ddos

They call me the content machine. I write about information security topics, with an emphasis on cryptography and distributed denial-of-service (DDoS) attacks. I've written for DarkReading, SC Magazine, and Network World. But most people know me from my monthly column at SecurityWeek.


Oct. 11, 2017 tags:  ddos in-the-news

IoT Attacks: India no. 2 source country

Had a long, fun, wide-ranging interview with India Economic Times.


July 5, 2017 tags:  ddos in-the-news infosec

Hunting for IoT devices to be used for massive botnet

Had a fantastic, wide-ranging interview with Malaya Business Insight reporter Raymond Gregory.


June 12, 2017 tags:  ddos in-the-news

Ten steps for combating DDoS in real time

Hey look, IT News Africa reprinted my ten-step guide to combating DDoS in real time. This is basically a shortened, texty version of the DDoS playbook.


Jan. 4, 2017 tags:  SSL-TLS cryptography ddos

David Holmes Greatest Hits 2016 Edition

I wrote, starred in, or was mentioned in 48 pieces last year. A new record. Here's the best of them.


Nov. 24, 2016 tags:  ddos in-the-news security-week

This Web-based Tool Checks if Your Network Is Exposed to Mirai

“Regulation will likely be the fix for IoT security,” F5 Networks evangelist David Holmes notes in a SecurityWeek column, citing Mikko Hypponen, Chief Risk Officer of F-Secure. However, he also explains that Internet security cannot be regulated like other manufacturing processes. Increasing awareness among users could also help resolve this issue, with the IoT Defense scanner being a small step in this direction.


Nov. 13, 2016 tags:  ddos in-the-news

The Internet Of Things, DNS Weaknesses, Or Trump: Which Will Sink The Internet?

Got quoted by a Forbes article. “Nearly all clients rely on DNS to reach their intended services, making DNS the most critical—and public—of all services,” explains David Holmes... and “This single point of total failure…makes DNS a very tempting target for attackers,” Holmes continues. The pic is Jon Postel, whom I consider a father of the Internet.


Oct. 31, 2016 tags:  ddos hackers

Mirai Strikeback - an iRule to kill IoT Bot Processes from your F5

Wrote this cool script to kill Mirai bots that are attacking your website. Use at your discretion!


Oct. 28, 2016 tags:  ddos hackers security-week

What's the Fix for the IoT DDoS Attacks?

Here is an early reaction to the Dyn DNS DDoS attack of Friday, Oct 21. I spent about 8 hours working on an article about the Brian Krebs attack from an airplane over the Atlantic. About halfway through, the Dyn attack happened, and I had to rewrite the article! It was a long day, but at least when I got down there was a decent article ready to go :)


Oct. 27, 2016 tags:  ddos hackers

Making Sense of the Krebs / OVH / Dyn DDoS Attacks

The right guy at the right time. Here's my take on the huge DDoS attacks of September and October 2016. Had to rush this one to release as an official company position on the attacks. I like how it came out.


Oct. 12, 2016 tags:  SSL-TLS ddos infosec hackers

SecureLink Belgium Interview

Q: Explain who you are and what you do

Thank you. Before we start, I need you to promise me something. You can only ask me one question about Donald Trump, okay? No more than that.

Q: How long have you been at F5?

I’ve been at F5 for 16 years, which is an eternity in the tech world. I was the last person hired during the so-called dot-com bust, during which time a hiring freeze was put in place. On my first day, there were already rumors of layoffs, and I thought “oh no, I am the new guy, of course they will eliminate my position!” So I worked day and night to show my value, but six months later I was still “the new guy”. One day the police sent us a picture of a dead body in an F5 T-shirt and I thought “oh no, the reduction in workforce is really starting!” But it turned out to be a homeless man who had gotten the shirt from the local food bank. Anyway…

Q: Many people know F5 from their ADC solutions, why the increased focus on security these days?

Yes, many people know F5 as the world’s most-expensive, I mean the world’s best load balancer, but what they don’t realize is that we’ve spent the last 10 years moving into Security. There are two reasons for this.

First, the reason it is called an ADC and not just a LB is because it naturally consolidates adjacent functions, such as caching or acceleration, and now security functions like firewalls, as these technologies become commodities.

Second, F5 is the number one commercial SSL termination device. If someone is paying to decrypt SSL, they are most likely deploying F5 devices. As more and more of the world’s traffic goes encrypted, it makes the F5 the first device in the network that can do layer 7 security controls. And that means attaching WAF functionality, or doing cookie inspection, or passing through to devices like FireEye.

Q: You travel the globe as part of your job – do you see that security has a different place on the agenda here in Europe than North America for instance?

This is my 13th country, and fourth continent visited in 2016. So I do get to see a bit of how businesses are dealing with security around the world. What I can say about Europe is that I am continually impressed at the technical depth of the security professionals here. In my opinion, Europe has the best defensive security expertise in the world. There are so many excellent security conferences here, such as the CCC in Germany, RSA Europe and Hack-in-the-box in Amsterdam. The level of security awareness among everyday operations people is excellent as well.

Belgium functions as a hub in Europe. Many organisations have European headquarters here and you have institutions like the European Parliament and NATO. Naturally the security demands of these organisations are extremely high. Perhaps this is also one of the reasons the security expertise in EMEA is so high and organisations like Securelink are instrumental in maintaining the security at the highest level.

I remember one conversation I had with a customer in eastern Europe, and the first thing he said was <accent here> “David, ve will not put our data in Amerikan cloudt.”

Q: What about Australia or New Zealand?

Australia is the opposite. They are SUPER friendly with public cloud. In 2012 one of the CIOs of their four banks gave a keynote where he announced that his bank was aggressively adopting a “cloud first” strategy. Now there are telcos there that are trying to re-sell “multi-cloud” solutions but it’s tricky. Multi-cloud might seem like the ultimate availability solution, but I think we’re years away from consistent, reliable APIs.

Q: What about Africa?

Africa has its own challenges. In Nigeria, distributed denial of service is getting to be a thing, so of course we try to sell them our DDoS service. This service is classified as “Insurance” but nobody in Nigeria believes in insurance and even if they did, they want the premium to be approximately 0 euros.

Also, a big security thing in Africa right now is little plastic physical locks that you put on your Ethernet ports. They are locked with a key. [ aside: they keep the key taped under the desk ]. That’s Africa.

Q. We see many organisations looking at their cloud strategy, public vs private etc. How do you think organisations should handle their security when moving to a hybrid or public cloud scenario?

Let me give you three short cuts for cloud security, whether that’s public, private or hybrid.

For users, deploy federated logins using SAML assertions. You get SSO and don’t have to keep your passwords in the cloud. And if you do it right, you can even prevent your passwords from ever transiting to the cloud and back. There’s a trick to it and we’re helping a lot of people right now who are transitioning to Office 365 and don’t want the CXO passwords going to Microsoft.

Second, for applications, when possible, embed your application security policy into your applications! So if you move them to the cloud, the policy goes with them. Or if they burst here and there or jump clouds, the policy goes with them too.

Lastly, if you’re considering moving to the cloud, leave your really old legacy stuff behind. If an app isn’t based on a recent Windows or Linux suite, it’s often not worth moving it to the cloud. The analyst firm Securosis has an interesting term for people who try to move their really old apps to the cloud: cloud tourists. They visit the cloud, look around, start to spend some money, realize that it’s a sunk cost and not going to get them any value, and they go back home.

Q. Let’s talk about so-called Hacktivism. You track Anonymous, right? What is Anonymous doing?

I love Anonymous. They used to have a brilliant leader named Sabu (expand). But lately they’ve been somewhat floundering – not a real central figure since then ( e.g. Anonymous 127.0.0.1 story).

However, they have launched their own political party in the United States called The Humanity Party, or ThuMP for short. It has three main tenets, the first of which is to establish a single, united one-world Government (the United Kingdom has already voted out of it). The other two are social equality and um, free WiFi for everyone. Can’t say I disagree with that last one. Instead of donations they invite you to Like their Facebook page.

Q. Let’s talk a moment about cryptography and SSL. What is new there?

Ivan Ristic, the author of the book “Bulletproof SSL/TLS”, runs an SSL scoring service over at Qualys SSL Labs. The scoring uses the grading system, A, B, C, D, F, which is nice because I can remember that.

So for the last five years, half the SSL administrators I’ve worked with are trying to get an A+ on their website. And it’s not just pride, because people are writing articles basically “SSL shaming” entire industries. It started in Australia where Troy Hunt (the owner of the HaveIBeenPwned website) posted the scores of all the banks in Australia.

But I’ve seen that done in Poland and even here in Belgium as well. In the States, someone posted the SSL scores for all of the presidential candidates. Wouldn’t it be cool if that’s how we actually chose our presidential leaders? By their cryptographic security posture? That would be much better than how we’re doing it now, because apparently whatever we are doing isn’t working very well.

Would you like to know what Hillary Clinton gets?

She gets an A, but it’s actually a private server in her laundry room.

Q. What do you see as the most serious security threat?

There are rumors of the Russians hacking our election and trying to throw it to Donald Trump. Why they would do this, other than as the ultimate party joke, is sort of beyond me. But it is quite concerning. Security professionals have been warning about the dangers of automated voting systems for years, and I worry that people aren’t taking it as seriously as they should. I would imagine that you’ve been doing it here for years, and it’s working?

But if you meant “what are the most serious threats to the Enterprise” I’d have to say Malware. It has been the number one threat this year, and the last five years running. That’s why FireEye was such a security darling. The biggest problem with malware, at least in the states, is that all the malware authors know that they need to hide their malware inside SSL connections so it won’t be detected.

In the States we can decrypt that traffic (if the customer wants) and clone it over to FireEye or an IDS. You can’t do that in many places here in Europe, and I’m interested to see how that works out.

Q. To what extent is IoT the next driver for increased security risks?

Do you know what an oxymoron is? Two words that don’t go together, like ‘military intelligence’ or ‘found missing’ or ‘Microsoft Works’. Well ‘IoT Security’ is like that. It used to be a joke until about 2 weeks ago, when someone launched a 620 Gbps attack using (at least partly) a new IoT botnet. That was the largest DDoS attack I’m aware of, though the record has possibly been broken since then.

Most IoT devices connect one-way up to a cloud module, so that’s good. I think IoT security is going to be a huge issue for a long, long time because that’s basically a brand new industry. I mean, the Internet has been around for 30 years and it’s still far from secure even with every researcher in the world trying to fix it, so why would anyone assume the IoT universe won’t be anything but suboptimal?

I think for Europe this is a real challenge and opportunity. Germany is still the economic powerhouse of Europe, and they rely on manufacturing. They absolutely have to get IoT security right as they build their internet-connected cars and airplane engines.

Q. How do you provide protection against multi-faceted DDoS attacks?

I just wrote a whitepaper called the 2016 DDoS Trend analysis, and buried within that paper are 8 references to Huey Lewis. I mention that because no one has been able to locate them all yet and I have a gift card I need to give away.

But in our paper we note that we now see the majority of DDoS attacks as comprising multiple attack vectors and they’re getting more sophisticated, too. For example, stateful TCP floods are way up, and on some days they are outnumbering stupid UDP floods.

So we have some customers who don’t want to deal with any of it at all and just contract us to handle all their attacks for them 24/7. But many other customers are going for a blend of cloud-protection and on-premises DDoS.

For on-premises, if you have an F5, there’s a LOT you can do. We have a best practices document that shows you how to handle every DDoS attack type we’ve ever seen. Just google ‘David Holmes DDoS Recommended Practices’ and you’ll find it.

Q. Looking in a crystal ball, where do you think the security threats will come from in 5 to 10 years?

First, let me say that I think people are terrible at predicting the future. Just awful. With that said, let me um, try to predict the future.

I think finding sufficient entropy will continue to be a source of frustration among security professionals. Computers today are awful at getting real random data from which to generate keys or other cryptographic material, so everyone cheats at this. Professor Nadia Heninger from the University of Michigan has done some amazing work here [talk a little about her work]

Time synchronization is going to be another sore point. Real authentication and authorization systems require at least some kind of crude but secure time synchronization. The Internet has always been terrible about this so both Microsoft and Google are coming up with their own secure time mechanisms.

Lastly, as I get older, I am really hopeful that we will achieve The Singularity before I expire.


Sept. 15, 2016 tags:  ddos infosec

2016 DDoS Attack Trends

Here's an awesome whitepaper I wrote in the fall of 2016. I embedded eight references to Huey Lewis and the News. Can you find them all?


May 16, 2016 tags:  SSL-TLS cryptography ddos

The Top Ten Hardcore F5 Security Features in BIG-IP 12.1

It took me 23 hours to write this! But people LOVED IT. Continuing my tradition of the top security features of each F5 BIG-IP release.


Feb. 4, 2016 tags:  ddos

Firewall Roundtable Discussion

Here's a fun virtual roundtable that Brian McHenry and I did for the DevCentral guys, Jason Rahm and John Wagnon. Over a half hour we discuss the F5 advanced firewall module. We chat about the market, the history and some of the things that differentiate the product.


Jan. 25, 2016 tags:  SSL-TLS cryptography ddos

The Top Ten Hardcore F5 Security Features in BIG-IP 12.0

Another of the famous top ten lists for F5. Selecting the best of over 100 security features is a daunting task. I had considered using the darts-against-printed-spreadsheets approach, but ultimately just went through them all, one by one, and selected the best, just for you. Remember, these are the hardcore security doodads, of interest to network operators, security engineers and the paranoid.


Jan. 11, 2016 tags:  SSL-TLS cryptography ddos infosec

David Holmes Greatest Hits, 2015 Edition

Here's the complete list of everything authored by yours truly in 2015. Except the NC-17 stuff, which I've been told should remain unpromoted. Actually, this website you're reading right now is basically my greatest hits, but this blog post gathers just a single, awesome year of it.


June 4, 2015 tags:  ddos infosec hackers security-week

Three Reasons Mobile DDoS Never Materialized

A deeper dive into the theoretical topic of mobile malware.


June 1, 2015 tags:  ddos

F5 DDoS Protection Volume 2 - Recommended Practices

This may be the most significant document I've ever written. Customers used to ask me if we had a Best Practices document around DDoS and I got tired of telling them we didn't. So I wrote it. It took me close to 9 months to birth this baby. It documents every single kind of DDoS we've ever seen and how to combat them. My magnum opus for DDoS.


May 24, 2015 tags:  ddos hackers

F5 SilverLine DDoS

A launch blog for the SilverLine DDoS Protection service.


May 17, 2015 tags:  ddos infosec security-week

Where is the Android DDoS Armageddon?

I won a long-standing bet with my colleague, Pete Silva, about the Android Armageddon. Here's my write-up where I claim to win!


March 17, 2015 tags:  ddos infosec hackers security-week

Why do Bulldozers Incite DDoS Attacks?

Three different reasons why tractor companies find themselves in the crosshairs of DDoS attackers.


Jan. 7, 2015 tags:  ddos infosec security-week

The Real Story Behind the Kate Upton Nude DDoS Attack

This is the most-read article I've ever written. A true story about a cyberattack that supposedly involved the nude pictures of Jennifer Lawrence and Kate Upton.


Dec. 14, 2014 tags:  ddos

The F5 DDoS Protection Reference Architecture

Here is one of the most important papers I ever wrote. The description of a proper DDoS-resistant network architecture. The real meat of the knowledge lies with the recommended practices document, but this whitepaper outlines it pretty well and makes its case.


Nov. 3, 2014 tags:  SSL-TLS cryptography ddos

The Top Ten Hardcore F5 Security Features in BIG-IP 11.6

Here's where the Top Ten really started to get funky. Check out the mood music while you read this. It's David Holmes.


Sept. 14, 2014 tags:  ddos

F5 DDoS Protection Architecture Overview

Not one of my favorite videos, but hey, it was real. Later I learned to take my glasses off, which brings you closer to the audience.


June 1, 2014 tags:  ddos infosec

The F5 DDoS Playbook: Ten Steps for Combating DDoS in Real Time

After many discussions with some of the most high profile brands in the world, I've consolidated their feedback into this single playbook. These are the ten steps you need to do when you get attacked with a distributed denial-of-service. It's basically vendor agnostic, with just the F5 logo on it.


April 30, 2014 tags:  SSL-TLS cryptography ddos

The Top Ten Hardcore F5 Security Features in BIG-IP 11.5.0

This is the one that started it all! Okay so that means it was the worst, and yeah I hadn't figured out how to do the top ten in reverse order yet.


March 14, 2014 tags:  ddos

Why massive DDoS attacks are here to stay

Cyber journalist Byron Acohido interviewed me about DDoS attacks in 2014. I predicted ever larger ones, and I was right :)


March 11, 2014 tags:  ddos

Why massive DDoS attacks are here to stay

Haha, here's a short interview I did about distributed denial of service attacks for cyberjournalist Byron Acohido. This is back when I still wore glasses for interviews, and was probably 15 lbs heavier.


Dec. 10, 2013 tags:  ddos

The DDoS Reference Architecture

Peter Silva meets with David Holmes to get the scoop on F5's DDoS Reference Architecture. David has circled the globe talking to customers about their security concerns and shares some of that insight along with explaining how F5 can mitigate those attacks.


July 3, 2013 tags:  ddos infosec

ComputerWorld: How Can We Get Out of the DNS DDoS Trap?

I wrote a piece about the UDP-based distributed denial of service (DDoS) attack involving Spamhaus and CyberBunker. It was published in ComputerWorld in 2013.


March 26, 2012 tags:  ddos infosec

The DDoS Threat Spectrum

Here's a great paper I wrote about how to categorize different DDoS attacks by type and by threat. Not a lot of discussion about mitigation, just classification and examination of the different attacks.


Jan. 27, 2012 tags:  SSL-TLS cryptography ddos infosec

The New Datacenter Firewall Paradigm

Written in 2012, this was a new way to think about Data Center Firewalls. Written with the amazing Lori MacVittie.


May 16, 2011 tags:  SSL-TLS cryptography ddos

SSL Renegotiation DOS iRule - Updates

Here's an update to the SSL Renegotiation DoS article. This iRule is tighter and more performant, if that's even a word.


May 3, 2011 tags:  SSL-TLS cryptography ddos

SSL Renegotiation DOS Attack - an iRule Countermeasure

This is one of the articles that launched my career as a technical evangelist. I worked on this blog article in my spare time (waiting for builds) as a developer. It hit at just the right time and got a few mentions in the right places. And now here I am, doing this for a living.