500 routers whip up colossal DDOS over ye olde RIP protocol Attackers are exploiting an ancient networking protocol to enslave small home and office routers in distributed denial of service attacks, Akamai says.…
Original post:
DDoSers call 1988 and want its routing protocol hacked
There's been an increase in the use of outdated Routing Information Protocol version one (RIPv1) for reflection and amplification attacks, according to Akamai. RIPv1 is a fast, easy way to dynamica…
Original post:
Rise in DDoS reflection attacks using abandoned routing protocol
For Canadians, July 1 is Canada Day—but to Anonymous, it’s also the perfect occasion to launch a protest campaign of distributed denial of service (DDos) attacks. The internet activist group announced on Wednesday morning that it had planned #AntiCanadaDay protests in support of its #OpCyberPrivacy campaign, created in opposition to Canada’s controversial, recently-passed anti-terror legislation, Bill C-51. The bill grants the Canadian Security Intelligence Service (CSIS) broad powers—with judicial authoriziation—to do just about anything to “disrupt” and investigate terrorist plots and propaganda, both online and offline. “We protest against the systemic invasion of privacy by government and corperate [sic] entities around the world,” the announcement reads. “We stand ardent in our defiance to all those who would take away our rights and freedoms.” A full list of targets, posted shortly before the #AntiCanadaDay attacks began, lists the websites of Liberal party leader Justin Trudeau, Minister of Justice Peter McKay, the Canadian Security Intelligence Service (CSIS), and the Canadian Senate as “main targets.” A host of other lobbyist groups and senators who voted in favour of Bill C-51 are listed as targets too. “All Canadian government web assests [sic] are fair game,” read the statement. “Lazors free on all federal, provincial and municpal [sic] services.” Shortly after noon, accounts on Twitter associated with the campaign reported that multiple government of Canada websites had been taken offline. When Motherboard attempted to access sites such as Canada.ca and sencanada.ca, for example, pages either loaded slowly, displayed an error, or did not load at all. “Remember hold nothing down for protracted lengths,” said an operation admin in the group’s chat room. “This is after all just a protest.” In a separate chat room interview, members told VICE News reporter Hilary Beaumont that eight people belong to the core #OpCyberPrivacy team. “We all expect blowback for today,” wrote one of the users, but said that it was worth the risk. “This bill violates the charter of rights and freedoms, universal declaration of human rights,” a user said, citing the threat of more invasive spying offline, and the potential to be arrested without a warrant and held without charge. “They make the rules up as they go,” wrote another member. “So if I’m a perfectly law abiding citizen who is impacted greatly by something and I protest I can be arrested [because] criticizing that is terrorism.” By early afternoon, focus had shifted to sites such as the Canadian parliament domain parl.gc.ca, and Conservative party Prime Minister Stephen Harper’s domain pm.gc.ca. The admin said the government was “putting up a good fight.” “They are adding load balancers, moving servers, closing off access,” wrote another user. “Some of the pages up [at the moment] are only cached versions.” The protest is expected to continue until midnight. Source: http://motherboard.vice.com/read/anonymous-is-celebrating-canada-day-in-protest-with-attacks-on-government-sites?utm_source=mbtwitter
Read the original:
Anonymous celebrates Canada Day with DDos attacks
Latest wave of DDoS attacks abuses small office-home routers via the 27-year-old, outdated Routing Information Protocol Version 1 (RIPv1). An outdated and long-forgotten routing protocol is the latest weapon in a wave of distributed denial of service (DDoS) attacks executed via home and small business routers in the past two months. Akamai Technologies’ Prolexic Security Engineering & Research Team (PLXsert) today issued a threat advisory warning of a surge in DDoS attacks using the Routing Information Protocol version one (RIPv1) to wage DDoS reflection and amplification attacks. The 27-year-old routing protocol, which allows routers in a small network to share route information, has since been updated with a newer more secure version, but the older version 1 remains in use in many small office/home office router models. While some 2,000 SOHO routers so far have been used in this new attack campaign, Akamai also found around 53,000 routers with RIPv1 enabled and vulnerable to the very same attack, mostly Motorola Netopia 2000 and 3000 series devices in the US. The main ISP running those RIPv1-enabled routers was AT&T. Sponsor video, mouseover for sound The biggest attack spotted so far: around 12 gigabits-per-second. “That was just using a limited number of resources [routers],” says Jose Arteaga, senior security researcher with Akamai PLXsert. “We found a good number of devices available with this protocol open. Our concern there is if malicious actors continue to scan or incorporate more devices in this attack, attacks can grow to be quite large. They could reach 100-gig or more.” Artiago says there’s been no specific industry targeted in the attacks at this time, and the attacks are originating mostly out of Europe and most likely a DDoS-for-hire operation, he says. The main sources include the Russian Federation (39%), China (19%), and 15% in Germany and Italy. Unlike its successor RIPv2, RIPv1 doesn’t have an authentication feature, so routers communicating via RIPv1 aren’t vetted and authenticated, leaving them open to abuse. This isn’t the first time RIPv1 has been abused for a DDoS attack. The PLXsert team spotted similar attacks nearly two years ago but those attacks basically exploited it for a query flood, not a reflection attack, where traffic is redirected from an “innocent” device to a target on the network, Arteaga says. RIPv1 Not Resting In Peace The good news is that RIPv1 is not enabled by default on enterprise-grade routers. So why is it left open on some SOHO routers? “Could be an ISP enabling it for some reason or another, but it shouldn’t be” available, he says. It also may be useful in a very small business network, he says, but that comes with this risk of abuse by malicious actors. The common denominator in most of today’s DDoS attacks is the use of the UDP protocol. More than 56% of all DDoS attacks abuse UDP, according to DDoS security vendor Incapsula. Of those, 8% use a protocol popular among Internet of Things devices, SSDP (Simple Service Discovery Protocol) used in gaming consoles and printers, for example. “A common theme with these attacks is they are obviously taking advantage of UDP … there is no way [for a victim router] to refuse that request” because it’s a connectionless protocol, Akamai’s Arteaga says. It’s up to the ISPs offering these devices to block port 520 used by UDP, which then would prevent any reflection attacks, he says. And small businesses should use the more secure RIPv2 instead of version 1. Bottom line: DDoS isn’t going away, and attackers are constantly looking for new ways to abuse equipment on the Internet as weapons to attack their targets. “It has constantly increased in activity,” says David Fernandez, manager of the PLXsert team. “DDoS has not gone away.” Source: http://www.darkreading.com/perimeter/ddos-attackers-exploiting-80s-era-routing-protocol/d/d-id/1321138
Read More:
DDoS Attackers Exploiting ’80s-Era Routing Protocol
The website for CSIS, the Canadian Security Intelligence Service, appears to have gone down again — less than 24 hours after a suspected rogue hacker took the site down in a so-called denial of service attack. The website for Canada’s spy agency went offline shortly after 9 a.m. ET Tuesday. While the cause is still unknown, when the website went down Monday night, sources told CTV’s Mercedes Stephenson that a rogue hacker who had previously launched attacks on several municipal and police websites, had claimed responsibility for the CSIS attack. A denial-of-service attack is not technically a hack into the site, but the attack does prevent Internet users from accessing the website. “Experts I’ve spoken to say it is very hard to stop this kind of attack,” Stephenson told CTV News Channel Tuesday morning. “The level of sophistication and the number of ways they are attacking one website at one time to send it offline is very hard to prevent.” She says sources tell her that the hacker isn’t attempting to steal information in these attacks. “This is all about trying to embarrass the government, intelligence agencies and the police,” she said. The hacker is trying to draw attention to the controversial Bill C-51, as well as the case of an Ottawa teen who was charged in an alleged “swatting” incident. The hacker believes the teen was framed, sources tell CTV. A spokesperson for the Ministry of Public Safety and Emergency Preparedness, acknowledged in a statement Monday night that the CSIS website had gone “temporarily offline.” “No information has been breached. We are taking cybersecurity very seriously,” spokesperson Jean-Christophe de Le Rue said. The same hacker was previously connected to hacking group Anonymous, but appeared to be operating alone on Monday, sources said. The person believed to be responsible tweeted out several messages about the CSIS website Monday, including: “I’m deciding if I should let CSIS back online and hit another government website, or if I should keep it offline for a while.” Less than two weeks ago, several government websites — including ServiceCanada.gc.ca and Parl.gc.ca — were hit by a denial of service attack. Anonymous claimed responsibility. Source: http://www.ctvnews.ca/canada/csis-website-goes-down-again-1.2447166
The Dyre/Dyreza information-stealer has without a doubt filled the vacuum generated by the 2014 and 2015 law enforcement takedowns of botnet infrastructure of several prominent financial Trojan groups…
Follow this link:
Why a Dyre infection leads to more than just stolen banking credentials
Roughly 1,400 passengers were temporarily stranded at Warsaw’s Frederic Chopin airport over the weekend after hackers were purportedly able to modify an entire airline’s flight plans via a distributed denial of service (DDoS) attack. On Sunday someone was able to infiltrate the computer system of the Polish airline LOT and successfully cancel 10 of the carrier’s flights. A dozen other flights were reportedly delayed, according to Reuters. Many passengers were able to board the flights — destined for Munich, Hamburg, Dusseldorf, and Copenhagen, among other cities — later in the day and regular service was resumed Monday according to LOT spokesman Adrian Kubicki. The airline insists that at no point was the safety of any ongoing flights at risk, nor were any other airports affected, but stressed that the attack could be a sign of things to come. “We’re using state-of-the-art computer systems, so this could potentially be a threat to others in the industry,” Kubicki warned, adding that authorities were investigating the attack. LOT’s chief executive Sebastian Mikosz reiterated Kubicki’s sentiments in a press conference on Monday. “This is an industry problem on a much wider scale, and for sure we have to give it more attention,” Mikosz said, “I expect it can happen to anyone anytime.” Kubicki claimed the attack may have been the result of a distributed denial of service attack on Monday and that LOT experienced something he called “a capacity attack” that overloaded the airline’s network. While technical details around the incident have been scant, several security researchers agree it could be cause for alarm. Ruben Santamarta, a principal security consultant for IOActive has called the security of planes into question before and based on the statement given by LOT’s spokesman believes the airline may have fallen victim to a targeted attack. “Initially, it seems that flight’s plan couldn’t be generated which may indicate that key nodes in the back office were compromised,” Santamarta said Monday. “On the other hand the inability to perform or validate data loading on aircraft (including flight plans), using the standard procedures, should make us think of another attack vector, possibly against the ground communication devices.” Last summer at Black Hat Santamarta described how aircraft — including passenger jets – along with ships, oil rigs, and wind turbines could be compromised by exploiting its embedded satellite communications (SATCOM) equipment. Andrey Nikishin, Director of Future Technology Projects at Kaspersky Lab, believes there could be two stories behind the hack. The incident could’ve come as a result of human error, or an electrical or hard drive malfunction, Nikishin claims, or perhaps stem from a “more Hollywood style scenario” wherein the attack is a precursor to a bigger, more significant disruption. “Warsaw airport is fairly small compared to Schiphol (Amsterdam) or Heathrow (London) and, depending on the time of day, there are only around 11 flights taking off every hour. ” “What if the incident was just a training action or reconnaissance operation before a more massive cyber-attack on a much busier airport like Charles de Gaulle in Paris or JFK in New York?” Nikishin said. “Regardless of the reason and the threat actors, we can see how our life depends on computers and how vulnerable to cyber-threats national critical infrastructure objects have become.” Earlier this year security researcher Chris Roberts made headlines by getting removed from an American Airlines flight and questioned by the F.B.I. after he claimed he was able to compromise its onboard infrastructure. Roberts told the F.B.I. that he managed to hack into several planes’ in-flight entertainment systems nearly 20 times from 2011 to 2014 although most airlines have refuted these claims. Source: https://threatpost.com/polish-planes-grounded-after-airline-hit-with-ddos-attack/113412
Read More:
Polish Planes Grounded After Airline Hit With DDoS Attack
Lack of some elementary security measures can risk your router’s security and this has stemmed to grow into a large-scale denial-of-service (DDoS) attacks using these hacker-controlled routers. A web security firm Incapsula has discovered a new router based botnet Mr Black while investigating some DDoS attacks against its customers since this December. Hackers exploited routers’ negligent security measures to launch these attacks all over the world. According to this report published by the security firm, the routers made by Ubiquiti Networks had DDoS malware installed on them. The routers were not hacked due to some vulnerability in the hardware. Instead, it happened because of the deployment of the router in an insecure manner that exposed their management interfaces using the default credentials over SSH and HTTP. The routers that were inspected were found to have 4 versions of Mr Black, a DDoS program and altogether thirty-seven variations of Mr Black were detected. Other DDoS programs included DoFloo, Mayday and Skynet (a remote sensing tool). In some earlier versions of the report, Incapsula said that it believed that the hacktivist group Anonymous was one of the few groups those used the compromised routers. It is yet not clear that why Anonymous was highlighted in the report, but it is certain that few people who call themselves “Anonymous” were using the routers. The original article on the Daily Dot was edited to remove the fact that botnet directs to irc (dot) anonops (dot) com. Total 40,269 different IP addresses were detected from 1,600 ISPs spread across 109 countries. The main affected countries were Thailand (64%), Brazil (21%), United States (4%) and India (3%). To control these routers, 60 servers were hacked and majority of these were in China and the U.S. To save themselves from the DDoS attacks, users must make sure that their routers’ management interfaces aren’t exposed over HTTP or SSH to the internet. They can also use some tools available to scan their router’s IP for open ports and change their default login credentials. With inputs from Anon.hq Source: http://omdpatel.blogspot.tw/2015/06/anonymous-hijacks-thousands-of-insecure.html
Read more here:
Anonymous Hijacks Thousands of Insecure Routers to Power Its DDoS Tools
The media and Latin American journalists are starting to experience firsthand what until recently seemed to be the exclusive concern of US, European or Asian media outlets: cyberattacks.? This type of online criminal activity, known as Distributed Denial of Service (DDoS), is the other side of technological advances that aim to maximize flow of information online.? Cybercrime legislation is backward and broken in Latin America, where the lack of a culture of information security or economic resources of journalists and media outlets ensures that attacks are successful.? One of the most recent cases occurred in Mexico, where minutes after publishing an investigation about the alleged responsibility of federal police in extrajudicial executions of several young people in Apatzingan, a town in the state of Michoacan, the Aristegui Noticias site was out of services for hours, a victim of a DDoS attack.? The Knight Center for Journalism in the Americas consulted Robert Guerra, an expert on cyber security and Internet freedom, and Luis Horacio Najera, a Mexican journalist and expert in the field, on the consequences of these attacks for media companies.? “The main consequence of a cyber attack in the context of Latin America is the reduction of critical spaces that encourage debate or the exposure of misconduct and abuse of power, like corruption,” Guerra said. Guerra, founder of Privaterra, an organization based in Canada that advises private companies and NGOs on data privacy, believes that “any attack, whether cyber or physical, deteriorates freedom of expression and of the press in the country where it occurs.” In the context of countries like Mexico, where media workers are victims of assassinations, kidnappings and threats, this “silent war” on the Internet is presented as a new alarm when speaking about freedom of expression and of the press. Momentary “blackouts” of online media affect the flow of information, the legitimacy of the company and its journalists, and also cause adverse economics effects for the media companies which base their income in online advertising. “The attacks almost always occur as a result of some publication, that is to say they are more reactive than proactive,” Guerra said of the Latin American case. “The freedom of the press is vulnerable not only when a journalist is killed or a broadcaster is exploited.” In fact, in the 2014 Annual Report of the Special Rapporteur for Freedom of Expression of the Inter-American Commission on Human Rights (CIDH), at least four cases of these attacks on media in Mexico were reported. “With the changes in technology and ways of doing journalism, cyber attacks will become more frequent because they attack the legitimacy of the journalist, and also affect the publication of news. Therefore, all attacks and threats should be condemned with the same intensity,” Guerra added. In addition to clear legislation, the region also lacks information on how and where these attacks occur, as well as statistics on their targets and consequences. In 2000, one of the companies specializing in digital security solutions, Arbor Networks, joined Google Ideas (an Internet research and conflict solution implementation think tank) to create a map that tracks digital attacks happening around the world, in real time. The aim was to create a tool for identifying these anonymous attacks: What is the origin of the attack, its target, and the duration and type of attack? It also aimed to analyze trends. Looking at the map, you can see that the peak of the cyber attacks in Latin America happened in December 2014. “It’s very interesting to see that most of the attacks are concentrated in a few countries in the region and that they are the result of specific moments in those countries,” Guerra said. “In the case of Guatemala, a reason for the attacks may be that at that time people were discussing the results of the International Commission Against Impunity in Guatemala. In the case of Peru, the second round of December 2014 regional elections may have influenced events.” What is a DDoS attack? At the technical level, a DDoS attack occurs when millions of simultaneous requests are sent to a single server in order to make it collapse. It is a targeted, deliberate action using hundreds of connected computers to make a simultaneous attack.? In an interview with the Knight Center, Hector Jara, founder and director of Enfinity, a Panamanian cybersecurity and information safety management company, explained the concept with an analogy. “Imagine a highway where a few cars circulating at high speeds and the traffic is fluid. As you add more and more cars, the driving pace slows and traffic is less fluid. If we continue to add cars, you will reach a point where the highway is saturated and cannot meet the demand, and the cars will be stopped. The same thing happens with connections to a website. The number of connections that it can respond to is limited, and if it makes more and more connection, at some point it will be saturated. The more capacity the organization has, this is more difficult to achieve – we think of Google Facebook, among others – but the limit always exists.” Jara also explained how criminal organizations use other types of attacks – for example phishing – through which they infect computers of ordinary users. “These infected computers are known as zombies , and can be controlled and used by these organizations to launch other attacks, such as DDoS. In fact these organizations assemble networks of zombie computers (known as botnets ) that they then ‘rent’ for non-sanctioned purposes”. The cybersecurity expert said that in addition to political purposes and censorship attacks, other attacks are related to digital protest. For example, the term Hacktivism is a new form of protest increasingly being used. One of the latest examples of the use of technology as a means of social protest was during the removal of former President Fernando Lugo of Paraguay when attacks on public bodies were made and one of them closed access to the official website of the Presidency. Asked about possible actions against these attacks, Jara explained that “while we can design a communications architecture in a way that can protect against these attacks – for example there are technological tools such as Web Application Firewalls and services such as CloudFlare , which can mitigate the impact and in some cases completely limit it – by the nature of the attack, if those interested in launching the attack had enough resources and time, it is likely that the would force a site out of operation.” While in the United States DDoS attacks are considered crimes and are punishable under the penal code, this has not been shown to combat the situation. The question is what can legislation achieve regarding this issue. Experts agree that international cooperation is key to fighting cybercrime. In 2014, Mexico hosted the “Workshop on legislation on cybercrime in Latin America”, organized to support Latin American countries in developing legislation on cyber crime, in accordance with international standards proposed in the “Budapest Convention “. During the meeting, possible reforms to criminal law of the participating countries and constitutional reforms in telecommunications were debated. While Argentina, Chile, Colombia, Costa Rica, Mexico, Paraguay and Peru have expressed their interest in joining the treaty, Dominican Republic and Panama have already completed this process. “Most regional legislation concerning information security have been poorly, and in many cases have been motivated by local public security crisis,” said Guerra of Privaterra. “So, from the start, these are deficient laws that in many cases secretly seek to impact civil society through censorship and criminalization of social networking activity.” Guerra also said it is not possible to speak of general solutions in Latin America, but that “each region has its own dynamics, and accordingly, legislation should create or strengthen legal counter methods to give tools for protection to civil society. These tools should be autonomous and independent of government.” Meanwhile, Jara noted that while regulations should establish a legal framework that protects personal information and data, in the case of journalists, these professionals should take measures to protect such data. “Because of the work, they may be a target of criminal organizations and sometimes governments. If they also have blogs or personal pages, they should ensure the safety of them, as a vulnerable site also becomes the focus of attack, ” Jara said. Source: https://knightcenter.utexas.edu/blog/00-16118-ddos-attacks-are-growing-digital-threat-freedom-expression-latin-america
Read More:
DDoS attacks are a growing digital threat to freedom of expression in Latin America
Could you pass up a $40,000 return on a $20 investment? Odds are you couldn’t if you enjoy wreaking havoc on a business. New research released today by Incapsula shows distributed denial of service (DDoS) assaults continue to be expensive nuisances for online businesses — and that the attacks can be launched from botnets-for-hire for around $38 a month. A DDoS attack costs a business $40,000 per hour in terms of lost business opportunities, loss of consumer trust, data theft, intellectual property loss and more, Incapsula estimates. When you consider top attacks last for days and that half of all targets are repeatedly hit, it’s easy to see how quickly costs escalate. A Lot for a Little “What is most disconcerting is that many of these smaller assaults are launched from botnets-for-hire for just tens of dollars a month. This disproportion between attack cost and damage potential is the driving force behind DDoS intrusions for extortion and vandalism purposes,” the security firm noted in its 2015 DDoS Threat Landscape Report (registration required). Last year Incapsula reported a 240 percent increase in DDoS activity. This year, although DDoS activity is still rising, Incapsula highlighted shifts in the methods, length and types of attacks. Incapsula defines an attack as a persistent DDoS event against the same target (IP address or domain). It is preceded by a quiet (attack free) period of at least 10 minutes and succeeded by another such period of the same duration or longer. The study differentiates between network layer and application layer attacks. These definitions refer to the Open Systems Interconnection model (OSI Model), which conceptualizes the process of data transmission by segmenting packets into seven layers. Network layer attacks target the network and transport layers (OSI layers 3 and 4), while application layer attacks target OSI layer 7. The analysis is based on data from 1,572 network layer and 2,714 application layer DDoS attacks on websites using Imperva Incapsula services from March 1 through May 7. “Assaults against network infrastructures continue to grow in size and duration. Those aimed at applications are both long in duration and likely to be repetitive. The upshot for organizations of all sizes is that simply weathering the storm is no longer a viable strategy — the impact will be big, durable and likely recurring,” the report notes. On That Depressing Note Here are a few of the report’s key findings: Once a target, always a target: 20 percent of websites are attacked more than five times DDoS attacks can last a long time: While 71 percent of all network layer attacks last under three hours, more than 20 percent last more than five days Some attacks are exceptionally long: The longest attack was 64 days DDoS for hire is more readily available than ever: Botnet-for-hire fingerprints are on roughly 40 percent of all attacks Five countries create most DDoS botnet traffic : 56 percent of DDoS bot traffic emerged from China, Vietnam, US, Brazil and Thailand What’s a Botnet-for-Hire? Opportunistic cybercriminals have the botnet-for-hire business model, a subscription scheme that provides each user with limited access to the botnet resources (usually for a cumulative duration of no more than 60 minutes per month). “During these short periods, individuals with little or no DDoS skill are able to execute assaults using one of the few available scripts (which are reminiscent of our definition of attack vectors),” the report notes. The average cost to rent-a-botnet for an hour each month through a DDoS subscription package is around $38, with fees as low as $19.99. The takeaway: It costs very little to bring down a website. “Perhaps putting a price tag on the damage caused by such services will bring more public attention to their activity, and to the danger posed by the shady economy behind DDoS attacks,” the report notes. Source: http://www.cmswire.com/information-management/you-can-bring-down-a-website-for-38/
Continue Reading:
Cost to launch DDoS attack from botnets for hire