Category Archives: DDoS Vendors

DDoS attacks: Bigger, Badder and Nastier than last year

DDoS bots are evolving, developing immunity to cookie and JavaScript challenges along the way. A raft of next-generation DDoS attacks have marked the first months of 2014, says a new report from Incapsula, which notes that large-scale SYN floods attacks now account for a hefty 51.5 percent of all large-scale attacks. The research – which covers the whole of 2013 and the first two months of 2014 – says that 81 percent of DDoS attacks seen in 2014 are now multi-vectored, with almost one in every three attacks now above 20 Gbps in data volume terms. The analysis – entitled the `2013-2014 DDoS Threat Landscape Report’ – says that application (Layer 7) DDoS attacks are becoming a major headache for IT professionals as this year progresses, with DDoS bot traffic up by 240 percent in the three months to the end of February this year. Interestingly, Incapsula says that 29 per cent of botnets have been seen attacking more than 50 targets a month. The analysis – which is based on 237 network DDoS attacks that exceeded 5 Gbps and targeting Web sites on Incapsula’s network – concludes that DDoS bots are evolving, developing immunity to cookie and JavaScript challenges along the way. In fact, says Incapsula, during the final quarter of 2013, the firm’s research team reported the first encounter with browser-based DDoS bots that were able to bypass both JavaScript and Cookie challenges – the two most common methods of bot filtering. The problem, concludes the report, is that the DDoS attack perpetrators are now looking to raise the stakes even higher by introducing new capabilities, many of which are specifically designed to abuse the weaknesses of traditional anti-DDoS solutions. As a result, in 2014, the research predicts, many IT organisations will need to re-think their security strategies to respond to latest Layer 3-4 and Layer 7 DDoS threats. According to Barry Shteiman, Director of Security Strategy with Imperva, the report exposes advancements in both network and application layers. The most interesting take-out from the report, he says, is that the application DDoS attacks are now originating in botnets. “Last year we wrote extensively about the trend on CMS hacking for industrialised cybercrime where attackers use botnets in order to turn onboard infected machines into botnets and then use those as platforms for network and application attacks,” he said. “For DDoS attacks, it just makes sense. When a hacker has the power of masses with a large botnet, there are great opportunities to disrupt service. When servers are being infected rather than user’s computers, it’s even worse, just because of the bandwidth and computing power that becomes available to the hacker,” he added. Ashley Stephenson, CEO of Corero Network Security, said that it is essential that the governments take a more active role in encouraging private sector organisations to address the issue of DDoS attacks – and to put in place the appropriate plans to deal with these unavoidable security risks to their business and the nation’s financial infrastructure. “As consumers saw in late 2012 and early 2013, in both the US and UK, banks and financial institutions were successfully targeted by attacks which compromised their online services,” he told SCMagazineUK.com . The Corero CEO went on to say that his company believes that mandated controls – like those recently proposed by the Federal Financial Institutions Examination Council (FFIEC) – will drive organisations to take pro-active steps to regaining control of their online presence. “These mandates, at a minimum, offer guidance for financial institutions for appropriate DDoS activity monitoring and adequate incident response planning, this will ultimately lead to the deployment of more effective DDoS defence solutions,” he explained. Source: http://www.scmagazineuk.com/ddos-attacks-bigger-badder-and-nastier-than-last-year/article/342078/

Read More:
DDoS attacks: Bigger, Badder and Nastier than last year

How a website flaw turned 22,000 visitors into a botnet of DDoS zombies

Researchers have uncovered a recent denial-of-service attack that employed an unusual, if not unprecedented, technique to surreptitiously cause thousands of everyday Internet users to bombard the target with a massive amount of junk traffic. The attack worked by exploiting a Web application vulnerability on one of the biggest and most popular video sites on the Web, according to a blog post published recently by researchers at security firm Incapsula, which declined to identify the site by name. Malicious JavaScript embedded inside the image icons of accounts created by the attackers caused anyone viewing the users’ posts to run attack code that instructed their browser to send one Web request per second to the DoS victim. In all, the technique caused 22,000 ordinary Web users to unwittingly flood the target with 20 million GET requests. “Obviously one request per second is not a lot,” Incapsula researchers Ronen Atias and Ofer Gayer wrote. “However, when dealing with video content of 10, 20, and 30 minutes in length, and with thousands of views every minute, the attack can quickly become very large and extremely dangerous. Knowing this, the offender strategically posted comments on popular videos, effectively created a self-sustaining botnet comprising tens of thousands of hijacked browsers, operated by unsuspecting human visitors who were only there to watch a few funny cat videos.” The novel attack was made possible by the presence of a persistent cross-site scripting (XSS) vulnerability in the video site, which Incapsula didn’t identify except to say it fell in the Alexa top 50 list. XSS exploits effectively allow attackers to store malicious JavaScript on a website that gets invoked each time someone visits. The booby-trapped user icons contained an iframe tag that pulled malicious instructions off an attacker-controlled command and control server. The malicious instructions caused browsers to surreptitiously flood the DDoS target with an unusually high number of GET requests. Incapsula was able to mitigate the effects of the attack using a combination of progressive challenges and behavior-based security algorithms. Remember the Samy Worm? The attack is only the latest to harness the tremendous power of XSS vulnerabilities. The technique came into vogue in 2005 with the advent of the Samy worm. Named after its creator, a hacker named Samy Kamkar, the XSS exploit knocked MySpace out of commission for a day by forcing anyone who viewed his profile to become a MySpace friend. In less than 24 hours, Kamkar, who later served time in jail for the stunt, gained more than one million followers. “The nature and beauty of persistent XSS is that the attacker doesn’t need to target specific users,” Matt Johansen, senior manager of Whitehat Security’s threat research center, told Ars. “The malicious JavaScript is stored on the website and replayed to anybody who visits this in the future. This particular JavaScript forced each browser that was running it to make a request in one-second intervals.” Last year, Johansen and other colleagues from Whitehat Security demonstrated a proof-of-concept ad network that created a browser-based botnet using a technique that’s similar to the one Incapsula observed exploiting the XSS weakness. “The delivery mechanism [in the Incapsula-observed attack] was different as it was from persistent XSS in the site instead of an ad network,” Johansen explained. “The only difference there was how the malicious JavaScript was rendered in the user’s (bot’s) browser. The code that is quoted in the [Incapsula] article is using a very similar technique to the code we wrote for our talk. Instead of using (image) tags like we did, this attacker is using tags which then make one request per second. We were just loading as many images as possible in the time our JavaScript was running.” Incapsula’s discovery comes three months after criminals were observed using another novel technique to drastically amplify the volume of DDoS attacks on online game services and other websites. Rather than directly flooding the targeted services with torrents of data, an attack group sent much smaller sized data requests to time-synchronization servers running the Network Time Protocol. By manipulating the requests to make them appear as if they originated from one of the gaming sites, the attackers were able to vastly increase the firepower at their disposal. The technique abusing the Network Time Protocol can result in as much as a 58-fold increase or more. Miscreants have long exploited unsecured domain name system servers available online to similarly amplify the amount of junk traffic available in DDoS attacks. Incapsula’s finding underscores the constantly evolving nature of online attacks. It also demonstrates how a single weakness on one party’s website can have powerful consequences for the Internet at large, even for those who don’t visit or otherwise interact with the buggy application. Source: http://arstechnica.com/security/2014/04/how-a-website-flaw-turned-22000-visitors-into-a-botnet-of-ddos-zombies/

Visit site:
How a website flaw turned 22,000 visitors into a botnet of DDoS zombies

Week in review: AET costs, Windows XP deadline, routers expose ISPs to DNS-based DDoS attacks

Here's an overview of some of last week's most interesting news, reviews and articles: Cost of Advanced Evasion Techniques in recent data breaches A new report by McAfee examines the controversy…

Read More:
Week in review: AET costs, Windows XP deadline, routers expose ISPs to DNS-based DDoS attacks

Millions of home routers expose ISPs to DDoS attacks

DNS software specialist Nominum has revealed that DNS-based DDoS amplification attacks have significantly increased in the recent months, targeting vulnerable home routers worldwide. The research reveals that more than 24 million home routers have open DNS proxies which potentially expose ISPs to DNS-based DDoS attacks. In February of this year more than 5 million of these routers were used to generate attack traffic. DNS is the most popular protocol for launching amplification attacks and during an attack in January more than 70 percent of total DNS traffic on one provider’s network was associated with amplification. The attraction for the attacker is that DNS amplification requires little skill or effort but can cause major damage. Using home routers helps mask the attack target making it harder for ISPs to trace the ultimate recipient of the waves of amplified traffic. The amount of amplified traffic can amount to trillions of bytes every day, disrupting networks, websites and individuals and leading to additional costs. “Existing in-place DDoS defenses do not work against today’s amplification attacks, which can be launched by any criminal who wants to achieve maximum damage with minimum effort,” says Sanjay Kapoor, CMO and SVP of Strategy at Nominum. “Even if ISPs employ best practices to protect their networks, they can still become victims, thanks to the inherent vulnerability in open DNS proxies”. To address the gap in defenses Nominum has launched its Vantio ThreatAvert product to enable ISPs to neutralize attack traffic. Kapoor says, “ISPs today need more effective protections built-in to DNS servers. Modern DNS servers can precisely target attack traffic without impacting any legitimate DNS traffic. ThreatAvert combined with ‘best in class’ GIX portfolio overcomes gaps in DDoS defenses, enabling ISPs to constantly adapt as attackers change their exploits, and precision policies surgically remove malicious traffic”. Source: http://betanews.com/2014/04/02/millions-of-home-routers-expose-isps-to-ddos-attacks/

View article:
Millions of home routers expose ISPs to DDoS attacks

Blizzard games still suffering after DDoS attack

Blizzard has confirmed that some of its games are being affected by distributed denial of service attacks (DDoS attacks) on its European online services. Diablo , World of Warcraft , StarCraft and Hearthstone may all be affected by the attacks, suffering disconnections and high latency — a longer gap between the time when you click or press a button and the effect of that action, which makes the game can feel laggy. According to Blizzard’s official update, the attacks aren’t focusing on the company’s infrastructure, however the ripples of the DDoS attacks are still being felt by some of the playerbase. The issue may also be causing problems with the Blizzard authentication servers, which in turn leads to failed or slow login attempts. The company stated: “while we are closely monitoring the situation we wanted to thank you for your patience and apologise for any inconvenience this may cause.” On a lighter note, here’s the trailer for Blizzard’s new game Outcasts: Vengeance of the Vanquished . Blizzard Outcasts — Vengeance of the VanquishedBlizzard Entertainment What with it being an April Fool’s Day joke (despite Blizzard’s protestation that they “have no idea why you would doubt us, but yes, we are indeed making this game. For realsies.”) the game is unlikely to be affected by disconnections and latency. Silver linings and all that… Source: http://www.wired.co.uk/news/archive/2014-04/01/blizzard-ddos

Follow this link:
Blizzard games still suffering after DDoS attack

Cisco patches six holes to stop DoS attacks

Cisco has released patches for six flaws in its Internetwork Operating System (IOS) which could be used as part of a DDoS (Distributed Denial of Service) attack. The update features five fixes for its IOS Software and a single patch for its Cisco 7600 Series Route Switch Processor 720 with 10 Gigabit Ethernet uplinks. The company said that the vulnerabilities are serious as they could be used to mount DoS attacks on its customers. It advises Systems Administrators to use the Cisco IOS Software Checker to determine if a given release is exposed to a Cisco product vulnerability. Not exploited yet So far there is no evidence that the vulnerabilities are being exploited, but any flaws that serious in Cisco’s IOS are made more significant because of the amount of control the software has over the market. IOS is a widely used network infrastructure and is working on millions of systems, ranging from the small home office router to the core systems of the world’s largest service provider networks. DoS attacks are the weapon of choice of hacktivists, though other groups have begun experimenting with it. Leaked PRISM documents proved a secret spy unit linked to the UK Government Communications Headquarters (GCHQ) had mounted DoS attacks against the Anonymous collective earlier in February. Cisco boasts that it is the most widely used network infrastructure software in the world. You can see details of the flaws and the patches at the Cisco site here. Source: http://www.techradar.com/news/networking/lan/cisco-patches-six-holes-to-stop-dos-attacks-1237692

View article:
Cisco patches six holes to stop DoS attacks

When ZOMBIES attack: DDoS traffic triples as 20Gbps becomes the new normal

Junk traffic mostly floods in from botnets DDoS traffic has more than trebled since the start of 2013, according to a new study released on Thursday that fingers zombie networks as the primary source of junk traffic that can be used to flood websites.…

More here:
When ZOMBIES attack: DDoS traffic triples as 20Gbps becomes the new normal

Analysis of 244,703 DDoS incidents

NSFOCUS released its DDoS Threat Report 2013, which details attack trends and methodologies over the past year. The report includes statistical analysis and key observations based on 244,703 DDoS inci…

Read this article:
Analysis of 244,703 DDoS incidents

Huobi Site Down as It Fends Against DDOS Attacks

Huobi, claimed to be the world’s largest Bitcoin exchange by volume, appears to be down due to “maintenance” to fend off “a large number of DDOS attacks”. The homepage immediately redirects to the warning. Trading and all site functions are unavailable. The warning states that all should return to normal by 15:00. As of 17:00 China Standard Time (CST), the site is still down. Bitcoin (BTC) remains at 3475 yuan on Huobi, or $558, diverging from the $565 found on other major exchanges. For Huobi, the last week has been one of when it rains, it pours. Earlier last week, they launched Litecoin trading. Litecoin prices underwent an enormous boom and bust in span of 48 hours as hype quickly built up in anticipation for LTC’s addition to Huobi, followed by its crash back to earth. On Friday, Bitcoin on Huobi took a reverse course: it crashed by 14% from 3700 to 3200, only to immediately reverse course almost all the way back to par. On OKCoin, BTC swung by double the magnitude, bottoming at 2653, or a loss of 30%. The “flash crash” seemed to have resulted from a rumor on Weibo that China’s central bank issued a document asking all Bitcoin transactions to cease by April 15. The Weibo was forwarded to Sino Financial Report, one of the biggest news agencies in China, without confirmation, and from there to a large number of readers. The Sina news feed was later edited to have a vaguer tone and then removed altogether. So rapid was the rumor and its “retraction” that USD-based exchanges barely had time to react at all, with BTC-e and Bitstamp losing no more than 7% during the period. Since the event, Bitcoin prices have followed a gradual downtrend, trading well below $600, their lowest levels since MtGox’s was becoming a reality. The “flash crash” is reminiscent to the one observed in equity markets on May 6, 2010, when the Dow Jones Industrial Average crashed by over 1000 points (9%) and recovered in a matter of minutes. There, an abnormally large sell order triggered a sell-off exaggerated by high frequency traders looking to capitalize. It has not been confirmed if the flash crash and today’s outage are linked in any way. In theory, one can speculate that the abnormally high volume and severe price movements exposed a vulnerability to potential hackers not previously observed. Source: http://www.dcmagnates.com/huobi-site-down-as-it-fends-against-ddos-attacks/

See original article:
Huobi Site Down as It Fends Against DDOS Attacks

Westboro, Northboro Verizon service hit by DDoS attack

Since March 3 — and perhaps as far back as Feb. 26 — Verizon customers in Westboro and Northboro had been experiencing regular and constant interruptions to their Internet and phone service. Dozens of Westboro residents have discussed the service outages on Facebook (and offer sharp-tongued critiques of Verizon’s response), and six have filed complaints with the state Office of Consumer Affairs and Business Regulation. The disruptions, according to Verizon spokesman Philip G. Santoro, were caused by repeated cyberattacks on one residential customer in Westboro. The cyberattack is called a dynamic denial of service, a DDOS or DOS. In an email, Mr. Santoro described the attack thusly: “Someone deliberately flooded that customer with an overwhelming amount of traffic that rendered their Internet service inoperable.” “When that happened, it caused Internet service to periodically slow down for other customers in Westborough,” he wrote. “We are working to restore service to normal as soon as possible. DOS attacks are all too common today among customers of all Internet providers. It’s important to remind Internet users to keep their firewalls operating and to keep their security software current.” Interestingly, though, when I first asked Mr. Santoro about this, he said there were no widespread outages reported. I think that is because there was nothing physically wrong with the FiOS lines — no technical problems, no trees on the line, etc. At Verizon, the lines were all reported to be working as normal. But customers were calling in complaints and opening repair tickets left and right. The state logs the complaints and passes them on to the service provider, in this case Verizon, said Jayda Leder-Luis, communications coordinator for the Office of Consumer Affairs and Business Regulation. “DOS is a cybersecurity issue, one that can affect voice services that rely on access to the Internet (like VOIP),” she wrote in an email, referring to Voice Over Internet Protocol, in which phone service is provided through an Internet connection. “Those were the kinds of complaints we were receiving.” For dozens of residential and business customers in Westboro and Northboro, the interruptions were frustrating. “It happened around 3 o’clock, every day,” said Allen Falcon, chief executive officer for Cumulus Global, a cloud computing company in Westboro. “Sometimes it was a few minutes, sometimes 45 minutes to an hour.” A few times, the interruptions occurred in the morning, just after 9 a.m., he said. Since the company’s phone service and Internet connection runs through a FiOS line provided by Verizon, when the FiOS line goes out, customers lose both phone and Internet. “For us, it’s incredibly embarrassing as a technology company, to lose our service like this,” he said. “We’re talking to someone and the phone lines goes down, the Internet goes down.” The company has workarounds, in which the office can switch its Internet and phone service to a 4G service provided by their cellphones. “But it’s slower performing and more expensive,” he said. “Some days, around 3 p.m., we have to consider, ‘Should we switch, just in case?’ “ Several customers reported that Verizon had a lot of trouble pinpointing the cause of the interruptions, and several of them had Verizon technicians visit their homes and replace their routers. Since the cause was later determined to be this DOS cyberattack, replacing their routers looks like, in hindsight, a waste of time and money. Steve Winer, a Westboro resident, said Verizon installed a new router at his home, but it made no difference. The outages continued. “I am just wondering how much time and money was wasted on this,” he wrote in an email. “I know I spent at least a couple of hours on the phone, and others shared similar stories. But, if you add up all the shipped routers and unnecessary service calls, along with the time both of us customers and (Verizon) personnel, I am sure it really adds up, and could have been avoided if someone had simply put two and two together and posted a chronic outage which began in February.” On Tuesday, Verizon apparently pinpointed the exact Internet Protocol address of the Verizon customer being attacked, and shut down the customer’s FiOS service. The slowdowns and service interruptions have stopped. Let’s hope they never return. Source: http://www.telegram.com/article/20140323/COLUMN73/303239976/1002/business

View the original here:
Westboro, Northboro Verizon service hit by DDoS attack