Topiary 'known' to police says network giant

Frontline Lulzsec hacking member Topiary's identity and whereabouts were known to British police, chief technology officer of Prolexic Paul Sop has said.
While debate raged over whether British Police had arrested Topiary.
Scotland Yard released the name of a teenager, Jake Davis, it arrested in the Shetland Islands last week on suspicion of involvement with the LulzSec hacking group.
It has yet to emerge if the arrest man was the LulzSec identity Topiary, a concept contested by some online groups dedicated to uncovering the groups' participants.
Paul Sop, chief technology officer at Prolexic could not say if Topiary was in police hands, or talk specifically about the international police operation to locate and identify suspected online criminals within Anonymous and LulzSec because of non-disclosure agreements.
But he confirmed that police knew who and where Topiary was.
“Yes, I’ve read about the speculation. But you know I can’t say anything, right?” Sop said.
His company used its global IP network and technical specialists to defend businesses against Distributed Denial of Service (DDoS) attacks.
In doing so, it had harvested countless IP addresses and other data from DDoS attacks launched against customers and supplied them to law enforcement.
“With that many eyes watching the long and protracted attacks [by LulzSec and Anonymous] it’s not really possible to stay anonymous," Sop said.
"Police efforts are slow and protracted – they have to be because evidence must be transferred and it cannot be compromised".
Sop predicted the hacking groups' continued attacks against government intelligence and police agencies and scores of businesses would be “just more damning for them”.
Prolexic was not the only private sector company to assist the police investigations into Lulzsec and Anonymous.
A sworn affidavit by an FBI agent had revealed PayPal supplied the IP addresses of 1000 participants in DDoS attacks launched against its network in December.
Many of the DDoS participants had used the LOIC (Low Orbit Ion Cannon) software which made it easy for non-technical users to participate in coordinated attacks against nominated targets.
But in doing so, their IP addresses were recorded on the logs of victims, or with specialists like Prolexic.
A report  last year by researchers from the University of Twente in the Netherlands compared the use of LOIC for DDoS attacks to "overwhelming someone with letters, but putting your address at the back of the envelope".
The IP addresses were all there, in logs,” Sop said. “It’s rather daft – like throwing a brick through a window with your address taped to it," he said.
The philosophical ideology that united much of the Anonymous and Anti Security movement had helped investigators build profiles, Sop said.
Yet for all the attacks against Prolexic customers, Sop was warm to the movements’ broad ambitions to fight censorship and corruption.
“I don’t disagree with the messages, but the methods affect hundreds of thousands of innocent people. Look at the attacks on Sony – that affected thousands of people who just wanted to play PlayStation. When it was down, I couldn’t enjoy gaming with my son.”

http://www.scmagazine.com.au/News/265445,topiary-known-to-police-says-network-giant.aspx

Massive DDoS attack mitigated

Prolexic Technologies, a company specializing in Distributed Denial of Service (DDoS) mitigation services, has announced that it successfully mitigated another major DDoS attack of unprecedented size in terms of packet-per-second volume. Prolexic cautions that global organizations should consider the attack an early warning of the escalating magnitude of similar DDoS threats that are likely to become more prevalent in the next six to eight months.
The attack was directed against an Asian company in a high-risk e-commerce industry. It generated larger than usual TCP SYN Floods and ICMP Floods, both of which are common DDoS attack methods. There was nothing common, however, about the magnitude of the attack.
According to Prolexic chief technology officer Paul Sop, the volume of the attack reached levels of approximately 25 million packets per second (pps), a rate that can overwhelm the routers and DDoS mitigation appliances of an internet service provider (ISP) or a major carrier. In contrast, most high-end border routers can forward 70,000 pps in typical deployments. In addition, Prolexic’s security experts found 176,000 remotely controlled PCs, or bots, in the attacker’s botnet (robot network). This represents a significant threat as typically only 5,000 to 10,000 bots have been employed in the five previous attacks mitigated by Prolexic.
“The customer attempted to mitigate these repeated DDoS attacks for many months with solutions from its ISP and its carrier before approaching Prolexic,” said Sop. “Defeating this attack is a testament to our unrivaled capacity and our unique position as the only global DDoS mitigation provider with the experience and bandwidth to successfully fight these gigantic attacks.”
To mitigate this high-magnitude attack without putting the burden on a single carrier, Prolexic distributed traffic among several of its global Tier 1 carrier partners and scrubbing network centers. Prolexic was able to help the client maintain service availability throughout the duration of the attack. While Prolexic was fighting this particular threat, it simultaneously helped another client who was experiencing a 7 Gbps DDoS attack.

Early warning and escalating threats
“Prolexic sees this massive attack in Asia with millions of packets per second as an early warning beacon of the increasing magnitude of DDoS attacks that may be on the horizon for Europe and North America in the next 6 to 8 months,” Sop said. “High risk clients, such as those extremely large companies in the gaming and gambling industries in Asia, are usually the first targets of these huge botnets just to see how successful they can be.”
Prolexic cautions that the next quantum leap in DDoS attacks will not necessarily center on bandwidth, but rather on increasing the volume of packets per second to such a high level that carriers cannot handle the overload. According to Sop, these extremely high packet-per-second DDoS attacks are especially insidious because they can cause collateral damage to carriers long before the “bad traffic” ever reaches its intended target.
Overwhelmed by the deluge of Internet traffic, carriers try to cope by passing around the excessive traffic like a “hot potato” from one to another. Ultimately, the carriers must “black hole” the IP address of the attack target and in doing so they unwittingly help the hacker to achieve the goal of creating a “zero route” which crashes the victim’s site. In addition, the continuous shifting of traffic from carrier to carrier can seriously affect the performance of multiple web sites, not just the intended target.
“Prolexic has invested millions to be ready for this type of DDoS attack and while we have only seen this botnet once in the Western Hemisphere to date, it is likely to follow a common pattern and become much more prevalent,” Sop said. “The good news is that Prolexic is already well ahead of the game and has proven that we can stop attacks of this magnitude.”

http://dateline.ph/2011/08/01/massive-ddos-attack-mitigated/

Layer 7 Application attacks - (DDoS)

Security attacks are moving ‘up the stack.’  90% of security investments are focused on network security, yet according to Gartner, 75% of the attacks are focused at the application layer and ‘over 90 percent of security vulnerabilities exist at the application layer, not the network layer.’  SQL Injection and XSS are #1 and #2 reported vulnerabilities and the top two from the OWASP Top 10.  Plus, from Forrester Consulting, the average loss of revenue per hour for a layer 7 DDoS attack is $220,000.  These vulnerabilities are some of the primary routes that are being exploited in many of the recent attacks.
Modern DoS attacks are distributed, diverse and cross the cavity that divides network components from application infrastructure yet many of these attacks are preventable. The problem is that organizations are using outdated network and/or desktop technology to try and protect against sophisticated application security attacks which traditional solutions like network firewalls, IPS or AV systems have little to no visibility or role. It’s like trying to protect a city against a coordinated air attack by digging trenches in the ground. Wrong band-aid for the attack vector. 

It is interesting that these attacks have been around for a while but also shows how hard it is to get protection right, especially when the attacks are blended.  Once a vector is found to deliver, a variety of exploits can be used in quick succession to find one that will work.  Most of these attacks would also have sailed invisibly through an IPS device – no offense to those solutions – they are just not designed to protect the application layer or didn’t have a signature that matched.  A unified application delivery platform with multi-layer visibility is the best way to detect and mitigate multi-layer attacks.

http://psilvas.wordpress.com/2011/06/22/cure-your-big-app-attack/