Category Archives: DDoS Criminals

Cisco patches six holes to stop DoS attacks

Cisco has released patches for six flaws in its Internetwork Operating System (IOS) which could be used as part of a DDoS (Distributed Denial of Service) attack. The update features five fixes for its IOS Software and a single patch for its Cisco 7600 Series Route Switch Processor 720 with 10 Gigabit Ethernet uplinks. The company said that the vulnerabilities are serious as they could be used to mount DoS attacks on its customers. It advises Systems Administrators to use the Cisco IOS Software Checker to determine if a given release is exposed to a Cisco product vulnerability. Not exploited yet So far there is no evidence that the vulnerabilities are being exploited, but any flaws that serious in Cisco’s IOS are made more significant because of the amount of control the software has over the market. IOS is a widely used network infrastructure and is working on millions of systems, ranging from the small home office router to the core systems of the world’s largest service provider networks. DoS attacks are the weapon of choice of hacktivists, though other groups have begun experimenting with it. Leaked PRISM documents proved a secret spy unit linked to the UK Government Communications Headquarters (GCHQ) had mounted DoS attacks against the Anonymous collective earlier in February. Cisco boasts that it is the most widely used network infrastructure software in the world. You can see details of the flaws and the patches at the Cisco site here. Source: http://www.techradar.com/news/networking/lan/cisco-patches-six-holes-to-stop-dos-attacks-1237692

View article:
Cisco patches six holes to stop DoS attacks

When ZOMBIES attack: DDoS traffic triples as 20Gbps becomes the new normal

Junk traffic mostly floods in from botnets DDoS traffic has more than trebled since the start of 2013, according to a new study released on Thursday that fingers zombie networks as the primary source of junk traffic that can be used to flood websites.…

More here:
When ZOMBIES attack: DDoS traffic triples as 20Gbps becomes the new normal

Analysis of 244,703 DDoS incidents

NSFOCUS released its DDoS Threat Report 2013, which details attack trends and methodologies over the past year. The report includes statistical analysis and key observations based on 244,703 DDoS inci…

Read this article:
Analysis of 244,703 DDoS incidents

Beware the headless browser DDoS Attacks!

The attacks that you nor your security provider know about, the classic “unknown unknowns”, are often seen as the biggest challenge.   I met with Jag Baines, CTO of DOSarrest some time ago on a visit to the UK with general manager Mark Teolis, who talked of such an attack vector that had not been as widely reported as they had hoped.   The two admitted that the methods of denial-of-service (DoS) attack had changed in the past few years, to the use of sophisticated botnets, and with more access power to compromised computing power, that gives access to tools such as “headless browsers”.   Baines explained that a headless browser is a web browser for all intents and purposes, just without the graphical elements; a legitimate browser web kit that has been modified to run a series of queries and target basic UIs on your website.   “It is gaining popularity on the ‘big and dumb’ attacks. You have no web application firewall and no box is going to be able to figure out what this thing is doing,” Baines said.   “You can download the software for free and modify it, PhantomJS is the most popular headless browser and people use it for legitimate purposes like monitoring services. We looked at adding a monitoring service to see how our website was doing a couple of years ago, and you can add a sensor and a certain location and tell it to tell you the load times of each element of the site, but others are modifying it for less than gallant reasons.”   Teolis said that such tools were made by programmers to test out their websites, but they were now used for nefarious purposes. “You open up hundreds of sessions on your laptop and see how it runs, but now you can have unlimited process using Javascript, cookies and Captcha, and any challenge.”   Baines said that any attacker would need access to the tool, and while you cannot effectively run headless browsers, an attacker would need to load up the program and need a victim to actively run it.   “An attacker accesses it and loads it up via a VBScript, the victim sends back a response and the headless browser tells you it looks like a legitimate session to get access to what they can find. It works because the attacker understands how the website is designed, tells you where the weaknesses are and point it at it. You cannot set up a web application firewall to prevent it as it is using the same protocol as a real visitor would.”   Teolis said that this attack form is low and slow, and the headless browser would infect a laptop, go to a command and control centre and await instructions. “It could download code, but the idea is to exhaust resources – it is Slow Loris attack version 2,” he said.   “All of the boxes could not stop it as slow and low attacks come twice an hour, but there are 50,000 of them, so how do you distinguish what is real and fake traffic? With headless browsers, it can process Javascript and Captcha and jump through hoops; so this will be a big problem for older boxes.”   Baines said that there tends to be a focus on volumetric attacks, but while users are scared of that, a lot of the headless browser attacks are TCP-based, so only around five to ten Gbps, but it is in the background and that is what is killing the site. “You’ll never see it, it runs as a separate process in the background. The only way you’ll know is to run a NetStack to see what is running out of port 80 and it is very sophisticated.”   DOSarrest admitted that there is no detection of a large collection of botnets for this service, but they predicted that this will happen as a victim can be hit 10 times or 50 times a minute.   Baines said: “You can rent a botnet for $10 an hour, but with a headless browser you have to be sophisticated to use it. It takes time and effort to get it installed, so you can run it on 10/15 machines to be effective and once you have your sophisticated botnet you are not going to share that, you are going to keep it and use it when the time calls for it. These guys are motivated either politically or commercially and will bring it out like a sniper only when they see fit.”   Asked if this could be used as part of a targeted attack, Teolis said that this is different as it uses DoS tactics, but if there are 10,000 different IPs attacking every ten minutes or every hour, then it will be hard to deal with.   Baines said: “If you look at it from the perspective of the cyber criminal, they want to cover their tracks and pull out data without anyone knowing and using headless browsers for any purposes, but there is going to be some footprint left behind. I don’t see it as a tool for theft, it is more about how to make the website unavailable and how does the attacker look like every other visitor.   “The intentions are different and to leave no logs or trace. There will be difference in patterns but it takes a dogged support guy to figure it out.”   The concept was presented last summer at the Def Con conference in Las Vegas, and Teolis said that the response was positive from delegates. In terms of how to protect against it, the solution does lay with a pure play DDoS protection service as this does not require signature-based solution. Teolis said that it offers support to parse it, run analysis on it and see the pattern and anything in particular that wasn’t there an hour ago.   “We are defending our customers during non attack periods , to compare and contrast and look at the pattern, look at the implementation. At the worst case we can put our finger in the dyke and block it, or we look at rate limiting expressions, maybe sanitise the options that come through – it is all dependant on what data we can gather,” he said.   “With real time support there is a human involved and you can develop some rule sets to determine what is going on and implement this module. We can do that in seconds, and that is part of our software and we can do it in under a minute.” Source: http://itsecurityguru.org/gurus/beware-headless-browser/#.UzMvWleTqM6

Excerpt from:
Beware the headless browser DDoS Attacks!

Why having a DDoS Playbook is essential for your organisation

Just like any major emergency, IT managers must prepare a playbook to follow in case a DDoS attack occurs. What follows are some of the most important considerations every manager needs to consider when creating their DDoS playbook: it’s about 75% preparation, 25% organised action. Situation awareness Every business operates within the context of certain realities. There are the human, political realities: are there competitors, activists or people who might have something against your organisation? Your team should be actively monitoring social media for indications of growing tension. And then there are known technological realities: what device types and browsers normally access your public websites? What is within the range of normal legitimate traffic and what is not? Document what’s normal, what’s not, how to monitor for it, and what to do about it when things change. Know thy network, and protect it In order to effectively protect your network, you and your team must understand it completely. Establish the following practices, share in a safe location, and update regularly: Create a detailed depiction of your network topology. This will ensure everyone is working from the same page and will be useful for team coordination while under attack. Establish baselines. Collect baseline measurements of all network activity as it relates to your public access points. Examples are graphing and threshold alerts for bits per second and packets per second on major ingress and egress links in your network. You should also identify all critical services (for example, DNS, web servers and databases) running in your network and define monitoring indices to assess health in real time. Defend from the edge. Deploy technology at the edge of your network to defend as best as possible. Understand it may have limited capabilities, but can be of use in thwarting a small attack or identifying a ramping attack. Give yourself options. Design a secure remote access configuration, preferably out of band, to allow for remote management of your systems while under attack. Create a strong DDoS response team Help your people be successful by designating a strong team leader and making sure everyone knows and understands their responsibilities. Include the following: Who should be notified and when (emergency contact info for your ISP, your own senior management, customer service and PR managers)? What info needs to be collected and when, and where is it logged? What action needs to be taken to protect infrastructure or service? What is the escalation path for critical decisions? Communicate the DDoS plan It’s not enough to have created a DDoS plan, but you need to share it and staff needs to know exactly when to initiate a DDoS response. It should be part of orientation for new staff, with hard copies at stations and version in your wiki or online shared resources. Run drills periodically, including contacting your ISP. Partner when necessary If an attack is beyond the capabilities of your team or your ISP, make sure you have done your research and know which expert you want to call. There are companies whose sole expertise is preparing for and defending against sophisticated and large scale DDoS attacks. Make sure you understand your needs and vendors’ service offerings beforehand so that when the need arises, you will have taken that difficult decision-making process out of the equation. Source: http://www.techradar.com/news/software/security-software/why-having-a-ddos-playbook-is-essential-for-your-organisation-1232315

View original post here:
Why having a DDoS Playbook is essential for your organisation

Westboro, Northboro Verizon service hit by DDoS attack

Since March 3 — and perhaps as far back as Feb. 26 — Verizon customers in Westboro and Northboro had been experiencing regular and constant interruptions to their Internet and phone service. Dozens of Westboro residents have discussed the service outages on Facebook (and offer sharp-tongued critiques of Verizon’s response), and six have filed complaints with the state Office of Consumer Affairs and Business Regulation. The disruptions, according to Verizon spokesman Philip G. Santoro, were caused by repeated cyberattacks on one residential customer in Westboro. The cyberattack is called a dynamic denial of service, a DDOS or DOS. In an email, Mr. Santoro described the attack thusly: “Someone deliberately flooded that customer with an overwhelming amount of traffic that rendered their Internet service inoperable.” “When that happened, it caused Internet service to periodically slow down for other customers in Westborough,” he wrote. “We are working to restore service to normal as soon as possible. DOS attacks are all too common today among customers of all Internet providers. It’s important to remind Internet users to keep their firewalls operating and to keep their security software current.” Interestingly, though, when I first asked Mr. Santoro about this, he said there were no widespread outages reported. I think that is because there was nothing physically wrong with the FiOS lines — no technical problems, no trees on the line, etc. At Verizon, the lines were all reported to be working as normal. But customers were calling in complaints and opening repair tickets left and right. The state logs the complaints and passes them on to the service provider, in this case Verizon, said Jayda Leder-Luis, communications coordinator for the Office of Consumer Affairs and Business Regulation. “DOS is a cybersecurity issue, one that can affect voice services that rely on access to the Internet (like VOIP),” she wrote in an email, referring to Voice Over Internet Protocol, in which phone service is provided through an Internet connection. “Those were the kinds of complaints we were receiving.” For dozens of residential and business customers in Westboro and Northboro, the interruptions were frustrating. “It happened around 3 o’clock, every day,” said Allen Falcon, chief executive officer for Cumulus Global, a cloud computing company in Westboro. “Sometimes it was a few minutes, sometimes 45 minutes to an hour.” A few times, the interruptions occurred in the morning, just after 9 a.m., he said. Since the company’s phone service and Internet connection runs through a FiOS line provided by Verizon, when the FiOS line goes out, customers lose both phone and Internet. “For us, it’s incredibly embarrassing as a technology company, to lose our service like this,” he said. “We’re talking to someone and the phone lines goes down, the Internet goes down.” The company has workarounds, in which the office can switch its Internet and phone service to a 4G service provided by their cellphones. “But it’s slower performing and more expensive,” he said. “Some days, around 3 p.m., we have to consider, ‘Should we switch, just in case?’ “ Several customers reported that Verizon had a lot of trouble pinpointing the cause of the interruptions, and several of them had Verizon technicians visit their homes and replace their routers. Since the cause was later determined to be this DOS cyberattack, replacing their routers looks like, in hindsight, a waste of time and money. Steve Winer, a Westboro resident, said Verizon installed a new router at his home, but it made no difference. The outages continued. “I am just wondering how much time and money was wasted on this,” he wrote in an email. “I know I spent at least a couple of hours on the phone, and others shared similar stories. But, if you add up all the shipped routers and unnecessary service calls, along with the time both of us customers and (Verizon) personnel, I am sure it really adds up, and could have been avoided if someone had simply put two and two together and posted a chronic outage which began in February.” On Tuesday, Verizon apparently pinpointed the exact Internet Protocol address of the Verizon customer being attacked, and shut down the customer’s FiOS service. The slowdowns and service interruptions have stopped. Let’s hope they never return. Source: http://www.telegram.com/article/20140323/COLUMN73/303239976/1002/business

View the original here:
Westboro, Northboro Verizon service hit by DDoS attack

Gang wielding ColdFusion exploits expands botnet of hacked e-commerce sites

A German website of French automaker Citroën is the latest of the wide array of higher-profile webshop sites that have been compromised by a hacker gang leveraging Adobe ColdFusion vulnerabilities. …

Continued here:
Gang wielding ColdFusion exploits expands botnet of hacked e-commerce sites

NATO websites hit by cyber attacks

A number of NATO websites have been hit by cyber attacks, but they have had no impact on the military alliance’s operations, a NATO spokeswoman said. The attacks, which affected NATO’s main website, came amid rising tensions over Russian forces’ occupation of Ukraine’s Crimea region where a referendum is to be held on Sunday. NATO spokeswoman Oana Lungescu said on Twitter that several NATO websites have been the target of a “significant DDoS (denial of service) attack.” She said there had been no operational impact and NATO experts were working to restore normal function. Source: http://www.itv.com/news/update/2014-03-16/several-nato-websites-hit-by-ddoscyber-attacks/

View original post here:
NATO websites hit by cyber attacks

162,000 reasons to tighten up WordPress security

“Cyber-criminals continue to innovate and find vulnerabilities to exploit for their criminal activity” says Lancope CTO Tim Keanini. 162,000 reasons to tighten up WordPress security WordPress may be one of the most popular website systems used to publish on the Internet, but its open source nature – and consequent security challenges – have been highlighted this week after around 160,000 WordPress sites have apparently been used as DDoS zombies. Security research firm Securi reports that the WordPress pingback option – which allows WordPress sites to cross-reference blog posts – has been misused in recent times by unknown hackers to launch large-scale, distributed denial-of-service (DDoS) attacks. The attack vector used is not unknown as, back in the summer of last year, Incapsula reported that one of its clients was targeted in a pingback DDoS attack involving 1,000 page hits a second. Securi says it has been monitoring a swarm attack involving more than 162,000 WordPress sites and collectively generating many hundreds of IP requests to a single WordPress site. Whilst Daniel Cid, Securi’s CTO, has declined to identify the site, this suggests the attack may have been a proof-of-concept trial. On a technical level, the attack vector exploits an issue with the XML-RPC (XML Remote Procedure Call) code within WordPress and which is used for pingbacks, trackbacks and remote access from mobile Web browsers. SCMagazineUK.com notes that WordPress has known about the issue for several years, but the problem is that it a key structural issue with WordPress’s kernel architecture. Despite this, WordPress development teams have changed the default setting of sites to operate with a Web cache, meaning there is less load placed on the hosting server concerned. The hackers, however, have generated fake website addresses within their IP calls, so bypassing the web cache. Securi’s CTO says he been talking to WordPress developer teams about the issue, who are reportedly investigating a workaround. Tim Keanini, CTO of Lancope, said that the structural natures of the issue mean that it is not something that will ever go away. “Think of it as a supply chain and these criminals need compromised connected computers for their botnets – if you are connected for whatever reason to the Internet, you are a part of this supply chain,” he said, adding that cyber-criminals continue to innovate and find vulnerabilities to exploit for their criminal activity. To add to this, he explained, we – as Internet users – continue to put insecure devices on the Internet and with the Internet of Things ramping up, he warns there is just no end to the supply of targets. “What we need to do is to focus on the precision, timeliness, and leadership through these crisis – not the fact that they will just go away. They are here to stay and a part of doing business in the Internet age. When these events happen, what does leadership look like that provides business continuity and restores customer confidence? That is the question we need to be asking because hanging your head in shame does no one any good,” he said. Sean Power, security operations manager with DDoS security vendor DOSarrest, said that the vulnerabilities in old versions of WordPress mean that hackers can exploit them to be used for DDoS attacks. “This is nothing new – in fact, it was first recognised back in 2007. Attackers exploited a vulnerability in the core WordPress application and therefore it could be used for malicious purposes in DDoS attacks,” he said. “The fix for this feature was actually released in the 3.5.1 version of WordPress in January 2013 and would be picked up by most good vulnerability scanners,” he added. Power went on to say that this a prime example of how users aren’t regularly performing updates to their websites – “because if they were, we wouldn’t still be seeing DDoS attacks being carried out by websites taking advantage of this old flaw.” Source: http://www.scmagazineuk.com/162000-reasons-to-tighten-up-wordpress-security/article/337956/

See original article:
162,000 reasons to tighten up WordPress security