DDosMon: A Global DDoS Monitoring Project, by Yiming Gong.
A presentation given in the FIRST TC Security Session (2) at APNIC 42 on Wednesday, 5 October 2016.
This webinar provides an overview of the CMMC certification process and how ControlCase can help organizations achieve and maintain compliance. It discusses what CMMC is, who it applies to, the different certification levels, and the assessment process. ControlCase offers certification services to help clients become certified in CMMC and other standards with one audit. It also provides continuous compliance services through automated tools to address vulnerabilities and ensure ongoing compliance.
HSM stands for Hardware Security Module, a tamper-resistant physical device used to securely generate, store and manage cryptographic keys and to perform cryptographic operations. The payment industry commonly uses specialized HSMs to protect keys and data for payment card personalization, transaction authorization and verification. While HSMs provide high security, they are also expensive, so some companies offer HSM services running software that simulates an HSM's functions. The Thales Simulator is an open source software library that emulates the cryptographic functions of Thales HSM devices. It can be downloaded, installed and configured to listen on a network port, so that applications designed to integrate with real HSM devices can be tested against it.
The document discusses digital forensics and incident response. It covers topics such as:
- The digital forensics process of collection, examination, analysis and reporting of evidence.
- Principles of evidence handling including types of evidence, chain of custody and preserving data integrity.
- Models for analyzing security incidents such as the Cyber Kill Chain which outlines the stages of an attack, and the Diamond Model which classifies events.
- Techniques for attributing attacks such as analyzing tactics, techniques and procedures used.
The document presents a session on incident management according to the ISO 27002 standard. It explains the context and basic definitions of incident management, reviews the relevant controls of the standard, and describes the complete incident management process, including planning, detection, assessment, response, lessons learned and the use of tools for its implementation. It also introduces an alternative view of the process model of the ISO 27022 standard.
CISSP Prep: Ch 9. Software Development Security (Sam Bowne)
The document discusses various topics related to software development security including programming concepts, compilers and interpreters, procedural vs object-oriented programming, software development lifecycles, agile development methods, database security, and object-oriented design. It also covers assessing software security through vulnerabilities, maturity models, and testing as well as artificial intelligence techniques.
This document discusses CISSP training. It provides information on the Certified Information Systems Security Professional (CISSP) certification and recommends training courses to help professionals prepare to pass the CISSP exam. The document suggests reviewing training materials that cover the 10 domains of knowledge required by the exam, including security and risk management, asset security, security engineering, and communication and network security.
Malware is frequently spread through email and poses a security threat to home networks. Email threats include malware like viruses, trojans, worms, and spam. To prevent email viruses, people should not open suspicious attachments, use antivirus software, disable automatic attachment opening, and regularly scan for viruses. Worms can copy and spread themselves without user involvement, potentially spreading viruses. Trojans appear as normal applications but contain viruses.
One of the most critical aspects of safeguarding the IT assets of any corporation is dealing with the insider threat. With so many diversified IT components, it is a real challenge to design an effective IT security strategy. It is critical to recognize this particular threat and take countermeasures to protect your assets. This webinar covers: insider threats, how to mitigate them, how to design an effective IT security strategy, and how to protect your assets.
Main points covered:
• Insider threats
• How to design an effective IT security strategy
• How to protect your assets
Presenter:
The webinar was hosted by Demetris Kachulis. Mr. Kachulis is an expert in the field of Information Security. With over 20 years of Wall Street consulting experience, he has worked with many Fortune 500 companies. He is currently the director of Eldion Consulting, a company offering Security, Trainings and Business solutions.
Link of the recorded session published on YouTube: https://youtu.be/hXe5HHjnBeU
This document provides information on various intranet, extranet, and wide area network (WAN) technologies. It discusses unified threat management (UTM), content distribution networks (CDN), software-defined networking (SDN), metropolitan area networks (MAN), and common WAN concepts and technologies including CSU/DSU, switching, frame relay, X.25, and asynchronous transfer mode (ATM).
This document provides an overview of security awareness training from the University of Memphis' ITS department. It covers topics like password security, email security, safe browsing, ransomware, privacy, data encryption, mobile security, and two-factor authentication. University policies on data access and security are also referenced. Reporting security incidents and additional resources are outlined. The training emphasizes that technology can only address some risks and that users are the primary targets of hackers seeking access to systems and data.
Cyber crime involves using computers and the internet to steal identities or data. The document discusses the history and types of cyber crimes such as hacking, denial of service attacks, and software piracy. It provides statistics on common cyber attacks and safety tips for preventing cyber crimes like using antivirus software and firewalls. The conclusion reflects on how technology can be destructive if not used responsibly.
This document outlines several security frameworks that can be used to guide enterprise security architecture development. It discusses frameworks for information security management systems (ISO27000), enterprise architecture (Zachman, TOGAF), governance (COBIT, COSO), operational best practices (ITIL), and process improvement (Six Sigma, CMMI). The key aspects of a successful enterprise security architecture identified are strategic alignment with business needs, enabling business processes, enhancing existing processes, and ensuring security effectiveness through metrics and risk management.
How Android utilizes its Linux core in the heart of its security architecture
Presented at August-Penguin 2015, Israel Open-Source organization conference
http://ap.hamakor.org.il/2015
Enumeration belongs to the first phase of ethical hacking, information gathering. In this process the attacker establishes an active connection with the target and tries to discover as many attack vectors as possible, which can then be used to exploit the systems further.
The document discusses information life cycle and asset security. It covers the following key points:
1. Information goes through a four-phase life cycle of acquisition, use, archival and disposal. Controls are needed at each phase to protect the information.
2. Data classification and categorization help determine the appropriate security controls for different types of sensitive data based on their value, sensitivity, and criticality.
3. Roles such as data owner, data custodian, and system owner are defined along with their responsibilities to ensure proper management and protection of data throughout its life cycle.
User awareness and security practices are important for protecting against cyber threats. It is not possible to ensure 100% security through technology alone. Individual responsibility and following best practices are key to a successful security program. The document outlines various cyber threats like viruses, social engineering, and password cracking. It emphasizes the importance of security awareness, strong passwords, keeping systems updated, anti-virus software, and careful handling of personal information. Multiple layers of security through practices like firewalls, access control, and backups can help bolster defenses.
This document discusses NTP (Network Time Protocol), including its history, versioning, stratum levels for synchronization, uses on Windows and Linux systems, importance of accurate timekeeping for security purposes, and past attacks against NTP like denial of service and buffer overflows. It also briefly mentions the "monlist" debugging command in NTP.
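The reason "monlist" matters for DDoS is concrete enough to show in code. The following Python is an added example, not code from the NTP document summarised above or from ntpd itself: it builds the 8-byte NTP mode 7 monlist request that scanners and reflection attackers send, decodes a monlist response using the field layout of ntpd's ntp_request.h (8-byte header, then 72-byte info_monitor_1 entries), and computes the amplification ratio. The response bytes, addresses and counters are constructed for the demo; probe() is included only for servers you are authorised to test.

```python
import socket
import struct

# Constants from ntpd's ntp_request.h (NTP mode 7, the "private" control protocol)
RESP_BIT = 0x80            # set in responses
MORE_BIT = 0x40            # set when further response packets follow
IMPL_XNTPD = 3             # implementation number ntpd answers to
REQ_MON_GETLIST_1 = 42     # the "monlist" request code
MON_ENTRY_SIZE = 72        # sizeof(struct info_monitor_1)
HEADER = "!BBBBHH"         # rm_vn_mode, auth_seq, implementation, request, err_nitems, mbz_itemsize


def build_monlist_request():
    """The 8-byte probe: version 2, mode 7, no authentication, so any spoofed source works."""
    rm_vn_mode = (2 << 3) | 7              # version in bits 3-5, mode 7 in bits 0-2 -> 0x17
    return struct.pack(HEADER, rm_vn_mode, 0, IMPL_XNTPD, REQ_MON_GETLIST_1, 0, 0)


def parse_monlist_response(pkt):
    """Decode one monlist response packet into the recent-client entries it carries."""
    if len(pkt) < 8:
        raise ValueError("short packet")
    rm_vn_mode, _auth_seq, impl, req, err_nitems, mbz_itemsize = struct.unpack(HEADER, pkt[:8])
    if not rm_vn_mode & RESP_BIT or impl != IMPL_XNTPD or req != REQ_MON_GETLIST_1:
        raise ValueError("not a monlist response")
    err = err_nitems >> 12                 # 4-bit error code
    nitems = err_nitems & 0xFFF            # 12-bit item count
    itemsize = mbz_itemsize & 0xFFF        # 12-bit item size (72 for MON_GETLIST_1)
    if err:
        raise ValueError(f"server returned error code {err}")
    entries = []
    body = pkt[8:]
    for i in range(nitems):
        item = body[i * itemsize:(i + 1) * itemsize]
        if len(item) < 32:
            break
        # First 32 bytes of info_monitor_1: 7 x u_int32, u_short port, u_char mode, u_char version
        (lasttime, firsttime, restr, count, addr, daddr,
         flags, port, mode, version) = struct.unpack("!IIIIIIIHBB", item[:32])
        entries.append({
            "client": socket.inet_ntoa(struct.pack("!I", addr)),   # leaked client address
            "count": count, "port": port, "mode": mode, "version": version,
        })
    return {"more": bool(rm_vn_mode & MORE_BIT), "entries": entries}


def amplification_factor(request, responses):
    """Bytes the reflector sends to the spoofed victim per byte the attacker sent."""
    return sum(len(r) for r in responses) / len(request)


def make_sample_response():
    """Constructed response (not captured from a real server) carrying two client entries."""
    def entry(client_ip, count, port):
        addr = struct.unpack("!I", socket.inet_aton(client_ip))[0]
        daddr = struct.unpack("!I", socket.inet_aton("192.0.2.1"))[0]   # the server's own address
        head = struct.pack("!IIIIIIIHBB", 10, 5, 0, count, addr, daddr, 0, port, 3, 4)
        return head + b"\x00" * (MON_ENTRY_SIZE - len(head))            # v6 fields left zero
    items = [entry("198.51.100.23", 1200, 123), entry("203.0.113.5", 7, 40321)]
    header = struct.pack(HEADER, RESP_BIT | (2 << 3) | 7, 0, IMPL_XNTPD,
                         REQ_MON_GETLIST_1, len(items), MON_ENTRY_SIZE)
    return header + b"".join(items)


def probe(host, timeout=2.0):
    """Send the request to a live server you are authorised to test and collect every packet."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    s.sendto(build_monlist_request(), (host, 123))
    packets = []
    try:
        while True:
            pkt, _ = s.recvfrom(1024)
            packets.append(pkt)
            if not parse_monlist_response(pkt)["more"]:
                break
    except socket.timeout:
        pass
    finally:
        s.close()
    return packets


if __name__ == "__main__":
    resp = make_sample_response()
    print(parse_monlist_response(resp))
    print("amplification:", amplification_factor(build_monlist_request(), [resp]))
```

Two properties make this a reflector: the request is unauthenticated UDP, so the source address can be a victim's, and one 8-byte request elicits a response of up to six 72-byte entries per packet with the MORE bit chaining further packets, so the ratio grows with the server's client list. The fix is the one the NTP document implies: disable mode 7 queries (`disable monitor`, or `restrict default noquery`) and upgrade to an ntpd that no longer honours monlist.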
This month, Community IT presents basic IT security training for end users. Learn about common threats and the best techniques for dealing with them. This webinar is intended for a broad audience of both technical and non-technical staff.
This document has been prepared to help build a good penetration testing and vulnerability assessment lab. It contains hardware requirements, manual and automated software requirements, and approaches for performing penetration testing.
Further, this document is designed to set up a penetration test lab in order to simulate vulnerabilities in the testing environment and to execute the vulnerability assessment and penetration testing from the lab, providing a static IP to the client so that the test is verifiably performed from a valid, legitimate link.
The document discusses cryptography and its key concepts. It defines cryptography as disguising messages so that only the intended recipient can decipher them. It then discusses various cryptographic techniques like encryption, decryption, cryptanalysis, symmetric ciphers and asymmetric ciphers, and algorithms like the Caesar cipher, Vigenere cipher, Playfair cipher, Hill cipher, one-time pad and Diffie-Hellman key exchange. It provides examples to explain these concepts and techniques in cryptography.
Class diagram templates to instantly create class diagrams, Creately blog (MdJishan7)
The document provides several class diagram templates that can be used to model common systems. It includes templates for systems like banking, employee management, flight reservations, and more. Each template includes the key classes and relationships for that type of system. Users can click on the images to modify the templates in an online diagramming tool to fit their specific needs.
The document discusses email security and best practices. It notes that email is essential for daily work but poses security risks like unauthorized access, data leakage, and malware infiltration. It recommends configuring email servers securely, establishing policies for email use and retention, monitoring for anomalies, and educating users on secure email practices. Overall, the document emphasizes the importance of securing email infrastructure while enabling effective and appropriate use of email to meet business objectives.
This document discusses computational hardness and complexity classes related to cryptography. It covers the computational complexity of problems like factoring large numbers and the discrete logarithm problem. These problems are assumed to be hard, even for quantum computers, and form the basis for cryptographic techniques. The document also discusses how cryptography could be broken if faster algorithms were found for these problems or if the key sizes used were too small.
The document discusses various aspects of secure software development lifecycles (SDLC). It covers quality factors, reasons for lack of security, and the typical 5 phases of SDLC - requirements gathering, design, development, testing/validation, and release/maintenance. It then provides more details on requirements gathering, design, development, and testing phases. Finally, it discusses different SDLC models, programming languages, concepts, and distributed computing standards.
EC-Council Certification Roadmap and Course Catalog (NetCom Learning)
NetCom Learning is an Accredited Training Center of EC-Council meeting strict excellence standards for delivering instructor-led training. Our EC-Council enterprise skilling plan makes your employees competent in understanding information security's critical aspects, including ethical hacking, network defense, security analysis, and more.
This document discusses analyzing DNS data to detect DNS-based distributed denial-of-service (DDoS) attacks. It finds that random subdomain attacks and attacks using open home gateways and bot malware are increasingly common. These attacks strain DNS resolvers and authoritative servers by generating large volumes of recursive queries with randomized subdomains. The document recommends filtering DNS traffic at the ingress of resolvers to minimize workload and stress, while still allowing legitimate queries by using near-real-time blocklists and whitelisting valid subdomains for popular domains.
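The ingress filter that document recommends can be sketched in a few dozen lines. The following Python is an added example, not code from the document or from any resolver: it parses a constructed resolver query log, flags a zone as under random-subdomain attack when it receives many queries that almost all ask for a different subdomain, and then applies the three rules in the summary at ingress: a near-real-time client blocklist, an allowlist of valid subdomains for popular zones, and dropping everything else aimed at a flooded zone. The log format, thresholds, blocklist and allowlist contents, and the assumption that the attacked zone is the rightmost two labels are all assumptions made for the example.

```python
import random
import re
from collections import defaultdict

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")   # "timestamp client qname qtype"


def make_sample_log():
    """Constructed resolver query log (not real traffic): a few normal queries for
    example.com plus a burst of random-subdomain queries from many clients."""
    rng = random.Random(7)                     # seeded so the sample is reproducible
    alphabet = "abcdefghijklmnopqrstuvwxyz0123456789"
    lines = [
        "2016-10-05T10:00:00 192.0.2.10 www.example.com A",
        "2016-10-05T10:00:01 192.0.2.11 mail.example.com A",
        "2016-10-05T10:00:02 192.0.2.12 www.example.org A",
        "2016-10-05T10:00:03 198.51.100.9 www.example.com A",   # client on the blocklist
    ]
    for i in range(40):
        label = "".join(rng.choice(alphabet) for _ in range(12))
        lines.append(f"2016-10-05T10:00:{i % 60:02d} 203.0.113.{i % 20} {label}.example.com A")
    return lines


def parse(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, qname, qtype = m.groups()
    labels = qname.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return None
    # Assumption: the zone under attack is the rightmost two labels. A real deployment
    # would consult the public suffix list so that e.g. example.co.uk is split correctly.
    return {"ts": ts, "client": client, "qname": ".".join(labels), "qtype": qtype,
            "base": ".".join(labels[-2:]), "sub": ".".join(labels[:-2])}


def find_flooded_domains(records, min_queries=20, unique_ratio=0.8):
    """A zone is under random-subdomain attack when it receives many queries and
    almost every one asks for a different subdomain (each one misses the cache
    and is forwarded to the authoritative servers)."""
    subs_by_base = defaultdict(list)
    for r in records:
        if r["sub"]:
            subs_by_base[r["base"]].append(r["sub"])
    flooded = {}
    for base, subs in subs_by_base.items():
        ratio = len(set(subs)) / len(subs)
        if len(subs) >= min_queries and ratio >= unique_ratio:
            flooded[base] = ratio
    return flooded


def filter_queries(lines, blocklist, allowlist, **thresholds):
    """Ingress decision per query: drop blocklisted clients, drop queries for a
    flooded zone unless the subdomain is on that zone's allowlist, allow the rest."""
    records = [r for r in map(parse, lines) if r]
    flooded = find_flooded_domains(records, **thresholds)
    decisions = []
    for r in records:
        if r["client"] in blocklist:
            verdict = "drop:blocklisted-client"
        elif r["base"] in flooded and r["sub"] not in allowlist.get(r["base"], set()):
            verdict = "drop:random-subdomain"
        else:
            verdict = "allow"
        decisions.append((r["qname"], r["client"], verdict))
    return flooded, decisions


if __name__ == "__main__":
    flooded, decisions = filter_queries(
        make_sample_log(),
        blocklist={"198.51.100.9"},
        allowlist={"example.com": {"www", "mail"}},
    )
    print("flooded zones:", flooded)
    for qname, client, verdict in decisions:
        print(f"{verdict:24} {client:14} {qname}")
```

In production the detection would run over a sliding time window per zone rather than the whole file, and the allowlist for a popular zone would be seeded from names that resolved successfully before the flood started, which is what keeps legitimate queries flowing while the random ones are dropped before they reach the authoritative servers.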
DNS Security: WebTitan Web Filter - Stop Malware (Dryden Geary)
This document discusses the network threat challenges organizations face from malware, attacks, and exploits that target their DNS infrastructure. It outlines how DNS protection solutions like WebTitan can help by filtering high-risk websites in real-time to block malware, ransomware, viruses and other threats while enforcing acceptable web access policies. WebTitan provides complete DNS layer protection, custom filtering and reporting without any hardware or software to install.
Weapons of Mass Disruption by Roman Lara for OWASP San Antonio Chapter meetup (michaelxin2015)
We now live in a world where individuals or groups of individuals hold the same destructive power that only nation states once held. For as little as a couple of dollars an hour, Fortune 500 companies and even nation states have been wiped off the Internet. The emergence of professional DDoS services is changing the threat landscape of the Internet once again. We'll take a look at DDoS tools and services and what we can do to combat them.
This document summarizes research conducted by OpenDNS on catching malware using DNS and IP data. It describes how OpenDNS analyzed DNS records to track fast flux botnets, crimeware command and control infrastructure, and phishing domains. Visualization techniques were used to create graphs of the relationships between domains and IP addresses over time. This research enabled OpenDNS to detect and block new strains of malware.
"In this session, we will address the current threat landscape, present DDoS attacks that we have seen on AWS, and discuss the methods and technologies we use to protect AWS services. You will leave this session with a better understanding of:
DDoS attacks on AWS as well as the actual threats and volumes that we typically see.
What AWS does to protect our services from these attacks.
How this all relates to the AWS Shared Responsibility Model."
Wilson Rogério Lopes presented on the evolution of DDoS attacks and mitigation options. He discussed how amplification attacks have grown in size using protocols like NTP and SSDP. IoT botnets using CCTV cameras conducted large DDoS attacks in 2016. Mitigation options discussed include using clean pipe providers, cloud DDoS services, BGP routing, and homemade tools like iptables and ModSecurity. The presentation recommended a hybrid mitigation strategy using both on-premise and cloud-based solutions.
This document discusses internet background radiation and DDoS attacks seen by CloudFlare between January and July 2012. Some key points:
- CloudFlare sees 64 billion page views per month and the majority (95.5%) of DDoS attacks are layer 7. The largest attack was 65Gbps.
- Layer 4 attacks mainly target port 80 (TCP) and DNS (UDP), while layer 7 attacks originate from many different IPs but mostly the US, China, Turkey, Brazil and Thailand.
- Reflection and amplification attacks exploit protocols like DNS and SNMP to magnify small queries into large responses. Booter websites and botnets are also used to launch attacks.
- Attacks are
FS-ISAC 2014 Troubleshooting Network Threats: DDoS Attacks, DNS Poisoning and... (ThousandEyes)
The network is a key component in application delivery and is often a direct or indirect target of security attacks such as DDoS and BGP hijacking. Mitigation strategies often involve using a third party cloud service without any visibility into whether the mitigation is working well. Using real life examples, we will show how one can measure the user perceived impact of an ongoing attack, as well as identify which aspects of the mitigation are not working as desired. With this detailed availability and performance data at the various layers, financial firms can learn how to better manage ongoing attacks.
Combating Cyberattacks through Network Agility and Automation (Sagi Brody)
As presented in January 2018 at PTC18 in Hawaii. This talk covers new network automation technologies and strategies that can be used to combat cyberattacks including DDoS, ransomware and reflection attacks. It specifically discusses how DDoS monitoring and mitigation can be improved by using interconnection fabrics in place of traditional GRE tunnels for out-of-band communication; how Disaster Recovery as a Service (DRaaS) can be an entry point for cyberattacks; how DRaaS infrastructure can be used to improve production-site security; and how managed security service providers can integrate directly with DRaaS infrastructure and software-defined perimeter solutions to improve automated network failover and failback.
This document provides an overview of distributed denial of service (DDoS) attacks including:
- Common types of DDoS attacks like UDP floods, SYN floods, DNS floods and HTTP floods and how they work to overwhelm servers.
- How DDoS attacks are evolving to larger sizes and more complex botnets.
- Methods for mitigating DDoS attacks including black hole routing, rate limiting, web application firewalls, anycast networks and cloud-based DDoS protection services.
- A real example of mitigating a massive 400Gbps DDoS attack and the largest attacks seen to date.
Infoblox - turning DNS from security target to security tool (Jisc)
This document discusses how DNS has historically been exploited by malicious actors but can now be used as a security tool through techniques like Response Policy Zones (RPZs) and passive DNS. It explains how RPZs allow DNS servers to redirect or refuse queries based on policies. Passive DNS involves collecting DNS response data that can reveal suspicious activity patterns. Together, RPZs and passive DNS enable network administrators to leverage DNS to mitigate threats rather than just be complicit in attacks.
Spoofing and Denial of Service: A risk to the decentralized Internet - APNIC
This document discusses the problems caused by IP spoofing and denial of service (DDoS) attacks on the decentralized internet. It notes that technical solutions to IP spoofing have failed to fully address the problem. Without the ability to accurately trace attack traffic back to its source, attacks allow impersonation and amplification to occur anonymously. This lack of attribution forces networks to either absorb large attacks or route attack traffic elsewhere, undermining the decentralized structure of the internet. The document argues that implementing better netflow monitoring and supporting full netflow standards would allow accurate tracing of traffic and proper attribution of attacks. With attribution in place, a more informed discussion can occur to ultimately solve DDoS attacks and preserve the decentralized internet.
DDoS And Spoofing, a risk to the decentralized internet - Tom Paseka
Spoofing brings great risk to the Internet, and very few networks are capable of mitigating attacks, resulting in the Internet possibly being centered on a handful of networks.
The document discusses several advanced persistent threats (APTs) that have targeted systems in Korea and other countries, including the LuckyCat, Heartbeat, and Flashback malware campaigns. It provides details on the attacks, malware components, command and control infrastructure, and technical analysis of the threats. The document aims to help the digital forensics community in Korea understand these sophisticated cyber espionage activities and improve defenses against similar attacks.
What You Should Know Before The Next DDoS Attack - Cloudflare
Last month, the world's largest-ever distributed denial of service (DDoS) attack, 1.35 Tbps, hit GitHub and raised the stakes for every commercial website. These increasingly larger and more distributed attacks challenge security practitioners to better anticipate potential attacks on their own applications and infrastructure. In this live webinar, Cloudflare security experts will discuss the new DDoS landscape and mitigation techniques.
This presentation discusses the various types of distributed denial of service attacks launched worldwide by botnets in 2014. From DNS to Layer7 attacks, this deck provides an expert analysis of botnet breakdowns by-the-numbers including where the majority of botnets came from regionally, what attack trends were most popular, and when these attacks occurred.
This document discusses how to launch and defend against DDoS attacks. It explains that DDoS attacks are easy to conduct using tools that allow for spoofing of IP addresses. It also describes how protocols like UDP and DNS amplification attacks can be used to launch large attacks. The document then provides recommendations for how to defend against DDoS attacks, including using a global network with anycast, hiding your origin IP, separating protocols by IP, and working closely with your upstream provider.
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum... - APNIC
Adli Wahid, Senior Internet Security Specialist at APNIC, delivered a presentation titled 'Honeypots Unveiled: Proactive Defense Tactics for Cyber Security' at the Phoenix Summit held in Dhaka, Bangladesh from 23 to 24 May 2024.
Securing BGP: Operational Strategies and Best Practices for Network Defenders... - APNIC
Md. Zobair Khan, Network Analyst and Technical Trainer at APNIC, presented 'Securing BGP: Operational Strategies and Best Practices for Network Defenders' at the Phoenix Summit held in Dhaka, Bangladesh from 23 to 24 May 2024.
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024 - APNIC
Ellisha Heppner, Grant Management Lead, presented an update on the APNIC Foundation to the PNG DNS Forum held from 6 to 10 May 2024 in Port Moresby, Papua New Guinea.
Registry Data Accuracy Improvements, presented by Chimi Dorji at SANOG 41 / I... - APNIC
Chimi Dorji, Internet Resource Analyst at APNIC, presented on Registry Data Accuracy Improvements at SANOG 41, jointly held with INNOG 7 in Mumbai, India from 25 to 30 April 2024.
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E... - APNIC
Sunny Chendi, Senior Advisor, Membership and Policy at APNIC, presented 'APNIC Policy Roundup' at the 5th ICANN APAC-TWNIC Engagement Forum and 41st TWNIC OPM in Taipei, Taiwan from 23 to 24 April.
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024 - APNIC
Dave Phelan, Senior Network Analyst/Technical Trainer at APNIC, presented 'DDoS In Oceania and the Pacific' at NZNOG 2024 held in Nelson, New Zealand from 8 to 12 April 2024.
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op... - APNIC
Geoff Huston, Chief Scientist at APNIC, delivered a keynote presentation on the 'Future Evolution of the Internet' at the Everything Open 2024 conference in Gladstone, Australia from 16 to 18 April 2024.
IP addressing and IPv6, presented by Paul Wilson at IETF 119 - APNIC
Paul Wilson, Director General of APNIC, delivered a presentation on IP addressing and IPv6 to the Policymakers Program during IETF 119 in Brisbane, Australia from 16 to 22 March 2024.
draft-harrison-sidrops-manifest-number-01, presented at IETF 119 - APNIC
Tom Harrison, Product and Delivery Manager at APNIC, presented at the Registration Protocols Extensions working group during IETF 119 in Brisbane, Australia from 16 to 22 March 2024.
Benefits of doing Internet peering and running an Internet Exchange (IX) pres... - APNIC
Che-Hoo Cheng, Senior Director, Development at APNIC, presented on the "Benefits of doing Internet peering and running an Internet Exchange (IX)" at the Communications Regulatory Commission of Mongolia's IPv6, IXP, Datacenter - Policy and Regulation International Trends Forum in Ulaanbaatar, Mongolia on 7 March 2024.
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85 - APNIC
APNIC Senior Advisor, Membership and Policy, Sunny Chendi presented on APNIC updates and RIR Policies for ccTLDs at APTLD 85 in Goa, India from 19 to 22 February 2024.
HijackLoader Evolution: Interactive Process Hollowing - Donato Onofri
CrowdStrike researchers have identified a HijackLoader (aka IDAT Loader) sample that employs sophisticated evasion techniques to enhance the complexity of the threat. HijackLoader, an increasingly popular tool among adversaries for deploying additional payloads and tooling, continues to evolve as its developers experiment and enhance its capabilities.
In their analysis of a recent HijackLoader sample, CrowdStrike researchers discovered new techniques designed to increase the defense evasion capabilities of the loader. The malware developer used a standard process hollowing technique coupled with an additional trigger that was activated by the parent process writing to a pipe. This new approach, called "Interactive Process Hollowing", has the potential to make defense evasion stealthier.
1. DDoSMon
A Global DDoS Monitoring Project
APNIC 42
Yiming Gong
Network Security Research Lab, Qihoo 360
netlab.360.com
2. About
• About 360.com
• The biggest internet security company in China
• More than 500 million monthly active Internet users, according to iResearch.
• About me
• Director of the network security research lab
• Passivedns https://passivedns.cn
• Ddosmon https://ddosmon.net
• Scanmon http://scan.netlab.360.com/
• Opendata http://open.netlab.360.com DGA, EK, etc
• And a few other projects
3. Motivation
• DDoS is one of the biggest Internet security threats globally
• Akamai: 129% increase in DDoS attacks in the second quarter of 2016
(https://www.akamai.com/us/en/multimedia/documents/state-of-the-internet/akamai-q2-2016-internet-security-executive-review.pdf)
• Verisign: DDoS attacks are becoming more sophisticated and persistent in the second quarter of 2016
(https://www.verisign.com/assets/report-ddos-trends-Q22016.pdf)
• There is a lack of true visibility regarding DDoS incidents
• Most of the time, only the victims and the big pipe providers know what happens
• Sometimes even they don't have the needed visibility
4. Realtime Global DDoS attacks monitoring
https://ddosmon.net
• On average it sees more than 20,000 DDoS attacks every day (one of the biggest?)
5. How does DDoSMon Work
• Mainly based on three major components
o Realtime NetFlow traffic (layer 4)
o Realtime DNS traffic (DNS amplification, DNS reflection, etc.)
o Realtime DDoS botnet command tracking system
6. 1: Realtime NetFlow Traffic
• Collect huge volumes of NetFlow from various networks
o Large network backbone routers
o User-contributed flows
o Handles more than 30 billion NetFlow records every day
o Data is processed in near real time
7. NetFlow Based Attack Detection
Spike detection
The first important step for heuristic DDoS attack recognition
• Cumulative moving average algorithm
Characteristics recognition
Different DDoS attack vectors usually present certain characteristics in NetFlow traffic.
• Amplification flood
1. More than 90% of the traffic is UDP
2. Most of the packets come from a few fixed suspicious source ports, e.g. 19, 53, 123, 1900, 0
3. Most of the packets are large
• SYN flood
1. More than 90% of the traffic is TCP
2. All TCP packets have only the SYN flag set
3. The source IP address distribution is normally not random enough
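The two slide-7 heuristics carried through in code, as an added example that is not part of the DDoSMon slides or the project's code: a cumulative-moving-average spike test followed by the amplification and SYN-flood characteristic checks, run over constructed NetFlow summaries. The record fields, the thresholds (3x the running mean, a 1000-byte average, a dominant /24) and the sample intervals are assumptions.

```python
# Added example, not code from the DDoSMon project: the two slide-7 heuristics
# (CMA spike test, then per-vector characteristics) over constructed NetFlow
# summaries. Field names and thresholds are assumptions, not DDoSMon's.
from collections import Counter

AMP_PORTS = {19, 53, 123, 1900, 0}   # suspicious source ports named on the slide
SYN = 0x02                            # TCP SYN bit in the NetFlow flags byte

def spike(history, current, factor=3.0):
    """Cumulative moving average test: spike if the interval's packet rate
    exceeds the running mean of the previous intervals by `factor`."""
    return bool(history) and current > factor * (sum(history) / len(history))

def classify(flows):
    """'amplification', 'syn_flood' or None for one interval of flows toward
    a single destination, following the slide's characteristics."""
    total = sum(f["packets"] for f in flows) or 1
    udp = [f for f in flows if f["proto"] == 17]
    tcp = [f for f in flows if f["proto"] == 6]
    if sum(f["packets"] for f in udp) / total > 0.9:            # >90% UDP
        from_amp = sum(f["packets"] for f in udp if f["src_port"] in AMP_PORTS)
        avg_bytes = sum(f["bytes"] for f in udp) / sum(f["packets"] for f in udp)
        if from_amp / total > 0.9 and avg_bytes > 1000:         # large packets
            return "amplification"
    if sum(f["packets"] for f in tcp) / total > 0.9:            # >90% TCP
        syn_only = sum(f["packets"] for f in tcp if f["flags"] == SYN)
        srcs = {f["src_ip"] for f in tcp}
        # "not random enough": one /24 prefix holds most of the source addresses
        top = Counter(ip.rsplit(".", 1)[0] for ip in srcs).most_common(1)[0][1]
        if syn_only / total > 0.9 and top / len(srcs) > 0.5:
            return "syn_flood"
    return None

def detect(history, current_pps, flows):
    """Slide-7 pipeline: only an interval that spikes gets classified."""
    return classify(flows) if spike(history, current_pps) else None

def flow(proto, src_ip, src_port, packets, nbytes, flags=0):
    return {"proto": proto, "src_ip": src_ip, "src_port": src_port,
            "packets": packets, "bytes": nbytes, "flags": flags}

# Constructed sample intervals (RFC 5737 addresses), one destination each.
AMP_INTERVAL = ([flow(17, f"198.51.100.{i}", 53, 2000, 2_800_000) for i in range(20)]
                + [flow(17, "203.0.113.9", 123, 500, 700_000),
                   flow(6, "192.0.2.1", 44000, 100, 6_000, 0x18)])
SYN_INTERVAL = ([flow(6, f"192.0.2.{60 + i}", 40000 + i, 5000, 200_000, SYN) for i in range(5)]
                + [flow(17, "203.0.113.2", 53, 50, 5_000)])
QUIET_INTERVAL = [flow(17, "203.0.113.5", 53, 300, 30_000),
                  flow(6, "203.0.113.6", 443, 400, 400_000, 0x18)]
BASELINE = [100, 120, 110, 130]      # packets/s seen in the previous intervals
```

`detect(BASELINE, 40600, AMP_INTERVAL)` yields "amplification" and `detect(BASELINE, 25050, SYN_INTERVAL)` yields "syn_flood", while an interval that does not spike is never classified.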
8. 2: Realtime DNS Traffic
• Process 240 billion DNS requests every day, which covers about 10% of the total DNS traffic in China
• We also operate a Passive DNS platform http://passivedns.cn
9. Realtime DNS Traffic
• What can we get from DNS traffic?
o The ability to monitor Domains instead of just IPs.
o DNS reflection/amplification attacks
o Random subdomain attacks
11. Realtime DNS Traffic – DNS reflection/amplification attacks
• www.bankofamerica.com was attacked on Sep. 14
• The attacker used BOA's address as the query source to ask open DNS resolvers for cpsc.gov
• The DNS responses from the open resolvers flooded BOA's address
13. Realtime DNS Traffic – DNS Random subdomain attacks
• Random subdomain attacks
• The target is the DNS authoritative provider
• Mostly open DNS resolvers as query sources
• High volume of queries for nonexistent subdomains
• Because the subdomains do not exist, nothing is served from the resolver cache
• So every query reaches the authoritative DNS server
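Detection logic for the random-subdomain symptoms listed above, with the open-resolvers-as-source pattern of slide 11 as one of the signals, written as an added example rather than DDoSMon's own code, over constructed query records of the form (resolver IP, qname, rcode). The zone approximation, the thresholds and the sample data are assumptions.

```python
# Added example, not DDoSMon code: flag a random-subdomain attack against an
# authoritative zone from constructed resolver-side query records
# (source resolver IP, qname, rcode). Thresholds are assumptions.
import math
import random
from collections import defaultdict

def label_entropy(label):
    """Shannon entropy (bits/char) of a label; random labels score high."""
    counts = {c: label.count(c) for c in set(label)}
    return -sum(n / len(label) * math.log2(n / len(label)) for n in counts.values())

def zone_of(qname, depth=2):
    """Registered-zone approximation: the last `depth` labels of the name."""
    return ".".join(qname.rstrip(".").split(".")[-depth:])

def find_random_subdomain_attacks(records, min_queries=50, nx_ratio=0.9,
                                  unique_ratio=0.9, min_entropy=2.5, min_sources=5):
    """Per zone: the slide's symptoms are a high NXDOMAIN share, a (near)
    unique qname per query (so nothing is cached), many distinct resolvers
    as sources, and high-entropy leftmost labels."""
    per_zone = defaultdict(lambda: {"q": 0, "nx": 0, "names": set(), "srcs": set(), "ent": 0.0})
    for src, qname, rcode in records:
        z = per_zone[zone_of(qname)]
        z["q"] += 1
        z["nx"] += rcode == "NXDOMAIN"
        z["names"].add(qname)
        z["srcs"].add(src)
        z["ent"] += label_entropy(qname.split(".")[0])
    hits = {}
    for zone, z in per_zone.items():
        if (z["q"] >= min_queries and z["nx"] / z["q"] >= nx_ratio
                and len(z["names"]) / z["q"] >= unique_ratio
                and len(z["srcs"]) >= min_sources and z["ent"] / z["q"] >= min_entropy):
            hits[zone] = {"queries": z["q"], "resolvers": len(z["srcs"])}
    return hits

# Constructed, deterministic sample: 200 random 12-character labels under
# example.org from many resolvers (attack) and ordinary lookups of example.net.
rng = random.Random(7)
ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"
ATTACK = [(f"203.0.113.{rng.randrange(1, 40)}",
           "".join(rng.choice(ALPHABET) for _ in range(12)) + ".example.org.", "NXDOMAIN")
          for _ in range(200)]
NORMAL = [(f"198.51.100.{i % 10}", rng.choice(["www", "mail", "api"]) + ".example.net.", "NOERROR")
          for i in range(200)]
```

`find_random_subdomain_attacks(ATTACK + NORMAL)` reports only example.org; the same records below `min_queries` are not enough to decide.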
16. 3: Realtime DDoS Botnet Command Tracking System
• A live DDoS botnet C2 tracking system
• For some big DDoS botnet families, analyze and track their C2 communication protocols
• ~190k C2 servers (IP + port)
• Logged ~400M DDoS-related instructions
o Elknot (AKA Linux/BillGates): a notorious DDoS botnet which runs on both Linux and Windows. Mostly used to launch SYN flooding attacks.
o LDX (AKA Xor.DDoS): a Trojan that attackers use to hijack Linux machines into a DDoS botnet. Commonly used to launch SYN flooding and DNS flooding attacks.
20. A few cases
• Case 1 : Target *.root-servers.net
• Case 2: Target *.gov
21. Case 1: Attacks Targeting *.root-servers.net
• We have detected 45 attacks against root-servers.net so far this year
• a, b, c, d, e, f, g, h, i, l, m.root-servers.net have been attacked
• UDP reflection/amplification and SYN flood are the major attack vectors
22. Case 1: e, g.root-servers.net SYN Flooded
• From Jun. 25 22:00 to Jun. 26 01:00, e.root-servers.net and g.root-servers.net were SYN flooded
• An obvious spike can be observed for e.root-servers.net (192.203.230.10) and g.root-servers.net (192.112.36.4), and the spikes have a highly similar pattern
The traffic figure of 192.203.230.10 from 2016-06-22 00:32:30 to 2016-06-28 23:59:50
23. Case 1: e, g.root-servers.net
• NetFlow records
o The TCP packet percentage is extremely high compared to normal DNS traffic
o Almost all the TCP packets carry the SYN flag
o The source IPs seem spoofed, e.g.:
183.131.2.66
183.131.2.67
183.131.2.70
183.131.2.71
183.131.2.72
24. Case 1: e, g.root-servers.net SYN Flood
• The botnet command and control (C2) servers and attacking instructions have been logged (botnet family: elknot)
• 18 related C2 servers logged in this attack
25. Case 2: .gov DDoS
• We detected 94 attacks targeting .gov sites last month (Aug. 10 – Sep. 10)
• e.g. whitehouse.gov, fbi.gov, nasa.gov
• Reflection/amplification are the most popular attack vectors, 65%+
o DNS > NTP > Chargen > SSDP are the UDP protocols most used to launch amplification attacks
26. Case 2: Attack Targeting nsa.gov
• We detected nsa.gov (23.196.119.211) briefly under a UDP reflection/amplification attack at 11:30:00 (UTC) on Aug. 19
• An obvious spike
The traffic figure of 23.196.119.211 from 2016-08-15 13:15:55 to 2016-08-22 10:52:52
27. Case 2: Attack Targeting nsa.gov
• UDP reflection/amplification
• Mixed multiple attack vectors
o UDP port 1900 SSDP-based DDoS
o UDP port 123 NTP-based DDoS
o UDP port 53 DNS reflection DDoS
o Packet sizes are unusually large: most packets are 1500 bytes, reaching the MTU threshold