Getting Hit with a DDoS Attack

How to Know if You Are Getting Hit with a DDoS Attack

  • Unveiling of the People behind Mirai
  • Army of Thermostats and Routers Attacks
  • How Do You Know if You Are Getting Hit by a DDoS?
  • 5 Steps to Defend Yourself from DDoS
  • Now More than Ever

 

Many people know Dyn as the domain name system (DNS) infrastructure provider that was taken off the Internet by a record-breaking distributed denial of service (DDoS) attack. Interestingly enough, there is a prominent piece on surviving DDoS attacks that was written by Dyn director of operations and client services David Grange back in 2014. The attack on Dyn succeeded, but it was also the largest DDoS of all time, so Grange’s comments remain valid and are broad enough to still be highly relevant.

 

In exploring the thoughts provided by Grange, we will be answering the questions, “How do you know if you are getting hit by a DDoS?” and “How do you defend yourself from DDoS?” But first, let’s look at the pivotal malware that made DDoS such a particularly important aspect of cybercrime in 2017: Mirai.

 

Unveiling of the People behind Mirai

 

The problem with attacking an investigative security journalist with your malware is obvious: you just might get their attention. That’s definitely what happened when a DDoS malware developer went after former Washington Post IT security reporter Brian Krebs.

 

Krebs got hit by a DDoS attack in September – a massive one. In November 2016, a huge section of the Internet went down because of an attack using the same botnet. Krebs used his training as a reporter and investigated, and he has confidently fingered the culprit. Krebs cited various sources to make a reasonably solid case that the individual behind Mirai is Rutgers student Paras Jha – also, somewhat incredibly, the owner of Protraf Solutions, a DDoS prevention service.

 

Approximately a week following the DDoS attack of Krebs’ site, a malware author (Jha, in Krebs’ opinion) released the source code for their incredibly powerful zombie botnet of IoT devices, Mirai.

 

The open sourcing led to additional attacks, explained David Lumb of Engadget on January 19. “But it also gave Krebs the first clue in their long road to uncover Anna Senpai’s real-life identity – an investigation so exhaustive… Krebs made a glossary of cross-referenced names and terms along with an incomplete relational map.”

 

Army of Thermostats and Routers Attacks

 

The unveiling of the guy who is supposedly behind this operation is somewhat of a distraction from the general trend of DDoS, which continues to rise. What’s particularly notable about this attack from a threat perspective is its vast scope. The attack started on the evening of September 20, at about 8 p.m. ET. It measured 620 Gigabits per second. What was actually troubling about the attack wasn’t just that incredible scale but that it appeared to come from a massive army of hacked devices.

 

To understand this attack on Krebs and Mirai itself, it helps to look back at a previous major DDoS attack against a European media company that hit 363 Gbps. That attack was believed to have been produced by a botnet, but one that used various methods to amplify a small attack into something of far greater scale. The DDoS tactic of amplification is a type of reflection – in which the perpetrator sends requests with a spoofed source IP address (that of the target) to third-party servers, so that the flood of responses lands on the target. In the case of the Krebs DDoS, it wasn’t amplification or reflection.

 

On the contrary, “many were garbage Web attack methods that require a legitimate connection between the attacking host and the target, including SYN, GET and POST floods,” explained Brian Krebs. There was one that did not fit that bill, though: traffic that was imitating generic routing encapsulation (GRE) packets – a tunneling protocol used to set up a direct, point-to-point virtual link between two network nodes, so that peers can share data as though they were connected privately rather than over a public network.

 

An attacker can easily spoof DNS traffic, but that is not the case with GRE traffic, or with the garbage methods described by Krebs. Basically, the high amount of traffic of these types seen in early analysis of the DDoS pointed to the fact that a large number of hacked systems were used – hundreds of thousands of them. It’s now recognized that the collection of systems that was used was actually the Mirai botnet.

 

Following the attack on Krebs and the open-sourcing of Mirai’s code, another major assault occurred – this one of a DNS provider, Dyn. The Dyn DDoS, which occurred in October, was – similarly to the Krebs attack – the work of more than 100,000 devices. These are Internet of Things devices such as webcams, thermostats, and routers, but they can pack a punch in numbers, as is clear in the 1.2 terabits per second (Tbps) of power they delivered to Dyn.

 

How Do You Know if You Are Getting Hit by a DDoS?

 

What does this story have to do with you? DDoS is becoming increasingly commonplace, so – unfortunately – many companies are having to ask themselves the question, “Am I getting hit by a DDoS?” or “What would I do if I were hit by a DDoS?”

 

The confusing thing about identifying a DDoS is that it isn’t easy to tell if the spike in traffic is legitimate users or an actual distributed denial of service effort, noted Dyn’s Grange. “The key to telling the difference lies in the length of time the service is down – if slow or denied service continues for days rather than a spike during a campaign it is time to start to look into what’s going on.”

 

Another way to tell something malicious is occurring is when you see that a source continues to query a certain set of data long after the time to live (TTL) has elapsed. (TTL is the lifetime attached to a piece of data: in DNS, the number of seconds a resolver may keep a record in its cache before it must ask again; for IP packets, the hop limit after which a router discards the packet.)

 

5 Steps to Defend Yourself from DDoS

 

What are some proactive steps you can take to protect yourself from Mirai and other DDoS attacks? Here is Grange’s advice:

 

#1 – Focus on awareness. Track your network’s normal activity carefully so that you recognize when anything is amiss and a DDoS might be occurring.

 

#2 – Improve your capacity. Be certain your capacity is high enough to carry the load, and optimize for performance during spikes. Architect with mitigation in mind.

 

#3 – Run drills. Go through drills with your staff so everyone is ready if you do experience a DDoS.

 

#4 – Use an outside provider. Many companies reasonably decide that they do not want to deal with the DDoS challenge internally, so they partner with third parties.

 

#5 – Err on the side of preparation. “[F]igure out the impact it would have on your company financially if it were to happen,” said Grange. “[T]he cost associated with being attacked is usually much higher than the cost to take safeguards.”
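As an added example (not from the article, from Dyn or from Grange), the two warning signs described above, a traffic spike against a known baseline (step #1) and a source that keeps re-querying the same records far more often than their TTL allows, checked against a constructed DNS query log with plain sh and awk. The log line format, the record TTLs, the baseline and the thresholds are assumptions made for the example:

```shell
#!/bin/sh
# Added example: two DDoS warning signs checked against a DNS query log.
# Assumed log line format: "<ISO timestamp> <client IP> <queried name>".

# Constructed sample log (not real traffic): one resolver that re-asks for
# www.example.com once per 300 s TTL, one resolver that respects a 60 s TTL,
# and one source that asks for the same name every second for 20 s.
sample_log() {
  cat <<'EOF'
2016-10-21T11:00:00 198.51.100.7 www.example.com
2016-10-21T11:00:30 198.51.100.8 api.example.com
2016-10-21T11:01:30 198.51.100.8 api.example.com
2016-10-21T11:05:00 198.51.100.7 www.example.com
2016-10-21T11:10:00 198.51.100.7 www.example.com
EOF
  i=0
  while [ "$i" -lt 20 ]; do
    printf '2016-10-21T11:02:%02d 203.0.113.99 www.example.com\n' "$i"
    i=$((i + 1))
  done
}

# ttl_ignoring_sources "name:ttl name:ttl ..." SLACK  < log
# A client that honours caching asks for a name about once per TTL, so over the
# span of its queries it should send at most about span/ttl + 1 of them.  Print
# "<ip> <name> <count>" for every (ip, name) pair that exceeds SLACK times that.
ttl_ignoring_sources() {
  awk -v ttl_list="$1" -v slack="${2:-3}" -v default_ttl=300 '
    BEGIN {
      n = split(ttl_list, items, " ")
      for (i = 1; i <= n; i++) { split(items[i], kv, ":"); TTL[kv[1]] = kv[2] }
    }
    {
      split($1, d, "T"); split(d[2], t, ":")
      sec = t[1] * 3600 + t[2] * 60 + t[3]   # seconds since midnight (same-day log assumed)
      key = $2 " " $3
      count[key]++
      if (!(key in first) || sec < first[key]) first[key] = sec
      if (!(key in last)  || sec > last[key])  last[key]  = sec
    }
    END {
      for (key in count) {
        split(key, p, " ")
        ttl = (p[2] in TTL) ? TTL[p[2]] : default_ttl
        allowed = int((last[key] - first[key]) / ttl) + 2
        if (count[key] > allowed * slack) print key, count[key]
      }
    }' | sort
}

# traffic_spikes BASELINE_QPM FACTOR < log
# Bucket queries per minute and print "<minute> <count>" for every minute whose
# volume is more than FACTOR times the baseline queries per minute.
traffic_spikes() {
  awk -v base="$1" -v factor="${2:-5}" '
    { per_min[substr($1, 1, 16)]++ }
    END { for (m in per_min) if (per_min[m] > base * factor) print m, per_min[m] }' | sort
}

# Stand-alone demo over the constructed log.
echo "sources querying far more often than the TTL allows:"
sample_log | ttl_ignoring_sources "www.example.com:300 api.example.com:60" 3
echo "minutes above 5x a 2 qpm baseline:"
sample_log | traffic_spikes 2 5
```

On a real server you would pipe the resolver's query log into the two functions and take the baseline from a quiet period of your own traffic rather than the constant used here; the point of the TTL check is that a single source hammering the same name every second is not a resolver doing normal caching, whatever the total volume looks like.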

 

Now More than Ever

 

Clearly, following the rise of Mirai and these high-profile mega-attacks, it is more important than ever to make sure you have defenses in place so that DDoS can’t sideline your operations. At KnownHost, we offer free DDoS protection with all of our VPS hosting packages. Compare plans.


Basic Security Features of Your New Site You Need to Know

Security on the web has been a huge topic of conversation for the past several months, if not years, though our last election cycle has seemed to really spotlight it for the general population. More people than ever have been exposed to a conversation that business owners and IT professionals have been engaged in for years: how best to protect sensitive data from malicious attackers. The security of your customers and visitors is also of the highest importance. So, what do you need to know to get your new site up to speed as far as standard security protocols?

 

There are a few settings and features to be aware of as you explore the backend environment of your new VPS in an effort to bolster your security. This is a good point to throw in some caveats when we talk about the security of any website. There are no guarantees. Hacking attempts continually get more sophisticated and things can happen despite one’s due diligence. What the following is meant to do is to inform you of some best practices that will help keep your site more secure, but it is in no way a definitive guarantee that nothing will happen to your site if you do “X” things. Taking preventative steps is better than taking no action, of course, so use this information to your advantage.

 

Once you’ve logged into the hosting environment of your VPS, here are some things to keep an eye out for.

 

CSF/LFD

 

The good news about a lot of the terms and acronyms that are going to be coming your way is that they refer to things that are (or should be) already installed on your server. If they’re not, you can contact customer service to get it remedied. So, you won’t have to worry too much about making sure all of these things are in place yourself. Let’s start with CSF and LFD.

 

ConfigServer Security & Firewall (CSF) with Login Failure Daemon (LFD) is a security application that can be accessed through cPanel, which will already be established for you when you log in. CSF/LFD does a few things. It is a Stateful Packet Inspection (SPI) firewall and a login and intrusion detector. CSF/LFD sends notifications when something potentially important is happening. That’s to say, getting an alert doesn’t mean you’re in the midst of an attack. But, something worth your attention is occurring.

 

LFD has a variety of useful features built into it that we’ll touch on briefly here. You can read more about these features and examples of the kinds of notifications you’ll receive at our wiki.

 

LFD will automatically perform IP blocks based on reasons that can be configured by the user. By default, you receive notifications each time an IP is blocked. Whether or not you want to disable this is up to you. Depending on your traffic and your filters, you might be getting alerted to things constantly, which would be a distraction. Make sure you’re confident in your configurations before doing this.

 

LFD “keeps an eye out” for things like too many failed login attempts within a short period of time, too many connection attempts being made from a single IP address, certain email issues as they pertain to volume, and successful login attempts through a variety of methods including cPanel or SSH.
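As an added example (not KnownHost’s or ConfigServer’s own tooling), a small sh script that reads the csf.conf settings behind the LFD behaviours just described and flags the two situations the text calls out: being emailed for every block, and connection flooding from a single IP going unwatched. The key names are real csf.conf settings; the configuration excerpt the script writes is a constructed sample, not a real server’s file:

```shell
#!/bin/sh
# Added example: audit the csf.conf settings behind the LFD behaviours described
# in the article.  Not KnownHost's or ConfigServer's own tooling; the key names
# are real csf.conf settings, the sample file below is a constructed excerpt.

# Print the value of KEY from a csf.conf-style file (KEY = "value").
csf_get() {  # usage: csf_get FILE KEY
  sed -n "s/^$2[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# Constructed excerpt of /etc/csf/csf.conf, written to $1 for the demo.
write_sample_conf() {
  cat > "$1" <<'EOF'
# constructed csf.conf excerpt (example only)
LF_SSHD = "5"
LF_SSHD_PERM = "1"
LF_CPANEL = "5"
LF_EMAIL_ALERT = "1"
LT_EMAIL_ALERT = "1"
CT_LIMIT = "0"
CT_EMAIL_ALERT = "1"
RT_RELAY_LIMIT = "100"
EOF
}

# Summarise the settings the article mentions, one "name=value" per line.
lfd_summary() {  # usage: lfd_summary FILE
  printf 'ssh_failures_before_block=%s\n'    "$(csf_get "$1" LF_SSHD)"
  printf 'cpanel_failures_before_block=%s\n' "$(csf_get "$1" LF_CPANEL)"
  printf 'email_on_every_block=%s\n'         "$(csf_get "$1" LF_EMAIL_ALERT)"
  printf 'email_on_successful_login=%s\n'    "$(csf_get "$1" LT_EMAIL_ALERT)"
  printf 'connections_per_ip_limit=%s\n'     "$(csf_get "$1" CT_LIMIT)"
  printf 'relay_mails_per_hour_limit=%s\n'   "$(csf_get "$1" RT_RELAY_LIMIT)"
}

# Warn about alert fatigue from per-block emails and about connection tracking
# being off (CT_LIMIT = 0).  Prints one warning per line; nothing if none apply.
lfd_warnings() {  # usage: lfd_warnings FILE
  [ "$(csf_get "$1" LF_EMAIL_ALERT)" = "1" ] &&
    echo "LF_EMAIL_ALERT=1: you will be emailed for every IP block; tune the LF_* thresholds before turning this off"
  [ "$(csf_get "$1" CT_LIMIT)" = "0" ] &&
    echo "CT_LIMIT=0: connection tracking is disabled, so one IP opening many connections will not be blocked"
  return 0
}

# Stand-alone demo over the constructed excerpt.
conf=$(mktemp)
write_sample_conf "$conf"
lfd_summary "$conf"
lfd_warnings "$conf"
rm -f "$conf"
```

Point `lfd_summary` and `lfd_warnings` at `/etc/csf/csf.conf` on a real server; after any change to the thresholds, CSF has to be restarted for LFD to pick them up, which on a managed server is exactly the point at which to get support to review the change.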

 

SSL

 

Secure Sockets Layer (SSL) is maybe a bit more familiar to people because of its general acceptance as a must-have for many sites, especially e-commerce sites where you’re handling sensitive customer information.

 

To explain the technology in brief, having an SSL certificate is important because it signifies you’ve put certain protections in place to ensure the safety of your customers’ information. SSL encrypts the path between the server and the client (the protocol doing the encrypting today is SSL’s successor, TLS, but the certificates are still called SSL certificates). When customers type in their credit card information to make a purchase on your site, for example, that information is transmitted securely thanks to encryption, rather than in the plain text it would be sent as without SSL. Because one method of stealing information is intercepting it as it is transmitted, SSL is more or less a must-have these days.

 

You’ll have to install your SSL through cPanel. To do this, you’ll need to generate a Certificate Signing Request (CSR) in cPanel, which you can do by following our guide. The signing authority you purchase your SSL from will need that CSR to complete your certificate. You can then install the signed SSL certificate through cPanel. You can typically tell if a site has an SSL right from the address bar in your browser. There may be a lock next to the URL to indicate security, or you can look for https:// to precede the site’s address. The key detail there is the S, as the unsecured http:// indicates no SSL. If you’re unsure that your SSL has been installed, there are sites online where you can type in your domain name and it’ll tell you.
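As an added example (not KnownHost’s guide, which does this through cPanel), the same three steps done from a shell with openssl: generate the private key and CSR, confirm the CSR names the right site before sending it to the signing authority, and, once the certificate is installed, fetch what the live server actually presents. The domain and output directory are placeholders:

```shell
#!/bin/sh
# Added example: command-line equivalent of the cPanel CSR steps, using openssl.
# Not KnownHost's guide; www.example.com and the output directory are placeholders.

# Generate a private key and a CSR for DOMAIN into OUTDIR.  The .key never
# leaves the server; only the .csr is sent to the certificate authority.
make_csr() {  # usage: make_csr DOMAIN OUTDIR
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$2/$1.key" -out "$2/$1.csr" \
    -subj "/CN=$1" >/dev/null 2>&1 &&
  chmod 600 "$2/$1.key"
}

# Print the Common Name embedded in a CSR, to confirm it matches the site
# before handing it to the CA.  Handles both "CN = x" and "/CN=x" subject styles.
csr_cn() {  # usage: csr_cn FILE.csr
  openssl req -in "$1" -noout -subject | sed 's/.*CN *= *//'
}

# After installation: fetch the certificate the live server presents for DOMAIN
# and show its subject and validity window.  Needs network access; this is the
# local equivalent of the online "is my SSL installed?" checkers.
check_installed_cert() {  # usage: check_installed_cert DOMAIN
  printf '' | openssl s_client -connect "$1:443" -servername "$1" 2>/dev/null |
    openssl x509 -noout -subject -dates
}

# Stand-alone demo: key + CSR for the placeholder domain in a temporary directory.
dir=$(mktemp -d)
make_csr www.example.com "$dir" && echo "CSR for: $(csr_cn "$dir/www.example.com.csr")"
rm -rf "$dir"
```

A CSR for a purchased certificate normally carries more than the CN (country, organisation and the extra host names you want covered), so extend the `-subj` string, or drop it and answer openssl’s prompts, before generating the real one; the point of `csr_cn` is simply that a typo in the name is far cheaper to catch before the CA signs it than after.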

 

User Decisions

 

Moving along from server issues to issues that are more user based, it’s important to be smart with your content management system (if you’re using one) as well. Popular CMSes like WordPress often find themselves targets of malicious actors because of how widely used they are. It’s important to do your due diligence and ensure that you are regularly updating your CMS’ core software as updates are released. The nature of open source software is such that updates come out frequently because the user base is always inspecting the code. Vulnerabilities can also come from that same public knowledge of the code. It’s important to be on top of those updates because they almost always include security and bug fixes. This need for vigilant updates also applies to plugins, extensions, and whatever other additional modules that your CMS allows you to install to expand functionality.

 

Additionally, if you have multiple users with access to your site, be sure to restrict each one’s access to the bare minimum they need to perform their job. The fewer people that have full administrator access, the better. Passwords should also be complex, a random assortment of more than ten characters, and not a duplicate of any other password you use for any other service. Password breaches are still one of the most common methods of unauthorized entry to a site. Most of the time it’s because the user was either phished or the password was something relatively easy to guess.

 

Finally, backups are critical. Your host may perform backups for you, but you should still manually save things yourself on a local drive whenever possible just to be doubly sure you always have your information in the event of something going wrong. As a best practice, one backup of something is never enough.

 

Conclusion

 

At KnownHost, we value customer satisfaction. That’s why we want to set you up for success. Whether you need faster hosting solutions than you’re already using, you have questions about security, or you’re looking to establish a web hosting reseller business, we’re available to help. Contact our team today and we’ll get you set up with the hosting that you need.


What Are the Most Common Reasons Hackers Will DDoS Sites?

Brian Krebs. OVH. Dyn. And the open-sourcing of the code of the botnet that attacked them. Are you DDoS-defending your business? If not, now is the time.

 

  • A supercharged botnet
  • 7 reasons DDoS is popular among hackers
  • Action to DDoS-defend your business

 

A supercharged botnet

 

The Mirai botnet has been busy lately. In September, it was used for a couple of massive attacks, one against US-based security journalist Brian Krebs, the other against French web host OVH. In October, the network of IoT devices that make up its bot army (some 380,000, according to its purported author) was used to DDoS Dyn and temporarily cripple a large chunk of the internet in the United States.

 

But, unfortunately, it gets worse… much worse. Security thought-leaders are sounding the alarm bell after a hacker publicly released the source code for Mirai. After all, the scope of the DDoS attacks from Mirai is highly disturbing. The one that hit Krebs measured 620 gigabits per second. The one that hit OVH measured 1.1 terabits per second. If you are having trouble grasping that sheer attack volume, it’s understandable: Mirai delivers almost unimaginable information-overload by our current standards.

 

Mirai is getting the press, but Bashlight is the original, explained Dan Goodin of Ars Technica. “Until now, the botnets created with the newer and technically more sophisticated Mirai have been greatly outnumbered by those based on its rival Bashlight,” he said, “with about 233,000 infected devices versus 963,000 respectively.”

 

The release of Mirai’s code – via the user Anna-senpai on Hack Forums (a site that has since been accused of running a DDoS-for-hire service) – is troubling to security pros because easy access means proliferation of gigantic DDoS assaults.

 

The post on Hack Forums included links to the Mirai source code and noted that it was time to “GTFO” (direct quote) of IoT DDoS due to increased attention. (Source: Security Affairs)

 

Goodin noted that there has been an increased focus among those who use botnets to target CCTV cameras, routers, thermostats, webcams, and other vulnerable IoT devices. Once formed, the army of slaves is used to extract ransom from victims (in exchange for halting a DDoS).

 

“Both Mirai and Bashlight exploit the same IoT vulnerabilities,” said Goodin, “mostly… weakness involving the telnet remote connection protocol in devices running a form of embedded Linux known as BusyBox.”

 

One reason Mirai has become more prominent, though, is that it encrypts communications it sends to central command (i.e., the master). Also, some believe that the conversion of some 80,000 of the 963K Bashlight devices to Mirai suggests that the newer malware may be overtaking and then patching devices so that other botnets can’t reclaim them.

 

Although the open sourcing of the code is especially troubling, the attack on Dyn should also not be overlooked when we consider the power that is currently in the hands of botnet operators. Mirai successfully sabotaged the DNS provider Dyn and brought its response time to a crawl (or at least a large portion of the attack came from Mirai slaves). According to Michael Kan of Computerworld, many in the security community think that the Dyn DDoS (2 attacks of 130 minutes and 70 minutes, separated by a 2 ½ hour break) was more of a warning shot than an actual siege: it leveraged just 100,000 devices of the half-million or so devices then available.

 

7 reasons DDoS is popular among hackers

 

Why are these attacks becoming such a common form of malicious intrusion?

 

Reason #1 – Easy as 1, 2, 100 thousand

 

One reason DDoS is a go-to for hackers is that it’s simple, and it works. The Dyn attack sidelined household-name web giants such as Spotify, Netflix, Airbnb, and Twitter, all of which use Dyn to connect their site to users.

 

“It doesn’t take particularly advanced hacking skills to block access to those sites,” said Emma Hinchliffe. “It just takes a huge network.”

 

Well, how do you access a huge network? Even before the open sourcing of Mirai, the simplicity of carrying out a DDoS has been troubling to those who protect networks. Through paid services, anyone is able to rent a botnet. In fact, the criminally oriented can even have a stresser or booter service do the dirty work for them.

 

It is often challenging for the security team or law enforcement to track down the booters because they use proxies to assault you from different locations.

 

Reason #2 – Cash for peace

 

DDoS-for-ransom, a form of extortion, has been on the rise over the last few years. Essentially you get barraged by traffic, see your site go down, and then get a note letting you know that you can regain your smoothly functional site for a certain amount of Bitcoin.

 

Security experts recommend never paying the attackers, because there is no guarantee they won’t do it again and because it feeds the growth of the problem; however, some site owners feel they have no choice if they want to get their own revenue coming in again.

 

Reason #3 – Slash-and-burn competition

 

What’s one way to outperform the rivals in your industry? Well, you could make it impossible for them to operate.

 

“Just small amounts of downtime can end up costing a company thousands [or millions] of dollars,” noted Christian Sager. “It can also promote negative associations with a brand, so that customers no longer trust their services.”

 

Reason #4 – Hacktivism

 

DDoS isn’t always just about pummeling someone for money. It’s also a way that some actors use to voice dissent. South Korea, the U.S., Russia, and Georgia have historically been DDoS targets. Keep in mind that many of these attacks are thought to be perpetrated by other nations – which makes them more cyberwarfare than citizen protest. However, individuals do sometimes DDoS governments or companies because they disagree with them ethically.

 

Reason #5 – Rise of the “script kiddy”

 

Some of those behind DDoS events have been given the derisive name “script kiddies,” highlighting the fact that they lack technical skills (instead grabbing a script in a forum) and have what are viewed as immature intentions.

 

For instance, game publishers are sometimes DDoSed immediately following an update, because an irritated player believes they “nerfed” the best part.

 

“Also, let’s be honest, being able to take out a company from your bedroom is probably amusingly empowering in a David and Goliath sort of way,” said Sager. “Today’s DDoS is yesterday’s vandalism.” (Note that he made these comments in 2014, when DDoS was much less destructive and economically devastating than it is today.)

 

Reason #6 – The overpowering decoy

 

A DDoS is certainly more uncontrollable than a fake duck that you can throw in your hunting bag, but it is sometimes a decoy in the sense of a distraction. In these cases, the directness and crudeness of a DDoS is used as a cover for a more technical, surgical hack. A landmark incident of this Ocean’s-11-style assault occurred in 2013, when a botnet operator slammed the Bank of the West with fraudulent requests while they entered an account and withdrew $900K.

 

Reason #7 – This is only a test…

 

A company will occasionally force itself offline – whether by accident or when intentionally resilience-testing its systems.

 

Action to DDoS-defend your business

 

Since the open-sourcing of Mirai, heavyweight DDoS has become more widely available than ever before. And people continue to have various reasons to want to crash websites.

 

In this increasingly volatile climate, are you DDoS-defended? At KnownHost, we offer complimentary DDoS protection on all VPS and SSD VPS product lines. See how you’re protected.


What October’s Massive DDOS Attack Can Teach Us About the Importance of Security

Anyone Else Having a Problem?

 

Something odd happened on the morning of October 21st, 2016. Many Americans, mostly located in the Northeast though it was nationwide at some level, experienced strange outages. Many tried to take to Twitter to ask the Internet if they too were having Spotify issues…only to find Twitter was also offline. A few thousand reset routers later, people began to realize it wasn’t their network connection that was the culprit. What had happened was a massive DDOS attack the likes of which we rarely see. Though they are happening with more frequency, this was the first one in quite a while that affected large swaths of the population and disrupted their daily lives.

 

So, how do sites and services like Twitter, Spotify, Reddit, Wired, and even the New York Times all get taken offline simultaneously by one event? The answer lies in hosting. Many large-scale web services based on the east coast use Dyn as their DNS host. Because these sites are so heavily trafficked, they often use the same large hosting firms because they have the resources to provide speedy transit for visitors expecting to have nearly instant download times on a site with millions of simultaneous viewers. The downside of this solution is that it makes a company like Dyn an attractive target for malicious agents looking to cause service disruptions.

 

This huge DDOS event put a spotlight on quite a few issues: the security issues that arise from the always growing “Internet of Things” (it is theorized that access points came from simple network-enabled devices that lack the security measures of more advanced products), the danger of having a massive central hub, and the need to be more vigilant when it comes to the ever growing and intricate world of cybercrime.

 

But What is a DDOS Attack?

 

Before the major consumer and media targeted DDOS attack we saw last month, most of the media coverage was on DDOS attacks related to government intrigue and ransom from financial institutions. What they are, essentially, is a system overload. Think of it like a landline. If you have two people on the line (including call waiting) and a third person tries to call you, they’ll get a busy signal. A distributed denial of service attack is like getting a million phone calls all at once so that no one can get through and anyone who tries is met with a busy signal.

 

Let’s go back to the concept of the Internet of Things and its culpability, again. Many DDOS attacks originate from relatively simple devices (in comparison to a full computer) such as smart thermostats or security cameras. Because millions of these devices are out in the world, they are a relatively easy and attractive target to create a “zombie army” of malware infected gadgets that flood sites with requests to take them offline. Because these devices aren’t initiating the attack, but are actually controlled from elsewhere acting as a proxy, DDOS attacks can be difficult to shut down.

 

One’s first instinct may be to try to block offending IP addresses. While this works for spammers on forum sites that operate under multiple user names but one device location, it isn’t effective against DDOS attacks because thousands of devices are launching an attack at once and because IP addresses can be forged. Consider what a simple VPN could do for the average user and then multiply it by thousands of machines backed by hacker know-how.

 

What DDOS Attacks Mean for Your Business

 

This isn’t to say DDOS attacks on their own are particularly dangerous. For example, they don’t actually break into locations and steal sensitive data. At their worst, they keep your site from being accessed for an extended period of time. Unless they are used in conjunction with other types of attacks, you aren’t at risk beyond your site being unavailable until the attack is over or thwarted. However, if you operate a small ecommerce business, being taken offline can be devastating. That’s hours of not making any money.

 

While it may seem like only really big sites get targeted in DDOS attacks due to the media coverage of them, the fact is anyone could be a target. Fifty-one percent of businesses suffered a DDOS attack in 2015. That’s why it’s important to have some sort of protection against these fairly common events.

 

You can identify a DDOS attack pretty early. As a business owner or someone managing a client’s site, you most likely keep a pretty close eye on what your typical inbound traffic looks like. Sudden spikes in traffic that seem unusual as far as location and duration can be signs of the beginning of an attack. From there you would want to contact your hosting company.

 

Of course if you’re currently responsible for managing your own server, this could be a tricky situation for you. You may be asking how you can defend yourself against these attacks and the answer is: it’s a little complicated. For the typical web designer or small business owner, the actual technical measures that can be taken may be beyond your comfort level. But if, hypothetically, you were running your own web server you could limit your router to prevent your server from being overwhelmed, add filters to your router to limit packets, time-out half open connections, and drop malformed packets. If reading that sentence made your eyes cross, then luckily KnownHost is here to help you.
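For readers who are running their own server, the following is an added example (a hypothetical illustration, not KnownHost’s filtering setup) of what the four measures in that sentence look like as Linux kernel and iptables settings: timing out half-open connections, dropping malformed packets, and limiting packets per source. The thresholds are assumptions; with DRY_RUN=1 (the default) the script prints the commands instead of applying them, so it can be read and tested without root:

```shell
#!/bin/sh
# Added example: the four host-level measures the paragraph lists, expressed as
# Linux sysctl and iptables settings.  Hypothetical illustration, not
# KnownHost's filtering setup; the thresholds are assumptions.  With DRY_RUN=1
# (the default) the commands are printed instead of applied.
DRY_RUN=${DRY_RUN:-1}
run() { if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Time out half-open connections: SYN cookies let the kernel answer a SYN
# without holding state, and fewer SYN-ACK retries shorten how long a
# never-completed handshake occupies the backlog.
half_open_timeouts() {
  run sysctl -w net.ipv4.tcp_syncookies=1
  run sysctl -w net.ipv4.tcp_synack_retries=2
  run sysctl -w net.ipv4.tcp_max_syn_backlog=4096
}

# Drop malformed packets: anything connection tracking cannot classify, and
# TCP flag combinations that no legitimate stack sends.
drop_malformed() {
  run iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
  run iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
  run iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
  run iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
  run iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
}

# Limit packets: cap new connections per source IP to the web ports, and cap
# inbound ping, so one flooding source cannot starve everyone else.
rate_limits() {
  run iptables -A INPUT -p tcp -m multiport --dports 80,443 \
    -m conntrack --ctstate NEW \
    -m hashlimit --hashlimit-name web_new --hashlimit-mode srcip \
    --hashlimit-above 50/second --hashlimit-burst 100 -j DROP
  run iptables -A INPUT -p icmp --icmp-type echo-request \
    -m limit --limit 10/second --limit-burst 20 -j ACCEPT
  run iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
}

# Count the commands a function issues (handy for checking the dry run).
count_cmds() { "$1" | wc -l | tr -d ' '; }

half_open_timeouts
drop_malformed
rate_limits
```

Run it with `DRY_RUN=0` as root to apply the rules. None of this raises the size of pipe the server sits behind: these settings keep a host from collapsing under a modest flood and stop one source from monopolising it, but a volumetric attack at the scale described earlier saturates the link before any of them run, which is why the article points to upstream filtering.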

 

How We Can Help

 

At KnownHost, we provide our customers with high performance managed dedicated servers and VPSes. If you’re currently with a hosting solution that leaves you to manage your own servers, the prospect of a DDOS attack probably preoccupies you quite a bit. After all, you’re responsible for spotting them and resolving them on your own. If you’re running a business or you’re responsible for hosting all of your clients’ sites, there simply isn’t enough time to be both security IT expert and the manager of day-to-day business operations. That’s why you should leave all your hosting needs to us. We have the experience to spot events as they occur and act to protect your site from the ill effects that they cause. Our hosting solutions are designed to keep your site up and running no matter the issue.

 

The team at KnownHost knows you want to focus on your actual business without having to worry about the safety and functionality of your sites. That’s why not only do we offer free backups and migrations, but we also include complimentary DDOS protection. We include protection up to 500 Gbps and 700 Mpps for bandwidth and packet intensive attacks. We use identifying and filtering hardware to make sure that your site remains online throughout the duration of the attack. Examples of the kinds of attacks you’re protected from include UDP floods, NTP amplification, DNS amplification, SYN floods, volume-based attacks, and fragmented packet attacks.

 

If you’re looking for peace of mind, fast speeds, and the best uptime in the industry, contact us today and let us set you up with the managed dedicated server or VPS you need to help your business.
