DDOS, the new black?
In the last few weeks, maybe even months, we've been seeing an increase in the number of Distributed Denial of Service (DDOS) attacks on different sites. Today, according to Ahnlabs in Korea, a number of government sites are under attack. Yesterday it was WordPress, and recently we also had SourceForge and no doubt a number of others that I've forgotten to mention.
So is DDOS the new black? We know that the majority of the malicious files and traffic we see are somehow related to making money, but realistically I can't quite see how this is doing the trick. How is money being made? Are the current attacks going to serve as examples? Give some money or else? I don't know how effective that would be as most of the organisations seem to be dealing with the DDOS attacks relatively well.
So why are we seeing these increases? Are they being reported more? Are they easier to do? Are they test runs for something better later on, or maybe even nation states testing their processes? Let us know if you've been under attack recently. I'd be interested to know how you dealt with it, and if you have some packets you can share, even better. If you know why you were targeted I'd be interested to know.
Now for dealing with a DDOS attack.
The best approach is to stop the packets from reaching you in the first place, stopping them as far away from your environment as possible, especially if link saturation is the problem. This will likely need the cooperation of your ISP. You will find some are more willing to help you deal with an attack than others.
If you manage to identify a particular characteristic of the packets being sent, then you might be able to get a firewall, router, IDS, or IPS to deal with the traffic. These types of devices will be better at coping with this than your web or mail server. Check your firewalls: many have the capability to drop traffic based on certain thresholds or characteristics, and they may be enough to
But let's put this in the context of an incident handling process. Hopefully you remember the six steps:
- Preparation
- Identification
- Containment
- Eradication
- Recovery
- Lessons Learned
Preparation
This will be the most important step. Firstly you will need to decide what you are going to do in the event of a DDOS attack on your infrastructure. Will you pull the plug yourself and just ride it out, or will you take steps a, b and c to deal with the attack? Best to sort this out before it happens rather than whilst it is happening.
Make sure you understand what your ISP will and won't do for you in the event of a DDOS attack on your sites.
If you have an approach to deal with the DDOS, make sure it is documented. Nothing worse than having to figure things out whilst the attack is underway.
Have the capability to grab packets in place. They will be invaluable.
Identification
How do you identify an attack? Often it is because someone receives a phone call saying "xyz is very slow/unavailable". You may have an IDS/IPS/firewall throwing up an alert. So that is how you notice.
What to do next? Well, hopefully you have managed to capture some packets, or at a minimum log records. You will need to look at these and see if you can identify a common factor.
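As an added example of the "find a common factor" step (not code from the original diary), the script below buckets Apache-style access-log lines per source address and time window, flags sources above an assumed per-window threshold, and reports the URL and User-Agent the flagged traffic has in common. The log lines, IP addresses and thresholds are all constructed for the example.

```python
"""Find a common factor in web-server access logs during a suspected DDOS.

Added example, not from the original diary. Log lines are constructed to
look like Apache combined-format entries; thresholds are illustrative.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

def parse_line(line):
    """Parse one combined-format line; return None for lines that don't match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def analyse(lines, window_s=10, per_ip_threshold=20):
    """Return (noisy_ips, top_paths, top_user_agents).

    A source sending more than per_ip_threshold requests inside any
    window_s-second window is flagged. The path and User-Agent counters over
    the flagged traffic are the 'common factor' to hand to a firewall or ISP.
    """
    recs = [r for r in map(parse_line, lines) if r]
    buckets = defaultdict(Counter)  # window start (epoch s) -> Counter(ip)
    for r in recs:
        start = int(r["ts"].timestamp()) // window_s * window_s
        buckets[start][r["ip"]] += 1
    noisy = {ip for c in buckets.values() for ip, n in c.items() if n > per_ip_threshold}
    flagged = [r for r in recs if r["ip"] in noisy]
    top_paths = Counter(r["path"] for r in flagged).most_common(3)
    top_uas = Counter(r["ua"] for r in flagged).most_common(3)
    return sorted(noisy), top_paths, top_uas

def sample_log():
    """Constructed sample: two chatty sources hammering one URL, one normal client."""
    fmt = '%s - - [07/Mar/2011:10:15:%02d +0000] "GET %s HTTP/1.1" 200 512 "-" "%s"'
    lines = [fmt % ("198.51.100.7", s, "/page%d.html" % s, "Mozilla/5.0 (X11; Linux)")
             for s in range(5)]
    for ip in ("203.0.113.5", "203.0.113.9"):
        lines += [fmt % (ip, i % 10, "/index.php", "Mozilla/4.0 (compatible; MSIE 6.0)")
                  for i in range(30)]
    return lines
```

Feed real log lines in place of `sample_log()`; the flagged addresses, path and User-Agent are what you would pass upstream for a drop rule.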
Containment
Using the information discovered, you may be able to configure an upstream device to drop the malicious packets. Your ISP or a vendor may be able to help mitigate the attack and contain the damage done.
You will likely also need to examine the targets to ensure they have not been compromised.
Eradication
If the targets have been compromised you will need to deal with those. Your incident handling plan, developed in the preparation stage, should have enough information to allow you to deal with this new issue.
Often when the attack is not successful it will drop off, so I guess it is self eradicating.
Recovery
Once the attack is over, determine what else may need to be cleaned, replaced or hardened.
Lessons Learned
Standard practice after any incident is the lessons learned step. Go through the attack, see where you went wrong and where you went right. Develop an approach to deal with
I've made a start, if you can add to it let us know via the contact form or comments.
Cheers
Mark H.