The DDoS industrial Complex Just Keeps on Growing

DARPA (Defense Advanced Research Projects Agency) is now awarding projects to vendors so they can proliferate the security industry with next-generation tools to mitigate DDoS attacks.

In the article main points are:

DARPA says the XD3 program looks to develop technologies that:

  • Thwart DDoS attacks by dispersing cyber assets (physically and/or logically) to complicate adversarial targeting
  • Disguise the characteristics and behaviors of those assets to confuse or deceive the adversary
  • Blunt the effects of attacks that succeed in penetrating other defensive measures by using adaptive mitigation techniques on endpoints such as mission‐critical servers.

How about instead of creating infinite complexity, just stopping them.  I wrote how this could be done back in December in 2015.

Or better yet, how about stinging and arresting people who initiate them? Perhaps we don’t have the police powers to do so.  Maybe the FBI has the manpower to do this. Hopefully it will not get to the point where we need to just cut off those countries from the Internet.

Am I just stupid? Or am I missing something?  What would be the cost to the security industry if we actually found a non labor-intensive way to put and end to this nonsense?

By  Art Reisman



The 1/4 Million DDoS Extortion

In Christian Sager’s June 2014 article “Why do people perform DDoS attacks“, he does an excellent job in outlining the possible motivations for DDoS attackers. I especially like the DDoS attack map site he references. Here is a snapshot from today’s attacks
DDoS attacks around the world

Christian covers a range of excellent points behind DDoS attacks, and yes he does address direct monitory extortion in the following excerpt.

Feedly’s claim that their DDoS attack was the result of extortionists isn’t that unbelievable. There have been several cases where a DDoS is followed by a ransom note. Once the site is down, the attackers demand money in exchange for stopping their attacks. Some even make the threat before the attack. In both cases their rate of success is usually low.

A DDoS attack with a ransom note is a bit crude when compared to the much more insidious indirect extortion going in the world of DDoS attacks.  One half Million Dollars is the base price for a firewall capable of mitigating a DDoS attack on a 10 gig network  (with limited success at that).  Vendors are selling thousands of them  year.  Let me state, I do not have evidence of any link between the sale of a Firewall product  to a deliberate DDoS attack, but I wonder why the DDoS attacks are so widespread and cannot help but to speculate. With equipment sales in infrastructure struggling in a flat IT infrastructure economy. The prevalence of wide spread DDoS attacks is picking up.

NetEqualizer DDoS Firewall: Simple and Effective without the Bloat

One of the challenges when creating a security tool is validating that it works when the S$%^ hits the fan.  We have heard (via anonymous sources) that many of the high-dollar solutions out there create bloated, rotting piles of information, whose only purpose is to look impressive due to their voluminous output.  A typical $100K buys you a CYA report. A tool that covers  everything, leaving the customer to decide what to do; which is usually nothing or some misguided “make work”. These non-specific tools are about as useful as a weather forecast that predicts everything all the time. Rain, Snow, Wind, Hot, Cold, for everyday of the year. If you predict everything you can’t be wrong?

On the other hand, the reports from the field coming in for our DDoS tool are:

Yes, it works.

Yes, it is simple to use.

Yes, it takes action when appropriate.

We have confirmation that our DDoS tool, combined with our shaping algorithms, has kept some very large institutions up and running while under very heavy, sophisticated DDoS attacks.   The reasons are simple. We look at the pattern of incoming packets in a normal situation.  When the pattern reaches a watermark that is clearly beyond normal, we block those incoming circuits. If needed, we can also take a softer approach, so the attacker is not aware we are throttling them.  This is needed because in some situations outright blocking will alert the attacker you are on to them and cause the attacker to double-down.

When under DDoS attack you don’t need reports; you need immediate action. If you would like to discuss our solution in more detail feel free to contact us.

Firewall Recipe for DDoS Attack Prevention and Mitigation

Although you cannot “technically” stop a DDoS attack, there are ways to detect and automatically mitigate the debilitating effects on your public facing servers. Below, we shed some light on how to accomplish this without spending hundreds of thousands of dollars on a full service security solution that may be overkill for this situation.

Most of the damage done by a targeted DDoS attack is the result of the overhead incurred on your servers from large volume of  fake inquiries into your network. Often with these attacks, it is not the volume of raw bandwidth  that is the issue, but the reduced the slow response time due to the overhead on your servers. For a detailed discussion of how a DDoS attack is initiated please visit zombie-computer-3d

We assume in our recipe below, that you have some sort of firewall device on your edge that can actually count hits into your network from an outside IP, and also that you can program this device to take blocking action automatically.

Note: We provide this type of service with our NetGladiator line. As of our 8.2 software update, we also provide this in our NetEqualizer line of products.

Step 1
Calculate your base-line incoming activity. This should be a running average of unique hits per minute or perhaps per second. The important thing is that you have an idea of what is normal. Remember we are only concerned with Un-initiated hits into your network, meaning outside clients that contact you without being contacted first.

Step 2
Once you have your base hit rate of incoming queries, then set a flag to take action ( step 3 below), should this hit rate exceed more than 1.5 standard deviations above your base line.  In other words if your hit rate jumps by statistically large amount compared to your base line for no apparent reason i.e .you did not mail out a newsletter.

Step 3
You are at step 3 because you have noticed a much larger than average hit rate of un-initiated requested into your web site. Now you need to look for a hit count by external IP. We assume that the average human will only generate at most a hit every 10 seconds or so, maybe higher. And also on average they will like not generate more than 5 or 6 hits over a period of a few minutes.  Where as a hijacked client attacking your site as part of a DDOS attack is likely to hit you at a much higher rate.  Identify these incoming IP’s and go to Step 4.

Step 4
Block these IP’s on your firewall for a period of 24 hours. You don’t want to block them permanently because it is likely they are just hijacked clients ,and also if they are coming from behind a Nat’d community ( like a University) you will be blocking a larger number of users who had nothing to do with the attack.

If you follow these steps you should have a nice pro-active watch-dog on your firewall to mitigate the effects of any DDoS attack.

For further consulting on DDoS or other security related issues feel free to contact us at

Related Articles:

Defend your Web Server against DDoS Attacks –

How DDoS Attacks Work, and Why They’re Hard to Stop

How to Launch a 65 gbps DDoS Attack – and How to Stop It

%d bloggers like this: