Tag Archives: ddos-defense

More than 400 DDos attacks identified using new attack vector – LDAP

Hackers use misconfigured LDAP servers – Connectionless Lightweight Directory Access Protocol (CLDAP) – to provide a means to launch DDoS attacks. More than 400 DDoS attacks taking advantage of misconfigured LDAP servers have been spotted by security researchers. CLDAP DDoS attacks use an amplification technique, which takes advantage of the Connectionless Lightweight Directory Access Protocol (CLDAP): LDAP is one of the most widely used protocols for accessing username and password information in databases like Active Directory, which is integrated in many online servers. When an Active Directory server is incorrectly configured and exposes the CLDAP service to the Internet it is vulnerable to be leveraged to perform DDoS attacks. Since its discovery in October 2016, researchers at Corero Network Security have observed a total of 416 CLDAP DDoS attacks, most of which are hosting and internet service providers. The largest attack volume recorded was 33 Gbps, with an average volume of 10 Gbps. The attacks averaged 14 minutes long in duration. “These powerful short duration attacks are capable of impacting service availability, resulting in outages, or acting as a smoke screen for other types of cyber-attacks, including those intended for breach of personally identifiable data,” said Stephanie Weagle, vice president of marketing at Corero Network Security, in a blog post. Stephen Gates, chief research intelligence analyst from NSFOCUS, told SC Media UK that in the quest to find new means of launching DDoS attacks, hackers have once again found open devices on the Internet running weak protocols that can be exploited for their personal gain. “However, like any other reflective DDoS attack campaign, the number of available reflectors is of critical importance. In addition, the amplification factor those reflectors afford is the second stipulation,” he said. “In this case, the number of open devices on the Internet running CLDAP is relatively small, in comparison to open DNS and NTP reflectors; yet the amplification factor is respectable (~70x). Surely, this attack technique is new, but it is not the worse seen so far. This vector will likely be used in combination with other reflective attack techniques, and rarely used on its own. Until the world’s service providers fully implement BCP-38, similar discoveries and resulting campaigns will continue to plague us all.” Bogdan Botezatu, senior E-Threat analyst at Bitdefender, told SC that a CLDAP attack is designed around third parties: an entity running a misconfigured instance of CLDAP, a victim and an attacker. “The attacker would ask the CLDAP infrastructure to retrieve all the users registered in the Active Directory. Because the attacker makes this query look like it was initiated by the victim by replacing the originating IP address with the victim’s, the CLADP service will actually send the answer to the victim,” he said. “Subsequently, the victim finds itself being bombarded with the information they did not request. If the attacker can harness enough power, the victim’s infrastructure will crash under a load of unsolicited information.” He said that organisations could deploy strong, restrictive firewall policies for inbound traffic. “Load balancing and specialised hardware can also help organisations absorb the impact,” said Botezatu. Source: https://www.scmagazineuk.com/more-than-400-ddos-attacks-identified-using-new-attack-vector–ldap/article/652939/

View original post here:
More than 400 DDos attacks identified using new attack vector – LDAP

8 DDoS Attacks That Made Enterprises Rethink IoT Security

Distributed Denial of Service Disasters The overall frequency of distributed denial of service (DDoS) attacks increased in 2016 thanks, in part, to Internet of Things botnets, according to information service provider Neustar. The company said it mitigated 40 percent more DDoS attacks from January through November, compared to the year earlier. Neustar warned that as botnet code assemblies are published, dangerous new DDoS developments will continue to emerge, such as persistent device enrollment, which enables botnet operators to maintain control of a device even after it’s rebooted. From colleges to entire U.S. regions, here are eight situations where vulnerable IoT devices brought down networks. DDoS Attack Affects U.S. College For 54 Hours A distributed denial of service attack on a college in February, recently made public by security firm Incapsula, affected that institution’s network for 54 hours straight. Incapsula recently revealed the attack, noting that the attackers seemed adept at launching application layer assaults on vulnerable IoT devices. “Based on a number of signature factors, including header order, header values and traffic sources, our client classification system immediately identified that the attack emerged from a Mirai-powered botnet,” according to an Incapsula spokesperson in a blog post. “Our research showed that the pool of attacking devices included those commonly used by Mirai, including CCTV cameras, DVRs and routers.” DDoS Attack Takes Down Netflix, Twitter An October DDoS attack – which was launched through IoT devices and blocked an array of websites – deepened the industry’s concerns over the security risk of the Internet of Things. The denial of service attack was launched through Internet of Things consumer devices, including webcams, routers and video recorders, to overwhelm servers at Dynamic Network Services (Dyn) and led to the blockage of more than 1,200 websites. The attack on Dyn, which connects users to websites such as Twitter and Netflix, came from tens of millions of addresses on devices infected with malicious software codes, knocking out access by flooding websites with junk data. DDoS Attack Through Vending Machines Hits University Verizon’s preview of its 2017 Data Breach Digest in February revealed that an unnamed university was hit by a DDoS attack launched through vending machines, lights, and 5,000 other IoT devices. According to Verizon, an incident commander noticed that “name servers, responsible for Domain Name Service (DNS) lookups, were producing high-volume alerts and showed an abnormal number of sub-domains related to seafood.” While administrators were locked out, the university intercepted “the clear text password for a compromised IoT device over the wire and then use that information to perform a password change before the next malware update.” DDoS Attacks Attempted Against Campaign Websites of Hillary Clinton And Donald Trump According to security firm Flashpoint, hackers attempted four Mirai botnet DDoS attacks in November against the campaign websites of Hillary Clinton and Donald Trump. According to Flashpoint, the company observed a 30-second HTTP Layer 7 (application layer) attack against Trump’s website, while the next day, it saw attacks against both Trump and Clinton’s campaign sites. While attacks were attempted, neither website observed or reported outages. “Flashpoint assesses with moderate confidence that the Mirai botnet has been fractured into smaller, competing botnets due to the release of its source code, which has led to the proliferation of actors exploiting the botnet’s devices,” a spokesperson wrote on Flashpoint’s website. BBC Domain Downed By By DDoS Attack On New Year’s Eve 2016, the BBC’s website was hit by a DDoS attack that downed its entire domain – including on-demand television and radio player – for more than three hours. While BBC originally said that it was undergoing a technical issue, the broadcaster’s news organization later said the outage was a result of a DDoS attack, according to “sources within the BBC.” Russian Banks Hit With Waves Of DDoS Attacks In November, at least five Russian banks, including Sberbank and Alfabank banks, were the victims of prolonged DDoS attacks that lasted over two days. According to Security Affairs, the attack came from a wide-scale botnet involving up to 24,000 computers and IoT devices that were located in 30 countries. The banks’ online clients services were not disrupted. According to security firm Kaspersky Lab, the incident was the first time that massive DDoS attacks hit Russian banks in 2016. Rio Olympics Organizations Hit By DDoS Attack Staged By LizardStresser Arbor Networks’ security engineering and response team revealed in a statement that several organizations affiliated with the Olympics came under “large-scale volumetric” DDoS attacks beginning in September 2015. “A large proportion of the attack volume consisted of UDP reflection and amplification attack vectors such as DNS, chargen, ntp, and SSDP, along with direct UDP packet-flooding, SYN-flooding, and application-layer attacks targeting Web and DNS services,” said Arbor Networks in a statement. According to Arbor Networks, a DDoS-for-hire service, called LizardStresser, staged most of the pre-Olympic attacks. Despite the attacks, Arbor Networks performed several mitigation measures to help Olympics administrators keep their systems running. Brian Krebs’ Website Experienced DDoS Attack In September 2016, security investigative reporter Brian Krebs’ information blog experienced a DDoS attack. The attack reportedly placed peak traffic at around 620 Gbps. Krebs determined a Mirai botnet was responsible for the attack: “The source code that powers the IoT botnet responsible for launching the historically large DDoS attack against KrebsOnSecurity last month has been publicly released, virtually guaranteeing that the Internet will soon be flooded with attacks from many new botnets powered by insecure routers, IP cameras, digital video recorders and other easily hackable devices,” he stated on his blog. “My guess is that (if it’s not already happening) there will soon be many Internet users complaining to their ISPs about slow Internet speeds as a result of hacked IoT devices on their network hogging all the bandwidth. On the bright side, if that happens it may help to lessen the number of vulnerable systems,” said Krebs in the blog post. Source: http://www.crn.com/slide-shows/internet-of-things/300084663/8-ddos-attacks-that-made-enterprises-rethink-iot-security.htm

Original post:
8 DDoS Attacks That Made Enterprises Rethink IoT Security

Teenage hacker jailed for masterminding attacks on Sony and Microsoft

Adam Mudd jailed for two years for creating attack-for-hire business responsible for more than 1.7m breaches worldwide. A man has been jailed for two years for setting up a computer hacking business that caused chaos worldwide. Adam Mudd was 16 when he created the Titanium Stresser program, which carried out more than 1.7m attacks on websites including Minecraft, Xbox Live and Microsoft and TeamSpeak, a chat tool for gamers. He earned the equivalent of more than £386,000 in US dollars and bitcoins from selling the program to cyber criminals. Mudd pleaded guilty and was sentenced at the Old Bailey. The judge, Michael Topolski QC, noted that Mudd came from a “perfectly respectable and caring family”. He said the effect of Mudd’s crimes had wreaked havoc “from Greenland to New Zealand, from Russia to Chile”. Topolski said the sentence must have a “real element of deterrent” and refused to suspend the jail term. “I’m entirely satisfied that you knew full well and understood completely this was not a game for fun,” he told Mudd. “It was a serious money-making business and your software was doing exactly what you created it to do.” Mudd showed no emotion as he was sent to a young offender institution. During the two-day hearing, Jonathan Polnay, prosecuting, said the effect of Mudd’s hacking program was “truly global”, adding: “Where there are computers, there are attacks – in almost every major city in the world – with hotspots in France, Paris, around the UK.” The court heard that Mudd, who lived with his parents, had previously undiagnosed Asperger syndrome and was more interested in status in the online gaming community than the money. The court heard that the defendant, now 20, carried out 594 of the distributed denial of service (DDoS) attacks against 181 IP addresses between December 2013 and March 2015. He has admitted to security breaches against his college while he was studying computer science. The attacks on West Herts College crashed the network, cost about £2,000 to investigate and caused “incalculable” damage to productivity, the court heard. On one occasion in 2014, the college hacking affected 70 other schools and colleges, including Cambridge, Essex and East Anglia universities as well as local councils. Mudd’s explanation for one of the attacks was that he had reported being mugged to the college but claimed no action was taken. Polnay said there were more than 112,000 registered users of Mudd’s program who hacked about 666,000 IP addresses. Of those, nearly 53,000 were in the UK. Among the targets was the fantasy game RuneScape, which had 25,000 attacks. Its owner company spent £6m trying to defend itself against DDoS attacks, with a revenue loss of £184,000. The court heard that Mudd created Titanium Stresser in September 2013 using a fake name and address in Manchester. He offered a variety of payment plans to his customers, including discounts for bulk purchases of up to $309.99 for 30,000 seconds over five years as well as a refer-a-friend scheme. Polnay said: “This is a young man who lived at home. This is not a lavish lifestyle case. The motivation around this we tend to agree is about status. The money-making is by the by.” When he was arrested in March 2015, Mudd was in his bedroom on his computer, which he refused to unlock before his father intervened. Mudd, from Kings Langley in Hertfordshire, pleaded guilty to one count of committing unauthorised acts with intent to impair the operation of computers; one count of making, supplying or offering to supply an article for use in an offence contrary to the Computer Misuse Act; and one count of concealing criminal property. Ben Cooper, defending, appealed for his client to be given a suspended sentence. He said Mudd had been “sucked into” the cyber world of online gaming and was “lost in an alternate reality” after withdrawing from school because of bullying. Mudd, who was expelled from college and now works as a kitchen porter, had been offline for two years, which was a form of punishment for any computer-obsessed teenager, Cooper said. The “bright and high-functioning” defendant understood what he did was wrong but at the time he lacked empathy due to his medical condition, the court heard. Cooper said: “This was an unhappy period for Mr Mudd, during which he suffered greatly. This is someone seeking friendship and status within the gaming community.” But the judge said: “I have a duty to the public who are worried about this, threatened by this, damaged by this all the time … It’s terrifying.” Source: https://www.theguardian.com/technology/2017/apr/25/teenage-hacker-adam-mudd-jailed-masterminding-attacks-sony-microsoft

Link:
Teenage hacker jailed for masterminding attacks on Sony and Microsoft

How can you prepare for a cyber attack?

Keeping your data secure is more important than ever, but it seems like there’s a new wide-scale data breach every other week. In this article, David Mytton discusses what developers can do to prepare for what’s fast becoming inevitable. Cyber security isn’t something that can be ignored anymore or treated as a luxury concern: recent cyber attacks in the UK have shown that no one is immune. The stats are worrying – in 2016, two thirds of large businesses had a cyber attack or breach, according to Government research. Accenture paints a bleaker picture suggesting that two thirds of companies globally face these attacks weekly, or even daily. According to the Government’s 2016 cyber security breaches survey, only a third of firms have cyber security policies in place and only 10% have an emergency plan. Given management isn’t handling the threat proactively, developers and operations specialists are increasingly having to take the initiative on matters of cybersecurity. This article covers some essential priorities developers should be aware of if they want their company to be prepared for attack. Know your plan There’s no predicting when a cyber attack might come, whether it be in the form of a DDoS, a virus, malware or phishing. It’s therefore important to be constantly vigilant, and prepared for incidents when they do occur. Senior leadership in your company should be proactive when laying out a plan in the event of an attack or other breach, however this might not always be the case. No matter what your position is within your company, there are preemptive actions you can take on a regular basis to ensure that you’re adequately prepared. If you’re in an Ops team, make sure you’re encouraging your team to test your backups regularly. There’s little use having backups if you’re unable to actually restore from them, as GitLab learned to their detriment earlier in the year. Use simulations and practice runs to ensure that everyone on your team knows what they’re doing, and have a checklist in place for yourself and your colleagues to make sure that nothing gets missed. For example, a DDoS attack may begin with a monitoring alert to let you know your application is slow. Your checklist would start with the initial diagnostics to pinpoint the cause, but as soon as you discover it is a DDoS attack then the security response plan should take over. If you happen to be on-call, make sure you’ve got all the tools you need to act promptly to handle the issue. This might involve letting your more senior colleagues know about the issue, as well as requesting appropriate assistance from your security vendors. Communication is always one of the deciding factors in whether a crisis can be contained effectively. As a developer or operations specialist, it’s important to be vocal with your managers about any lack of clarity in your plan, and ensure that there are clear lines of communication and responsibility so that, when the worst does occur, you and your colleagues feel clear to jump into action quickly. Remember your limits It might sound obvious, but it’s worth remembering: in a cyber attack or catastrophic incident, there is only so much you yourself can do. Too many developers and operations staff fall prey to a culture of being ‘superheroes’, encouraged (often through beer and pizza) to stay as late as they can and work as long as possible on fixes to particular issues. The truth is, humans make mistakes. Amazon’s recent AWS S3 outage is a good example: swathes of the internet were taken offline due to one typo. If you’re on-call while a cyber attack occurs there’s no denying you’re likely to work long hours at odd times of the day, and this can put a real strain on you, both mentally and physically. This strain can make it much harder for you to actually concentrate on what you’re doing, and no amount of careful contingency planning can compensate for that. At Server Density we’re keenly aware that employee health and well being is critical to maintaining business infrastructure, especially in the event of a crisis. That’s why we support movements like HumanOps, which promote a wider awareness of the importance of employee health, from the importance of taking regular breaks to ergonomic keyboards. All too often people working in IT forget that the most business-critical hardware they look after isn’t servers or routers, it’s the health and well being of the people on the front lines looking after these systems. Cyber attacks are stressful on everyone working in an organisation, and the IT teams take the brunt of the strain. However, with careful planning, clear lines of delegation and an appreciation of the importance of looking after each other’s health, developers and operations specialists should be able to weather the storm effectively and recover business assets effectively. Source: https://jaxenter.com/can-prepare-cyber-attack-133447.html

Read More:
How can you prepare for a cyber attack?

Linksys Routers Vulnerable to DDoS Attack

Flaws in the routers’ firmware could let hackers access configuration settings and execute remote commands. Linksys said it’s working on a patch. Linksys this week identified several vulnerabilities in its router firmware that allow hackers to bypass authentication and perform denial of service (DDoS) attacks. The company said it is working on a fix for the vulnerabilities, which were discovered by security researchers at IOActive in January and affect more than two dozen models of Linksys wireless routers in the WRT and EAxxx series. IOActive found 10 separate issues in the Linksys firmware, including high-risk vulnerabilities that could let hackers exploit routers using default credentials to log in, view router settings, and execute remote commands. “Two of the security issues we identified allow unauthenticated attackers to create a Denial-of-Service (DoS) condition on the router,” IOActive researcher Tao Sauvage wrote in a blog post. “By sending a few requests or abusing a specific API, the router becomes unresponsive and even reboots. The Admin is then unable to access the web admin interface and users are unable to connect until the attacker stops the DoS attack.” The vulnerabilities, which are similar to those found in many other Internet of Things (IoT) devices, are particularly worrisome because they could be used in future attacks of the sort that took large swaths of the internet offline for several hours last fall. Sauvage said that “11 percent of the active devices exposed were using default credentials, making them particularly susceptible to an attacker easily authenticating and potentially turning the routers into bots, similar to what happened in last year’s Mirai Denial of Service (DoS) attacks.” Linksys published a full list of the router models that are affected, and suggested that owners change the default password for their administrator account. The company said it is working to provide a firmware update for all of the affected models, but didn’t offer details on when it would be ready. Source: http://www.pcmag.com/news/353228/linksys-routers-vulnerable-to-ddos-attacks

View post:
Linksys Routers Vulnerable to DDoS Attack

New DDoS Attacks Use Far Fewer Infected Hosts

Akamai Technologies has identified a new attack method generating extremely large distributed denial of service (DDoS) attacks against educational institutions and other types of organizations but without the millions of infected hosts typically seen in these scenarios. In a threat advisory recently published by the content delivery network company’s security intelligence response team, researchers described a reflection and amplification method that can produce “significant attack bandwidth” through “significantly fewer hosts.” What’s required are open ports allowing LDAP traffic. The company’s security experts have detected and mitigated a total of 50 Connection-less Lightweight Directory Access Protocol (CLDAP) reflection attacks. CLDAP was intended as an “efficient alternative to LDAP queries done over Transmission Control Protocol (TCP). Most of the attacks seen in the wild used CLDAP reflection exclusively. Twice, education has been the target. However, the primary victims have been in the software and technology industry, where 21 attacks have taken place, and the gaming segment, which has had 15 attacks. The largest of the attacks hit its target with a peak bandwidth of 24 gigabits per second and a top count of packets per second of 2 million. The source port was 386, the port used by Lightweight Directory Access Protocol (LDAP). According to the report, signatures of the attack suggest that it’s “capable of impressive amplification.” For example, Akamai security people obtained sample malicious LDAP reflection queries that had a payload of only 52 bytes. Yet the attack data payload was 3,662 bytes, meaning that the amplification factor was 73. More typically, the average amplification rate was 57, according to the researchers. The attacks are launched using “attack scripts,” usually written in C and with only slight variations from one vector to another. When the script is run, the target IP becomes the source of all the 52-byte query payloads. These are then sent rapidly to every server in the supplied reflector list. From there, the CLDAP servers do as they’re designed and reply to the query. As a result, the report described, “the target of this attack must deal with a flood of unsolicited CLDAP responses.” The attack is “fueled” by the number of servers on the internet with port 389 open and listening. Once a server has been identified as a viable source, it’s added to the list of reflectors. The best mitigation, suggested the report, is to filter the port in question. “Ingress filtering of the CLDAP port from the internet will prevent discovery and subsequent abuse of this service,” the report noted. Another option is to apply rules, which won’t stop the outbreak, but will alert system administers when an attempt is made to use the systems as part of a reflection attack. Source: https://campustechnology.com/articles/2017/04/20/new-ddos-attacks-use-far-fewer-infected-hosts.aspx?admgarea=news

See more here:
New DDoS Attacks Use Far Fewer Infected Hosts

Should we worry the general election will be hacked?

“Brexit vote site may have been hacked” warned the headlines last week after a Commons select committee published its report into lessons learned from the EU referendum. The public administration and constitutional affairs committee (Pacac) said that the failure of the voter registration website, which suffered an outage as many people tried to sign to vote up at the last minute in 2016, “had indications of being a DDoS ‘attack’”. It said it “does not rule out the possibility that the crash may have been caused … using botnets”. In the same paragraph it mentioned Russia and China. It said it “is deeply concerned about these allegations about foreign interference”. With a general election just seven weeks away, how worried should we be about foreign interference this time round? Labour MP Paul Flynn, who sits on the Pacac, certainly thinks we should be worried – although closer inspection of the report finds that, beyond the headlines, there’s a startling lack of evidence for those particular fears. In reality, a DDoS – “distributed denial of service” – attack is the bombarding of a server with requests it can’t keep up with, causing it to fail. Not only is it not actually hacking at all, but it also looks rather similar to when a lot of people at once try to use a server that doesn’t have the capacity. Given the history of government IT projects, some might favour this more prosaic explanation of why the voter registration website went offline. And that’s just what the Cabinet Office did say: “It was due to a spike in users just before the registration deadline. There is no evidence to suggest malign intervention.” So perhaps we shouldn’t fear that kind of attack, but hacking elections takes many forms. The University of Oxford’s Internet Institute, found a huge number of Twitter bots posting pro-Leave propaganda in the run up to the EU referendum. At least, that was how it was widely reported. The actual reportreveals the researchers can’t directly identify bots – they just assume accounts that tweet a lot are automated – and admit “not all of these users or even the majority of them are bots”. But the accuracy, or inaccuracy, of the research aside, there’s a bigger issue. What the Oxford Internet Institute never says is that there’s no evidence bots tweeting actually affects how anyone votes. Bots generally follow people – we’re all used to those suggestive female avatars in our notifications feeds – but people don’t really follow bots back. So when they push out propaganda, is there anyone there to see it? Of course, en masse, those bots can affect the trending topics. But getting “#Leave” trending is not the same as controlling the messaging around it, and Twitter’s algorithm explicitly tries to mitigate against such gaming of the system. And again there’s the question: who looks at tweets via the trending topics tab anyway (except perhaps journalists looking for something to pad out a listicle)? Fake news, the last of the unholy trinity, is a harder problem. We know it exists, and we know it gets in front of many people via social media sites like Facebook. We don’t really know how much it affects people and how much people see it for what it is – but the history of untrue stories in the tabloid press on topics like migration does lend weight to the idea that fake news can influence opinion. What is and isn’t fake news is a contested field. At one end of the spectrum, mainstream publications report inaccurate stories about flights full of Romanians and Bulgarians heading for the UK. At the other, teenagers in Macedonia run pro-Trump websites where the content is pure invention. Most would agree the latter is fake news, even if not the former. But this is a different problem to DDoS attacks or bot armies. The Macedonian teens aren’t ideologically driven by wanting Trump in the White House, they’re motivated by the advertising revenue their well-shared stories can earn. Even when fake news is created for propaganda rather than profit, there’s rarely a shadowy overlord pulling the strings – and bad reporting is some distance away from hacking the election. While there’s a strong case that foreign actors have tried to influence elections in other countries – such as the DNC hack in the US – we probably don’t need to worry unduly about cyberattacks swinging the UK election. Besides: why would a foreign state bother? We’ve already got a divided country struggling with its own future without any need for outside interference. Source: https://www.theguardian.com/technology/2017/apr/20/uk-general-election-2017-hacking-ddos-attacks-bots-fake-news

More:
Should we worry the general election will be hacked?

Criminals Leverage CLDAP Protocol to Conduct Amplified DDoS Attacks

Distributed denial-of-service attacks have quickly become one of the favorite tools among cyber criminals around the world. It appears some groups are taking things to the next level by leveraging the CLDAP protocol. As a result, they can amplify their DDoS attacks by as much as 700%. This is a very troublesome development, to say the least. CLDAP PROTOCOL IS NOW A CRIMINAL TOOL For those people who are unaware of what the CLDAP protocol is, allow us to briefly explain. It is a communication protocol used to connect, search, and modify internet directories. As one would expect, this particular protocol provides high performance at all times, as it can pump through data at an accelerated pace. So far, this protocol has only been used among network administrators to query data with relative ease. Unfortunately, all good technologies are often used for nefarious purposes, and the CLDAP protocol is no different in this regard. A new report has surfaced, indicating criminals use CLDAP to amplify their direct denial-of-service attacks. It is believed they can make such attacks up to 70 times as powerful as before, which does not bode well for any part of the global internet infrastructure. Researchers claim cybercriminals have been abusing the CLDAP protocol since late last year. That is quite a worrisome thought, although it is unclear which companies or services were targeted exactly. DDoS attacks leveraging the CLDAP protocol is not a positive development, as it only allows cybercriminals to shut down online services and platforms more easily. The last thing this world needs is more tools for online criminals to do bigger damage with less effort. The amplification part of the CLDAP protocol is of particular concern to security researchers right now. By using the CLDAP protocol, DDoS attackers can artificially increase the number of times a data packet is enlarged. At its peak, the CLDAP protocol can increase data packet sizes by as much as 700%. To be more specific, One bit of data sent through a DDoS attack over the CLDAP protocol results in the target receiving 700 bytes of data. So far, researchers have discovered over four dozen DDoS attacks leveraging the CLDAP protocol. That is quite a significant number, although it is only a hint of what the future will hold. Given the vulnerability of the Internet of Things devices, leveraging a hundred devices can now become as powerful as using 7,000 devices in a coordinated DDoS attack. It wouldn’t take much effort to shut down websites, online banking portals or even DNS service provides such as DynDNS. To put this latter part into perspective, it takes 1 Gbps of sustained HTTP requests to shut down the average website. The biggest DDoS attack leveraging CLDAP put through 24 Gbps, and that was merely a test to see how well the protocol would hold up under sustained throughput. It is evident things will get a lot more troublesome from here on out. Anti-DDoS providers will need to find ways to filter CLDAP traffic rather than try to block it, as they will fall woefully short otherwise. Source: https://themerkle.com/criminals-leverage-cldap-protocol-to-conduct-amplified-ddos-attacks/

Continue Reading:
Criminals Leverage CLDAP Protocol to Conduct Amplified DDoS Attacks

IoT malware clashes in a botnet territory battle

The Hajime malware is competing with the Mirai malware to enslave some IoT devices Mirai — a notorious malware that’s been enslaving IoT devices — has competition. A rival piece of programming has been infecting some of the same easy-to-hack internet-of-things products, with a resiliency that surpasses Mirai, according to security researchers. “You can almost call it Mirai on steroids,” said Marshal Webb, CTO at BackConnect, a provider of services to protect against distributed denial-of-service (DDoS) attacks. Security researchers have dubbed the rival IoT malware Hajime, and since it was discovered more than six months ago, it’s been spreading unabated and creating a botnet. Webb estimates it’s infected about 100,000 devices across the globe. These botnets, or networks of enslaved computers, can be problematic. They’re often used to launch massive DDoS attacks that can take down websites or even disrupt the internet’s infrastructure. That’s how the Mirai malware grabbed headlines last October. A DDoS attackfrom a Mirai-created botnet targeted DNS provider Dyn, which shut down and slowed internet traffic across the U.S. Hajime was first discovered in the same month, when security researchers at Rapidity Networks were on the lookout for Mirai activity. What they found instead was something similar, but also more tenacious. Like Mirai, Hajime also scans the internet for poorly secured IoT devices like cameras, DVRs, and routers. It compromises them by trying different username and password combinations and then transferring a malicious program. However, Hajime doesn’t take orders from a command-and-control serverlike Mirai-infected devices do. Instead, it communicates over a peer-to-peernetwork built off protocols used in BitTorrent, resulting in a botnet that’s more decentralized — and harder to stop. “Hajime is much, much more advanced than Mirai,” Webb said. “It has a more effective way to do command and control.” Broadband providers have been chipping away at Mirai-created botnets, by blocking internet traffic to the command servers they communicate with. In the meantime, Hajime has continued to grow 24/7, enslaving some of the same devices. Its peer-to-peer nature means many of the infected devices can relay files or instructions to rest of the botnet, making it more resilient against any blocking efforts. Hajime infection attempts (blue) vs Mirai infection attempts (red), according to a honeypot from security researcher Vesselin Bontchev. Who’s behind Hajime? Security researchers aren’t sure. Strangely, they haven’t observed the Hajime botnet launching any DDoS attacks — which is good news. A botnet of Hajime’s scope is probably capable of launching a massive one similar to what Mirai has done. “There’s been no attribution. Nobody has claimed it,” said Pascal Geenens, a security researcher at security vendor Radware. However, Hajime does continue to search the internet for vulnerable devices. Geenens’ own honeypot, a system that tracks botnet activity, has been inundated with infection attempts from Hajime-controlled devices, he said. So the ultimate purpose of this botnet remains unknown. But one scenario is it’ll be used for cybercrime to launch DDoS attacks for extortion purposes or to engage in financial fraud. “It’s a big threat forming,” Geenens said. “At some point, it can be used for something dangerous.” It’s also possible Hajime might be a research project. Or in a possible twist, maybe it’s a vigilante security expert out to disrupt Mirai. So far, Hajime appears to be more widespread than Mirai, said Vesselin Bontchev, a security expert at Bulgaria’s National Laboratory of Computer Virology. However, there’s another key difference between the two malware. Hajime has been found infecting a smaller pool of IoT devices using ARM chip architecture. That contrasts from Mirai, which saw its source code publicly released in late September. Since then, copycat hackers have taken the code and upgraded the malware. Vesselin has found Mirai strains infecting IoT products that use ARM, MIPS, x86, and six other platforms. That means the clash between the two malware doesn’t completely overlap. Nevertheless, Hajime has stifled some of Mirai’s expansion. “There’s definitely an ongoing territorial conflict,” said Allison Nixon, director of security research at Flashpoint. To stop the malware, security researchers say it’s best to tackle the problem at its root, by patching the vulnerable IoT devices. But that will take time and, in other cases, it might not even be possible. Some IoT vendors have released security patches for their products to prevent malware infections, but many others have not, Nixon said. That means Hajime and Mirai will probably stick around for a long time, unless those devices are retired. “It will keep going,” Nixon said. “Even if there’s a power outage, [the malware] will just be back and re-infect the devices. It’s never going to stop.” Source: http://www.itworld.com/article/3190181/security/iot-malware-clashes-in-a-botnet-territory-battle.html

Continue reading here:
IoT malware clashes in a botnet territory battle

CLDAP reflection attacks may be the next big DDoS technique

Security researchers discovered a new reflection attack method using CLDAP that can be used to generate destructive but efficient DDoS campaigns. DDoS campaigns have been growing to enormous sizes and a new method of abusing CLDAP for reflection attacks could allow malicious actors to generate large amounts of DDoS traffic using fewer devices. Jose Arteaga and Wilber Majia, threat researchers for Akamai, identified attacks in the wild that used the Connection-less Lightweight Directory Access Protocol(CLDAP) to perform dangerous reflection attacks. “Since October 2016, Akamai has detected and mitigated a total of 50 CLDAP reflection attacks. Of those 50 attack events, 33 were single vector attacks using CLDAP reflection exclusively,” Arteaga and Majia wrote. “While the gaming industry is typically the most targeted industry for [DDoS] attacks, observed CLDAP attacks have mostly been targeting the software and technology industry along with six other industries.” The CLDAP reflection attack method was first discovered in October 2016 by Corero and at the time it was estimated to be capable of amplifying the initial response to 46 to 55 times the size, meaning far more efficient reflection attacks using fewer sources. The largest attack recorded by Akamai using CLDAP reflection as the sole vector saw one payload of 52 bytes amplified to as much as 70 times the attack data payload (3,662 bytes) and a peak bandwidth of 24Gbps and 2 million packets per second. This is much smaller than the peak bandwidths of more than 1Tbps seen with Mirai, but Jake Williams, founder of consulting firm Rendition InfoSec LLC in Augusta, Ga., said this amplification factor can allow “a user with low bandwidth [to] DDoS an organization with much higher bandwidth.” “CLDAP, like DNS DDoS, is an amplification DDoS. The attacker has relatively limited bandwidth. By sending a small message to the server and spoofing the source, the server responds to the victim with a much larger response,” Williams told SearchSecurity. “You can only effectively spoof the source of connectionless protocols, so CLDAP is obviously at risk.” Arteaga and Majia said enterprises could limit these kinds of reflection attacks fairly easily by blocking specific ports. “Similarly to many other reflection and amplification attack vectors, this is one that would not be possible if proper ingress filtering was in place,” Arteaga and Majia wrote in a blog post. “Potential hosts are discovered using internet scans, and filtering User Datagram Protocol destination port 389, to eliminate the discovery of another potential host fueling attacks.” Williams agreed that ingress filtering would help and noted that “CLDAP was officially retired from being on the IETF standards track in 2003” but enterprises using Active Directory need to be aware of the threat. “Active Directory supports CLDAP and that’s probably the biggest reason you’ll see a CLDAP server exposed to the internet,” Williams said. “Another reason might be email directory services, though I suspect that is much less common.” Source: http://searchsecurity.techtarget.com/news/450416890/CLDAP-reflection-attacks-may-be-the-next-big-DDoS-technique

Read more here:
CLDAP reflection attacks may be the next big DDoS technique