Black Lotus Quarterly Threat Report Reveals Average DDoS Attack Tripled in Volume

By Frank Ip → Monday, March 30, 2015

Total attack frequency drops 44 percent in Q4 2014, confirming company’s forecast of fewer, more complex methods

SAN FRANCISCO -- The average packet volume for distributed denial of service (DDoS) attacks increased 340 percent to 4.36 million packets per second (Mpps), and the average bit volume swelled 245 percent to 12.1 gigabits per second (Gbps) in the final quarter of 2014. The increases in average attack packet and bit volume signal a change in the attack methods deployed by perpetrators. Cybercriminals favored more complex attacks, using multiple vectors and blending application layer, SYN and user datagram protocol (UDP) flood attacks together. These findings were issued today in the Black Lotus Q4 2014 Threat Report. Black Lotus, a leader in availability and security and a provider of DDoS protection, issues its Threat Reports each quarter, analyzing the newest attack data from its network logs and evaluating the results for trends in attack size, duration, method, source and other characteristics.
Black Lotus customers experienced a continued drop in attack quantity paired with an increase in volume compared to the previous quarter, according to the Black Lotus Q4 2014 Threat Report, which analyzes DDoS attack data between Sept. 30 and Dec. 30, 2014. Black Lotus revised its estimate of the capacity enterprises will need to protect against the majority of attacks throughout 2015: security measures capable of handling at least 15 Gbps in bit volume, up from its Q3 prediction of a five Gbps minimum. Black Lotus’ research team anticipates attackers will continue to try new DDoS recipes to confuse security teams while, in the background, stealing user credentials, customer billing information or confidential files.
The report findings also show that:
  • The largest bit volume DDoS attack observed during the report period was 41.1 Gbps on Oct. 1, a swell in volume since the beginning of 2014, due to attackers’ use of blended, complex attacks to achieve outages. Organizations should take care to scrutinize other parts of their systems to guard against credential leaks or other data breaches, as attackers often use DDoS as a distraction for other nefarious activity.
  • Forty-nine percent of the 143,410 attacks observed during Q4 2014 were regarded as severe, and more than half of all attacks mitigated were UDP flood attacks, which cause poor host performance or extreme network congestion by generating large numbers of packets, typically with spoofed source IP addresses.
  • The average attack during the period reported was 12.1 Gbps, a jump in bit volume, and 4.36 Mpps, tripling average packet volume since last quarter. This indicates a continued reliance on multi-vector attacks and signals the need for security practitioners to use intelligent DDoS mitigation rather than padding networks with extra bandwidth.
“We found DDoS attacks continued trending down in frequency quarter over quarter, but, on average, attack volumes multiplied,” said Shawn Marck, co-founder and chief security officer of Black Lotus. “With networks and IT teams becoming defter at spotting and stopping volumetric attacks, cybercriminals are turning to blended approaches to confuse organizations, often using DDoS attacks as smokescreens for other underhanded activity.”
Download the full Black Lotus Q4 2014 Threat Report for more details.
About Black Lotus Communications
Black Lotus Communications is a security innovator that pioneered the first commercially viable DDoS mitigation solutions. These advanced solutions enhance the security posture of small and medium businesses and enterprise clients while reducing capital expenditures, managing risk, ensuring compliance, and improving earnings and retention. Breakthrough developments at Black Lotus include the world's first DDoS-protected hosting network, the first IPv6 DDoS mitigation environment, and the first highly effective Layer 7 attack mitigation strategy. For more information, visit www.blacklotus.net or follow Black Lotus on Twitter at

Metis Communications
Justine Boucher, 617-236-0500
Cyber Criminals Are Turning to Extortion

By Frank Ip → Friday, March 27, 2015

Hacking into a business’s network to steal credit card numbers and other personal information is old school. Today’s hackers are concocting schemes that are far more sinister and often involve extortion rather than outright theft.
Ransomware is malware that locks users out of their systems. Users see a notice that their data is being held for ransom, and the notices often feature a countdown timer to convey a sense of urgency. Often, the hackers claim to be law enforcement and suggest that the user has committed a crime, like child pornography or copyright violation. The hackers count on the potential embarrassment to encourage their victims to pay up rather than call law enforcement. This scheme has had tragic consequences. One teenager even committed suicide after receiving a ransomware notice that was supposedly from law enforcement.
The newest variation of ransomware is targeting gamers. It’s a variant of Cryptolocker and affects over 20 games, including Minecraft, World of Warcraft, and the Steam platform. In this scenario, the hackers tend to be upfront about demanding a ransom instead of pretending to be law enforcement. While young gamers often don’t have sensitive information on their computers, they make an enticing target because of the value they place on their gaming profiles.
While ransomware typically targets individuals, it has a malicious big brother that goes after much bigger targets. In this scheme, hackers infiltrate an organization’s network, steal sensitive information, and hold it for ransom. They threaten to release the information if the organization doesn’t meet their demands. One recent victim is none other than the government of South Korea. In March, a hacker demanded a ransom in exchange for not releasing information on the country’s nuclear power plants. The attacker then tweeted his demands and boosted his credibility by posting information on the country’s APR-1400 reactor. While the South Koreans insist that the posts didn’t contain sensitive data, the incident underscores the seriousness of these extortion attacks.
In a separate incident, the hacker group Rex Mundi announced that it had stolen hundreds of blood test results from the French lab Labio. The group published the names of the patients who were affected and threatened to release their blood test results if Labio didn’t pay up. In another example, the hacker group Anonymous threatened a DDoS attack on the BBC if they didn’t reinstate the host of Top Gear after he was suspended for allegedly punching a producer.

Cyber criminals are becoming increasingly sophisticated, both in terms of technology and in how they use it. For instance, hackers could easily launch a massive DDoS attack and demand a ransom to stop it. And you don’t have to be the government of South Korea or the BBC to be a victim. If your company is connected to the internet, you’re vulnerable. It’s tough to cover all of the bases, which is why many companies are outsourcing at least part of their data security, like DDoS protection and mitigation. How safe is your network, and what additional steps are you taking to protect it?
DDoS Attacks: The New Trojan Horse

By Frank Ip → Monday, March 23, 2015

Have you ever been the victim of a pickpocket? They often work in pairs, with one crook distracting you with conversation while the other relieves you of your wallet. Some cyber criminals are now using DDoS attacks to perpetrate “cyber pickpocketing” on a massive scale.
DDoS Attacks As Distractions
Think about what happens when you become the victim of a DDoS attack. Phones ring off the proverbial hook, customers complain about the breakdown in service, users panic, etc. – all while you’re trying to detect the source, stop the attack, and get your systems back up and running. Can you imagine a better distraction? Cyber criminals have already come to that realization, which is why they’re now using DDoS attacks to camouflage more sinister breaches. The next time your company experiences a DDoS attack, you may want to make sure it’s not just a smokescreen for the real crime.
How It Works
Unlike typical DDoS attacks, which often consume the network’s entire bandwidth, these distraction attacks leave just enough bandwidth open for the attackers to accomplish their true purpose. They count on everyone being so busy with the DDoS attack that nobody notices the breach – or, if someone does, it goes on the back burner until the DDoS attack is resolved. In the meantime, the attackers are busy extracting data, installing malware, or carrying out some other kind of mischief. In addition, some security controls are configured to fail open during a traffic surge in order to keep things up and running, which gives the attackers an opening to access just about anything they want.
In a variation of that scheme, some hackers use DDoS attacks to probe for system vulnerabilities. In this case, the DDoS acts as a Trojan horse, with the real threat going undetected. In 2013, attackers used this technique to steal $1 million in bitcoins from Danish payment processor BIPS.
Best Practices
With the increase in “DDoS as distraction” attacks, your best bet is to avoid putting all of your IT resources into stopping the attack. Instead, assume that it might be a smokescreen for other illegal activity. Hold a team back and task them with monitoring the network for anything unusual. And, once you’ve successfully mitigated the DDoS attack, give your system a thorough checkup to make sure everything is in order.

No company is too big, too small, or too obscure to be the victim of a DDoS attack, whether it’s carried out as a nuisance or as camouflage for something else. Due to the many moving parts involved in data security, as well as the constantly evolving sophistication of hackers, many companies are deciding to outsource at least some parts of their data security to experts. And even the experts tend to specialize, with some focusing only on things like DDoS detection and mitigation. Whether you outsource your security or take care of things in-house, it’s critical to have detailed plans in place for both prevention and response. How confident are you in your network’s security?
DDoS Attacks Are More Than Just a Technical Problem

By Frank Ip → Friday, March 20, 2015

“Hacktivism” is going mainstream, and DDoS attacks are becoming the weapon of choice. They’re inexpensive and fairly easy to carry out, especially if you take advantage of some of the “DDoS as a service” options that are out there. A DDoS attack takes a lot less effort than carrying a sign and rallying outside of a business’s headquarters, and it delivers a far bigger punch than the inconvenience of a protest. As a result, companies are going to need DDoS response plans, and those plans are going to have to cover more than just the technical aspects.

The BBC “attack”
The BBC provides an interesting example. The BBC recently suspended Jeremy Clarkson, host of the wildly popular Top Gear series. The suspension happened after Clarkson allegedly punched one of the producers, and it left the last three episodes of the season in question. Fans were outraged, and the hacktivist group Anonymous sent an open letter to the BBC in which they threatened to launch a DDoS attack if the BBC didn’t reinstate Clarkson. The letter read, in part, “You don’t want to piss off 300 million viewers. You are warned: DDoS cannons will fire if you don’t comply.”

A few days later, the BBC website went down. Despite the timing, the BBC says that the outage was due to an internal server problem rather than a DDoS attack.

The PR angle
We may never know whether the BBC outage was really due to a DDoS attack, but the BBC’s response raises some interesting questions. Why would an organization deny that it had been the victim of an attack? There are actually several reasons it might want to keep that quiet. For one thing, company executives might worry that customers will start thinking their information is at risk, or that the company’s services are unreliable. They might worry that publicly admitting their vulnerability would invite more attacks. Public companies might fear a drop in stock price. But there are other issues at play, too.

Hacktivists tend to have a lot of popular support, and some organizations have experienced backlash after taking legal action against the hackers. On the other hand, not taking any action could invite more attacks. So executives might think it’s easier to just make the problem go away. And then there’s the whole extortion angle. If you give in to hacktivists’ demands, even once, you’re opening the floodgates for more of the same. Labeling it an “internal server problem” might be the easiest solution, from a PR angle.

Whether or not the BBC outage was the result of a DDoS attack isn’t really the point, however. The point is that everybody is vulnerable. Even if your company is in the unlikely position of never having offended a single person, you’re still not safe from attackers who assail businesses because they’re bored—or just to prove they can. What systems does your company have in place to defend against DDoS attacks? How long would it take you to notice an attack was underway? How would you stop it? And what would your public response be? If you don’t know the answers to those questions, you need to find out, and you need to do it today.
The Next Evolution of Cybersecurity

By Frank Ip → Tuesday, March 17, 2015

Looking at how much technology has changed our world over the years – even just over the past decade – can take your breath away. But, while the speed of incremental change is constantly accelerating, drastic overnight change is far less common. It still happens, however, and the Sony breach is one recent example. When that news hit, IT security professionals all over the world were slapped in the face with the reality of business disruption attacks, which can cripple an organization’s internal networks to the point where its employees can’t do business. The result was a wake-up call that initiated a shift from a “defend and detect” mode to “detect and respond”.
Cyber security as part of disaster management
What does this shift imply? For one thing, it means that more and more businesses will formulate documented responses to cyber attacks. Shawn Marck, CSO of cyber security firm Black Lotus, predicts, “Cyber security response will become a basic element of disaster and business continuity planning. What will you do if all of your emails and financial records are suddenly gone? What will be your PR response if negative information is stolen and exposed? What are your plans for retaining customers if your business is down for days at a time? If those customers leave, what will you do to get them back? And what support will you offer customers whose personal data is stolen? Companies that have a documented response plan will be at a distinct advantage over those that have to come up with it in the middle of a crisis.” Backing up what Marck says, research firm Gartner recently released a report saying that, by 2018, 40 percent of companies will have a formal plan in place for responding to cyber attacks, up from zero percent just a few years ago.
Shift toward detection and response
But disaster preparedness is just one piece of the puzzle. IT security professionals also need to have a plan in place for detecting an attack as soon as it begins and for stopping it before irreversible damage is done. Gartner vice president Paul Proctor says, “Entirely avoiding a compromise in a large, complex organization is just not possible, so a new emphasis toward detect and respond approaches has been building for several years, as attack patterns and overwhelming evidence support that a compromise will occur.” That brings cyber attack detection and mitigation to the top of the priority list for IT professionals in companies of all sizes.

Marck explains, “Standard detection strategies like pre-defined traffic patterns aren’t enough anymore, especially against the rising threat of application-layer attacks. Both detection and response strategies are becoming increasingly complex as these attacks become more sophisticated.”

In fact, many companies are choosing to outsource attack detection and mitigation. Some companies just don’t have the skills or resources to handle such a mission-critical project in-house. Others recognize the benefit of partnering with specialists who are plugged into that world and always up to date on the latest developments and attack methods. Regardless of whether you outsource your cyber security or do it in-house, it’s something that no business can afford to ignore.
Hackers Are Using Stolen Data As a Weapon

By Frank Ip → Tuesday, March 10, 2015

Network security is something no one can take for granted these days. Not only are hackers becoming more sophisticated in their methods, they’re also becoming more sophisticated in how they use information once they access it. It’s not just about stealing credit card numbers anymore. eWeek recently reported on five ways today’s hackers are pushing the envelope when it comes to wielding their power, and it’s worth taking notice.
Blackmail and extortion: The Sony breach showed us how awkward things can get when private communications become public. It’s a great setup for blackmail, especially if the victim is well known or has a lot to lose. Some hackers are digging up personal information on their victims and threatening to release it if their demands – usually money – aren’t met. A variation on this theme is extortion. Hackers use malware to lock people out of their own computers and demand money to let them back in.
The Internet of Things: It’s not just our computers and our phones that we have to worry about anymore. We now have all sorts of “things” connected to our networks: lighting, climate control, home security, etc. And very few of those things are secured. Determined hackers can find their way in and either use those devices to send out spam or use them as a gateway to the network of a home or office, providing access to all kinds of information.
Employee devices: Sophisticated hackers can use a single employee device to breach an entire company network. Now that almost everybody brings at least a personal cell phone to work, this is a growing risk for companies of all sizes.
Increasingly complex data: Credit card numbers are minor league. Sure, hackers can steal them, but they’re only good until the victim shuts down that account. Today’s hackers have access to much more personal information, information that can’t be easily changed. That includes personal contacts, medical information, shopping habits, and the like. All of that detailed information makes identity theft both easier and more effective.
Infrastructure: Our country’s infrastructure is complex and vulnerable, and both individual and state-sponsored hacktivists are taking advantage of that fact, sometimes to make a statement and sometimes to wreak havoc. One hacker can take down an entire electrical grid. Anything that depends on being connected is vulnerable: traffic control, air traffic control, subways, water filtration, and much more. This gives hacktivists the ability to make a huge impact with little effort.

Technology has changed our world, and I don’t think any of us want to go backwards. But all that connectivity also makes us vulnerable—as individuals, as businesses, and as a society. And it’s becoming more and more obvious that a single breach can have a widespread ripple effect. What if a hacker sold your company’s proprietary information to your biggest competitor? What about altering your company’s financial records to make it appear as if someone had committed fraud? The stakes are simply too high to make network security just another item on your to-do list. Whether you handle it internally or enlist the help of outside experts, your company’s security needs to be a top priority.
NTP Servers: The Next Front in the War Against DDoS Attacks

By Frank Ip → Saturday, March 7, 2015

One thing that makes DDoS protection so challenging is that while we and other providers of network security work furiously to shut down one vector of attack, the hackers are working just as hard to figure out how to exploit yet another vulnerability. Through late 2013 and all of 2014, for example, we saw hackers begin to change their focus from DNS servers to NTP servers.
If DNS servers are the telephone books of the internet, NTP servers are the time-keepers. They’re what millions of computers, phones, and other devices use to sync their built-in clocks. While that sounds innocuous – and, for the most part, it is – NTP servers have some inherent weaknesses that act as a siren song for aspiring attackers.
NTP servers send responses only to the address where the request appears to have originated. That’s a potentially huge obstacle in a DDoS attack because, in theory, you shouldn’t be able to attack anyone but yourself. But many NTP servers answer queries from any source, and because NTP runs over UDP the server has no way to tell that the source IP address on a query has been falsified. In a process called reflection, the attacker spoofs the target’s address as the source of the request, so the request looks as if it came from the target even though it came from a third party. The server can’t tell the difference, so it sends a “response” to a host that never asked for one.
While there are more open DNS servers than NTP servers, NTP servers have a much higher amplification factor. Amplification is simply the ability to generate a big response from a small request; it’s what lets attackers launch attacks far larger than their own available bandwidth. NTP servers are fertile ground for amplification because so many of them support the MONLIST command: they keep a list of the last 600 addresses the server interacted with, and they’ll send that list out when asked. In an NTP-based DDoS attack, the attacker sends a server a spoofed request for its MONLIST, and the server sends all 600 of those addresses to the target of the attack. That’s an amplification factor of around 200, meaning the response takes up roughly 200 times the bandwidth of the original request. When additional servers are drawn into the attack – each with its own list of 600 addresses – it’s easy to see how the surge in traffic could overwhelm a network.

The key to preventing DDoS attacks of any type is your ability to stay one step ahead of the attackers. They never stop: even before security experts shut down one vector of attack, they’re working on another. So, at the same time you’re defending your network from one attack, you have to predict what form the next attack will take. That’s why so many businesses choose to outsource their DDoS protection; it’s a full-time job all by itself. But whether you choose to outsource your network security or manage it in-house, make sure there’s always a clear focus on what’s coming next.
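One way a defender can spot the NTP reflection and amplification pattern described above at the network edge, as an added example that is not Black Lotus code: flag inbound UDP/123 responses that are far larger than any request the receiving host sent, or for which no outbound request exists at all. The flow record format, the addresses and the byte counts are all constructed for the demonstration.

```python
"""Spot NTP reflection/amplification traffic in flow records.

Added example, not code from Black Lotus. Normal NTP exchanges are roughly
symmetric (a small request gets a reply of about the same size); a MONLIST
response carrying up to 600 addresses is on the order of 200x the request,
and in a reflection attack the "victim" never sent the request at all, so
no matching outbound flow exists. The flow format and every address and
byte count below are constructed for the demo.
"""
from collections import defaultdict

NTP_PORT = 123
AMP_THRESHOLD = 10.0       # normal NTP is ~1x; MONLIST is ~200x
MIN_RESPONSE_BYTES = 1000  # ignore small flows (ordinary time sync)

# Constructed flow records: src,sport,dst,dport,proto,bytes,packets.
# 10.0.0.0/8 stands in for "our" network; everything else is external.
SAMPLE_FLOWS = """\
10.0.0.5,50123,192.0.2.10,123,udp,76,1
192.0.2.10,123,10.0.0.5,50123,udp,76,1
10.0.0.7,40000,203.0.113.9,123,udp,234,1
203.0.113.9,123,10.0.0.7,40000,udp,48200,100
198.51.100.1,123,10.0.0.50,80,udp,48200,100
198.51.100.2,123,10.0.0.50,80,udp,48200,100
198.51.100.3,123,10.0.0.50,80,udp,47800,99
"""


def parse_flows(text):
    """Parse the constructed CSV flow format into a list of dicts."""
    flows = []
    for line in text.strip().splitlines():
        src, sport, dst, dport, proto, nbytes, pkts = line.split(",")
        flows.append({"src": src, "sport": int(sport), "dst": dst,
                      "dport": int(dport), "proto": proto,
                      "bytes": int(nbytes), "packets": int(pkts)})
    return flows


def find_ntp_reflection(flows, threshold=AMP_THRESHOLD,
                        min_bytes=MIN_RESPONSE_BYTES):
    """Return {victim_ip: {"reflectors": [...], "bytes": n}} for hosts that
    receive NTP responses far larger than (or without) a matching request."""
    # Bytes each host sent *to* port 123 of each server: (host, server) -> bytes
    requests = defaultdict(int)
    for f in flows:
        if f["proto"] == "udp" and f["dport"] == NTP_PORT:
            requests[(f["src"], f["dst"])] += f["bytes"]

    findings = defaultdict(lambda: {"reflectors": set(), "bytes": 0})
    for f in flows:
        if f["proto"] != "udp" or f["sport"] != NTP_PORT:
            continue                      # only responses from NTP servers
        if f["bytes"] < min_bytes:
            continue                      # ordinary time sync is tiny
        victim, server = f["dst"], f["src"]
        req = requests.get((victim, server), 0)
        # No outbound request at all is the reflection signature (a third
        # party sent it with our address spoofed); otherwise use the ratio.
        ratio = float("inf") if req == 0 else f["bytes"] / req
        if ratio >= threshold:
            findings[victim]["reflectors"].add(server)
            findings[victim]["bytes"] += f["bytes"]
    return {v: {"reflectors": sorted(d["reflectors"]), "bytes": d["bytes"]}
            for v, d in findings.items()}


if __name__ == "__main__":
    for victim, d in find_ntp_reflection(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{victim}: {len(d['reflectors'])} NTP reflector(s), "
              f"{d['bytes']} bytes of amplified response")
```

This only catches the traffic once it reaches the target's edge; on NTP servers you operate, ntpd's `disable monitor` directive (with `restrict default noquery`) stops MONLIST responses altogether and removes the amplifier.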