The Largest DDoS Attacks & What You Can Learn From Them
August 23, 2019

A DDoS (Distributed Denial of Service) is an attack that focuses on making a website or service unavailable to its legitimate users. DDoS attacks cause service interruptions, introduce large response delays, and lead to business losses of various kinds.

Denial-of-service attacks work in one of two ways: they either flood a service with more traffic than it can absorb or crash it by triggering a fault. Attackers run DDoS attacks from large numbers of compromised computers and smart devices, so it is common for them to recruit internet-accessible IoT devices. "IoT device" refers to any electronic product that connects to the internet and transmits data, such as toys, smart TVs, and monitors of any kind.

Because these devices have limited processing power and stripped-down operating systems, they often ship without the security features of a general-purpose computer. Attackers hide behind the IP addresses of compromised IoT devices, personal computers, and even servers so that the flood looks like legitimate traffic from many unrelated sources. This makes quick detection harder and makes it difficult to trace the attack back to the operator's real location and IP.

According to TechRepublic, Q1 2019 saw a 967% increase in attacks of 100Gbps or more compared with Q1 2018. The largest attack was 70% larger than the largest in the same period of 2018: 587Gbps versus 345Gbps.

The Top 4 Largest DDoS Attacks

Have you ever wondered what the top 4 largest DDoS attacks were? In this post, we will dive into what the largest DDoS attacks looked like.

Spamhaus – 2013

The Spamhaus Project is an international anti-spam organization based in London and Geneva. Founded in 1998, it compiles blocklists of spam sources that are consumed mainly by internet service providers and mail server operators to reduce the spam reaching their users.

The attack began on March 16th and shut Spamhaus down until March 23rd. In one phase the attackers hijacked Spamhaus's IP address space with a malicious BGP (Border Gateway Protocol) route announcement and stood up their own DNS server on the hijacked addresses, so that every query to the Spamhaus DNSBL (DNS-based Blackhole List) returned a positive, "listed" answer.

The flood itself was reported as a DNS reflection/amplification attack, measured at 140Gbps in some places and at more than 300Gbps in others. It hit the Spamhaus website, mail servers, and DNS infrastructure.

Carried out by a hacker-for-hire, it took many networks and several website security providers to mitigate one of the largest DDoS attacks ever recorded. Spamhaus wrote this about the attacker's arrest:

“A 17-year-old male from London has been charged with computer misuse, fraud, and money laundering offences. He was arrested in April 2013. On his arrest officers seized a number of electronic devices”.

Misconfigured open recursors (DNS resolvers that answer recursive queries from anyone on the internet) are a real threat because they typically run on large servers with fat pipes, and a small query with a spoofed source address makes them send a response many times its size to the victim. Publicly available lists of these recursors exist, and in the wrong hands such a list is a ready-made amplification arsenal.
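To make the open-recursor problem concrete, here is an added example (my own code, not from the original article or from Spamhaus/CloudFlare) that builds the kind of DNS packet reflection attacks rely on, an ANY query with EDNS0 advertising a 4096-byte buffer, parses the response header, and decides whether the responder is acting as an open recursor. The resolver reply used by the offline demo is constructed inline; `probe()` is the only function that touches the network and should only be pointed at a resolver you are authorised to test.

```python
import socket
import struct

# Added example: build a reflector-style DNS query, parse the reply header, and
# measure amplification. The sample reply is CONSTRUCTED; nothing here contacts a
# real resolver unless probe() is called explicitly.

EDNS_UDP_SIZE = 4096                     # buffer size advertised in the OPT record
QTYPE_ANY, QTYPE_TXT, QTYPE_OPT = 255, 16, 41


def encode_name(name: str) -> bytes:
    """Wire-format a domain name as length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name: str, qtype: int = QTYPE_ANY, txid: int = 0x1234,
                recursion_desired: bool = True, edns: bool = True) -> bytes:
    """One question, RD set so a recursor resolves it for us, optional OPT RR."""
    flags = 0x0100 if recursion_desired else 0x0000
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1 if edns else 0)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)      # QCLASS IN
    # OPT pseudo-RR: root name, TYPE 41, CLASS = requester's UDP payload size,
    # TTL = extended RCODE/flags (0), RDLENGTH 0.
    opt = (b"\x00" + struct.pack("!HHIH", QTYPE_OPT, EDNS_UDP_SIZE, 0, 0)) if edns else b""
    return header + question + opt


def parse_header(msg: bytes) -> dict:
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),      # message is a response
        "aa": bool(flags & 0x0400),      # authoritative answer
        "tc": bool(flags & 0x0200),      # truncated
        "rd": bool(flags & 0x0100),      # recursion desired
        "ra": bool(flags & 0x0080),      # recursion available
        "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def is_open_recursor(response: bytes) -> bool:
    """A server that returns a non-authoritative NOERROR answer with RA set to a
    recursive query from an arbitrary client is resolving on behalf of anyone."""
    h = parse_header(response)
    return h["qr"] and h["ra"] and not h["aa"] and h["rcode"] == 0 and h["ancount"] > 0


def amplification_factor(query: bytes, response: bytes) -> float:
    """Bytes the victim receives per byte the attacker had to send (spoofed)."""
    return len(response) / len(query)


def _question_end(msg: bytes, offset: int = 12) -> int:
    while msg[offset] != 0:              # walk the labels of the first question
        offset += 1 + msg[offset]
    return offset + 1 + 4                # terminator + QTYPE + QCLASS


def build_constructed_response(query: bytes, n_answers: int, txt_len: int = 200) -> bytes:
    """CONSTRUCTED stand-in for a resolver's reply: flags 0x8180 (QR, RD, RA; AA clear),
    the echoed question, and n_answers TXT records pointing back at the qname."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, n_answers, 0, 0)
    rr = (struct.pack("!HHHIH", 0xC00C, QTYPE_TXT, 1, 300, txt_len + 1)
          + bytes([txt_len]) + b"A" * txt_len)
    return header + query[12:_question_end(query)] + rr * n_answers


def probe(server: str, name: str = "example.com", timeout: float = 2.0) -> dict:
    """Send the query over UDP to a resolver you are authorised to test and report
    what it would hand an attacker. Not used by the offline demo below."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        resp, _ = s.recvfrom(EDNS_UDP_SIZE)
    return {"open_recursor": is_open_recursor(resp),
            "amplification": round(amplification_factor(q, resp), 1),
            "truncated": parse_header(resp)["tc"]}


if __name__ == "__main__":
    q = build_query("example.com")
    r = build_constructed_response(q, n_answers=18)
    print(f"query {len(q)} bytes, response {len(r)} bytes, "
          f"amplification x{amplification_factor(q, r):.1f}, "
          f"open recursor: {is_open_recursor(r)}")
```

The 40-byte query versus a ~3.9KB answer is why ANY plus EDNS0 was the reflector's favourite: the attacker pays for the small packet and the victim receives the large one. The practical fixes are on the resolver side: restrict recursion to your own client ranges, apply response rate limiting, and deploy BCP 38 source-address filtering at the network edge so spoofed queries never leave your network.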

BBC – 2015

The BBC (British Broadcasting Corporation) is a public service broadcaster based in London. Founded in 1922, it is the oldest national broadcasting organization in the world and also one of the largest, operating TV channels, radio stations and web portals for all of its subsidiaries.

On New Year's Eve 2015, a group calling itself the New World Hackers claimed responsibility for a DDoS attack against the BBC website, describing it as "a test of their abilities".

The attack was reportedly almost 600Gbps, but neither that figure nor the attackers' identity was ever confirmed by the BBC. If it did reach that scale, it was the largest attack recorded at the time; the BBC reportedly took nearly two weeks to recover fully from the incident.

The entire BBC domain went down, including its on-demand television and radio player, for about three hours of sustained attack, followed by residual issues for the rest of the morning. The New World Hackers said of it:

“The reason we really targeted the BBC is because we wanted to see our actual server power”

and followed with:

“It was only a test. Our servers are quite strong”

The BBC DDoS Attack

The attack was carried out by botnets driven by booter tools such as Lizard Stresser and BangStresser. The hacktivists said at the time that they had not intended to run the attack for as long as they did.

Dyn – 2016

Dyn is a U.S.-based internet performance management and web application security company founded in 2001 and acquired by Oracle Corporation in 2016. It offers products to optimize, control, and monitor online infrastructure.

On October 21st, Dyn suffered a series of DDoS attacks against its managed DNS infrastructure. The attack affected a large number of users in North America and Europe. It lasted roughly one day, with traffic spikes coming and going at up to 1.2Tbps, and knocked out several large, high-traffic sites that depended on Dyn for DNS, including Airbnb, Amazon.com, Fox News, HBO, The New York Times, Twitter, Visa and CNN.

The New World Hackers, Anonymous, and SpainSquad claimed responsibility, framing it as hacktivist retaliation for Ecuador cutting off the internet access of WikiLeaks founder Julian Assange at its embassy in London, where he had asylum. No one has confirmed this as the motive.

Dyn stated that, according to the risk intelligence firm Flashpoint, the traffic came from a botnet of a large number of IoT devices, including baby monitors, cameras, and residential gateways, that had been infected with the Mirai malware.

Github – 2018

Founded in 2008, GitHub is a U.S.-based subsidiary of Microsoft. It offers web-based hosting for version control using Git as the source-code management (SCM) tool.

On February 28th, a surge of traffic hit the developer platform, peaking at 1.3Tbps, the largest attack recorded up to that point. GitHub was offline for a total of five minutes, but full recovery took nearly a week.

GitHub stated that it was not underprepared:

“Over the past year we have deployed additional transit to our facilities. We’ve more than doubled our transit capacity during that time, which has allowed us to withstand certain numeric attacks without impact to users. Even still, attacks like this sometimes require the help of partners with larger transit networks to provide blocking and filtering”. – GitHub

The attack was reflected off memcached servers, a caching system used to speed up websites that rely on external databases. The attackers sent small requests, with the source address spoofed to the target's IP, to the default memcached UDP port (11211) on internet-exposed servers that required no authentication; each server then returned a far larger response to the target.
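Reflection attacks like this one (and the DNS reflection used against Spamhaus) share a detectable shape in network telemetry: a host receives replies from a reflector service it never sent requests to, from many servers at once. The following is an added example of that detection logic, written for this page rather than taken from GitHub, Akamai or any vendor; it consumes constructed flow records in a simplified text format (a real deployment would read NetFlow/IPFIX/sFlow exports) and the reflector port table is an assumption covering the commonly abused UDP services.

```python
from collections import defaultdict
from dataclasses import dataclass

# Added example: spot reflected amplification traffic in flow records.
# Sample flows are CONSTRUCTED below as "proto src:sport dst:dport bytes".

# UDP services commonly abused as reflectors, keyed by the port replies come from.
REFLECTOR_PORTS = {53: "dns", 123: "ntp", 1900: "ssdp", 11211: "memcached", 19: "chargen"}


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    nbytes: int


def parse_flows(text: str) -> list:
    flows = []
    for line in text.strip().splitlines():
        proto, src, dst, nbytes = line.split()
        sip, sport = src.rsplit(":", 1)
        dip, dport = dst.rsplit(":", 1)
        flows.append(Flow(proto, sip, int(sport), dip, int(dport), int(nbytes)))
    return flows


def detect_reflection(flows, min_reflectors: int = 3, min_ratio: float = 50.0) -> list:
    """Flag hosts receiving reflector-service replies from many servers while having
    sent almost nothing to those services themselves. Replies without matching
    requests are the signature of a spoofed-source attack: the victim never asked."""
    inbound = defaultdict(lambda: defaultdict(lambda: {"reflectors": set(), "bytes": 0}))
    requested = defaultdict(lambda: defaultdict(int))
    for f in flows:
        if f.proto != "udp":
            continue
        if f.sport in REFLECTOR_PORTS:                  # reply from a reflector service
            svc = REFLECTOR_PORTS[f.sport]
            inbound[f.dst][svc]["reflectors"].add(f.src)
            inbound[f.dst][svc]["bytes"] += f.nbytes
        elif f.dport in REFLECTOR_PORTS:                # genuine request to such a service
            requested[f.src][REFLECTOR_PORTS[f.dport]] += f.nbytes
    alerts = []
    for victim, services in inbound.items():
        for svc, agg in services.items():
            asked = requested[victim][svc]
            ratio = agg["bytes"] / max(asked, 1)        # reply bytes per request byte
            if len(agg["reflectors"]) >= min_reflectors and ratio >= min_ratio:
                alerts.append({"victim": victim, "service": svc,
                               "reflectors": len(agg["reflectors"]),
                               "bytes": agg["bytes"], "ratio": round(ratio, 1)})
    return sorted(alerts, key=lambda a: -a["bytes"])


# CONSTRUCTED sample: one host doing normal DNS lookups, one host hit by memcached
# reflection from five servers it never contacted, and two stray DNS replies that
# stay under the reflector threshold.
SAMPLE_FLOWS = """
udp 10.0.0.5:40001 192.0.2.53:53 64
udp 192.0.2.53:53 10.0.0.5:40001 180
udp 10.0.0.5:40002 192.0.2.53:53 64
udp 192.0.2.53:53 10.0.0.5:40002 210
udp 198.51.100.11:11211 203.0.113.10:80 1400000
udp 198.51.100.12:11211 203.0.113.10:80 1400000
udp 198.51.100.13:11211 203.0.113.10:80 1400000
udp 198.51.100.14:11211 203.0.113.10:80 1400000
udp 198.51.100.15:11211 203.0.113.10:80 1400000
udp 198.51.100.20:53 203.0.113.10:80 3000
udp 198.51.100.21:53 203.0.113.10:80 3000
tcp 10.0.0.7:51000 203.0.113.10:443 900
"""

if __name__ == "__main__":
    for alert in detect_reflection(parse_flows(SAMPLE_FLOWS)):
        print(alert)
```

Two notes on using this. First, the same rule catches DNS, NTP and SSDP reflection; only the port table changes. Second, if you run memcached yourself, the fix for being used as a reflector is to stop listening on UDP (`-U 0`) and bind to internal addresses only; versions from 1.5.6 onward disable UDP by default.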

Responsibility for this attack has never been established.

How to Prevent and Respond to a DDoS Attack

Whether a site is small or large, everyone should prepare to face a DDoS attack. Putting a website firewall in front of your site is a good way to be ready for the worst case. The Sucuri Web Application Firewall (WAF) filters all incoming traffic and stops DDoS traffic before it reaches your origin, which improves performance as well as security.

Preparation is key, but it also helps to have a response plan:

  • Avoid single points of failure: spread your servers across multiple data centers behind a good load-balancing system.
  • Have a secondary DNS provider: attackers may try to take your DNS servers down.
  • Consider managed website security: a professional on your side can help you work through an attack with minimal impact.
  • Don't just buy more bandwidth: don't feed the troll; use a professional WAF.
  • Rate-limit your vulnerable or resource-hungry endpoints to the level of traffic your website actually expects.
  • Move as many components as possible off your web servers. Instead of a built-in search system, for example, consider a professional search service integrated into your website.

Source: https://securityboulevard.com/2019/08/the-largest-ddos-attacks-what-you-can-learn-from-them/

Which cyber security trends should organisations adopt in 2019?
July 29, 2019

With cyber crime rising sharply, organisations in 2019 have to pay extra attention to trends such as attacks on cloud infrastructure, vulnerable Internet of Things networks, and phishing.

A recent report on cyber crime estimated that hackers could have made as much as 45 billion from their illicit activities in 2018. The staggering number is yet another wake-up call for organisations worldwide to take their cyber security measures seriously and organise them around three main trends of 2019.

These are the cyber security trends that are must-know for any organisation this year.

Increased attacks on clouds

The rise of cloud computing as a go-to network infrastructure solution among an increasing number of businesses is barely news, but organisations using the cloud still pay insufficient attention to the safety of their data.

“As a cloud provider, we are aware of the rising number in DDoS attacks globally, as well as other attempts to breach the security of the cloud,” commented Vincentas Grinius, CEO of Heficed, a cloud, dedicated server and IP address provider. “Per usual, the more access points are available within a platform or data stored on the cloud, the higher the risk. If using third-party solutions, enterprises need to pay extra attention to securing their data. When it comes to the cloud providers, their customers need to make sure that their provider is putting the effort in properly segmenting their servers, so that an attack on one customer wouldn’t compromise the whole platform.”

Vulnerability of IoT Networks

Another IT sector on a steady rise is the Internet of Things (IoT), which is forecast to double by 2021 and reach 520 billion. Naturally, growth of this magnitude is leading to a growing number of cyber security incidents caused by an increasing number of poorly secured IoT devices. It is not only the devices themselves that can fall victim to malicious activity; the networks the devices are connected to are increasingly at risk too.

“From a network infrastructure point of view, every connected device might be a potential threat,” added Grinius. “Phones, smartwatches, even smart home appliances, among other devices, might be used as access points and compromise whole networks. If the users do not update their devices regularly and take other precautions, they could be responsible, even without knowing, for enabling potentially damaging network-wide cyber security threats.”

Dangers of Phishing

Widely discussed phishing attacks remain one of the most widespread threats to data safety in 2019. Verizon's data breach report estimates that 32% of all data breaches in 2018 involved some sort of phishing. What makes phishing particularly challenging is that it is not only a matter of technical controls on the system side; a large part of phishing's success is down to human error.

“To successfully tackle phishing, companies will have to invest in tools that monitor employees’ email traffic more closely, in making sure the systems used are always updated, and in cybersecurity training plans that would make employees aware of the threats and how to behave when confronted by them. A training plan like this could include a phishing simulator and constantly updating the employees on new phishing methods,” finished Grinius.

With cyber crime being such a lucrative niche for criminals worldwide, these trends are just a few of the many that might jeopardise enterprises. Regardless of how the cyberthreats will evolve in the future, businesses will need to invest additional resources in protecting their data.

Source: https://www.openaccessgovernment.org/cyber-security-trends/70219/

DDoS-for-Hire Sites Bounce Back
July 26, 2019

Despite a recent crackdown by the Federal Bureau of Investigation (FBI), there has been a more than 400% increase in the volume of attacks launched via DDoS-for-hire sites in the last quarter. That's according to a new report from Nexusguard, a provider of a cloud service for combating distributed denial of service (DDoS) attacks.

The “Nexusguard Q1 2019 Threat Report” also notes that DDoS attacks smaller than 1Gbps are becoming more automated and targeted at specific organizations. For example, 17% of all the DDoS attacks launched in Brazil in the last quarter were aimed at one specific banking institution, the report finds.

Donny Chong, product director for enterprise cybersecurity at Nexusguard, said the DDoS-for-hire sites that were taken down last year are now being replaced. The number of DDoS-for-hire websites tracked by Nexusguard has doubled year over year.

The Nexusguard report also finds that this latest generation of DDoS-for-hire operators is more adept at compromising mobile devices to launch their attacks. Botnets employed by these sites have launched attacks lasting more than 40,000 minutes at a time, or more than 27 days, the report finds. In addition to mobile devices, DDoS-for-hire sites are starting to leverage billions of poorly protected internet-of-things (IoT) devices, Chong said.

Chong noted the latest iteration of DDoS-for-hire websites appears to be trying to fly under the radar of law enforcement. Rather than launching massive attacks, cybercriminals are employing the threat of a DDoS attack to extort payments from organizations both large and small.

At a time when organizations depend heavily on websites to generate revenue, DDoS attacks can have a much bigger financial impact than they once did.

In general, DNS-related attacks come in a variety of forms, including:

  • Domain hijacking, in which the attacker takes control of the domain at the registrar (for example through a compromised registrar account) and changes its nameserver or DNS records so that traffic is redirected from the original servers to destinations the attacker controls.
  • DNS hijacking (also known as DNS redirection), in which malware alters a device's TCP/IP configuration so that it points at an attacker-controlled DNS server, which then redirects traffic to a fake website.
  • DNS flooding, a distributed denial-of-service (DDoS) attack that overloads a DNS server to the point where it can no longer process legitimate requests.
  • Distributed reflection denial-of-service (DRDoS) attacks, in which the attacker sends DNS queries with the source address spoofed to the victim's address, so that many DNS servers send their (much larger) replies to the victim until it is flooded.
  • DNS tunneling, which encodes data from other programs or protocols inside DNS queries and responses in order to exfiltrate data or smuggle command-and-control traffic past controls that allow DNS through.
  • Random subdomain attacks, in which compromised systems send large numbers of queries for random, non-existent subdomains of a valid domain, exhausting the resolvers and the domain's authoritative servers.
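The last two attack types in that list leave characteristic traces in a resolver's query log, so here is an added example (my own code, not from the Nexusguard report) of two detections over such a log: a random-subdomain flood shows up as many distinct NXDOMAIN names under one domain, and tunneling shows up as long, high-entropy leftmost labels with a heavy share of TXT/NULL/CNAME lookups. The log format, the thresholds and the "last two labels" notion of a registrable domain are assumptions made for the example; the sample log is constructed inline.

```python
import math
import random
from collections import defaultdict

# Added example: random-subdomain flood and tunneling detection over a query log.
# The log is CONSTRUCTED below in a simplified "ts client qname qtype rcode" format.


def shannon_entropy(s: str) -> float:
    """Bits per character; encoded payloads score far above ordinary hostnames."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_query_log(text: str) -> list:
    records = []
    for line in text.strip().splitlines():
        ts, client, qname, qtype, rcode = line.split()
        records.append({"ts": float(ts), "client": client,
                        "qname": qname.rstrip(".").lower(), "qtype": qtype, "rcode": rcode})
    return records


def base_domain(qname: str) -> str:
    # Assumption for the example: the registrable domain is the last two labels.
    # Production code should use the Public Suffix List (co.uk and friends).
    parts = qname.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else qname


def detect_random_subdomain(records, min_unique_nxdomain: int = 20) -> dict:
    """Many distinct names under one domain that all fail to resolve: the cache
    never helps, so every query hits the authoritative server."""
    nx = defaultdict(set)
    for r in records:
        if r["rcode"] == "NXDOMAIN":
            nx[base_domain(r["qname"])].add(r["qname"])
    return {d: len(names) for d, names in nx.items() if len(names) >= min_unique_nxdomain}


def detect_tunneling(records, min_queries: int = 10, min_label_len: int = 30,
                     min_entropy: float = 3.5) -> dict:
    """Upstream data rides in long, high-entropy leftmost labels; downstream data
    rides in TXT/NULL/CNAME answers. Per-domain averages expose both."""
    per_domain = defaultdict(list)
    for r in records:
        per_domain[base_domain(r["qname"])].append((r["qname"].split(".")[0], r["qtype"]))
    findings = {}
    for d, items in per_domain.items():
        if len(items) < min_queries:
            continue
        avg_len = sum(len(label) for label, _ in items) / len(items)
        avg_ent = sum(shannon_entropy(label) for label, _ in items) / len(items)
        bulk_share = sum(1 for _, t in items if t in ("TXT", "NULL", "CNAME")) / len(items)
        if avg_len >= min_label_len and avg_ent >= min_entropy:
            findings[d] = {"queries": len(items), "avg_label_len": round(avg_len, 1),
                           "avg_entropy": round(avg_ent, 2),
                           "bulk_record_share": round(bulk_share, 2)}
    return findings


def build_sample_log() -> str:
    """CONSTRUCTED log: a little normal browsing, a 30-query NXDOMAIN flood against
    example.com, and 12 tunnel-style TXT queries under t.example.net."""
    rng = random.Random(7)
    b32 = "abcdefghijklmnopqrstuvwxyz234567"
    lines, ts = [], 1000.0
    for host in ("www.example.org", "mail.example.org", "cdn.example.org",
                 "www.example.org", "api.example.org"):
        ts += 1
        lines.append(f"{ts} 10.0.0.5 {host} A NOERROR")
    for i in range(30):                  # index prefix guarantees unique labels
        ts += 0.01
        label = f"{i:02d}" + "".join(rng.choice("abcdefghijklmnopqrstuvwxyz") for _ in range(6))
        lines.append(f"{ts} 10.0.0.{40 + i % 5} {label}.example.com A NXDOMAIN")
    for _ in range(12):
        ts += 0.5
        label = "".join(rng.choice(b32) for _ in range(40))
        lines.append(f"{ts} 10.0.0.9 {label}.t.example.net TXT NOERROR")
    return "\n".join(lines)


if __name__ == "__main__":
    recs = parse_query_log(build_sample_log())
    print("random-subdomain floods:", detect_random_subdomain(recs))
    print("tunneling candidates:", detect_tunneling(recs))
```

Tune the thresholds against your own traffic before alerting: CDNs and some anti-spam services legitimately use long hashed labels, so a tunneling alert should be correlated with query volume per client and with whether the domain was ever seen before.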

While there may be no way to terminate every DDoS attack, the good news is organizations at the very least are getting more adept at mitigating them.

Source: https://securityboulevard.com/2019/07/ddos-for-hire-sites-bounce-back/

Mirai-Like Botnet Wages Massive Application-Layer DDoS Attack
July 25, 2019

An IoT botnet made up mainly of home routers hit a service provider with nearly 300,000 requests per second in a 13-day deluge.

A collection of more than 400,000 connected devices, mainly home routers, levelled a powerful application-layer attack at an online entertainment-service provider for 13 days.

The attack used requests crafted to look like valid traffic to the targeted application, with the aim of exhausting bandwidth and server resources, and peaked at 292,000 requests per second, according to a report released on July 24 by security firm Imperva, which blocked the attack.

This kind of distributed denial of service (DDoS) attack, known as an application-layer or layer-7 attack, came from devices compromised by the attackers and likely aimed to take down the company's service, says Vitaly Simonovich, a security researcher at Imperva.
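The numbers in this incident illustrate why per-client rate limiting alone does not stop a layer-7 flood: 292,000 requests per second spread across 400,000 devices is well under one request per second per source, which is a normal browsing rate. The following added example (written for this page, not Imperva's code) shows the difference between a per-client limit and an aggregate check on a constructed access log: the per-client limit never fires, while a rule that compares request rate, distinct-client count and request uniformity against a baseline window does. The log format, the baseline window and the thresholds are assumptions for the example.

```python
import random
from collections import Counter

# Added example: tell a distributed layer-7 flood from a legitimate spike using
# aggregate statistics. The access log is CONSTRUCTED as tab-separated
# "client<TAB>ts<TAB>path<TAB>user-agent" lines.


def parse_access_log(text: str) -> list:
    records = []
    for line in text.strip().splitlines():
        client, ts, path, ua = line.split("\t")
        records.append({"client": client, "ts": float(ts), "path": path, "ua": ua})
    return records


def window_stats(records, start: float, length: float = 10.0) -> dict:
    """Aggregate view of one window: total rate, distinct clients, the busiest
    single client, and how uniform the requests are (same path + user agent)."""
    rs = [r for r in records if start <= r["ts"] < start + length]
    if not rs:
        return {"rps": 0.0, "unique_clients": 0, "top_client_rps": 0.0, "top_signature_share": 0.0}
    per_client = Counter(r["client"] for r in rs)
    signatures = Counter((r["path"], r["ua"]) for r in rs)
    return {
        "rps": len(rs) / length,
        "unique_clients": len(per_client),
        "top_client_rps": max(per_client.values()) / length,
        "top_signature_share": signatures.most_common(1)[0][1] / len(rs),
    }


def classify(stats: dict, baseline: dict, per_client_limit: float = 10.0,
             rps_multiplier: float = 10.0, client_multiplier: float = 10.0,
             uniform_share: float = 0.8) -> dict:
    """A per-client limit fires only when one source is loud. A botnet where each
    device sends about one request per second never trips it, so also test the
    aggregate: rate and client count far above baseline, and most requests sharing
    one path/user-agent signature."""
    per_client_hit = stats["top_client_rps"] > per_client_limit
    distributed = (stats["rps"] > baseline["rps"] * rps_multiplier
                   and stats["unique_clients"] > baseline["unique_clients"] * client_multiplier
                   and stats["top_signature_share"] >= uniform_share)
    return {"per_client_limit_triggered": per_client_hit, "distributed_flood": distributed}


def build_sample_log() -> str:
    """CONSTRUCTED: 30 real users browsing in two windows (t=0 and t=100); in the
    second window 400 bots each send exactly one request per second to one endpoint."""
    rng = random.Random(3)
    paths = ["/", "/watch/1", "/watch/2", "/search?q=news", "/account"]
    uas = ["Mozilla/5.0 (Windows NT 10.0)", "Mozilla/5.0 (Macintosh)", "Mozilla/5.0 (Android 9)"]
    lines = []
    for start in (0.0, 100.0):
        for i in range(1, 31):
            for _ in range(2):
                lines.append(f"198.51.100.{i}\t{start + rng.uniform(0, 9.9):.3f}"
                             f"\t{rng.choice(paths)}\t{rng.choice(uas)}")
    for i in range(400):
        bot = f"100.64.{i // 256}.{i % 256}"
        for k in range(10):
            lines.append(f"{bot}\t{100 + k}.000\t/watch/1?stream=hd\tMozilla/5.0 (Windows NT 10.0)")
    return "\n".join(lines)


if __name__ == "__main__":
    recs = parse_access_log(build_sample_log())
    baseline = window_stats(recs, 0.0)
    attack = window_stats(recs, 100.0)
    print("baseline:", baseline)
    print("attack:  ", attack)
    print("verdict: ", classify(attack, baseline))
```

In the attack window the busiest client sends 1 request/s, far below any sane per-client cap, yet the aggregate is roughly 68 times the baseline rate from 14 times as many clients, 98% of them asking for the same URL with the same user agent. That signature (one path, one UA, many low-rate sources) is what a WAF or CDN uses to write a temporary blocking rule, and it is also the level at which cloud autoscaling starts to cost you money rather than protect you.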

“This is not the first time this customer got attacked,” he says. “In the past, we witnessed this customer get attacked via network-layer DDoS attacks and also attackers have tried to steal their service, or use it without paying them.”

Distributed denial-of-service attacks are now considered the cost of doing business online, and companies need to plan for the attacks. In a survey released on July 24, data-center services firm US Signal found that 83% of organizations had suffered a DDoS attack in the past two years, and the average downtime caused by such an attack was 12 hours. The survey also found that 81% of organizations had their web application targeted in a cyberattack.

“The number of respondents that have experienced DDoS and application attacks is jarring, demonstrating that there is always room for improvement in keeping up with modern cyberthreats,” Trevor Bidle, vice president of information security and compliance officer at US Signal, said in a statement.

Yet network packet floods continue to set new records for volume and sustained traffic.

The attack on Imperva’s client is not the largest, but represents one of the most significant application-layer attacks. Volumetric attacks, which try to overload a target’s network bandwidth and infrastructure with a massive deluge of data, have exceeded 500 million packets per second, according to Imperva. For comparison, the DDoS attack against GitHub in 2018 exceeded 1.35 terabits per second, or about 130 million packets per second, the company said.

In 2016, the original Mirai malware, along with several variants, were used to conduct massive DDoS attacks against a variety of targets. More than one attack peaked at more than 600 gigabits per second and the attack against infrastructure provider Dyn in October 2016 exceeded 1 terabit per second.

Volumetric and application attacks are different and target different parts of a company's online infrastructure. Web infrastructure can typically handle tens or hundreds of gigabits of legitimate traffic, but a typical web server handles perhaps 25,000 requests per second, says Imperva's Simonovich.

“Today, customers that use cloud services can scale up in no time,” he says. “This means that when the number of requests is growing, the cloud platform can spawn more servers to handle the load. It also means that the customer will pay more to the cloud provider.”

Imperva traced much of the traffic in the latest attack to compromised home routers in Brazil. The company does not believe the attack came from the original Mirai botnet, but because the Mirai source code was released some time ago, underground developers have modified it to incorporate a variety of attacks, and this botnet behaves like one of those variants.

Because of the large number of Internet-of-things devices — tens of billions of network-connected devices by most accounts — and the lack of security concerns of most manufacturers and consumers, the population of vulnerable devices will only likely continue to grow, Imperva said.

“Botnets of IoT devices will only get larger,” the company said. “We live in a connected world, so the number of IoT devices continues to grow fast and vendors still do not consider security a top priority.”

Source: https://www.darkreading.com/attacks-breaches/mirai-like-botnet-wages-massive-application-layer-ddos-attack/d/d-id/1335331

How The New York Times Handled Unprecedented Election-Night Traffic Spike
April 19, 2017

When he woke up the morning of October 21, 2016, Nick Rockwell did the same thing he had done first thing every morning since The New York Times hired him as CTO: he opened The Times’ app on his phone. Nothing loaded.

The app was down along with BBC, CNN, Fox News, The Guardian, and a long list of other web services, taken out by what was then the largest DDoS attack in the history of the internet. An army of infected IP cameras, DVRs, modems, and other connected devices, the Mirai botnet, had flooded the servers of the managed DNS provider Dyn in 17 data centers, halting a huge number of internet services that depended on Dyn to tell their users' computers how to find them online.

The outage had started only about five minutes before Rockwell saw the blank screen on his phone. His team kicked off the standard process in place for such outages, failing over to the Times' internal DNS, hosted in two of its four US data centers. The mobile app and the main site were back online about 45 minutes after they had gone down.

While going through the fairly routine recovery process, however, something was really worrying Rockwell: he didn't know whether the attack was directed at many targets or at the Times specifically. If it was the latter, the effect could be catastrophic, because the Times' internal DNS wouldn't hold against a major DDoS for more than five seconds. "It would've been incredibly easy to DDoS our infrastructure," he said in a phone interview with Data Center Knowledge.

His team had been a few months deep into fixing the vulnerability, but they weren’t finished. “We were OK [in the end], but we were vulnerable during that time.” The process to fix it started as they were preparing for the 2016 presidential election. Election night is the biggest event for every major news outlet, and Rockwell was determined to avoid the 2012 election night fiasco, when the site went down, unable to handle the spike in traffic.

One of the steps the team decided to take in preparation for November 2016 was to fully integrate a CDN (Content Delivery Network). CDN services, such as Akamai, CloudFlare, or the CDN offerings of cloud providers Amazon, Microsoft, and Google, store their clients' most popular content in data centers close to where many of their end users are located (so-called edge data centers), from where "last-mile" internet service providers deliver that content to its final destinations. A CDN essentially becomes a highly distributed extension of your network, adding compute, storage, and bandwidth capacity in many metros around the world.

That a CDN had not been integrated into the organization’s infrastructure came as a big surprise to Rockwell, who joined in 2015, after 10 months as CTO at another big publisher, Condé Nast. While at Condé Nast, he switched the publisher from a major CDN provider to a lesser-known CDN by a company called Fastly. He has since become an unapologetically big fan of the San Francisco-based startup, which now also delivers content to The New York Times users around the world.

Being highly distributed by design puts CDNs in good position to help their customers handle big traffic spikes, be it legitimate traffic generated by a big news event or a malicious DDoS attack. (Rockwell said he did wonder, as the Dyn attack was unfolding, whether it was a rehearsal for election night.)

Fastly ensured that on the night Donald Trump beat Hillary Clinton, the Times rolled without incident through a traffic spike of unprecedented size for the publisher: an 8,371 percent increase in the number of people visiting the site simultaneously, according to the CTO. The CDN has also mostly absorbed the much higher levels of day-to-day traffic The Times has seen since the election as it covers the Trump administration.

The six-year-old startup, which this year crossed the $100 million annualized revenue run-rate threshold, designed its platform to give users a detailed picture of the way their traffic flows through its CDN and lots of control. Artur Bergman, Fastly’s founder and CEO, said the platform enables a user to treat the edge of their network the same way they treat their own data centers or cloud infrastructure.

In your own data center you have full control of your tools for improving your network’s security and performance (things like firewalls and load balancers), Bergman explained in an interview with Data Center Knowledge. While you maintain that level of control in the public cloud, you don’t necessarily have it at the edge, he said. Traditionally, CDNs have offered customers little visibility into their infrastructure, so even differentiating between a legitimate traffic spike and a DDoS attack has been hard to do quickly. Fastly gives users log access in real-time so they can see exactly what is happening to their edge nodes and make critical decisions quickly.

The startup today unveiled an edge cloud platform, designed to enable developers to deploy code in edge data centers instantly, without having to worry about scaling their edge infrastructure as their applications grow. It also announced a collaboration with Google Cloud Platform, pairing its platform with the giant’s enterprise cloud infrastructure services around the world.

GCP is one of two cloud providers The New York Times is using. The other one is Amazon Web Services. Today, the publisher’s infrastructure consists of three leased data centers in Newark, Boston, and Seattle, and one facility it owns and operates on its own, located in the New York Times building in Times Square, Rockwell said. The company uses a virtual private cloud by AWS and some of its public cloud services in addition to running some applications in the Google Cloud.

This setup will not stay for long, however. Rockwell's team is working to shut down the three leased data centers, moving most of its workloads onto GCP and AWS, with Fastly managing content delivery at the edge. Google's cloud is also going to play a much bigger role than it does today. The plan is to run apps that depend on Oracle databases in AWS, while everything else, save for a few exceptions (primarily packaged enterprise IT apps), will run in application containers on GCP, orchestrated by Kubernetes.

As he works to sort out what he in a conference presentation referred to as the “jumbled mess” that is The Times’ current infrastructure, Rockwell no longer worries about DDoS attacks. Luckily for his team, there was no major DDoS attack on The Times between the day he came on board and the day Fastly started delivering the publisher’s content to its readers. Whether there was one after Fastly was implemented is irrelevant to him. “It’s no longer something I have to think about.”

Source: http://www.thewhir.com/web-hosting-news/how-the-new-york-times-handled-unprecedented-election-night-traffic-spike