
Tuesday, June 4, 2019

A10 adds Zero-day Automated Protection to DDoS Defense

A10 Networks is bolstering its Thunder Threat Protection System (TPS) family of Distributed Denial of Service (DDoS) defense solutions with Zero-day Automated Protection (ZAP) capabilities.

A10's ZAP capabilities are designed to automatically recognize the characteristics of DDoS attacks and apply mitigation filters without advanced configuration or manual intervention.

A10 Networks’ ZAP consists of two components: dynamic attack pattern recognition by a machine learning algorithm, and heuristic behavior analysis that dynamically identifies anomalous behavior and blocks attacking agents. ZAP works in conjunction with A10 Networks’ adaptive DDoS security model and its five-level adaptive policy mitigation engines to provide a complete defense-in-depth system. This comprehensive approach blocks DDoS attacks while protecting legitimate users from the indiscriminate collateral damage typically associated with traditional DDoS protection methods.

The ZAP policies can be enforced by a combination of hardware and software. Thunder SPE (Security and Policy Engine) appliances can serve up to 100,000 ZAP policies at line rate and the remaining ZAP policies can be served by software. This provides superior mitigation performance over the traditional software-only solution, enabling superior response time and scalability.

“In today’s climate with the dramatic increase in polymorphic multi-vector attacks and the chronic shortage of qualified security professionals, enterprises and service providers need intelligently automated defenses that can accomplish tasks autonomously,” said Lee Chen, CEO of A10 Networks. “Manual interventions are not only resource-intensive but too slow and ineffective, resulting in a greater potential of network downtime and high cost to the organization.”

Separately, A10 published a study, conducted by the Ponemon Institute, that highlights the critical need for DDoS protection offering higher levels of scalability, intelligence integration, and automation. Some 325 IT and security professionals at ISPs, mobile carriers and cloud service providers participated in the survey.

85 percent of survey respondents expect DDoS attacks to either increase (54 percent) or remain at the same high levels (31 percent). Most service providers do not rate themselves highly in either prevention or detection of attacks. Just 34 percent grade themselves as effective or highly effective in prevention; 39 percent grade themselves as effective or highly effective in detection.

The DDoS intelligence gap was highlighted by a number of survey findings:

  • Lack of actionable intelligence was cited as the number-one barrier to preventing DDoS attacks, followed by insufficient personnel and expertise, and inadequate technologies. 
  • Out-of-date intelligence, which is too stale to be actionable, was cited as the leading intelligence problem, followed by inaccurate information, and a lack of integration between intelligence sources and security measures. 
  • Solutions that provide actionable intelligence were seen as the most effective way to defend against attacks. 
  • The most important features in DDoS protection solutions were identified as scalability, integration of DDoS protection with cyber intelligence, and the ability to integrate analytics and automation to improve visibility and precision in intelligence gathering. 
  • Communications service providers who rated their DDoS defense capabilities highly were more likely to have sound intelligence into global botnets and weapon locations. 

“Communications service providers are right, both in their expectations for increased attacks and about their need for better intelligence to prevent them,” said Gunter Reiss, vice president, marketing at A10 Networks. “The continuing proliferation of connected devices and the coming 5G networks will only increase the potential size and ferocity of botnets aimed at service providers. To better prepare, providers will need deeper insights into the identities of these attack networks and where the weapons are located. They also need actionable intelligence that integrates with their security systems and the capacity to automate their response.”

https://www.a10networks.com

Monday, January 22, 2018

A10 debuts hybrid DDoS protection - on-prem + cloud overflow scrubbing

A10 Networks has launched a new hybrid DDoS protection solution for enterprises that combines its Thunder 1040 TPS appliance with cloud capabilities powered by Verisign.

By integrating the new A10 DDoS Protection Cloud, powered by Verisign, with its Thunder 1040 TPS appliance, A10 said it is able to deliver full-spectrum enterprise protection to detect and mitigate distributed denial of service (DDoS) attacks.

The on-prem Thunder TPS appliance employs machine learning, traffic profiling and intelligent policy escalation to provide frontline defenses against all manner of DDoS attacks, including network-based, application-layer, and low-and-slow attacks. If a volumetric DDoS attack is detected that exceeds the organization's bandwidth, the appliance alerts A10 so that traffic can be diverted to the Verisign cloud-based DDoS Protection service for scrubbing before delivery. Enterprises pay only for legitimate traffic, not for the volume of attack traffic directed at their network.

“A10 now provides a single advanced solution for on-premise and cloud scrubbing enterprise DDoS defenses, backed by our DDoS SIRT team,” said Raj Jalan, CTO, A10 Networks. “The surgical precision and hybrid, full spectrum approach of the A10 DDoS solution ensures enterprises are resilient to advanced DDoS attacks in the most effective and economical manner possible.”

“DDoS attacks are unpredictable and increasing in complexity. Eighty-eight percent of DDoS attacks mitigated by Verisign in Q3 2017 employed multiple attack types,” said Michael Kaczmarek, VP of Product and Marketing, Verisign Security Services. “Many enterprises need smart, scalable hybrid DDoS defenses to efficiently tailor mitigation strategies to combat the changes in the DDoS landscape like those offered by the A10 DDoS Protection Cloud and A10 Thunder TPS.”

Tuesday, January 24, 2017

Arbor: Weaponization of IoT Devices Drives Attack Size Higher by 60%

The threat landscape has been transformed by the emergence of Internet of Things (IoT) botnets, with attackers now able to weaponize inherent security vulnerabilities in certain IoT devices, according to Arbor Networks' 12th Annual Worldwide Infrastructure Security Report (WISR).  Arbor Networks is the security division of NETSCOUT.

“The survey respondents have grown accustomed to a constantly evolving threat environment with steady increases in attack size and complexity over the past decade,” said Darren Anstee, Arbor Networks Chief Security Technologist. “However, IoT botnets are a game changer because of the numbers involved. There are billions of these devices deployed, and they are being easily weaponized to launch massive attacks. Increasing concern over the threat environment is reflected in the survey results, which show significant improvements in the deployment of best practice technologies and response processes.”

Some highlights:

  • The largest distributed denial-of-service (DDoS) attack reported this year was 800 Gbps, a 60% increase over 2015’s largest attack of 500 Gbps. 
  • Since Arbor began the WISR in 2005, DDoS attack size has grown 7,900%, for a compound annual growth rate (CAGR) of 44%.
  • In the past five years alone, DDoS attack size has grown 1,233%, for a CAGR of 68%.
  • 53% of service providers indicated they are seeing more than 21 attacks per month – up from 44% last year.
  • 21% of data-center respondents saw more than 50 attacks per month, versus only 8% last year.
  • 45% of enterprise, government and education respondents experienced more than 10 attacks per month – a 17% year over year increase.
  • 67% of service providers and 40% of Enterprise, Government and Education (EGE) reported seeing multi-vector attacks on their networks.
  • 61% of data center operators reported attacks totally saturating data center bandwidth.
  • 25% of data center and cloud providers saw the cost of a major DDoS attack rise above $100,000, and 5% cited costs of over $1 million.
  • 41% of EGE organizations reported DDoS attacks exceeding their total internet capacity. Nearly 60% of EGE respondents estimate downtime costs above $500/minute.
  • 77% of service provider respondents are capable of mitigating attacks in less than 20 minutes.
  • Nearly 55% of EGE respondents now carry out DDoS defense simulations, with approximately 40% carrying them out at least quarterly.
  • The proportion of data center and cloud provider respondents that are using firewalls for DDoS defense has fallen from 71% to 40%. 

https://www.arbornetworks.com/

Wednesday, December 14, 2016

FBI Arrests USC Student in DDoS Sweep

The FBI announced the arrest of Sean Sharma, a graduate student at the University of Southern California, for his suspected role in a distributed denial of service (DDoS) attack against a San Francisco chat service company.  The arrest came as part of an operation aimed at users of “DDoS for hire” services. The sweep, which was coordinated from The Hague in the Netherlands by Europol’s European Cyber Crime Centre (EC3), yielded nearly three dozen arrests in 13 countries.

https://www.fbi.gov/news/stories/international-cyber-sweep-nets-ddos-attackers

Friday, October 21, 2016

Dyn Cites Mirai Botnet as One Source of the Attack

In a statement regarding the DDoS attack on 10/21/2016, Dyn confirmed that the sophisticated, highly distributed attack involved tens of millions of IP addresses.

The company said its preliminary forensic analysis, with help from Flashpoint and Akamai, indicates that the attack originated across multiple attack vectors and internet locations. One source of the attack traffic was devices infected by the Mirai botnet. Dyn observed tens of millions of discrete IP addresses associated with the Mirai botnet that were part of the attack.

http://hub.dyn.com/static/hub.dyn.com/dyn-blog/dyn-statement-on-10-21-2016-ddos-attack.html

Flashpoint Links Dyn DDoS Attack to Mirai IoT Botnet

Flashpoint confirmed that some of the infrastructure responsible for the distributed denial-of-service (DDoS) attacks against Dyn DNS were botnets compromised by Mirai malware.

Mirai botnets were previously used in DDoS attacks against security researcher Brian Krebs’ blog “Krebs On Security” and French internet service and hosting provider OVH. Mirai malware targets Internet of Things (IoT) devices like routers, digital video recorders (DVRs), and webcams/security cameras, enslaving vast numbers of these devices into a botnet, which is then used to conduct DDoS attacks. Flashpoint has confirmed that at least some of the devices used in the Dyn DNS attacks are DVRs, further matching the technical indicators and tactics, techniques, and procedures (TTPs) associated with previous known Mirai botnet attacks.

However, Flashpoint states that the Mirai botnets used in the October 21, 2016 attack against Dyn were separate and distinct botnets from those used to execute the DDoS attacks against “Krebs on Security” and OVH.

Flashpoint also notes that the Mirai source code was released earlier this month by the hacker operating the Mirai botnet responsible for the Krebs DDoS attack.

https://www.flashpoint-intel.com/mirai-botnet-linked-dyn-dns-ddos-attacks/

Dyn Managed DNS Hit by Major DDoS Attack

Dyn, which provides cloud-based Internet Performance Management and traffic steering to major websites, including Twitter, Zappos, Red Hat, BT, CNBC and Zillow, experienced a major DDoS attack that impacted its Managed DNS customers in its US East region.

On its status update site, Dyn noted that it began monitoring and mitigating a DDoS attack against its Dyn Managed DNS infrastructure starting at 11:10 UTC on Friday, October 21, 2016.

Impacted websites and services included Etsy, Heroku, Business Insider, Soundcloud, Spotify, Reddit, Github, Twitter and others.

The company reported that its services were restored to normal as of 13:20 UTC, approximately two hours after the attack began, but then new attacks emerged against the Dyn Managed DNS infrastructure.

https://www.dynstatus.com/incidents/nlr4yrr162t8

Sunday, October 16, 2016

Arbor Networks Updates DDoS Digital Attack Map with Jigsaw

Arbor Networks announced an enhanced version of the Digital Attack Map, a live data visualization of distributed denial-of-service (DDoS) attacks around the globe.

The Digital Attack Map uses data from Arbor Networks’ Active Threat Level Analysis System (ATLAS), a globally scoped threat monitoring network that currently collects 140Tbps of anonymous traffic data from more than 330 service provider customers. This represents approximately one-third of the world’s global internet traffic.

Updates include:

  • A change in architecture of the ATLAS system allows the Digital Attack Map to unlock 20X the data of the previous version in terms of the number and scale of the attacks presented.
  • The new system architecture moves all of this data from batch processing to real-time streaming, thereby ensuring that the data is up to date, and as accurate as possible.


Jigsaw, which is an incubator within Alphabet (Google's parent company) focused on addressing online censorship, is using the data for its mission.

“DDoS attacks are growing at an alarming rate in terms of size, frequency and complexity. They are the primary threat to the availability of networks, applications and online services. The Digital Attack Map represents just a slice of the rich data set that we have in ATLAS and it has been brought to visual life by the engineers at Jigsaw, allowing anyone to see DDoS attacks on a global scale or a country by country basis. Jigsaw is doing important work to educate the public about the DDoS threat, and we are gratified that our data is being showcased on the Digital Attack Map,” said Brian McCann, President of Arbor Networks.

http://www.DigitalAttackMap.com

Tuesday, October 11, 2016

A10 Rolls Out Big Gun to Fight DDoS Attacks

A10 Networks introduced "the industry’s biggest gun" in the rapidly escalating war against DDoS attacks -- the A10 Thunder 14045 TPS (Threat Protection System) for Service Providers, Internet Content Providers, and Cloud operators.  The appliance packs 300 Gbps of mitigation throughput capacity (or 2.4 terabits per second in a cluster).

A10 is also expanding its Thunder TPS family with a new 840 model offering 2 Gbps of mitigation throughput capacity for medium-sized enterprises or remote sites. In addition, the company is introducing NFV-based DDoS solutions at performance tiers from 1 to 5 Gbps.

A10 said its Thunder TPS can block multi-vector DDoS attacks to stop disruption, detecting and mitigating them at the network edge, and functioning as a first line of defense for the network infrastructure.

“It’s all about the customer,” said Raj Jalan, CTO of A10 Networks. “We’re helping service providers and enterprises fight back against the rising DDoS onslaught so they can be proactive, not reactive. True multi-vector, always-on protection helps them ensure uptime, exceed operational readiness and productivity, and avoid brand damage due to costly outages.”

Some highlights:

A10 Thunder 14045 TPS
Performance: 300 Gbps, 440 Mpps, 2.4 Tbps in a cluster.
Specification highlights: SPE with FPGA, 4x18 core Xeon, 3 RU, 4x100 GbE, 2+2 redundant 80 Plus Platinum rated power supplies.

A10 Thunder 840 TPS 
Performance: 2 Gbps, with hardware bypass option.

A10 vThunder TPS 
Performance: 1, 2, and 5 Gbps. Available on VMware ESXi and Microsoft Hyper-V hypervisors.

https://www.a10networks.com/news/stop-multi-vector-ddos-disruption-expanded-thunder-tps-solution

Thursday, April 7, 2016

Blueprint: Top 10 Best Practices for Planning and Conducting an Endpoint PoC

by Paul Morville, Founder and VP of Products, Confer

Few things are more disappointing or costly than deploying a product that fails to live up to the vendor’s claims or doesn’t meet the team’s expectations. More often than not, there is a very large grey area where it’s difficult to discern what the PowerPoint slides promise versus what the product will actually deliver. A well-structured Proof of Concept (PoC) can be extremely useful in turning this grey area into black and white. But, these PoCs can be complicated and costly to run, sapping security operations center and security analyst resources that are already spread too thin.

For endpoint security, planning and conducting a good PoC is even more important than usual because security’s reputation is on the line. While improving endpoint security is essential in today’s environment, endpoint deployments can be risky. They are highly visible across the company, and a failed deployment will get the security team into hot water with their end users.

By designing a solid and comprehensive PoC, you can vastly improve your chances of managing the gaggle of vendors vying for your business, make the right decision and ultimately, ensure a smooth rollout and a successful project.

Our Top 10 Do’s and Don’ts:

1: Don’t delegate the scoping and planning process

Senior security team members are typically at maximum capacity, so it’s tempting to delegate the task of planning a PoC to a more junior staff member. Don’t. The PoC is the chance to define what the organization wants from an endpoint security solution in terms of technical, operational and business requirements. In forward-thinking organizations, an experienced CISO is engaged in the upfront planning to ensure the requirements are well-defined.

2: Do ask yourself, “Will it flatten the stack?”

When testing a product, ask yourself whether it will help you flatten the endpoint security stack, thereby reducing management cost and complexity. How many items can you check off on your requirement list? How many endpoint agents can you retire?

The PoC should thoroughly evaluate every function the product claims to offer. For example, if the product blocks attacks – what kind? If the product supports incident response, does it give full visibility into the details and impact on the endpoint?

3: Do adopt the mindset of the adversary

The PoC test should serve as a proxy for the determined adversaries the organization faces. By adopting the mindset of the adversary, the CISO can emulate the types of attacker behaviors they are likely to face.

Skilled attackers can easily penetrate most networks, so the test scenarios should not focus solely on breach prevention. It’s also critical to evaluate the level of damage the attackers can do once they are inside the network, and how readily their behavior can be detected and thwarted.

4: Do form Red and Blue Teams

Conducting a PoC that most accurately reflects a real-world scenario in a specific organization requires selecting members of the security staff to mimic the attackers who are constantly trying to compromise employees’ devices and steal valuable data. These employees become the Red Team. On the flip side, staff members chosen to mimic the defenders, those who work to mitigate all threats facing the organization, become the Blue Team. If everyone knows their roles, the PoC will be as close to reality as possible.

5: Do allow those teams to work together

Often, the Red Team launches an attack and then, a month later, writes a report that says, “We got in, and here are the vulnerabilities we found.” The PoC will be far more useful if one or two key members of the Blue Team are sitting alongside the Red Team and interacting with them. The Blue team can watch how an attack unfolds, analyze how the defenses react, and evaluate what kind of information is generated by the product being tested. In turn, this gives them a better sense of how the product can actually be used, and how it will perform in a real-world environment.

6: Do testing in both the lab and the real world

A typical medium enterprise will have over 5 million executables in their environment and will see upwards of 5,000 new executables enter the environment every day. Every one of these executables has the potential to generate a false positive, but that’s impossible to simulate in a lab. Therefore, a well-designed PoC will strike a balance between bench-testing live malware in a virtual-lab setting, and testing a subset of the real-world production environment under the conditions of an actual attack. An effective PoC should include deployment on at least 20 devices from the general population to provide the real world perspective.

7: Do use a representative set of attacks

Organizations are most likely to be attacked by the same actors who have attacked them in the past, using methods that were previously successful. The goal, therefore, is not to test against the most obscure or exotic malware, but rather to focus on threats the organization has already faced. Maintaining a repository of malware samples from past incidents is a good start. Also, include malwareless attacks – such as document-based or PowerShell scripts. They are common in today’s enterprise and just as damaging as a malware-based attack.

8: Don’t blindly accept tests from your vendors

If a CISO relies on the vendor to provide malware test samples, it is very important to ask how those samples were derived. Vendors sometimes skew PoC results by repackaging known malware so it evades their competitors’ products but is detected by their own engine (not a big surprise, since they generated it). Ask questions and use a mixture of sources.

9: Don’t test malware on a live network

At the risk of stating the obvious, it is never wise to test live malware in a production environment. Inexperienced security personnel have actually done this, triggering a full-scale outbreak in the environment. For live malware testing, the best case is to use a segregated network consisting of virtual machines that are immediately reimaged after infection so as to avoid an actual attack.

10: Don’t test on a suspect endpoint

When conducting a PoC, it can be tempting to “kill two birds with one stone” by including real devices that are suspected of already having been compromised. This approach is not advised because it presents an incomplete picture. If the attacker has already come and gone, you often have very little to go on. Unless you plan to install the product exclusively post-incident, try to simulate the whole attack lifecycle.

Following these 10 best practices will help test how well a product addresses specific endpoint security requirements in the only environment that truly matters – yours.

About the Author

Paul Morville has been working in information security for more than 15 years. Prior to founding Confer, Paul held numerous roles at Arbor Networks, including VP Product Management and VP Corporate Business Development. Paul was an early employee at Arbor and helped take the company from pre-revenue to more than $100M in annual sales, establishing it as the leader in network security DDoS detection and prevention.

While there, Paul developed and launched Arbor’s flagship enterprise network security product line, established partnerships with ISS/IBM, Cisco and Alcatel-Lucent; managed Arbor’s Security Engineering & Response research team; acquired a company; and ultimately managed Arbor’s sale to Danaher Corporation in 2010.

Prior to entering the security industry, Paul worked for several other startups. He holds an MBA with Distinction from Michigan’s Ross School of Business.

About Confer

Confer offers a fundamentally different approach to endpoint security through a Converged Endpoint Security Platform, an adaptive defense that integrates prevention, detection and incident response for endpoints, servers and cloud workloads. The patented technology disrupts most attacks while collecting a rich history of endpoint behavior to support post-incident response and remediation. Confer automates this approach to secure millions of devices, regardless of where they are, allowing security teams to focus on more important activities.

Monday, February 1, 2016

NSFOCUS Stops Massive DDoS Attack for Australia's Micron21

NSFOCUS reported that its Anti-DDoS System (ADS) has been used to mitigate a sustained 90-Gbps Distributed Denial of Service (DDoS) attack against Australian service provider Micron21, which offers mission-critical data center capabilities to clients around the world.

NSFOCUS said the January 14th attack started relatively small, then rapidly increased over the course of 30 minutes. It eventually consumed a staggering 23 Terabytes of inbound data in only two hours, before the assailant(s) ceased the DDoS attack. The peak was 90 Gbps. Given the sheer scale of the problem, a full-blown outage would have potentially cost the customer the equivalent of at least $1.3 Million.

“Welcome to the modern world—this is the painful reality for data center operators everywhere, and why it’s absolutely critical for every corner of the industry to have solid DDoS mitigation capabilities in place,” said Allan Thompson, COO at NSFOCUS IB. “We’re honored that NSFOCUS ADS platform played such a vital role in helping Micron21 mitigate this criminal barrage, and we remain committed to developing and offering technologies that help our customers stay vigilant and protected against future attacks.”

http://www.micron21.com
http://www.nsfocus.com

Tuesday, January 26, 2016

Arbor Networks: DDoS Attacks Continue to Grow and Clouds Come Under Threat

Cloud services are coming increasingly under attack, according to Arbor Networks' newly released 11th Annual Worldwide Infrastructure Security Report (WISR). The report is based on a survey of Tier 1 and Tier 2/3 service providers and hosting, mobile, enterprise and other types of network operators from around the world. Data covers November 2014 through November 2015.

Some highlights:

Top 5 DDoS Trends
  • Change in Attack Motivation: This year the top motivation was not hacktivism or vandalism but ‘criminals demonstrating attack capabilities,’ something typically associated with cyber extortion attempts.
  • Attack Size Continues to Grow: The largest attack reported was 500 Gbps, with others reporting attacks of 450 Gbps, 425 Gbps and 337 Gbps. In 11 years of this survey, the largest attack size has grown more than 60X.
  • Complex Attacks on the Rise: 56 percent of respondents reported multi-vector attacks that targeted infrastructure, applications and services simultaneously, up from 42 percent last year. 93 percent reported application-layer DDoS attacks. The most common service targeted by application-layer attacks is now DNS (rather than HTTP).
  • Cloud Under Attack: Two years ago, 19 percent of respondents saw attacks targeting their cloud-based services. This grew to 29 percent last year and now to 33 percent this year – a clear upward trend. In fact, 51 percent of data center operators saw DDoS attacks saturate their Internet connectivity. There was also a sharp increase in data centers seeing outbound attacks from servers within their networks, up to 34 percent from 24 percent last year.
  • Firewalls Continue to Fail During DDoS Attacks: More than half of enterprise respondents reported a firewall failure as a result of a DDoS attack, up from one-third a year earlier. As stateful and inline devices, firewalls add to the attack surface and are prone to becoming the first victims of DDoS attacks as their capacity to track connections is exhausted. Because they are inline, they can also add network latency.

Top 5 Advanced Threat Trends
  • Focus on Better Response: 57 percent of enterprises are looking to deploy solutions to speed the incident response processes. Among service providers, one-third reduced the time taken to discover an Advanced Persistent Threat (APT) in their network to under one week and 52 percent stated their discovery to containment time has dropped to under one month.
  • Better Planning: 2015 saw an increase in the proportion of enterprise respondents who had developed formal incident response plans and dedicated at least some resources to respond to such incidents, up from around two-thirds last year to 75 percent this year.
  • Insiders in Focus: The proportion of enterprise respondents seeing malicious insiders is up to 17 percent this year (12 percent last year). Nearly 40 percent of all enterprise respondents still do not have tools deployed to monitor BYOD devices on the network. The proportion reporting security incidents relating to BYOD doubled, to 13 percent from six percent last year.
  • Staffing Quagmire: There has been a significant drop in those looking to increase their internal resources to improve incident preparedness and response, down from 46 to 38 percent in this year’s results.
  • Increasing Reliance on Outside Support: Lack of internal resources this past year has led to an increase in the use of managed services and outsourced support, with 50 percent of enterprises having contracted an external organization for incident response. This is 10 percent higher than within service providers. Within service providers, 74 percent reported seeing more demand from customers for managed services.

“A constantly evolving threat environment is an accepted fact of life for survey respondents,” said Arbor Networks Chief Security Technologist Darren Anstee. “This report provides broad insight into the issues that network operators around the world are grappling with on a daily basis. Furthermore, the findings from this report underscore that technology is only part of the true story since security is a human endeavor and there are skilled adversaries on both sides. Thanks to the information provided by network operators worldwide, we are able to offer insights into people and process, providing a much richer and more vibrant picture into what is happening on the front lines.”

Download the full report (registration required).

Tuesday, July 21, 2015

Arbor: DDoS Attacks Continue to Grow in Ferocity

The average size of distributed denial-of-service (DDoS) attacks, from both a bits-per-second and packets-per-second perspective, continues to grow, according to new tracking data released by Arbor Networks.

Arbor’s data is gathered through ATLAS, a collaborative partnership with more than 330 service provider customers who share anonymous traffic data with Arbor in order to deliver a comprehensive, aggregated view of global traffic and threats. ATLAS collects 120TB/sec of Internet traffic and is the source of data for the Digital Attack Map, a visualization of global DDoS attacks created in collaboration with Google Ideas.

The largest attack monitored in Q2 was a 196GB/sec UDP flood, a large, but no longer uncommon attack size. Of most concern to enterprise networks is the growth in the average attack size. In Q2, 21 percent of all attacks topped 1GB/sec, while the most growth was seen in the 2-10GB/sec range. However, there was also a significant spike in the number of attacks in the 50-100GB/sec range in June, mainly SYN Floods targeting destinations in the US and Canada.

“Extremely large attacks grab the headlines, but it is the increasing size of the average DDoS attack that is causing headaches for enterprises around the world,” said Arbor Networks Chief Security Technologist Darren Anstee. “Companies need to clearly define their business risk when it comes to DDoS. With average attacks capable of congesting the Internet connectivity of many businesses, it is essential that the risks and costs of an attack are understood, and appropriate plans, services and solutions put in place.”

http://www.slideshare.net/Arbor_Networks/atlas-q2-2015final

Wednesday, July 1, 2015

Level 3 Acquires Black Lotus for DDoS Mitigation

Level 3 Communications has acquired Black Lotus, a start-up offering global Distributed Denial of Service (DDoS) mitigation services. Details on the all-cash deal were not disclosed.

Black Lotus, which is based in San Francisco, operates a global DDoS mitigation network. It monitors traffic on edge routers to generate sample data, called flows, which are sent to an analysis platform. The traffic sample is evaluated to determine whether a DDoS attack is under way against the destination IP; if so, traffic to that IP is diverted into one or more scrubbing centers. Once in a scrubbing center, traffic can be filtered based on signatures (predefined traffic patterns known to be DDoS attacks) or heuristics (abnormalities in traffic patterns that may indicate a DDoS attack).

Level 3 said the acquisition of Black Lotus will add additional capabilities to the existing Level 3 DDoS service, which launched earlier in the year, including adding extra scrubbing centers. The Level 3 DDoS Mitigation service provides an enhanced network-based detection and mitigation scrubbing solution alongside network routing, rate limiting and IP filtering abilities. Black Lotus adds proxy-based DDoS mitigation services to the portfolio providing additional capabilities for application layer attacks, along with advanced behavioral analytics technology. The application layer is a prime target for DDoS attacks that often impact Web servers and Web hosting providers.

"At Level 3, we value security and are committed to protecting our customers and our network," said Chris Richter, senior vice president of managed security services at Level 3. "Black Lotus' proxy and behavioral technologies, combined with their experienced team of DDoS experts, perfectly complements Level 3's DDoS mitigation and threat intelligence capabilities. With this acquisition, Level 3 continues its commitment of investing in a comprehensive portfolio of services that enhance the growth, efficiency and security of our customers' operations, helping enterprises combat the cybersecurity challenges they face every day."

http://www.level3.com
https://www.blacklotus.net

Thursday, June 4, 2015

NTT Com Develops Multi-homed anti-DDoS

NTT Communications is testing an enhanced DDoS orchestrator system to detect, analyze and defend against distributed denial of service (DDoS) attacks. The pilot system was constructed by multiple security companies, including Arbor Networks, A10 Networks, and Radware Ltd. The user organizations include EHIME CATV Inc., INTERNET MULTIFEED Co., Interop Tokyo 2015 ShowNet, mixi Inc. and OKIT CORPORATION, among others.

NTT Com said its trial will test the operability of unique channel-control technology developed by NTT Com to minimize the negative effects, such as delays in normal communications, of implementing a DDoS defense. The testing environment incorporates NTT Com's unique channel-control technology (patent pending), which reports the Internet routes used by specific traffic and enables traffic from a DDoS attack to be routed to optimized points in NTT Com's Global IP (GIP) and domestic OCN networks for Internet connection. The attacker's specific traffic is drawn to the system's DDoS defense devices, whereas normal communications experience only minimal delays.

NTT Com is Japan's first communications provider to conduct a multihomed anti-DDoS service that would be available to all companies using or providing Internet services.

http://www.ntt.com/aboutus_e/news/data/20150604.html

Monday, May 11, 2015

IoT is Contributing to Rise in Simple Service Discovery Protocol Amplification Attacks

There has been a significant growth in Simple Service Discovery Protocol (SSDP)-based amplification attacks, according to a recently published DDoS Threat Report from NSFocus, which specializes in enterprise-level, carrier-grade solutions for DDoS mitigation, Web security and enterprise-level network security.

The NSFOCUS report cites the rise of IoT-connected devices, such as webcams, as primary agents responsible for an increase in SSDP reflection attacks.

The report is based on statistical analysis and key observations from actual DDoS attacks that occurred during the second half of 2014. This data was collected from a mix of global enterprises, Internet service providers, regional telecom operators and Internet hosting companies.

Some key findings:

  • Any network-connected device with a public IP address and a vulnerable operating system adds to the pool of devices that could be used to launch SSDP-based reflection attacks. This particular type of DDoS attack was seen as the second most dominant threat, after NTP-based attacks, in 2H2014.
  • More than 30 percent of compromised SSDP attack devices were network-connected devices such as home routers and webcams. Findings also revealed that globally, more than 7 million SSDP-controlled devices could potentially be exploited.
  • While 90 percent of DDoS attacks lasted less than 30 minutes, one attack lasted 70 hours. This shorter attack strategy is being employed to improve efficiency as well as distract the attention of IT personnel away from the actual intent of an attack: deploy malware and steal data. These techniques indicate that today’s attacker continues to become smarter and more sophisticated.
  • Online retailers, media and gaming remain top targets: As retailers, entertainment and gaming companies increasingly employ online environments, consumers demand the highest level of quality of service. By slowing down or flooding these servers, attackers look to take advantage of online businesses through a variety of means, including blackmail, unfair business competition or asset theft.

"We are watching the evolution of attack technologies that amount to nothing less than 'bullying' (flood attacks) and 'leveraging' (resource exhaustion) tactics that enhance the impact by exploiting network bandwidth. To counteract these assaults, organizations must look to traffic-cleaning devices in conjunction with other security protocols," stated Yonggang Han, COO of NSFOCUS.

http://www.nsfocus.com
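The flow-based detection pipeline described in the Level 3 / Black Lotus post above (flows sampled at edge routers, a per-destination decision, then signature or heuristic filtering) and the SSDP reflection findings in this NSFOCUS report can be illustrated together. The following is an added example, not Black Lotus or NSFOCUS code; the flow record format, the thresholds and the "UDP replies from source port 1900" signature rule are assumptions made for illustration, and the sample flows are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    """One sampled flow record exported by an edge router (constructed format)."""
    src: str
    dst: str
    proto: str              # "tcp" or "udp"
    sport: int
    dport: int
    packets: int
    syn_only: bool = False  # TCP flow seen with SYN but never an ACK

SSDP_PORT = 1900  # signature assumption: UDP replies from port 1900 = SSDP reflection

def classify(flows, window_s=1.0, pps_threshold=10_000, min_syn_sources=50):
    """Map each destination under attack to ("signature" | "heuristic", name).
    Stage 1: aggregate sampled packets per destination and flag only those above
    a rate threshold. Stage 2: predefined signature first, then heuristics."""
    per_dst = defaultdict(list)
    for f in flows:
        per_dst[f.dst].append(f)
    verdicts = {}
    for dst, fl in per_dst.items():
        total = sum(f.packets for f in fl)
        if total / window_s < pps_threshold:
            continue  # normal load: traffic stays on its usual path
        ssdp = sum(f.packets for f in fl if f.proto == "udp" and f.sport == SSDP_PORT)
        if ssdp / total > 0.8:
            verdicts[dst] = ("signature", "ssdp-reflection")
        elif len({f.src for f in fl if f.proto == "tcp" and f.syn_only}) >= min_syn_sources:
            verdicts[dst] = ("heuristic", "syn-flood")  # many sources, no handshakes
        else:
            verdicts[dst] = ("heuristic", "volumetric")
    return verdicts

def sample_flows():
    """Constructed one-second sample: an SSDP reflection victim, a SYN-flood
    victim and a busy but legitimate HTTPS server (RFC 5737 test addresses)."""
    flows = [Flow(f"198.51.100.{i + 1}", "203.0.113.10", "udp", SSDP_PORT, 40000 + i, 100)
             for i in range(200)]
    flows += [Flow(f"192.0.2.{i + 1}", "203.0.113.20", "tcp", 50000 + i, 80, 150, True)
              for i in range(100)]
    flows += [Flow(f"192.0.2.{i + 1}", "203.0.113.30", "tcp", 51000 + i, 443, 200)
              for i in range(20)]
    return flows
```

Only the two flagged destinations would be diverted to a scrubbing center; the HTTPS server stays below the rate threshold and is left alone, which is the "legitimate traffic unaffected" property these services advertise.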

Thursday, March 19, 2015

DT Launches DNS Service Resilient to DDoS

International Carrier Sales & Solutions (ICSS), the international wholesale arm of Deutsche Telekom, is launching a new Domain Name System (DNS) service called ICSS Route that is designed to be resilient against Distributed Denial of Service (DDoS) attacks.

ICSS Route is based on a global DNS network and intelligent routing capabilities, which ensure fast response times, low latency and reliable access from anywhere in the world. It also incorporates monitoring of server performance, availability and traffic management. As ICSS Route is authoritative-only, it does not operate in recursive mode and is therefore immune to cache poisoning attacks (which target the caches of recursive resolvers) and other risks. The fully RFC-compliant solution can be run as either a managed or secondary DNS service and is available via a set of public APIs or over the ICSS CDN Web portal.

Stephan Schröder, Vice President Internet & Content at ICSS said, “ICSS Route was built to cope with all the problems other systems can’t handle. It is a dedicated, enterprise-grade platform with extremely high performance, availability and security. Because it’s scalable and requires no up-front investment, it is also very cost-effective.”

http://www.cdn.telekom-icss.com

Thursday, February 12, 2015

Level 3 Offers DDoS Mitigation Service with 4.5 Tbps Ingest

Level 3 Communications introduced a new DDoS Mitigation Service that provides protection closer to the network edge.

The Level 3 DDoS Mitigation Service leverages the carrier's vast DDoS ingest capacity, 4.5 terabits per second, to predict and detect malicious attacks, alert customers and quickly re-route traffic to defend their critical data infrastructures. Attack traffic is routed to one of Level 3's globally located scrubbing centers before clean traffic is returned via a private connection or the public Internet. The global service provides enhanced network routing, rate limiting and IP filtering alongside a network-based detection and mitigation scrubbing solution.

Level 3 said the combination of its expansive network, which provides extensive attack traffic visibility, and the service's ability to work on both Level 3 and third-party networks is a clear differentiator in the marketplace for customers. The vast level of visibility comes from the company's Content Delivery Network (CDN), IP and Domain Name System (DNS) networks. The addition of Level 3's threat analysis capabilities and managed security services enables it to assist enterprises in building a strong security posture to address today's complex threat landscape.

"Throughout my tenure in the cybersecurity business, I have never seen such an accelerated and sophisticated cyber threat landscape – and attacks will only continue to grow in frequency, size and complexity," said Chris Richter, senior vice president of managed security services at Level 3. "Level 3 has leveraged its global network infrastructure and managed security services with leading detection and mitigation technologies to provide our customers with a truly advanced layer of defense against these evolving exploits."

http://www.level3.com


Tuesday, November 25, 2014

A10 Networks Adds Advanced DDoS Mitigation

A10 Networks introduced new advanced DDoS mitigation capabilities for its Thunder TPS platform.

The new functionality blocks additional attacks such as the recent POODLE attack, and provides advanced rate-limiting for granular Layer 4-7 control to enable mitigation. The company said its Thunder TPS Release 3.1 includes comprehensive detection capabilities with access to over 400 global, destination-specific and behavioral counters, to eliminate false positives. These granular forensics protect applications and networks while keeping them highly available. Significant visibility enhancements expose more detailed traffic information to provide a comprehensive understanding of regular and anomalous traffic patterns. The enhanced easy-to-use GUI provides dashboard, incident and rich report views, which can be analyzed to improve any DDoS protection strategy.

"Network and security staff will greatly benefit from the new mitigation and visibility options provided by Thunder TPS 3.1. More detailed threat analysis and updated tools help to combat the impact of DDoS attacks by preventing damage to critical online resources and the bottom line," said Raj Jalan, CTO of A10 Networks. "With these enhancements, A10 Networks sets the stage to provide additional correlated analytics and ease of administration, including centralized management and automatic traffic baselining features in the near future."

http://www.a10networks.com/news/pr.php?id=1903525

Tuesday, October 21, 2014

Arbor Networks Defends Against Fast Flood DDoS attacks

The latest release of Arbor Networks' Peakflow distributed denial-of-service (DDoS) platform can now detect Fast Flood DDoS attacks in as little as one second and initiate mitigation in less than thirty seconds.

The Peakflow platform includes two main components, Peakflow and the Peakflow Threat Management System. Peakflow combines network-wide anomaly detection and traffic engineering with the Peakflow Threat Management System’s carrier-class threat management, which automatically detects and surgically removes only attack traffic, while maintaining other business traffic. With the ability to mitigate only the attack traffic, customer-facing services remain available while providers actively mitigate attacks. The Peakflow platform also powers many of the world's leading cloud-based DDoS managed security services.

The Peakflow Threat Management System now includes an optional on-box SSL acceleration card to deliver an integrated, one-appliance solution to inspect encrypted traffic for DDoS threats. DDoS attacks are blocked in real time as normal traffic passes uninterrupted – all without forcing changes to existing network and application infrastructure.

Arbor noted that through the end of the third quarter, more than 130 attacks larger than 100Gbps have occurred, a dramatic spike in the frequency of volumetric attacks compared to previous quarters.

“The majority of the world’s service providers rely on the Peakflow platform for network intelligence and DDoS protection. More than sixty providers utilize the Peakflow platform to also offer DDoS managed services to their customers. Our continued innovation in the area of DDoS attack detection and mitigation has dual benefits for our service provider customers, helping protect their own infrastructure while also improving their ability to deliver DDoS managed security offerings,” said Arbor Networks President, Matthew Moynahan.

http://arbornetworks.com
