DDoS DDoS Attacks
Report: popular online gambling sites taken out by DDoS attacks
April 14, 2015

Poker News and several other publications that focus on the ins and outs of online poker/gambling are reporting that two popular online gambling services were taken offline this weekend. Betfair and PokerStars were both offline over the weekend, according to the reports, and are still suffering from connectivity issues today.

Betfair confirmed on Monday via Twitter that its service was under attack:

“We’re currently experiencing a DDOS attack on our site. We’re working to fix this as quickly as possible,” the official Twitter account informed one user.

PokerStars did not publicly confirm or deny that it was under attack. In fact, Poker News claims that “players have been reporting major lag (low response when clicking buttons etc) and connectivity problems when attempting to play at PokerStars since April 9.”

On April 12, PokerStars’ Belgian Twitter account noted only that it was having connectivity issues. Those issues seem to be gone as of this writing, but they plagued the service for most of the weekend, according to Poker News.

Source: http://www.gamepolitics.com/2015/04/14/report-popular-online-gambling-sites-taken-out-ddos-attacks#.VS03-Fz4tFI

DDoS DDoS Attacks DDoS Defense
Anonymous brings down 30 Chinese government websites to support Hong Kong protesters
April 13, 2015

Hacker collective Anonymous has hacked 30 Chinese local government websites to protest the arrest of five hacktivists in October 2014, who are accused of sending additional traffic to a Hong Kong government website during the pro-democracy protests.

The Hong Kong protests started in September 2014, bringing the city to a standstill, and although the former British colony is now back on its feet, protests against rule being imposed by the central government in mainland China remain.

Anonymous claims that it launched “Operation China” – a campaign of Distributed Denial of Service (DDoS) attacks against Chinese government websites – on 10 April in response to the recent arrest of Hong Kong hacktivists over their alleged involvement in cyberattacks against Chinese websites during the protests.

“Some hacktivists have been arrested and persecuted by the Chinese Government. Five activists have been arrested accused of causing congestion in [sic] Chinese sites, and this kind of protest is one of the most peaceful imaginable,” Anonymous wrote on Pastebin.

“Pro groups China attacked the protesters, firing at them. Demonstrators were beaten and sexually harassed, but no one helped, the streets were stained with blood. The police remained inert and ignored these aggressions, and started arresting people who were being attacked. This makes us believe that the attackers were, well, paid the government or pro-China parliamentarians.”

As of 9am BST on 13 April, the 30 websites Anonymous claims to have attacked are still offline. The hacked domains include the local government websites for many cities in China, including Huazhou and Fengshun County in Guangdong, Wulian County in Shandong and Cili County in Hunan.

A sub-domain for the Hunan news website belonging to China’s state-owned telecoms company China Telecom is also down.

The hackers also brought down the Hunan Police Academy website over the weekend, but it is now up and running again.

The Chinese government maintains strict laws where any kind of dissent, both online and offline, is concerned.

On 2 April, three Chinese citizens were arrested in Guangdong province on suspicion of “incitement to subvert state power”, for posting tweets featuring satirical and pro-democracy content, as well as critical comments about President Xi Jinping to social media, including Tencent’s QQ instant messaging software.

Source: http://www.ibtimes.co.uk/anonymous-brings-down-30-chinese-government-websites-support-hong-kong-protesters-1496069

DDoS DDoS Attack Specialist DDoS Attacks DDoS Defense DDoS Protection Specialist
The best way to stop DDoS attacks
April 7, 2015

Experiencing a distributed denial-of-service (DDoS) attack is like having your home flood. Without warning, attackers can upend your enterprise. Every moment counts, but unfortunately by the time some DDoS solutions identify and report the attack, the damage is already done. You need a faster, more immediate means of threat detection to prevent severe damage.

When a DDoS attack hits your network, a long time can pass before the security/network staff fully realizes it is actually a DDoS attack that is affecting the services, and not a failing server or application. Even more time may pass before the actual mitigation of the threat starts to take effect.

Volumetric attacks, though devastating, take a while before users and internal service monitoring systems notice their effects. Application layer attacks are much harder to detect, as they tend to fly under the detection radar because of their low-volume profile.

When mitigation starts too late, the damage may already be done: the firewall state table may be overwhelmed, causing reboots, or worse, it locks up, making the DDoS attack effective from the attacker’s perspective. The service is no longer available to legitimate users.

Deployment Methods and Detection

A variety of methods allow security teams to gain insight into what’s going on in a network. One of the more popular approaches is flow sampling, as virtually all routers support some form of flow technology such as NetFlow, IPFIX, or sFlow. In this process, the router samples packets and exports a datagram containing information about each sampled packet. This is commonly available technology, scales well, and is quite adequate for indicating trends in network traffic.

For in-depth security analysis purposes, however, relying on samples is a serious concession: you miss a large amount of information, as you only receive one packet out of a thousand, or worse. A flow analytics device has to evaluate the behavior of a traffic stream over a longer time period to be sure something is wrong and to avoid false positives.

Common DDoS protection deployments use a flow analytics device, which reacts to the discovered incident by redirecting the victim’s traffic to a mitigation device and telling it what action to take. This method scales well for gathering traffic to be analyzed, and the reactive model only redirects potentially bad traffic, which allows for some bandwidth oversubscription. But this is risky business as the mean time to mitigate can run into minutes.

For the most insightful detection and fastest mitigation, you can’t beat in-path deployment of a high-performance DDoS mitigation device that is able to detect and mitigate immediately. In-path deployment allows for continuous processing of all incoming traffic (asymmetric) and possibly also the outgoing traffic (symmetric). This means the mitigation device can take immediate action, providing sub-second mitigation times. Care should be taken that the mitigation solution is able to scale with the uplink capacity, and that its real-world performance holds up during multi-vector attacks.

As an alternative to in-path detection and sampling, mirrored data packets provide the full detail for analysis, while not necessarily in the path of traffic. This allows for fast detection of anomalies in traffic, which may have entered from other entry points in the network. While setting up a scalable mirroring solution in a large network can be a challenge, it can also be an excellent method for a centralized analysis and mitigation center.
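The trade-off described in this section (flow sampling scales well but lengthens time-to-detect, while in-path or mirrored full-packet visibility allows an alert within the same second) can be made concrete with a small simulation. The code below is an added example, not code from the Network World article or any vendor; the traffic is synthetic, and the baseline rate, flood rate, 1-in-1000 sampling ratio, 60-second flow export interval and the two-observation confirmation rule are all assumptions chosen for illustration. The same threshold detector is fed once with every packet and once with sampled, periodically exported flow data, and the time at which each raises its first alert is compared.

```python
"""Time-to-detect for one packet-rate threshold detector fed by
(a) every packet, as an in-path or port-mirror deployment sees them, and
(b) 1-in-N sampled flow records that are only exported at a fixed interval.
Added example with synthetic traffic; all parameters below are assumptions,
not figures from the article."""
import random

BASELINE_PPS = 20_000   # assumed normal packet rate
ATTACK_PPS = 400_000    # assumed flood rate
ATTACK_START = 90       # second at which the flood begins
DURATION = 300          # seconds simulated
WARMUP = 60             # seconds of observations used to learn the baseline
SAMPLE_N = 1000         # 1-in-1000 packet sampling
EXPORT_INTERVAL = 60    # seconds between flow exports (active timeout)
THRESHOLD = 3.0         # alert when rate exceeds THRESHOLD x baseline
CONFIRM = 2             # consecutive over-threshold exports the sampled
                        # detector needs, to suppress sampling-noise alerts


def per_second_counts(seed=7):
    """Synthetic per-second packet counts with +/-10% jitter."""
    rng = random.Random(seed)
    return [int((ATTACK_PPS if t >= ATTACK_START else BASELINE_PPS)
                * rng.uniform(0.9, 1.1)) for t in range(DURATION)]


def sampled_estimates(counts, n, seed=11):
    """Emulate 1-in-n sampling: the sampled count for a second is drawn with a
    normal approximation to Binomial(count, 1/n) and scaled back up by n,
    which is how a collector estimates the true rate from samples."""
    rng = random.Random(seed)
    estimates = []
    for c in counts:
        mean = c / n
        kept = max(0, round(rng.gauss(mean, mean ** 0.5)))
        estimates.append(kept * n)
    return estimates


def export_buckets(estimates, interval):
    """Aggregate per-second estimates into flow-export buckets. Returns
    (export_time, mean_pps) pairs; a bucket is only visible once it closes."""
    buckets = []
    for start in range(0, len(estimates), interval):
        chunk = estimates[start:start + interval]
        buckets.append((start + len(chunk), sum(chunk) / len(chunk)))
    return buckets


def first_alert(observations, threshold, confirm):
    """observations: (time, pps) pairs in arrival order. The baseline is the
    mean of everything received during WARMUP; alert after `confirm`
    consecutive observations above threshold x baseline. Returns the alert
    time in seconds, or None."""
    warm = [pps for t, pps in observations if t <= WARMUP]
    baseline = sum(warm) / len(warm)
    streak = 0
    for t, pps in observations:
        if t <= WARMUP:
            continue
        streak = streak + 1 if pps > threshold * baseline else 0
        if streak >= confirm:
            return t
    return None


def compare():
    counts = per_second_counts()
    # Full visibility: each second's count is available as that second ends.
    full = [(t + 1, c) for t, c in enumerate(counts)]
    sampled = export_buckets(sampled_estimates(counts, SAMPLE_N), EXPORT_INTERVAL)
    full_alert = first_alert(full, THRESHOLD, 1)
    sampled_alert = first_alert(sampled, THRESHOLD, CONFIRM)
    delay = lambda alert: None if alert is None else alert - ATTACK_START
    return {
        "full_visibility_alert_s": full_alert,
        "full_visibility_delay_s": delay(full_alert),
        "sampled_alert_s": sampled_alert,
        "sampled_delay_s": delay(sampled_alert),
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value}")
```

With these assumptions the full-visibility detector alerts one second after the flood starts, while the sampled detector cannot alert until the second export bucket that contains attack traffic closes, 90 seconds after the flood began, which is the "minutes, not seconds" time-to-mitigate the article warns about. Shortening the export interval or dropping the confirmation rule shortens the delay at the cost of more sampling-noise false positives, which is exactly the trade-off a flow-based deployment has to tune.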

Watch your performance metrics

Bandwidth is an important metric for most people. When shopping for a home Internet connection, people most often compare the bandwidth figure. While it is important, as with many things, the devil is in the details. Networking devices ultimately process network packets, which vary in size. Small packets consume little bandwidth, while large packets consume much more. The real limit of a networking node is the number of packets it can process per second. By sending many small packets at a high rate, an attacker can stress the infrastructure quite quickly – especially traditional security infrastructure such as firewalls or Intrusion Detection Systems. Because of their stateful security approach, these systems are also more vulnerable to stateless, high-rate assaults such as many flooding attacks.

Verizon’s 2014 Data Breach Investigations Report notes that the mean packet-per-second (pps) attack rate is on the rise, increasing 4.5 times compared to 2013. If we carefully extrapolate these numbers, we can expect 37 Mpps in 2014 and 175 Mpps in 2015. These are mean values that show the trend, but we have seen many higher pps rates. While the mean value demonstrates the trend, to properly prepare your network you should focus on worst-case values.
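The worst case the passage above points at is a link saturated with minimum-size packets, because that is the highest packet rate the link can physically deliver to a device. The Python below is an added example, not code from the article; it applies standard Ethernet framing arithmetic (a 64-byte minimum frame plus 8 bytes of preamble/SFD and a 12-byte inter-frame gap occupies 84 bytes of link time) to compute line-rate pps for a link, and checks an appliance's pps rating against it. The appliance ratings used in the usage call are constructed placeholders, not vendor figures.

```python
"""Worst-case packets-per-second for a link, used to sanity-check a
mitigation appliance's pps rating against the uplink it protects.
Added example; the framing constants are standard Ethernet values, the
appliance ratings passed in are constructed placeholders."""

PREAMBLE_SFD = 8   # bytes on the wire before every frame
IFG = 12           # inter-frame gap, bytes
MIN_FRAME = 64     # smallest legal Ethernet frame, including the FCS


def max_pps(link_bps, frame_bytes=MIN_FRAME):
    """Maximum frames per second a link can carry at one frame size.
    The smallest frame gives the highest rate, which is the worst case
    for any device whose limit is per-packet work rather than bytes."""
    bits_per_frame = (frame_bytes + PREAMBLE_SFD + IFG) * 8
    return link_bps / bits_per_frame


def headroom(link_bps, device_pps, frame_bytes=MIN_FRAME):
    """Ratio of a device's rated pps to the link's line-rate pps.
    Below 1.0 a small-packet flood at line rate exceeds the rating."""
    return device_pps / max_pps(link_bps, frame_bytes)


def report(link_bps, device_pps, sizes=(64, 128, 512, 1518)):
    """(frame_size, line_rate_pps, device_keeps_up) for each frame size."""
    return [(size, max_pps(link_bps, size), device_pps >= max_pps(link_bps, size))
            for size in sizes]


if __name__ == "__main__":
    link = 10_000_000_000        # 10 Gbit/s uplink
    rating = 5_000_000           # hypothetical datasheet rating: 5 Mpps
    print(f"headroom at 64-byte frames: {headroom(link, rating):.2f}")
    for size, pps, ok in report(link, rating):
        print(f"{size:5d}-byte frames: {pps / 1e6:7.2f} Mpps  keeps up: {ok}")
```

The table this prints makes the article's point visible: a 10 Gbit/s link carries about 14.88 Mpps of 64-byte frames but only about 0.81 Mpps of 1518-byte frames, so a device rated at 5 Mpps survives a bandwidth-filling large-packet flood and fails a small-packet flood on the same link. For scale, a single 100 Gbit/s link tops out near 148.8 Mpps at minimum frame size, so the 175 Mpps figure extrapolated above necessarily arrives spread over several links.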

Assure your Scalability

As DDoS attacks, and especially volumetric attacks, enter the network with extreme packet-per-second rates, you need a mitigation solution with adequate packet processing power.

Scaling the analytics infrastructure is also an important consideration. Flow technology scales rather well, but at a massive cost: it compromises granularity and time-to-mitigate.

If your vendor provides performance numbers that match your network size, be aware that the real-world performance may be lower. The current trend is that attacks use multiple attack vectors; multiple attack methods are launched simultaneously. Datasheet performance figures provide a good indicator to match the product to your needs, but it is advisable to test your prospective mitigation solution and validate it through a series of tests to see how it holds up against a set of attack scenarios in your environment.

The multi-vector attack trend illustrates the importance of validating performance. Running a basic attack such as a SYN flood puts a base stress level onto the CPUs – unless, of course, the attack is mitigated in hardware. Making the system simultaneously fight a more complex application-layer attack such as an HTTP GET flood attack could push a system over its limit.

Periodic validation of your network’s security performance is critical to ensure that your security solutions will hold up during various simultaneous attacks, and to ensure that your network investments are up to the task in a growing, secured network.

Network flooding does indeed have a lot in common with a home flood. The sooner you know it is happening, the sooner you can take action. Just make sure your sandbags are up to the task!

Source: http://www.networkworld.com/article/2905115/network-security/the-best-way-to-stop-ddos-attacks.html

DDoS DDoS Attack Specialist DDoS Attacks DDoS Defense DDoS Protection Specialist
DDoS losses potentially £100k an hour, survey shows
March 31, 2015

Distributed denial-of-service (DDoS) attacks could expose 40% of businesses to losses of £100,000 or more an hour at peak times, a survey by communications and analysis firm Neustar has revealed.

Some 12% estimated potential losses due to outages at peak times would be greater than £600,000 an hour, and 11% admitted they did not know what their losses would be.

The poll of 250 IT professionals in Europe, the Middle East and Africa also showed that half of respondents believe DDoS attacks are a bigger risk than a year ago.

Only 18% said they believed the risk was lower, yet 59% of them still admitted they are investing more in DDoS protection compared with 2014.

Apart from direct financial losses, the biggest risk identified by more than a quarter of companies is the damage to company reputation and a loss of customer trust.

“For 26% of companies, brand damage and loss of customer trust is a top concern,” said Neustar product marketing director Margee Abrams.

“Companies are beginning to understand that the impact of DDoS attacks is across the organisation, also impacting areas like customer services and regulatory compliance,” she told Computer Weekly.

Underlining the business threat of DDoS attacks, 30% of respondents said their companies had been hit multiple times, with the number of companies being hit only once down 30% compared with 2014.

The financial sector reported the highest level of multiple attacks, with 79% reporting six or more DDoS attacks a year, compared with the cross-industry average of 20%.

Respondents said attacks were lasting longer, with 30% of attacks lasting between one and two days.

They also said DDoS attacks are often accompanied by theft, with 52% of DDoS victims also reporting theft of customer data, intellectual property (IP) or money, representing a 24% increase from 2014.

The survey revealed that 84% of companies still use up to 10 employees to mitigate DDoS attacks, which the report notes is exploited by attackers to distract companies.

“Smokescreen” DDoS attacks

In “smokescreen” DDoS attacks, the real objective is theft, the report said. In 30% of DDoS attacks, malware was either installed or activated, in 18% customer data was stolen, in 12% IP was stolen, and in 12% money was stolen.

The survey showed that 56% of retailers hit by DDoS attacks were also hit by malware installation or activation compared with the cross-industry average of 30%, and 76% of retailers hit by DDoS attacks were also robbed of data or funds compared with the cross-industry average of 52%.

The report notes that managed mitigation services help to free up IT security staff to focus on other activities that may be taking place during a DDoS attack.

“However, the effect of DDoS attacks is so much wider than information security,” said Abrams. “Companies also need to review how DDoS attacks could affect their overall online performance and customer experience.”

As a result of increased recognition of the threat of DDoS attacks, many organisations are taking stronger action, with 35% investing in hybrid DDoS protection that combines on-premise hardware with cloud-based mitigation services.

The biggest investment in hybrid systems is being made by financial sector organisations which are a prime target of DDoS attacks, with 40% investing in hybrid protection and 80% choosing a hybrid approach to block attacks at peak times.

Hybrid approaches seek to combine the instant blocking capabilities of on-premise hardware devices with cloud-based “traffic scrubbing” to deal with high-volume attacks.

According to the report, hybrid systems are able to detect and respond to attacks nearly twice as fast as other systems while providing the bandwidth to deal with larger attacks.

The report showed that 56% of attacks average around 5Gbps, while some organisations have recorded attacks in the past year of up to 300Gbps.

Smaller attacks still cause damage to businesses

However, companies targeted by smaller attacks still reported damage to brand trust, loss of customer data, loss of IP, and loss of revenue.

More than a third of organisations are using stand-alone, cloud-based DDoS mitigation services, up 11% compared with 2014, and 36% are using DDoS mitigation appliances, also up 11% on 2014.

Overall, 70% of respondents said they are spending more on DDoS protection, although 40% feel their investment should be even greater.

Although 28% said they were investing less in DDoS protection, only 6% said they did not see DDoS defence as a priority.

Only 8% continue to rely on content distribution networks as a form of DDoS protection, and only 2% report no DDoS protection at all.

However, most companies (61%) still use internet service provider-based firewalls to combat DDoS attacks. But firewalls are not sufficient as they often cause bottlenecks and accelerate outages during attacks, the report said.

Some 28% of respondents said they still use web application firewalls, switches and routers as a defence against DDoS attacks.

However, with cyber criminal services available to enable anyone to take down a website using DDoS attacks for just $6 a month, it is clear that increasing mitigation capacity alone is not enough, according to Neustar senior vice-president and fellow Rodney Joffe.

“We have to become more strategic. The online community needs to develop industry-based mitigation technologies that incorporate mechanisms to distribute attack source information to internet service providers so they can stop attacks closer to the source,” he said.

Joffe believes there is also a need to improve visibility and understanding of activities in the criminal underground, so that their command and control structures can be disabled quickly.

“Finally, it is important to improve attribution and the ability of law enforcement to identify perpetrators and bring them to justice. While these improvements will not happen overnight and will not solve everything, they will make a significant and positive difference,” he said.

Source: http://www.computerweekly.com/news/4500243431/DDoS-losses-potentially-100k-an-hour-survey-shows

DDoS DDoS Attacks
GitHub recovering from massive DDoS attacks
March 30, 2015

The attacks were aimed at two GitHub-hosted projects fighting Chinese censorship

Software development platform GitHub said Sunday it was still experiencing intermittent outages from the largest cyberattack in its history but had halted most of the attack traffic.

Starting on Thursday, GitHub was hit by distributed denial-of-service (DDoS) attacks that sent large volumes of Web traffic to the site, particularly toward two Chinese anti-censorship projects hosted there.

Over the next few days, the attackers changed their DDoS tactics as GitHub defended the site, but as of Sunday, it appears the site was mostly working.

A GitHub service called Gists, which lets people post bits of code, was still affected, it said. On Twitter, GitHub said it continued to adapt its defenses.

The attacks appeared to focus specifically on two projects hosted on GitHub, according to a blogger who goes by the nickname of Anthr@X on a Chinese- and English-language computer security forum.

One project mirrors the content of The New York Times for Chinese users, and the other is run by Greatfire.org, a group that monitors websites censored by the Chinese government and develops ways for Chinese users to access banned services.

China exerts strict control over Internet access through its “Great Firewall,” a sophisticated ring of networking equipment and filtering software. The country blocks thousands of websites, including ones such as Facebook and Twitter and media outlets such as The Wall Street Journal, The New York Times and Bloomberg.

Anthr@X wrote that advertising and tracking code used by many Chinese websites appeared to have been modified in order to attack the GitHub pages of the two software projects.

The tracking code was written by Baidu, but it did not appear the search engine — the largest in China — had anything to do with it. Instead, Anthr@X wrote that some device on the border of China’s inner network was hijacking HTTP connections to websites within the country.

The Baidu tracking code had been replaced with malicious JavaScript that would load the two GitHub pages every two seconds. In essence, it means the attackers had roped in regular Internet users into their attacks without them knowing.

“In other words, even people outside China are being weaponized to target things the Chinese government does not like, for example, freedom of speech,” Anthr@X wrote.

GitHub has not laid blame for the attacks, writing on Saturday that “based on reports we’ve received, we believe the intent of this attack is to convince us to remove a specific class of content.”

The attackers used a wide variety of methods and tactics, including new techniques “that use the web browsers of unsuspecting, uninvolved people to flood github.com with high levels of traffic,” GitHub said.

In late December, China cut off all access to Google’s Gmail service, after blocking Facebook’s Instagram app, and the phone messaging app Line. A month prior, it appeared many non-political sites supported by the U.S. content delivery network EdgeCast Network were blocked. EdgeCast may have been a casualty because its cloud services are often used to host mirror sites for ones that have been banned.

Source: http://www.computerworld.com/article/2903318/github-recovering-from-massive-ddos-attacks.html