Tag Archives: cybercrime

As coronavirus cases surge, so do cyberattacks against the healthcare sector

The healthcare sector should brace itself against an increase in cyberattack rates and a variety of attack vectors over the coming months, researchers have warned. On Tuesday, cybersecurity firm Check Point released new statisticsthat show a 45% increase in cyberattacks since November against the global healthcare sector, over double an increase of 22% against all worldwide industries in the same time period. According to the researchers, attack vectors employed by threat actors are wide-ranging; including distributed denial-of-service (DDoS) attacks, social engineering, botnets, phishing, and ransomware. However, ransomware, in particular, is of serious concern. We’ve already seen just how debilitating a ransomware attack wave can be. The WannaCry outbreak of 2017 locked up and disrupted operations for countless businesses worldwide, and in the past four years, ransomware has continued to grow in popularity due to how lucrative a criminal business it has become. When it comes to hospitals, some providers will pay blackmail fees demanded by ransomware operators rather than risk patient care. The death of a patient due to a ransomware attack on a hospital has already occurred. Check Point says that ransomware attack rates are surging against the healthcare sector. The Ryuk ransomware strain is now the most popular malware to deploy in these attacks, followed by Sodinokibi. Overall, an average of 626 attacks was recorded on a weekly basis against healthcare organizations in November, in comparison to 430 in October. Central Europe has been hardest hit in the past two months, with a 145% increase in healthcare-related attacks, followed by East Asia, Latin America, and then the rest of Europe and North America. Healthcare organizations in Canada and Germany experienced the largest surge in cyberattack rates at 250% and 220%, respectively. Check Point says that the reason for the increase is financial, with threat actors seeking to cash in on the worldwide disruption caused by COVID-19. While bog-standard fraudsters are targeting the general public through phishing, emails, texts, and phone calls in coronavirus-related campaigns, other groups are hoping to profit through more debilitating attacks on core services. “As the world’s attention continues to focus on dealing with the pandemic, cybercriminals will also continue to use and try to exploit that focus for their own illegal purposes — so it’s essential that both organizations and individuals maintain good cyber-hygiene to protect themselves against covid-related online crime,” the team says. Source: https://www.zdnet.com/article/as-coronavirus-cases-surge-so-do-cyberattacks-against-the-healthcare-sector/

Read the original post:
As coronavirus cases surge, so do cyberattacks against the healthcare sector

DDoS Attacks Remain a Serious Threat to Businesses Worldwide

So, what exactly is a DDoS attack? DDoS attack stands for Distributed Denial of Service attack. This is when multiple systems flood a targeted system, rendering it unavailable. One analogy is to think of a DDoS attack as several people on a conference call continually yelling over the one person who is actually speaking to the group, making it impossible for anyone to hear the speaker. Those who are yelling would be a DDoS attack on the speaker. Why are businesses targeted? There are many reasons. It could be to damage the reputation of the business. If a popular social media site like Twitter were repeatedly unavailable over a period of time, end users would eventually grow tired of the inconsistent experience and move away from the platform. Those same users might also comment negatively about the platform on other social media platforms, damaging the company’s reputation. It could also be to harm the business financially, by making it impossible for customers to complete transactions via the company website. Imagine how much money an e-commerce site like Amazon would lose every minute of downtime that their site is not available or able to process transactions. Think about the last time you clicked Submit on a website and you watched the spinning wheel for some amount of time before you received a timeout or error message. Did you go back and set up your order or fill out that form a second time and try again, or were you sufficiently frustrated that you went to another site or simply didn’t complete what you were doing? Our online attention span is typically not very long. One of the most infamous DDoS attacks was the 2016 attack on Dyn, a provider of Domain Name System (DNS) services. DNS is the system that translates names to IP addresses. It’s a near real-time conversion service that acts as the internet’s map. This is how, when you type in www.google.com, you wind up at Google’s web search engine, which has a numeric address, or IP address, on the internet. When Google publishes its services, it does so at this numeric IP address. It’s DNS that tells your web browser what IP address to go to when you type in www.google.com. The attack method used on Dyn was a sophisticated botnet that took advantage of numerous Internet of Things (IoT)devices like printers, cameras, thermostats, baby monitors and other “smart” devices connected to the internet, many in people’s homes. This attack was one of the first to highlight the weak cybersecurity that many manufacturers had built into these devices. These were designed to easily install in your home and get connected to the internet, most often via Wi-Fi, to make your home smarter. Unfortunately, this also let the bad guys have a massive attack surface to work with. A botnet is a term used to define a number of connected devices that are infected by malware and used together as one collective weapon system. In this case, that weapon is designed to generate a massive flood of traffic that will render its target inaccessible, thus a DDoS attack. DDoS attacks are on the rise Several firms are reporting a significant increase in DDoS attacks this year. Similar to cyberattacks in general, the pandemic has brought about a significant increase in activity. In the case of DDoS attacks, some of these reports indicate a doubling of activity in the first quarter of 2020. Perhaps more concerning is that the duration and sophistication of these attacks is also increasing. This is leading to increased disruption for impacted system, which means increased risk of financial and reputational loss, both significant concerns for businesses of all sizes. The pandemic has seen a significant increase in attacks targeting health care, government and educational platforms. All areas that have become even more critical during the pandemic. In some cases, the cybercriminals are extorting the targeted entities – either to get them to pay a ransom to stop the attack or to simply create a lack of trust in the impacted entity. Protecting your organization from DDoS attacks In the face of this increasing threat, organizations need to do all they can to mitigate this threat. While the threat is sophisticated and complex, the mitigation opportunities are improving. To start, organizations need to focus on being sure that their infrastructure is as resilient as possible. This means leveraging some basic network architecture designs, including geographic dispersion of servers across different data centers. Consider data centers across multiple providers as one option. Regardless of data center provider, be sure there are multiple access paths to the network to avoid any single point of failure. Redundancy is king. Redundant servers, switches, routers, firewalls, data centers, connectivity, power, etc. Redundant systems help prevent bottlenecks and single points of failure that can be exploited via a DDoS attack. As these threats have matured, so has the technology to defeat or minimize them. From next-generation firewalls to load balancers and other technologies, the technology is continually improving and including features designed to defeat or minimize DDoS attacks. You should also be sure that your network bandwidth is optimized to withstand a DDoS attack. If you can justify the expense, obtain as much bandwidth as possible to help manage a flood of traffic, should that occur. Also consider multiple internet connections to both load balance your connectivity and provide redundant backup. If one connection becomes flooded, you will have a secondary connection available to mitigate the impact. As DDoS attacks increase, more and more service providers are implementing systems to mitigate the attacks. Check with your internet and DNS providers and find out what technologies they may employ to minimize the effects of an attack, should one occur. If they don’t, check to see if any of the providers available to you do. Given the pervasive nature of DDoS attacks, even the most basic mitigation strategies should be in place. While you may never be able to prevent a DDoS attack completely, hopefully some of these strategies are available to you to increase your DDoS protection. The attack surface is large and bad actors will continue to exploit it. You have a responsibility to be as prepared as possible, to protect your reputation and your balance sheet. Source: https://www.cpomagazine.com/cyber-security/ddos-attacks-remain-a-serious-threat-to-businesses-worldwide/

Read the article:
DDoS Attacks Remain a Serious Threat to Businesses Worldwide

Teen who shook the Internet in 2016 pleads guilty to DDoS attacks

One of the operators behind a Mirai botnet pleaded guilty to their involvement in a huge DDoS attack that caused a massive Internet disruption during October 2016. Multiple high-profile websites and online services including Amazon, PayPal, Visa, Netflix, the PlayStation Network, and Airbnb were taken down as a direct result of this DDoS attack. The botnet, a variant of the Mirai botnet, was developed by the defendant with the help of others between roughly 2015 until November 2016, specifically for being used to target gaming platforms in DDoS attacks. The conspirators used it to infect and convert Internet-connected video cameras, recorders, and other Internet-of-Things (IoT) devices into bots that were used as the “army” that powered the group’s DDoS attacks. Over 100,000 infected devices used in the attack The defendant, a minor when the attacks took place, and his conspirators targeted their massive DDoS (Distributed Denial of Service) attack at the Sony PlayStation Network’s gaming platform but it also affected the systems of Domain Name System (DNS) provider Dyn. After the attack, many of the sites and services using Dyn’s DNS servers were also affected by this attack and remained down throughout the next day while the DNS provider was working to bring back up the main DNS servers targeted by the conspirators’ botnet. “We saw both attack and legitimate traffic coming from millions of IPs across all geographies,” Scott Hilton, Dyn EVP of Product, said in a summary of the attack. “It appears the malicious attacks were sourced from at least one botnet, with the retry storm providing a false indicator of a significantly larger set of endpoints than we now know it to be. “We are still working on analyzing the data but the estimate at the time of this report is up to 100,000 malicious endpoints.” Dozens of big sites and platforms affected The huge 2016 Dyn DDoS attack resulted in a massive Internet disruption later spread to hundreds of thousands of sites that used the DNS provider’s services. The list of impacted sites also included dozens of high-profile websites and online platforms that suffered losses from remediation costs and lost advertising revenues. The massive DDoS attack indirectly affected Dyn’s servers and brought down a substantial part of the Internet across both North America and Europe together with Sony’s PlayStation Network, the primary target of the attack. “According to court documents, on Oct. 21, 2016, the individual and others used the botnet they created to launch several DDoS attacks in an effort to take the Sony PlayStation Network’s gaming platform offline for a sustained period,” DoJ press release said. “The DDoS attacks impacted a domain name resolver, New Hampshire-based Dyn, Inc., which caused websites, including those pertaining to Sony, Twitter, Amazon, PayPal, Tumblr, Netflix, and Southern New Hampshire University (SNHU), to become either completely inaccessible, or accessible only intermittently for several hours that day. “ The identity of the defendant was withheld because they were juvenile at the time the offense was commissioned. The individual’s sentencing was scheduled for January 7, 2021. Source: https://www.bleepingcomputer.com/news/security/teen-who-shook-the-internet-in-2016-pleads-guilty-to-ddos-attacks/

View article:
Teen who shook the Internet in 2016 pleads guilty to DDoS attacks

DOSarrest Unleashes new version of its Simulated DDoS Attack platform

VANCOUVER, British Columbia, Dec. 01, 2020 (GLOBE NEWSWIRE) — DOSarrest Internet Security announced today that they have released a new version of its C ybe r A ttack P reparation P latform ( CAPP ) . CAPP is a serve yourself portal allowing customers to test their DDoS protection services they have in place or to stress test their website’s software capability under load. The service has over 50 different types of DDoS attacks in stock, the latest version is a completely new software build of the backend to accommodate a larger and more powerful botnet along with resource management. This version of CAPP, has a new easy to use Wizard to help customers navigate and launch multiple different attacks on multiple targets simultaneously. The customer interface is also integrated into DOSarrest’s customer portal along with all of their other Internet security services. Some of the new attacks now available include: SSL Connection Overload, GRE Protocol Floods, Database Stress Testing, Variable ICMP Type Floods & Advanced TCP Table Exhaustion, Enhanced HTTP Attacks – Able to randomize User agents, URI’s, referrers and much more, all with a high number of concurrent connections. DOSarrest CTO Jag Bains comments, “It’s interesting to see how different systems react to attacks; CAPP not only shows you the traffic to the victim but also shows you the traffic response from the victim. A small attack to a target can actually produce a response back that’s 500 times larger.” Bains adds, “Every time a customer uses the service, they learn something new, sometimes it’s bad news; the good news is, it’s only a test.” CEO of DOSarrest, Mark Teolis states “Pretty much all of the new attacks and enhancements are a result of customer feedback over the last few years of operating the service first launched in 2018. Customers know they have weak or overcommitted resources, and they want test them to make sure they don’t fail.” About DOSarrest Internet Security: DOSarrest founded in 2007 in Vancouver, B.C., Canada serves a global client base and specializes in fully managed cloud based Internet security services including DDoS prot e ction for websites , Net w ork Infrastructure protection , W eb A pplication F ir e w a ll (WAF) , Traff i c Analyzer as well as C A PP . Source: https://www.globenewswire.com/news-release/2020/12/01/2137310/0/en/DOSarrest-Unleashes-new-version-of-its-Simulated-DDoS-Attack-platform.html

Read the original post:
DOSarrest Unleashes new version of its Simulated DDoS Attack platform

DDoS cyberattacks have skyrocketed this year. Just ask the New Zealand stock exchange

The New Zealand stock exchange (NZX) website has gone down again in what appears to be the latest disruption caused by cyber attackers. The NZX website has been targeted by repeated distributed denial of service (DDoS) attacks over the last week, beginning last Tuesday. Such attacks disrupt service by saturating the network with significant volumes of internet traffic, and have caused NZX to halt trading four days in a row. The latest outage comes less than an hour after NZX revealed it had contingency arrangements in place with the Financial Markets Authority should its website go down again. The arrangements, which come after NZX teamed up with cyber defence experts Akamai Technologies, are for the release of and access to market announcements that are intended to allow trading to continue. NZX chief executive Mark Peterson said he’d been advised by independent cyber specialists that the recent attacks are “among the largest, most well-resourced and sophisticated they have ever seen in New Zealand”. On Friday, the Government Communications Security Bureau (GCSB) was directed to help the NZX with the attacks amid reports a crime syndicate was demanding Bitcoin payments. In an appearance on The AM Show on Monday, Rush Digital founder Danu Abeysuriya told host Ryan Bridge the attackers can be difficult to track. “Whoever’s doing it has a lot of resources organised – so it could be a really cashed-up criminal gang, which is highly likely, or something more,” he said. “It’s highly likely that it’s a ransom-type attack.” Abeysuriya said technology company Garmin recently paid a ransom of about 10 million Euros following a cyber-attack. Source: https://www.newshub.co.nz/home/money/2020/08/nzx-website-goes-down-yet-again.html

See more here:
DDoS cyberattacks have skyrocketed this year. Just ask the New Zealand stock exchange

How do cybercriminals secure cybercrime?

Trend Micro unveiled new insights analyzing the market for underground hosting services and detailing how and where cybercriminals rent the infrastructure that hosts their business. Over the past five years, increased use and abuse of compromised assets has formed a whole new market. There are varied types of underground hosting and associated services used by cybercriminals to operate their businesses, including bulletproof hosting, VPNs, anonymizers, and DDoS protection. Such services could variously be used to … More ? The post How do cybercriminals secure cybercrime? appeared first on Help Net Security .

More:
How do cybercriminals secure cybercrime?

Docker servers infected with DDoS malware in extremely rare attacks

Up until recently, Docker servers misconfigured and left exposed online have been historically targeted with cryptocurrency-mining malware, which has helped criminal groups generate huge profits by hijacking someone else’s cloud resources. However, in a report published this week, security researchers from Trend Micro have discovered what appears to be the first organized and persistent series of attacks against Docker servers that infect misconfigured clusters with DDoS malware. According to Trend Micro, the two botnets are running versions of the XORDDoS and the Kaiji malware strains. Both malware operations have a long and well-documented history, especially XORDDoS, which has been spotted used in the wild for many years. However, the two DDoS botnets had usually targeted routers and smart devices, and never complex cloud setups, such as Docker clusters. “XORDDoS and Kaiji have been known to leverage telnet and SSH for spreading before, so I see Docker as a new vector which increases the potential of the botnet, a green field full of fresh fruit to pick with no immediate competitors,” Pascal Geenens, cybersecurity evangelist at Radwa r e , told ZDNet via email earlier this week. “Docker containers will typically provide more resources compared to IoT devices, but they typically run in a more secured environment, and it might be hard to impossible for the container to perform DDoS attacks,” Geenens added. “The unique perspective of IoT devices such as routers and IP cameras is that they have unrestricted access to the internet, but typically with less bandwidth and less horsepower compared to containers in a compromised environment,” the Radware researcher told ZDNet . “Containers, on the other hand, typically have access to way more resources in terms of memory, CPU, and network, but the network resources might be limited to only one or a few protocols, resulting in a smaller arsenal of DDoS attack vectors supported by those ‘super’ bots.” However, these limitations don’t usually impact crypto-mining botnets, which only need an open HTTPS channel to the outside world, Geenens said. But despite the limitations in how a DDoS gang could abuse hacked Docker clusters, Geenens says this won’t stop hackers from attacking this “green field full of fresh fruit to pick” as there are very few vulnerable IoT devices that haven’t been infected already, which has forced hackers to target Docker servers to begin with. And on a side note, Geenens also told ZDNet that he suspects that DDoS operators are already quite familiar with Docker systems already. While this is the first time they’re hacking Docker clusters, Geenens believes hackers often use Docker to manage their own attack infrastructure. “I have no immediate proof, but I’m pretty sure that in the same way as legitimate applications benefit from [Docker’s] automation and agility (DevOps), so will illegal applications.” The most common source of Docker hacks is the management interface (API) being left exposed online without authentication or being protected by a firewall. For readers looking to secure their servers, that would be a good first thing to check. In its report, Trend Micro also recommends that server administrators secure their Docker deployments by following a series of basic steps, detailed here . Source: https://www.zdnet.com/article/docker-servers-infected-with-ddos-malware-in-extremely-rare-attacks/

Originally posted here:
Docker servers infected with DDoS malware in extremely rare attacks

Huge Cyberattacks Attempt To Silence Black Rights Movement With DDoS Attacks

After the death of George Floyd and the subsequent protests across the U.S., cyberattacks on advocacy groups spiked by an astonishing 1,120 times. It’s unclear who is behind the attacks, but they included attempts to neuter anti-racist organizations’ freedom of speech. The data comes from Cloudflare, a Silicon Valley company that protects a vast number of websites from distributed denial of service (DDoS) attacks, where servers are flooded with traffic to make them inaccessible. As its tech is used by a number of advocacy groups—including Black Lives Matter—Cloudflare saw what was happening around the time of Floyd’s death, caused by a police officer—former Minneapolis police officer Derek Chauvin—kneeling on Mr. Floyd’s neck till the life drained out of him. Fighting prejudice online And organizations whose purpose is to fight prejudice went from seeing almost no attacks on their sites to significant attempts to knock them offline. They included nearly 140 million likely malicious requests to load their websites. DDoS attacks see sites swamped with such requests, which mimic a massive number of people trying to get on a site at the same time, clogging up traffic to the page and making it inaccessible. “Those groups went from having almost no attacks at all in April to attacks peaking at 20,000 requests per second on a single site,” the company’s CEO, Matthew Prince, and its chief technology officer, John Graham-Cumming, wrote in a blog post. “One particular attacker, likely using a hacked server in France, was especially persistent and kept up an attack hitting an advocacy group continuously for over a day. We blocked those malicious HTTP requests and kept the site online.” In May, attacks on government, police and emergency services websites were up 1.8 times and 3.8 times on military websites, compared to the figures in April. Last week, the Minneapolis Police Department website was down after a reported DDoS attack. “We have been listening carefully to those who have taken to the streets in protest to demand justice and an end to structural racism, and believe that their powerful stories can serve as catalysts for real change. But that requires them to be heard,” the Cloudflare chiefs wrote in the post. “Unfortunately, if recent history is any guide, those who speak out against oppression will continue to face cyberattacks that attempt to silence them.” Source: https://www.forbes.com/sites/thomasbrewster/2020/06/03/huge-cyber-attacks-attempt-to-silence-black-rights-movement-with-ddos-attacks/#3460b946742b

Original post:
Huge Cyberattacks Attempt To Silence Black Rights Movement With DDoS Attacks

RangeAmp DDoS attacks can take down websites and CDN servers

A team of Chinese academics has found a new way to abuse HTTP packets to amplify web traffic and bring down websites and content delivery networks (CDNs). Named RangeAmp, this new Denial-of-Service (DoS) technique exploits incorrect implementations of the HTTP “Range Requests” attribute. HTTP Range Requests are part of the HTTP standard and allow clients (usually browsers) to request only a specific portion (range) of a file from a server. The feature was created for pausing and resuming traffic in controlled (pause/resume actions) or uncontrolled (network congestion or disconnections) situations. The HTTP Range Requests standard has been under discussion at the Internet Engineering Task Force (IETF) for more than half a decade, but, due to its usefulness, has already been implemented by browsers, servers, and CDNs. Two RangeAmp attacks discovered Now, a team of Chinese academics says that attackers can use malformed HTTP Range Requests to amplify how web servers and CDN systems react when having to deal with a range request operation. The team says two different RangeAmp attacks exist. The first is called a RangeAmp Small Byte Range (SBR) attack. In this case [see (a) in the image below], the attacker sends a malformed HTTP range request to the CDN provider, which amplifies the traffic towards the destination server, eventually crashing the targeted site. The second is called a RangeAmp Overlapping Byte Ranges (OBR) attack. In this case [see b) in the image below], the attacker sends a malformed HTTP range request to a CDN provider, and in the case, the traffic is funneled through other CDN servers, the traffic is amplified inside the CDN networks, crashing CDN servers and rendering both the CDNs and many other destination sites inaccessible. Image: Weizhong et al. Academics said they tested RangeAmp attacks against 13 CDN providers and found that all were vulnerable to the RangeAmp SBR attack, and six were also vulnerable to the OBR variant when used in certain combinations. Researchers said the attacks were very dangerous and required a minimum of resources to carry out. Of the two, RangeAmp SBR attacks could amplify traffic the most. The research team found that attackers could use a RangeAmp SBR attack to inflate traffic from 724 to 43,330 times the original traffic. Image: Weizhong et al. RangeAmp OBR attacks were a little harder to carry out, as the six vulnerable CDNs needed to be in specific (master-surrogate) configurations, but when conditions were met, reserchers said OBR attacks could also be used to inflate traffic inside a CDN network with amplification factors of up to nearly 7,500 times the initial packet size. Image: Weizhong et al. Of the two, OBR attacks were considered more dangerous, as attackers could take down entire chunks of a CDN provider’s network, bringing down connectivity for thousands of websites at a time. CDN vendors notified seven months ago Academics said that for the past few months they have been silently contacting the affected CDN providers and disclosing the details of the RangeAmp attack. Of the 13 CDN providers, researchers said that 12 responded positively and either rolled out or said they planned to roll out updates to their HTTP Range Request implementation. The list includes Akamai, Alibaba Cloud, Azure, Cloudflare, CloudFront, CDNsun, CDN77, Fastly, G-Core Labs, Huawei Cloud, KeyCDN, and Tencent Cloud. “Unfortunately, although we have sent them emails several times and have tried to reach out to their customer services, StackPath did not provide any feedback,” the research team said. “In general, we have tried our best to responsibly report the vulnerabilities and provide mitigation solutions. The related CDN vendors have had nearly seven months to implement mitigation techniques before this paper was published.” Each CDN provider’s reply, along with technical details about the RangeAmp attacks, are available in the research team’s paper, entitled “CDN Backfired: Amplification Attacks Based on HTTP Range Requests,” available for download in PDF format from here. Source: https://www.zdnet.com/article/rangeamp-attacks-can-take-down-websites-and-cdn-servers/

See original article:
RangeAmp DDoS attacks can take down websites and CDN servers

Are you Ready for These 26 Different Types of DDoS Attacks?

The scourge of distributed denial-of-service (DDoS) attacks has been a major concern for businesses and governments for more than two decades. First reported in 1996, this is a destructive and ever-evolving vector of cyber raids that knocks electronic networks offline by flooding them with the traffic they can’t handle. Not only is DDoS a way for hacktivists to manifest protest against Internet censorship and controversial political initiatives, but it’s also a goldmine of opportunities for achieving strictly nefarious goals. For instance, the latest tweak in this epidemic is what’s called “ransom DDoS,” a technique used to extort money from organizations in exchange for discontinuing a massive incursion. A big hurdle to thwarting the DDoS phenomenon is that it’s heterogeneous and spans a variety of different tactics. To begin with, there are three overarching categories of these attacks that form the backbone of this ecosystem: Volume-based (volumetric) attacks are the “classic” ones that congest a target network’s bandwidth with a hefty amount of traffic packets. Protocol attacks are aimed at exhausting server or firewall resources. Application layer (layer 7 DDoS) attacks zero in on specific web applications rather than the whole network. These ones are particularly hard to prevent and mitigate while being relatively easy to orchestrate. Furthermore, there are dozens of sub-types that fall into either one of the above generic groups but exhibit unique characteristics. Here’s a complete breakdown of the present-day DDoS attack methods. 1. SYN Flood This attack exploits the TCP three-way handshake, a technique used to establish any connection between a client, a host, and a server using the TCP protocol. Normally, a client submits a SYN (synchronize) message to the server to request a connection. When a SYN Flood attack is underway, criminals send a plethora of these messages from a spoofed IP address. As a result, the receiving server becomes incapable of processing and storing so many SYN packets and denies service to real clients. 2. LAND attack To perform a Local Area Network Denial (LAND) attack, a threat actor sends a fabricated SYN message in which the source and destination IP addresses are the same. When the server tries to respond to this message, it gets into a loop by recurrently generating replies to itself. This leads to an error scenario, and the target host may eventually crash. 3. SYN-ACK Flood The logic of this attack vector is to abuse the TCP communication stage where the server generates a SYN-ACK packet to acknowledge the client’s request. To execute this onslaught, crooks inundate the CPU and RAM resources of the server with a bevy of rogue SYN-ACK packets. 4. ACK & PUSH ACK Flood Once the TCP three-way handshake has resulted in establishing a connection between a host and a client, ACK or PUSH ACK packets are sent back and forth until the session is terminated. A server targeted by this type of a DDoS attack cannot identify the origin of falsified packets and wastes all of its processing capacity trying to determine how to handle them. 5. Fragmented ACK Flood This attack is a knockoff of the above-mentioned ACK & PUSH ACK Flood technique. It boils down to deluging a target network with a comparatively small number of fragmented ACK packets that have a maximum allowed size, usually 1500 bytes each. Network equipment such as routers ends up running out of resources trying to reassemble these packets. Furthermore, fragmented packets can slip below the radar of intrusion prevention systems (IPS) and firewalls. 6. Spoofed Session Flood (Fake Session Attack) In order to circumvent network protection tools, cybercriminals may forge a TCP session more efficiently by submitting a bogus SYN packet, a series of ACK packets, and at least one RST (reset) or FIN (connection termination) packet. This tactic allows crooks to get around defenses that only keep tabs on incoming traffic rather than analyzing return traffic. 7. UDP Flood As the name suggests, this DDoS attack leverages multiple User Datagram Protocol (UDP) packets. For the record, UDP connections lack a handshaking mechanism (unlike TCP), and therefore the IP address verification options are very limited. When this exploitation is in full swing, the volume of dummy packets exceeds the target server’s maximum capacity for processing and responding to requests. 8. DNS Flood This one is a variant of UDP Flood that specifically homes in on DNS servers. The malefactor generates a slew of fake DNS request packets resembling legitimate ones that appear to originate from a huge number of different IP addresses. DNS Flood is one of the hardest denial-of-service raids to prevent and recover from. 9. VoIP Flood This is a common form of UDP Flood that targets a Voice over Internet Protocol (VoIP) server. The multitude of bogus VoIP requests sent from numerous IP addresses drain the victim server’s resources and knock it offline at the end of the day. 10. NTP Flood (NTP Amplification) Network Time Protocol (NTP), one of the oldest networking protocols tasked with clock synchronization between electronic systems, is at the core of another DDoS attack vector. The idea is to harness publicly-accessible NTP servers to overload a target network with a large number of UDP packets. 11. CHARGEN Flood Similarly to NTP, the Character Generator Protocol (CHARGEN) is an oldie whose emergence dates back to the 1980s. In spite of this, it is still being used on some connected devices such as printers and photocopiers. The attack comes down to sending tiny packets containing a victim server’s fabricated IP to devices with CHARGEN protocol enabled. In response, the Internet-facing devices submit UDP packets to the server, thus flooding it with redundant data. 12. SSDP Flood Malefactors can exploit networked devices running Universal Plug and Play (UPnP) services by executing a Simple Service Discovery Protocol (SSDP) reflection-based DDoS attack. On a side note, SSDP is embedded in the UPnP protocol framework. The attacker sends small UDP packets with a spoofed IP address of a target server to multiple devices running UPnP. As a result, the server is flooded with requests from these devices to the point where it goes offline. 13. SNMP Flood (SNMP Amplification) Tasked with harvesting and arranging data about connected devices, the Simple Network Management Protocol (SNMP) can become a pivot of another attack method. Cybercriminals bombard a target server, switch, or router with numerous small packets coming from a fabricated IP address. As more and more “listening” devices reply to that spoofed address, the network cannot cope with the immense quantity of these incoming responses. 14. HTTP Flood When executing an HTTP Flood DDoS attack, an adversary sends ostensibly legitimate GET or POST requests to a server or web application, siphoning off most or all of its resources. This technique often involves botnets consisting of “zombie” computers previously contaminated with malware. 15. Recursive HTTP GET Flood To perpetrate this attack, a malicious actor requests an array of web pages from a server, inspects the replies, and iteratively requests every website item to exhaust the server’s resources. The exploitation looks like a series of legitimate queries and can be difficult to identify. 16. ICMP Flood Also referred to as Ping Flood, this incursion aims to inundate a server or other network device with numerous spoofed Internet Control Message Protocol (ICMP) echo requests or pings. Having received a certain number of ICMP pings, the network responds with the same number of reply packets. Since this capability to respond is finite, the network reaches its performance threshold and becomes unresponsive. 17. Misused Application Attack Instead of using spoofed IP addresses, this attack parasitizes legitimate client computers running resource-intensive applications such as P2P tools. Crooks reroute the traffic from these clients to the victim server to bring it down due to excessive processing load. This DDoS technique is hard to prevent as the traffic originates on real machines previously compromised by the attackers. 18. IP Null Attack This one is carried out by sending a slew of packets containing invalid IPv4 headers that are supposed to carry transport layer protocol details. The trick is that threat actors set this header value to null. Some servers cannot process these corrupt-looking packets properly and waste their resources trying to work out how to handle them. 19. Smurf Attack This one involves a malware strain called Smurf to inundate a computer network with ICMP ping requests carrying a spoofed IP address of the target. The receiving devices are configured to reply to the IP in question, which may produce a flood of pings the server can’t process. 20. Fraggle Attack This DDoS technique follows a logic similar to the Smurf Attack, except that it deluges the intended victim with numerous UDP packets rather than ICMP echo requests. 21. Ping of Death Attack To set this raid in motion, cybercrooks poison a victim network with unconventional ping packets whose size significantly exceeds the maximum allowed value (64 bytes). This inconsistency causes the computer system to allocate too many resources for reassembling the rogue packets. In the aftermath of this, the system may encounter a buffer overflow or even crash. 22. Slowloris This attack stands out from the crowd because it requires very low bandwidth and can be fulfilled using just one computer. It works by initiating multiple concurrent connections to a web server and keeping them open for a long period of time. The attacker sends partial requests and complements them with HTTP headers once a while to make sure they don’t reach a completion stage. As a result, the server’s capability to maintain simultaneous connections is drained and it can no longer process connections from legitimate clients. 23. Low Orbit Ion Cannon (LOIC) Originally designed as a network stress testing tool, LOIC can be weaponized in real-world DDoS attacks. Coded in C#, this open-source software deluges a server with a large number of packets (UPD, TCP, or HTTP) in an attempt to disrupt a target’s operation. This onslaught is usually backed by a botnet consisting of thousands of machines and coordinated by a single user. 24. High Orbit Ion Cannon (HOIC) HOIC is a publicly accessible application that superseded the above-mentioned LOIC program and has a much bigger disruptive potential than its precursor. It can be used to submit a plethora of GET and HTTP POST requests to a server concurrently, which ends up knocking a target website offline. HOIC can affect up to 256 different domains at the same time. 25. ReDoS ReDoS stands for “regular expression denial-of-service.” Its goal is to overburden a program’s regular expression implementation with instances of highly complex string search patterns. A malicious actor can trigger a regular expression processing scenario whose algorithmic complexity causes the target system to waste superfluous resources and slow down or crash. 26. Zero-Day DDoS This term denotes an attack that takes advantage of uncatalogued vulnerabilities in a web server or computer network. Unfortunately, such flaws are surfacing off and on, making the prevention a more challenging task. A Serious Threat Although distributed denial-of-service is an old school attack vector, it continues to be a serious threat to organizations. The monthly number of such attacks exceeds 400,000. To top it off, cybercriminals keep adding new DDoS mechanisms to their repertoire and security providers aren’t always prepared to tackle them. Another unnerving thing is that some techniques, including Low and High Orbit Ion Cannon, are open source and can be leveraged by wannabe criminals who lack tech skills. Such an attack may get out of hand and go way beyond the intended damage. To prevent DDoS attacks and minimize the impact, businesses should learn to proactively identify the red flags; have an appropriate response plan in place; make sure their security posture has no single point of failure, and continuously work on strengthening the network architecture. Source: https://www.securitymagazine.com/articles/92327-are-you-ready-for-these-26-different-types-of-ddos-attacks

Read the original:
Are you Ready for These 26 Different Types of DDoS Attacks?