Brian Krebs reports: "A 35-year-old Dutchman thought to be responsible for launching what's been called 'the largest publicly announced online attack in the history of the Internet' was arrested in Barcelona on Thursday by Spanish authorities. The man, identified by Dutch prosecutors only as 'SK,' was being held after a European warrant was issued for his arrest in connection with a series of massive online attacks last month against Spamhaus, an anti-spam organization."

Neustar Second Annual DDoS 2012 Survey
Download full survey: PDF

In comparing threats to readiness, the answers weren't encouraging:

• DDoS attacks continue to grow in frequency and impact
• While a handful of massive attacks dominated the headlines — especially in the banking industry, where many suspect the hand of unfriendly nation-states — most DDoS attacks are less than 100Mbps in size
• As in 2011, over 1/3 of attacks lasted longer than 24 hours, extending downtime, customer complaints and mitigation costs
• Connecting the dots: it doesn't take a mega-attack to cause lasting damage, merely well-planned strikes on poorly defended websites
• While more companies are investing in some type of DDoS protection...
• Most still rely on firewalls and other traditional solutions that get bottlenecked during attacks and accelerate outages

Most Frequent Ddos Victims – As in 2011, financial and ecommerce businesses were the most frequent DDoS victims. Last year, 32% of financial organizations reported being attacked. In 2012, the number increased to 44%. Starting in Q3 2012 and continuing to the present, banks in particular have suffered large, disruptive attacks, with specialized botnets such as "itsoknoproblembro" amplifying the destructive impact.
(Source: Neustar 2012 DDoS Survey)The data reported here is from a wide-ranging survey, not from Neustar's network monitoring or DDoS mitigation efforts. The data reflects the realities faced by diverse IT professionals across numerous industries, among companies large and small. It shows the real challenge most companies face today: how to gauge the threat clearly and respond within their means.

Among the key findings from the survey, 35% of organizations experienced a disruptive DDoS attack in 2012. Of those surveyed, 39% of retailers and 41% of ecommerce businesses experienced an attack last year. Additionally, more than a quarter of respondents (26%) indicated a DDoS outage could cost between $50-100k per hour, further showcasing the need for a strategy around DDoS protection and mitigation.

Additional survey findings include:

• Key sectors reported higher rates of attack: The number of retailers experiencing an attack increased by 144% from 2011 levels to reach an overall level of 39% in 2012; financial organizations experienced a 38% increase in attacks year-to-year with 44% of financial organizations being victimized in 2012.
• Though more companies are deploying DDoS protection — only 8% had no protections in place compared to 25% in 2011 — few have invested in purpose-built hardware or third-party expertise.
• The latter is alarming; while 66% of companies use firewalls, routers and switches for DDoS protection, these networking products create bottlenecks that actually aid attackers.

How long did DDos attacks last?

2012 Annual DDoS Attacks & Impact Infographic – To see how DDoS attacks affected businesses in 2012, Neustar surveyed over 700 IT pros. Comparing 2012 results with out 2011 survey, it's clear that many people are still hoping and wishing and praying they can solve a complex problem with old-school solutions. (Click to Enlarge Image)Tracking with last year’s results, survey found over a third of all DDoS attacks lasted more than 24 hours: 37% in 2012 versus 35% in 2011. Some attacks stretched out for several days or even longer — with 20% of attacks lasting between 3 days and 7+ days. The longest attacks, those lasting over a week, increased from 10% in 2011 to 13% in 2012.

According to Christian A. Christiansen, Chris Liebert and Charles J. Kolodgy of IDC Research, in a February 2013 report, entitled The Business Value of Hybrid Cloud-based Compromise Intelligence Monitoring and Threat Mitigation, "Given the complex nature of today's threats, enterprises can achieve a strategic advantage by employing a new layer of security that is services based. Cloud-based services are an important aspect of this approach to security and provide always-on monitoring without the added expense of buying and maintaining on-premise equipment."

Download a copy of the full survey here.

About Neustar siteProtect
Learn How Neustar Technology Can Block DDoS AttacksNeustar SiteProtect offers intelligent DDoS protection, blending the people, processes and technologies to stop today's complex attacks. Using battle-tested procedures and best-of-breed equipment, the experts in the Neustar Security Operations Center work swiftly to eliminate downtime and protect your brand.

Based in the cloud, SiteProtect offers 24/7 on-demand traffic scrubbing. Immediately accessible through DNS or BGP redirection, it provides instant relief from DDoS attacks involving network Layer 3, application Layer 7, IPv6 and/or encrypted traffic — or any combination of these takedown methods. SiteProtect reroutes traffic to unclog your network, filters malicious traffic and permits valid traffic to return to your infrastructure.

Built on a dedicated, globally distributed Anycast network, SiteProtect can be instantly deployed and remains activated until the danger is gone. With SiteProtect handling the DDoS, your responses remain nimble and in sync with customer requests. Online business continues even as the attack unfolds.

For larger organizations, SiteProtect is an ideal complement to in-house mitigation hardware. As a cloud-based failover solution, SiteProtect provides the bandwidth to absorb malicious traffic and enables you to launch countermeasures in real time. Using a hybrid approach, you can leverage your investments in DDoS detection and alerting, avoid outages and minimize disruptions.

The internet and borders

People often refer to the internet as borderless and that there is a need to cooperate cross border between police agencies and other agencies regulating or enforcing the internet. This falls under the category "This needs a global solution" or the "this is cross border, we can not do anything!" type of comments.

Breaking down silos goes way beyond this. It is a national, organisational as well as international problem. Specific organisations work within their own remit and have, in some cases extreme, difficulty to reach out to other organisations. Others are not aware of each others capabilities. This discussion is about mental borders as well as legal, organisational and state ones.

The worst example

Usually the police is pointed to as a hard partner to work with. "We never hear anything back" or "We never receive information from them" are often heard comments. It is my impression that police organisations (and prosecutors) could have more understanding of what the capabilities of other enforcement agencies are, in order to coordinate actions in a better way. (What happens when two or three different organisations investigate the same botnet at the same time?!)

Law enforcement is more than enforcing the law from a penal code objective. Other agencies may be better equipped to solve a specific cyber crime than police on the basis of enforcing their "own" law. A "serious" crime could be dealt with through e.g. a Consumer Protection Act also. Or together there is a higher chance at success. These are important lessons. Break down your silos!

Cyber security

Cyber security organisations like Computer Emergency Response Teams (CERTs) and Computer Security Incident Response Services (Csirt) secure and monitor governmental and industry ICT systems, alert and respond to breaches, e.g. like ddos attacks or hacks. They have a lot of information and evidence that could actually assist enforcement agencies in doing their work. At the same time they can act on certain breaches in ways that law enforcement never could.

Cooperation between the two is not something which comes easily. For dozens of reasons. Hence the need to break down silos and create understanding.

Industry

And what about industry? What is the information it has on cyber crimes? If industry does not see the incentive to report all, let's say relevant, breaches to the proper authority, enforcement and security will never get the priority it deserves. Hence another reason to break down silos.

Who needs to act?

In the report of De Natris Consult (click here to view) called "National cyber crime and online threats reporting centres. A study into national and international cooperation." it is clearly shown that for an individual organisation it is nearly impossible to break a silo down. Simply because it's to difficult and not a part of the organisations primary task. So despite the fact that it is in the direct interest of a single organisation to be able to cooperate, it is nearly impossible to break through on your own when no one hears you knocking. It is important however to report your impossibilities to those who can make a difference. How will people who can actually make a difference ever know otherwise? Start breaking down your own silo in the right places.

So who needs to act then?

There are a few options. (My apologies for non-EU readers. I'm a bit EU-centric here, but please allow your imagination to run to your corner of the world and the options it provides.)

1. National government
This would help at national level. E.g. in a national strategy on cyber security a national coordinating body is foreseen and instituted by the national government. E.g. The Netherlands created the National Cyber Security Centre. It is very interesting to see the developments going on. Embedded officers from different agencies, industry and vital infrastructure work part time within the centre.

Some questions could be asked that can make a difference over time. How does the centre change knowledge and perceptions with time? Does it make a solid inventory of skills, complementary powers and different possibilities that different laws supply to fight cyber crimes? Does it take a closer look at whether present laws supply the needed powers to fight the different forms of cyber crime?

2. International bodies
ENISA currently plays a role in bringing CERTs and police agencies together. Could it play that role in a broader sense? So for other LEAs and police and CERTS?

EC3 could open itself to more enforcement entities, e.g. by providing common trainings, coordinate cyber actions, etc. It does not so at present, but it would be a good thing if EC3 looked into this option in the very near future. Who invites them to break down their silo?

Fill in your option here .....

3. International projects
What will a project like ACDC (Advanced Cyber Defense Centre) do to international cooperation? In this case it is about fighting botnets. From disinfecting end users computers to gathering, analysing and sharing data on botnets, botnet traffic and command and control servers in and through the central clearing house. What will aggregated data do in the fight against cyber crime and more so, what will it do for cooperation and understanding between different entities both public and private?

Conclusion

Why are all these questions so relevant? Because my bet is that all these agencies, from the military to secret services and from police to consumer fraud, spam and privacy agencies are all looking for the same people who make the internet not a very safe place to do business and pleasure today. There is, well there should be, a strong need to cooperate and coordinate.

Breaking down silos will not come easy. For many a reason. Still, if people responsible for this task are to make serious business with it, it is important to start asking the right questions. Let's do so at NLIGF this June, in Bali in October (I will do so here as moderator) and Vilnius in November and in all places where you think it is possible and necessary to do so. I'm always happy to discuss further or help out creating strategies or programs. The time seems right.

Written by Wout de Natris, Consultant international cooperation cyber crime + trainer spam enforcement

The next day new malfunction of banks' websites were reported. For the first time it was openly admitted that all our banks' and payment intermediary iDeal's website were down, due to an attack in the form of a DDoS attack, making the website of the respective banks unreachable for regular traffic. The assailants tried to log in also.

This resulted in headlines, Tweets, blogs and opening news items, the one at the 8 o'clock news on the public channel ending with: "in the USA this happens nearly every day". In the following I'd like to take a look at a few related comments, a tweet by a politician, before coming to some questions. The main one reflects the title most: "Who's responsible for cyber security?"

Public outcry

If anything the chaos or perceived chaos in banking transitions led to angry or confused people, famous short fuses and loads of attention from the media. The cyber security world is waiting for years for a major cyber incident. One causing great damages, in the hope governments and companies start moving in the right direction. Some experts are even totally resigned to this way of thinking. This is not that incident. Sure, it shocked end users, led to some reactions from politicians, but in the end nobody seems to have lost money and there are so many other issues calling out for attention.

The news

Tax evasion
In the past week high level tax evasion by multi nationals, top-executives, politicians, etc., let's say the top of societies, was prominent in the news. A conclusion in a column in NRC Handelsblad stated, to this problem decisions at world level are needed. (If I'm cynical, look at the list at the start of this section and ask yourself the following question: Who decides on worldwide solutions?) What struck me, also, is that this is the exact same conclusion that is derived at when talking about Internet governance, international cooperation against cyber crime, spam and malware enforcement, etc., etc. In short, what I recently heard someone call "the glass ceiling of Internet governance". Most discussions stop here. Another variant to this discussion is: "we need to break own silos!". Okay, but who is "we"? Is someone made responsible for this breaking down, silos or ceilings? What are the right questions to ask here? Questions that lead to answers that could take the discussion forward and actually change the outcome? A topic for the upcoming IGF in Bali I'd say.

The near future
The comment in the 8 o'clock news cited above, caught my attention most. "This happens nearly every day in the US". I read somewhere that 267 out 365 days there were problems accessing major banks' websites. In other words this is something we are to expect also? Are there contingency plans? Do governments allow that payments can't be made (parts of) 267 days in the year? The economic impact is gigantic. Does it matter then whether the attacks stem from criminals, free speech advocates, "fun hackers" or state-to-state activities? I'd say not.

How can banks ever guaranty the safety of our money?
...is the question Dutch parliamentarian Kees Verhoeven (D66) asked on Twitter. (This is the Tweet: "Heftig. De storing blijkt nu een #DDoS aanval! De vraag is hoe banken de veiligheid van ons geld kunnen blijven garanderen. #cybersecurity"). I responded to him that this was totally the wrong question to ask. There is nothing banks can do against DDoS attacks, beyond preventive measures. The attackers, the tools they use, the infected PCs and other devices used, the command and control servers hosted anywhere in the world, are all far beyond the control of banks. As long as banks run state of the art security measures (even if they don't), they are victims and not attackers. Perhaps the banks need support from other entities on and around the Internet to solve this problem.

The tools used are infected PCs of end users, companies, governments, industry, etc. and other devices like smart phones, smart TVs, up to a hacked chip in your cat's collar (and this is no joke). There are a million reasons why these devices are infected. From irresponsible use by end users, flawed software, a lack of security by design in anything with "i" in front if it, negative incentives to deal with botnet mitigation or notice and take down requests, a lack of understanding in general, right up to a lack of government regulation, enforcement or incentives. All measures or better a lack of measures, banks have no influence over at all. They have an influence over the quality of the products they buy themselves in the future, over internal policy and security measures and perhaps they can reach out more to discuss Internet governance actively, which I advice them to do, but it stops there.

So, taking this all in, can banks guarantee the safety of our money? Answer this question yourself and continue to ask yourself the question who is responsible for cyber security? A virtual plethora of parties involved and where to start? What I have to conclude is that almost every single decision is to be made in the private sphere. In a competitive world. Where does that leave governments? Where does this leave decisions consciously made with the common good in mind?

So, who's responsible?

I'm not going to answer this question here. Those who follow me on my blog, here on CircleID or read my articles in Virus Bulletin know my points of view. What I'd like to ask you is to think about this question for one minute and share your thoughts with me here on within an(y) other context. It may just get a discussion going.

Written by Wout de Natris, Consultant international cooperation cyber crime + trainer spam enforcement

Learn about the diverse technologies Neustar uses to Mitigate DDoS attacks quickly and effectively. The seasoned DDoS fighters in the Neustar Security Operations Center explain the need for a full toolset to combat complex attacks. Listen as some of the world's top DDoS experts break it down in plain English to help you grasp your options.

Transcript

DDOS can happen, it can strike at anytime, around the clock, 24/7.

There's so much out there. There are so many unknowns. Everyday there's some new variant of some new botnet coming out. You have to be constantly on your toes at this job

The reality is that the technology and the threat have changed so much over the last year and a half that anything you bought 2 years ago is pretty much irrelevant. A lot of people fall for the marketing if I have a firewall I think I can automatically withstand a DDOS, if I have an IPS or an IDS I believe that I can deal with these things.

However this doesn't always work and it's not the best solution because the largest floods and types of attacks can actually overwhelm a firewall or an intrusion detection service and just pass right through.

What people need to realize is their hosting company isn't going to protect them if they get a large enough attack. That hosting company is going to shut you off so that they can protect their overall infrastructure and that's the one great thing about SiteProtect is we are solely invested in protecting you.

The model that we use for SiteProtect and what differentiates it versus what else is in the market and often what we hear from customers is our architecture is far reaching. The technology that we use is diverse in nature. So we're not just using firewalls, we're not just using IPS, we're not just using purpose built gear. We're bringing all of that to the forefront to fight attacks on behalf of our customers.

Neustar takes all of the devices and all of the technologies that we have and can kind of mesh them together and to blend them together to get the most effective mitigation in place.

Attacks continue to evolve every day. Everyone knows that in the industry so it's important that you bring to the table technology that can deal with those sophisticated often application layer attacks. And that's what we offer with SiteProtect.

While 1) is unavoidable simply due to the additional data that DNSSEC produces, and 2) "should" be practised as part of any provider's network configuration, it is 3) that requires "you and I" ensure that systems are adequately configured.

The fact is open DNS resolvers are nothing new and the open resolver project is tracking approximately 27 million open DNS resolvers. What I find interesting is that their database can be queried for an IP range to see how many open resolvers are listed.

Out of curiosity, I entered the /24 prefix that my personal IP address resides on, 81.174.169.0/24. This range belongs to Plusnet, a popular ISP located within the UK. I was quite surprised that a list of 9 IP addresses came back, I wasn't really expecting any, and fortunately, none of them were mine!

Out of further curiosity, I started using dig to fire off a DNS query for "www.bbc.co.uk" to each of the IP's. Most of them timed out, but as I worked down the list, sure enough, one of them returned an answer. I ran a port scan but couldn't detect any well known open ports other than DNS. So within a few minutes, I had found an open resolver being run on an IP address within the same /24 as my own. This ISP has hundreds of thousands, if not millions of customers, so if extrapolated, there could be thousands of open resolvers present via this one ISP. (Having said that, this list of open resolvers vs AS numbers only lists 7 open resolvers against Plusnet, so maybe I was just (un)lucky...) I would like to think my ISP has implemented BCP-38, but what if they haven't? And how many other ISPs out there haven't?

I have no idea whether CPE routers are providing this open resolver capability or whether people are genuinely running a poorly configured DNS server. The Measurement Factory perform regular surveys for open resolvers and network providers can get them to email a list of open resolvers. They have a useful page here.

I guess it's unfair to place the blame solely at sysadmins when the default setting for BIND up until 9.4 was to allow queries from anyone, and I am sure there are many *nix/*BSD distros that shipped with BIND versions <9.4 (RHEL 5 anyone?) — although you could argue "Why haven't they upgraded?" as we are talking pretty old code here. No, I think more culpable are the network operators who route spoofed traffic out from their network; it is inexcusable that they have not implemented BCP-38 (also known as RFC2827).

However, looking at that list of open resolvers vs ASNs again, the top offender is Brazil, followed by a big block in Asia-Pac, HINET is Taiwan, then Chile, Korea etc. To go to each of these providers, figure out which local networks are the offenders, and communicate all this in a meaningful, constructive way to the end customers, well, it's a gargantuan task!

Unfortunately I do not see a simple solution to this problem, and I fear that with the publicity the Spamhaus attack generated, we will ultimately see more of these kinds of attacks.

If you are curious like me, why not check your local ISP range and see if you can find any open resolvers? You never know what you might find! I'll buy a pint for the person who can find the most… at a date/time/location of my choosing… provided it's in the UK… in the South somewhere… near Reading or Basingstoke! ;-)

Written by Paul Roberts, CEO, Calleva Networks

While attacks of this nature are certainly nothing new, the scale of this attack was surprising, reported to hit 120Gbps. For a sense of scale, your average cable modem is only about 20Mbps, or about 0.016% of that bandwidth.

So how does one generate an attack of that size? The technique that appears to have been used is called DNS Amplification. The attacker will typically use a network of infected hosts, known as a botnet, to send DNS queries to servers, faking the source address to be that of their target. When the servers reply to these queries, they send the reply to that false address.

Since the response packet is bigger than the query packet, the DNS server is helping out in the attack by increasing the amount of bandwidth being used. This is not a new technique, and has been around since at least the late 1990s.

What has changed is how effective this attack is, mostly due to the introduction of DNSSEC records. For example, a DNS query for isc.org/ANY with DNSSEC is only 78 bytes, but the reply is 3,586 bytes — so big it gets fragmented and spread across three packets. This makes it very easy to use a little bit of bandwidth to make a huge attack, and since your compromised hosts don't need to send out a lot of data, it's less likely they'll be detected and shut down.

Open Recursives Are Not the (Only) Problem

A lot of these attacks make use of recursive resolvers to perform this amplification. These are the servers that are typically run by your ISP or by services such as Dyn's Internet Guide, OpenDNS, or Google's Public DNS.

It is intended that the end user will query these servers, they'll take care of finding the answer, caching it, and returning it to the user. In the case of an ISP's resolvers, these are usually locked down so only the ISP's customers can use it. It has long been considered a security risk to operate a resolver that will respond to just anyone (an "open" resolver) without taking special care to consider the consequences.

There has been a lot of renewed interest in finding and shutting down unintentional open resolvers, through things like the Open DNS Resolver Project. This is a good thing, but it only addresses part of the problem. These attacks do not need to use open resolvers; they can use the authoritative servers directly to do their amplification. The authoritative servers are the systems that ultimately serve the answers in DNS.

These are the sorts of systems operated by DynECT Managed DNS and Standard DNS. And since these servers must be open in order to function, it's much more difficult to secure them against abuse and the attackers are using them.

Dyn observed this activity back in December 2011, and it has only gotten worse since then. Other authoritative operators have seen the same behavior, typically DNS queries for "ANY" records on zones that have been DNSSEC signed. We have our own in-house tools for mitigating these attacks, but there has been public work to counter the problem, such as the Response Rate Limiting patches to the BIND nameserver software.

But these are really only temporary fixes in an arms race between DNS operators and the people who want to abuse their systems.

The Real Problem and its Solution

At its core, the problem that enables these attacks to work is source address spoofing. This is when a packet is sent from a computer using a source address that isn't actually on that computer, but instead belongs to some other system — usually not even on the same network, such as a home PC on a cable modem, sending traffic that appears to be from a popular website. This has been seen as a security problem for a long time, and yet there are still plenty of networks that allow it to happen.

The solution has also been around for a while, known as BCP38. This document, part of a series of Best Common Practices, describes a very simple concept of not allowing packets to pass through a router from hosts that shouldn't be sending from those addresses. It was published nearly 13 years ago, and is often brought up in tech circles as a solution to a number of problems, but there is still a lack of implementation on the Internet at large.

It boils down to a very simple logic, described in section 4:

IF packet's source address from within [its assigned space]
THEN forward as appropriate

IF packet's source address is anything else
THEN deny packet

There has been a renewed effort recently to push the adoption of this practice, with a boost from this recent DDoS attack on CloudFlare, with some new websites popping up, such as BCP38.info, and a lot of discussion in public forums. This is something that really needs to be done for the security of the Internet as a whole.

So, if you're a network operator, please consider implementing BCP38. If you're buying internet service, ask your provider about BCP38. The rest of the Internet will thank you.

Written by Chip Marshall, Network and Security Analyst

From the Alert: "While the attacks are difficult to prevent, network operators can implement several possible mitigation strategies. The primary element in the attack that is the focus of an effective long-term solution is the detection and elimination of open recursive DNS resolvers. These systems are typically legitimate DNS servers that have been improperly configured to respond to recursive queries on behalf of any system, rather than restricting recursive responses only to requests from local or authorized clients. By identifying these systems, an organization or network operator can reduce the number of potential resources that the attacker can employ in an attack."

Al Iverson over at Spamresource has a great round-up of the news, if you haven't managed to catch the news, go check it out, then come on back, we'll wait ...

Of course, bad guys are always mad at Spamhaus, and so they had a pretty robust set-up to begin with, but whoever was behind this attack was able to muster some huge resources, heretofore never seen in intensity, and it had some impact, on the Spamhaus website, and to a limited degree, on the behind-the-scenes services that Spamhaus uses to distribute their data to their customers.

Some reasonable criticism, was aimed at the New York Times, and Cloudflare for being a little hyperbolic in their headlines and so on, and sure, it was a bit 'Chicken Little'-like, the sky wasn't falling and the Internet didn't collapse.

But, don't let the critics fools you, this was a bullet we all dodged.

For one, were Spamhaus to be taken offline, their effectiveness in filtering spam and malware would rapidly decay, due to the rate at which their blocklists need to be updated. The CBL anti-botnet feed and the SBL list both have many additions and deletions every day. These services are used to protect mail servers and networks against the most malicious criminal traffic. If they go down, a lot of major sites would have trouble staying up, or become massively infected with malware.

There are also a ton of small email systems that use the Spamhaus lists as a key part of their mail filtering (for free as it turns out). Were those lookups prevented, or tampered with, those systems would buckle under the load of spam that they dispense with easily thanks to Spamhaus.

To put it into perspective, somewhere between 80% & 90% of all email is spam, and that's the stuff Spamhaus helps filter. So it doesn't take a Rocket Scientist to figure out that if filters go out, so do the email systems, in short order. AOL's Postmaster famously said, at an FTC Spam Summit a decade ago, before the inception of massive botnets, that were their filtering to be taken offline, it'd be 10 minutes before their email systems crashed.

Due to some poorly researched media reports (hello, Wolf Blitzer!), there is a perception that this is a fight between two legitimate entities, Spamhaus and Stophaus; some press outlets and bloggers have given equal time to the criminals (we use that word advisedly, there is an ongoing investigation by law enforcement in at least five countries to bring these people to justice). Nothing could be further from the truth. The attackers are a group of organized criminals, end of story. There is nothing to be celebrated in Spamhaus taking it on the chin, unless you want email systems and networks on the Internet to stop working.

So yeah, it was a big deal.

Written by Neil Schwartzman, Executive Director, The Coalition Against unsolicited Commercial Email - CAUCE

In the article I was questioning if this was even possible and what was needed as general interest and curiosity.

Well, looking at the "stophaus" attack last week, we are getting some answers.

I would say it is a real threat now and is a valid attack vector. Seems you only need a couple of ingredients:

Open recursive DNS servers

Many of these are already available, and numbers increase. This not only includes dedicated DNS Server systems, but also any equipment attached to the internet capable of handling DNS requests it seems (like cable-modems, routers, etc). So the risk this will be utilized again, will be greater every day now.

A party that is capable/willing do set it off

Seems that there are more and more parties on the Internet that open to "attack" certain entities on the Internet to defend their believes. In above case, stressing even the Internet and influence the usage of everyone on it.

Infrastructure

Lets call it the "Internet", "Logistics" and "Bandwidth". Looking at the numbers, it is apparent that you need little (in context) and it is possible to do so if you want. Technology, services or other wise it is not really challenging. And it can be done not from a shady area/country either.

I suspect we will see more of this happening now the "proof-of-concept" is done. It still worries me when the real guns are pulled out and focus would shift from particular entities to the root infrastructure of the Internet.

I had a couple of talks with my expertise peers on this how to mitigate this, it is very difficult as it is sheer load coming from every corner of the Internet. We really did not come up with a single solution. Mitigation would probably mean "breaking" some parts of the Internet as collateral damage, which in size would probably be disruptive enough as well.

Main concern in this, again, is the "open resolvers" out there that we cannot control without education and regulation on how DNS is deployed (you know, the thing we are allergic/apathetic about on/about Internet).

The more thoughts I give this, the more I think the solution is not only technical but mostly an organisational/educational/regulation one… Before that is in place, we probably will experience some outages…

Written by Chris Buijs, Head of Delivery

Read full story: BBC

Some of you will remember the heated debates when Calling Line Identification (CLID) was first introduced in telephony. Libertarians of all stripes called passionately to ban such an evil tool threatening our most precious civil liberties like the impunity of calling home from the bar, pretending to be still at work or with a customer. Today everybody welcomes the decline of crank and obscene calls even if telemarketers can continue to be a nuisance. Will SAVA be for the internet what CLID was for telephony?

One of the beauties and at the same time a source of potential vulnerability of the internet design is that it forwards packets connectionless, hop by hop, based on the destination address. This has proven a cornerstone of the amazing resiliency and scalability of the internet. The flip side is that this makes the blue box offspring, address spoofing more prevalent. From making occasional free calls in the 'telephony era', internet address spoofing now substitutes legitimate source addresses to fraudulently obtain personal information from unsuspecting end-users or wreak havoc flooding network hosts, DNS systems and even networks with DDoS attacks. So much so that a number of ISP's now offer 'scrubbing services' to their customers. Zacks Investment sees Cyber Security firms as a major investment opportunity. This is surely a growing and lucrative market segment; I might follow their advise.

SAVA was first presented at an IEEE conference in 2007 and subsequently proposed as a RFC to the IETF in 2008 with Tsinghua University of Beijing as lead author. The paper addressed the need for source address verification on the access network, intra-AS within a network, and inter-AS between networks across BGP boundaries. This led to the creation of a quite active IETF working group called SAVI to tackle the subject. An informational draft issued this February provides a good overview of a variety of 'attack vectors' and threats. How fast some of these RFC will be completed and approved and, more importantly, implemented remains however an open question.

China has reported that it is experimenting with a SAVA implementation in its CNGI (China Next Generation Internet) IPv6 only based R&E network, in no less than the United Kingdom's prestigious Philosophical Transactions of the Royal Society. This has in turn triggered some activity in the blogosphere ranging from more factual to a bit more alarming. Concluding yet again that China is light years ahead of the United States in IPv6 deployment remains questionable however. While CNGI has without question been the benchmark for native IPv6 deployment for many years in a Research and Education Networking environment, China has been really lagging so far in the commercial deployment of IPv6. They obviously bide their time.

While some will argue that SAVA would undermine their civil liberties and individual freedom especially when they prefer anonymity in whatever they are doing on the internet and others will see it as another step to big brother watching us, the need for better security is undeniable and even more urgent as we accelerate towards a mobile broadband data environment. IDC predicts that, this year, smartphone sales will for the first time surpass feature phones. Mobile operators enjoy usage based services and billing; to correctly identify the source will always remain essential to revenue generation and corporate wellbeing. And what would the impact be of a DDoS attack choking a major LTE network?

Major ISP's and mobile operators might want to track SAVA more closely; ça va ou ça va pas?

Written by Yves Poppe, Director, Business Development IP Strategy at Tata Communications

The official program

What I liked about the opening, was that it was modest. Nothing beyond this is who we are and this is what we try to achieve in the near future. And practical. On stage a Memorandum of Understanding on cooperation was signed with the US counterpart.

The following focal points were chosen by EC3 to start its work on fighting cybercrime:

1. That (is) committed by organised groups to generate large criminal profits such as online fraud;
2. That ... causes serious harm to the victim such as online child sexual exploitation;
3. That ... affects critical infrastructure and information systems in the EU.

Next to that,

"the Centre will also facilitate research and development and ensure capacity building among law enforcement, judges and prosecutors and will produce threat assessments, including trend analyses, forecasts and early warnings."

In this EC3 has made clear choices on what it will pursue. Choices that are well defensible, as online child sexual exploitation is a major concern for society as a whole, that always has the interest of the public eye. While major fraud and online incidents involving critical infrastructure are destabilising for the economy and the (trust in the) Internet itself. Next to financially hurting those that were attacked, phished, hacked or misled.

Starting modest

To start "small" is not a disadvantage. Expectations, although they are high for EC3, are tempered somewhat. When the centre proves it merit with first successes in 2013, interest grows. People like to be associated with success, so a grow in budget may well become possible soon after.

Challenges

From the sideline I see a few challenges for EC3. It needs the best data available in order to pursue its goals. What are the chances to engage with industry in order to receive data from multiple sources? Will EC3 be able to participate in some way in the botnet mitigation centres that have been and will be erected around Europe (and perhaps beyond) over the coming years? Will the relevant organisations in the Member States and beyond be willing to share relevant data with EC3? In what way are the new privacy rules of the EU a hindrance to successful cooperation? Concerns on this topic are regularly uttered, especially from the U.S. (a close partner, as we have seen!).

Will Member States allow EC3 some forms of cooperation or/and coordination between organisations from the Member States? This seems pivotal to me in order to tackle cross-border cases, which nearly all Internet crimes are.

Questions that are to be answered over the coming months and years, but will determine whether EC3 is able to really make a difference. Whether it will live up to its potential.

Opportunities

CERTs and EC3 are already working on a program run by ENISA to establish forms of cooperation. How about cooperation with other law enforcement agencies around the EU? Whether telecommunication, privacy, consumer, customs, anti-spam and malware, etc., all have complementary powers to the police. Having an overview of these powers could actually bring a broader spectrum of enforcement powers to the fore.

The police is there to arrest criminals, but this does not stop all perpetrations on the Internet. There is a world to win if the police world recognises other powers on hand and learns to exchange data with other entities if the police is not the first or perhaps not the best equipped party to act.

The EC3 could play this role in recognising other entities available to cooperate with, whether industry initiatives such as botnet centres and self-regulatory initiatives, national online threat or security centres and other law enforcement capabilities. From this a better overview of opportunities becomes available, capacity building is broadened and the overall exchange of meta data grows, enlarging the analysing and enforcement capabilities of all concerned.

Conclusion

The EC3 has opened and many challenges lay in front of it. It is a good thing the Centre has opened and an important step towards the much needed cross-border cooperation that is very much in demand to fight cybercrime in all its facets successfully. I wish EC3 the best of luck and many successes!

Written by Wout de Natris, Consultant international cooperation cyber crime + trainer spam enforcement

Top Ten Featured Blogs from the community in 2012:

#1		DNS Changerby Paul Vixie | Mar 27, 2012 | Viewed 66,094 times
#2		Trademarking .generics - the .bank Fiasco!by Konstantinos Komaitis | Jan 18, 2012 | Viewed 17,124 times
#3		Refusing REFUSEDby Paul Vixie | Jan 11, 2012 | Viewed 11,860 times
#4		MegaBust's MegaQuestions Cloud the Net's Futureby Philip S Corwin | Feb 13, 2012 | Viewed 10,430 times
#5		Anonymous Plans to Go After DNS Root Servers. What Will Be the US's Response?by Terry Zink | Feb 15, 2012 | Viewed 9,813 times
#6		Why the Dot Com Kingdom Will Continue to Rule Post New gTLDsby Naseem Javed | Jul 24, 2012 | Viewed 9,771 times
#7		Fake Bank Site, Fake Registrarby Garth Bruen | Mar 27, 2012 | Viewed 8,977 times
#8		Why Vint Cerf is Wrongby Wout de Natris | Nov 21, 2012 | Viewed 8,891 times
#9		Internet Governance and the Public Interestby Paul Diaz | Mar 19, 2012 | Viewed 8,384 times
#10		IPv6 Subnetting - The Paradigm Shiftby Chris Grundemann | Jul 19, 2012 | Viewed 8,380 times

Top 10 News in 2012:

#1		ISPs Are Not Broadcasters, Says Supreme Court of CanadaFeb 10, 2012 | Viewed 35,128 times
#2		Iran Blocks HTTPS, 30 Million Reported Losing Email AccessFeb 11, 2012 | Viewed 11,016 times
#3		Vint Cerf: The Launch of a New Larger InternetJun 05, 2012 | Viewed 8,257 times
#4		The Digital Marketing & gTLD Strategy Congress Announces Keynote, Speakers, Initial PartnershipsJan 08, 2013 | Viewed 7,841 times
#5		Akamai Reports 460 Times Increase in IPv6 Requests Over Its Platform Since Last YearOct 22, 2012 | Viewed 6,976 times
#6		Saudi Arabia Objects to Certain Proposed New gTLD Strings Such as .Gay and .WineAug 15, 2012 | Viewed 6,764 times
#7		Department of Commerce Cancels IANA Contract RFPMar 09, 2012 | Viewed 6,343 times
#8		SPECIAL: Updates from the ICANN Meetings in TorontoOct 17, 2012 | Viewed 5,802 times
#9		Most U.S. Agencies Expected to Miss IPv6 DeadlineSep 28, 2012 | Viewed 5,411 times
#10		Websites Go Dark Protesting SOPA and PIPA, Senators Change CourseJan 18, 2012 | Viewed 5,299 times

Top 10 Industry News in 2012 (sponsored posts):

#1		MarkMonitor Offers New gTLD Application Databaseby MarkMonitor | Jun 15, 2012 | Viewed 6,992 times
#2		DotConnectAfrica Participates in ICANN-45 Toronto, Unveils New IBCA Initiative at ICANN Public Forumby DotConnectAfrica | Oct 23, 2012 | Viewed 6,822 times
#3		ICANN 45: New gTLDs Not Far Away Nowby Afilias | Oct 25, 2012 | Viewed 5,676 times
#4		MarkMonitor to Exhibit at Internet Tech Policy Exhibition and Reception to be Held on Capitol Hillby MarkMonitor | Jan 24, 2012 | Viewed 5,355 times
#5		CentralNic and REG.RU Confirm Strategic Partnershipby CentralNic | Jul 30, 2012 | Viewed 5,244 times
#6		MarkMonitor Fraud Intelligence Report, Q4 2011by MarkMonitor | Feb 17, 2012 | Viewed 5,037 times
#7		Afilias Participates in Global Test of Multilingual IDN Emailby Afilias | Jun 28, 2012 | Viewed 4,857 times
#8		Implementing a Cyber-Security Code of Conduct: Real-Life Lessons From Australia (Webinar)by Nominum | Apr 30, 2012 | Viewed 4,665 times
#9		Top-Level Domain Survey Findings Not Surprising, But Still Concerningby MarkMonitor | Sep 05, 2012 | Viewed 4,509 times
#10		Public Interest Registry Releases Results of Bi-Annual Domain Name Reportby PIR | Aug 14, 2012 | Viewed 4,462 times

Additionally, you can also check the leaderboards for CircleID's overall top 100 community and industry participants.

Written by CircleID Reporter

Neustar, a trusted, neutral provider of real-time information and analysis to the Internet, telecommunications, information services, financial services, retail, media and advertising sectors, announces the launch of Neustar Professional Services with a comprehensive suite of IT service offerings for enterprise organizations of all sizes. Neustar's seasoned team of professionals provides the expertise and resources organizations need to ensure the performance, security and reliability of their IT infrastructure.
A Comprehensive Approach – Neustar Professional Services offers a series of detailed assessments of your Internet infrastructure, both internal and public-facing. In each assessment a full system analysis is conducted, including interviews with your staff, ranking your vulnerabilities, citing best practices and making recommendations for efficient troubleshooting.

Organizations today face complex IT challenges, including reduced budgets and insufficient IT staff to meet critical deadlines. Using its proven three-dimensional methodology — discover, design, deploy — Neustar's team of experts helps customers identify the root of their IT problems and creates a comprehensive and technologically neutral solution to meet the customers' objectives. Once the solution is implemented, the team is available around the clock to help sustain critical systems and adjust to meet the organization's evolving needs.

"Our team has vast expertise in critical IT disciplines, from web performance to security," said Alex Berry, senior vice president of Enterprise Services at Neustar. "Each engineer has senior-level technical experience and brings a neutral, independent perspective to the job. With Neustar Professional Services, IT departments can extend themselves with confidence and get the results they need."

Meet Our Experts – Neustar experts are highly experienced and incredibly competent, exactly the sort of people you'd trust with your web performance and security.

Neustar Professional Services offerings include:

• Security and Reliability: Comprehensive assessments that include network vulnerability and penetration testing to deliver holistic and actionable insights to prioritize resources for maximum security — all while meeting best practices.
• Web Performance Analysis and Testing: Full-service website load testing that helps organizations protect their customers' experience by identifying traffic bottlenecks, ensuring sites can handle traffic and providing custom recommendations for improving performance.
• Integration, Migration and Training: Services that help customer IT departments integrate or migrate systems and policies effectively on any platform, while also providing in-depth training to enable customers to use the capabilities available through their solutions.
• Consulting Services: Services that help organizations accelerate projects, fill critical staffing gaps and access expertise in technical account management.

Learn more about Neustar Professional Services and meet the IT industry veterans on the team.