What Are the Most Common Reasons Hackers Will DDOS Sites?

Brian Krebs. OVH. Dyn. And the open-sourcing of the code of the botnet that attacked them. Are you DDoS-defending your business? If not, now is the time.

 

  • Story of a Busy, Busy Botnet
  • 7 Reasons DDoS is Popular with Hackers
  • DDoS-Defend Your Business

 

Story of a Busy, Busy Botnet

 

Well, suffice it to say that the Mirai botnet has been busy lately. In September, it was used for a couple of massive attacks, one against US-based security journalist Brian Krebs, the other against French web host OVH. In October, the network of IoT devices that make up its bot army (some 380,000, according to its purported author) were used to DDoS Dyn and temporarily cripple a large chunk of the internet in the United States.

 

But, unfortunately, it gets worse… much worse. Security thought-leaders are sounding the alarm bell after a hacker publicly released the source code for Mirai.

 

After all, the scope of the DDoS attacks from Mirai are highly disturbing. The one that hit Krebs measured 620 gigabits per second. The one that hit OVH measured 1.1 terabits per second. If your brain is having trouble computing that sheer attack volume, it’s a good sign: it is almost unimaginable information-overload by our current standards.

 

Mirai is getting the press, but Bashlight is the original, explained Dan Goodin of Ars Technica. “Until now, the botnets created with the newer and technically more sophisticated Mirai have been greatly outnumbered by those based on its rival Bashlight,” he said, “with about 233,000 infected devices versus 963,000 respectively.”

 

The release of Mirai’s code – via the user Anna-senpai on Hack Forums (a site that has since been accused of running a DDoS-for-hire service) – is troubling to security pros because the resultant easy access to the botnet could supercharge the DDoS Dark Side.

 

The post on Hack Forums, which included links to the Mirai source code and noted that it was time to “GTFO” (direct quote) of IoT DDoS due to increased attention. (Source: Security Affairs)

 

Goodin noted that there has been an increased focus among those who use botnets to target CCTV cameras, routers, thermostats, webcams, and other vulnerable IoT devices. Once formed, the army of slaves is used to extract ransom from victims (in exchange for halting a DDoS).

 

“Both Mirai and Bashlight exploit the same IoT vulnerabilities,” said Goodin, “mostly… weakness involving the telnet remote connection protocol in devices running a form of embedded Linux known as BusyBox.”

 

One reason Mirai has become more prominent, though, is that it encrypts communications it sends to central command (i.e., the master). Also, some believe that the conversion of some 80,000 of the 963K Bashlight devices to Mirai suggests that the newer malware may be overtaking and then patching devices so that other botnets can’t reclaim them.

 

Although the open sourcing of the code is especially troubling, the attack on Dyn should also not be overlooked when we consider the power that is currently in the hands of botnet operators. Mirai successfully sabotaged the DNS provider Dyn and brought its response time to a crawl (or at least a large portion of the attack came from Mirai slaves). According to Michael Kan of Computerworld, many in the security community think that the Dyn DDoS (2 attacks of 130 minutes and 70 minutes, divided by a 2 ½ hour break) was more of a warning shot than an actual siege: it just leveraged 100,000 devices of the half-million or so devices then available.

 

7 Reasons DDoS is Popular with Hackers

 

Why are these attacks all the rage in the malicious intruder community?

 

Reason #1 – Easy as 1, 2, 100 thousand

 

One reason DDoS is a go-to for hackers is that it’s simple, and it works. The Dyn attack sidelined household-name web giants such as Spotify, Netflix, Airbnb, and Twitter, all of which use Dyn to connect their site to users.

 

“It doesn’t take particularly advanced hacking skills to block access to those sites,” said Emma Hinchliffe of Mashable. “It just takes a huge network.”

 

Well, how do you access a huge network? Even before the open sourcing of Mirai, the simplicity of carrying out a DDoS has been troubling to those who protect networks. Through paid services, anyone is able to rent a botnet. In fact, the criminally oriented can even have a stressor or booter service do the dirty work for them.

 

It is often challenging for the security team or law enforcement to track down the booters because they use proxies to assault you from different locations.

 

Reason # 2 – Cash for peace

 

DDoS-for-ransom, a form of extortion, has been on the rise over the last few years. Essentially you get barraged by traffic, see your site go down, and then get a note letting you know that you can regain your smoothly functional site for a bit of Bitcoin.

 

Security experts recommend never paying the attackers because there is no guarantee they won’t do it again and because it feeds the growth of the problem; however, some site owners feel they have no choice to get their own revenue cranking again.

 

Reason #3 – Keeping up with the Joneses by slashing their tires

 

What’s one way to outperform the rivals in your industry? Well, you could make it impossible for them to operate.

 

“Just small amounts of downtime can end up costing a company thousands [or millions] of dollars,” noted Christian Sager of HowStuffWorks. “It can also promote negative associations with a brand, so that customers no longer trust their services.”

 

Reason #4 – Hacktivism

 

DDoS isn’t always just about pummeling someone for money. It’s also a way that some actors use to voice dissent. South Korea, the U.S., Russia, and Georgia have historically been DDoS targets. Keep in mind that many of these attacks are thought to be perpetrated by other nations – which makes them more cyberwarfare than citizen protest. However, individuals do sometimes DDoS governments or companies because they disagree with them ethically.

 

Reason #5 – Rise of the script kiddy

 

Some of those behind DDoS events have been given the derisive name “script kiddies,” highlighting the fact that they lack technical skills (instead grabbing a script in a forum) and have what are viewed as immature intentions.

 

For instance, game publishers are sometimes DDoSed immediately following an update, because an irritated player believes they “nerfed” the best part.

 

“Also, let’s be honest, being able to take out a company from your bedroom is probably amusingly empowering in a David and Goliath sort of way,” said Sager. “Today’s DDoS is yesterday’s vandalism.” (Note that he made these comments in 2014, when DDoS was much less destructive and economically damning than it is today.)

 

Reason #6 – The overpowering decoy

 

A DDoS is certainly more uncontrollable than a fake duck that you can throw in your hunting bag, but it is sometimes a decoy in the sense of a distraction. In these cases, the directness and crudeness of a DDoS is used as a cover for a more technical, surgical hack. A landmark incident of this Ocean’s-11-style assault occurred in 2013, when a botnet operator slammed the Bank of the West with garbage traffic while they entered an account and withdrew $900K.

 

Reason #7 – This is only a test…

 

A company will occasionally force itself offline – whether by accident or when intentionally resilience-testing their systems.

 

DDoS-Defend Your Business

 

In the post-open-sourcing of Mirai, heavyweight DDoS has become more widely available than ever before. And people continue to have various reasons to want to crash websites.

 

In this increasingly volatile climate, are you DDoS-defended? At KnownHost, we offer complimentary DDOS protection on all VPS and SSD VPS product lines. See how you’re protected.

Read More

Why Using an Independent Hosting Company Beats Out Free Publishing Services

It’s no secret that those “have a website instantly” services sound attractive. It seems like a great deal, right? Little to no coding experience necessary, a low monthly fee for everything (the site, domain, ecome-commercetall, etc.), and some kind of content management system you don’t need to install yourself. What’s not to love?

 

And then there are those free publishing content platforms that many professionals use to share their thoughts. You’re probably familiar with many of them: Medium, LinkedIn, Tumblr, and other blogging platforms. What all of these services have in common is they promise a web presence that 1. costs nothing or close to it and 2. allows you to have your content out there on the internet with little to no technical knowledge.

 

For some people, this setup is just fine. Someone with a personal blog that just wants to share their thoughts doesn’t need too complicated of a web presence. But if you’re a professional, especially a creative or someone involved in ecommerce, these free publishing platforms may not be the best solution for you.

 

If your web presence is your primary source of income, then building a website and hosting it on a managed VPS with an independent hosting company is the way to go. Does it require a little bit more work and (sometimes) cost a bit more? It can. But the benefits of “owning” your site far outweigh the cons. Let’s take a look at why free publishing platforms may not be all that they’re cracked up to be for professionals who make their money from their web business.

 

Who is Actually the Audience?

 

Let’s take a look at the more blogging based platforms (Medium, etc.) that act as content delivery services. You provide the content, Medium provides the platform and eats the costs. You pay nothing to get your voice heard. On the surface, this sounds like a great deal, but hold on. Now, to be fair, there’s nothing wrong with occasionally posting something on Medium or the like if you’re looking for specific kinds of social engagement. After all, social media is a big revenue builder. Social platforms like Tumblr and Medium have built in audiences that you may benefit from on occasion. But to go all in on them? Not so fast.

 

You’re technically working for the company you post for. That means it’s not your audience, specifically, but rather the platform’s audience. They reap all the benefits of those views which forces you to try and make the extra step of conversion through some other method. That also means you can’t make alterations to the site to better optimize it. You can’t do anything, really, outside of their terms and conditions. If your content is the source of your income, this will quickly lead to a dead end. Unless there are benefits to giving things away for free on these platforms within a larger plan, you want to stick to maintaining your own self-hosted site.

 

Data Collection and Analytics

 

This is a subset of the issues one faces in relation to audience and control when using a free site builder/host or publisher. We’ve already touched on the concept of your audience actually belonging to your platform and not to you. To take this idea further, consider how valuable insight into your audience is for your business.

 

When you’re using a site builder or content platform, you’re basically put into a dark room with a flashlight. You can see some things, but very little. It’s not very practical. You may get basic analytics (if any), but they won’t tell you much beyond how many people clicked on your post. If you’re looking to actually run a business, this is nowhere near enough information to act upon.

 

It’s no secret that having access to all the data you would want and acting on those analytics is essential to a successful web-based business. With a site you built yourself and on an independent host, you can install any kind of analytics software you want. When you have complete independence from your publishing platform, you’ll have access to actionable information like knowing where the majority of your traffic comes from, what social networks they use, the kind of content they read, and how long they’re spending on certain points of the site. From here, you can drill down and see what the conversion path looks like and its success rate.

 

You’ll also have more opportunity for audience engagement. Manage whatever comment or feedback system you would like. Install contact forms via plugin (if you’re using WordPress) or code them in. The ability to customize a site you host yourself gives you many more options. Throw in the capabilities of a VPS and you’ll see that speed and performance won’t be things your visitors complain about. Which brings us to the next point.

 

Performance

 

The performance of a site is a big deal when it comes to conversions. We’re not just talking the importance of fast load times, either. Granted, the big players don’t often go offline. But, in the event that Squarespace of WordPress.com suffers some sort of error or attack, you are powerless. There’s a customer service number, sure, but in an operation that large, there needs to be a global fix. Who knows how long it would take for your content to come back online. These big service providers also make attractive targets for things like DDOS attacks, which will make your site an indirect target.

 

These platforms can also go out of business. Medium recently cut a third of its workforce. What happens if they go out of business? What happens to all of your content? Suddenly, everything you contributed to a platform doesn’t have any value. If it lived on your own site with a hosting company you know isn’t going anywhere, you could be rest assured your content would be safe.

 

Monetization

 

If you sell products directly, it’s clear what your income source is. But maybe your revenue stream isn’t so obvious. Maybe you don’t actually sell physical products and instead rely on ad revenue or affiliate links. This is where the specific platform you use can hurt your bottom line. Some platforms don’t allow you to place ads at all, so that revenue stream goes away completely. Others allow some advertising, like Google AdSense, but limit you via their terms and conditions. There is also no guarantee the ads will display properly depending on how the platform codes its templates.

 

There is also the good chance that, eventually, the platform you publish on will want to monetize for themselves. If your visitors are suddenly blocked by paywalls, advertising that benefits the publisher (but not you), or subscriptions that lower the visitor count, this is a bad deal for you. If you are looking to monetize your site, your only real viable option is one where you control where it’s hosted.

 

Conclusion

 

By now the benefits of hosting your own site on a managed VPS are pretty clear. Why sacrifice profits and independence for a little bit more convenience? If you’ve been running your business from a variety of free publishing platforms or shared hosting services, it’s time to stop letting someone else profit from your work. Contact the team at KnownHost today and we’ll help you come up with the hosting solution that will give you back control over your web presence.

Read More

Why Should Web Designers Beware of the Shared Hosting FAIL?

  • Hacking: The FAIL video of web design
  • Shared hosting: The McDonald’s of infrastructure
  • Shared hosting: Clients crashing in your dorm room
  • “Oh no, we’re gonna get sued!”
  • VPS: Your insurance against a hosting FAIL
  • VPS for better web design hosting

 

Hacking: The FAIL video of web design

 

As humans, we seem to be a little mesmerized by both success and failure. The winning team helps us remember to dream big, while the losing team reminds us what not to do so we don’t arrive at a similar fate. We aren’t always learning lessons from the losing party, though. We are sometimes exploiting them and laughing at their expense. In a FAIL video, somebody always get hurt.

 

Major hacking incidents get a lot of attention in the press, probably for the same two reasons. We want to correct ourselves and learn from the experiences of others – the highly constructive aspect of such coverage. On the other hand, we are also a bit entertained by the idea that some poor schmucks (i.e., the security team at XYZ company) are getting skewered on the nightly news.

 

It’s all, really, a matter of perspective. Here’s where no one enjoys a FAIL video: when they’re in it. Similarly, no one is amused by watching themselves get, effectively, eviscerated in every newspaper in the country.

 

When you take that major hacking incident trending on Twitter and bring it down to earth in the context of web design, you don’t want your clients to think you failed them with poor security. In other words, It’s not fun to be in a FAIL video, and likewise, it’s not fun to see your web design company hit with hacking.

 

Shared hosting: The McDonald’s of infrastructure

 

It is common for web designers to start out on shared web hosting, for a few reasons:

 

  • It’s the cheapest form of hosting (bring your coupons, Belinda)
  • It’s widely available
  • It’s the most heavily promoted.

 

In other words, shared hosting is McDonald’s. And we all know McDonald’s has fine cuisine that will protect the health of your body; it’s not just the product that a multinational corporation would most like to sell to you. (That might be sarcasm.)

 

The point is, with hosting, it’s important to remember that the standard option is not usually the one that is the safest or highest quality. Just like McDonald’s should not be trusted with your physical health – or your wedding proposal dinner – shared hosting should not be trusted with your web design business.

 

Shared hosting: Clients crashing in your dorm room

 

Not everyone makes fun of shared hosting the same way we do. Take the perspective of “Hack Repair Guy” Jim Walker: “Analogy wise, a shared web hosting plan is akin to an open bay college dorm room,” he said, “or an office building where all of the internal office doors share the same key.”

 

Very few web designers would advertise to their clients, Your business can crash in the dorm room that is my infrastructure, but that could be an apt way of describing web design based on shared hosting. Most web designers aren’t doofuses, of course. They understand that they are prioritizing convenience and affordability to the safety of their client’s data. Why? If someone enters your dorm room to steal your roommate’s belongings, they will thereby have access to your things as well.

 

Shared hosting is not just a professional option.

 

“Oh no, we’re gonna get sued!”

 

Back in the 1990s, David Letterman had a bit on CBS’s The Late Show With David Letterman called, “Oh No! We’re Gonna Get Sued.” It was usually a pretty funny part of the show. Not so much when you actually do get sued.

 

Since no web designer wants a lawsuit, it is worth considering possible legal ramifications of using shared hosting. Let’s say you have thirty clients on shared hosting. One of them wants to upload something to the server. The question then is, do you give that client FTP access? If you do, then they are able to access all the databases and other files of the rest of your clientele.

 

Does that sound far-fetched? Well, unfortunately, it’s not. Maybe someone who gets FTP access has some hacking skills. Or, perhaps you just have a plugin on any of the sites that has a security hole. With a security hole present, the hacker’s job is straightforward.

 

Walker explained the hacker’s perspective: “[A]ll I have to do is use that to install a back door script, like FilesMan,” he said, “and I’ll have total access to everything within your account, from files, to images, as well as read and write access to all of your clients databases (and all of your client’s email if email is stored within the same account).”

 

What is the reputation of your web design firm? Are you known for operating ethically? If you use shared hosting, and your clients trust your IT expertise, isn’t it then your responsibility to inform them that a hack of one of your other clients would, in turn, compromise their site?

 

Walker points out that it would take under 3 minutes for a malicious intruder to delete all of your clients’ content and other data. Don’t give them the chance.

 

VPS: Your insurance against a hosting FAIL

 

Yes, shared hosting is affordable. We know that part. As established above, it is also clearly problematic.

 

Beyond hacking, there are other reasons why people choose virtual private server (VPS) hosting over the shared variety (from Ajeet Khurana of The Balance):

 

  • Isolation from other users

 

The strict delineation between the different users of a VPS is a benefit beyond security. While a shared hosting “roommate” might crash the server and take down your site, the owner of another VPS that’s on your server wouldn’t be able to do that.

 

  • Speed guarantee

 

You will continue to experience high performance on your site – i.e., fast and reliable loading – no matter what other VPS users do.

 

“If you have two CPU’s allocated to you, then you will always have those two CPU’s available to your operations,” said Khurana. “The amount of RAM you have paid for in a VPS setting will always be available to your operations, regardless of what else is happening on the physical machine.”

 

The speed of shared hosting, meanwhile, is variable because resources are fundamentally being offered “as available” rather than guaranteed within that context.

 

  • Stability guarantee

 

We all know that reliability is a cornerstone of business credibility. Is your web design business reliable? Shared hosting is known for being unstable. For this consideration, VPS is again an upgrade.

 

  • Space guarantee

 

Disk space “without limitation” is not a real thing. A shared host that says space is unlimited will write a “fair use” clause into their contract that states the resources must be equally available to all users. That means they’ll set down a couple party pizzas and give you the “fair use” to grab your meal.

 

VPS means you don’t have to grab up the pizza before someone else gets it. “You have an agreed upon disk space that is paid for monthly and is reserved exclusively for you,” said Khurana. “It sits there, either used or unused, but paid for and allocated to you.”

 

VPS for better web design hosting

 

Are you looking for a strong infrastructural choice to fuel the growth of your web design business? At KnownHost, we offer fully managed VPS hosting with incredible support. Get started now.

Read More

Why You Should Host Your Business Email on a VPS

In an age where everything can feel like it’s moving at the speed of light, it’s almost funny how we’ve never quite gotten past the need for email. What other technology has remained relatively unchanged but critical to business and communication over the course of twenty-plus years? While industry leaders and opinion columnists have been publishing pieces pondering “the death of email” for years now, it doesn’t look like it’s going any where any time soon. That means your email solution is still something you need to take seriously when establishing your online business.

 

You might be wondering what, exactly, you need to decide on when setting up your email account(s). After all, you’ve had a personal email forever and signing up for a free one is one of the simpler things a person has to do. The only real question is do you use Yahoo, Gmail, or another of the popular heavy hitters? Well, maybe not so fast. Have you considered hosting your own email on a VPS?

 

Why Would I Want to Self Host?

 

That’s the million dollar question, isn’t it? Why give up the convenience of having some big company manage your emails with all the bells and whistles to host your own email on a VPS you’re paying for every month? It turns out there are quite a few reasons why you would want to do this. The first one is you could use the same VPS that you’re using to host your site. This is a matter of preference. Some find it convenient, others thing you should keep your mail and domain separate. If you have the know how and a penchant for privacy, you may want to keep your email on a VPS (either its own or with your domain). Here are some of the reasons why.

 

Privacy

 

This is probably the biggest reason why you’d either want to install your own mail environment or use the one provided to you by your host on your VPS. Whether or not you consider yourself something of a “control freak,” there are real benefits to hosting your own email when it comes to privacy. For one thing, you don’t know the extent to which your “free” email host is using your information to generate ad revenue or however else it is that they make money. Take for example Google and their tendency to have a changing privacy policy over time. Circumventing software privacy settings to gather user data can certainly feel crummy as a user. Now imagine what kind of data collection happens via Gmail.

 

An email account set up through your hosting company isn’t subject to these kinds of privacy intrusions. By all means, check with your host to see if they ever use your email for analytics purposes, but chances are they don’t.

 

There is another reason you may want to keep your email with a hosting company that’s closely related to privacy and has been in the news quite a bit over the past several years.

 

Security

 

If you’ve used Yahoo as your email provider for any length of time over the past decade or so, you’re probably all too aware of their massive security breach in 2012 that we’re still discovering more about four years removed. Not to mention it appears they haven’t really gotten things together. Do you want your business emails exposed to these kinds of massive attacks?

 

The question is what is at the root of these security issues? Is a VPS objectively safer? That’s hard to say. Anyone with enough skill can break into a server and it’s not like a big company like Yahoo is lacking in security personnel or budget. The answer comes down to who makes a more attractive target. A company like Yahoo is much more of a worthwhile target because of the size of the company, its worth, and the amount of users that can be compromised. Millions of customers having their information exposed to the highest bidder is a major crime with a lot of value for someone willing to commit it. Someone getting into your email account on your hosting company’s VPS? Not so much.

 

Your hosting company also has their own security protocols that while maybe not on the same scale as a major company like Yahoo, does the job through constant observation. After all, they have many websites being hosted on their hardware that they are responsible for.

 

Functionality

 

The “bells and whistles” offered by many of the big email providers were mentioned earlier when the question was posed as to why you’d want to give these things up for an email account provided by your hosting company. Features are nice. The more the better, right? It depends, really. When you use a big name for your email management, you’re at the mercy of their update cycle. Web-based services tend to be on more frequent and dramatic update cycles compared to their smaller counterparts. This means features you’ve come to rely on can be removed without much notice. Also, features can be added in that you’re not a fan of. Factor in the possibility of needing to retrain your staff on email functionality (if that’s the scenario you work in) for best practices and you can see how frustrating this can be. Your email set-up on your VPS likely won’t change much, if at all, depending on the configuration. If you’ve installed your own mail environment, nothing much changes without your say so. If you’re using the email services provided by your host, functionality probably won’t change with any regularity. 

 

Downtime

 

Here’s where we get into a few “what if?” scenarios. Downtime can be a huge burden when it actually hits. KnownHost provides industry leading uptime of 99.996%. Do the big companies go offline? No, not often. But when they do it’s a huge disruption. Whether it’s a malicious attack or some sort of malfunction, being at the mercy of a major provider going through prolonged downtime can be crippling for your business. With a hosting company, you know a local team is working quickly to resolve any issues. You can also actually get in touch with a human being fairly quickly thanks to the 24/7 support you won’t find with a giant like Google.

 

There are also always outside chances of the big companies dropping certain services. One never knows when a company may deem its email functionality is no longer profitable or there is litigation that causes the email service to be shut down. Companies like Google and Yahoo, again, are prime targets for  things like DDOS attacks to make political statements or cause financial disarray.

 

Conclusion

 

At KnownHost, we know our customers want reliable performance, speed, and access to our support team whenever they need it. Whether you’re looking to host a personal site and accompanying email or a whole ecommerce organization with a fleet of email addresses, we can help. Our VPS packages are designed for every kind of use case. And if you need even more? There’s always a dedicated server option. If you’re looking to get sites or email accounts established, contact our team today and we’ll answer any questions that you may have.

Read More