DDoS - IT Security Guru
https://www.itsecurityguru.org/category/news/ddos/
Feed last updated Tue, 12 Nov 2019 16:38:11 +0000

A Call To ARMS:
https://www.itsecurityguru.org/2019/07/01/a-call-to-arms-apple-remote-management-service-udp-reflection-amplification-ddos-attacks/?utm_source=rss&utm_medium=rss&utm_campaign=a-call-to-arms-apple-remote-management-service-udp-reflection-amplification-ddos-attacks
Mon, 01 Jul 2019 13:18:07 +0000

The post A Call To ARMS: appeared first on IT Security Guru.
Key Takeaways:

A new UDP reflection/amplification DDoS vector is observed in the wild.

The surprising nature of the abusable reflectors/amplifiers.

Recommended DDoS Defense and Best Current Practices (BCPs) for ARMS.

Anatomy of a New DDoS Vector

One of the ground truths of distributed denial-of-service (DDoS) defense is that literally any kind of packet can be utilized to launch an attack against a host, service, application, or network. And when attackers initially identify a service or application which can be abused to indirectly reflect attack traffic to the intended target, while at the same time providing an amplification factor (i.e., the attackers can induce the abusable service or application to generate more network traffic than the amount required to stimulate the spoofed ‘responses’ to the target), they tend to move quickly to utilize it in attacks and to weaponize it for inclusion in DDoS-for-hire ‘booter/stresser’ services.

Late last week, we were made aware that network operators were seeing a sudden surge of attacks in the 70 Gb/sec range, sourced from UDP/3283. Initial investigation revealed that the abused reflectors/amplifiers were generating two attack-traffic packets for every spoofed stimulus packet: the first packet was 32 bytes in length and the second 1034 bytes, for a respectable amplification ratio of 35.5:1 (1066 bytes of response payload per stimulus packet).

Whichever application or service was being abused, it apparently performed application-layer message segmentation, as no non-initial UDP fragments were present. We have observed this behaviour in some other abusable UDP reflectors/amplifiers, such as misconfigured Network Time Protocol (NTP) servers.

Looking at relevant DDoS Misuse alerts in Arbor Sightline deployments, it became apparent that attackers could induce the reflectors/amplifiers to target any destination port of their choosing, and that observed attacks were peaking in the ~75 Gb/sec range at a throughput of ~11 Mpps. While throughput, measured in packets per second (pps), is often the most significant metric in direct-flooding DDoS attacks such as SYN floods, bandwidth, measured in bits per second (bps), is the primary metric for most (not all) reflection/amplification attacks.

Even though this was a previously unknown DDoS attack vector, Sightline was able to detect, classify and trace back these 'minute-0' DDoS attacks because it performs real-time anomaly detection on network-wide flow telemetry. Based on the attack classification information in the relevant Sightline DDoS Misuse alerts, network operators were able to use Arbor TMS to mitigate the attacks as soon as they appeared on production networks.
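What a flow-based misuse alert for this vector boils down to, written out as an added example rather than ASERT's or Sightline's code: aggregate UDP flows whose source port is 3283 by destination, and alert when several distinct reflectors push a high aggregate rate at one target on attacker-chosen destination ports. It also carries the amplification arithmetic behind the 35.5:1 figure, which implies a stimulus of roughly 30 bytes for the 32 + 1034 bytes of response. The flow records, addresses (RFC 5737 documentation ranges) and alert thresholds are constructed for the illustration.

```python
"""Flow-telemetry classifier for UDP/3283 (ARMS) reflection/amplification.

Added example, not code from ASERT/NETSCOUT: it approximates what a
flow-based misuse alert does. The flow records are constructed sample data
(RFC 5737 documentation addresses); the thresholds are assumptions.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass

ARMS_PORT = 3283          # UDP port on which Remote Management listens
IP_UDP_HEADERS = 20 + 8   # bytes added to each UDP payload on the wire


def amplification_ratio(stimulus_bytes: int, response_bytes: list[int]) -> float:
    """Bandwidth amplification factor: reflected bytes per stimulus byte.

    With the observed 32-byte and 1034-byte responses, a ~30-byte stimulus
    gives the 35.5:1 ratio reported in the write-up.
    """
    if stimulus_bytes <= 0:
        raise ValueError("stimulus must be at least one byte")
    return sum(response_bytes) / stimulus_bytes


@dataclass(frozen=True)
class Flow:
    """One exported flow record (one direction) from a router or probe."""
    src: str      # the abused reflector when this is attack traffic
    sport: int
    dst: str      # the victim
    dport: int
    proto: str
    packets: int
    bytes: int


def classify_arms_reflection(flows: list[Flow], window_seconds: float,
                             min_reflectors: int = 3, min_mbps: float = 100.0) -> dict:
    """Group UDP flows with source port 3283 by destination and report every
    destination that receives them from several distinct reflectors at a high
    aggregate rate. All flows are assumed to come from one export window.

    Returns {victim: {"reflectors": n, "mbps": x, "pps": y, "dports": {...}}}.
    """
    per_dst = defaultdict(lambda: {"reflectors": set(), "bytes": 0,
                                   "packets": 0, "dports": set()})
    for f in flows:
        if f.proto != "udp" or f.sport != ARMS_PORT:
            continue
        agg = per_dst[f.dst]
        agg["reflectors"].add(f.src)
        agg["bytes"] += f.bytes
        agg["packets"] += f.packets
        agg["dports"].add(f.dport)   # attacker-chosen: any destination port works

    alerts = {}
    for dst, agg in per_dst.items():
        mbps = agg["bytes"] * 8 / window_seconds / 1e6
        pps = agg["packets"] / window_seconds
        if len(agg["reflectors"]) >= min_reflectors and mbps >= min_mbps:
            alerts[dst] = {"reflectors": len(agg["reflectors"]),
                           "mbps": round(mbps, 1), "pps": round(pps),
                           "dports": agg["dports"]}
    return alerts


def reflector_flow(src: str, dst: str, dport: int, stimuli: int) -> Flow:
    """Constructed attack flow: each stimulus yields one 32-byte and one
    1034-byte response, each carried in its own IP/UDP datagram."""
    return Flow(src, ARMS_PORT, dst, dport, "udp", packets=2 * stimuli,
                bytes=stimuli * ((32 + IP_UDP_HEADERS) + (1034 + IP_UDP_HEADERS)))


# Constructed 10-second export window: four exposed Macs reflecting toward one
# victim on two attacker-chosen ports, plus a legitimate console session and an
# unrelated DNS flow that must not trigger the alert.
SAMPLE_FLOWS = [
    reflector_flow("192.0.2.11", "203.0.113.10", 80, 100_000),
    reflector_flow("192.0.2.12", "203.0.113.10", 80, 100_000),
    reflector_flow("192.0.2.13", "203.0.113.10", 443, 100_000),
    reflector_flow("192.0.2.14", "203.0.113.10", 443, 100_000),
    Flow("192.0.2.20", ARMS_PORT, "198.51.100.5", 3283, "udp", 40, 12_000),
    Flow("198.51.100.53", 53, "203.0.113.10", 51234, "udp", 2, 300),
]

if __name__ == "__main__":
    print("amplification:", round(amplification_ratio(30, [32, 1034]), 1))
    for victim, info in classify_arms_reflection(SAMPLE_FLOWS, 10.0).items():
        print(victim, info)
```

The reflector count is what separates this from a single busy ARD console talking to its managed Macs: one source on UDP/3283 is administration, dozens converging on one destination that never asked for them is reflection. The same aggregation, run on the reflector side (group by source instead of destination), shows an operator which of their own Macs are being abused.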

Once we had a thorough understanding of the attack characteristics, we turned our attention to identifying the application or service being abused in order to generate these attacks.

A Surprising Discovery

Our initial investigation revealed a surprising piece of information: UDP/3283 is most closely associated with Apple Remote Desktop (ARD), the application and related management service used to remotely manage fleets of Macs, primarily in enterprises and universities. While ARD was most popularly identified with screen-sharing, over the years it has evolved into a more fully-featured system management application, allowing remote installation of software updates, remote logging, and so on.

Based on available online documentation, it appears that Apple’s Remote Management service (ARMS) listens on that port for management console commands and queries. Some time ago, Apple separated ordinary screen-sharing from more comprehensive remote administration capabilities, so ARMS should only be enabled when Macs are being actively administered via a management framework such as ARD.

Using the ASERT Virtual Lab, we determined that on macOS, enabling Remote Management under System Preferences/Sharing causes the Mac to listen on UDP/3283, even when Apple's Firewall under System Preferences/Security & Privacy is enabled. In other words, the built-in firewall is not a control for this exposure; UDP/3283 has to be blocked upstream of the host.

It should be noted that this service is disabled by default, and must be explicitly enabled by a Mac user with administrative privileges.

Why ARMS?

It was somewhat puzzling that we were seeing UDP reflection/amplification attacks abusing a remote administration framework that we’d typically expect to be used across enterprise LANs and WANs, rather than on the public Internet. But once we began delving further into how ARD is typically deployed, the answer became apparent.

In most of the online documentation and discussion we found about enabling and using ARD and ARMS, when it came to administering Macs beyond a campus LAN, almost all of the focus was on implementing static NAT translations and allowing UDP/3283 through firewall rules and router ACLs, rather than on standard industry BCPs such as virtual private networks (VPNs) and related secure network access policies and authentication techniques.

The same set of Worst Current Practices (WCPs), applied to vulnerable and/or misconfigured Internet of Things (IoT) devices such as IP-enabled surveillance cameras and digital video recorders (DVRs), has contributed to the compromise of many embedded devices and their enrolment in DDoS botnets, even when they are installed behind NATs and firewalls.

As of this writing, we have identified approximately 54,000 abusable ARMS-enabled Macs exposed to the public Internet, either directly or via the static NAT translations and permissive firewall rules and ACLs described above. These computers are being actively abused to launch ARMS reflection/amplification DDoS attacks; not only do the targets and intervening networks suffer the onslaught of attack traffic, but the abused Macs, which emit the amplified traffic, and the networks on which they reside are negatively impacted as well.

Via analysis of DDoS attack data collected by Netscout Arbor’s ATLAS system, we were able to determine that the first observed use of ARMS as a reflection/amplification DDoS vector on the public Internet appears to have taken place during the second week of June 2019. It has rapidly grown in relative popularity, and we believe that it will be weaponized by DDoS-for-hire ’booter/stresser’ operators in short order.

Recommendations

ASERT recommends that network operators use network-wide visibility and alerting systems such as Arbor Sightline to detect, classify and trace back ARMS reflection/amplification DDoS attacks. Custom Misuse Alerts for ARMS reflection/amplification attacks (UDP traffic with source port 3283) can be defined by the system operator.

Together with Sightline, Arbor TMS can be used to mitigate ARMS reflection/amplification attacks using a variety of countermeasure options; Sightline also supports flowspec-based mitigations for flowspec-enabled routers. Other mitigation techniques such as source-based remotely-triggered blackholing (S/RTBH) and ACLs may be employed, as well.

ASERT have transmitted both IPv4 and IPv6 AIF Templates containing example TMS countermeasure configurations to AIF-entitled customers.

We also urge administrators of ARMS-enabled Macs to shield UDP/3283 from the public Internet and instead use VPN technologies to carry remote administration traffic between administration systems and managed Macs. Where a Mac is not being actively administered through a management framework, Remote Management should simply be left disabled.

How To Block DDoS Attacks Using Automation.
https://www.itsecurityguru.org/2019/06/24/how-to-block-ddos-attacks-using-automation/?utm_source=rss&utm_medium=rss&utm_campaign=how-to-block-ddos-attacks-using-automation
Mon, 24 Jun 2019 10:31:29 +0000

DDoS attacks can be catastrophic, but the right knowledge and tactics can drastically improve your chances of successfully mitigating them. In this article, we'll explore five ways that automation can significantly improve response times during a DDoS attack, and then the strategies that actually block such attacks.

Response time is critical for every enterprise because, in our hyper-connected world, DDoS attacks cause downtime, and downtime means money lost. The longer your systems are down, the more your profits will sink.

Let’s take a closer look at all the ways that automation can put time on your side during a DDoS attack. But first, let’s clarify just how much time an automated defence system can save.

Automated vs. Manual Response Time

Sure, automated DDoS defence is faster than manual DDoS defence, but by how much?

Founder and CEO of NimbusDDoS Andy Shoemaker recently conducted a study to find out. The results spoke volumes: automated DDoS defence improves attack response time five-fold.

The average response time using automated defence was just six minutes, compared to 35 minutes using manual processes, a staggering 29-minute difference. In some cases, the automated defence was even able to eliminate response time completely.

An automated defence system cuts down on response time in five major ways. Such systems can:

Instantly detect incoming attacks: Using the data it has collected during peace time, an automated DDoS defence system can instantly identify suspicious traffic that could easily be missed by human observers.
Redirect traffic accordingly: In a reactive deployment, once an attack has been detected, an automated DDoS defence system can redirect the suspicious traffic to a shared mitigation scrubbing centre, with no need for an operator to issue BGP route announcements by hand.
Apply escalation mitigation strategies: During the attack’s onslaught of traffic, an automated DDoS defence system will take action based on your defined policies in an adaptive fashion while minimising collateral damage to legitimate traffic.
Identify patterns within attack traffic: By carefully inspecting vast amounts of attack traffic in a short period of time, an automated DDoS defence system can extract patterns in real-time to block zero-day botnet attacks.
Apply current DDoS threat intelligence: An automated DDoS defence system can access real-time, research-driven IP blocklists and DDoS weapon databases and apply that intelligence to all network traffic destined for the protected zone.

An intelligent automated DDoS defence system doesn't stop working after an attack, either. Once the attack has been mitigated, it generates detailed reports that can be used for forensic analysis and for communicating with stakeholders.

Although DDoS attackers will never stop innovating and adapting, neither will automated and intelligent DDoS protection systems.

By using an automated system to rapidly identify and mitigate threats with the help of up-to-date threat intelligence, enterprises can defend themselves from DDoS attacks as quickly as bad actors can launch them.

Three key strategies to block DDoS attacks

While it’s crucial to have an automated system in place that can quickly respond to attacks, it’s equally important to implement strategies that help achieve your goal of ensuring service availability to legitimate users.

After all, DDoS attacks are asymmetric in nature: you can't prevent the attacker from launching an attack, but with three critical strategies in place, you can be resilient to it while protecting your users.

Each of the three methods listed below is a source-based DDoS mitigation strategy. Source-based strategies use the cause of the traffic (who is sending it, and how) as the basis for choosing what to block. The alternative, destination-based mitigation, relies on shaping the traffic headed for the target to keep the system from falling over.

While destination-based traffic shaping is effective at keeping a system from being overwhelmed during an attack, it inflicts indiscriminate collateral damage on legitimate users, because it cannot tell them apart from the attackers.

Tracking deviation: A tracking deviation strategy works by observing traffic on an ongoing basis to learn what qualifies as normal and what represents a threat.

Specifically, a defence system can analyse data rate or query rate across multiple characteristics (e.g. bps, pps, SYN:FIN ratio, session rate) to determine which traffic is legitimate and which is malicious, or it may identify bots or spoofed sources by their inability to answer challenges (a spoofed source, for example, never completes the handshake a challenge demands).

Pattern recognition: A pattern recognition strategy uses machine learning to parse unusual patterns of behaviour commonly exhibited by DDoS botnets and reflected amplification attacks in real time.

For example, DDoS attacks are initiated by a motivated attacker who uses an orchestration platform to give the distributed weapons instructions on how to flood the victim with unwanted traffic. Both the command-and-control (C&C) channel and the resulting distributed attack exhibit patterns that can be used as the basis for causal blocking.

Reputation: To use reputation as a source-based blocking strategy, a DDoS defence system draws on threat intelligence from researchers: the IP addresses of DDoS botnet members, plus the tens of millions of exposed servers that are used in reflected amplification attacks.

The system then uses that intelligence to block matching source IP addresses during an attack.
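Two of the three strategies, tracking deviation and reputation, combined into one small pipeline as an added example (not from the article or from any vendor product): a baseline learned from peace-time samples flags deviations in bps, pps and SYN:FIN ratio, and when the protected zone deviates, sources on a reputation list are dropped first so that unlisted, legitimate clients keep flowing. Pattern recognition is left out, since the article describes it as machine learning, which a few lines cannot honestly show. The samples, the blocklist, the mean + k*stddev rule and the floor on the standard deviation are all constructed or assumed for the illustration.

```python
"""Source-based mitigation building blocks: tracking deviation plus reputation.

Added example, not from the article or any vendor product. The peace-time
samples, the attack samples and the blocklist are constructed; the
mean + k*stddev rule and the 10% floor on the standard deviation are
assumptions chosen for illustration.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Sample:
    """Aggregate counters for the protected zone over one interval."""
    bps: float
    pps: float
    syn: int   # TCP SYNs seen
    fin: int   # TCP FINs seen

    @property
    def syn_fin_ratio(self) -> float:
        # A healthy service opens and closes about as many sessions (ratio
        # near 1); a SYN flood, whose sources never finish, drives it far above.
        return self.syn / max(self.fin, 1)


class Baseline:
    """Tracking deviation: learn what normal looks like, flag what is not."""
    METRICS = ("bps", "pps", "syn_fin_ratio")

    def __init__(self, k: float = 3.0, floor: float = 0.1):
        self.k = k            # z-score threshold
        self.floor = floor    # minimum stddev, as a fraction of the mean
        self.stats: dict[str, tuple[float, float]] = {}

    def learn(self, peace_time: list[Sample]) -> None:
        for m in self.METRICS:
            values = [getattr(s, m) for s in peace_time]
            self.stats[m] = (mean(values), pstdev(values))

    def deviations(self, s: Sample) -> dict[str, float]:
        """Metrics exceeding mean + k*stddev, with their z-scores."""
        out = {}
        for m, (mu, sigma) in self.stats.items():
            sigma = max(sigma, self.floor * mu)  # a flat baseline must not alert on noise
            if sigma == 0:
                continue
            z = (getattr(s, m) - mu) / sigma
            if z > self.k:
                out[m] = round(z, 1)
        return out


class Reputation:
    """Reputation: list of known botnet members and open reflectors (constructed)."""

    def __init__(self, entries: list[str]):
        self.nets = [ipaddress.ip_network(e) for e in entries]

    def is_listed(self, addr: str) -> bool:
        ip = ipaddress.ip_address(addr)
        return any(ip in net for net in self.nets)


def escalate(baseline: Baseline, reputation: Reputation,
             sample: Sample, sources: list[str]) -> tuple[str, dict]:
    """Policy step: mitigate only when the zone deviates from its baseline,
    and then drop the listed sources first. Returns (action, details)."""
    dev = baseline.deviations(sample)
    if not dev:
        return "monitor", {}
    blocked = sorted(s for s in sources if reputation.is_listed(s))
    return "mitigate", {"deviations": dev, "block": blocked}


# Constructed peace-time telemetry: ~100 Mbps, ~20 kpps, SYN:FIN near 1.
PEACE_TIME = [Sample(b, p, s, f) for b, p, s, f in [
    (95e6, 19_000, 500, 490), (102e6, 20_500, 520, 500),
    (98e6, 19_800, 480, 470), (105e6, 21_000, 540, 530),
    (99e6, 20_100, 510, 495), (101e6, 20_300, 505, 500),
    (97e6, 19_500, 490, 480), (103e6, 20_800, 530, 515),
]]
BLOCKLIST = Reputation(["192.0.2.0/24", "198.51.100.77"])   # constructed entries

if __name__ == "__main__":
    baseline = Baseline()
    baseline.learn(PEACE_TIME)
    flood = Sample(4.8e9, 3.9e6, 250_000, 300)        # volumetric attack sample
    print(escalate(baseline, BLOCKLIST, flood, ["203.0.113.9", "192.0.2.45"]))
    print(escalate(baseline, BLOCKLIST, Sample(100e6, 20_000, 500, 490), ["192.0.2.45"]))
```

The floor on the standard deviation matters in practice: a service with very steady peace-time traffic would otherwise have a near-zero sigma and alert on ordinary jitter. Note also that a SYN flood with a modest packet rate trips only the SYN:FIN ratio, which is why the article lists several characteristics rather than bandwidth alone.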

Any of these three source-based DDoS mitigation strategies requires more computing capacity than indiscriminate destination-based protection.

They have, however, the significant advantage of not blocking legitimate users, thereby reducing downtime and preventing unnecessarily lost profits.

Knowing that, it’s safe to say that these three mitigation strategies are all well worth the investment.

A10 Networks Brings Advanced Zero-Day Automated Protection (ZAP) To DDoS Defence.
https://www.itsecurityguru.org/2019/06/10/a10-networks-brings-advanced-zero-day-automated-protection-zap-to-ddos-defence/?utm_source=rss&utm_medium=rss&utm_campaign=a10-networks-brings-advanced-zero-day-automated-protection-zap-to-ddos-defence
Mon, 10 Jun 2019 11:28:08 +0000

A10 Networks (NYSE: ATEN) adds Zero-day Automated Protection (ZAP) capabilities to its leading Thunder Threat Protection System (TPS) family of Distributed Denial of Service (DDoS) defence solutions. The ZAP capabilities automatically recognise the characteristics of DDoS attacks and apply mitigation filters without advanced configuration or manual intervention. This speeds the response to the increasingly sophisticated multi-vector attacks to minimise downtime and errors and lower operating costs.

Today’s DDoS attacks are more prevalent, multi-vector in nature and morph over time. With millions of IoT devices predicted to be in use over the coming years, driven by the transition to 5G networks, traditional DDoS solutions will quickly become inadequate. Current solutions are static, reactive and require significant operator intervention, resulting in a slow response time to the rapidly evolving attack landscape. It is clear that DDoS detection and mitigation is a growing concern for enterprises, cloud providers and service providers, alike. In fact, in a recent A10 Networks survey of mobile operators, 63 percent saw advanced DDoS protection as the most important security capability needed for 5G networks. And, in an IDG research report, respondents confirmed that the number-one most important capability in a DDoS solution was automated detection and mitigation.

“The economics of DDoS mitigation and attacks are very much slanted towards the attackers now, so we will need more efficient tools and advanced technologies to balance the equation to make DDoS defence more effective and economical,” said Chris Rodriguez, research manager, cybersecurity products. “A10 Networks is advancing the economics of DDoS security by leveraging machine learning and advanced heuristics to create that balance.”

DDoS Protection Powered by Machine Learning

A10 Networks’ ZAP consists of two components: dynamic attack pattern recognition by a machine learning algorithm, and heuristic behaviour analysis that dynamically identifies anomalous behaviour and blocks attacking agents. ZAP works in conjunction with A10 Networks’ adaptive DDoS security model and its five-level adaptive policy mitigation engines to provide a complete in-depth defence system. This approach blocks DDoS attacks while protecting legitimate users from the indiscriminate collateral damage typically associated with traditional DDoS protection methods.

The ZAP policies can be enforced by a combination of hardware and software. Thunder SPE (Security and Policy Engine) appliances can serve up to 100,000 ZAP policies at line rate and the remaining ZAP policies can be served by software. This provides superior mitigation performance over the traditional software only solution, enabling superior response time and scalability.

“In today’s climate with the dramatic increase in polymorphic multi-vector attacks and the chronic shortage of qualified security professionals, enterprises and service providers need intelligently automated defences that can accomplish tasks autonomously,” said Lee Chen, CEO of A10 Networks. “Manual interventions are not only resource-intensive but too slow and ineffective, resulting in a greater potential of network downtime and high cost to the organisation.”

A10 Networks provides the highest performance with 500 Gbps of protection in a single one-rack unit (RU) appliance, leading automation capabilities with ZAP and five-level adaptive policy, and actionable DDoS weapons threat intelligence for a complete multi-modal defence in depth solution.

A10 Networks Thunder TPS with ZAP is available now.

A DDoS Storm Has Come:
https://www.itsecurityguru.org/2019/05/21/a-ddos-storm-has-come-number-of-attacks-grows-after-long-period-of-decline/?utm_source=rss&utm_medium=rss&utm_campaign=a-ddos-storm-has-come-number-of-attacks-grows-after-long-period-of-decline
Tue, 21 May 2019 14:03:55 +0000

In the first quarter of 2019, the number of DDoS attacks increased by 84% compared with Q4 2018. In particular, there has been outstanding growth in the number of attacks that lasted more than an hour, along with the average duration of such attacks. Figures from Kaspersky Lab’s DDoS Q1 2019 report show that there has been a resurgence in DDoS methods, with malefactors focusing on longer attacks.

Last year the number of DDoS attacks was constantly falling, leading Kaspersky Lab experts to assume that cybercriminals who had been conducting DDoS attacks for financial gain had shifted their attention to other sources of income (such as crypto-mining). However, statistics for Q1 2019 contradict this trend and show that the number of DDoS attacks blocked by Kaspersky DDoS Protection has actually grown by a staggering 84% when compared to Q4 2018. This figure could indicate that such attacks were still in demand, despite being inaccessible while popular DDoS marketplaces were taken down. Once new DDoS-for-hire websites launched, the number of attacks grew sharply as a result.

The most noticeable area of growth can be found in DDoS attacks that lasted for more than an hour. These incidents doubled in quantity and their average length increased by 487%. These statistics confirm Kaspersky Lab experts’ hypothesis that hackers are evolving their techniques and are now able to launch longer attacks, which are harder to organise.

“The DDoS attack market is changing. New DDoS services appear to have replaced ones shut down by law enforcement agencies. As organisations implement basic countermeasures, attackers target them with long-lasting attacks. It is difficult to say if the number of attacks will continue to grow, but their complexity is showing no signs of slowing down. We recommend that organisations prepare themselves effectively, in order to withstand sophisticated DDoS attacks,” comments Alexey Kiselev, business development manager on the Kaspersky DDoS Protection team.

Kaspersky Lab recommends that organisations follow these steps to protect themselves from DDoS attacks:

Ensure that web and IT resources can handle high traffic
Use professional solutions to protect the organization against attacks. For example, Kaspersky DDoS Protection combines Kaspersky Lab’s extensive expertise in combating cyberthreats and the company’s unique in-house developments. The solution protects against all types of DDoS attacks regardless of their complexity, strength or duration

About Kaspersky Lab

Kaspersky Lab is a global cybersecurity company, which has been operating in the market for over 21 years. Kaspersky Lab’s deep threat intelligence and security expertise is constantly transforming into next-generation security solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection and a number of specialized security solutions and services to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky Lab technologies and we help 270,000 corporate clients protect what matters most to them. Learn more at www.kaspersky.com

The Ping Is The Thing: Popular HTML5 Feature Used To Trick Chinese Mobile Users Into Joining Latest DDoS Attack.
https://www.itsecurityguru.org/2019/04/18/the-ping-is-the-thing-popular-html5-feature-used-to-trick-chinese-mobile-users-into-joining-latest-ddos-attack/?utm_source=rss&utm_medium=rss&utm_campaign=the-ping-is-the-thing-popular-html5-feature-used-to-trick-chinese-mobile-users-into-joining-latest-ddos-attack
Thu, 18 Apr 2019 18:08:23 +0000

By Vitaly Simonovich and Dima Bekerman

DDoS attacks have always been a major threat to network infrastructure and web applications.

Attackers are always creating new ways to exploit legitimate services for malicious purposes, forcing us to constantly research DDoS attacks in our CDN to build advanced mitigations.

We recently investigated a DDoS attack which was generated mainly from users in Asia. In this case, attackers used a common HTML5 attribute, the ping attribute of the anchor (a) element, to trick these users into unwittingly participating in a major DDoS attack that flooded one web site with approximately 70 million requests in four hours.

Rather than a vulnerability, the attack relied on turning a legitimate feature into an attack tool. Also, almost all of the users enlisted in the attack were mobile users of the QQBrowser developed by the Chinese tech giant Tencent and used almost exclusively by Chinese speakers. Though it should be noted that this attack could have involved users of any web browser and that recent news could ensure that these attacks continue to grow — and we’ll explain why later in the article.

How They Did It

ping is an attribute of the HTML5 anchor (a) element that lists URLs to be notified when the user follows the hyperlink. When the user clicks the link, the browser sends a POST request to each listed URL with the body "PING", a Content-Type of "text/ping" and a Ping-To header carrying the link's destination; a Ping-From header naming the originating page may also be included. The user sees only the normal navigation, and the POSTs are sent in the background, which is what makes every visitor to a page carrying a malicious ping list an unwitting attack source.
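Because every one of those background POSTs carries the text/ping content type and the Ping-To header, a receiving site can reject them before they reach application code. The following WSGI middleware does exactly that, as an added example rather than code from the article's authors or from any CDN; legitimate ping receivers are handled with a per-path allowlist. The requests it is exercised with are constructed WSGI environs, not captured traffic.

```python
"""Reject HTML5 hyperlink-auditing ("ping") POSTs at the application edge.

Added example, not code from the article's authors or from any CDN. A browser
that follows <a href="..." ping="https://target/..."> sends a POST with
Content-Type text/ping and a Ping-To header, so both are cheap, reliable
signals. Sites that legitimately receive pings allowlist those paths. The
WSGI environs below are constructed requests, not captured traffic.
"""
from __future__ import annotations

PING_CONTENT_TYPE = "text/ping"


def is_hyperlink_audit(environ: dict) -> bool:
    """True when the request looks like a browser-generated ping notification."""
    if environ.get("REQUEST_METHOD") != "POST":
        return False
    ctype = environ.get("CONTENT_TYPE", "").split(";", 1)[0].strip().lower()
    return ctype == PING_CONTENT_TYPE or "HTTP_PING_TO" in environ


class PingFilter:
    """WSGI middleware: answer pings with an empty 403 without reading the
    body or invoking the wrapped application, and count what was dropped."""

    def __init__(self, app, allowed_paths: tuple[str, ...] = ()):
        self.app = app
        self.allowed = set(allowed_paths)
        self.dropped = 0   # feed this counter to monitoring

    def __call__(self, environ, start_response):
        if is_hyperlink_audit(environ) and environ.get("PATH_INFO") not in self.allowed:
            self.dropped += 1
            start_response("403 Forbidden",
                           [("Content-Type", "text/plain"), ("Content-Length", "0")])
            return [b""]
        return self.app(environ, start_response)


def demo_app(environ, start_response):
    """Stand-in for the protected application."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello"]


def make_environ(method: str, path: str, headers: dict | None = None) -> dict:
    """Build a minimal WSGI environ (constructed; no network involved)."""
    env = {"REQUEST_METHOD": method, "PATH_INFO": path, "CONTENT_TYPE": ""}
    for name, value in (headers or {}).items():
        key = name.upper().replace("-", "_")
        env[key if key == "CONTENT_TYPE" else "HTTP_" + key] = value
    return env


def status_of(app, environ: dict) -> str:
    """Run one request through a WSGI callable and return its status line."""
    captured = []
    body = app(environ, lambda status, headers: captured.append(status))
    b"".join(body)   # consume the iterable as a server would
    return captured[0]


# Constructed browser ping, as a victim would receive it during the attack.
PING_HEADERS = {"Content-Type": "text/ping",
                "Ping-From": "https://attacker.example/",
                "Ping-To": "https://target.example/"}

if __name__ == "__main__":
    app = PingFilter(demo_app, allowed_paths=("/analytics/ping",))
    print(status_of(app, make_environ("POST", "/", PING_HEADERS)))               # 403 Forbidden
    print(status_of(app, make_environ("GET", "/")))                              # 200 OK
    print(status_of(app, make_environ("POST", "/analytics/ping", PING_HEADERS))) # 200 OK
    print("dropped:", app.dropped)
```

Rejecting in the application still costs a TCP connection and a TLS handshake per request, so at the volumes described here the same match (method POST, Content-Type text/ping) belongs on the CDN, WAF or load balancer as well; the middleware is the layer that catches whatever gets through and gives you the count.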


Cost To UK Economy Of DDoS Cyber-Attacks
https://www.itsecurityguru.org/2019/03/22/cost-to-uk-economy-of-ddos-cyber-attacks-may-exceed-1b-per-annum/?utm_source=rss&utm_medium=rss&utm_campaign=cost-to-uk-economy-of-ddos-cyber-attacks-may-exceed-1b-per-annum
Fri, 22 Mar 2019 20:08:16 +0000

The cost to the UK economy of Distributed Denial of Service (DDoS) attacks may now exceed £1 billion each year, research from NETSCOUT today reveals. 91% of major enterprises who had experienced a DDoS attack in 2018 experienced network downtime as a direct result. That downtime lasted for 30 minutes or more for nearly half the companies questioned, and an unlucky (or ill-prepared) 9% found their systems impacted for more than four hours. The average cost for each UK business that had seen downtime due to DDoS exceeded £140,000.

Darren Anstee, NETSCOUT CTO, Security, commented, “The tools to initiate DDoS attacks are cheap, freely available and easily deployed – as a result, there are more than ten thousand DDoS attacks every day around the world. The size and complexity of attacks continue to grow and businesses must make sure their key resources are adequately protected – including in the cloud, SaaS etc…”

“We know that DDoS attacks target businesses of all shapes and sizes, but we wanted to quantify the economic impact on the UK’s largest employers. Our research data revealed that around 86% of major UK enterprises questioned were attacked at least once in 2018. 90% of these UK businesses experienced downtime, which averaged 67 minutes for the year, and the downtime costs were estimated at £2,140 per minute.

“If we assume those impacts apply equally to the 8,000 UK companies with more than 250 employees, the total cost equates to approximately £900 million. However, we know that the wide availability of the required tools has ‘democratised’ DDoS. Much smaller companies are also under attack and so the true cost to the UK economy is likely to significantly exceed £1 billion per annum.”

NETSCOUT’s findings also show that DDoS attacks have ramifications beyond just service downtime. Respondents cited a series of measurable attack consequences, such as revenue loss (36.2%), increased operational expenses (38.6%), reputational impact (36.2%), surging insurance premiums (31.9%) and loss of customers (30.7%), highlighting the longer-term damage successful attacks can bring.

“If something is important to you, it’s important to hackers,” added Anstee. “As businesses place growing reliance on digital services, it’s hardly a surprise that attacks against the cloud, SaaS and data centres are increasing at an alarming rate. Attackers are continually evolving tactics to exploit new vulnerabilities in complex – and critical – IT infrastructures. It is essential that companies have visibility across their entire IT infrastructure – physical, virtual, cloud etc. – and into all inbound and outbound traffic, so that they can quickly and efficiently tackle threats.”

With visibility into one-third of all internet traffic, NETSCOUT delivers actionable intelligence about DDoS attacks, botnets and malware which threaten internet infrastructure and network availability. NETSCOUT correlates this and other data sets to provide automated data sharing and intelligence, facilitating usage by all internet users, business and private, and giving them a broader perspective to better understand and react to the threats they face.

About NETSCOUT

NETSCOUT SYSTEMS, INC. (NASDAQ: NTCT) assures digital business services against disruptions in availability, performance, and security. Our market and technology leadership stems from combining our patented smart data technology with smart analytics. We provide real-time, pervasive visibility, and insights customers need to accelerate, and secure their digital transformation. Our approach transforms the way organizations plan, deliver, integrate, test, and deploy services and applications. Our nGenius service assurance solutions provide real-time, contextual analysis of service, network, and application performance. Arbor security solutions protect against DDoS attacks that threaten availability, and advanced threats that infiltrate networks to steal critical business assets. To learn more about improving service, network, and application performance in physical or virtual data centers, or in the cloud, and how NETSCOUT’s performance and security solutions, powered by service intelligence can help you move forward with confidence, visit www.netscout.com or follow @NETSCOUT and @ArborNetworks on Twitter, Facebook, or LinkedIn.

Neustar Named A Leader In IDC MarketScape Worldwide DDoS Prevention Report. https://www.itsecurityguru.org/2019/03/19/neustar-named-a-leader-in-idc-marketscape-worldwide-ddos-prevention-report/?utm_source=rss&utm_medium=rss&utm_campaign=neustar-named-a-leader-in-idc-marketscape-worldwide-ddos-prevention-report Tue, 19 Mar 2019 22:51:56 +0000 https://www.itsecurityguru.org/?p=30489

The post Neustar Named A Leader In IDC MarketScape Worldwide DDoS Prevention Report. appeared first on IT Security Guru.

Neustar®, Inc., a trusted, neutral provider of real-time information services, announced today that it has been named a Leader in the IDC MarketScape: Worldwide DDoS Prevention Solutions 2018-2019 Vendor Assessment (DOC # US43699318 March 2019). In the published excerpt, Neustar’s advanced features, functionality, detection and mitigation techniques were all cited as strengths within the DDoS space.

IDC MarketScape is the industry’s premier vendor assessment tool, providing in-depth quantitative and qualitative technology market assessments of ICT vendors for a wide range of technology markets. According to IDC, the report is based on a balanced group of criteria that lead to ICT vendors’ market success, and is not overly weighted toward offering functionality or company size.

“We’re delighted to be considered an IDC MarketScape leader within the DDoS prevention space,” said Shailesh Shukla, Neustar general manager of security solutions. “Neustar thrives on providing a broad portfolio of holistic identity resolution and unmatched mitigation strategies to protect businesses and customers’ mission critical digital assets,” he continued.

Shukla continues, “Neustar products and services leverage real-time intelligence based on the analysis of traffic, behaviour and identity to determine activity, context and intent. From this, decisions are made with respect to the type and level of protection to provide. As DDoS attacks continue to wreak havoc and pose significant challenges across the globe, we’re committed to producing the latest innovations in security to protect organisations.”

“The Neustar DDoS Protection solution offers 10+Tbps of DDoS mitigation making it one of the largest dedicated data scrubbing networks in the world,” said Martha Vazquez, IDC senior research analyst. “As an analyst, we know how important it is to have access to the best mitigation techniques, the most robust vendor-diverse protection technologies, as well as the most advanced analytics available today. Neustar provides its customers with the resources and assurance that are needed to ensure data and infrastructure is continually protected against any type or size of DDoS attack.”

Part of the Neustar Security Solutions suite, SiteProtect NG™ breaks with the traditional DDoS mitigation design of a high volume of small scrubbing centres, using instead fewer, highly fortified and highly connected locations. The SiteProtect NG network has deployed large, full-scale nodes, each with multi-terabit scrubbing capacity, in North America, Europe, Asia, South America, Africa, Australia and India.

A complimentary excerpt copy of The IDC MarketScape: Worldwide DDoS Prevention Solutions 2018-2019 Vendor Assessment is available here.

IoT And DDoS Attacks: A Match Made In Heaven. https://www.itsecurityguru.org/2019/03/19/iot-and-ddos-attacks-a-match-made-in-heaven/?utm_source=rss&utm_medium=rss&utm_campaign=iot-and-ddos-attacks-a-match-made-in-heaven Tue, 19 Mar 2019 22:46:11 +0000 https://www.itsecurityguru.org/?p=30491

The post IoT And DDoS Attacks: A Match Made In Heaven. appeared first on IT Security Guru.

By 2020, Gartner predicts the total number of IoT devices will reach 20.4 billion. At the same time, DDoS attacks are on the rise, with Cisco estimating that the number of DDoS attacks exceeding 1 gigabit of traffic per second will soar to 3.1 million by 2021. While correlation does not equal causation, in this case I believe that the two are connected. There is indeed evidence to show that IoT devices are a common thread in large-scale DDoS attacks and that the two reports above are not just a coincidence.

Earlier this year, A10 launched its own Q4 2018 State of DDoS Weapons report which shed additional light onto the connection between IoT devices and devastating DDoS attacks. The findings have exposed the role that IoT plays as one of the biggest cybersecurity threats of our time.

An Overview of DDoS Attacks and IoT

It comes as no surprise that IoT is continuing to grow at breakneck speed: a 2018 report from Bain found that the combined markets of IoT will reach $520 billion in 2021, more than double the amount spent in 2017. According to the State of DDoS Weapons report, that translates to a growth rate of 127 connected devices per second, a number that will undoubtedly grow over the coming years.

Unfortunately, this IoT explosion also provides attackers with a perfect opportunity to hack into vulnerable connected devices, especially for the purpose of building botnets (networks of malware-infected connected devices that can be used to send an overwhelming number of requests to the target’s server).

As Eurecom discovered, hackers have already developed brand new strains of malware designed to target IoT devices specifically. Knowing this, it’s clear that the age of IoT-based DDoS attacks isn’t just on the horizon — it’s already here.

Some of the top IoT malware dropped have already reached global levels of infamy. Take for example the Mirai malware, which brought major websites like Reddit and GitHub to their knees. In the Q4 2018 State of DDoS Weapons report, A10 found that five of the top IoT malware dropped belong to the Mirai family, with the sixth belonging to the Gafgyt/Bashlite family.

The majority of those malicious IoT items are hosted in the U.S., Italy, the U.K., Germany and the Netherlands. In terms of ASNs, the majority of IoT malware is hosted by Frantech, DigitalOcean, Aruba, Forthnet and HOSTiO.

IoT DDoS Attacks and 5G

The increasing size of DDoS attacks today is bad enough, but things are about to get worse with the widespread adoption of 5G. That’s because the implementation of 5G will usher in an age of unprecedented data speeds and significantly lower latency, meaning that DDoS attacks will have to be mitigated in a matter of seconds, not minutes.

With Ericsson estimating that the number of IoT devices with a cellular connection will reach 4.1 billion by 2024, it’s plain to see why vulnerable 5G-connected IoT devices will pose a serious threat to organisations around the globe. If left unchecked, the scale of 5G-connected IoT DDoS attacks is likely to make even the biggest attacks of today pale in comparison.

To combat the next generation of 5G DDoS attacks, it’s imperative that organisations implement advanced DDoS threat intelligence that combines real-time threat detection and automated signature extraction. Only then can organisations effectively defend themselves against the colossal, hyper-fast DDoS attacks of the future.

It is with advances in the 5G and IoT market that we will begin to see a rise in major DDoS attacks, as current reports show. It is a double-edged sword: the risks of using IoT are high, but the benefits are also many. If organisations can prepare themselves now for this future, then security teams can be ready to face the next large-scale DDoS threat before it arrives. If the warnings from these reports are instead ignored or left until the last moment, then DDoS attacks will be allowed to find the perfect partner in IoT.

Akamai Introduces Edge Platform Enhancements https://www.itsecurityguru.org/2019/03/04/akamai-introduces-edge-platform-enhancements/?utm_source=rss&utm_medium=rss&utm_campaign=akamai-introduces-edge-platform-enhancements Mon, 04 Mar 2019 17:01:50 +0000 https://www.itsecurityguru.org/?p=30295

The post Akamai Introduces Edge Platform Enhancements appeared first on IT Security Guru.

Akamai (NASDAQ: AKAM), the intelligent edge platform for securing and delivering digital experiences, today announced enhancements designed to help businesses accelerate their cloud migration strategy. The new features protect content, apps, and APIs, accelerate web and mobile experiences, and help make development teams more agile as they move to the cloud.

“Eighty-five percent[1] of companies today have a hybrid cloud strategy, but many have begun to realize that the cloud brings significant challenges to security, operations, and cost management,” said Rick McConnell, President and General Manager of Akamai’s Web Division. “Cloud migration introduces complexity that can slow app deployments, cause cost overruns, and expose businesses to previously unknown security risks. With enhancements to our platform, Akamai surrounds and extends client infrastructures, leveraging the edge and advanced security to alleviate cloud challenges.”

Enhancing Security

Akamai has expanded its portfolio of adaptive security capabilities that are architected to enhance protections while enabling businesses to deliver excellent user experiences. New offerings can intelligently serve or block access to content with a fully integrated Virtual Private Network (VPN) and Domain Name System (DNS) proxy detection service. Intelligence added to Akamai’s Token Authentication capabilities extends coverage for browsers and devices that do not support cookies and also makes it more difficult to play back stolen content. Finally, standard TLS addresses the need to deliver HTTPS at massive scale while providing a customer-branded SSL certificate, all of which are critical for large broadcasters and streaming TV distributors.

To fight the growing threat of increasingly sophisticated bots, Akamai has continued to develop technologies designed to improve visibility into malicious botnet activities on customer sites as well as those targeting other businesses. In addition to enhanced detections in the company’s bot management solution, Akamai has also improved self-serviceability, enabling customers to fine-tune their own settings for advanced bot detection and deploy agile defences against fast-evolving automated threats.

Organisations undergoing digital transformation are heavily leveraging APIs to power new customer experiences and create new revenue streams. Protecting APIs requires purpose-built solutions for governance, management, and security. Akamai now supports automated protections of API traffic, new attack groups across its web application firewalls, and advanced throttling capabilities in its API Gateway solution.

Akamai’s managed DDoS solution now includes improved traffic profiling and attack reporting along with the ability for security teams to better configure app-layer DDoS protection. Customers benefit from the value of an edge platform, with edge servers positioned to automatically block network-layer DDoS attacks and respond to application-layer DDoS attacks within seconds.

Akamai has also integrated its security and performance services with the Akamai Identity Cloud following the acquisition of Janrain, the industry-leading customer identity access management solution. This significantly improves the protection and performance of consumer login pages and is poised to deliver incremental value to customers in combating additional fraud use cases in 2019.

Akamai will showcase its full range of security solutions at RSA Conference USA 2019 in San Francisco, March 4-8, where Akamai will exhibit in booth 6153, Moscone Center North Hall.

Accelerate Time to Value

Akamai has also launched new capabilities designed to help organisations innovate faster and gain greater agility. Automating adaptive acceleration capabilities including HTTP/2 performance optimisations and loading font libraries can improve user experiences. To further improve security, Akamai is now making TLS 1.3 delivery standard.

The company has also expanded its image management solution to include support for short-form video that helps improve customer experiences through rich, engaging content. A series of new features support DevOps teams, including middle-mile logs to more precisely investigate performance issues and the ability for developers to test their logic in a local development environment before deploying those changes to production.

Streamline Operations

The Akamai Intelligent Edge Platform is also introducing an expansive set of improvements that support the operation of sites, apps, and APIs, from concept to production deployment. A completely re-engineered Akamai Control Center simplifies operations with detailed reporting across security, acceleration and delivery from a single pane of glass. Through close collaboration with its customers, Akamai has improved navigation, optimised alerting, made it more intuitive to take action, and added real-time support capabilities including a live chat function.

Teams looking to automate deployment and operations can leverage the robust DevOps and APIs to accelerate time to market, including real-time production management capabilities, scriptable APIs and toolkit integrations. Customers leveraging the Akamai edge can not only carefully monitor application usage and performance but also maximise offload to optimise their cloud service investments. These features can create efficiencies for internal teams by allowing them to scale, accelerate their pace of development, and achieve more predictable cloud pricing, while reducing downtime.

A new set of purpose-built services offerings, from architecture, design and project scoping through fully managed security and performance optimisation, act as an extension to digital application teams. The Akamai Health Check Service provides customers with insights into their traffic and the effectiveness of their deployed digital experiences from Akamai delivery, security, and performance optimisation experts.

To learn more about the spring 2019 updates to the Akamai Intelligent Edge Platform, visit akamai.com/march2019.

About Akamai

Akamai secures and delivers digital experiences for the world’s largest companies. Akamai’s intelligent edge platform surrounds everything, from the enterprise to the cloud, so customers and their businesses can be fast, smart, and secure. Top brands globally rely on Akamai to help them realise competitive advantage through agile solutions that extend the power of their multi-cloud architectures. Akamai keeps decisions, apps and experiences closer to users than anyone — and attacks and threats far away. Akamai’s portfolio of edge security, web and mobile performance, enterprise access and video delivery solutions is supported by unmatched customer service, analytics and 24/7/365 monitoring. To learn why the world’s top brands trust Akamai, visit www.akamai.com, blogs.akamai.com, or @Akamai on Twitter.

A Shift From Quantity To Quality: 2018 Saw Cybercriminals Dropping Basic DDoS Operations. https://www.itsecurityguru.org/2019/02/07/a-shift-from-quantity-to-quality-2018-saw-cybercriminals-dropping-basic-ddos-operations/?utm_source=rss&utm_medium=rss&utm_campaign=a-shift-from-quantity-to-quality-2018-saw-cybercriminals-dropping-basic-ddos-operations Thu, 07 Feb 2019 10:18:01 +0000 https://www.itsecurityguru.org/?p=29976

The post A Shift From Quantity To Quality: 2018 Saw Cybercriminals Dropping Basic DDoS Operations. appeared first on IT Security Guru.

The Kaspersky Lab DDoS Q4 Report covering statistics of the last quarter and the whole of 2018 highlights a 13% decline in the overall number of DDoS attacks when compared with the statistics from the previous year. However, the duration of mixed and HTTP flood attacks is growing, which suggests that malefactors are turning to more sophisticated DDoS attack techniques.

The low cost of DDoS-for-hire makes such attacks one of the most affordable cyberweapons for evil competitors or internet trolls. Businesses, regardless of their size or industry, can face this threat and suffer revenue and reputation losses if legitimate users and customers cannot access the company’s web resources. Despite the number of DDoS attacks falling in 2018, it’s too early to rejoice, as a decrease in the number of attacks does not mean a decrease in their severity. According to Kaspersky Lab researchers, as more and more organisations adopt solutions to protect themselves from simple types of DDoS attacks, 2019 will likely see attackers improve their expertise to overcome standard DDoS protection measures and bring the overall complexity of this type of threat to the next level.

Although the number of attacks is decreasing, analysis from Kaspersky Lab experts has found that the average attack duration is growing. Compared with the beginning of the year, the average length of attacks has more than doubled, from 95 minutes in Q1 to 218 minutes in Q4. It is notable that UDP flood attacks (in which the attacker sends a large number of UDP packets to the target’s server ports in order to overwhelm it and make it unresponsive for clients), which accounted for almost half (49%) of the DDoS attacks in 2018, were very short and rarely lasted more than 5 minutes.

Kaspersky Lab experts assume that the decline in the duration of UDP flood attacks illustrates that the market for easier-to-organise attacks is shrinking. Protection from DDoS attacks of this type is becoming widely implemented, making them ineffective in most cases. The researchers propose that attackers launched numerous UDP flood attacks to test whether a targeted resource is unprotected. If it immediately becomes clear that the attempts are not successful, malefactors stop the attack.

At the same time, more complex attacks (such as HTTP misuse), which require time and money, will remain long. As the report revealed, HTTP flood attacks and mixed attacks with an HTTP component, whose shares were relatively small (17% and 14%), accounted for about 80% of total DDoS attack time across the whole year.

“Most simple DDoS attacks don’t achieve their aim. Because of this, cybercriminals aiming to benefit financially from these attacks only have two options. The first option is that they could divert the resources required for DDoS attacks towards other sources of revenue, such as cryptomining. Their second option is to improve their technical skills. Given this, we can anticipate that DDoS attacks will evolve in 2019 and it will become harder for companies to detect them and stay protected,” comments David Emm, Principal Security Researcher at Kaspersky Lab.

Regarding results from the last quarter, the longest DDoS attack in Q4 lasted 329 hours (almost 14 days); an attack of such length was last registered at the end of 2015.

The top three countries from which the most DDoS attacks were conducted remain the same. China is again in first place, but its share dropped significantly from 77.67% to 50.43%. The US remains second and third place is still occupied by Australia.

By target distribution, China still tops the list, but its share declined to 43.26% (70.58% in Q3).

In Q4, there have also been changes in the countries hosting the most C&C servers. As in the previous quarter, the US remained the leader, but the UK and the Netherlands came second and third, replacing Russia and Greece respectively. This is likely because the number of active Mirai C&C servers increased significantly in the aforementioned countries.

Kaspersky Lab recommends the following steps to protect an organisation from DDoS attacks:

· Train personnel to respond to such incidents in a proper way;

· Ensure that a company’s websites and web applications can handle high traffic;

· Use professional solutions to protect against attacks. For example, Kaspersky DDoS Protection combines Kaspersky Lab’s extensive expertise in combating cyberthreats and the company’s unique in-house developments. The solution protects against all types of DDoS attacks regardless of their complexity, strength or duration.

About Kaspersky Lab

Kaspersky Lab is a global cybersecurity company, which has been operating in the market for over 20 years. Kaspersky Lab’s deep threat intelligence and security expertise is constantly transforming into next generation security solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection and a number of specialized security solutions and services to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky Lab technologies and we help 270,000 corporate clients protect what matters most to them. Learn more at www.kaspersky.com.
