight ready.

“You’re not worried about anything else. DDoS attacks are similar. They create an all-hands-on-deck mentality, which is understandable but sometimes dangerous,” he said, adding that with DDoS attacks, the stakes are high, as if you are a criminal, why mess around with extortion when you can just go ahead and steal-and on a much greater scale?

Neustar’s analysis also shows a trend towards shorter DDoS attacks, but also more attacks from 1Gbps to 5Gbps – that is, quicker, more concentrated strikes.

“While it’s too soon to say for sure, this could stem from a highly damaging tactic, DDoS smokescreening,” says the report, adding that smokescreening is used to distract IT staff whilst the criminals grab and clone private data to siphon off funds, intellectual property and more.

One solution, concludes the report, is for organisations to install dedicated DDoS protection, as scrambling to find a solution in the midst of an emergency only adds to the chaos-and any intended diversion.

According to Sarb Sembhi, a director of Storm Guidance, the report tracks some interesting trends.

“If you look at large companies suffering attacks, it is clear that the DDoS methodologies being used are getting very sophisticated,” he said, adding that a key aspect is that they are often relatively slow – but smart – in nature.
“With larger companies it is clear that the cyber-criminals are doing their research. They are clearly also testing their technology with smaller companies, and then using those companies’ IT systems as their own assets to launch other attacks,” he said.

Sembhi went on to say that his observations also suggest that larger companies are now starting to install layers of protection – as the report recommends – to remediate against a DDoS attack when it takes place.


Destiny, Call Of Duty: Ghosts Taken Offline By Hackers

2014 September 21
Comments Off
by admin

The hacking group known as the Lizard Squad has apparently been up to their old shenanigans, bombarding and sending denial of service attacks to Destiny and Call of Duty: Ghosts servers.

The attacks have been reported by VG 24/7, where the Lizard Squad – allegedly the same group responsible for the hack attacks occurring in August that took PSN, Xbox Live and offline – tweeted out responsibility for the attacks.

Additionally, there’s a thread over on Reddit in the Destiny sub-Reddit that explains how a lot of people were booted mid-game once the DDoS attacks took place. Many others have claimed that they can’t even log into the game anymore. Others have stated that the PS4 version of Destiny is working somewhat fine for them – so it may be that only some users were affected by the outage.

Additionally, The Escapist forums were also hit during the same time. However, no group has claimed responsibility for the attacks. At the moment the forums have been taken offline, as you can see below.

Co-founder of the Escapist Alexander Macris posted the following messages in regards to the DDoS attacks.

VG 24/7 makes it known that they’re unsure if the attacks are related, or if conveniently enough The Escapist’s forums just happened to go down around the same time as Destiny and Call of Duty: Ghosts.

There have been no ample reasons given for the attacks targeting Destiny, but if it was to gain attention and notoriety then Lizard Squad definitely achieved that goal. What makes this worse is that Destiny is an MMO, so you’ll have to bide your time until the servers become more stable to get back into the action.

No estimated time has been given for the return-date of The Escapist forum. Many gamers had been using it as a central meeting ground to discuss some important issues taking place within gaming at the moment given the widespread censorship happening across the web.

It’s highly unlikely that the Lizard Squad would want to damage The Escapist, but it’s hard to tell what their motivations are. Originally many thought they had been caught after the FBI were alerted about the bomb threats during the PSN and DDoS attacks. However, these latest attacks seem to show that the hacking group are still up to their old tricks and are still attempting to disrupt the ecosystem of video games.