Monthly Archives: April 2014

UltraDNS Dealing with DDoS Attack

UltraDNS said it has mitigated a distributed denial of service (DDoS) attack for most of its customers after the service was held down for most of the day. “Currently, only customers utilizing a segment of UltraDNS Name Server addresses are experiencing resolution latency due to intermittent network saturation in the Western US,” said Neustar director of product management, security solutions, Jim Fink in an email to Threatpost. “We continue to aggressively refine mitigations for these customers and hope to have the issue resolved shortly. We have been and will continue to provide regular updates to our UltraDNS customers via our usual customer notification process.” UltraDNS is a Neustar company. The SANS Institute’s Internet Storm Center said this afternoon that it received multiple reports of outages and DNS resolution issues, reportedly because of a 100 Gbps DDoS attack against one of UltraDNS’ customers that resulted in latency issues for others. “One reporting party did indicate that they learned that the management of UltraDNS had said that one of their customers was being attacked and that they black-holed that customer to get back on trend,” wrote ISC handler Russ McRee. “Resolver nodes around the world are resetting.” DDoS attacks the size of this one are quickly becoming the norm. A report from Arbor Networks this week said it has already tracked more than 70 DDoS attacks of 100 Gbps or more of bad traffic, topping out at 325 Gbps. The largest attacks on public record were recorded by traffic optimization and security provider CloudFlare Most volumetric attacks rely on some kind of amplification such as DNS reflection or Network Time Protocol amplification attacks where the requesting IP address is spoofed as the target’s and massive amounts of traffic is returned at relatively little cost to the attacker. With DNS amplification attacks, attackers take advantage of any number of the 28 million open DNS resolvers on the Internet to launch large-scale DDoS attacks. The motivations are varied. Ideological hackers use them to take down services in protest, while profit-motivated criminals can use DDoS as a cover for intellectual property theft and financial fraud. Beginning with the DDoS attacks against large U.S. banks early last year, the spike in these attacks merited a mention in the recent Verizon Data Breach Investigations Report. “We’re seeing a growing trend of combining DDoS with APT campaigns,” said Arbor Networks’ Gary Sockrider said. “Go back a few years, and DDOs was thought of more as a takedown mechanism, not for data exfiltration. Now we’re seeing it more frequently combined with APT, prolonged campaigns where an attacker is on your network and now need to get the data out, they’ll initiate a DDoS attack. It’s the equivalent of a natural disaster and while you’re dealing with it, that’s when they’ll exfiltrate data.” Source: http://threatpost.com/ultradns-dealing-with-ddos-attack/105806

See the original article here:
UltraDNS Dealing with DDoS Attack

France Getting Battered By DDoS Attacks

France is seeing massive amounts of DDoS traffic going through its networks, thanks to sizeable hits on the country’s popular hosting providers As the UK enjoys a relatively low volume of distributed denial of service (DDoS) attacks, France is seeing deluges of traffic hitting organisations frequently, according to research. Major hosting providers, including the hugely-polular, OVH have attracted DDoSers to France, which was only outdone by the US in terms of the amount of DDoS traffic passing through the countries’ networks, according to Arbor Networks. A record 325Gbps attack hit France this year, but it is not known who was involved. DDoS threat getting bigger and bigger Darren Anstee, director of solutions architects at Arbor, said France was being attacked largely because of the popularity of those hosting providers. “They’ve got a lot of big hosting providers and some of those are used by the gaming industry [which is subject to significant sized attacks],” he told TechWeekEurope . Arbor spotted an unprecedented rise in DDoS attacks over the first quarter of 2014. It saw 72 attacks larger than 100Gbps and 1.5 times the number of attacks over 20Gbps as in the whole of 2013. The epic increase in attack size has come as a result of what’s known as amplification. Protocols such as Network Time Protocol can be used to generate massive DDoS attacks with relatively little effort on behalf of the offenders. They can abuse vulnerable NTP servers by spoofing the IP address of a target, sending small requests and getting massive responses. The target IP is then flooded with that traffic. Even protocols used by popular gaming services, from Quake to the Steam protocol, can be abused for amplification purposes. Source: http://www.techweekeurope.co.uk/news/ddos-france-gaming-hosting-companies-144777

View the original here:
France Getting Battered By DDoS Attacks

Spike in DDoS attack size driven by NTP misuse

The beginning of 2014 saw 1.5 times the number of attacks over 20GB/sec, compared to the rest of 2013, according to new stats released by Arbor Networks today. At the Infosecurity Europe 2014, t…

Read the article:
Spike in DDoS attack size driven by NTP misuse

How to abuse Facebook feature to conduct powerful DDoS attack

A researcher discovered a flaw in the section “notes” of the social network Facebook that could be exploited by anyone to conduct a powerful DDoS attack. The Security researcher Chaman Thapa, also known as chr13, discovered a vulnerability in the   section ‘Notes’ of the popular social network Facebook that could be exploited by anyone to launch the distributed denial-of-service (DDoS) attack of more than 800 Mbps Bandwidth on any website. Chaman Thapa demonstrated that simply reading a ‘Note’ created by anyone on the Facebook platform an attacker could automatically generate malicious traffic against a target. The researcher published a blog post to describe the vulnerability, he exploited the possibility to include  tags inside the post to allow the creation of notes that have images from any source. The attack scenario is very simple, Facebook downloads external images from the original source for the first time only, to improve the performance it stores them in the cache for successive uses. If the image url has dynamic parameters, Facebook is not able to store the image in cache and practically it download all the images included in a note each time whenever anybody view the note. “Facebook Notes allows users to include tags. Whenever a tag is used, Facebook crawls the image from the external server and caches it. Facebook will only cache the image once however using random get parameters the cache can be by-passed and the feature can be abused to cause a huge HTTP GET flood.” Let’s see the DDoS attack scenario described by Chaman Thapa, let’s chose the target website “ target.com”  which include a large image on its server (e.g. 1Mb).  The researcher creates a  Facebook Note  which includes the above image multiple times with dynamic parameters, and some text. Facebook servers are forced to download 1 MB  of file 1000 times in one page view (It has been estimated that each note is now responsible for 1000+ http requests).  If 100 Facebook users are reading the same note at the same time, then Facebook servers will be forced to download  1 x 1000 x 100 = 100,000 Mb or 97.65Gb  bandwidth within few seconds from the targeted servers. In the image below is reported the graph for the 400 Mbps traffic generated from 127 Facebook servers in the proof-of-concept made by Thapa by attacking on his own web server. Following the description provided in the post by the Chaman Thapa. Steps to re-create the bug as reported to Facebook Bug Bounty on March 03, 2014. Step 1. Create a list of unique img tags as one tag is crawled only once .. Step 2. Use m.facebook.com to create the notes. It silently truncates the notes to a fixed length. Step 3. Create several notes from the same user or different user. Each note is now responsible for 1000+ http request. Step 4. View all the notes at the same time. The target server is observed to have massive http get flood. Thousands of get request are sent to a single server in a couple of seconds. Total number of facebook servers accessing in parallel is 100+. The researcher explained that the amplification factor of the DDoS attack depends on the dimension of the image downloaded, it could be even higher if the attacker includes in the note a pdf or a video. “A scenario of traffic amplification: when the image is replaced by a pdf or video of larger size, Facebook would crawl a huge file but the user gets nothing.” “Each Note supports 1000+ links and Facebook blocks a user after creating around 100 Notes in a short span. Since there is no captcha for note creation, all of this can be automated and an attacker could easily prepare hundreds of notes using multiple users until the time of attack when all of them is viewed at once.” noted Chaman Thapa. There is the concrete risk that a bad actor creates hundreds of notes with specially crafted script using multiple users at the same time, resulting a powerful DDoS attack. The alarming news is that the flaw is still unpached and Facebook has no plans to fix it. “ In the end, the conclusion is that there’s no real way to us fix this that would stop attacks against small consumer grade sites without also significantly degrading the overall functionality, ” replied Facebook to the researcher. Click here to read the entire article. Source: http://www.arie.co.za/how-to-abuse-facebook-feature-to-conduct-powerful-ddos-attack/

Follow this link:
How to abuse Facebook feature to conduct powerful DDoS attack

Researcher reveals how Facebook Notes can be used to DDoS sites

A programmer has divulged how the Facebook Notes feature can be used to launch distributed denial-of-service (DDoS) attacks against websites. In a blog post this weekend, researcher Chaman Thapa said that the DDoS abuse is possible due to Facebook’s protocol of allowing HMTL image tags in notes. “Facebook Notes allows users to include tags,” Thapa wrote in the Sunday blog post. “Whenever a tag is used, Facebook crawls the image from the external server and caches it. Facebook will only cache the image once, however, [and by] using random GET parameters the cache can be bypassed and the feature can be abused to cause a huge HTTP GET flood.” By creating a list of unique image tags, and using m.facebook.com to create notes, Thapa was able to create several notes, which were each responsible for sending an influx of HTTP request to the target server, he wrote. In only a couple of seconds, he was able to send thousands of GET requests to the designated server. Thapa disclosed the issue to Facebook’s bug bounty program on March 3, but after being alerted to the issue, the company ultimately said that the attack scenario was “interesting/creative,” – but one the company didn’t intend to fix due to the logistics involved. Thapa posted the email correspondence with Facebook (which occurred April 11) in his blog post. “In the end, the conclusion is that there’s no real way to us fix this that would stop ‘attacks’ against small consumer grade sites without also significantly degrading the overall functionality,” Facebook told Thapa. “Unfortunately, so-called ‘won’t fix’ items aren’t eligible under the bug bounty program, so there won’t be a reward for this issue. I want to acknowledge, however, both that I think your proposed attack is interesting/creative and that you clearly put a lot of work into researching and reporting the issue last month. That IS appreciated and we do hope that you’ll continue to submit any future security issues you find to the Facebook bug bounty program.” In a Friday email to SCMagazine.com, a Facebook spokesperson further explained the company’s decision on addressing the bug. “Ultimately, we decided against making changes to avoid disrupting intended and desirable functions,” the spokesperson wrote. Via his blog, Thapa also revealed that similar DDoS abuse can be carried out using Google’s Feedfetcher tool. According to a Google support page, Feedfetcher allows Google to grab RSS or Atom feeds when users add them to their Google homepage or Google Reader. Source: http://www.scmagazine.com/researcher-reveals-how-facebook-notes-can-be-used-to-ddos-sites/article/344271/

Continue Reading:
Researcher reveals how Facebook Notes can be used to DDoS sites

Innocent surfers drafted into ZOMBIE ARMY by sneaky XSS vuln

Javascript snafu turned 22,000 bods into unwitting DDoSers Visitors to a video distribution website were unwittingly turned into participants in a hacker’s DDoS battle against a third-party site earlier this month.…

Link:
Innocent surfers drafted into ZOMBIE ARMY by sneaky XSS vuln

UK webhost 123-Reg in DDOS attack

Businesses using 123-Reg’s web hosting service were knocked offline on Wednesday evening following a reported distributed denial of service (DDoS) attack. 123-Reg is the UK’s largest domain provider hosting over 1.4 million websites. The company said it was hit by a DDoS style attack that caused disruption to some customers on its shared hosting packages. DDoS attacks typically use a botnet of computers in a co-ordinated attack, driving web traffic to a particular website. The attack appeared to cause patchy service for websites hosted by the company for several hours with many customers taking to Twitter to vent their frustration. UK games and mobile apps start-up Greedy Goblin Games (@GreedyGoblins) tweeted 123-Reg: “It appears your shared hosting servers are down. Can access FTP but not websites”. While IT consultant @thepaulturvey tweeted: “Is there a problem with 123-Reg shared hosting? Multiple sites not responding”. 123-Reg support staff told one UK website owner: “There has been a DDOS type of attack targeting a website from our shared hosting platform which unfortunately affected some of our customers. Our system administrators have contained the attack and the connectivity issues should shortly be resolved”. Update: I’ve received the following statement from 123-Reg confirming the attack. 123-Reg did experience a DDoS attack targeted against one particular customer domain. It was a sustained attack which we monitored closely over the course of several hours. The attack itself was from 823 different IP addresses globally. This resulted in denigrated service to our hosting platform, meaning some customer sites were running slower, but no sites were taken offline as a result of this attack. Customer impact measured in terms of support queries was minimal — and likewise our social platforms saw a handful of comments — which are being addressed on a one to one basis via our support teams. Source: http://betanews.com/2014/04/23/uk-webhost-123-reg-in-ddos-attack/

Read this article:
UK webhost 123-Reg in DDOS attack

DrDoS attacks to reach 800 Gbps in 2015

While the network time protocol (NTP) DrDoS threats that became prevalent in early 2014 have been contained, new distributed reflected denial of service threats will lead to attacks in excess of 800 G…

Read More:
DrDoS attacks to reach 800 Gbps in 2015

DOSarrest Releases Latest Generation DDoS Mitigation System Software

VANCOUVER, BRITISH COLUMBIA–(Marketwired – Apr 23, 2014) – DOSarrest has just released its latest generation of proprietary backend software that incorporates an all-new customer-facing portal. This new release will enable DOSarrest to implement changes to customer configurations in seconds, enabling them to apply custom made DDoS mitigation modules extremely quickly. It is also equipped with an Intrusion Detection System (IDS), allowing the security team to pinpoint sophisticated layer 7 attacks as well as provide cloud based Web Application Firewall (WAF) services for its customers. Mark Teolis, GM at DOSarrest said: “This upgrade is by far our largest project to date, it has taken us over 2 years of development and testing to get here. This latest generation of software is extremely powerful, and can stop the next generation of sophisticated layer 7 attacks.” DOSarrest is now able to offer additional services, including: Cloud Based Web Application Firewall (WAF) Cloud based layer 7 load balancing, Local, Global with health checks Enhanced reporting on traffic types, status codes, cache performance, etc Create virtual servers, to have us pick-up, cache and deliver content from multiple customer servers IDS engine to detect and help stop any malicious traffic “We recognised our customers’ requirements to have comprehensive security related services, rather than disparate point solutions; this new system has all the features that we need to accommodate them. The best part about this new generation of software is its flexibility at the core. What used to take days and weeks to develop and implement, can now be measured in minutes and hours,” added Jag Bains, CTO at DOSarrest. Bains went on to say: “The best part of this new release is that it enables us to quickly react and stop sophisticated attacks that have not even been created yet!” Source: http://www.reuters.com/article/2014/04/23/idUSnMKWNkbj9a+1e0+MKW20140423

See the original article here:
DOSarrest Releases Latest Generation DDoS Mitigation System Software