
Comments
Protecting Performance from Traffic Spikes

@tdudziak: What would be nice is a service or a product that could react to DDOS to not necessarily mitigate it but to bring it under control so that live folks could deal with it.

There are definitely services out there. The question is whether you want to engage one of those services before or during an attack. During, you're obviously going to have a better handle on it and be able to get it under control faster. If you wait for the attack, it could take hours to days before you can stop the bleeding and figure out what's really happening.

Moderator

@john and everyone who was involved, thank you, very valuable time today

Apprentice

@john: Thanks for the info; that was my guess as well. The report contains some very good data, btw.

Ninja

@GonzSTL: does Neustar have data on the attack vectors used to steal data or funds obfuscated by the DDoS attack?

Take a look at page 6 and 7 of their report for some additional information. I'd also suggest contacting them to see if they can put you in touch with one of their technical people who has more background. My guess would be that it's a combination of your common web attacks like SQL injection or usage of stolen credentials to gain access and commit fraud or theft.

Moderator

@tdudziak: There are some DDoS-specific appliances and cloud-based service providers out there but I didn't want to mention names as I don't want it to come across as a recommendation for one vendor over another. The sponsor for this series is one example.

Moderator

What would be nice is a service or a product that could react to DDOS to not necessarily mitigate it but to bring it under control so that live folks could deal with it.

Apprentice

@john: does Neustar have data on the attack vectors used to steal data or funds obfuscated by the DDoS attack?

Ninja

@Kelly Jackson Higgins: People consider DDoS a nuisance rather than a major incident like a data breach, but it sounds like the rise in DDoS attacks could be due to the use of them as a diversion, correct?

It depends on the industry. Companies that rely on their websites' availability to make money see DDoS as much more than a nuisance. Unfortunately, the targets often think it's some petty issue that is causing them to be a target when it could be much more targeted. It's so easy to hire a DDoS service to hide what you're doing, I definitely think that more victims would realize they suffered another type of attack concurrently if they weren't so focused on stopping the DDoS attack and getting that money-making site back online.

Moderator

Thanks, John. I appreciate the additional info. Just wanted to be sure that there was nothing more specific for the DDOS topic.

Apprentice

@John, if you were an attacker going after a retail site, then, would it make more sense to launch a DDoS attack during a high-traffic period, such as the holiday shopping season? Is it safe to say that an organization's defenses are at their weakest when their business/activity is at its busiest?

Strategist

@alex.brightpearl: where would you start against DDoS: prevention or detection? With the sophisticated range of DDoS attacks, is it even feasible to aim for prevention?

First, determine what risk is associated if you were to become a target of a DDoS. How much is it going to cost you to be offline for X number of days? How much does it cost to implement basic preventions such as beefing up your server and network resources compared to third-party hosting providers and cloud solutions designed specifically to prevent DDoS attacks?
When it comes to DDoS, detection is easy as you'll see it in your network and website traffic logs, customer and employee complaints, and similar issues. If you determine that you're more likely to be a target, then it's time to start the discussion on how to prevent it now and not wait until it happens.

Moderator

@tdudziak: What are some other examples of the "etc" in the previous slide?

I think you're referring to slide 15. In addition to the standard security products for mitigating the typical security attacks, I was thinking of things more on the infrastructure side that can aid both the website owner and the security team. Network infrastructure with logging and reporting with netflow. "Next gen firewalls" that understand layer 7 and the applications, which can help greatly with profiling traffic and generating a baseline. Analytics through things like Google and Adobe Analytics that can show traffic profiles over time, help with optimizing slow pages, and identify bottlenecks that may be with third-party hosts that you rely on and not your own resources.

Moderator

@johnsawyer: Understood; cooperation is always essential. What many do not understand is that huge-bandwidth DDOS attack logging can easily overwhelm storage resources. It is difficult to provision resources in anticipation of such an attack, as that gets expensive rather quickly.

Ninja

@John: where would you start against DDoS: prevention or detection? With the sophisticated range of DDoS attacks, is it even feasible to aim for prevention?

Apprentice

People consider DDoS a nuisance rather than a major incident like a data breach, but it sounds like the rise in DDoS attacks could be due to the use of them as a diversion, correct?

@DarkReadingTim: DDoS diversions

According to Neustar's DDoS report, 55% of the respondents suffered data and monetary theft while the DDoS attack was active. I think it's more common than most people think because there is so much scrambling that occurs to deal with the site being down. There's too much focus on getting it back up and not enough on figuring out the non-technical reason of why it went down and what's happening with other systems.

Moderator

@GonzSTL: Logging can be really tricky if the attack involves huge bandwidth! Imagine a 5 Gbps DDOS attack.

Dealing with this requires a lot of cooperation amongst groups including sysadmins, network admins, security, and developers. It may be that logging levels for particular systems need to be dialed down in order to handle the load or maybe the logs can be sent to a few other hosts for distributed processing prior to pulling them into the SIEM. Reducing full logs from the firewall/IPS/IDS to relying more on netflow analysis may be necessary. It comes down a lot to knowing the infrastructure and already having logging in place then adapting it to handle the attack.

Moderator

@Tim, it is highly likely that if you are being DDOSed, other attack vectors are probably already in play. Granted that they will most likely not be network based if the DDOS is targeting your entire presence, they will probably be on the social engineering side.

Ninja

@alex.brightpearl: What would be the best place to get DDoS statistics/information?

Symantec and Neustar both have excellent reports on DDoS attacks.
Symantec's report is "The Continued Rise of DDoS Attacks" and Neustar's is "2014 The Danger Deepens - Annual DDoS Attacks and Impact Report"

Moderator

What would be the best place to get DDoS statistics/information?

Apprentice

@John, we have heard a lot about DDoS attacks that are used as a mask/distraction to obfuscate more sophisticated attacks -- do you have a sense for how common this is? If I'm being DDoS'd, should I also be doing extra research to see if I might be getting hit with a more sophisticated/targeted attack?

Strategist

Good question about logging a big DDoS, @GonzSTL. @John, any insight you can provide on that?

What are some other examples of the "etc" in the previous slide?

Apprentice

Logging can be really tricky if the attack involves huge bandwidth! Imagine a 5 Gbps DDOS attack.

Ninja

They have rating systems, both for buyers and merchants.

Ninja

I think it's more about reputation and referral. Yelp for bad guys.

Apprentice

Wonder how often they double-cross one another...I guess a DDoS customer who gets exposed can't exactly get a discount or complain to the BBB.

Ferguson is in St. Louis County. We were hit shortly after Ferguson was hit.

Ninja

What fascinates me is how bad guys who are buying DDoS services trust the DDoS providers to make the attacks untraceable to them ... Bad guys trusting bad guys.

Hi GonzSTL. How did you make the connection to Ferguson?

Strategist

We were hit with a DDOS attack, and we attributed that to the unrest resulting from the events in Ferguson, MO. This was clearly a case of hacktivism.

Ninja

I guess it has to start with a conversation. But there doesn't seem to be a common language or framework to really thrash out the issues...

Strategist

Yep, @Marilyn. We keep hearing that security must go hand-in-hand with the business strategy, but there seems to be a very long learning curve/cultural evolution here.

"Business trumps security":  the core security problem at most organizations.

Welcome @John! Always great to have John presenting, he has been a practitioner of security at a major university as well as a researcher and penetration tester. Great person to ask practical questions of.

Strategist

John Sawyer is a rock star in security--you are in good hands!

Hi all - Audio is live! If you don't see the audio bar at the top of the screen, please refresh your browser. It may take a couple of tries. When you see the audio bar, if it doesn't start automatically, hit the play button. If you experience audio interruptions and are using IE, try using FF or Chrome as your browser. Many people experience issues with IE. Also, make sure your Flash player is updated to the current version. Some companies block live audio streams, so if that is the case for your company, the class will be archived on this page immediately following the class and you can listen then. People don't experience any issues with the audio for the archived version.

Apprentice

John Sawyer will be our lecturer, today -- he's a wonderful expert for the course.

Author

We'd love to have your voice in the class discussion here. To take part, just type your comment or question into the "Your Post" box and then click on the "Post" button below the box. Feel free to introduce yourself before the class starts -- I think you'll find that we're a very friendly learning community here!

Author

Hey, everyone, we're glad you could join us! When the class is scheduled to start, at noon EDT, an audio player should appear above the "Your Post" window. If it doesn't appear, you might need to refresh your browser until it does. If it appears but doesn't start playing, then you may need to click on the "play" button on the far left of the player.

Author

@lee.ward, I'm afraid that we don't plan a downloadable version. What sort of difficulties were you having?

Author

I was unable to listen to the previous parts of this series via live streaming. Will a download version be available please?

Apprentice
