Tag Archives: ddos

Major DNS provider hit by mysterious, focused DDoS attack

Attack on NS1 sends 50 million to 60 million lookup packets per second. Unknown attackers have been directing an ever-changing army of bots in a distributed denial of service (DDoS) attack against NS1, a major DNS and traffic management provider, for over a week. While the company has essentially shunted off much of the attack traffic, NS1 experienced some interruptions in service early last week. And the attackers have also gone after partners of NS1, interrupting service to the company’s website and other services not tied to the DNS and traffic-management platform. While it’s clear that the attack is targeting NS1 in particular and not one of the company’s customers, there’s no indication of who is behind the attacks or why they are being carried out. NS1 CEO Kris Beevers told Ars that the attacks were yet another escalation of a trend that has been plaguing DNS and content delivery network providers since February of this year. “This varies from the painful-but-boring DDoS attacks we’ve seen,” he said in a phone interview. “We’d seen reflection attacks [also known as DNS amplification attacks] increasing in volumes, as had a few content delivery networks we’ve talked to, some of whom are our customers.” In February and March, Beevers said, “we saw an alarming rise in the scale and frequency of these attacks—the norm was to get them in the sub-10 gigabit-per-second range, but we started to see five to six per week in the 20 gigabit range. We also started to see in our network—and other friends in the CDN space saw as well—a lot of probing activity,” attacks testing for weak spots in NS1’s infrastructure in different regions. But the new attacks have been entirely different. The sources of the attacks shifted over the week, cycling between bots (likely running on compromised systems) in eastern Europe, Russia, China, and the United States. And the volume of the attacks increased to the 30Gbps to 50Gbps range. While the attacks rank in the “medium” range in total volume, and are not nearly as large as previous huge amplification attacks, they were tailored specifically to degrading the response of NS1’s DNS structure. Rather than dumping raw data on NS1’s servers with amplification attacks—where an attacker sends spoofed DNS requests to open DNS servers that will result in large blocks of data being sent in the direction of the target—the attackers sent programmatically generated DNS lookup requests to NS1’s name servers, sometimes at rates of 50 million to 60 million packets per second. The packets looked superficially like genuine requests, but they were for resolution of host names that don’t actually exist on NS1’s customers’ networks. NS1 has shunted off most of the attack traffic by performing upstream filtering of the traffic, using behavior-based rules that differentiate the attacker’s requests from actual DNS lookups. Beevers wouldn’t go into detail about how that was being done out of concern that the attackers would adapt their methods to overcome the filtering. But the attacks have also revealed a problem for customers of the major infrastructure providers in the DNS-based traffic management space. While the DNS specification has largely gone unchanged since it was created from a client perspective, NS1 and other providers have carried out a lot of proprietary modification of how DNS works behind the scenes, making it more difficult to use multiple DNS providers for redundancy. “We’ve moved a bit away from the interoperable nature of DNS,” Beevers said. “You can’t slave one DNS service to another anymore. You’re not seeing DNS zone transfers, because features and functionality of the [DNS provider] networks have diverged so much that you  can’t transfer that over the zone transfer mechanism.” To overcome that issue, Beevers said, “people are pulling tools in-house to translate configurations from one provider to another—that did work very well for some of our customers [in shifting DNS during the attack].” NS1, like some of its competitors, also provides a service that allows customers to run the company’s DNS technology on dedicated networks. “so if our network gets hit by a big DDoS attack, they can still have access.” Fixing the interoperability problem will become more urgent as attacks like the most recent one become more commonplace. But Beevers said that it’s not likely that the problem will be solved by a common specification for moving DNS management data. “DNS has not evolved since the ’80s, because there’s a spec,” he said. “But I do believe there’s room for collaboration. DNS is done by mostly four or five companies— this is one of those cases where we have a real opportunity because community is small enough and because the traffic management that everyone uses needs a level of interoperability.” As companies with big online presences push for better ways to build multi-vendor and multi-network DNS systems to protect themselves from outages caused by these kinds of attacks, he said, the DNS and content delivery network community is going to have to respond. Source: http://arstechnica.com/information-technology/2016/05/major-dns-provider-hit-by-mysterious-focused-ddos-attack/

Visit site:
Major DNS provider hit by mysterious, focused DDoS attack

DDoS-for-Hire Services Go Up on Fiverr for 5 Bucks

In a new wrinkle in cybercriminal business modeling, distributed denial of service (DDoS)-for-hire services are being offered on the popular website Fiverr—where, as its name suggests, various professional services are offered for $5. According to Imperva, DDoS-for-hire services are a widespread business for hackers, typically billing themselves as “stressor” services to “help test the resilience of your own server.” In reality, they’re renting out access to a network of enslaved botnet devices, (e.g., Trojan-infected PCs), which are used as a platform to launch DDoS attacks. And once a user hands over his money, the criminals don’t care whose servers are ‘stress tested.’ A year ago, Imperva’s survey of the 20 most common stressor services showed that the average price was $38 per hour, and went as low as $19. Recently, the SecureWorks Underground Hacker Marketplace Report showed that, on the bottom end, the cost of hiring such a service on the Russian underground dropped to just five dollars per hour. “The price tag made us think of Fiverr—a trendy online marketplace where various professional services are offered for five bucks?” Incapsula researchers said, in a blog. “Would DDoS dealers have the audacity to use this platform to push their wares? A quick site search confirmed that, in fact, they would.” Imperva reached out to see if the Fiverr offers were the innocent stress testers they claimed to be. “To do so, we created an account on Fiverr and asked each of the stressor providers the following question: Regarding the stress test, does the site have to be my own?” the researchers noted. “Most had the good sense to ignore our message. One suggested that we talk on Skype.” In the end, an offering with a skull and bones image that offered to “massive DDoS attack your website” responded, saying: “Honestly, you [can] test any site. Except government state websites, hospitals.” Imperva quickly contacted Fiverr to let them know about the misuse of their service—they responded and acted to remove the providers. “Fiverr’s decisive action should serve as an example to an online community that, by and large, has accepted the existence of illegal stressors as a fact of life,” the researchers noted. Source: http://www.infosecurity-magazine.com/news/ddosforhire-services-go-up-on/

More:
DDoS-for-Hire Services Go Up on Fiverr for 5 Bucks

Image shutterstock_387773863-300x300.jpg

Devices Infected With New Ransomware Versions Will Execute DDoS Attacks

A combination of Ransomware and DDoS attacks is heralding a new wave of cyber attacks against consumers and enterprises around the world. Security experts are concerned this may become a standard practice going forward; this is not good news by any means. Ransomware And DDoS Is A Potent Mix Over the past few years, ransomware attacks have become the norm rather than an exception. But the people responsible for these attack continue to improve their skills, and infected machines will now start executing distributed denial of service attacks as well. Not only will users not be able to access their files, but the device will also become part of a botnet attacking other computers and networks around the world. KnowBe4 CEO Stu Sjouwerman stated: “ Adding DDoS capabilities to ransomware is one of those ‘evil genius’ ideas. Renting out DDoS botnets on the Dark Web is a very lucrative business, even if prices have gone down in recent years. You can expect [bundling] it to become a fast-growing trend.” One of the first types of ransomware to embrace this new approach is Cerber, a Bitcoin malware strain which has been wreaking havoc for quite some time now. Attacks have been using “weaponized” Office documents to deliver malware to computers, which would then turn into a member of a botnet to DDoS other networks. While some people see this change as a logical evolution of ransomware attacks, this is a worrying trend, to say the least. Assailants can come up with new ways to monetize their ransomware attacks, even if the victim decides not to pay the fee. As long as the device is infected, it can be used to execute these DDoS attacks, which is a service worth the money to the right [wrong] people. A recent FireEye report shows how the number of Bitcoin ransomware attacks will exceed 2015 at the rate things are going right now. Now that DDoS capabilities are being added to the mix, it is not unlikely the number of infections will increase exponentially over the next few months. Moreover, removing the ransomware itself is no guarantee computer systems will not be used for DDoS purposes in the future, and only time will tell if both threats can be eliminated at the same time. Source: http://themerkle.com/devices-infected-with-new-ransomware-versions-will-execute-ddos-attacks/

View post:
Devices Infected With New Ransomware Versions Will Execute DDoS Attacks

Japanese teens DDoS attack takes out 444 school websites

A Japanese teenager was charged on May 11 for allegedly launching a DDoS attack against the Osaka Board of Education, which shut down 444 school websites. The 16-year-old faces obstruction of business charges for the attack, which was carried out last November, and marked the first time in Japan’s history that a cyber attack was launched against a local government, according to Japan Today. The teen said he launched the attack to remind his teachers “of their own incompetence,” according to the publication. The student reportedly told police he wanted to join the hacking collective Anonymous and that he didn’t know that schools other than his own would be impacted. He faces up to three years in prison and a 500,000 yen fine. Source: http://www.scmagazine.com/japanese-teen-launches-massive-ddos-attack-to-remind-teachers-they-are-incompetent/article/496756/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SCMagazineHome+%28SC+Magazine%29

View article:
Japanese teens DDoS attack takes out 444 school websites

Malicious Android apps slip into Google Play, top third party charts

Enlist phones in ad fraud, premium SMS, loser DDoS Malicious Android applications have bypassed Google’s Play store security checks to enslave infected devices into distributed denial of service attack, advertising fraud, and spam botnets.…

Read More:
Malicious Android apps slip into Google Play, top third party charts

Anonymous teams up with GhostSquad to attack major banks

Anonymous has joined forces with GhostSquad to launch successful cyberattacks on eight international banks that were forced to shut down their websites. The hacktivist collective alongside the hacker group GhostSquad have launched a new operation called Op Icarus which aims to punish corrupt banks and individuals in the financial sector. So far the Central Bank of the Dominican Republic, the Guernsey Financial Services Commission, the Central Bank of Maldives and the Dutch Central Bank were all offline for a brief period on May 6 after being hit with distributed denial of service (DDoS) attacks. A day later, the National Bank of Panama and the Central Bank of Kenya were hit with cyberattacks, followed by the Central Bank of Bosnia and Herzegovina and the Central Bank of Mexico were taken offline as a result of DDoS attacks. All eight of the international banks that have been targeted by Op Icarus have managed to bring their systems back online. Anonymous did send a warning to the banking community in the form of a video that was posted on May 4 which said: “We will not let the banks win, we will be attacking the banks with one of the most massive attacks ever seen in the history of Anonymous”. Members of the group also reportedly told the site Hack Read that: “The National Bank of Panama was a special target considering the importance of the Panama leaks. We want to make sure the corrupt elite named in the papers would be punished one day”. With the addition of the cyberattack against the Central Bank of Greece and the Central Bank of Cyprus, Anonymous has now launched 10 attacks on international banks on its list of 160 potential banks that could be targeted by its members. Anonymous has planned Op Icarus to be a month long campaign against the banking industry as a whole. The US Federal Reserve Bank, the IMF, the World Bank, the New York Stock Exchange and the Bank of England are all listed by the group as potential targets and with more than half of the campaigns’ allotted time remaining, this will most likely not be the group’s grand finale. Source: http://betanews.com/2016/05/12/anonymous-op-icarus/

See the original post:
Anonymous teams up with GhostSquad to attack major banks

Playbook: Prepare your business for DDoS attacks

Like any business initiative, good preparation and planning can go a long way toward making the DDoS response process as manageable, painless, and inexpensive as possible. Read the DDoS Response Playbok and find out: How you can effectively plan and execute your DDoS response plan What are the best practices for choosing and setting up the right mitigation solution for your organization What the steps and procedures for authoritatively responding to a DDoS attack. DDoS … More ?

Read More:
Playbook: Prepare your business for DDoS attacks

Bitrated faces severe DDoS attack and $3,200 ransom demand

A couple of hours ago, Bitrated, a bitcoin trust platform meant for reputation management and consumer protection has posted a tweet, warning users about an ongoing DDoS attack, carried out in the form of an extortion attempts. During the last couple of weeks, numerous Bitcoin-related companies, but also other businesses from all around the world have been affected by such attacks. According to a Medium post written by the Bitrated, it seems like they received a warning mail five minutes prior to the commencement of the attack, asking for a total of 7 BTC, worth around $3,200 at the time of writing. Unlike other extortionists who decided not to stand up to their promise, Bitrated’s servers were attacked for a couple of hours, and were put under a strain of 3.2 Gb/s. In return, DigitalOcean null routed trading on their network infrastructure. According to Bitrated, the company has an ethic code which makes them unable to succumb to any extortion attempts. They believe that blackmail demands are unethical, and funding the extortionists will undoubtedly lead to further attacks. Bitrated also mentioned that due to their nature of being a bootstrapped startup, they do not have the financial resources required to counter-attack such demands, which is why the service may be unavailable for a while. Based on everything that has been outlined so far, what do you personally think about this DDoS attack? Let us know your thoughts in the comment section below. UPDATE: The DDoS attacks have stopped. Therefore, the platform is available. Bitrated encourages users who wish to do so, to withdraw their funds from the system as soon as possible. Source: http://themerkle.com/bitrated-faces-severe-ddos-attack-and-3200-ransom-demand/

Read the article:
Bitrated faces severe DDoS attack and $3,200 ransom demand

Anonymous Threatens Bank DDoS Disruptions

Follows Collective’s ‘Total War’ Against Donald Trump After earlier this year declaring “total war” against U.S. Republican presidential candidate Donald Trump, the hacktivist group Anonymous is now threatening global banks with 30 days of distributed denial-of-service attack disruptions. As a preview, on May 2, the group claimed to have disrupted the website of Greece’s central bank. “Olympus will fall. A few days ago we declared the revival of Operation Icarus. Today we have continuously taken down the website of the Bank of Greece,” the group said in the video posted on You Tube and delivered in the classic Anonymous style via a disembodied, computerized voice. “This marks the start of a 30-day campaign against central bank sites across the world,” it adds. “Global banking cartel, you’ve probably expected us.” Of course, banks have previously been targeted en masse by DDoS attackers. Beginning in 2012, for example, attacks waged by a group calling itself the “Izz ad-Din al-Qassam Cyber Fighters” continued to disrupt U.S. banks’ websites as part of what it called “Operation Ababil.” In March, the Justice Department unsealed indictments against seven Iranians – allegedly working on behalf of the Iranian government – accusing them of having waged those attacks. Regardless of who was involved, it’s unclear if Anonymous could bring similar DDoS capabilities to bear for its Operation Icarus. A Central Bank of Greece official, who declined to be named, confirmed the May 2 DDoS disruption to Reuters , though said the effect was minimal. “The attack lasted for a few minutes and was successfully tackled by the bank’s security systems. The only thing that was affected by the denial-of-service attack was our website,” the official said. Greek banks have been previously targeted by DDoS extortionists, demanding bitcoins. “It would have been better if no disruption occurred, but it is good that the attack – if that is what caused the disruption – was handled so quickly,” says information security expert Brian Honan, who’s a cybersecurity expert to the EU’s law enforcement intelligence agency, Europol. A “World Banking Cartel Master Target List” published by Anonymous to text-sharing site Pastebin early this month lists the U.S. Federal Reserve, as well as Fed banks in Atlanta, Boston, Chicago, Dallas, Minneapolis, New York, Philadelphia, Richmond and St. Louis. Also on the target list are websites for the International Monetary Fund, the World Bank as well as 158 central banks’ websites. In a related video missive issued March 31, Anonymous urged its members to “take your weapons and aim them at the New York Stock Exchange and Bank of England,” promising that “this is the operation to end all others.” The planned Anonymous operation follows elements of the collective earlier this year declaring “total war” against Trump, and on April 1 temporarily disrupting several of Trump’s websites, The Hill reports. Since then, of course, Trump has become the only Republican presidential candidate left standing after his massive win in this week’s Indiana primary. Banks: Beware DDoS Threats While the Anonymous bark doesn’t always equal its bite, in the wake of this alert, “banks in the United Kingdom, United States and Latin America should be very prepared” against potential attacks, says Carl Herberger, vice president of security for DDoS-mitigation and security firm Radware. “In the same vein as someone yelling ‘bomb’ at an airport or fire at a movie theater, cyber-attack threats – whether idle or not – are not to be taken lightly,” he says, although he adds that the number of threatened DDoS attacks outweighs the quantity of actual attacks. Herberger says in light of the new threat, all banks should review their DDoS defense plans, keeping in mind that DDoS attackers do continue to refine their tactics, as seen in the disruption of Geneva-based encrypted email service ProtonMail. “As the attacks on ProtonMail in November 2015 have demonstrated … attackers change the profile of their attacks frequently and leverage a persistent and advanced tactic of revolving attacks geared to dumbfound detection algorithms,” he says, dubbing such tactics “advanced persistent DoS.” Maintain a DDoS Defense Plan Security experts have long recommended that all organizations have a DDoS defense plan in place. The U.K.’s national fraud and cybercrime reporting center, ActionFraud, for example, recently issued the following advice to all organizations: Review: “Put appropriate threat reduction/mitigation measures in place,” tailored to the risk DDoS disruptions would pose to the organization. Hire: If DDoS attacks are a threat, seek professional help. “If you consider that protection is necessary, speak to a DDoS prevention specialist.” Prepare: All organizations should liaise with their ISP in advance of any attack. “Whether you are at risk of a DDoS attack or not, you should have the hosting facilities in place to handle large, unexpected volumes of website hits.” DDoS Extortions Spike The guidance from ActionFraud, released April 29, also warned that the center has recently seen a spike in DDoS extortion threats from an unnamed “online hacking group” demanding the equivalent of $2,250 to call off their planned attack. “The group has sent emails demanding payment of 5 bitcoins to be paid by a certain time and date. The email states that this demand will increase by 5 bitcoins for each day that it goes unpaid,” ActionFraud’s alert states. “If their demand is not met, they have threatened to launch a [DDoS] attack against the businesses’ websites and networks, taking them offline until payment is made.” ActionFraud advises targeted organizations: “Do not pay the demand.” That echoes longstanding advice from law enforcement agencies globally. ActionFraud also urges organizations to keep all copies of DDoS extortion emails – including complete email headers – as well as a complete timeline for the threats and any attacks, and to immediately report threats or attacks to authorities. Investigators say that keeping complete records – including packet-capture logs – is essential for helping to identify perpetrators. Or as ActionFraud advises: “Keep a timeline of events and save server logs, web logs, email logs, any packet capture, network graphs, reports, etc.” Masquerading as Armada Collective? CloudFlare, a DDoS mitigation firm, reports that related attacks began in March and have been carried out under the banner of Armada Collective, as well as potentially Lizard Squad, although it’s not clear if those groups are actually involved. It’s also unclear if the threatened DDoS disruptions have ever materialized. “We’ve been unable to find a single incident where the current incarnation of the Armada Collective has actually launched a DDoS attack,” CloudFlare CEO Matthew Prince says in a blog post. “In fact, because the extortion emails reuse bitcoin addresses, there’s no way the Armada Collective can tell who has paid and who has not. In spite of that, the cybercrooks have collected hundreds of thousands of dollars in extortion payments.” Source: http://www.bankinfosecurity.com/anonymous-threatens-bank-ddos-disruptions-a-9085

See the article here:
Anonymous Threatens Bank DDoS Disruptions

Explanation of DDoS attacks and SQL Injections

In most articles about Hack you usually follow attacks by groups like Anonymous, LulzSec and AntiSec. And you’ve heard also spoke websites and platforms that have been hacked as Sony earlier this year, for example. But are you aware of the methods used to break down these services? There are many tools and techniques that some hackers use to reach their goals but I will not give you all this turnkey. Here I will briefly explain the operating principle of the two most known attacks on the web. —  DDoS (Distributed) Denial of Service — SQL injections or SQLi DDoS attacks (Distributed) Denial of Service First of all what is a DDoS attack? A Denial of Service (also known as Distributed Denial of Service, or DDoS), resulting in denial-of-service attack. This kind of attack is to make available a service. Here I take the example (according to the diagram above) an attack on a web server by flooding the network to prevent its operation. You understood the objective and a successful DDoS attack is to render inoperative the website for everyone. As it works? In a DDoS attack, it’s all about logistics. And nothing like an example to explain it all Take a good million malicious people coming together in order to sabotage the company’s affairs X using its call center. They will coordinate their actions say Friday at 10am to call all at the same time the company X. This will be bombarded with millions of phone calls and probably will not manage. The result is that legitimate customers wanting to call this company will struggle to reach her. A DDoS attack on a web server works exactly the same way. Indeed, there is virtually no way of knowing if the generated traffic comes from legitimate requests or hackers. It is a type of attack usually very effective but requires substantial resources following the targeted server. Implementation of the attack A DDoS attack works virtually like a brute force. You’ll need a fairly large number of computers to attack all coordinates simultaneously. According to the example I gave you the call center, you can imagine that he rather difficult to directly control thousands of computers to attack a server. This is where the zombie machines come in. As you probably know, there are a multitude of malware and trojans that once installed on a system dormant pending instructions from the hacker who created it. One such instruction could be for example to send multiple requests to a web server. And so one hacker would have infected several thousand computers could use them to perpetrate the attack. With the use of multiple botnets in general it is very difficult to trace the source of such attacks because the hacker does not have to use its own machine to perform its action (besides controlling botnets but it goes without saying). SQL or SQLI injections What is SQL injection? A SQL injection is an achievement, that is to say a security flaw in an application connected to a database. Typically such flaws leverages bad programming techniques of some developers. ^^ This attack allows a compromise or even a server database if the user using the database system rights. But unlike a DDoS attack a SQLi attack can be easily avoided if a web application is programmed correctly. Implementation of the attack When you want to connect to a web site, you enter your user name and password. To test these settings, the web application will make a request of this type: 1 SELECT user_id FROM users WHERE username = ‘myuser’ AND password = ‘mypass’; Note that the String variables must be enclosed in single quotes. Thus the combination of username (myuser) and password (mypass) must match a line in the table of users (users) to a user_id is returned. If no line is, no user_id is back and in this way the connection with the entered password is invalid. However, if a user enters a substitution value that can be interpreted in the query, then at that time your application is susceptible to SQL injection. Suppose myuser ‘- entered the fields username with any password. This would give: 1 SELECT user_id FROM users WHERE username = ‘myuser’ – ‘AND password =’ ??mypass’; The key to this application is the inclusion of two hyphens (-). This is actually the token to comment out an SQL query. And so everything after the two dashes will be ignored. Here the query executed will be: 1 SELECT user_id FROM users WHERE username = ‘myuser’ As you have noticed most glaring omission here is the verification of the password! And this is by including in the fields username both indents that the password is completely ignored. This is called a SQL injection. The results By imagining that the site has full control over its database, then the consequences can be quite devastating. This can give the possibility to hack delete, create or edit database records, etc … To illustrate the damage that can be caused, consider this request as an example: 1 SELECT user_id FROM users WHERE username = ‘lama’; DROP TABLE users; – ‘AND password =’ ??mypass’; Here we have entered the user name input fields Lama ‘; DROP TABLE users; -. The semicolon used to end a statement and to create a new following. DROP TABLE users; will delete the users table in the database. Basically the query executed by data base will be: 1 SELECT user_id FROM users WHERE username = ‘lama’; 2 DROP TABLE users; Sure SQL permissions as the hacker can do a lot worse! As clear the entire database, create new logins, etc … Protect a SQL injection SQL injection can be easily circumvented by “disinfectant” or “escaping” the data. In English we can translate these words by “Sanitize” or “Escape”. In this way a chain inside a request can not be terminated prematurely. For example, to search the user name Wada in database you are forced to escape the single quote after the L. So you can “sanitize” the chain by inserting a . Returning to the previous SQL injection example with the value myuser ‘-. 1 SELECT user_id FROM users WHERE username = ‘myuser ‘ – ‘AND password =’ ??mypass’; Escaping the single quote after myuser, the database will search the user name myuser ‘-. So the query is executed fully and includes the second condition on the password. There are several methods to escape a string in a request. PHP for example you can use the mysql_real_escape_string () to escape a string in a request. 1 $ Sql ??= “SELECT user_id FROM users”; 2 mysql_real_escape_string ( “myuser” – “). $ Sql. = “AND password = ‘”. mysql_real_escape_string ( “mypass”).

Follow this link:
Explanation of DDoS attacks and SQL Injections