Distributed Denial-of-Service, DDoS Failure from service
Flow of false requests which tries to block the selected resource or by an attack on a communication channel which "is chucked in" with the huge mass of useless data, or the attack directly the server servicing this resource. Such actions are used for the purpose of competitive struggle, direct blackmail of the companies and also for derivation of attention of system administrators from other illegal acts.
The distributed attacks like "failure from service" (distributed denial-of-service, DDoS) for the first time appeared in news in December, 1999; and this case was connected with trin00 system based on use of a botnet. These attacks evolve today, but the principle remained the same: hundreds and thousands of geographically distributed hosts begin to bombard empty requests of the server then the last begin to test an overload and cannot timely process legitimate requests. All this time producers try to develop products which effectively resist to DDoS.
The attacks of DoS and DDoS often meet in the world of Internet security. First, they are not directed to vulnerabilities which can be corrected; secondly, each separate packet is quite legitimate — only their set leads to destructive effects, and, thirdly, such attacks have long character – they last several hours or days, instead of several seconds or minutes.
For many years did not pay to the attacks of DoS and DDoS due attention as they were considered as niche. The situation sharply changed in 2011 when the Anonymous group selected the DoS/DDoS-attacks as the main method of attack. Inspired with the power and destructive effects of such attack, the Anonymous group turned it into the main method of fight, drawing to it attention not only communities of security experts, but also general public. In spite of the fact that the activity of group decreased in 2012, it laid the foundation for further development of this type of the attacks. Many groups of hackers began to use DoS/DDoS – the haktivist financially motivated criminal the organizations and even government structures became interested in the opening opportunities.
Types of DDoS attacks
- Errors in a program code to which operation special exploits – programs are applied, or code fragments using vulnerabilities in software during the attack. To WinNuke and the Ping of Death – examples of the exploits incapable to set control over the system of the enemy, but successfully performing DDoS attack.
- Nedoproverka of user data - leads to the increased long resource consumption of the processor, or to selection of large volume of RAM (up to exhaustion of processor resources and available memory).
- Flood (from engl. flood — "overflow") — a large number of unsystematic and senseless questions to a system with the purpose to put it out of action (the reason - exhaustion of resources of a system: memories, processor or communication channels).
- The attack of the second sort — causes false operation of a system of protection and results in unavailability of a resource.
According to forecasts of analysts of Gartner, in 2013 up to 25% of the distributed attacks with failure in service it will be aimed at specific applications. Using target DDoS attacks and social engineering swindlers try to get into banking systems, analysts warn.
The first similar attacks against banks were mentioned in the USA in the second half of 2012. Via channels the Internet about 70 gigabits of noise traffic sometimes went to the bank websites per second. Still the majority of the attacks at the level of network absorbed no more than five gigabits per second. Resulted transition to the level of applications and increase in intensity of the attacks in utter impossibility of use of the websites.
But the main objective of DDoS attacks, according to analysts, is derivation of attention of security services of banks. In the report of Gartner examples of how swindlers gain the confidence of clients of banks are given, being represented by police officers or bank clerks, it is entrusted to them to help the client to pass to the new account.
Analysts recommend implementation of multilevel technologies of protection against DDoS attacks, fraud preventions and identity certificates.
Trends of development of instruments of the attack
DDoS are Make
Tools for the organization of DDoS attacks turned into a trade subject. Of course, they still cannot be found in free sale in online stores, but on the illegal websites it is possible to find a huge number of different options – packets of the DDoS tools, price lists and even services of the organization of DDoS attacks. Availability of such DDoS of packets lowered requirements to the organization of network attacks and attacks on applications. Anyone, from individuals to the criminal cyberorganizations, can easily configure a botnet for attack start.
Packets of tools for DDoS attacks
Packets of tools for which use it is not required to write the code or to be an experienced hacker, allow beginners to configure a botnet easily. A packet of tools for DDoS attacks represent the software package, consisting of two components - the designer of bots and the server of management.
- Bot Builder is the tool for step-by-step creation of bots with the graphical interface which allows attacking to create the executable file (bot) extended to computers which will be a part of a botnet. The created bot contains the address of the server of management with which it can exchange data.
- The command center (Command and Control, C&C) - represents the page of the administrator which is used by the malefactor for tracking of a status of bots and departure of commands.
Right after the C&C installation and preparation of the performed bot, the malefactor should give a bot as it is possible for the bigger number of other computers which will become a part of a botnet, using public methods, such as social engineering and attacks for passing loading when the web browser, there is it Internet Explorer or Chrome, is used in order that in a fraudulent way to induce the user to load and start the malware. As soon as the army of bots reaches the necessary sizes, it is possible to start the attack.
As any professional software developers, developers of tools for DDoS attacks improve the products and release new versions which then are published and on sale. In the world of illegal software the majority of such packets represent versions of other bots, executable files and/or the source code of which was changed and renamed. The group of the tools made from the general source usually is called "family".
DDoS attacks to order
The prevalence of DDoS-programs promoted also emergence of services of custom DDoS attacks. The criminal cyberorganizations use simplicity of application of packets for DDoS that at different illegal forums to offer services of accomplishment of such attacks.
Typical "business scenario" of the order DDoS attack can include such offers as "put the website of competitors out of action" or, on the contrary, to apply racketing like "pay us for that we did not put your website out of action".
Dangers of IoT-devices
- Twente university, Netherlands: In 2012 9 billion IoT of devices are produced and it is expected that in their 2020 there will be not less than 24 billion
- According to Cisco estimates, the percent of Internet traffic generated by the devices which are not personal computers will increase nearly 70% to 70% by 2019.
- The IoT-devices compromised with malware can become the platform for undesirable traffic
- Computing powers of IoT-devices (home routers) exceed profile requirements to these devices
- Using the average speed of connection of 15.85 Mbps (data of telecom operators), generation of DDoS attack 586 GB wide / with requires about 37,890 devices
What DDoS attack is aimed at
Effectively to be protected from DDoS attacks, it is necessary to differentiate potential dangers. Depending on subject to the attack:
- Resource-intensive packets with the counterfeit addresses "hammer" communication channels that complicates or blocks access to the website of legitimate users. Broad capacity of communication channels will help to be protected from the attacks of this type.
- If system resources are exposed to the attack, then its performance decreases therefore a system works slowly or hangs up. Attacking it is perfectly known what data packets need to be sent to the computer victim for loading.
- Vulnerabilities of software are used by the destroying attack which can change a configuration and parameters of a system. Any unauthorized changes should be traced and be eliminated. The script of protection against ddos primenyatesya in each separate case.
Vulnerable elements are the server, the firewall and Internet channel
- Servers are vulnerable for that simple reason that malefactors will often organize the attacks so that they consumed more resources, than those which the server has.
- The Internet channel becomes vulnerable for the attacks which are aimed at capacity exhaustion, and are called "volume flood". UDP flood or TCP flood consuming a lot of capacity of the channel belong to such attacks.
- In spite of the fact that the firewall is the instrument of security and should not serve as a weak spot for the DoS/DDoS-attack, during such attacks as SYN flood, UDP flood and overflow of connection, malefactors can generate many statuses that firewall resources exhaust until he does not become a weak point of infrastructure
Attacks to CDN
Attack on the website
The purpose one – "suspend" a system, put your website out of action. Competitors in the market deal with each other with the help of professional hackers. There is even so-called ddos-business. Protection against DDoS attacks in such conditions is simply necessary. In due time the website of the Kommersant newspaper, Echo of Moscow radio station and even the website of the Kremlin were exposed to DDoS attacks, for example, also often the websites of banks and online stores become the victims. Depending on a season the different websites are attacked.
Preventive protection against DDoS attacks becomes customary practice. According to our experts, many companies facing in the past the attacks rise in defense against cyber attacks a month before the beginning of a season, "high" for the business.
Protection should be activated at all levels:
- The provider can provide basic protection. Also we advise to purchase a hosting with protection against ddos. It is multi-layer system which will protect your website from the attack.
- The firewall and firewall will help to be protected from DDoS attacks at the level of network. At DDoS attack on the server it will help to recognize threat and to win time for protection, and the small attack can be stopped also by these means.
- It is important to use the relevant equipment that will help to be protected from ddos at the level of hardware. It is also necessary to monitor that the software had no errors and vulnerabilities.
DDoS attacks in Russia
Main article: DDoS attacks in Russia
Protection against DDoS attacks
Main article: Protection against DDoS attacks
Destruction of Service, DeOS (service interruption)
The main article on this subject is published here.
The New Zealand stock exchange did not work 4 days because of cyber attacks
At the end of August, 2020 stock exchange of New Zealand it appeared under blow of cyber attacks and did not work 4 days in a row. Periodic interruptions began on Tuesday August 25 therefore the securities trading stopped before the termination of exchange day. Read more here.
Ukraine endured the largest DDoS attack in the history. 1/10 all networks was open to attack
At the end of July, 2020 it became known of the largest DDoS attacks in the history of Ukraine. Under blow there was the tenth part of all telecommunication networks in the country.
According to RBC Ukraine with reference to the deputy secretary of Council of national security and defense of Ukraine (NSDC) of Sergey Demedyuk, the repeated attacks using bots continued of 40 minutes till 1.5 o'clock within several days, having reached value about 780 Gbps. Hackers managed to achieve shutdown of 15% of the world Internet. After date leak in the Darknet the real IP addresses of 45 websites with the domain "gov.ua" and over 6.5 thousand with the domain "ua" appeared, Demedyuk told.
According to Demedyuk, such cyberattacks on Ukraine were not yet: hackers used not the power of the infected devices, but a strimingovy video flow for load of the IP address. Violation of work of telecommunication providers was the purpose of DDoS attacks, he said.
Besides, as the representative of the NSDC emphasized, the attack was performed not to the specific addresses, and the whole ranges, at the same time used the broken webcams.
|Their default settings (for example, login: admin, password: admin) were one of basic reasons of receiving unauthorized access to remote control — Sergey Demedyuk said, having added that by the end of July, 2020 of the NSDC he works on recording all digital traces of this attack now and to collect data in different parts of the world where such attacks were recorded.|
According to the Center of cyber security at the National commission on regulation in the field of communication and informatization (NKRSI), in the second quarter 2020 of DDoS attack became the reason of 46% of cyberincidents in public sector. At the same time in the non-state sector this share indicator was 1%.
Amazon reflected the largest DDoS attack in the history
In the middle of June, 2020 it became known that in February of Amazon using AWS Shield service reflected the largest DDoS attack in the history which at peak of power reached speed of 2.3 tbit/page Read more here.
The number of DDoS attacks in the world jumped by 180%
Experts did not specify the number of cyberattacks of a type "failure in service" and only reported that growth is observed in all categories of the attacks. The highest dynamics is registered among the attacks with power up to 5 Gbps again.
The strongest attack in 2019 had the power of 587 Gbps that for 31% exceeds the maximum indicator of previous year. The extreme intensity of DDoS attack in 2019 was measured by 343 million packets per second — it is 252% more, than the previous year.
However, despite the growing peaks, the average amount of the attack (12 Gbps) and intensity (3 million packets per second) remained invariable. The most long single attack in 2019 lasted three days, 13 hours and eight minutes.
Also experts noted growth of number of so-called smart DDoS attacks which are performed by very experienced cybercriminals, and the attacks which are directly aimed at network infrastructure.
In 2019 about 85% of all attacks used not less than two vectors of threats. This number is comparable to an indicator for 2018; however the number of the attacks using two or three vectors increased from 55% up to 70%, the number of the simple one-vector attacks and difficult four - and the five-vector attacks respectively decreased.
Neustar also polled information security specialists, and 58% from them called DDoS attacks by the growing front of cyberthreats along with social engineering using e-mail (59%) and viruses racketeers (56%).
Experts warn that in connection with the growing transition of staff of the companies and state institutions to remote work the number of DDoS attacks can increase.
Qrator Labs: Top trends in the field of network security and availability of the Internet
Growth of the market IoT means that malefactors vulnerable devices if desired can operate, creating a considerable throughput band attacks – as it occurred in the middle of the year when protocol WSDD was used for drawing visible damage. The protocol Apple ARMS which was used for receiving coefficient amplifications about 35.5 was also visible in attacks to network of filtering Qrator Labs.
Technology of the attack like Amplification ("gain") is that on the vulnerable server, not suspecting party belonging to the third nothing, a request which this server repeatedly is replicated and goes to the website of the victim is sent. In this case for gain of the attack the LDAP and TCP protocols were used.
The attacks involving SYN-ACK amplification vector became one of the most serious network threats whereas till 2019 remained only the theory. One of the first loud attacks using the SYN-ACK technology of amplification was organized on the international hosting Servers.com platform. Traffic of amplification of SYN/ACK reached peak values in 208 million packets per second, and the longest period of the attack with continuous bombing by "garbage" traffic was 11.5 hours.
Also the fact that the reaction method which is most often used in the past in the form of reset of all UDP traffic which is virtually neutralizing a big share of the attacks using amplification does not help to neutralize SYN-ACK vector at all is quite interesting. The smaller Internet companies experience huge difficulties at neutralization of similar threats as it requires involvement of more complex measures for fight against DDoS attacks.
In 2019 the class of problems connected with use of the BGP protocol for optimization of passing of networks of telecom operators was revealed. Many companies want to control automatically a flow of the outbound traffic, it allows them to reduce costs significantly. For this purpose the different devices using specific tactics for work with the BGP protocol which can work only are installed if around them the filters preventing leakage of routes are correctly configured. Unfortunately, there are few specialists able to configure correctly filters in this connection optimizers constantly "break" and routes flow away in the unknown direction.
So, in January, 2020 on one of points of exchange of traffic in St. Petersburg routes to Google, Facebook, Instagram from provider from the Donetsk People's Republic who was engaged in optimization of traffic were suddenly redirected. Similar incidents are dangerous not only emergence of errors in network, but malicious interception of traffic (Man-in-the-middle attack).
Recently such situations happen because of purchase of BGP optimizers regularly. The industry of the qualified network engineers actively supports restriction of use of optimizers as nobody is able to work with them. However already and in Russia it is possible to observe how BGP optimizers for expense reduction on traffic begin to buy many companies that in the light of enforcement of the legislation about points of exchange of traffic and autonomous systems can give very unpleasant cumulative effect.
|"Criminals can monetize a botnet network in several ways. The most widespread of them ̶ implementation of services of DDoS attacks, cryptocurrency mining, use in the target attacks ̶ in particular, for selection of passwords to servers, or just delivery of a botnet in lease. At the same time we observe emergence of really multifunction botnets, a bright example of that ̶ Neutrino which not only operates vulnerabilities for cracking of servers and mines cryptocurrency, but also cracks others web shells, intercepting control over the resources which are already cracked with someone. As of February, 2020 Neutrino is included into top three on number of the attacks on Positive Technologies hanipota",|
In spite of the fact that mobile device manufacturers try to support as much as possible versions of modern applications, in 2019 it became noticeable that many of them nevertheless cease to be updated on old devices. More it concerns the popular browser – Chrome. As of February, 2020 there are whole parks of devices at which old versions of the browser work, and new – do not become available. These old versions of browsers comprise vulnerabilities which can lead to a personal data leakage and financial information.
On the other hand, on many Chrome devices it continues to be updated actively at the expense of what the Google company presumably holds A/B testing of the browser on users.
All got used to consider that when there is the next version of the browser, all computers automatically to it are updated. However it not absolutely so. Google at the same time releases two minor versions of the Chrome browser (affecting less considerable improvements and completions) and a part of the user devices updates to one, a half – to another. Most likely, it becomes for testing of the QUIC protocol which is supported in Google Chrome. QUIC (Quick UDP Internet Connections) is the experimental Internet protocol drafted by Google for replacement of an old stack of the WWW protocols. Vulnerability of QUIC consists that its unreasoned implementation in Internet services can weaken their protection against DDoS attacks. Sets of tools, popular with malefactors, for the organization of DDoS attacks have the built-in support of UDP that can pose a big threat for QUIC, than for the traditional WWW protocols based on TCP.
The situation with testing of Chrome shows how Google develops network protocols of new generation. In this way comes to light in what of versions of Chrome the responsiveness where different network parameters work better at which of users the page opens quicker is better. Such situation is essential to users from that point of view that at two individual people the websites can begin to open a little differently. Also it is an indicator of how quickly Google (or other companies, for example, of Telegram) can unroll the new protocol, for example, for a bypass of blocking, on all devices of the world.
|"By our estimates, the total quantity of DDoS attacks for 2019 grew approximately by 1.5 times. Such increase in number of incidents was reached due to growth of the attacks on the separate industries: banks, payment systems, cryptoexchanges, online retail, dating sites. It is possible to observe that in the last year repartition of certain markets between his certain players was observed. And if large business can sustain attacks, then for medium business it is a big problem: the small companies often have no free financial resources for use of external solutions on protection on a permanent basis therefore they become more often than others the victims of DDoS attacks",|
According to formal data of Qrator Labs, attacks on the sector of media decreased by 7.59%, however the situation is slightly more difficult, than it seems. At the end of 2019 – the beginning of 2020 of attack on mass media grew much. In recent years most the Russian media began to use free or inexpensive means of protecting from DDoS, in particular, foreign. As budget protection often has appropriate level of quality (in view of, in particular, errors at its implementation), at the end of 2019 the industry observed a set of the successful attacks on the websites of mass media. As a result malefactors understood that the majority of the websites of media can be brought down easily even by the minimum efforts, and recently they began to do it just just for fun.
|"In 2020 continuation of a situation with the attacks to media will be observed. At the beginning of a year there was a large number of newsmakers, many of which caused a ready response in minds of people, both positive, and negative. Rough splashes in Info-Space are usually followed by active attempts of cracking and DDoS attack to which the industry of media can be not ready",|
'Artem Gavrichenkov, the technical director of Qrator Labs noted'
Data of the company Positive Technologies specializing in software development and rendering services in the field of cyber security show that from the point of view of attacked by cybercriminals of the industries leadership at the end of year remained behind public institutions, the companies of the industrial and financial industries and also the medical and scientific organizations. In most cases computers, servers and network equipment of the target companies remained object of cyber attack within a year.
|"For protection against the mass attacks it is enough to follow standard recommendations. But such approach does not work at the difficult purposeful attacks of professional hackers. It is necessary to study them technicians and tools, to implement the specialized systems of protection which such tools and technicians are capable to detect: SIEM (Security information and event management), NTA (Network traffic analysis), sandbox (Sandbox), etc. And of course, it is important to increase practical skills of staff of service cybersecurity, opposition to difficult threats requires high qualification of personnel",|
According to Positive Technologies, attacks on web resources of the organizations entered in TOP-3 in popularity among cybercriminals, but at the same time did not exceed 20% in total number. Public institutions and, in particular, portals of the public and municipal services were most subject to them.
|"An attack on the web application – one of the most popular methods of the attacks in principle. Within testings of the security level our experts regularly confirm the facts of possible penetration into networks of the companies via the vulnerable websites. But if the organization uses means for protection, then the probability of the successful attack considerably decreases. There is a chance in time to react to threat and to block attacking. Unfortunately, the websites of the state organizations contain a set of vulnerabilities, and due attention is not paid to protection of web applications. In focus – security of the websites of the state or regional value, at the same time the set of less significant resources still remains is vulnerable. Criminals know and use it, for example for theft of information, a defeys, mining or just for debugging of new instruments of the attack before carrying out the attacks on larger purposes. It is possible to rank as the most vulnerable also the websites of educational and medical institutions",|
'Evgeny Gnedin, the head of the analytical department of information security of Positive Technologies noted'
China uses for DDoS attacks "The great gun" again
According to analysts of AT&T Cybersecurity, the Chinese authorities activated "The great gun" (Great Cannon) again —  the powerful tool for DDoS attacks which was last time used two years ago.
Last time "The great gun" was used in 2017, when the Chinese authorities used it for DDoS attacks on Mingjingnews.com, the Chinese news website in New York. Before the tool was used for the organization of DDoS attacks on GitHub as there place the utilities helping the Chinese users to bypass a national firewall, and GreatFire.org — the portal devoted to Internet censorship worldwide.
Now experts of AT&T Cybersecurity claim that "The great gun" is used again. This time the website LIHKG.com became a target for the attacks - it is the online platform where organizers of protests in Hong Kong share information on venues of daily demonstrations. Also the website is the place of collecting for residents of Hong Kong where they publish a story about abuses of police and where load video proofs.
The number of technically difficult DDoS attacks in the second quarter grew by 32%
On August 5, 2019 it became known that the number of technically difficult DDoS attacks grew by 32% in comparison with the same period of 2018 and made nearly a half (46%) of the total number of these cyberthreats.
As it was reported, the attack lasting 509 hours (21 days) was in the second quarter recorded. It is a record: earlier it made 329 hours. In general the share of the long attacks became less, than at the beginning of a year.
The number of DDoS attacks directed to the resources located in Russia remained, in comparison with the second quarter 2018, approximately at the previous level, having decreased by 9%.
|Usually malefactors who try "put" the websites for entertainment go on vacation till September. And here professionals who stand behind technically difficult attacks, on the contrary, as our statistics showed, work in the summer even more intensively. The companies should pay attention to it. Many organizations are well protected from large volumes of undesirable traffic, but it is not enough in case of the "smart" attacks which require recognition of illegitimate activity even if not really there is a lot of it. Therefore we recommend to the companies to be convinced that their solutions for protection against DDoS are ready to reflection of this type of cyberthreats.|
Alexey Kiselyov, the business development manager of Kaspersky DDoS Protection in Russia told
Kaspersky Lab advises to take the following measures for protection against DDoS attacks:
- be convinced that corporate websites and IT resources are able to process a large number of traffic;
- use specialized protective solutions.
The palm by the number of the attacks directed against the purposes in the specific region still remains beyond China (63.80%), on the second place still to the USA (17.57%), and on the third — Hong Kong (4.61%).
Fluctuations in the first three are insignificant, but in rating there were again countries from which the DDoS-activity is not expected: this time it is the Netherlands (the 4th place from 1.54%) and Taiwan (the 7th place from 1.15%).
For August, 2019 top ten by quantity of unique targets approximately corresponds to top ten by the number of the attacks: the first three places were also taken by China (55.17%), the USA (22.22%) and Hong Kong (4.53%). Except them the top ten by this criterion included Taiwan (1.61%) and Ireland (1%).
Most rough month this quarter there was an April, 2019 on which fell including peak of the attacks, the most silent — the May following it.
Statistically most of all attacks were made on Monday (17.55%), and there was a Sunday (10.45%) in the quietest afternoon.
The greatest share of garbage traffic in quarter still fell on SYN flood (82.43%) which UDP (10.94%) followed. However HTTP and the TCP traffic traded places: the last was beaten out forward (3.26%), and the share of the first made only 2.77%.
In geographical rating by the number of command servers of botnets the USA (44.14%), on the second place Netherlands (12.16%), and on the third — Great Britain (9.46%) are in the lead. It is interesting that this quarter top ten was left by Russia.
Indicators of the first three of the countries by the number of the attacks directed against the purposes in the specific country this quarter almost did not change: on the first place still China though its share decreased approximately by 4 items and made 63.80%. On the second place of the USA with almost former share (17.57%), and on the third — Hong Kong, whose "deposit" to the total number of cyber attacks (4.61%) also changed very little.
The trend of last quarters proceeds: in ten unexpected guests appear again. This time it is the Netherlands which took the fourth place from 1.54% and Taiwan which was the 7th from shares of 1.15%. And if the Netherlands already got to ten in 2016 or approached it close, then for Taiwan it is quite significant growth in indicators. Ten was left by France and Saudi Arabia, and Canada fell from the 4th place by the 8th though in numerical expression its share even raised, having made 0.93%. Vietnam took the last place in ten (0.68%), and Great Britain rose in rating by one position, having become the sixth (1.20%). Singapore still the fifth though its share also grew up (up to 1.25%).
Distribution of number of the unique purposes more or less corresponds to distribution of number of the attacks. The first four places match: China from 55.17% (its share decreased, and too approximately by 4 items), the USA from 22.22% (their share grew approximately by 1 items), Hong Kong from 4.53% (the share decreased by only 0.2 items) and the Netherlands from 2.34% (here changes were considerable because they in the last quarter Netherlands did not even enter ten).
In the field of geographical distribution of command servers of botnets leadership still remains for the USA (44.14%). Except them the Netherlands (12.16%) and Great Britain (9.46%) were in the top three. China appeared only on the fifth place (4.95%), and the share of South Korea made 1.80% that made it penultimate in this rating. Besides, Greece (1.35%) got to ten this quarter, however dropped out Romania, and — that is especially unexpected — Russia.
The hacker was given 2 years of prison for DDoS attacks on Sony
At the beginning of July, 2019 the 23-year-old hacker from the State of Utah Austin Thompson was sentenced to 27 months of prison and payment of a penalty in the amount of $95 thousand for a series of DDoS attacks for game servers of Sony and other companies. Read more here.
Having crushed custom DDoS-service, the authorities decided to punish also his clients
The europol and other law-enforcement organizations began active searches of users of services of custom DDoS attacks. It became continuation of the international transaction Power Off as a result of which in April, 2018 detectives neutralized the largest DDoS-service Webstresser.org and arrested its owners.
As a result of transaction the information about clients of Webstersser.org fell into hands of law enforcement authorities. At the time of its neutralization service had 136 thousand registered clients, and all law enforcement agencies received users of DDoS-service given on 151 thousand.
The attacks were ordered on the most different objects, from game servers to banks and government agencies.
The europol announced that the police of Great Britain perform large-scale operation on search of clients of Webstresser now. Investigators already visited several suspects and withdrew not less than 60 personal devices for the analysis. Charges against 250 people — users of both Webstresser, and other similar services prepare.
Falling of average duration of DDoS attacks till 2.5 o'clock against the background of growth of their intensity
Key observations of 2018:
- The average duration of DDoS attacks fell till 2.5 o'clock;
- 2018 showed presence of the computing force capable to generate the attacks by intensity hundreds of gigabits per second in one country or the region;
- The intensity of DDoS attacks continues to grow together with the simultaneous growth of a share of the attacks with use HTTPS (SSL);
- The most part of modern traffic is generated on mobile devices, representing a task for organizers of DDoS and the following call for the companies which are engaged in protection of networks;
- The BGP protocol became an attack vector, for 2 years after the expected term;
- Manipulations of DNS are still the most destructive attack vector;
- Emergence of amplifikator, such as memcached and CoAP is expected;
- All industries are equally vulnerable to cyber attacks of any sort.
2018 began with the attacks, record on intensity, from memcached amplification which marked the beginning of the next era of DDoS attacks. 2018 showed that, in addition to manipulations with BGP, terabit DDoS attacks are capable to put Internet service providers of the average level out of action if not the largest.
A serious threat is posed by the high-intensity DDoS attacks concentrated in one region. The similar attacks by intensity in 500 Gbit/sec. generated for 100% in one region were already recorded in 2018. Such events will take place even more often in many countries and regions whose networks became fast and effective. Europe, Russia, China, America, India - all these huge territories already have the steady networks ready to being aimed at removal from a system the regional purposes.
The number of the ciphered attacks considerably grew. In previous years the similar attacks were rare, and malefactors used first of all an old vector of HTTP. The bots capable to use of ciphers represent paramount danger as have broad learning capabilities.
The BGP protocol becomes more and more demanded at attacking which even more often use it for interception of traffic and redirection of users on false phishing pages. At the same time enciphering will not protect users from deception as malefactors learned to sign SSL certificates, and therefore such pages do not cause suspicion in the ordinary visitor in view of lack of an evident difference between this, legitimate web page and false.
Manipulations of DNS, such as cache poisoning (damage of integrity of data to the DNS system by filling of a cache of the DNS server given, not proceeding from an authoritative DNS source), very often accompany attempts of interception using BGP. In 2018 Qrator Labs became the witness of theft of the various cryptocurrencies organized using a linking of these two protocols.
DNS amplification was and remains one of the most known vectors of DDoS attacks of the data link layer. In case of the attack the considerable probability of an overload of connection to higher provider exists intensity in hundreds of gigabits per second.
Botnets considerably developed for 2018, and their owners thought up another occupation - click fraud. With improvement of machine learning technologies and receiving in hands of the headless-browsers (working without network headings) occupation by click fraud became considerably simpler and reduced the price in only two years.
Machine learning already reached mass market and became quite available. With respect thereto emergence first, based on ML algorithms, DDoS attacks is expected in the nearest future, especially considering the decreasing cost of management and the increasing accuracy of analytics of such networks.
Identification becomes extremely serious problem and a task on the modern Internet as the most advanced bots do not even try to represent the person – they manage it and are in one with it space. The perspective of bots scanners and many other subspecies consists in very important economic a component. If 30% of traffic are illegitimate and come from undesirable sources, then 30% of costs for support of such traffic are useless.
The parsers and scanners which are a part of a wide perspective of bots came to the horizon only in 2018. During parsing epidemic which in Qrator Labs observed all second half of 2018 in Russia and the CIS it became obvious that bots far promoted in questions of enciphering. One request a minute are quite normal intensity for a bot which is very difficult for noticing without analysis of requests and the outbound traffic of answers.
Decrease in the encouragement attacking – the only way of counteraction. The attempt to stop bots will not bring anything, except the spent times and means. If anything clicks on the fact that it gives profit – it is necessary to cancel these cliques; when parsing it is possible to include a layer of 'false' information through which with ease there will pass a normal user in search of correct and reliable information.
Internet of Things
IoT as the industry did not make significant progress towards improvement of the general security for 2018. Researchers detected a class of the industrial equipment which is in large quantities connected to networks and has considerable vulnerabilities. Recent opening concerning the CoAP protocol demonstrate what similar open points of operation can be much.
Amplifikatora based on IoT are obvious further development of the idea of vulnerable services. Moreover, home attached devices are only a statistical top of this iceberg. There are also other groups of the 'attached devices' which are reported using protocols which are selected is unpredictable and do not provide sufficient protection of devices.
Open vulnerabilities in industrial Internet of Things will be operated further on condition of the invariance of the current development approach.
Throughout already progressive tense we live in the world of the multifactor attacks operating the attacking opportunities at once of several protocols for removal of the purpose from operating state.
DDoS attacks long time were a serious problem only for limited number business of the industries, such as e-commerce, trade and exchange, banking and payment systems. But with the continuing development of the Internet DDoS attacks of the increased intensity and frequency in all parts of the Internet are observed. The era of DDoS began with a certain threshold of capacity of home routers and, it is no wonder that with the advent of the microchip in each physical thing around the landscape of the attacks began to change promptly. 2018 was year of opportunities for "dark side". Qrator Labs saw growth of the attacks with their simultaneous complication and increase both volume in network terms, and frequencies.
Qrator Labs: key trends in the field of Internet security
Qrator Labs specializing in counteraction to DDoS attacks and ensuring availability of Internet resources in March, 2018 published the overview of the main trends of 2017 in the field of Internet security in Russia and in the world. In the report are described the main trends and problems in the field of availability and security of web resources connected with threats of DDoS attacks and cracking.
In 2017 the growing diversification of threats because of the increasing set of possible attack vectors is recorded. Range of critical vulnerabilities of a modern global network is so wide that malefactors can select different methods of creation of problems practically for any organization.
If it was possible to designate 2016 year of botnets and the terabit attacks, then 2017 became year of networks and routings. Such incidents as the leakage of routes of networks of Japan provoked by Google, interception of others traffic of Level3 in the United States and Rostelecom in Russia, as well as many others, show the steady and high risks connected with a human factor, based on insufficient process automation.
Internet of Things
|The main difference between 2016 and 2017 is that malefactors switched own attention from cracking of separate devices to attacks on clouds and IoT-platforms. Internet of Things provides to malefactors access to thousands of completely operable devices at the same time, often similar penetrations remain unnoticed. Cost efficiency — the reason for which we expect increase in frequency of the similar attacks on the whole clouds and platforms in 2018 — the CEO and the founder of Qrator Labs Alexander Lyamin noted.|
Many IoT-devices are still cracked using trivial methods, such as vulnerabilities in the web interface. Almost all such vulnerabilities are critical, and at the producer extremely limited opportunities for fast creation of a patch and its delivery in the form of updating.
Cracking of IoT-devices became frequent since the Mirai tools became a basic framework for creation of a botnet in 2017. Experts predict emergence still of the involved devices, big by quantity and scale, and, of course, much more dangerous botnets in terms of opportunities. Qrator Labs expects active emergence of larger botnets, than Mirai capable to the flood-attacks even without use of amplification-protocols.
In 2017 incidents of routing became same notorious, as well as botnets in 2016. It is known that such incidents can be not less large-scale and dangerous, than the attacks of a record botnet, leaving almost whole country without access to popular resources.
According to experts of Qrator Labs, in case of the BGP protocol (Border Gateway Protocol) it is necessary to be extremely careful as the potential loss can be enormous. As BGP manages transfer of all traffic from one AS (autonomous system) to another, it is not only about the increased delays in access to resources for users, but that is more important, about emergence of probability of the MiTM-attack on the encoded traffic. Similar incidents can affect millions of users in the different countries.
Vulnerabilities and intranet
2017 became this year of cracking. From epidemics of encoders before opening of Vault7 and Shadow Brokers archives, in addition to noticeable leaks owing to human errors where Uber and Equifax represent two loudest examples.
2017 showed how various types of the equipment can be vulnerable to different types of cyber attacks. It will be fixed in the future even more incidents connected with outdated program and the hardware, consider in Qrator Labs.
The attacks using smartphones can be made as on the basis of infection with the malware, even in case of their installation from official shops, and using similar BlueBorne of vulnerabilities. Browser expansions and plug-ins, network devices (which suffered within the last three years already enough), any equipment on joints of providers — everything can be repeatedly tested on resistance to the attacks and probably eventually, will not resist.
The market of ICO became this revelation for hackers in 2017. The attack trend at the most stressful moment for the organization (fund raising, advertizing campaigns) remains, and with the growing number of cryptocurrency projects of the attack on cracking are combined with DDoS. If the market of emission of cryptocurrency tokens continues the growth — this trend will only amplify, believe in Qrator Labs.
ICO are of special interest for all market parties. The huge amount of funds, and technical aspect of implementation of many projects frankly weak is already involved in this market. They are constantly cracked. Mining pools signatures of each block for the purpose of receiving remuneration for the signature of the block are attacked by the competing pool in the last seconds. Cloud cryptocurrency wallets constantly under the attack — during 2017 happened large cracking of such services to loss of all cryptocurrencies by their creators.
About a research
The overview is prepared by specialists of Qrator Labs at information support of Valarm company on the basis of monitoring of a situation in the industry and also based on statistics collected on clients of the companies in 2017.
In the Darknet it is possible to order DDoS attack for $10 per hour
Researchers of security from Armor company published in March, 2018 the report on the underground markets in the Darknet. Experts studied quotations on the most popular types of hacker goods and services.
According to the report, DDoS attack can be ordered for only $10 per hour, $200 a day or for $500 - $1 thousand in a week. Researchers also detected on sale bank botnets (lease costs $750 a month), sets of exploits ($1400 a month), exploits for vulnerabilities in WordPress ($100), skimmers ($1500) and the hacker training programs ($50).
Data of bank cards remain the most widespread goods in the Darknet. The price varies depending on the country of origin.
The different information on credit cards which is often received using malware for PoS-terminals or on the Internet costs cheaper, however the complete data necessary for creation of copies of maps will be in two or three times more expensive.
Swindlers can also purchase access to the cracked bank accounts. The prices of accounts vary depending on an amount of money which on them is stored. Malefactors use bank trojans for gaining access to accounts, and swindlers, in turn, buy access, purchase different goods using cards, and then resell them, getting profit.
In addition, it is possible to find forgery documents in the Darknet. In particular, it is about different identity certificates, passports, driver's licenses, green cards of the USA, recipes on drugs, bank statements and so forth. Passports, identity certificates and driver's licenses usually are the most expensive, and documents of citizens from the countries of North America are the most valuable.
The markets and forums of "A shadow web" also offer a set of the cracked accounts. Access to the hacked account in social networks costs an average of about $13. Hackers can offer access to accounts to Facebook, Twitter, Instagram, Hulu, Netflix, Spotify, Amazon, Skype and so forth.
The American provider underwent the most powerful DDoS attack in the history
The Arbor Networks company detected the largest DDoS attack on one of the American providers which traffic reached 1.7 terabits per second. In it the mechanism opened at the end of February, and used in the previous strongest DDoS attack which happened on February 28 was used, Ars Technica report in March, 2018. Specialists are afraid that the detected mechanism often will be used for such powerful attacks in the near future.
During DDoS attack malefactors direct from a set of computers to servers of the victim so many requests that servers cease to cope and become unavailable to users. In addition their danger is that the server can behave not regularly and, for example, issue to malefactors a part of data.
There is a set of the DDoS attacks methods, including the attacks at which the malefactor addresses public servers and substitutes the address for the address of the victim. As a result these servers send response packets not to the malefactor, and the victim any more. This type of the attack can be used together with gain — it means that the server sends to each sent request to the victim a packet of the bigger size. Depending on a method the gain amount can reach tens and even hundreds of times.
At the end of February several Internet companies detected new, even more powerful version of this mechanism. This time malefactors began to use the unprotected Memcached-servers used for caching and acceleration of loading of some data. The main difference consisted in gain amount — in certain cases it reached already more than fifty thousand times. For example, researchers reproduced the attack and could achieve the 750-kilobyte response to a 15-byte request. It should be noted that such method of the attack was described by the Chinese researchers in 2017.
The first "this" DDoS IPv6 the attack is recorded
The network of DNS service Neustar fell a victim of the first recorded "this" IPv6 DDoS- the attacks. Sources of "the attack according to the dictionary" are about 1.9 thousand IPv6 nodes belonging to more than 650 networks. In March, 2018 the SC Magazine UK edition reported about it.
According to representatives of Neustar, this attack is remarkable the fact that malefactors use new methods instead of copying already existing, however using IPv4. The attacks of IPv6 can do serious harm, for example, to exceed amounts of memory of modern security aids due to a large number of the addresses available to hackers.
In total IPv6 contains more than in 7.9×1028 times more of the addresses than IPv4 which uses the 32-bit addresses and allows to organize about 4.3 billion addresses. Thus the number of the potential attacks also grows many times. At the same time, the set of the networks supporting IPv6 protocol do not support tools for counteraction to hackers.
As specialists noted, significant increase in quantity of IPv4 of the attacks in the current year is observed – it doubled in comparison with the same period of 2017.
Qrator Lads: Rating of stability of national segments of the Internet
At the beginning of July the Qrator Labs company based on a research of national segments of 244 countries of the world made the rating of the states in ascending order of the indicator reflecting dependence of availability of national segments of the Internet on failures of the most significant telecom operators.
The rating of stability of national network segments the Internet was for the first time provided to Qrator Labs in 2016. For measure calculation over each explored country on the basis of data of Maxmind service the card on which all telecom operators were distributed on national segments of the Internet was made. This year the procedure of a normalization was in addition carried out — the fact of presence of the operator in the specific region, how many the importance of this presence at the set national segment was estimated not so much.
On the next stage using model of the relations between Qrator.Radar project telecom operators for each operator calculation of extent of influence of failure of its work on a specific national segment was made (what percent of national operators, or autonomous systems, will become unavailable on the global area network in case of refusal of this operator).
Further for formation of rating operators whose failure can lead to loss of global availability of the greatest percent of operators of the set national segment were selected. These operators are listed in the third column of the table given below.
|the Place in rating||Country||Telecom operator (autonomous system number)||the Maximum share of the networks of a national segment losing global availability at failure of one telecom operator, %|
|1||Germany (DE)||Versatel (8881)||2.29696|
|2||Hong Kong (HK)||Level 3 Communications (3356)||2.65659|
|3||Switzerland (CH)||Swisscom (3303)||3.57245|
|4||Canada (CA)||Bell Backbone (577)||3.67367|
|5||France (FR)||Cogent (174)||3.68254|
|6||Great Britain (GB)||Cogent (174)||3.76297|
|7||Belgium (BE)||Telenet (6848)||3.93768|
|8||Ukraine (UA)||UARNet (3255)||3.95098|
|9||USA (US)||Cogent (174)||3.97103|
|10||Bangladesh (BD)||Fiber @ Home (58587)||5.29293|
|11||Romania (RO)||RTD (9050)||5.35451|
|12||Brazil (BR) - the beginner||Telefonica (12956)||5.39138|
|13||Russia (RU)||Rostelecom (12389)||5.73432|
|14||Ireland (IE)||Cogent (174)||5.87254|
|15||Czech Republic (CZ)||SuperNetwork (39392)||5.88389|
"Results of this year show that trends remain invariable: in an upper part of the table, as well as in 2016, there were countries in which the telecommunication market is mature and is characterized by high extent of diversification. At these countries there is a large number of telecom operators therefore failure in work even of large provider will have an impact only on a small number of other networks" — Alexander Lyamin, the CEO of Qrator Labs commented on research results.
In 2017 the company noted one more trend — the value of regional operators from discharge of Tier-2 grows. They began to play a role of key in some countries, having displaced market leaders of the Tier-1 level.
"For example, in Germany the largest telecom operator — Deutsche Telekom, but more significant effect on the global connectivity of a national segment other company — Versatel has. It means that the market continues to develop and be diversified" — emphasized in Qrator Labs.
Kaspersky Lab: Overview of the market and cost of DDoS-services
"Kaspersky (earlier Kaspersky Lab)" published the overview of the market of DDoS-services, their quotations and the offered services in March, 2017. In the publication it is especially noted that similar resources look as the websites of quite legitimate IT companies, with all sections and functions what could only be expected from them, not excepting "personal accounts".
The Kaspersky DDoS Intelligence system in the first three months 2017 recorded the attacks on the purposes located in 72 countries of the world.
Distribution of unique targets of DDoS attacks by the countries:
The first place on number of servers of management of botnets remains beyond South Korea, and to the second there was USA. The Netherlands for the first time since April, 2015 forced out China which fell by the seventh position from top three. Russia remained on the fourth place. Besides, ten of the countries with the greatest number of command servers left Japan, Ukraine and Bulgaria. Instead of them Hong Kong, Romania and Germany appeared.
Distribution by operating systems this quarter changed too. Having pressed botnets from devices of Internet of Things on Linux, into the forefront send Windows bots: their share grew from 25% last quarter to 60% in January-March, 2017.
For the reporting period any attack with gain was not registered, but growth of number of the attacks using enciphering was observed. It corresponds to last year's forecasts of Kaspersky Lab: difficult DDoS attacks which are hard for detecting standard protective tools gain popularity.
In general, the beginning of year was quite silent — the greatest number of the attacks (994) was observed on February 18, and the record on duration of attack made only 120 hours. It is much less, than in the fourth quarter 2016: then the most long attack lasted 292 hours.
"These web services represent completely functional web applications which allow the registered clients... plan the budget for DDoS attacks. Some operators even offer bonus points for each attack which is carried out using their service. In other words, cybercriminals have the of the loyalty program and customer service", said in the publication of the anti-virus company.
Owners of similar services suggest to organize attacks on any resources, with preserving of complete anonymity of clients and free testing of the attack within 15 minutes.
On average, according to the estimates of Kaspersky Lab from the client ask about $25 per hour, besides, that real cost value of the attack, according to experts, much lower.
In the calculations authors of the publication on SecureList proceed from approximate expenses of malefactors on infrastructure. Quotations on use of a cloud of Amazon EC2 are given as an example.
The price of a virtual dedicated server with the minimum configuration (and communication channel width, but not a configuration of the workstation is more important for DDoS attack) is about $0.0065 per hour. Respectively, 50 virtual servers for the DDoS-ataki organization of low power on online store will cost cybercriminals of $0.325 per hour. Considering additional expenses (for example, on SIM cards for registration of the account and a binding to it of the credit card), hour DDoS attack using a cloud service will cost criminals $4.
Respectively, the actual cost of the attack using the botnet numbering 1 thousand workstations costs about $7 per hour. It means that organizers of DDoS attacks get profit in the amount of about $18 in each hour of the attack.
In fact the cost of DDoS attack varies enough considerably, depending on a number of factors. Attacks on the state resources will be, most likely, more expensive, than on online stores, and besides not all operators of botnets will agree to carry out the similar attacks: such resources are under permanent observation of law enforcement agencies, and cybercriminals not really want "shine" the botnets.
If the attacked resource is under protection of the specialized service filtering garbage traffic, cost, most likely, will increase repeatedly. On one of services an attack on the normal website is offered at the price of $50-100, however, if there is a protection against DDoS, the price grows to $400 at once. Some services even offer blocking of the domain at the level of the registrar, but it is the most expensive service — it will cost to the client from $1 thousand and more.
The important factor is as well structure of a botnet. Creation and support of a botnet from 1 thousand personal computers (and furthermore 100 servers) is significantly more expensive, than support of the harmful network consisting of 1 thousand video cameras with a vulnerable firmware.
At last, pricing is influenced by the scenario of the attack (for example, the client can ask to switch from SYN flood to UDP flood from time to time or to use at the same time at once several options of the attack), and a geographical location of the customer. For the organization of the attack from the resident of the USA, for example, will ask more, than from the resident of Russia.
It is interesting that some services on the organization of the attacks even publish a total quantity of the clients, and them there can be tens of thousands. Cybercriminals advertize the services in plain terms. "We bring to your attention services in elimination of the websites and servers of competitors by means of DDoS attack" — record on the homepage of one such resource says.
Persons interested to pay for a similar form of pressure exist, and they are obviously ready to spread lump sums for DDoS attacks: in 2016 the longest DDoS attack continued 292 hours — about 12 days.
In return, malefactors sometimes do not shun at the same time to offer services of protection against DDoS attacks, as well as to require money for non-execution or the termination of already begun attack.
Data of Kaspersky Lab
According to Kaspersky Lab, in 2016 DDoS attacks were recorded by every fourth bank (26%). For financial institutions in general this indicator was 22%. According to a research, the average damage from DDoS attack to banks was 1,172,000 dollars while for the enterprises of other spheres — 952,000 dollars.
At the same time 52% of victims faced unavailability or quality degradation of work of public web services for long time – from several hours to several days. And at least in 43% of cases DDoS attack was used as masking when carrying out other harmful transactions. The websites of banks become the purpose of the similar attacks most often – they were affected in half of the recorded cases (49%). However it not only weak spot. Almost same number of respondents (48%) underwent DDoS attacks on the Internet banking and online services.
According to Kaspersky Lab, in the third quarter 2016 web resources in 67 countries of the world suffered from DDoS attacks. The absolute majority them (97%) was the share of only three countries: China, USA and South Korea. At the same time China "got" most — 63% of DDoS attacks were aimed at resources of this state. Against the background of top three the number of the attacks recorded in Russia looks unconvincingly, however in comparison with the last quarter it considerably increased — from 0.8% to 1.1%.
Meanwhile, China breaks records and on other quarter indicators. So, the longest attack in reporting period continued 184 hours (7.6 days) and was aimed at the Chinese provider. And the popular Chinese search engine became the champion on number of DDoS attacks on the same purpose — for the third quarter the resource was attacked 19 times.
In general experts of Kaspersky Lab noticed increase in number of the "smart" attacks which use the protected https-connections and thus avoid recognition by the protective systems. Most often at similar DDoS attacks malefactors create flows of requests, rather small on volume, to a "heavy" part of websites — for example, to search forms — and send them using the https-protocols protected by enciphering. The systems of recognition and prevention of DDoS attacks, in turn, are often not capable to decrypt traffic "on the fly" and pass all requests for the web resource server. Thus, the requests attacking remain unnoticed, and DDoS attack becomes successful even at low intensity, explained in the company.
Increase in a share of the attacks with Linux botnets remains one more trend — in the third quarter it grew by 8 percent points and reached 79% by October. It is partly correlated with growth of popularity already of the most widespread SYN-DDoS method for which Linux botnets are the most suitable tool. However many devices of Internet of Things, for example, routers which are even more often noticed in structures different a bot networks work at Linux also today. For this reason special attention of experts was drawn by the publication of the source code of the botnet Mirai which contains the built-in scanner which is finding vulnerable devices of Internet of Things and including them in structure of a botnet.
Probability that the company, once fallen a victim of DDoS attack, will undergo it once again is very high. It is confirmed to 77% of the Russian organizations which were repeatedly influenced action of this threat within a year, at the same time more than a third (37%) of the companies were attacked four or more times. This statistics confirms the fact that protective tools from DDoS attacks shall log in security of the company, and important criterion of their efficiency is capability to provide the continuity of work of corporate online services directly in attack time, emphasized in the company.
As for duration of DDoS attacks, in 40% of cases they last no more than an hour, and in 13% — up to several weeks. Most often the companies which are actively using different web services for the primary activity become the victims of this type of threats in Russia there are enterprises of e-commerce, financial institutions, state bodies, media. Also often the hi-tech organizations, such as telecommunication and cybersecurity companies face DDoS attacks.
The fact that quite often they learn about it from external sources has negative effect on reputation of the companies not only the fact of the attack, but also: in 21% of cases — from clients, and in 29% of cases — from the contractor who is carrying out the analysis of security of IT infrastructure of the organization. According to experts of Kaspersky Lab, there is no wonder, most often cybercriminals attack external resources: client portals (40%), communication services (36%) and websites (52%).
Data of Qrator Labs
Dynamics of DDoS attacks in 2015 — 2016
Boom of startups and the subsequent growth of number of attached devices — this new field of rich opportunities where it is possible to create not one larger and dangerous botnet. In 2016 suddenly there was a terabit per second which was considered as unattainable.
At the same time considerably the level of necessary experience and knowledge for the DDoS organization of the attacks fell. Today for implementation of the successful attack even on the large websites and applications there is enough video instruction on YouTube or a little cryptocurrency for payment of services of service like booter. Therefore in 2017, for example, the normal teenager with couple of bitcoins in a purse can appear the most dangerous person in the field of cyber security.
For increase in power of the attacks malefactors amplifitsirut the attacks. Attacking increases the amount of the sent "garbage" traffic by operation of vulnerabilities in third-party services and also masks the addresses of a real botnet. The common example of the attack with amplification is traffic of DNS answers to the IP address of the victim.
Other vector — Wordpress, a universal and functional engine for blogs. Among other functions in this CMS there is a Pingback function using which autonomous blogs communicate about comments and references. Vulnerability in Pingback allows to force the vulnerable server to request a special XML-request any web page from the Internet. The received malicious traffic call Wordpress Pingback DDoS.
An attack to HTTPS is not more difficult, than on HTTP: it is necessary to specify other protocol only. Neutralization will require the channel from 20 Gbps wide, an opportunity to process traffic of the application layer on complete capacity of connection and to decrypt all TLS connections in real time — considerable technical requirements which can perform not all. The huge number of vulnerable servers on Wordpress is added to this combination of factors — it is possible to involve hundreds of thousands in one attack. At each server quite good connection and performance, and participation in the attack is imperceptible for normal users.
BGP and leakages of routes
Founding fathers of the Internet could hardly expect that it will grow to the current amounts. That network which they created was constructed on trust. This trust was lost during the periods of rapid growth of the Internet. The BGP protocol was created when the total number of autonomous systems (AS) was considered tens. Now their more than 50 thousand.
The routing protocol BGP appeared in the late eighties as a certain sketch on a napkin of three engineers. It is no wonder that he answers questions of the left era. His logician says that packets should go on the best of available channels. The financial relations of the organizations and the policy of huge structures in it were not.
But in the real world money — on the first place. Money sends traffic from Russia somewhere to Europe, and then returns back home — so the cheapest way, than to use the channel within the country. The policy does not allow two quarreled providers to exchange traffic directly, it is easier for them to agree with the third party.
Other problem of the protocol — lack of the built-in mechanisms of data validations on routing. From here take roots of vulnerability BGP hijacking, leakages of routes and the reserved numbers AS. Not all anomalies are malicious inherently, often technical specialists not up to the end understand the principles of functioning of the protocol. "Driver's licenses" on driving of BGP are not granted, there are no penalties, but well big space for destructions.
Common example of leakages of routes: the provider uses the list of prefixes of clients as the only mechanism of filtering of outgoing announcements. Regardless of a source of announcements client prefixes will be always announced on all available the directions. While there are announcements directly, this problem remains hardly detected. At once the network of provider degrades, clients try to take away announcements and disconnect a BGP session with problem provider. But the operator continues to announce client prefixes in all directions, creating thereby leakages of routes and pulling together a considerable part of client traffic on the problem network. Certainly, it is so possible to organize the attacks of Man in the Middle, than some also use.
In anycast-networks we drafted a number of amendments for fight against leaks and provided them to Engineering council of the Internet (IETF). Initially we wanted to understand when our prefixes, and on whose fault get to such anomalies. As the wrong setup was the reason of the majority of leaks, we understood that the only way to solve a problem — to eliminate conditions in which errors of engineers are capable to influence on other telecom operators.
IETF develops voluntary standards of the Internet and helps their distribution. IETF is not the legal entity, but community. Such method of the organization has a set of pluses: IETF does not depend on legal issues and requirements of any country, it cannot be condemned, cracked or attacked. But IETF does not pay salary, all participation voluntarily. All activity hardly comes to a priority higher, than "non-profitable". Therefore development of new standards goes slowly.
Anyone can discuss or offer draft copies of standards — in IETF there are no requirements of membership. In the working group there is a basic process. When consent on the general subject is reached, with authors of the offer begin discussions and completion of the draft copy. The result leaves to the director of area whose purpose — reverification of the document. Then the document is sent to IANA as this organization manages all changes of the protocol.
If our draft copy with the new BGP expansion passes all circles of hell, then the flow of leakages of routes will run low. Malicious leaks will not leave anywhere, but for the solution of this task there is only one option — permanent monitoring.
According to the statistics, the received Wallarm company (Valarm) Onsek (Onsec) with unrolled by honeypot'ov company, in 2016 between a public exploit and its mass operation passes on average 3 hours. In 2013 this term was week. Malefactors become more and more prepared and professional. Acceleration will continue, we expect reduction of this period of time till 2 o'clock in the near future. And again only pro-active monitoring is capable to prevent this threat and to insure from terrible effects.
Cracking and network scanning already reached unknown scale. More and more malefactors this year will get previously scanned ranges of the IP addresses segmented on the used technologies and products — for example, "all WordPress servers". The number of the attacks on new technology stacks will increase: microcontainers, private and public clouds (AWS, Azure, OpenStack).
In the next one or two years we expect to see nuclear type of the attacks to providers and other infrastructure when the connected autonomous systems or the whole regions suffer. The last several years of fight of a sword and board led to more advanced methods of neutralization. But the industry often forgot about legacy, and the technical debt brought the attacks to unprecedented simplicity. From this time, only the geo-distributed cloud systems constructed with skill will be able to stand against record attacks.
Qrator Labs: stability of national segments of the Internet in the world
On June 7, 2016 the Qrator Labs company announced the Internet results of a research of influence of possible failures in work of networks of telecom operators on global availability of national network segments.
The research was conducted in national segments of 236 countries of the world - everything where the Internet works. The rating of the countries in ascending order of an indicator reflecting dependence degree  became result of a research national segments of the Internet from failures in work of certain operators.
Calculation of this indicator for each explored country is made by the following technique:
- the first stage on the basis of data of Maxmind makes the card of network prefixes of operators on which the announced prefixes are distributed on national network segments the Internet.
- at the second stage using the system of modeling of work of the global Internet Qrator.Radar for each operator calculation of extent of influence of failure of its work on a specific national segment is carried out: the number of the prefixes of a national segment losing global availability on the Internet was defined.
For formation of rating operators whose failure can lead to loss of global availability of the greatest percent of prefixes of the set national segment were selected. These operators are listed in the second column of the tables given below.
|The Internet affects global availability of national network segment country market situation. The maturity of the market and degree of its diversification (in particular, the more operators of the average size have access to cross-border transition) is higher, the work of all national segment is stabler.|
In half of America the Internet after DDoS attack on DNS servers of Dyn company "laid down"
On September 21, 2016 Internet users in the USA faced a problem – tens of demanded resources were unavailable, or worked with errors. Their number included social network Twitter, PayPal payment system, the news website Reddit, music service Spotify and others].
Problems of access concerned inhabitants of densely populated East coast of the USA where lives to a half of the population of the country, partially Pacific coast and partly Great Britain.
DNS servers are responsible for communication between domain name (for example, ya.ru) and the IP address (220.127.116.11 respectively). If the DNS server cannot answer the user, the browser does not know from where to obtain information. Therefore these servers can be carried to key infrastructure of the Internet — if it is about large provider of services which is used by services with millions of users.
At DDoS attack the server is loaded with "garbage" traffic therefore for normal users access is limited. In a case with Dyn provider for the attack structures of Internet of Things — cameras, routers and so on were used.
Part of responsibility lies also on equipment manufacturers. They do nothing in order that users changed standard passwords on cameras, routers, printers and other devices. Because of it it is very simple to get access to them. As a result of the attack go from printers of Xerox and Panasonic and also cameras with routers from less known companies.
Actions of the company
At 11:10 a.m. on universal time (2:10 p.m. across Moscow) Dyn reported on the website that her employees began fight against the attack. The company warned that users can feel discomfort connected with delays of DNS queries and zone distribution. At 1:20 p.m. on general time Dyn stated that operation of DNS servers is completely recovered
What resources were unavailable
In attack time users lost access to such demanded resources as web service for a hosting of IT projects of GitHub, the website for search of services of Yelp, the online dictionary of a slang Urban Dictionary, Pinterest photohosting, service of exchange of photos of Imgur, service for creation of the websites Weebly, service of loading of content Playstation Network and to others.
Federal trade commission of the USA filed a lawsuit against D-Link
Federal trade commission of the USA (Federal Trade Commission, FTC) submitted a claim to Taiwanese company of D-Link for the fact that the producer did not ensure safety of the products, having left them vulnerable to the hacker attacks. According to the statement of claim, D-Link did not implement necessary mechanisms of protection in the routers and video cameras connected to the Internet released by the company, thereby "having threatened security of thousands of consumers".
Submission of the claim was caused by use by cybercriminals of the unprotected devices of Internet of Things (IoT) for creation of the botnets used for implementation of large-scale DDoS attacks. In particular treats like those to botset Mirai consisting of routers, webcams and video recorders with unreliable factory passwords. Using this botnet last year the most powerful were performed for all history DDoS attacks. Besides, Mirai was used for shutdown of the Internet on east coast of the USA.
The botnet Mirai consisted of the devices connected to the Internet with pairs logins the password by default and rather simple vulnerabilities. We believe that it — only the firstborn in the whole generation of botnets on the basis of Internet of Things. Even solution of the problem of one Mirai will not help. Malefactors at first just touched passwords, now look for vulnerabilities and backdoors, reaches studying of the code of a fresh firmware of the device regarding possible "holes" with the subsequent their operation within few hours.
Data of Qrator Labs
According to the Qrator Labs company provided in March, 2015, 2014 by the number of high-speed DDoS attacks became peak. Also the average number of DDoS attacks in day increased: with 18 to 28. Analysts of Qrator Labs consider that in 2014 there was phenomenal growth of number of the attacks to speed over 100 Gbit/sec. It is predicted that the number of such attacks in 2015 will decrease. Experts noted the repeated growth of the incidents connected with DDoS attacks for the last 5 years, the attacks of the increased complexity that assumes a possibility of increase in number of the attacks in 2015, at least for 20%. Growth of number of the attacks is connected, generally with competitive struggle aggravation.
In 2014 Qrator Labs using own service of the same name neutralized 9.519 DDoS attacks. The maximum number of the attacks in day directed to clients of the company was reduced from 151 to 131. The average number of DDoS attacks in day increased from 18 up to 28.
According to Alexander Lyamin, the head of Qrator Labs, in 2014 growth of number of the attacks of the increased complexity – with a speed more than 100 Gbps was observed. In 2015 the high-speed attacks (more than 100 Gbps) will decline – the peak is passed in 2014.
In a specific case the conversation goes about attacks to the entering channel of provider on purpose: kill him with "parasitic" traffic. The attacks of this kind became less, but speeds significantly grew. Small telecom operators and hosting companies get to a zone of risk. The share of the attacks with a speed more than 1 Gbps increased from 2.58% in 2013 up to 5.47% in 2014. In 2014 practically from "zero" shares of the attacks with a speed more than 10 Gbps considerably grew (from 0.7% to 2.72%), i.e., they were observed approximately each working day. The number of the attacks more than 100 Gbps grew by 11 times (from 0.1% to 1.32%). Specialists of Qrator noted that simplification of technology of the organization of DDoS attacks became one of the trends promoting it.
DDoS attacks using botnets on servers and operating systems remain still the most popular among malefactors. Alexander Lyamin noted growth in 2014 of the average and maximum sizes of observed botnets that, according to him, speaks about return of botnets monsters.
The general trend on decrease in the attacks of the class DNS/NTP Amplification of which more than a half of all incidents was the share earlier was outlined, but malefactors begin to attack network infrastructure of operators more actively.
Total quantity of the attacks registered on the company — clients of Wallarm (Valarm) Onsek (Onsec) in 2014, exceeds 750,000. According to Ivan Novikov, the CEO of Wallarm (Valarm) Onsek (Onsec), the industry of games, advertizing networks CPA, e-commerce (shops and auctions), payment systems and banks, media got to a risk zone in 2014-2015. At the same time if payment systems and banks, online retailers and media were always the purpose of the attacks, then now the activity of malefactors considerably increased in sectors where to information security there was no special attention earlier.
The attacks using botnets to servers and OS for exhaustion of resources of the server remain the most widespread. The maximum size of a botnet, involved in one attack grew by 50% in 2014: from 281 thousand to 420 thousand machines. The size of an average botnet showed 27% growth (from 1.5 thousand to 1.9 thousand machines).
"In 2014 we observed attack cases directly on network infrastructure of operators to whom they were not ready. There is a hypothesis that malefactors took under control a large number of others powerful network equipment - several hundred thousands of routers and switches connected to the Internet worldwide whose owners did not change the password from factory, set by default. Now these resources without the knowledge of their owners are used for large-scale attacks such", -  Rossiyskaya Gazeta quotes the head of Qrator Labs Alexander Lyamin.
Diagram of aggression, 2014
Besides, Qrator.Radar at the end of 2014 recorded growth of frequency of the volume Volumetric-attacks used as the address tool against the large purposes. Specialists of Qrator Labs connect wide circulation of this type of DDoS with the fact that technologies of the attack became available to low-skilled specialists.
Mass distribution was promoted by simplification of technology of the organization and also decrease in cost value of the Volumetric-attacks, including at the expense of an opportunity to involve low-skilled specialists. Now the cost of one such attack fell up to 10-50 dollars a day for 1 GB a band. The most widespread remain the method of gain (Amplification) used for sending long requests of an error to configurations of DNS servers. If earlier for the organization of the volume attack it was required to create a botnet, then now an opportunity to forge the IP address of the victim and to send a request for the vulnerable DNS server allows malefactors to spend much less resources, including time for the organization of the attack. Apparently, the detailed scheme of implementation of these attacks becomes generally available. In 2013 the popular tool for the Volumetric-attacks were DNS амплифиакторы. In 2014 cybercriminals used NTP-and SSDP амплификаторы more often.
"The diagram of such volume attacks stopped being discrete, and turned into a big continuous wave with the beautiful front. We connect it with the fact that the tools implementing the Volumetric-attacks available earlier to separate groups entered the mass "hacker market"" — Lyamin Alexander, the head of Qrator Labs commented.
Data of Wallarm
According to the research Wallarm, in 2014 top favourite by the number of the attacks it was distributed as follows: databases (the attacks in 35% of cases), attacks on clients/users of websites (28%) and different attack vectors with a possibility of remote code execution on the server (19%).
Vulnerability of Simple Service Discovery Protocol turns millions of access points, webcams and printers into instruments of DDoS attacks
Specialists of PLXsert company announced in October, 2014 the mass DDoS attacks going since July, 2014 performed using vulnerability of the Simple Service Discovery Protocol protocol which is applied to the declaration of availability by millions of devices supporting the standard of Universal the Plug and Play — home routers, access points, cable modems, webcams, printers, etc. The attack will be organized by transfer of specially prepared packet of SOAP on the vulnerable device therefore that sends a response packet to the set.
As many of vulnerable devices — consumer, it is improbable that on them patches will be set, and in certain cases such opportunity is not even provided. Considering it, specialists of PLXSert predict that all new tools facilitating the organization of the attacks using vulnerable protocols and creation of botnets will be developed. Will difficult suppress such attacks as packets can proceed at the same time from the mass of different points.
That the device could not be involved in the similar attack, specialists of PLXSert recommend to block traffic on port 1900 used by vulnerable protocols if UPnP is not necessary. Otherwise only patches will help.
Data of Arbor Networks
The Arbor Networks company provided in the summer of 2014 data on DDoS attacks in a global area network in the first half of the year 2014. Statistics is unfavourable: both the number, and intensity of the attacks continue to grow steadily.
So, the number of the DDoS attacks exceeding at peak traffic in 20 GB / with only for the first six months of this year exceeded their total number for all 2013. And more than hundred attacks of the first half of the year 2014 exceeded also an indicator in 100 GB / page.
The most powerful of the mentioned Arbor Networks of the attacks reached at peak of traffic in 154.69 GB / with and was directed against the purpose in Spain. She used the principle of reflection of requests of NTP. It is rather new technology of the attacks based on use of the NTP protocol serving for synchronization of hours on computers. The NTP protocol distinguishes that on rather short requests it issues the unrolled answers. Respectively, having forged a request and having specified in it as the sender the address of the victim, it is possible to generate very high traffic to the specified IP address. Such attacks were very popular in the first half of the year though their greatest number fell nevertheless on the first quarter-2014. Also growth of duration of DDoS attacks within this year attracts attention. If in the first quarter the average attack with a capacity of traffic over 10 GB / with lasted about 54 minutes, then in the second – 98 minutes.
The CEO of the Technical center Internet Alexey Platonov noted: "DDoS attacks became the main "rough" weapon in corporate Internet wars, such cudgel of information war. The big companies began to take measures to reduce damage from DDoS, but they are expected only a certain power of the attack. Respectively, malefactors increase power to punch protection – there is a classical competition of armor and a shell".
Prolexic: Average power of DDoS attacks this year grew by eight times
By estimates of specialists of the Prolexic company which is engaged in the organization of protection against the distributed attacks directed to failure in service in the first quarter 2013 the average power of DDoS attacks made 48.25 Gbps. It in eight times more, than in the last quarter of last year.
The power of the attack to the antispam organization Spamhaus estimated at 300 Gbps as consider in Prolexic is strongly exaggerated, but in March Prolexic was necessary to reflect the attack in 130 Gbps. About 25% of the attacks on the websites of clients of Prolexic in the first quarter did not exceed on the power of 1 Gbps. However 11% of the attacks were carried out with a power over 60 Gbps. The organization and technical equipment of attacking grows, specialists note. Not only the total amount of data with which during DDoS attack overload an Internet access channel, but also the frequency of sending packets that creates problems not only at the direct victim of the attack, but also at providers, trunk operators and the companies occupied with reflection of the attacks increased.
The number of the attacks in the first quarter grew by 1.75% in comparison with the last quarter and for 21.75% — in comparison with the first quarter 2012. At the same time the share of the attacks on infrastructure of providers and telecom operators grew.
Data of Arbor Networks
According to the special research Arbor Networks, the nature of the threats connected with the distributed attacks changes around the world. On survey results, carried out in 2013, about 70% of the respondents using services of DPC reported that they faced DDoS attacks (in 2012 like those there were 50%). A large number of the attacks with a power over 100 Gbps is at the same time registered. These are very expensive "actions" for the ordinary malefactor, and they will be usually organized by "customers", actively kriminalizuyushchy community of hackers, even more often in political goals. A considerable part of the registered incidents was directed to failure in the functioning of applications — such attacks are observed regularly now. The number of the attacks on the SSL connections also increased by 17%. About a third of respondents faced attacks on DNS infrastructure.
Resources of the Russian companies were exposed to the massive attacks in 2013. It is enough to remember a series of DDoS-attacks on websites of five largest Russian banks: during the period Alfa-Bank, Gazprombank, VTB, Sberbank and the Central Bank of Russia were attacked from October 1 to October 7, 2013. However, since the Ukrainian crisis passed into a sharp phase, the number of DDoS attacks grew by resources of the Russian organizations many times, conferees noted.
Hardware and software systems for protection against such attacks offer several companies: Arbor Networks, Radware, Check Point and also Russian MFI Soft. Besides, "Kaspersky (earlier Kaspersky Lab)", BIFIT, Group-IB and Qrator.Radar provide to clients cloud services of protection against DDoS.
Ukraine: DDoS attack – as a competitive struggle method
About a half of the DDoS attacks made in Ukraine in the I half-year 2012 was the share of the websites of representatives of business and marketplaces. In general, experts recorded 111 attacks in the Ukrainian segment of the Internet. The most long DDoS attack in the Ukrainian segment of the Internet lasted more than 13 days.
On a global scale the share of Ukraine as source of DDoS attacks decreased to 2.8% in comparison with 12% in the II half-year 2011.
Most often customers of DDoS attacks are competitors, consider in Kaspersky Lab. The affairs opened by law enforcement agencies upon DDoS attacks very seldom come to court, recognizes a source in management on fight against cyber crime of the Ministry of Internal Affairs. In the state register of judgments it was succeeded to find only one solution on the case of DDoS attack: for blocking of work of OSMP and Kiberplat payment systems in 2009 the malefactor from Bila Tserkva was sentenced to three years of imprisonment with a probation period in two years.
By estimates of market participants, losses of large online stores from DDoS attacks can make up to 300 thousand dollars a day.
The bulk of the hackers providing similar services, – the young loner nonprofessionals who are engaged in infection of computers using the programs developed independently or purchased, the administrator of "The Ukrainian network of exchange of traffic" (UA-IX) Sergey Polishchuk tells. However the international hacker groupings managing networks worldwide also work at Ukraine. So, in July the staff of the Russian company Group-IB blocked Ukraine of servers a bot network six Grum which is considered as third largest in the world. bred in
It is possible "to put" the website for day for 50-1000 US dollars depending on its attendance and level of protection of servers. The program for the organization of a botnet can be purchased for 150 US dollars. Specialists accept payment by means of most electronic payment systems. Group-IB estimates the income of hackers of the CIS countries and the Baltics in 2011 at 4.5 billion US dollars
The Netherlands suggested to legalize DDoS attacks
The Netherlands opposition social and liberal party Democrats 66 took in the summer of 2012 the discouraging initiative, having suggested to legalize DDoS attacks and other forms of manifestation of disagreement on the Internet and to give them the status of protest actions, having affirmed the right to similar "performances" in the Constitution, however, with restrictions. With reference to local media the RBC agency reports about it.
However the order and implementation of forms of an online protest should be accurately stated in the legislation, Democrats 66 note. Anyway, according to one of party members, Kis of Verhoeven, the similar attacks are a peculiar demonstration, and the fact that fundamental constitutional rights of citizens still did not gain distribution in the Internet is surprising to him.
Democrats 66 are going to complete already in the nearest future the work on the bill then it will be submitted for consideration in parliament. Ten party members, in upper — five sit at the lower house of parliament of the country. The position of other parliamentarians is not known.
- Censorship on the Internet. World experience
- Censorship (control) on the Internet. Experience of China
- Censorship (control) on the Internet. Experience of Russia, Roskomnadzor
- Law on regulation of Runet
- VPN and privacy (anonymity, anonymizers)
- Protection of critical information infrastructure of Russia
- Law On security of critical information infrastructure of the Russian Federation
- National Biometric Platform (NBP)
- Single Biometric System (SBS) of these clients of banks
- Biometric identification (market of Russia)
- Directory of solutions and projects of biometrics
- Digital economy of Russia
- Information security of digital economy of Russia
- SORM (System for Operative Investigative Activities)
- State detection system, warnings and mitigations of consequences of the computer attacks (State system of detection, prevention and elimination of consequences of computer attacks)
- National filtering system of Internet traffic (NASFIT)
- Yastreb-M Statistics of telephone conversations
- How to bypass Internet censorship of the house and at office: 5 easy ways
- The auditor - a control system of blocking of the websites in Russia
- The Single Network of Data Transmission (SNDT) for state agencies (Russian State Network, RSNet)
- Data network of public authorities (SPDOV)
- Single network of telecommunication of the Russian Federation
- Electronic Government of the Russian Federation
- Digital economy of Russia
- Cyber crime in the world
- Requirements of a NIST
- Global index of cyber security
- Cyber wars, Cyber war of Russia and USA
- Cyber crime and cyber conflicts: Russia, FSB, National coordination center for computer incidents (NKTsKI), Information Security Center (ISC) of FSB, Management of K BSTM of the Ministry of Internal Affairs of the Russian Federation, Ministry of Internal Affairs of the Russian Federation, Ministry of Defence of the Russian Federation, National Guard of the Russian Federation
- Cyber crime and cyber conflicts: Ukraine
- Cyber crime and cyber conflicts: USA, CIA, NSA, FBI, US Cybercom, U.S. Department of Defense, NATO, Department of Homeland Security, Cybersecurity and Infrastructure Security Agency (CISA)
- Cyber crime and cyber conflicts: Europe, ENISA
- Cyber crime and cyber conflicts: Israel
- Cyber crime and cyber conflicts: Iran
- Cyber crime and cyber conflicts: China
- As the USA spied on production of chips in the USSR
- Security risks of communication in a mobile network
- Information security in banks
- Digital transformation of the Russian banks
- Overview: IT in banks 2016
- The policy of the Central Bank in the field of data protection (cyber security)
- Losses of the organizations from cyber crime
- Losses of banks from cyber crime
- Trends of development of IT in insurance (cyberinsurance)
- Cyber attacks
- Overview: Security of information systems
- Information security
- Information security (world market)
- Information security (market of Russia)
- The main trends in data protection
- Software for data protection (world market)
- Software for data protection (the market of Russia)
- Pentesting (pentesting)
- Cybersecurity - Means of enciphering
- VPN - Virtual private networks
- Security incident management: problems and their solutions
- Authentication systems
- Law on personal data No. 152-FZ
- Personal data protection in the European Union and the USA
- Quotations of user data in the market of cybercriminals
- Virus racketeer (encoder)
- WannaCry (virus racketeer)
- Petya/ExPetr/GoldenEye (virus racketeer)
- Malware (malware)
- APT - Targeted or target attacks
- DDoS and DeOS
- Attacks on DNS servers
- DoS-attacks on content delivery networks, CDN Content Delivery Network
- How to be protected from DDoS attack. TADetails
- Fraud Detection System (fraud, fraud, fraud detection system)
- Solutions Antifraud directory and projects
- How to select an antifraud system for bank? TADetails
- Security Information and Event Management (SIEM)
- Directory of SIEM solutions and projects
- Than a SIEM system is useful and how to implement it?
- For what the SIEM system is necessary and as it to implement TADetails
- Intrusion detection and prevention systems
- Reflections of local threats (HIPS)
- Confidential information protection from internal threats (IPC)
- Phishing, DMARC, SMTP
- Botha's botnet
- Worms Stuxnet Regin
- Information loss preventions (DLP)
- Skimming (shimming)
- Sound attacks
- Antispam software solutions
- Classical file infectors
- Cybersecurity: means of protecting
- Backup system
- Backup system (technologies)
- Backup system (security)
- ↑ Attacks to network: the new cyberthreat is how dangerous to Ukraine
- ↑ DDoS Attacks Increase of 180% in 2019 Compared to 2018
- ↑ [https://xakep.ru/2019/12/05/great-cannon/ China uses
- ↑ The 'Great Cannon' by has been deployed again
- ↑ for DDoS attacks "The great gun" again]
- ↑ Not all go on vacation: the number of DDoS attacks continues to grow
- ↑ DDoS attacks in the second quarter 2019
- ↑ Having crushed custom DDoS-service, the authorities decided to punish also his clients
- ↑ The Black Market Report
- ↑ In the Darknet it is possible to order DDoS attack for $10 per hour
- ↑ the American provider underwent the most powerful DDoS attack in the history
- ↑ the first "this" DDoS IPv6 the attack Is recorded
- ↑ DDoS-services turn into "solid businesses" with bonus points and programs of loyalty
- ↑ 15,0 15,1 a dostupnostidostupnost - a possibility of the operator to receive data packets from other operators
- ↑ steadier is considered that national segment in which least of all prefixes of operators lose global availability at possible failure of network of one operator
- ↑ CNews: In half of America the Internet
- ↑ [http://www.networkworld.com/article/3133751/security/extensive-ddos-attack-against-dyn-restarts-could-indicate-a-new-use-of-old-criminal-tech.html of Extensive DDoS attack against Dyn restarts, could indicate a new use of old criminal tech
- ↑ "laid down"
- ↑ of Meduza: https://meduza.io/feature/2016/10/24/ddos-ataka-iz-za-kotoroy-ne-rabotali-twitter-spotify-i-drugie-servisy-kto-vinovat
- ↑ of COMPLAINT FOR PERMANENT INJUNCTION AND OTHER EQUITABLE RELIEF
- ↑ Federal trade commission of the USA filed a lawsuit against D-Link
- ↑ the kiberugrozissledovaniye is based on the analysis of the traffic passing through network of filters Qrator.Radar Qrator using intellectual algorithms of identification of attempts DDoS- the attacks (development of Qrator Labs) and attempts of cracking of web applications Wallarm (Valarm) Onsek (Onsec) (development). Also the companies analyze the events outside network of filtering, collecting information from operators of a telecom by means of the tool Qrator Radar intended for optimization of work and the design of networks
- ↑ DDoS attacks disperse
- ↑ address Vulnerability of Simple Service Discovery Protocol turns millions of access points, webcams and printers into instruments of DDoS attacks