DDoSInfo – Information about DDoS and Denial of Service Attacks

January 11, 2008

DDoS Company – Prolexic Bought for USD10.5 Million

Filed under: DDoS News, DDoS Vendors — Andrew Mason @ 8:33 am

Publicly listed firm IPVG Corp. (IPVG) has announced the acquisition of Prolexic Technologies Inc. (Prolexic), a United States-based managed security service provider of distributed denial of service (DDOS) mitigation solutions, the company said.

IPVG has initiated a stock purchase agreement with stockholders of Prolexic for the purchase of 100 percent of the company’s capital stock, IPVG said in a disclosure.

IPVG CEO Enrique Gonzalez said the acquisition is part of the company’s entry into the global communications market.

“With Prolexic, we are positioned to become the leading DDOS mitigation provider in the world with operations in the US, Latin America, Europe and Asia,” Gonzalez said, noting the continued demand for Internet security solutions for the enterprise market.

IPVG is investing a total of $10.5 million for this acquisition.

DDOS attacks involve flooding target web servers to slow down or even deny legitimate traffic. This type of attack is often used to target the systems of banks and credit card payment gateways, among others. Prolexic has recently seen more sophisticated ways in which DDOS is being used to target popular websites or online services using hijacked computer systems or peer-to-peer networks.

IP-Converge Data Center Inc., the data center subsidiary of IPVG, has reportedly prevented DDOS attacks within its customer networks.

January 4, 2008

Russian army shows the new face of DDoS attacks

Filed under: DDoS News — Andrew Mason @ 9:23 am

In late April, a Russian-speaking blogger upset with recent events in Estonia posted a series of dispatches calling on like-minded people to attack government servers in that country.

…VolchenoK’s dispatch was echoed in posts on other Russian-speaking websites and helped set the groundwork for more than a week of distributed denial of service (DDoS) attacks, which sometimes brought official Estonian websites to their knees.

The assault on the Estonian sites was motivated by the government’s removal of a Soviet-era memorial from the center of that country’s capital.

…The attacks should serve as a wake-up call for US government officials about the potency of several new DDoS tools adopted by cyber criminals, says Arbor Networks senior security engineer Jose Nazario.

…The Estonia attacks are a graphic example of the damage that disaffected groups can cause when they vent their rage on internet targets, he says. Combined with a separate round of attacks on sites belonging to both pro-Russian and anti-Russian groups over the last three months, they raise the possibility that attacks based on political, ethnic or cultural differences may be on the rise.

…Posts like the one left by VolchenoK included a do-it-yourself script users could run to turn their computers into individual launch pads for the attacks. They also included instructions on when participants should start and stop them to ensure the incursions caused as much damage as possible.

…They also employed protocols such as ICMP and TCP SYN, which have been used for so long that they are no longer effective against many hardened targets.

…Over the past several months, Nazario has documented attacks on sites belonging to groups on both sides of the Russian establishment. Targets include the Party of Regions, a pro-Russian party led by Ukrainian Prime Minister Viktor Yanukovych; the site of Garry Kasparov, the Russian chess grandmaster turned critic of Russian President Vladimir Putin; and namarsh.ru, another dissident site.

…It doesn’t rely on the more primitive IRC protocol, doesn’t scan for new hosts to infect and is cloaked in a rootkit, making it hard for users or security researchers to detect.

…More than three dozen servers have been detected as command and control centers for BlackEnergy, and because the tool is available for $40 the number could grow, Nazario says. HTML-based bots like BlackEnergy are harder for security professionals to detect and stop because the data they generate looks similar to web traffic.

…So Nazario is working with the computer emergency response teams of various governments to snuff out the command and control servers that act as the hubs for these networks. Among the techniques for stopping them are the blacklisting of domain names and internet protocol addresses and the sharing of signature files that can be used by Snort and other intrusion detection systems to pinpoint the servers.

Full Article Here

November 11, 2007

Massive DDoS Attack on its way? – E-Jihad vs. Storm

Filed under: DDoS News — Andrew Mason @ 9:55 pm

The countdown to Nov 11th and the most recently rumored “cyber Jihad” against the West has sparked some other questions. One in particular is the comparison of their individual capabilities for possible denial of service (DoS) attacks.

Symantec’s analysis of the purported DoS tool to be used in this “E-Jihad,” known as “E-Jihad 3.0,” has shown it to be crude and unsophisticated. First, it requires a user to manually install it onto a computer. The user must then log into a “cyber-jihadist” Web site through the tool, which sends back attack commands. The Web site in question is currently offline and we believe it may have been since July 2007. Symantec has detection for this tool as Hacktool.Dijah and has set up intrusion prevention system (IPS) blocking.

Since January 2007, Symantec has been tracking the evolution of what is commonly referred to as the “Storm” threat. This term so far has incorporated various malicious online activities like distributed denial of service (DDoS) attacks, spam, pump-and-dump stock emails, and botnets. Symantec has been prompt to add detection and remediation for all these activities under either the Trojan.Peacomm family or Trojan.Packed.13.

The full capabilities and size of the Storm botnet are as-yet unknown. Systems continue to be infected on a daily basis through various techniques, such as spam, social engineering, and browser exploits. The use of the Overnet peer-to-peer protocol, used by many legitimate file-sharing clients like eMule and MLDonkey, also makes it difficult to track and isolate where commands are coming from. It is also constantly evolving with new methods to infect users. The latest techniques discovered have shown that they are now incorporating network encryption, worm-like propagation across drives, and also injecting malicious IFRAME code into .htm, .html and .php files found on compromised computers.

Comparing the E-Jihad and Storm techniques mentioned above clearly shows that the “cyber terrorists” in this case are well behind the cyber criminals. Although it must be noted that at this time it is not clear whether the “E-Jihad 3.0” tool will be used in the rumored E-Jihad on Nov 11th or even if it is all just a pie in the sky.

However, we should not rule out the impact that a basic DoS attack can have. Lessons learned from May 2007 in Estonia have shown us that manually entered DoS commands by individual users on systems can cause an impact if there is enough popular support. If we look at the figures below, we can see just how much bandwidth can be consumed in a simple enough attack.

Magnitude of 25,000 bytes/sec = 24 KB/sec = 192 Kbps for each single attacker

Assuming N=100 attackers => 192×100 = 18.7 Mbps denial of service attack

If these figures are exponentially multiplied by the number of attackers, such an attack can have a considerable impact on a target. However, this would require a considerable amount of organization. With the Storm threat this is all simplified because one user can issue commands to unknowingly compromised computers that are hosting the threat’s bots. There is no definitive figure on just how many computers the Storm bots occupy, but various reports suggest anywhere from thousands to millions. With these figures in mind, a DDoS attack from the Storm threat should theoretically outweigh an organized E-Jihad using the “E-Jihad 3.0” tool and poses the greater threat. Yet, with the Storm threat being controlled by cyber criminals who are motivated by money, it is unclear just who or for what they might lease their botnet herds out to. Time will tell.

To minimize the risk of an attack as much as possible, never install an unknown program, keep your antivirus definitions up-to-date, and never open attachments from unknown sources.

April 19, 2007

Law Firm Increases Web Security After Spam Attack

Filed under: DDoS News — Andrew Mason @ 8:23 am

Scottish law firm MacRoberts has improved its online security after suffering a distributed denial of service (DDoS) attack.

The attack at the end of 2006 took the company’s entire inbound and outbound emails out of service for two days.

‘Things ground to a halt very quickly,’ said David Murphy, director of IT at MacRoberts.

‘Mail was trickling in and out and we were getting bombarded with thousands of spam emails.

‘We tried to kick our old security vendor into action but they could not do anything.’

Since the breach, MacRoberts has installed a switched security system from vendor Postini which filters all mail before it reaches the law firm, dramatically reducing the chance of being affected by further attacks.

‘The new system can filter out these attacks as they happen,’ said Murphy.

‘We have suffered attacks since and been fine – all we know of it is a report from Postini saying they have occurred,’ he said.

Previously the firm’s IT staff needed to check thousands of spam emails to ensure genuine messages had not been blocked. The new system has freed up half a day’s work every day.

Graham Titterington, principal analyst at Ovum, says a DDoS attack is a result of many factors.

‘Attacks could be motivated by a competitor looking for advantage, or more likely out of malice towards the law firm,’ he said.

January 1, 2007

2007 – The Review from the Crystal Ball

Filed under: DDoS News — Andrew Mason @ 8:40 pm

This post is from the Heise Security website and it attempts to predict the trends for 2007.

It’s the season of the end-of-the-year reviews. We have used our crystal ball to jump forwards a year to provide you the ultimate review of 2007 — here and now.

2007 was the year of the super bots: Never before has malicious software been equipped with so many functions that help it to hide from antivirus software and to resist removal. The majority of malicious software programs used root kits, and their number doubled again on last year’s figure to over 500. Local privilege escalation vulnerabilities in Windows were increasingly exploited; accounts with restricted user rights were used to gain system rights. Initially, the protective functions in Windows Vista, which has been available for end customers since January, made it more difficult for malicious code to infiltrate the system. The crimeware scene responded and numerous vulnerabilities appeared as the year progressed and these were exploited to cancel or bypass the majority of the security functions. The user account protection (UAC), in particular, proved to be ineffective: Most users just confirmed any respective requests, since they did not understand the displayed information.

December 28, 2006

Richard Stiennon’s Top Ten Threats for 2007

Filed under: DDoS News — Andrew Mason @ 8:06 am

Richard Stiennon has announced his top ten threats for 2007 on his blog at ZDNet. His top ten threats are as follows.

  1. 100% Growth in revenue for cyber crime
  2. DDoS in support of phishing attacks
  3. Successful DDoS attack against a financial services firm
  4. Attacks against DNS are the threat of the year
  5. No abatement in identity theft
  6. More attacks against wireless networks
  7. MySpace grows up and gets secure
  8. YouTube abuse threatens site
  9. Network infrastructure shows signs of overloading
  10. Spread of Windows Vista will have zero impact on the overall threatscape

View the entire contents of the report HERE

December 27, 2006

Interview with Derek Raines from Gigenet

Filed under: DDoS News — Andrew Mason @ 9:00 am

The Host Guru are running an interview with Derek Raines of Gigenet, which is well known for the DDoS attack filtering they offer their customers. Derek talks about the industry they are in, the types of customers they service, the attacks they have thwarted and whether or not fears of internet terrorism are driving sales.

Full Interview Here

December 24, 2006

Cafepress.com Gets Hit By DDoS Attack!

Filed under: DDoS News — Andrew Mason @ 7:55 pm

CafePress.com, which provides online stores for thousands of blogs and web sites, has been hit with a distributed denial of service attack (DDoS) which has disrupted service for many of its merchants during the critical final shopping days before Christmas.

The attack began Tuesday evening and was continuing to cause “significant service interruptions” late Thursday. The cafepress.com main site and a sampling of online stores were accessible early Friday.

December 4, 2006

EveryDNS Suffers DDoS Attack

Filed under: DDoS News — Andrew Mason @ 11:39 am

"EveryDNS, sister company to OpenDNS (which runs the PhishTank anti-phishing initiative), has been hit by a massive distributed denial-of-service attack. The attack started sometime Friday afternoon and, from all indications, was targeting Web sites that used free DNS management services provided by EveryDNS. At the height of the DDoS bombardment, EveryDNS was being hit with more than 400 Mbps of traffic at each of its four locations around the world. From the article: ‘"We were collateral damage," Ulevitch explained… Because law enforcement is involved, Ulevitch was hesitant to release details of the actual target but there are signs that some of the targets were "nefarious domains" that have since been terminated.’"

OpenDNS, which makes use of EveryDNS services, was affected for a time, until they spread their authoritative DNS more broadly. The EveryDNS site is now reporting that the attack is continuing but has been mitigated and is not affecting operations.

November 24, 2006

Amazon.com DDoS’ed by Customers Vote Winner

Filed under: DDoS News — Andrew Mason @ 3:06 pm

In case you were hoping to take advantage of the Amazon Customers Vote deal for a $100 Xbox 360 on Thanksgiving, Amazon.com was reportedly not reachable from at least 2-2:15pm EST (11am-11:15am PST). Presumably, the traffic caused by the $100 Xbox seekers was simply too much.

Some people are complaining that they couldn’t even load the Amazon homepage…

Update: There are over 500 comments in a thread on the Amazon Customers Vote Forum with disgruntled customers chiming in, in addition to other blogs which have noted the outage. Plenty of people are not happy and some are filing Better Business Bureau complaints.

Looks like a great case of a traffic flood that caused DDoS-like behavior.
