Black Lotus delivers award winning DDoS protection ranging from full network defense to website and server protection, 24/7/365. Learn more by visiting http://www.blacklotus.net or call (866) 477-5554.

Recent Posts

New Facilities, Increased DDoS Mitigation Capacity Lead to Enhanced Security Solutions for Global Customers


SAN FRANCISCO, CA--(Marketwired - Jun 16, 2014) - Black Lotus Communications, a provider of availability security and distributed denial-of-service (DDoS) protection, today announced that two new network traffic scrubbing centers in Ashburn, Virginia and Amsterdam, Netherlands are now live. These scrubbing centers provide terabit-scale DDoS mitigation capacity to enterprise customers around the world, including service providers and hosting operators. By expanding to the East Coast and Europe, Black Lotus is allowing companies to take advantage of lower traffic latency, increased service redundancy and higher mitigation capacity to defend against the most harmful DDoS attacks.

The size and frequency of DDoS attacks have already grown rapidly in 2014, with cybercriminals regularly using new attack vectors and exploiting new vulnerabilities to inflict maximum damage on their targets. With Black Lotus' additional scrubbing facilities, customers across the U.S. and throughout Europe will be able to rest assured that these new attacks will be mitigated without delays and without impact to profits or productivity.

"After experiencing DDoS attacks while on another host, we realized we had to go on the offensive to effectively serve our customers around the world," said Dennis Steele, founder of Museter Online Radio Hosting. "We knew Black Lotus' international footprint would ensure 24/7 service and short turnaround times on DDoS mitigation."

As one of the few pure play DDoS security providers, Black Lotus has become a high-demand vendor for businesses that are interested in proactively addressing cybersecurity concerns. As cyber threats evolve over time, the company continues to develop its protection services to forecast potential vulnerabilities and address current and future attack vectors.

"As threats grow more complex in this rapidly evolving cybersecurity industry, organizations are looking to thwart new DDoS attack technology in the fastest and most efficient way," said Arman Khalili, chief executive officer of Black Lotus. "Since we are now offering the best security solution through the most efficient platform, we have strategically expanded our footprint to provide our global customers faster reaction time to ensure a more effective mitigation process."

Black Lotus' security-as-a-service platform now offers mitigation capacity multiple times larger than the biggest DDoS attack ever measured.

Service providers and data center companies that are interested in DDoS protection services can contact Black Lotus at sales@blacklotus.net or call 866-477-5554.

About Black Lotus 


Black Lotus Communications is a security innovator and pioneer of the first commercially viable DDoS mitigation solutions. These advanced solutions enhance the security posture of small and medium businesses and enterprise clients while reducing capital expenditures, managing risk, ensuring compliance, and improving earnings and retention. Breakthrough developments at Black Lotus include the world's first DDoS-protected hosting network, the first IPv6 DDoS mitigation environment, and the first highly effective Layer 7 attack mitigation strategy. For more information, visit www.blacklotus.net or follow Black Lotus on Twitter at https://twitter.com/ddosprotection.

CONTACT INFORMATION 


For more information, please contact:

Justine Boucher
Metis Communications
617-236-0500


Black Lotus Communications Launches New Scrubbing Centers in Virginia and Amsterdam

By Jeffrey Lyon → Monday, June 16, 2014
According to a study reported by Computer Weekly, the threat of distributed denial of service (DDoS) is growing. Specifically, between Q4 2013 and Q1 2014, the average bandwidth peak of volumetric attacks was 114% higher. The results of the report agree in spirit with the findings of Black Lotus’s Q1 2014 Threat Report.

In some cases, standard infection methods were sidelined in favor of reflection attacks, a subcategory of denial of service called distributed reflection denial of service (DrDoS). Malicious parties are able to generate more damaging campaigns by using reflection. As a result, those behind many of the first quarter’s most powerful DDoS attacks – including the #1 hit – used reflection rather than standard botnet infection tactics.

DrDoS involves sending spoofed requests to vulnerable servers around the world, which in turn send an amplified response back to the spoofed source, easily knocking it offline or even saturating upstream carrier networks. This increasingly popular reflection tactic takes advantage of bugs in Internet protocols to perform profoundly devastating damage.

Three protocols that have been widely used for these types of attacks are Domain Name System (DNS), Character Generator (CHARGEN), and Network Time Protocol (NTP). All of those protocols are forms of User Datagram Protocol (UDP), the design of which makes it easy to trick servers into responding to the victim rather than the attacker who originated the malicious requests.

Amplification attacks are gaining traction because the strength of the attack is boosted: data can be delivered to a target at a high volume, an amplification factor as high as x400, while the device or devices used in the effort do not have to generate the same amount of information. This means that an attacker with 100 Mbps of bandwidth could generate an attack as large as 40 Gbps.

Amplification and reflection techniques themselves had an average bandwidth increase of 39% vs. Q4 2013. The first quarter also logged the highest volume DDoS incident ever.

Core projections and statistics  from our first quarter threat report


As stated above, the findings of our Q1 2014 Threat Report – along with the projections for the near future based on the report’s findings – present a similarly challenging DDoS landscape for the Internet community. Exploits of the NTP protocol that became widespread in the first two months of the year have been thwarted by a broad and coordinated security response. However, we project that within the next 12 to 18 months, reflection attacks will become increasingly massive, with DrDoS threats potentially exceeding 800 Gbps in volume.

Within the first three months of 2014, the Black Lotus network mitigated the highest volume attack that has ever been perpetrated. That attack crescendoed on February 10, measuring 421 Gbps and 122 Mpps (millions of packets per second) at its height. The bit volume from the previous day, February 9, was similarly grandiose but did not quite match the massive scale of February 10.

Although these huge attacks will remain a significant concern just due to their horrific scope, they are many times larger than the typical DDoS assault. Our analysis found that the average bit volume and packet volume for the first quarter were 2.7 Gbps and 1.8 Mpps, respectively.

By comparison, the largest DrDoS attack observed in Q1 2014 was 156 times larger than average, which was derived from a sizable sample pool: 462,621 attacks, equivalent to 5140 attacks per day, 214 per hour, or 4 per minute.

Attacks of less than 3 Gbps might appear unintimidating to large enterprises; however, organizations that have smaller networks and/or may not have the capital to overprovision are often threatened by assaults of that scope.

The size of the average attack is similar to what our network experienced during the last quarter of 2013. Based on the 6-month period as a whole, the data suggests that a company’s DDoS mitigation protections should be established at a bare minimum of 5 Gbps.

Many service providers defend their networks up to 10 Gbps. As we know from this quarter, that level will protect against attacks of the average size but not against the many high-octane barrages that networks are experiencing more commonly worldwide.

The attacks on February 9 and 10 – with the latter achieving the strongest bit level as mentioned above – targeted a weakness in NTP daemons, as addressed by Black Lotus in our January 8 Threat Advisory. So that Black Lotus customers would be safeguarded against this form of attack, NTP defenses were implemented for all clients, regardless of subscription level.

As Vann Abernethy mentions in a piece for Wired, security organizations have estimated that there have been as many as 400,000 NTP servers that are susceptible to exploitation in the commission of DrDoS attacks. As many as 1000 of those servers could amplify data as much as 700 times, an amplification factor many times greater than the domain name system (DNS) DrDoS which targeted anti-spam organization Spamhaus.

 

The changing landscape


NTP reflection attacks have received significant attention during the first quarter because the bit volume was so massive. However, the majority of severe attacks –  primarily HTTP GET and SYN floods – targeted servers and applications. In other words, traditional, tried-and-true methods are still incredibly popular, despite the new threat of NTP amplification. For further analysis, see our Q1 2014 Threat Report.

By Kent Roberts


Study: DDoS Attacks Growing Stronger in 2014

By Kent Roberts → Wednesday, June 11, 2014

Session Will Explore Why Hosting Providers Must Also Deliver Security Assurances


SAN FRANCISCO, CA--(Marketwired - Jun 4, 2014) - Black Lotus, a provider of availability security and distributed denial of service (DDoS) protection, today announced that its founder, Jeffrey Lyon, will participate in the midday panel discussion at HostingCon 2014 in Miami on June 18, 2014 at the Miami Beach Convention Center. Experts from Symantec, Fireblade, NSFOCUS and Fortinet will also take part in the panel, titled "Shift Gears, You're a Security Provider Now." The discussion will focus on the rapidly escalating security threats facing hosting providers, and what organizations need to do in order to protect their infrastructures and the security of their customers.

During the past year, service providers have faced record-setting DDoS attacks, SQL injection vulnerabilities and the Heartbleed threat, among other security risks. In this precarious climate, hosting providers need to also play the role of security providers. In the panel, leading security experts specializing in Web hosting will discuss the necessity of this shift and answer questions from attendees about the tools and processes companies will need to ensure security in 2015 and beyond. In addition to Black Lotus' Jeffrey Lyon, the panel will include:


  • Piero DePaoli, senior director of product marketing, Symantec
  • Shay Rapaport, CEO and co-founder, Fireblade
  • Vann Abernethy, senior product manager, NSFOCUS
  • Hemant Jain, vice president of engineering, Fortinet


"Every hosting provider knows that an attack on its infrastructure is a threat to all of its customers, and thus, a serious threat to its own businesses," said Jeffrey Lyon. "This panel discussion and Q&A will give attendees in-depth information about how they can protect themselves and their clients as attacks grow more frequent, sophisticated and harmful."

HostingCon 2014 runs June 16th through 18th and is designed to serve the professional interests of the hosting and cloud community. Black Lotus' anti-DDoS solution, which works on a global terabit-scale network, allows its customers all over the world to enjoy continuous uptime in the face of DDoS attacks. Service providers and data center companies that are interested in DDoS protection services can contact Black Lotus at sales@blacklotus.net or call 866-477-5554.

About Black Lotus


Black Lotus Communications is a security innovator and pioneer of the first commercially viable DDoS mitigation solutions. These advanced solutions enhance the security posture of small and medium businesses and enterprise clients while reducing capital expenditures, managing risk, ensuring compliance, and improving earnings and retention. Breakthrough developments at Black Lotus include the world's first DDoS-protected hosting network, the first IPv6 DDoS mitigation environment, and the first highly effective Layer 7 attack mitigation strategy. For more information, visit www.blacklotus.net or follow Black Lotus on Twitter at https://twitter.com/ddosprotection.

For more information, please contact:


Justine Boucher
Metis Communications
617-236-0500



Black Lotus Founder to Speak on Security Panel at HostingCon 2014

By Jeffrey Lyon → Wednesday, June 4, 2014

Some of the largest, well-known, and important DDoS attacks ever carried out


Although distributed denial of service (DDoS) attacks happen all the time, we tend to only hear about the absolute largest ones. These attacks receive mainstream, global press attention either because the sites they have targeted are incredibly massive and have a large cultural footprint, because of the sheer amount of data transmitted in the attack, or a combination of the two. DDoS attacks have been not only growing in rate of occurrence, but also in sophistication and size, so this list is unfortunately bound to look different a year from now (or possibly even a week from now). But let’s take a look at a handful of the most notable attacks in recent memory, which are important either because of their size or the visibility/cultural importance of the target.

Spamhaus vs. Cyber Bunker (“Operation Stophaus”)

Known by many as “The DDoS Attack That Almost Broke The Internet”, the attack that took down Spamhaus in Spring of 2013 was truly massive. Spamhaus is an email filtering company that as its name might suggest, stops SPAM email from ever entering millions of inboxes around the world. They keep track of where these SPAM messages originate from and noticed that many were coming from a Dutch hosting company called Cyber Bunker. When Spamhaus inquired to Cyber Bunker about the SPAM and other baddies that were seemingly originating from them, they responded bombastically and claimed they were an independent nation that isn’t under the jurisdiction of Spamhaus or anyone else. Spamhaus acted accordingly and essentially worked with Cyber Bunker’s providers to sever their connections. Cyber Bunker responded by launching a huge DDoS attack, that at its peak, was funneling 300 Gbps to Spamhaus’ site. One of the largest DDoS attacks on record prior to the Spamhaus attack was around 100 gigabytes per second, to put it into perspective.

The Church of Scientology vs. Anonymous

The DDoS that was launched and carried out against the Church of Scientology’s website pales in comparison to the Spamhaus attack, but it’s important for putting the hacktivist collective known as Anonymous on the map and ensconcing them in the cultural lexicon. Anonymous stated through their website that they are opposed to the principles of the Scientology religion, and would act accordingly to expel it “…from the Internet and systematically dismantle the Church of Scientology in its present form.” The attack, carried out in January of 2008, seems almost infantile compared to the Spamhaus attack – at its peak, Anonymous was funneling 220 Mbps  at the main Scientology website. Although it was enough to knock the site out and render it inaccessible, it is less than 1,000 times as powerful as the Spamhaus attack. However, outside of tech circles, few people have ever heard of Spamhaus, let alone Cyber Bunker – the Church of Scientology, however, is incredibly controversial and well-known in mainstream circles. This attack received plenty of news coverage, and gave Anonymous global brand recognition. With their signature Guy Fawkes masks and relatively large amount of members, Anonymous quickly rose the ranks of the most notable hacking groups and are arguably the most influential hacktivist collective in history.

Mafiaboy vs. Yahoo, CNN, Dell, Amazon, E-Trade, et al

This series of attacks put the term “DDoS” on the radar for many people, as they occurred in 2000 and showed how potentially damaging they can be. A young hacker from Canada, who went by the online alias “Mafiaboy”, successfully took down Yahoo (at the time the 2nd largest site on the Internet and the world’s most popular search engine), Amazon, Dell, E-Trade, and several other high-profile and highly-trafficked sites using a simple yet effective DDoS method. Even for sites of these magnitudes, they were particularly vulnerable to DDoS attacks, in part due to the fact that the attacks themselves were relatively unknown outside of the techiest of spheres. And as if the sites under attack didn’t have enough egg on their collective faces already for leaving a huge security loophole open on their sites, it was made worse by the fact that Mafiaboy (birth name Michael Calce) was only fifteen years old at the time he carried out the attacks. The amount of damage that a single teenage hacker could reap brought worldwide attention to the concept of DDoS attacks, and caused many sites and hosting providers to immediately implement safeguards to prevent against them. As with anything, attacks and the attackers have grown more sophisticated since Mafiaboy’s exploits, but the relative ease at which a high school freshman could take down the 2nd largest website in the world brought some much needed awareness to DDoS attacks.

North Korea vs. The United States and South Korea 

Although this last example is not a specific, singular incident of a DDoS attack, it’s important to include as it shows how governments of nations at odds can employ DDoS as an effective and reliable agent in waging cyber warfare. South Korean websites, in both the mostly in the government sector, have experienced several large and sophisticated DDoS attacks, dating back to as early as 2009 and still occurring today. The first attack that garnered attention in 2009 affected mostly government sites, including many South Korean military sites. Interestingly enough, several prominent U.S. sites – including The White House, the Department of Defense, and The New York Stock Exchange – were affected as well. Officials and cyber security experts soon learned that the attacks in the U.S. and South Korea were related, and not long after that were able to determine that the attacks originated from a diplomatic enemy that the U.S. and South Korea both share – North Korea. In a country with arguably the most restricted access to the Internet, where only a handful of select individuals have access to a (state-run) Internet at dial-up speeds and 3G mobile internet is forbidden, it’s worth noting that they are employing DDoS attacks and other methods of cyber warfare. They have grown increasingly effective at mounting DDoS attacks as well - South Korean officials have gone on record saying that North Korea ranks behind only the United States and Russia in their ability to carry out DDoS attacks.

Derptrolling Attacks of 2014

From January 2 to January 6, 2014, Black Lotus collected data on the highly publicized @DerpTrolling (via Twitter) attacks against online gaming targets which included Xbox Live, EA, League of Legends, and Blizzard. The attacks claimed by the @DerpTrolling collective caused outages to major gaming networks such as Xbox Live, EA, League of Legends, and Blizzard, and were the result of the CVE-2013-5211 attack vector. Black Lotus measured the @DerpTrolling botnet at a maximum capability of approximately 28 Gbps. The attacker was likely seeking soft targets in an attempt to trigger IP address null routes by the carrier of each respective target. This would have the effect of rendering the target inoperable without the attacker having to exhaust any additional DrDoS resources. More detailed information can be found in a recent Black Lotus Threat Report here: http://www.blacklotus.net/pdf/Black-Lotus-Threat-Advisory-NTP-Reflection-Attacks-Jan-8-2014.pdf



The Largest DDoS Attacks on Record

By Jerry Whitehead III → Thursday, May 29, 2014

What to look for when evaluating your DDoS protection solution


As we’ve covered before in previous blog posts, and as you probably can surmise yourself given the seemingly daily news reports of new and bigger Distributed Denial of Service (DDoS) attacks, your site cannot afford to forgo DDoS protection services. Given the relative ease at which a handful of users or sometimes a single person can grind your site and your entire online business to a screeching halt, DDoS mitigation should be viewed as an essential component to your website and online presence.

As with anything, shopping around can drastically improve your results when arriving at a DDoS protection provider. But for many individuals and business professionals, it can be a bit overwhelming when beginning your search. By its very nature, DDoS is a very technical aspect of the Internet and comes with a lot of jargon and heady vocabulary that can be confusing to the average user. Don’t let that stop you from pursuing proper DDoS protection – we’re here to let you know what you should be looking for and explaining these metrics in layman’s terms so you’ll have a proper grasp on the basics of DDoS and how to properly safeguard against it.

First of all, we’ll briefly define a DDoS attack (although we won’t go into too much detail, since you can read an entire blog entry devoted to this topic here). A DDoS attack is when a large amount of computers, typically controlled by only a handful of actual human beings, all bombard your website with traffic – so much traffic that your bandwidth is quickly depleted and your site is rendered inaccessible. Some site owners assume that simply purchasing more bandwidth would help to prevent against DDoS attacks, but even the world’s biggest sites with astronomically high bandwidth capabilities can be taken down with DDoS, as the number of computers the attackers can control via botnets and malware Trojans can be in the millions.

So if more bandwidth isn’t the answer, what is? There are several key elements that you must weigh when choosing your DDoS protection. First how quickly your protection provider can give you emergency assistance in case of a DDoS attack. As there is no way to 100% prevent against DDoS attacks, emergency protection is one of the most important elements to consider, as you’ll want to have a way to quickly bring your site or sites back up to full strength in the event of an attack. Make sure the provider you choose not only offers a variety of packages based on size of potential attacks, but also one that has real life human beings standing by on call 24 hours a day, 7 days a week, 365 days a year. DDoS attacks can and do happen at any time, any day of the year, and the last thing you’d want to deal with when experiencing an attack is long wait times or having to interact with automated operators.

Secondly, look closely at what type of protection packages are offered. These will typically be broken down by a bit or packet rate threshold – the more gigabits per second of protection a package offers, the more secure your site will be against potential DDoS attacks. Keep in mind that while it is true that the higher the protection rate the more safe your site will be, you may not need the absolute largest type of protection, depending on your business. One of the biggest DDoS attacks on record occurred last year against the email-filtering company Spamhaus, which was under attack at a rate of approximately 300 gigabits per second – the previous record was around 100 gigabits per second, and a typical large-scale DDoS attack (one against a large enough company or entity to get attention) usually runs in the 50 gigabits per second range. Lately, attacks have become even larger with Black Lotus mitigating NTP protocol distributed reflection denial of service (DrDoS) attacks peaking at 421 Gbps in February 2014, possibly a world record! While it’s true that it’s better to be safe than sorry, if you run a local specialty soap shop in a small rural town, you may not need a package that safeguards against the largest scales of DDoS attacks.

Thirdly, consider a DDoS protection service that offers a seamless transition to integrating its protection into your current hosting situation, regardless of your provider. As we know, every minute that your website is down is potentially lost revenue, so choosing a solution that quickly and easily can be implemented with no migration time or costs is huge. There are many different options when it comes to working with your current web hosting provider – evaluate your options based on cost and ease of transition. Look for solutions that can work seamlessly with your site, regardless of your hosting provider and regardless of your location anywhere on the globe.

Fourthly, detailed reports are crucial as they can tell you not only where any potential attacks are coming from, but what methods in which they are being carried out. Some DDoS protection providers offer real-time analysis and reporting, meaning that at any time (whether you’re currently under attack or not), you can log in and see precise and accurate data regarding your traffic and its origins. Depending on your technical expertise, find a provider that will not only include reports when you need them, but also will provide the proper context as to what the data and numbers mean.

And finally, all DDoS protection essentially boils down to filtering your inbound web traffic through high capacity “scrubbers” as they are known. A typical DDoS mitigation service will filter all inbound traffic to your website through their system of scrubbers first. Using complex algorithms, the scrubbers determine which traffic is organic and clean, and which (if any) is resulting from DDoS style attacks. What you want to see here is not only the size and capabilities of the actual scrubbers, but also some flexibility in how they operate. Having the scrubbers be scalable to your site and operation is crucial, as is the ability to select how and when this traffic is filtered. If you are a service provider with your own BGP network, look into network wide protection which can be deployed by GRE tunnel or physical cross connection, allowing  you to essentially sell DDoS protection as part of your customer packages.

There are a handful of industry leaders in the DDoS mitigation space – by comparing packages, flexibility, support, and cost against your business and website’s needs, you will hopefully find the perfect protection package and provider that’s right for you.



.

What Your DDoS Protection Solution Absolutely Must Provide

By Jerry Whitehead III → Thursday, May 22, 2014
As our company continues to develop its technology and expand its presence, it’s a positive sign when others are recognizing how we’re growing and enhancing offerings. We had a lot of positive feedback during RSA when our booth visitors saw the awards we’ve won in security technology. This week, we received the great news that Red Herring selected us as a finalist for its Top 100 North America award. This list puts us in excellent company with the year’s most promising private technology ventures from across North America, including GENBAND, Rapid7 and Infinio.

This award has a long history; Red Herring has been selecting promising start-ups and "scale ups" (a phase from which we’ve almost graduated) since 1995. The finalists are evaluated individually from a pool of hundreds of candidates across the continent, spanning markets including security, software and hardware, life sciences, cloud, mobile and more. We were scored based on criteria judging our addressable market size, financing, our proof of concept and our management's expertise, among a handful of other categories.

It reinforces our team’s hard work and dedication to researching new threats and developing new technology when outside individuals and third party reviewers can look at Black Lotus’ standing and see the same exciting solutions and rapidly developing potential that we’ve been seeing from day one.

Already 2014 is proving to be an impressive year. Alex Vieux, publisher and CEO of Red Herring, says, "The finalists list confirms the excellent choices made by entrepreneurs and VCs and the start-ups' solid roots in corporate America, embracing their innovations…[and emphasizing] the United States’ entrepreneurial excellence.”

Black Lotus will be attending the Red Herring North America Forum from May 14 to 16 in Monterey, California to present our company’s strategy, and the top 100 winners will be announced at an awards ceremony on the final night.

Interested in more updates on our status and an insider look at the ceremony? Follow us on Twitter to make sure you don’t miss out!

Black Lotus Named a Top 100 North America Red Herring 2014 Finalist

By Jeffrey Lyon → Friday, May 9, 2014
The effect of the Heartbleed Bug was, to put it lightly, widespread. In fact, Security Affairs calls it “probably the most serious menace to the modern Internet.” Heartbleed is a loophole in OpenSSL that enables an intruder to see as much as 64 kB of unencrypted data that has been transferred by users into systems including Facebook and Google.

Any organization using OpenSSL may have been impacted by the bug. What’s most devastating about Heartbleed is that the vulnerability – discovered by Google’s Neel Mehta — has existed for two years. Mashable released a list of major sites that require password changes by all users to secure their accounts – critically important now that the bug is common knowledge.

NTP & DrDoS


Many users and IT security professionals are interested in the broad ramifications of Heartbleed. Specifically, worry is rising that the bug could be used to facilitate DDoS (distributed denial of service) attacks. By spoofing a request to a server that is not properly secured, hackers are able to direct a large amount of data at their target.

For example, a bug discovered in the network time protocol (NTP) daemon in early 2012 instructed the server to send hundreds of times the data to a fraudulent IP address which served as the recipient of the brute-force attack. Site security tool and content delivery network (CDN) powerhouse CloudFlare reported the largest distributed denial of service pummeling ever recorded in February – which at its peak hit 400 gigabytes per second (Gbps).

The attack directed toward CloudFlare is considered a subcategory of DoS called distributed reflection denial of service (DrDoS). NTP, domain name service (DNS), and any other tools based on uniform datagram protocol (UDP) are vulnerable to these reflection barrages if they meet the following criteria:

  • public facing (as opposed to outward facing or intranet/internal);
  • one or more of its default commands sends a sizable packet in response to a small request;
  • isn’t outfitted with monitoring capabilities to filter out unwanted traffic.

Understanding Heartbleed & Reverse Heartbleed


Heartbleed is the household name for CVE-2014-0160, its designation within the Common Vulnerabilities and Exposures catalog. It exploits the code of the incredibly popular open source security certificate software OpenSSL (version 1.0.1 without the patch provided in 1.0.1g) so that 64 kB of data held in memory on a server is obtained through a dysfunction in the TLS/DTLS (transport layer security/datagram transport layer security) heartbeat.

By spoofing a HeartbeatRequest so that it seems larger than it actually is, the server essentially is stumped by the situation. Rather than failing to deliver the amount of data ordered by the fraudulent HeartbeatRequest, the server meets the needs of the spoof by drawing on random data that exists in its memory. Our founder, Jeffrey A. Lyon, referred to this process in Network World as “the digital equivalent of short-changing a cashier.”

The data retrieved could include such information as passwords, allowing malicious parties to access user accounts. Private SSL keys could be obtained as well. Note that private keys were initially not considered vulnerable but that their exposure was since confirmed by numerous parties.

To thicken the plot, security industry publication SC Magazine reports that another rendition of Heartbleed has been discovered. In Reverse Heartbleed (also exploiting CVE-2014-0160), rather than a client device stealing information from a server, a server steals information from a client device. Login credentials and other sensitive data can be taken from PCs and smartphones. These client machines use OpenSSL to encrypt communication in some browsers and other applications that run within the local system.

Use of Heartbleed for DDoS


Because this process creates a larger response than the size of the request – as enabled via spoofing – it makes sense that amplification could occur, which in turn could be used by DrDoS instigators. Matthew Prince, founder of CloudFlare (a huge name in the security industry, as mentioned above), tweeted the below note, for example.


Prince’s comment was a bit oversimplistic and hasty, though, as is often true of tweets.

One major argument criticizing the possibility of a Heartbleed DDoS – offered by various security professionals – is that TLS only operates through stateful transport control protocol (TCP). The stateful nature of the interaction describes a communication agreement between client and server: a session must be enacted before the server could inundate any machine with data.

That line of thinking, unfortunately, is only half true. Note the type of TLS mentioned in passing above: datagram transport layer security (DTLS). DTLS is architected to perform identically to TLS through UDP instances, including VPNs (virtual private networks). The good news is that there is a standardized defense for distributed denial of service via DTLS – RFC4347, which was released by the Internet Engineering Task Force (IETF) in April 2006.

Because UDP is stateless, a session cannot occur through it with DTLS. Instead, the service has to make sure the request is legitimate by responding to ClientHello with HelloVerifyRequest and a cookie. The cookie must then be sent back to the server in a new ClientHello in order for the client to receive ServerHello. This form of validation makes malicious activity much less possible.

Response to Heartbleed & shifting focus back to NTP


Regardless of the distributed denial of service implications of Heartbleed – which are minimal compared to other threats – this vulnerability should be remediated immediately by system administrators:

  • All OpenSSL instances should be updated;
  • All passwords that may have been stolen should be changed; and
  • Passwords should continue to be modified on a regular basis.
  • SSL certificates that may have been stolen should be revoked (via the certificate authority, which is typically the brand of the certificate).

The real concern with DDoS right now is DrDoS utilizing NTP, along with the standard methods used by attackers in previous years (which are rising again now that many vulnerable NTP daemons have been patched). Our Q1 2014 Threat Report details attacks for the first three months of the year.


Heartbleed & DDoS: Is There a Connection?

By Kent Roberts → Tuesday, May 6, 2014