Author Archives: Enurrendy

SNMP-Based DDoS Attack Spoofs Google Public DNS Server

The SANS Internet Storm Center this afternoon reported SNMP scans spoofed from Google’s public recursive DNS server seeking to overwhelm vulnerable routers and other devices that support the protocol with DDoS traffic. “The traffic is spoofed, and claims to come from Google’s DNS server. The attack is however not an attack against Google. It is likely an attack against misconfigured gateways,” said Johannes Ullrich, dean of research of the SANS Technology Institute and head of the Internet Storm Center. Ullrich said the ISC is still investigating the scale of the possible attacks, but said the few packets that have been submitted target default passwords used by SNMP. “The attack uses the default ‘read/write’ community string of ‘private.’ SNMP uses this string as a password, and ‘private’ is a common default,” Ullrich said. “For read-only access, the common default is ‘public.’” Ullrich explained that the attack tries to change configuration variables in the affected device, the TTL or Time To Live variable to 1 which he said prevents any future traffic leaving the gateway, and it also sets the Forwarding variable to 2, which shuts it off. “If this works, it would amount to a [DDoS] against the network used by the vulnerable router,” Ullrich said. Large-scale DDoS attacks rely on amplification or reflection techniques to amp up the amount of traffic directed at a target. DNS reflection attacks are a time-tested means of taking down networks with hackers taking advantage of the millions of open DNS resolvers on the Internet to get up to 100 to 1 amplification rates for every byte sent out. Earlier this year, home routers were targeted in DNS-based amplification attacks; more than five million were used during February alone as the starting point for DDoS attacks. Also earlier this year, hackers found a soft spot in Network Time Protocol (NTP) servers that synch time for servers across the Internet. NTP-based DDoS attacks, some reaching 400 Gbps, were keeping critical services offline. However, a concerted patching effort has kept these attacks at bay and in June, NSFocus reported that of the 430,000 vulnerable NTP servers found in February, all but 17,000 had been patched. Experts, however, warned that SNMP-based DDoS attacks could be the next major area of concern. Matthew Prince, CEO of CloudFlare, said in February that SNMP attacks could dwarf DNS and NTP. “If you think NTP is bad, just wait for what’s next. SNMP has a theoretical 650x amplification factor,” Prince said. “We’ve already begun to see evidence attackers have begun to experiment with using it as a DDoS vector. Buckle up.” SANS’ Ullrich, meanwhile, said he’s continuing to research this attack, and admins should be on the lookout for packets from the source IP 8.8.8.8, which is Google’s DNS server, with a target UDP port of 161. “Just like other UDP based protocols (DNS and NTP), SNMP has some queries that lead to large responses and it can be used as an amplifier that way,” Ullrich said. Source: http://threatpost.com/snmp-based-ddos-attack-spoofs-google-public-dns-server

Continue reading here:
SNMP-Based DDoS Attack Spoofs Google Public DNS Server

Image Silk-rd-20-Screenshot-Ddos-630x367.jpg

Silk Road 2.0 Hit by ‘Sophisticated’ DDoS Attack

Online black market Silk Road 2.0 experienced a distributed denial-of-service (DDoS) attack last week, which forced the site’s administrators to temporarily suspend services. News of the attack broke on bitcoin forums hours after it started, with the Silk Road team soon confirming the news via its own forums. For reasons that are less clear, black market Agora has faced outage issues problems of its own in the last few days. Silk Road remains defiant Silk Road 2.0 moderator ‘Defcon’ issued a statement saying that the site was facing a “very sophisticated” DDoS attack using the most advanced methods the site has experienced to date. The moderator said: “The dev team is working around the clock to get marketplace service restored, as well as watch the security of our systems closely. Much of the downtime you have seen is intentional on our part: if this is an attempt to locate our servers through packet analysis, we do not want to make it easy for our adversary and would rather be offline while we adapt our defences.” As the attack continued, Silk Road 2.0 remained offline. Defcon eventually issued a second update, indicating that the team is trying out different approaches to blocking the inbound DDoS. He stressed that the site is still processing withdrawals, although these have been delayed by the attacks. Silk Road 2.0 is aware that cashflow is very important and the site is therefore prioritising delayed withdrawals, the moderator added. Defcon ended the update on a defiant note: “To our adversaries: you cannot stop us. We will overcome every attack.” Questions persist Silk Road 2.0 vendors started reporting problems earlier last week, before the site was finally forced to shut down. Despite official updates, the outage prompted a number vendors to raise questions about the impact of the attack. Silk Road 2.0 was targeted by hackers in the past: last February, the site lost 4,476 BTC to an alleged hack, worth over $2.6m at the time. The attack was blamed on a transaction malleability exploit used by one of the vendors. The site decided to compensate affected customers and, by late May, it said more than 80% of bitcoins stolen in the alleged heist have been repaid to the victims. The source and goal of the latest attack remains unclear. Speculation is mounting that the attack was in fact launched by law enforcement in an attempt to ascertain the location of Silk Road 2.0 servers, while other users believe the attack was launched by criminals or competitors. Following the February hack, Silk Road 2.0 said it would introduce a multi-signature wallet system to replace its previous escrow platform. A multisig system should be less vulnerable to hackers, but has not been fully implemented yet. Online black market Agora faces outage Silk Road 2.0 is not the only black market suffering outage issues. While Silk Road 2.0 was struggling to restore services, which it eventually did late on Friday, competing market Agora went offline. Agora users started reporting intermittent problems on Saturday. The site was out of action over  much of the weekend and had still not become available by press time  (12:15 BST, Monday). The reason for the outage remains unclear. Earlier this month, Agora confirmed that it was suffering from availability issues on a regular basis. However, the team offered an extensive explanation into the inner workings of the market and the need for security, saying it considers that more important than around-the-clock availability. The Agora team said at the time: “Our primary goal is to stay hidden from law enforcement agencies and secure from hackers. We implement much more security measures than many others, which causes problems with availability.”   Source: http://www.coindesk.com/silk-road-2-0-shrugs-sophisticated-ddos-attack/

Read the article:
Silk Road 2.0 Hit by ‘Sophisticated’ DDoS Attack

How Boston Children’s Hospital Hit Back at Anonymous

Hackers purportedly representing Anonymous hit Boston Children’s Hospital with phishing and DDoS attacks this spring. The hospital fought back with vigilance, internal transparency and some old-fashioned sneakernet. That – and a little bit of luck – kept patient data safe. On March 20, Dr. Daniel J. Nigrin, senior vice president for information services and CIO at Boston Children’s Hospital, got word that his organization faced an imminent threat from Anonymous in response to the hospital’s diagnosis and treatment of a 15-year-old girl removed from her parent’s care by the Commonwealth of Massachusetts. The hospital’s incident response team quickly convened. It prepared for the worst: “Going dark” – or going completely offline for as long as the threat remained. Luckily, it never came to that. Attacks did occur, commencing in early April and culminating on Easter weekend – also the weekend of Patriot’s Day, a Massachusetts holiday and the approximate one-year anniversary of the Boston Marathon bombings – but slowed to a trickle after, of all things, after a front-page story about the incident ran in The Boston Globe . No patient data was compromised over the course of the attacks, Nigrin says, thanks in large part to the vigilance of Boston Children’s (and, when necessary, third-party security firms). The organization did learn a few key lessons from the incident, and Nigrin shared them at the recent HIMSS Media Privacy and Security Forum. As Anonymous Hit, Boston Children’s Hit Back As noted, the hospital incident response team – not just the IT department’s – planned for the worst. Despite that fact that the information Anonymous claimed to have, such as staff phone numbers and home addresses, is the stuff of “script kiddies,” Nigrin says Children’s took the threat seriously. Attacks commenced about three weeks after the initial March 20 warning. Initially, the hospital could handle the Distributed Denial of Service (DDoS) attacks on its own. Anonymous changed tactics. Children’s responded. The hackers punched. The hospital counterpunched. As the weekend neared, though, DDoS traffic hit 27 Gbps – 40 times Children’s typical traffic – and the hospital had to turn to a third-party for help. The attacks hit Children’s external websites and networks. (Hackers also pledged to hit anyone linked to Children’s – including the energy provider NStar, which played no role in the child custody case at all but sponsors Children’s annual walkathon.) In response, Nigrin took down all websites and shut down email, telling staff in person that email had been compromised. Staff communicated using a secure text messaging application the hospital had recently deployed. Internal systems were OK, he says, so Children’s electronic health record (EHR) system, and therefore its capability to access patient data, wasn’t impacted. In contrast to this internal transparency, Children’s, at the urging of federal investigators, didn’t communicate anything externally. Nonetheless, word got to The Boston Globe , which ran its front-page story on April 23. Nigrin, again, prepared for the worst. He didn’t have to. After the article came out, the Twitter account @YourAnonNews took notice, urging hackers to stop targeting a children’s hospital. Attacks continued, but at a much smaller clip. 6 Quick Tips for Beating Back Hackers In reflecting on the Anonymous attack, Nigrin offers the following security lessons that Boston Children’s learned. DDoS countermeasures are crucial. “We’re not above these kinds of attacks,” Nigrin says. Know which systems depend on external Internet access. As noted, the EHR system was spared, but the e-prescribing system wasn’t. Get an alternative to email. In addition to secure testing, Children’s used Voice over IP communications. In the heat of the moment, make no excuses when pushing security initiatives. Children’s had to shut down email, e-prescribing and external-facing websites quickly. “Don’t wait until it’s a fire drill,” Nigrin says. Secure your teleconferences. Send your conference passcode securely, not in the body of your calendar invite. Otherwise, the call can be recorded and posted on the Internet before you even hang up, he says. Separate signals from noise. Amid the Anonymous attack, several staff members reported strange phone calls from a number listed as 000-000-0000. At the time, it was hard to tell if this was related, and it made the whole incident that much harder to manage. Above all, Nigrin says healthcare organizations need to pay attention to the growing number of security threats the industry faces. “There are far more than we have seen in the past,” he says. Source: http://www.cio.com/article/2682872/healthcare/how-boston-childrens-hospital-hit-back-at-anonymous.html

Read the original:
How Boston Children’s Hospital Hit Back at Anonymous

5 most targeted industries for DDoS attacks

1. Gaming Gaming is the most-targeted industry, according to the report, accounting for more than 45% of total attacks. The industry, which includes any company related to online gaming or gaming-related content, is prone to attacks by motivated players seeking to gain a competitive advantage or by malicious actors seeking to steal personal data from players. The industry received a large percentage of infrastructure layer attacks and a fair percentage of application-layer attacks in Q2, including 46% of all NYN floods and 68% of GET floods. 2. Software and technology The software and technology industry, which includes companies that provide solutions such as SaaS and cloud-based technologies, was hit with the second-greatest number of attacks (22%), and was the most-frequently targeted with infrastructure-layer attacks. The report reveals that the most popular attack vectors against the software and technology industry were DNS and NTP reflection and amplification attacks, accounting for 33% and 26% respectively. SYN floods made up approximately 22% of attacks, and UDP floods accounted for 27%. 3. Media and entertainment The report reveals that the media and entertainment industry accounted for a smaller percentage of all attacks, at 15% in Q2. This marks a 39% decrease from last quarter. Despite this shift, the media and entertainment industry remains one of the most targeted industries for hackers. These attacks often offer higher visibility for malicious actors, with press coverage that helps campaign organizers reach out to supporters and recruit new participants. The media and entertainment industry was hit by mostly infrastructure attacks, including SYN floods (18%), UDP floods (25%) and UDP fragments (22%). 4. Financial services Major financial institutions, such as banks and trading platforms, were targeted in 10% of all attacks in Q2, according to the Prolexic report. Historically, financial institutions have been the target of many DDoS attacks, including those orchestrated by the group Izz ad-Din al Qassam Cyber Fighters (QCF), using the Brobot botnet. The report discloses that recent activity indicates a possible resurgence of the use of the Brobot botnet, but the financial sector did not experience many major attack campaigns this quarter. 5. Internet and telecom Including companies that offer internet-related services such as ISPs and CNDs, the internet and telecom industry was the fifth most-targeted industry in Q2, accounting for 4% of all attacks. Infrastructure-layer attack vectors were the most common, with 10% of all attacks as UPD floods, and 9% as UPD fragments. Internet and telecom was the target of 12% of all NTP flood attacks this quarter. Source: http://www.propertycasualty360.com/2014/09/12/5-most-targeted-industries-for-ddos-attacks?t=tech-management&page=6

Continue Reading:
5 most targeted industries for DDoS attacks

Attackers Compromise Vulnerable Web Servers to Power DDoS Assaults

Attackers are exploiting flaws in Linux and Windows software to turn poorly-maintained Web servers into denial-of-service engines. Web servers based on both Linux and Windows are rapidly being targeted by attackers and turned into server-side botnets capable of high-bandwidth denial-of-service attacks, two security firms stated in recently published analyses. On one hand, attackers are targeting unpatched or poorly-maintained Linux systems, exploiting known vulnerabilities and installing bot software to conscript the computers into a server-side botnet, according to an advisory released on Sept. 4 by Prolexic, a subsidiary of content-delivery provider Akamai. Yet, Windows servers are not immune. A recent attack against a client of Website security firm Sucuri used 2,000 servers to send a flood of packets to the victim’s network. Web servers running on Windows 7 and 8 accounted for almost two-thirds of those systems, the company stated in an advisory. In the past, Sucuri had usually seen traffic from botnets created by consumer desktop and laptop systems, CEO and co-founder Tony Perez told eWEEK. “This was different because of the anatomy of the network,” he said. “Normally, we see attacks coming from notebooks and desktops and PCs, but now Web servers are doing the denial-of-service.” By using Web servers, “the attackers have more horse power available to them, allowing them to have more devastating effect on unsuspecting web sites,” Perez said. Server-side botnets used for denial-of-service attacks first came to light in 2012, when the Izz ad-Din al-Qassam Cyber Fighters targeted financial institutions with massive bandwidth and application-layer attacks in alleged retaliation for the posting of videos to YouTube that were offensive to some Muslims. Rather than using botnets consisting of tens of thousands of consumer desktop systems, the attackers used hundreds to thousands of Web servers instead. While some attackers use vulnerabilities to compromise servers, others have significant success just by trying common passwords. The 2,000 servers that attacked Sucuri’s client sent some 5,000 HTTP requests per second, enough to not just overwhelm the victim’s Web server but the victim’s hosting provider as well. The hosting provider, which Perez declined to name, cut off the company for violating its terms of service, according to Perez. The campaign to create Linux-based DDoS botnets is more extensive, according to Prolexic. The attackers behind the denial-of-service botnet use vulnerabilities in popular Linux software, such as Apache Tomcat, Struts and Elasticsearch, the company said. Once a server is compromised, the attackers upload malware, which creates a copy of itself named .IptabLes or .IptabLex. IPTables is a common firewall and routing package included in most versions of the Linux operating system. “The analysis conducted within the lab environment showed that the binary exhibits DDoS functionality,” Prolexic stated in its alert. “Two functions found inside the binary indicate SYN and DNS flood attack payloads. These DDoS attack payloads are initiated once an attacker sends the command to an infected victim machine.” The botnet created by the campaign has been used to target financial institutions, and in one case, created a DDoS that peaked at 119 Gbps. “This bot seems to be in an early development stage and shows several signs of instability. More refined and stable versions could emerge in future attack campaigns.” The attacks appear to come from Internet addresses in Asia, and two hard-coded addresses contained in the malware binary are in China, according to Prolexic. Source: http://www.eweek.com/security/attackers-compromise-vulnerable-web-servers-to-power-ddos-assaults.html

Taken from:
Attackers Compromise Vulnerable Web Servers to Power DDoS Assaults

Webmin hole allows attackers to wipe servers clean

No RCE, but lots of Unix DDoS fun Holes in the Webmin Unix management tool – thankfully since patched – could allow attackers to delete data on servers, says security researcher John Gordon of the University of Texas.…

Visit site:
Webmin hole allows attackers to wipe servers clean

Use home networking kit? DDoS bot is BACK… and it has EVOLVED

OMG, it reconfigures your firewall… SAVE yourselves, Linux lords A router-to-router bot first detected two years ago has evolved – and now has the capability to reconfigure the firewalls of its victims.…

Excerpt from:
Use home networking kit? DDoS bot is BACK… and it has EVOLVED

WEBINAR – The Ultimate DDoS Info Session

DOSarrest and HOSTING partner together to help you understand the details of DDoS attacks – how they are executed, what they typically targets and how to quickly and efficiently recovered when you fall victor. It will be an interactive and informative session as all attendees will have a chance to participate in and defend against a DDoS attack in Real-Time and see its effects on a live website. Click here to register today!

Taken from:
WEBINAR – The Ultimate DDoS Info Session