How long does it take for one out of the box digital video recorder to be compromised with malware once the device has been connected to the Internet? The unfortunate answer is just one day. When, …
More:
Attackers rope DVRs in bitcoin-mining botnet in record time
UltraDNS said it has mitigated a distributed denial of service (DDoS) attack for most of its customers after the service was held down for most of the day. “Currently, only customers utilizing a segment of UltraDNS Name Server addresses are experiencing resolution latency due to intermittent network saturation in the Western US,” said Neustar director of product management, security solutions, Jim Fink in an email to Threatpost. “We continue to aggressively refine mitigations for these customers and hope to have the issue resolved shortly. We have been and will continue to provide regular updates to our UltraDNS customers via our usual customer notification process.” UltraDNS is a Neustar company. The SANS Institute’s Internet Storm Center said this afternoon that it received multiple reports of outages and DNS resolution issues, reportedly because of a 100 Gbps DDoS attack against one of UltraDNS’ customers that resulted in latency issues for others. “One reporting party did indicate that they learned that the management of UltraDNS had said that one of their customers was being attacked and that they black-holed that customer to get back on trend,” wrote ISC handler Russ McRee. “Resolver nodes around the world are resetting.” DDoS attacks the size of this one are quickly becoming the norm. A report from Arbor Networks this week said it has already tracked more than 70 DDoS attacks of 100 Gbps or more of bad traffic, topping out at 325 Gbps. The largest attacks on public record were recorded by traffic optimization and security provider CloudFlare Most volumetric attacks rely on some kind of amplification such as DNS reflection or Network Time Protocol amplification attacks where the requesting IP address is spoofed as the target’s and massive amounts of traffic is returned at relatively little cost to the attacker. With DNS amplification attacks, attackers take advantage of any number of the 28 million open DNS resolvers on the Internet to launch large-scale DDoS attacks. The motivations are varied. Ideological hackers use them to take down services in protest, while profit-motivated criminals can use DDoS as a cover for intellectual property theft and financial fraud. Beginning with the DDoS attacks against large U.S. banks early last year, the spike in these attacks merited a mention in the recent Verizon Data Breach Investigations Report. “We’re seeing a growing trend of combining DDoS with APT campaigns,” said Arbor Networks’ Gary Sockrider said. “Go back a few years, and DDOs was thought of more as a takedown mechanism, not for data exfiltration. Now we’re seeing it more frequently combined with APT, prolonged campaigns where an attacker is on your network and now need to get the data out, they’ll initiate a DDoS attack. It’s the equivalent of a natural disaster and while you’re dealing with it, that’s when they’ll exfiltrate data.” Source: http://threatpost.com/ultradns-dealing-with-ddos-attack/105806
See the original article here:
UltraDNS Dealing with DDoS Attack
A researcher discovered a flaw in the section “notes” of the social network Facebook that could be exploited by anyone to conduct a powerful DDoS attack. The Security researcher Chaman Thapa, also known as chr13, discovered a vulnerability in the section ‘Notes’ of the popular social network Facebook that could be exploited by anyone to launch the distributed denial-of-service (DDoS) attack of more than 800 Mbps Bandwidth on any website. Chaman Thapa demonstrated that simply reading a ‘Note’ created by anyone on the Facebook platform an attacker could automatically generate malicious traffic against a target. The researcher published a blog post to describe the vulnerability, he exploited the possibility to include tags inside the post to allow the creation of notes that have images from any source. The attack scenario is very simple, Facebook downloads external images from the original source for the first time only, to improve the performance it stores them in the cache for successive uses. If the image url has dynamic parameters, Facebook is not able to store the image in cache and practically it download all the images included in a note each time whenever anybody view the note. “Facebook Notes allows users to include tags. Whenever a tag is used, Facebook crawls the image from the external server and caches it. Facebook will only cache the image once however using random get parameters the cache can be by-passed and the feature can be abused to cause a huge HTTP GET flood.” Let’s see the DDoS attack scenario described by Chaman Thapa, let’s chose the target website “ target.com” which include a large image on its server (e.g. 1Mb). The researcher creates a Facebook Note which includes the above image multiple times with dynamic parameters, and some text. Facebook servers are forced to download 1 MB of file 1000 times in one page view (It has been estimated that each note is now responsible for 1000+ http requests). If 100 Facebook users are reading the same note at the same time, then Facebook servers will be forced to download 1 x 1000 x 100 = 100,000 Mb or 97.65Gb bandwidth within few seconds from the targeted servers. In the image below is reported the graph for the 400 Mbps traffic generated from 127 Facebook servers in the proof-of-concept made by Thapa by attacking on his own web server. Following the description provided in the post by the Chaman Thapa. Steps to re-create the bug as reported to Facebook Bug Bounty on March 03, 2014. Step 1. Create a list of unique img tags as one tag is crawled only once .. Step 2. Use m.facebook.com to create the notes. It silently truncates the notes to a fixed length. Step 3. Create several notes from the same user or different user. Each note is now responsible for 1000+ http request. Step 4. View all the notes at the same time. The target server is observed to have massive http get flood. Thousands of get request are sent to a single server in a couple of seconds. Total number of facebook servers accessing in parallel is 100+. The researcher explained that the amplification factor of the DDoS attack depends on the dimension of the image downloaded, it could be even higher if the attacker includes in the note a pdf or a video. “A scenario of traffic amplification: when the image is replaced by a pdf or video of larger size, Facebook would crawl a huge file but the user gets nothing.” “Each Note supports 1000+ links and Facebook blocks a user after creating around 100 Notes in a short span. Since there is no captcha for note creation, all of this can be automated and an attacker could easily prepare hundreds of notes using multiple users until the time of attack when all of them is viewed at once.” noted Chaman Thapa. There is the concrete risk that a bad actor creates hundreds of notes with specially crafted script using multiple users at the same time, resulting a powerful DDoS attack. The alarming news is that the flaw is still unpached and Facebook has no plans to fix it. “ In the end, the conclusion is that there’s no real way to us fix this that would stop attacks against small consumer grade sites without also significantly degrading the overall functionality, ” replied Facebook to the researcher. Click here to read the entire article. Source: http://www.arie.co.za/how-to-abuse-facebook-feature-to-conduct-powerful-ddos-attack/
Follow this link:
How to abuse Facebook feature to conduct powerful DDoS attack
Businesses using 123-Reg’s web hosting service were knocked offline on Wednesday evening following a reported distributed denial of service (DDoS) attack. 123-Reg is the UK’s largest domain provider hosting over 1.4 million websites. The company said it was hit by a DDoS style attack that caused disruption to some customers on its shared hosting packages. DDoS attacks typically use a botnet of computers in a co-ordinated attack, driving web traffic to a particular website. The attack appeared to cause patchy service for websites hosted by the company for several hours with many customers taking to Twitter to vent their frustration. UK games and mobile apps start-up Greedy Goblin Games (@GreedyGoblins) tweeted 123-Reg: “It appears your shared hosting servers are down. Can access FTP but not websites”. While IT consultant @thepaulturvey tweeted: “Is there a problem with 123-Reg shared hosting? Multiple sites not responding”. 123-Reg support staff told one UK website owner: “There has been a DDOS type of attack targeting a website from our shared hosting platform which unfortunately affected some of our customers. Our system administrators have contained the attack and the connectivity issues should shortly be resolved”. Update: I’ve received the following statement from 123-Reg confirming the attack. 123-Reg did experience a DDoS attack targeted against one particular customer domain. It was a sustained attack which we monitored closely over the course of several hours. The attack itself was from 823 different IP addresses globally. This resulted in denigrated service to our hosting platform, meaning some customer sites were running slower, but no sites were taken offline as a result of this attack. Customer impact measured in terms of support queries was minimal — and likewise our social platforms saw a handful of comments — which are being addressed on a one to one basis via our support teams. Source: http://betanews.com/2014/04/23/uk-webhost-123-reg-in-ddos-attack/
Read this article:
UK webhost 123-Reg in DDOS attack
While the network time protocol (NTP) DrDoS threats that became prevalent in early 2014 have been contained, new distributed reflected denial of service threats will lead to attacks in excess of 800 G…
Read More:
DrDoS attacks to reach 800 Gbps in 2015
VANCOUVER, BRITISH COLUMBIA–(Marketwired – Apr 23, 2014) – DOSarrest has just released its latest generation of proprietary backend software that incorporates an all-new customer-facing portal. This new release will enable DOSarrest to implement changes to customer configurations in seconds, enabling them to apply custom made DDoS mitigation modules extremely quickly. It is also equipped with an Intrusion Detection System (IDS), allowing the security team to pinpoint sophisticated layer 7 attacks as well as provide cloud based Web Application Firewall (WAF) services for its customers. Mark Teolis, GM at DOSarrest said: “This upgrade is by far our largest project to date, it has taken us over 2 years of development and testing to get here. This latest generation of software is extremely powerful, and can stop the next generation of sophisticated layer 7 attacks.” DOSarrest is now able to offer additional services, including: Cloud Based Web Application Firewall (WAF) Cloud based layer 7 load balancing, Local, Global with health checks Enhanced reporting on traffic types, status codes, cache performance, etc Create virtual servers, to have us pick-up, cache and deliver content from multiple customer servers IDS engine to detect and help stop any malicious traffic “We recognised our customers’ requirements to have comprehensive security related services, rather than disparate point solutions; this new system has all the features that we need to accommodate them. The best part about this new generation of software is its flexibility at the core. What used to take days and weeks to develop and implement, can now be measured in minutes and hours,” added Jag Bains, CTO at DOSarrest. Bains went on to say: “The best part of this new release is that it enables us to quickly react and stop sophisticated attacks that have not even been created yet!” Source: http://www.reuters.com/article/2014/04/23/idUSnMKWNkbj9a+1e0+MKW20140423
See the original article here:
DOSarrest Releases Latest Generation DDoS Mitigation System Software
DDoS attacks are now more unpredictable and damaging than ever, crippling websites, shutting down operations, and costing millions of dollars in downtime, customer support and brand damage, according …
A number of users have taken to social media to report issues with their Blockchain.info wallets on Monday. The reason, according to Blockchain, relates to what has been described as “higher than usual traffic volumes due to DDoS [distributed denial of service] attacks” on the company’s servers. Upon this writing, the website presents the following message: Blockchain.info is currently down for maintenance. For status updates please see Twitter. Apologies for any inconvenience. The company took the opportunity to remind users that their wallets were safe, but made the suggestion that all users make backups upon full service restoration. Distributed denial of service attacks target one or more machines by bombarding them with information requests, slowing down services for legitimate users. DDoS attacks are almost commonplace against larger websites, often becoming a frequent occurrence. Blockchain.info serves as the internet’s most popular bitcoin-related website. Growing tremendously fast, the service recently announced the creation of their 1.5 millionth wallet. Last week, it was announced that the company, led by Nic Cary, had signed a five-year deal to hold rights to the bitcoin.com domain name. Source: http://newsbtc.com/2014/04/21/blockchain-info-services-due-ddos-attacks/
Continue Reading:
Blockchain.info Services Down Due to DDoS Attacks
In the past couple of years we’ve seen a drastic increase in the number of DDoS (distributed denial-of-service) attacks taking place, many of which are being carried out as a means of protest by various groups. The attacks are attempts to make a machine or network resource such as a website totally unavailable to anyone trying to reach it. The reasons for the attacks vary, as do the means used to carry them out. A typical attack generally consists of efforts by two or more persons, and in many cases, botnets, to temporarily or indefinitely interrupt or suspend services of a specific host connected to the Internet. Such attacks usually lead to a server overload and are implemented by either forcing the targeted computer(s) to reset, or consuming enough of its resources so that it can no longer provide its intended service, or by obstructing the communication media between the intended users and the targeted victim so that they can no longer communicate. Based on a new report, now it appears that the attackers are changing their techniques in order to launch much larger scale attacks on websites. In a Global DDoS Attack Report from the 1st quarter of 2014 released Thursday, Prolexic Technology describes seeing a new trend toward “reflection and amplification techniques” which are being used more frequently in lieu of the botnet methods. The report states, “Instead of using a network of zombie computers, the newer DDoS toolkits abuse Internet protocols that are available on open or vulnerable servers and devices. We believe this approach can lead to the Internet becoming a ready-to-use botnet for malicious actors.” Prolexic mentions that these new attack tools can deliver a much more powerful punch. In this Q1 2014 report they saw a 39 percent increase in average bandwidth and also saw the largest-ever DDoS attack, one that involved multiple reflection techniques combined with a traditional botnet-based application attack. That attack generated peak traffic of more than 200 Gbps (gigabits per second) and 53.5 Mpps (million packets per second). The report also states, “Compared to the same quarter one year ago, peak attack bandwidth increased 133% compared to Q1 last year.” The full report showed that the media and entertainment industry were the targets in more than half of the attacks in the first quarter. Prolexic Technology is owned by Akamai. Unfortunately, the new techniques are becoming all too popular with some websites now providing easy access to the services for use in launching these types of attacks. Source: http://www.slyck.com/story2396_Lookout_DDoS_Attackers_Are_Changing_Their_Techniques
Home gateway routers are being targeted by cybercriminals launching denial-of-service attacks They are standard pieces of kit, without which no home or small office can connect to the internet. And millions of them harbour a security vulnerability that threatens to do untold damage to the workings of the web. Welcome to the humble home gateway – the little routers sitting on our desks are being inducted into battle by criminals launching denial-of-service (DoS) attacks to bring down websites and hold organisations to ransom. A subtle flaw in some home gateways (they act as ‘open DNS proxies’) allows attackers to use them for ‘amplification’ where very small DNS queries (50 bytes) generate very DNS large answers (4 , 000 bytes). Attackers employ another simple trick – IP address spoofing – to disguise their own identity and cover their tracks while directing waves of traffic to any target they choose, anywhere on the internet. An amplification attack can create and send a target trillions of bytes of unwanted data over a few hours. The attack on Spamhaus in 2013 generated traffic measured at an enormous 300Gb/s. Many web resources aren’t equipped to deal with such large volumes of traffic and either become unavailable, or slow down to the point where visitors notice. There is also considerable collateral damage to the infrastructure over which these attacks are launched. These attacks are effective because the amplification effect makes the results wildly disproportionate to the effort needed to launch them. Moreover, home gateways acting as DNS proxies make queries appear legitimate to DNS resolvers and mask the ultimate targets of attacks. As such, they are becoming the weapon of choice for those who aim to damage or hold to ransom any target they wish with impunity. Nor is there any shortage of opportunity for these criminals. Research has found there are 24 million home gateways (home routers) that can be used for amplification attacks. These exploitable routers exist across the globe and it is not a problem limited to developing nations. For online criminals, there really is no place like ‘home’ from which to launch an attack. One of the systems most impacted by DNS amplification attacks are ISP resolvers. The fact they’re typically provisioned with ample network bandwidth and deployed on high-performance hardware to ensure they are always responsive and highly available make them ideal for attackers, as they can piggyback on someone else’s high performance infrastructure. ISPs get drawn directly into the mire when open DNS proxies on home routers forward queries received on their WAN interface to whatever DNS resolver they are configured to use. In most cases this is an ISP ’ s resolver (consumers may also configure alternative DNS services from Google and others), and even those who go to great lengths to protect their infrastructure can become collateral damage in the path on an attack. Bandwidth taken up by DDoS traffic causes networks to suffer from congestion and lowered performance. If quality of service falls noticeably, customers will vote with their feet and walk away to another service provider. And the ultimate recipients of the traffic, the targets themselves, often legitimately enquire about what ISP have done to limit the effects of attacks. Since this vulnerability provides enormously rich pickings for criminals at little cost, fixing it should be a priority for ISPs. As with any type of online threat, denial-of-service attacks are protean in nature; they evolve and adapt to circumvent attempts to prevent them. Unfortunately, existing perimeter defences are useless against this new generation of attacks because they’re designed to deter DDoS traffic coming into a provider network instead of traffic going out. What’s called for is the applications of DNS-based security intelligence techniques; by incorporating DNS-level security tools, organisations and ISPs can effectively counter amplification attacks. Deterrence starts with monitoring DNS query data as it is generated so suspicious activity on the network can be identified quickly. Something else that’s needed is dynamic threat lists that track special purpose-built DNS domains designed and deployed specifically for these kinds of attacks. To eliminate false positives, it’s also crucial these lists are carefully vetted. Servers should be configured with highly targeted filters to manage malicious traffic, while ensuring legitimate traffic is not affected. Additional rate limits based on response size can catch malicious traffic not caught by other filters. And, following best practice, DNS data logging is also useful for forensics and reporting. DNS-based security can be used by network operators in a layered security approach. The insidiousness of malware threats requires a defence-in-depth strategy based on various layers of firewalls, packet filters, anti-virus software, intrusion detection and prevention, and many more. Owing to its strategic place in the network, DNS-based security must be added to this portfolio of protection: observing, as it does, every Internet communication, it serves as a lightweight but powerful tool in the armoury. For far too long, people have unknowingly been hosting a serious security weakness in their houses and in their offices. With DNS-level security we can finally plug this breach, and turn the home once more into a castle. Source: http://www.information-age.com/technology/security/123457905/there-no-place-home-gateway-ddos-attackers
Read More:
There is no place like home gateway for DDoS attackers