Neustar released the findings of its latest DDoS report, including key trends. The global research reveals more activity around targeted, smaller assaults aimed at distracting firms’ IT departments wh…
View the original here:
7 key global DDoS trends revealed
Internet users Wednesday night protested the plans for a single gateway by attacking and bringing down the main websites of the prime minister, the Defence Ministry and the Ministry of Information and Communication Technology. Communications experts said “denial of service” attacks flooded the three sites, effectively making them impossible to access. The sites began to recover early Wednesday. The three sites went offline at about 10pm Wednesday, after netizens warned they intended to attack, and the government said such attacks would be treated as violations of the Computer Crime Act. The ICT deputy permanent secretary, Somsak Khaosuwan, claimed his ministry’s site did not crash because of an attack, but because it was overloaded by visitors monitoring the planned attack. Sites affected as of early Wednesday were the main government information website thaigov.go.th, the ICT ministry’s site at mict.go.th and the defence ministry’s website, mod.go.th. By early Wednesday, however, only the MICT site remained inaccessible, possibly because authorities had actually taken it offline. Warnings on Wednesday afternoon from credible sources in the Thai hacking community said they planned to attack government websites to protest the recent disclosure of government plans to reduce internet access to a single gateway, controlled by CAT Telecom Co. It appeared that the government site takedowns were by internet users, who answered calls on social media to go on online and continuously click refresh, causing overloads on the three targeted sites. The simultaneous denial-of-service attack works like normal attacks by over-exceeding a website’s capacity to handle internet traffic. But whereas normal attacks are carried out by a program or bot, Wednesday night’s protest was carried out by thousands of online users. After the secret plan was accidentally disclosed by a government press release, authorities sent out Deputy Prime Minister Prajin Junthong to try to spin the plan. He said that the single gateway initiative was only a proposition and that no “firm decisions have been made.” Critics of the plan idea contend it will take away freedom of information, with some even comparing it to the tightened grip of a communist country. A change.org petition opposing the single gateway initiative passed 100,000 signatures as of Wednesday. Source: http://www.bangkokpost.com/news/security/714432/single-gateway-protest-halts-government-websites
Read the original post:
Single gateway protest halts government websites into DDoS attacks
Should have stayed under the skirt of Mother Russia. Just a thought Dimitry Belorossov – a Russian cyber-criminal who used the Citadel banking trojan – has been sentenced to four years and six months in a US prison after pleading guilty to conspiring to commit computer fraud.…
See the article here:
Russian hacker, nabbed in Spain, cops 4+ years for Citadel botnet
Threat actors are leveraging a botnet made up of infected Linux machines to launch powerful distributed denial-of-service (DDoS) attacks against as many as 20 targets per day, according to Akamai’s Security Intelligence Response Team (SIRT). The botnet is composed of Linux machines infected with a stealthy trojan identified in 2014 as “XOR DDoS.” The threat was observed altering its installation depending on the victim’s Linux environment and running a rootkit to avoid detection. According to an advisory published on Tuesday, Akamai’s SIRT has seen DDoS attacks – SYN and DNS floods were the observed attack vectors – that reached anywhere from a few gigabits per second (Gbps) to nearly 179 Gbps. Although the advisory said that 90 percent of targets are located in Asia, Tsvetelin Choranov, security intelligence response engineer with Akamai’s SIRT, told SCMagazine.com in a Tuesday email correspondence that a very small number of attacks have been launched against entities in the U.S. “The target industries confirmed from our standpoint are online gaming and education,” Choranov said, adding, “We don’t have a defined number of systems infected by this malware. Some of the source IPs that we are seeing actively producing malicious traffic have spoofing capabilities.” The advisory noted that evidence suggests the malware is of Asian origin, but Choranov said that Akamai’s SIRT has not heard of anyone claiming responsibility for the DDoS attacks. He added that there is also no known reason for the attacks, such as extortion. Unlike a lot of malware, XOR DDoS is not spreading via exploitation of vulnerabilities. “Rather, it populates via Secure Shell (SSH) services that are susceptible to brute-force attacks due to weak passwords,” the advisory said. “Once login credentials have been acquired, the attackers [use] root privileges to run a Bash shell script that downloads and executes the malicious binary.” The advisory outlines two methods for detecting the malware. “To detect this botnet in your network, you can look for the communications between a bot and its C2, using the Snort rule shown in [the advisory],” the advisory said. “To detect infection of this malware on your hosts you can use the YARA rule [also in the advisory].” XOR DDoS is persistent, meaning it runs processes that will reinstall deleted files. Removing the threat involves identifying malicious files in two directories, identifying the processes responsible for persistence of the main process, killing those processes, and deleting the malicious files. “XOR DDoS malware is part of a wider trend of which companies must be aware: Attackers are targeting poorly configured and unmaintained Linux systems for use in botnets and DDoS campaigns,” the advisory said. Source: http://www.scmagazine.com/linux-botnet-observed-launching-powerful-ddos-attacks/article/441750/
Originally posted here:
Linux botnet observed launching powerful DDoS attacks
Enormous network of hijacked zombie servers threatens to batter everything in its path Cybercrooks have built a network of compromised Linux servers capable of blowing websites and other systems off the internet with at least 150Gbps of junk traffic.…
More:
Linux-powered botnet lets rip on victims with 180Gbps network floods
Attackers have developed a botnet capable of 150+ Gbps DDoS attack campaigns using XOR DDoS, a Trojan malware used to hijack Linux systems, according to Akamai. What is XOR DDoS? XOR DDoS is a T…
Read the article:
XOR DDoS botnet launching attacks from compromised Linux machines
Researchers have found that smartphone browsers can deliver a powerful flooding attack. Researchers suspect a mobile advertising network has been used to point hundreds of thousands of smartphone browsers at a website with the aim of knocking it offline. According to distributed denial-of-service protection service CloudFlare, one customer’s site recently came under fire from 4.5 billion page requests during a few hours, mostly from smartphone browsers on Chinese IP addresses. As CloudFlare’s Marek Majkowski notes, browser-based ‘Layer 7? flood attacks have been viewed as a theoretical threat for several years, but haven’t become a reality due to difficulties in efficiently distributing malicious JavaScript to force a large number of browsers to make HTTP requests to a targeted site. Security researchers have previously suggested web ads as an efficient way to distribute malicious JavaScript. Analysing the log files, Majkowski found the smartphone browser attack peaked at over 275,000 HTTP requests per second, with 80 percent coming from mobile devices and 98 percent from a Chinese IP address. The logs also reveal mobile versions of Safari, Chrome, Xiaomi’s MIUI browser, and Tencent’s QQBrowser. “Strings like ‘iThunder’ might indicate the request came from a mobile app. Others like ‘MetaSr’, ‘F1Browser’, ‘QQBrowser’, ‘2345Explorer’, and ‘UCBrowser’ point towards browsers or browser apps popular in China,” Majkowski said. Majkowski speculates that the attack was made possible by an ad network, and believes the reason so many mobile browsers visited the attack page hosting the malicious JavaScript was due to ads shown in iframes, either in mobile apps or mobile browsers. Here’s how the attack works: when a user opens an app or browses the web, they are served an iframe with an ad whose content was requested from an ad network. The ad network then forwards the request to a third-party that successfully bids for that inventory and then forwards the user to an attack page. “The user was served an attack page containing a malicious JavaScript which launched a flood of XHR requests against CloudFlare servers,” explained Majkowski. The attack site itself hosting the malicious JavaScript included instructions to launch an XHR in a loop. Source: http://www.zdnet.com/article/new-ddos-attack-uses-smartphone-browsers-to-flood-site-with-4-5bn-requests/
Read More:
New DDoS attack uses smartphone browsers to flood site with 4.5bn requests
A type of DDoS attack that has until now been mostly theoretical has become reality: CloudFlare engineers have spotted a browser-based Layer 7 flood hitting one of its customers with as many as 275,00…
More here:
Mobile ad network exploited to launch JavaScript-based DDoS attack
Once-theoretical attack vector appears fully-formed on CloudFlare’s doorstep CloudFlare has turned up an unusual form of denial-of-service attack: mobile advertisements that are pumping out around 275,000 HTTP requests per second.…
Continue reading here:
Mobile advertising DDoS JavaScript drip serves site with 4.5bn hits
CloudFlare has turned up an unusual form of denial-of-service attack: mobile advertisements that are pumping out around 275,000 HTTP requests per second.…
More:
Mobile advertising DDoS JavaScript drip serves site with 4.5 billion hits