Category Archives: DDoS News

Defending against the dark arts of DDoS

In the magical world of Harry Potter, the boy wizard and his cohorts were enrolled in a class called Defence Against the Dark Arts as part of their curriculum. In the world of technology, defending against the “dark arts” of DDoS attackers is just as much a requirement. DDoS attacks suspend service to a website by overwhelming it with traffic from multiple sources, thus blocking access to the site and preventing users from accessing important information. Hackers can take down a website in one fell swoop using DDoS attacks, and the longer they last, the more costly they can be to a business.

According to a report from TrendMicro Research, a week-long DDoS attack costs $150 on average on the Internet’s black market, while Verisign/Merrill Research reports that one-third of all downtime activity on the Internet can be attributed to DDoS attacks. Additionally, a newly released report from Symantec indicates that DDoS attacks increased by a staggering 183 per cent between January and August of 2014.

In an exclusive interview with IT in Canada, Candid Wüeest, senior software engineer at Symantec Advanced Threat Research, discusses how businesses can defend against these attacks, and how Symantec can arm them for this battle.

IT in Canada: Why are more businesses falling victim to DDoS attacks?

Wüeest: I think we’re seeing more mid-sized and larger companies falling victim to DDoS attacks because they’re very easy to carry out by the attackers, and it can be very devastating on the receiving end as a result. The motivation behind it might often vary. For example, there are hacktivists who might do it to protest a company’s ideologies, but we also see others do it to make a profit. One of the most obvious profit-related (schemes) is extortion, where an attacked company might be told “Give us a certain amount of money or your online shop will be down.” The other is carried out by a company’s competition, using DDoS attacks to redirect customers to their business. With Thanksgiving coming up, if an online shop is not online during critical hours, people might go to a different shop, allowing the competition to profit from those sales.

ITIC: The Symantec report notes that DDoS attacks increased by 183 per cent between January and August of 2014. What is the reason for that?

CW: I think it’s a bit of a self-fulfilling prophecy. We see that they are successful, and more people in the media are talking about them. This shows hackers that it’s a proven way to attack someone, so they decide to go through with it, which also creates a bigger demand for automated tools and DDoS services. We are also seeing more advertising in the underground market for people selling these services, and this is probably the reason why you’re seeing more of them actually happening.

ITIC: What can businesses do to prevent DDoS attacks?

CW: When it comes to defending against DDoS attacks, there are a few strategies. The first one is to simply be prepared for them and know who to call. Have a response plan integrated into your system to accommodate DDoS attacks. In most cases, when businesses fall victim to DDoS attacks, they don’t know what to do or who to call, or who is responsible at the IP level, and this results in valuable time and revenue being lost. The second one is planning for scalability and flexibility within your network. That starts with having the opportunity to filter out traffic whenever possible in multiple locations, having a load balancer in place for multiple sites, or having a caching proxy in place. The third strategy involves implementing certain protection services. Nowadays, if you’re a medium- or large-sized business, you should also definitely speak with providers of specific protection services, which can help you mirror your website across multiple locations, allowing for better filtering if you are under attack.

ITIC: Why are hackers now relying on mobile devices to execute attacks?

CW: We’ve seen that hackers are experimenting with mobile phones. This is not just because of their 4G and LTE capabilities, which means they can generate a lot of bandwidth traffic, but because they are very good at generating application-level DDoS attacks. They can attempt to overload a database with queries and perhaps use up all of an application’s resources. This is done through web requests, which can be easily sent over any mobile network. We all know that most mobile phones are usually not protected by any kind of security software, so once they are infected, they usually stay infected for a very long time because most people don’t notice it, as they don’t switch off their phones after 24 hours online. As a result, I think that mobile phones might be a better attacking platform than a laptop that you would shut down overnight.

ITIC: What kinds of services does Symantec offer for defending against these attacks?

CW: Symantec is very active in intelligence and in protecting people from becoming the source of an attack. We can help you defend against having your service compromised by any of the malware tools being used or a third-party amplification attack. We cooperate with different companies for the distribution of the network, but that is more the focus of companies like Akamai and CloudFlare. With the knowledge that we have in the data centre, we can help with the flexibility of setting up networks that can be integrated into those services without having to switch too much on your existing platform.

ITIC: Are DDoS issues more of a problem in Canada than they are in the U.S.?

CW: As a country, Canada is doing well. It’s less of a problem there compared to the U.S., but we can’t expect there to be a country where DDoS attacks aren’t happening. One of the reasons is because they’re so easy to conduct, and many more hackers are relying on them now as a result. They are definitely happening in Canada, and people should definitely be preparing themselves if they haven’t already done so.

ITIC: What can companies do to protect their cloud from attacks?

CW: Cloud protection is an interesting problem. Companies should definitely read the FAQs from their cloud service providers to learn how they can protect against denial-of-service attacks. Sometimes there might be a DDoS attack against a company’s online storage, but if it’s targeting the cloud provider, the business might not even notice that they are under attack. They might just notice that they are no longer available, or that the availability of certain documents is failing. You should definitely talk to your cloud provider about how they are protected against DDoS attacks; most of them do have a plan or have multiple locations and balancing in place to cope with these attacks. Make sure that you are aware of them, and if they don’t have them, you should consider moving to another one or plan a strategy on how you can switch to a secondary site in the event of an attack.

ITIC: What does the future hold for DDoS attack prevention?

CW: With DDoS attack prevention, we see that it’s moving in another way, but kind of complementing the whole bandwidth issue. At the moment, most of the mitigation tactics rely on providing a larger bandwidth so that the attackers cannot fill it up. This is good for basic attacks, but we see that there is a limitation to this. In the end, this is a race which will be won by the attackers most of the time because they can compromise more machines. What we see in the future is that we have to rely more on the protection of resources, such as websites and databases, and ensuring that they are protected and secure against having their resources used up. We also have to ensure we can perform proper filtering and only let genuine people in. We see more features being implemented in back service technologies or proxies that are close to the web server.

Source: http://www.itincanadaonline.ca/index.php/security/1003-defending-against-the-dark-arts-of-ddos

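
The interview above closes on protecting resources such as databases at a proxy close to the web server, and filtering so that only genuine clients get through, rather than simply buying more bandwidth. The following added example (written for this archive page; not code from Symantec or from the interview) shows the simplest form of that control: a per-client token bucket that caps how many requests one source can push to the application per second, so a single phone or bot firing expensive search queries is throttled while ordinary visitors are unaffected. The request stream, the client addresses and the rate and burst figures are all constructed for illustration.

```python
"""Per-client token-bucket throttling of the kind a reverse proxy close to the web
server can apply so that one source cannot exhaust a database with expensive queries.
Added example for this archive page; not code from Symantec or from the interview.
The request stream below is constructed; rate and burst figures are illustrative."""
from collections import defaultdict


class TokenBucket:
    """Refills at rate_per_s tokens per second up to burst tokens; each request costs one.
    Tokens are kept in thousandths as integers so millisecond timestamps add exactly."""

    def __init__(self, rate_per_s, burst):
        self.rate = rate_per_s
        self.capacity = burst * 1000
        self.tokens = self.capacity
        self.updated_ms = None

    def allow(self, now_ms):
        if self.updated_ms is None:
            self.updated_ms = now_ms
        # Credit the time elapsed since the last decision, never beyond the burst size.
        self.tokens = min(self.capacity, self.tokens + (now_ms - self.updated_ms) * self.rate)
        self.updated_ms = now_ms
        if self.tokens >= 1000:
            self.tokens -= 1000
            return True
        return False


class ClientLimiter:
    """One bucket per client address; a client seen for the first time starts full."""

    def __init__(self, rate_per_s, burst):
        self.buckets = defaultdict(lambda: TokenBucket(rate_per_s, burst))

    def check(self, client, now_ms):
        return self.buckets[client].allow(now_ms)


def filter_requests(requests, rate_per_s=5, burst=10):
    """requests: (timestamp_ms, client_ip, path) tuples in time order.
    Returns (allowed, rejected); rejected requests never reach the database."""
    limiter = ClientLimiter(rate_per_s, burst)
    allowed, rejected = [], []
    for req in requests:
        ts, ip, _path = req
        (allowed if limiter.check(ip, ts) else rejected).append(req)
    return allowed, rejected


def per_client_counts(requests, rate_per_s=5, burst=10):
    """Map each client address to an (allowed, rejected) pair."""
    allowed, rejected = filter_requests(requests, rate_per_s, burst)
    counts = defaultdict(lambda: [0, 0])
    for _, ip, _ in allowed:
        counts[ip][0] += 1
    for _, ip, _ in rejected:
        counts[ip][1] += 1
    return {ip: tuple(v) for ip, v in counts.items()}


# Constructed traffic: one address firing 50 search queries in one second (20 ms apart),
# plus two ordinary clients making a few page requests in the same window.
SAMPLE_REQUESTS = sorted(
    [(20 * i, "203.0.113.7", "/search?q=%d" % i) for i in range(50)]
    + [(300, "198.51.100.4", "/"), (600, "198.51.100.4", "/cart"), (900, "192.0.2.9", "/")]
)

if __name__ == "__main__":
    for ip, (ok, dropped) in per_client_counts(SAMPLE_REQUESTS).items():
        print("%-14s allowed=%d rejected=%d" % (ip, ok, dropped))
```

With a burst of 10 and a refill of 5 tokens per second, the querying address gets its first 11 requests through and then only one more every 200 ms, so 36 of its 50 queries never touch the database, while the two ordinary clients are never rejected. In a real deployment the key would be whatever identifies a client behind the proxy (address, session, API key), and the same bucket logic can be weighted so that a search costs more tokens than a static page.
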
Emoticons blast three security holes in Pidgin :-(

Dump docs on users’ disks using only ASCII art (°O°)

Cisco researchers have reported a trio of vulnerabilities in popular instant messaging client Pidgin that allow for denial of service by way of emoticon abuse and remote arbitrary file creation.…

18 Election Websites Offline During the U.S. Midterm Elections, Possible DDoS Attack

On the day of the U.S. midterm elections, the Contra Costa County Department of Elections website was inaccessible starting at 7:20 a.m. local time. And it wasn’t alone: the Bay Area News Group reported that 18 election websites run by Florida-based SOE Software across the country were down for most of election day.

According to local news reports, Contra Costa County officials said the hosting of the website was contracted to SOE Software, whose own site was also offline at the time. Election officials said SOE Software was working to fix the problem, and the sites were back online this week.

The main function of election websites is to provide information on where voters can find polling stations, but they also provide features such as Vote by Mail ballot registration. Officials recommended that voters needing to find their polling station visit Get to the Polls, a website sponsored by the Pew Charitable Trust and others.

It’s possible that the election websites were unprepared for the amount of traffic they would get on election day, but it’s also likely that a Distributed Denial of Service attack flooded SOE Software’s servers with requests, blocking legitimate traffic from reaching the websites it hosts.

Source: http://www.thewhir.com/web-hosting-news/least-18-election-websites-offline-u-s-midterm-elections

100 Bitcoin bounty slapped onto head of blackmailer who DDoSed Bitalo site

On Saturday, an attacker and blackmailer known as “DD4BC” sent a note to the Bitalo Bitcoin exchange threatening a distributed denial of service (DDoS) attack. DD4BC demanded 1 Bitcoin (about £206, $326) as protection money and for “info on how I did it and what you need to do to prevent it”:

“Hello. Your site is extremely vulnerable to ddos attacks. I want to offer you info how to properly setup your protection, so that you can’t be ddosed! My price is 1 Bitcoin only. Right now I will start small (very small) attack which will not crash your server, but you should notice it in logs. Just check it. I want to offer you info on how I did it and what you have to do to prevent it. If interested pay me 1 BTC to [Bitcoin address]. Thank you.”

Bitalo CEO Martin Albert eschewed the offer of lessons on avoiding DDoS. Instead, the exchange slapped a bounty on DD4BC’s head, to the tune of 100 times the ransom money. That price may seem steep, but this is serious business to Albert, who told Motherboard that his company wants to show that it’s serious. He noted that while its users’ funds were never at risk because of Bitalo’s multi-signature setup, extortionists like DD4BC nonetheless threaten the smaller startups that make up the global Bitcoin community:

“These kinds of people can do much more harm to the community than any government by regulation or something like that, in my opinion.”

Fear and uncertainty take their toll as well: Bitcoin’s value plummeted after the fall of Mt. Gox. DD4BC’s DDoS attack on Bitalo lasted two days. Albert said that the company soon found out that the same attacker was behind threats to others:

“Immediately we figured out it was not an unknown guy; it was this guy who also threatened many other people.”

The list of DD4BC’s targets includes the exchange CEX.io and the Bitcoin sportsbook Nitrogen Sports, Albert said. Now, the company is offering 100 BTC – about $32,859 or £20,599 at Tuesday’s exchange rates – through the Bitcoin Bounty Hunter site.

This isn’t the first bounty for a Bitcoin burglar, but it’s the biggest by far. Other bounties include:

37.6875 BTC (approx. $12,331, £7,710): for help in catching whoever broke into the email accounts of Satoshi Nakamoto – the person or people who created the Bitcoin protocol and reference software – and of Roger Ver, Bitcoin angel investor, evangelist, founder of the Bitcoin Bounty Hunter site, and a man known by some as the “Bitcoin Jesus”.

2.1249 BTC (approx. $698, £434): for help in catching whoever is behind the missing 600K BTC from Mt. Gox.

Ver told Motherboard that he started the bounty site in September after somebody got into an old email account and started making threats:

“Somebody hacked an old email account of mine and then was claiming they were going to steal my identity. [They also demanded] that I pay them $20,000 worth of bitcoin or they were going to ruin my life and ruin my family’s life, and they made all sorts of nasty threats.”

At the time, Ver offered a 37 BTC reward in a Facebook post for “information leading [to] the arrest of the hacker.” The problem was that he didn’t know what to do with the information people sent him, he said, some of which appeared legitimate but some of which was clearly a joke. Thus was Bitcoin Bounty Hunter born: a site that allows anyone to offer information and claim a bounty anonymously. It relies on the site proofofexistence.com, which requires informants to send in details in a manner that proves that they know something without revealing what it is that they know. In order to claim any of the bounties, the culprit has to be arrested and convicted.

Why not just go to the cops? Ver told Motherboard that when he’s been targeted by theft in the past, he had to track down the stolen parts himself before the police became interested:

“The police in California did absolutely nothing to help, they didn’t even lift a finger. Going to the police, traditionally, they don’t do much of anything to help at all. By providing a bounty I think you can provide an incentive to have anybody – including the police – to actually do the right thing and help victims of crimes.”

Albert said there haven’t been any real tips on the Bitalo attacker yet, but the company is also analysing traffic to try to get at the blackmailer’s identity.

Source: http://nakedsecurity.sophos.com/2014/11/05/100-bitcoin-bounty-slapped-onto-head-of-blackmailer-who-ddosed-bitalo/

Shellshock Being Used to Build a DDoS Botnet to launch DDoS attacks

The Akamai PLXsert advisory alerts enterprises to a DDoS botnet-building operation by attackers taking advantage of the Shellshock Bash bug in Linux-based, Mac OS X and Cygwin systems. Failure to take action can result in a vulnerable system being used to propagate a DDoS botnet, launch DDoS attacks, exfiltrate confidential data and run programs on behalf of attackers.

“PLXsert has observed the DDoS botnet-building operation of an attacker using Shellshock to gain access to and control Linux-based systems,” said Stuart Scholly, senior vice president and general manager, Security Business Unit, Akamai. “We are sharing this information to help enterprises patch their systems to prevent unauthorised access and use by this botnet. Akamai customers have multiple options to minimise the risk of a breach and to mitigate DDoS attacks enabled by this vulnerability.”

Attackers breach vulnerable systems

Malicious actors are using the Bash bug vulnerability, which is reportedly present in GNU Bash versions 1.03 through 4.3, to download and execute payloads on victim machines. These payloads include executable files and script files written in programming languages such as Perl, Python or PHP. The dropped files are capable of launching DDoS attacks, stealing sensitive information and moving laterally across internal networks to breach other systems. In addition, malicious attackers have implemented backdoor functionality to gain unrestricted access to victim machines in the future.

DDoS botnet uses Internet Relay Chat (IRC) for communication

PLXsert recorded an actual IRC conversation of a botnet-building operation that uses the Shellshock vulnerability to add new bots to a botnet. The observed botnet involved 695 bots. IRC channels #p and #x were used to issue commands, and new bots were requested to join channel #new.

Web applications at high risk

Web applications that use the Common Gateway Interface (CGI) method to serve dynamic content are at risk from the Bash bug. It is important to check internal and external web servers for this type of application and others that may potentially pass input to Bash. The Shellshock vulnerability has also been exploited in OpenSSH (OpenBSD Secure Shell), a set of computer programs that provides encrypted communication sessions. In this case the vulnerability is exploited after authentication, which lowers the risk of exploitation but should still be considered high risk.

Enterprises need to patch (and re-patch) vulnerable hosts

Enterprises must update and patch vulnerable hosts as soon as possible. Some of the earlier patches were insufficient, so it is important to obtain and apply the latest patch from the operating system developer. Against fully patched hosts, remote exploitation attempts of this type will be unsuccessful. PLXsert anticipates further infestation and the expansion of this DDoS botnet.

Get the Shellshock DDoS Botnet Threat Advisory to learn more

In the Bash bug advisory, PLXsert shares its analysis and details, including:
Vulnerable Bash versions
DDoS building capabilities of binary payloads
Types of DDoS attacks
IRC conversation from within the DDoS botnet
How to mitigate this vulnerability
DDoS mitigation

Source: http://www.australiansecuritymagazine.com.au/2014/11/akamai-observes-shellshock-used-build-ddos-botnet/

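
The advisory above tells enterprises to check their web servers for CGI applications that pass input to Bash. A companion check on the detection side is to look through existing access logs for the probes that precede such a compromise: the Shellshock prefix `() {` arriving in a header that the web server will export into a CGI script's environment. The following added example (written for this archive page; not code from Akamai or PLXsert) parses Apache/nginx combined-format log lines and reports each request whose request line, Referer or User-Agent carries that prefix, noting whether it was aimed at `/cgi-bin/`. The log lines and addresses are constructed, and the combined-format field layout is assumed.

```python
"""Scan web-server access logs for Shellshock (CVE-2014-6271) probes aimed at CGI
handlers. Added example for this archive page; not code from Akamai or PLXsert.
Log lines below are constructed, and the combined-log field layout is assumed."""
import re
from collections import Counter

# A Bash function definition "() {" has no business in a User-Agent, Referer or
# request line; that prefix is what IDS and WAF Shellshock signatures key on.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")

# Combined format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return the named fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_shellshock_probes(lines):
    """One finding per request whose request line, Referer or User-Agent carries the
    Shellshock prefix. cgi_target marks requests at /cgi-bin/, where the web server
    hands those headers to Bash as environment variables."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skipped, not silently treated as clean
        tainted = sorted(k for k in ("req", "referer", "ua") if SHELLSHOCK_RE.search(rec[k]))
        if tainted:
            findings.append({
                "ip": rec["ip"],
                "time": rec["ts"],
                "fields": tainted,
                "cgi_target": "/cgi-bin/" in rec["req"],
                "status": int(rec["status"]),
            })
    return findings


def probes_by_source(lines):
    """Count probing requests per source address, for blocking or escalation."""
    return Counter(f["ip"] for f in find_shellshock_probes(lines))


# Constructed sample: two ordinary requests, two probes from one address carrying the
# prefix in different headers, one benign User-Agent containing "()" but no "{",
# and one line that is not in combined format at all.
SAMPLE_LOG = [
    '198.51.100.23 - - [25/Oct/2014:10:12:01 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.77 - - [25/Oct/2014:10:12:05 +0000] "GET /cgi-bin/status.cgi HTTP/1.1" 200 312 "-" "() { :; }; echo probe"',
    '203.0.113.77 - - [25/Oct/2014:10:12:06 +0000] "GET /cgi-bin/status.cgi HTTP/1.1" 500 0 "() { ignored; }; echo probe" "curl/7.37.0"',
    '198.51.100.23 - - [25/Oct/2014:10:13:00 +0000] "GET /about.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (compatible; checker()) v2"',
    "this line is not in combined format and is skipped",
]

if __name__ == "__main__":
    for finding in find_shellshock_probes(SAMPLE_LOG):
        print(finding)
    print(dict(probes_by_source(SAMPLE_LOG)))
```

A hit against a CGI path that returned 200 deserves the most attention, since it means the handler ran with the attacker's header in its environment; whether the host was actually vulnerable is then decided by the Bash version and patch level the advisory asks you to verify. The regex is deliberately loose about whitespace, which is why the benign `checker()` User-Agent is not flagged but `() {` with any spacing is.
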
White House Says Unclassified Network Hit In Cyberattack

Mitigation efforts have caused temporary outages and loss of connectivity for some staff, but no computers have been damaged, official says.

An unclassified portion of the White House network has been hit with what appears to be an ongoing cyberattack. Efforts to mitigate the threat have resulted in temporary system outages and loss of network connectivity for some users, a National Security Council spokeswoman confirmed Wednesday. The attacks have not caused any damage to White House computers or systems, though some elements of the unclassified network have been impacted, the official said. “The temporary outages and loss of connectivity for our users is solely the result of measures we have taken to defend our networks,” the spokeswoman stressed in an emailed statement to Dark Reading.

The Executive Office of the President (EOP) routinely receives alerts about potential cyberthreats against White House systems and discovered the current attack while following through on one such alert. White House cyber security staff is still assessing the severity of the attack and ways to mitigate it, the statement added. “Certainly a variety of actors find our networks attractive targets and seek access to sensitive government information.”

An internal White House memo to staff members obtained by The Huffington Post noted that EOP component heads and senior directors at the NSC have put in place several interim measures to help employees on high-priority tasks to continue work as usual. Some of the system outages and connectivity issues resulting from the attack have been resolved while others are in the process of being remediated, the memo said.

The White House has not released any details on the nature of the attack or the person or group that might be responsible for it. But some media reports citing unnamed White House sources have claimed that the attacks have been going on for at least two weeks.

This isn’t the first time that the White House has been the target of a cyberattack. In 2012, malicious attackers used a spear phishing attack to gain access to a non-classified system used by the White House Military Office. In 2009, the main White House website was one of the targets of a distributed denial of service (DDoS) attack campaign that also targeted the Pentagon, the Department of Homeland Security, and several other government networks. A similar DDoS attack temporarily took down the whitehouse.gov website back in 2001.

Cyberattacks against White House networks have invariably tended to be portrayed as significantly hostile actions against the US by unfriendly nations. Many have tended to blame China in particular for such attacks, though the actual proof for such claims has been somewhat tenuous. News of the latest attack is sure to fuel similar speculation, especially because it comes just one day after security vendor FireEye’s new report on APT28, a Russian hacker collective that is believed responsible for numerous attacks against government and other websites. The group is believed to be engaged in widespread espionage activities and appears to be sponsored by the Russian government, according to FireEye.

Security analysts themselves have in the past cautioned against reading too much into reports of cyberattacks against the White House in the absence of any real information on the nature or scope of the attacks. “Government networks the world over are on the front lines of a digital conflict, so it’s no surprise the White House has been targeted, as it presents a very rich target,” said Chris Boyd, malware intelligence analyst at Malwarebytes Lab, in emailed comments. Though no White House systems appear to have been compromised, the attack serves as a reminder of how geopolitical tensions are expressed these days, he said.

John Pescatore, director of emerging security threats at the SANS Institute, said reports of the attacks need to be viewed in a slightly broader context given all that has been happening recently with White House security. “Given what seems to be a decrease in rigor around physical protection of the White House, I think we do have to be concerned about cyber security protection around White House computer systems,” Pescatore said. “I have no insight into what attacks actually occurred, but the reports make it sound like suspicious activity was detected and dealt with quickly. Those are good things. But that is what the first reports of the fence jumper said as well.”

Source: http://www.darkreading.com/attacks-breaches/white-house-says-unclassified-network-hit-in-cyberattack/d/d-id/1317060?_mc=RSS_DR_EDT

City of Phoenix Computers Under DDoS Attack

Police computer communication went down for almost an hour

An attack targeting the computer systems of the public services in Phoenix, Arizona, affected the city’s activity for a period of almost an hour. Police work was also impacted, as officers were not able to search for information about suspects from the computers in their cars. According to information from inside sources, the attack had been carried out for days in a row, culminating with a disruption of the system on Saturday.

No sensitive information was stolen

There is no information about the identity of the attackers or their purpose, but Randell Smith, City CISO (Chief Information Security Officer), said in an interview for Fox 10 that he believed the goal to be gaining access to the network and obtaining as much personally identifiable information (PII) as possible; this is generally used for financial gain. No other possible reason was given by the CISO, who told the TV station that the defense tactics had held and no data could be exfiltrated.

Over the weekend, the city’s servers received a heavy DDoS blow resulting in a 45-minute outage, and the public safety systems could not send information to police officers requesting details about names and license plates or checking criminal records. Radio is the main communication system, which means that officers can still deliver details from the field to their colleagues. It is important to note that the entire computer system of the public service is affected; the cybercriminals do not focus on a particular department. The city of Phoenix contacted the FBI along with technology partners to help put an end to the attacks.

DDoS attack services can be rented

At the moment, the City of Phoenix website is available intermittently until midnight Tuesday, for maintenance reasons and probably for analyzing any clues the crooks may have left behind. The current situation was uncovered by Fox 10, who managed to obtain internal letters containing references to the attack. In one of them, a deputy city manager wrote that the city could be under a coordinated denial of service (DoS) attack, given its intensity and persistence.

Although it may appear a difficult task to pull off, DDoS attacks can be easily carried out, even by those with little technical knowledge. The criminal market provides such services, which can be sustained for a week, for as little as $100 / €79. Depending on the level of protection of the target system and the size of the attack, the price goes up. Still, for strong servers or websites with better protection in place, the cost is about $500 / €394 for a week-long incident.

Source: http://news.softpedia.com/news/City-of-Phoenix-Computers-Under-DDoS-Attack-463286.shtml

Shellshock over SMTP attacks mean you can now ignore your email

‘But boss, the Internet Storm Centre says it’s dangerous for me to reply to you’

Yet another round of Shellshock attacks is emerging, according to the SANS Internet Storm Center – this time, botnets are tapping hosts over SMTP.…

Register for DDoS Protection and Response Strategies Webinar!

As cyber-criminals innovate and develop new techniques to tackle defensive methods, it has never been more important for information security professionals to have strong, proactive defense and remediation strategies in place. During this webinar, the speakers will share insight on how to address the risks and respond to attacks.

Hear about the evolution of and motivations behind DDoS attacks and the attack vectors exploited
Discover how to implement multi-layered DDoS defense
Identify best practice detection and classification techniques
Discover how to implement resilient DDoS incident response practices

Date: November 12th 2014
Time: 10:00AM EST/15:00 GMT

DDoS attack on Ukraine election commission website

Ukraine’s election commission website has been attacked by hackers on the eve of the country’s parliamentary polls. According to Ukrainian officials, the website came under cyber attack on Saturday, just one day before Ukraine is set to hold general elections. “There is a DDoS attack on the commission’s site,” said the Ukrainian government information security service. A distributed denial-of-service (DDoS) attack slows down or disables a website by flooding it with communications requests.

The security service labeled the attack as “predictable” and went on to say that the website’s design ensures that it could not be completely taken down and that it is currently completely functional. “If a site runs slowly, that doesn’t mean it has been destroyed by hackers,” the statement added. As for reports that the site was in the control of hackers, Markiyan Lubkivskyy, an adviser to the Ukrainian Security Service, said, “Any statements regarding the alleged successful unauthorized intrusions into the cyber space of the Central Election Commission or the elements of the elections systems do not correspond to the facts. Hackers are controlling nothing.”

Ukraine’s snap elections were called in August as President Petro Poroshenko came under pressure to purge the parliament of lawmakers allegedly tied to the overthrown government of Viktor Yanukovych. As many as 36 million Ukrainians are eligible to take part in the parliamentary elections. The leaders of the breakaway eastern regions of Donetsk and Lugansk have refused to allow the polls to be held in territories under their control, with a population of almost three million. Ukraine’s mainly Russian-speaking regions in the east have been the scene of deadly clashes between pro-Russia protesters and the Ukrainian army since the government in Kiev launched military operations in mid-April in a bid to crush the protests.

Source: http://www.presstv.ir/detail/2014/10/25/383623/ukraines-election-website-hacked/
