
Comments
Protecting Performance from Traffic Spikes

@tdudziak: What would be nice is a service or a product that could react to DDOS to not necessarily mitigate it but to bring it under control so that live folks could deal with it.

There are definitely services out there. The question is whether you want to engage one of those services before or during an attack. During, you're obviously going to have a better handle on it and be able to get it under control faster. If you wait for the attack, it could take hours to days before you can stop the bleeding and figure out what's really happening.

Moderator

@john and everyone who was involved, thank you, very valuable time today

Apprentice

@john: Thanks for the info; that was my guess as well. The report contains some very good data, btw.

Ninja

@GonzSTL: does Neustar have data on the attack vectors used to steal data or funds obfuscated by the DDoS attack?

Take a look at pages 6 and 7 of their report for some additional information. I'd also suggest contacting them to see if they can put you in touch with one of their technical people who has more background. My guess would be that it's a combination of your common web attacks like SQL injection or usage of stolen credentials to gain access and commit fraud or theft.

Moderator

@tdudziak: There are some DDoS-specific appliances and cloud-based service providers out there but I didn't want to mention names as I don't want it to come across as a recommendation for one vendor over another. The sponsor for this series is one example.

Moderator

What would be nice is a service or a product that could react to DDOS to not necessarily mitigate it but to bring it under control so that live folks could deal with it.

Apprentice

@john: does Neustar have data on the attack vectors used to steal data or funds obfuscated by the DDoS attack?

Ninja

@Kelly Jackson Higgins: People consider DDoS a nuisance rather than a major incident like a data breach, but it sounds like the rise in DDoS attacks could be due to the use of them as a diversion, correct?

It depends on the industry. Companies that rely on their websites' availability to make money see DDoS as much more than a nuisance. Unfortunately, the targets often think it's some petty issue that is causing them to be a target when it could be much more targeted. It's so easy to hire a DDoS service to hide what you're doing, I definitely think that more victims would realize they suffered another type of attack concurrently if they weren't so focused on stopping the DDoS attack and getting that money-making site back online.

Moderator

Thanks, John. I appreciate the additional info. Just to be sure that there was nothing more specific for the DDOS topic.

Apprentice

@John, if you were an attacker going after a retail site, then, would it make more sense to launch a DDoS attack during a high-traffic period, such as the holiday shopping season? Is it safe to say that an organization's defenses are at their weakest when their business/activity is at its busiest?

Strategist

@alex.brightpearl: Where would you start against DDoS? Prevention or detection? With the sophisticated range of DDoS attacks, is it even feasible to aim for prevention?

First, determine what risk is associated if you were to become a target of a DDoS. How much is it going to cost you to be offline for X number of days? How much does it cost to implement basic preventions such as beefing up your server and network resources compared to third-party hosting providers and cloud solutions designed specifically to prevent DDoS attacks?
When it comes to DDoS, detection is easy as you'll see it in your network and website traffic logs, customer and employee complaints, and similar issues. If you determine that you're more likely to be a target, then it's time to start the discussion on how to prevent it now and not wait until it happens.

Moderator

@tdudziak: What are some other examples of the "etc" in the previous slide?

I think you're referring to slide 15. In addition to the standard security products for mitigating the typical security attacks, I was thinking of things more on the infrastructure side that can aid both the website owner and the security team. Network infrastructure with logging and reporting with netflow. "Next gen firewalls" that understand layer 7 and the applications, which can help greatly with profiling traffic and generating a baseline. Analytics through things like Google and Adobe Analytics that can show traffic profiles over time, help with optimizing slow pages, and identify bottlenecks that may be with third-party hosts that you rely on and not your own resources.

Moderator

@johnsawyer: Understood; cooperation is always essential. What many do not understand is that huge bandwidth DDOS attack logging can easily overwhelm storage resources. It is difficult to provision resources in anticipation of such an attack, as that gets expensive rather quickly.

Ninja

@John: Where would you start against DDoS? Prevention or detection? With the sophisticated range of DDoS attacks, is it even feasible to aim for prevention?

Apprentice

People consider DDoS a nuisance rather than a major incident like a data breach, but it sounds like the rise in DDoS attacks could be due to the use of them as a diversion, correct?

@DarkReadingTim: DDoS diversions

According to Neustar's DDoS report, 55% of the respondents suffered data and monetary theft while the DDoS attack was active. I think it's more common than most people think because there is so much scrambling that occurs to deal with the site being down. There's too much focus on getting it back up and not enough on figuring out the non-technical reason of why it went down and what's happening with other systems.

Moderator

@GonzSTL: Logging can be really tricky if the attack involves huge bandwidth! Imagine a 5 Gbps DDOS attack.

Dealing with this requires a lot of cooperation amongst groups including sysadmins, network admins, security, and developers. It may be that logging levels for particular systems need to be dialed down in order to handle the load or maybe the logs can be sent to a few other hosts for distributed processing prior to pulling them into the SIEM. Reducing full logs from the firewall/IPS/IDS to relying more on netflow analysis may be necessary. It comes down a lot to knowing the infrastructure and already having logging in place then adapting it to handle the attack.

Moderator

@Tim, it is highly likely that if you are being DDOSed, other attack vectors are probably already in play. Granted that they will most likely not be network based if the DDOS is targeting your entire presence, they will probably be on the social engineering side.

Ninja

@alex.brightpearl: What would be the best place to get DDoS statistics/information?

Symantec and Neustar both have excellent reports on DDoS attacks.
Symantec's report is "The Continued Rise of DDoS Attacks" and Neustar's is "2014 The Danger Deepens - Annual DDoS Attacks and Impact Report"

Moderator

What would be the best place to get DDoS statistics/information?

Apprentice

@John, we have heard a lot about DDoS attacks that are used as a mask/distraction to obfuscate more sophisticated attacks -- do you have a sense for how common this is? If I'm being DDoS'd, should I also be doing extra research to see if I might be getting hit with a more sophisticated/targeted attack?

Strategist

Good question about logging a big DDoS, @GonzSTL. @John, any insight you can provide on that?

Wicked presentation, Thanks!

Apprentice

Great presentation, John! Thanks so much.

Strategist

What are some other examples of the "etc" in the previous slide?

Apprentice

Logging can be really tricky if the attack involves huge bandwidth! Imagine a 5 Gbps DDOS attack.

Ninja

They have rating systems, both for buyers and merchants.

Ninja

I think it's more about reputation and referral. Yelp for bad guys.

Apprentice

Wonder how often they double-cross one another...I guess a DDoS customer who gets exposed can't exactly get a discount or complain to the BBB.

Kelly, ethics between bad guys :)

Ninja

There is honor among thieves, apparently.

Strategist

Ferguson is in St. Louis County. We were hit shortly after Ferguson was hit.

Ninja

What fascinates me is how bad guys who are buying DDoS services trust the DDoS providers to make the attacks untraceable to them ... Bad guys trusting bad guys. 

Hi GonzSTL. How did you make the connection to Ferguson?

Strategist

We were hit with a DDOS attack, and we attributed that to the unrest resulting from the events in Ferguson, MO. This was clearly a case of hacktivism.

Ninja

I guess it has to start with a conversation. But there doesn't seem to be a common language or framework to really thrash out the issues...

Strategist

Yep, @Marilyn. We keep hearing that security must go hand-in-hand with the business strategy, but there seems to be a very long learning curve/cultural evolution here.

That is a hard mindset to change, Kelly.

Strategist

"Business trumps security":  the core security problem at most organizations.

Welcome @John! Always great to have John presenting, he has been a practitioner of security at a major university as well as a researcher and penetration tester. Great person to ask practical questions of.

Strategist

John Sawyer is a rock star in security--you are in good hands!

Hi all - Audio is live! If you don't see the audio bar at the top of the screen, please refresh your browser. It may take a couple of tries. When you see the audio bar, if it doesn't start automatically, hit the play button. If you experience audio interruptions and are using IE, try using FF or Chrome as your browser. Many people experience issues with IE. Also, make sure your Flash player is updated with the current version. Some companies block live audio streams, so if that is the case for your company, the class will be archived on this page immediately following the class and you can listen then. People don't experience any issues with the audio for the archived version.

Apprentice

John Sawyer will be our lecturer, today -- he's a wonderful expert for the course.

Author

We're here in the studio ready for a great class!

Author

We'd love to have your voice in the class discussion here. To take part, just type your comment or question into the "Your Post" box and then click on the "Post" button below the box. Feel free to introduce yourself before the class starts -- I think you'll find that we're a very friendly learning community here! 

Author

Hey, everyone, we're glad you could join us! When the class is scheduled to start, at noon EDT, an audio player should appear above the "Your Post" window. If it doesn't appear, you might need to refresh your browser until it does. If it appears but doesn't start playing, then you may need to click on the "play" button on the far left of the player. 

Author

@lee.ward, I'm afraid that we don't plan a downloadable version. What sort of difficulties were you having?

Author

I was unable to listen to the previous parts of this series via live streaming. Will a download version be available please?

Apprentice
