Verisign DDoS Trends Report: Verisign Mitigates More DDoS Attacks in Q1 2015 than Any Quarter in 2014

Verisign just released our Q1 2015 DDoS Trends Report, which provides a unique view into online distributed denial of service (DDoS) attack trends from mitigations on behalf of, and in cooperation with, customers of Verisign DDoS Protection Services, and the security research of iDefense Security Intelligence Services.

Many notable observations were made: Verisign mitigated more DDoS attacks in Q1 2015 than in any quarter of 2014, including seven percent more than Q4 2014. The public sector and financial services industries continued to experience an uptick in attacks, with each constituting 18 percent of total Q1 2015 mitigations. As noted in last quarter’s report, Verisign believes financial services firms and various international governing organizations may be targeted as part of political activism, or hacktivism. In addition, the ready availability and low cost of DDoS toolkits and DDoS botnets-for-hire are making it easier for actors to launch attacks.

3 Key Steps for SMBs to Protect Their Website and Critical Internet Services

The National Small Business Association (NSBA) recently released a report revealing that half of all small businesses have been the victim of a cyber-attack – and the cost of dealing with these attacks has skyrocketed to $20,752 per attack. In about a third of attacks, the victim’s website was taken down, often for days. The impact of such outages cannot be measured by the immediate lost revenue alone, as the long-term impact of the harm to your reputation and customer loss cannot be easily calculated.

Verisign OpenHybrid™ for Corero and Amazon Web Services Now Available

Verisign outlined its vision for a revolutionary new approach to Distributed Denial of Service (DDoS) protection by announcing the availability of the Verisign OpenHybrid™ architecture, which helps organizations protect their critical assets and applications across distributed environments from DDoS attacks, using a single solution. By integrating intelligence from a customer’s existing security defenses, Verisign OpenHybrid™ provides timely detection and restoration of services in the event of an attack, while providing increased visibility of DDoS threats across multiple environments such as private datacenters and public clouds.

In an earlier blog post on the topic, I noted the increasing scale and complexity of DDoS attacks, and the strong need for organizations to enable awareness and mitigation of attacks across on-premise devices, in addition to both public and private cloud environments, using standards-based open protocols.

Today we are pleased to announce two important updates in our path toward enabling open DDoS protection: the availability of Verisign OpenHybrid™ for Corero SmartWall TDS and Verisign OpenHybrid™ for customers hosted in the Amazon Web Services Elastic Compute Cloud.

“What’s in a Name?” Using DANE for Authentication of Internet Services

Do we already have strong security protections for our Internet services? For many years now, we have had numerous cryptographically enhanced protocols. Standards and suites like S/MIME, Transport Layer Security (TLS), IP Security (IPSec), OpenPGP, and many others have been mature for years, have offered us a range of protections and have been implemented by a wealth of code. Indeed, based on these protections, we already count on having “secure” eCommerce transactions, secure point-to-point phone calls that our neighbors can’t listen in on, secure Virtual Private Networks (VPN) that let us remotely connect to our internal enterprise networks, etc.  However, our Internet security protocols have all excluded a very important step from their security analyses; none of them describe a crucial step called secure key learning.  That is, before we can encrypt data or verify signatures, how does someone bootstrap and learn what cryptographic keys are needed?  In lieu of a way to do this, we have traditionally prefaced the security protections from these protocols with techniques like Out of Band (OOB) key learning (learning keys in an unspecified way) or Trust on First Use (ToFU) key learning (just accepting whatever keys are found first), and each protocol must do this separately (and potentially in its own, different, way).  This is because the protocols we use for protections have not formally specified a standardized way to securely bootstrap protocols.

Minimum Disclosure: What Information Does a Name Server Need to Do Its Job?

Two principles in computer security that help bound the impact of a security compromise are the principle of least privilege and the principle of minimum disclosure or need-to-know.

As described by Jerome Saltzer in a July 1974 Communications of the ACM article, Protection and the Control of Information Sharing in Multics, the principle of least privilege states, “Every program and every privileged user should operate using the least amount of privilege necessary to complete the job.”

Need-to-know is the counterpart for sharing information: a system component should be given just enough information to perform its role, and no more. The US Department of Health and Human Services adopts this principle in the HIPAA privacy policy, for example, which states: “protected health information should not be used or disclosed when it is not necessary to satisfy a particular purpose or carry out a function.”

There may be tradeoffs, of course, between minimizing the amount of privilege or information given to a component in a system, and other objectives such as performance or simplicity. For instance, a component may be able to do its job more efficiently if given more than the minimum amount.  And it may be easier just to share more than is needed, than to extract out just the minimum required. The minimum amounts of privilege may also be hard to determine exactly, and they might change over time as the system evolves or if it is used in new ways.

Least privilege is well established in DNS through the delegation from one name server to another of just the authority it needs to handle requests within a specific subdomain. The principle of minimum disclosure has come to the forefront recently in the form of a technique called qname-minimization, which aims to improve privacy in the Domain Name System (DNS).

Verisign Q4 2014 DDoS Trends: Public Sector Experiences Largest Increase in DDoS Attacks

Verisign just released our Q4 2014 DDoS Trends Report, which provides a unique view into online distributed denial of service (DDoS) attack trends from mitigations on behalf of, and in cooperation with, customers of Verisign DDoS Protection Services, and the security research of iDefense Security Intelligence Services. Many notable observations were made, including a rise in the average size of DDoS attacks against our customers; the most common attack vector continued to be User Datagram Protocol (UDP) amplification attacks leveraging Network Time Protocol (NTP), while Simple Service Discovery Protocol (SSDP) also continued to be exploited. Verisign also mitigated more attacks in December than any other month in 2014.

The most notable observation, however, is that public-sector customers experienced the largest increase in attacks, constituting 15 percent of total mitigations in Q4. Verisign believes the steep increase in the number of DDoS attacks leveled at the public sector may be attributed to attackers’ increased use of DDoS attacks as tactics for politically motivated activism, or hacktivism, against various international governing organizations, as well as in reaction to various well-publicized events throughout the quarter, including protests in Hong Kong and Ferguson, Missouri. As outlined in iDefense’s 2015 Cyber Threats and Trends blog post, the convergence of online and physical protest movements contributed to the increased use of DDoS as a tactic against organizations, including the public sector, throughout 2014.

Help Ensure the Availability and Security of Your Enterprise DNS with Verisign Recursive DNS

At Verisign, we’ve made the Domain Name System (DNS) our business for more than 17 years. We support the availability of critical Internet infrastructure like .com and .net top-level domains (TLDs) and the A and J Internet Root Servers, and we provide critical Managed DNS services that ensure the availability of externally facing websites to customers around the world.

As we continue to expand our role in Internet security, we are excited to announce the next step in protecting the stability of enterprise DNS ecosystems: Verisign Recursive DNS. This new cloud-based recursive DNS service leverages Verisign’s global, securely managed DNS infrastructure to offer the performance, reliability and security that enterprises demand when securing their internal networks and ensuring that communications safely and securely reach their intended destinations.

Verisign OpenHybrid™: An Essential New Approach to DDoS Protection

Distributed Denial of Service (DDoS) attacks are a threat to businesses worldwide and the attacks are getting larger and more sophisticated.  The industry’s approach to protecting against DDoS attacks must change, and change fundamentally, to stay ahead of this growing threat.

For too long, the problem has been tackled piecemeal, using isolated devices or services. But protecting against DDoS attacks increasingly requires communication and coordination between many components – from networking equipment, to specialized appliances and cloud-based services.

A shift in security architecture is needed to an open platform where devices and services from different vendors can share and act on information in concert. It must be a hybrid platform, allowing on-premise routers and security appliances to detect and mitigate attacks locally, while automating alerting and switchover to cloud-based services if an attack threatens to swamp the business’ network connection.

New from Verisign Labs: What’s in your attack surface?

Recently, Verisign Labs researcher Eric Osterweil and Verisign CSO Danny McPherson, along with Lixia Zhang, a professor of computer science at UCLA, received the Best Paper Award at this year’s IEEE Workshop on Secure Network Protocols (NPSec ’14) for their paper, “The Shape and Size of Threats: Defining a Networked System’s Attack Surface.” Below is a guest post from one of the authors, Eric Osterweil, principal researcher for Verisign Labs, describing the genesis of the research and future plans.

Q3 2014 DDoS Trends: Attacks Exceeding 10 Gbps On The Rise

Verisign just released its Q3 2014 DDoS Trends Report, which details observations and insights derived from distributed denial of service attack mitigations enacted on behalf of, and in cooperation with, customers of Verisign DDoS Protection Services from July through September of this year. Many notable observations were made, including a rise in the average number of attacks per customer, exploitation of the recently publicized SSDP vulnerability and some notable malicious code trends that will likely contribute to increased DDoS attack activity in the future.
