Tag Archives: ddos

Image screen-shot-2015-07-05-at-9-21-10-pm.png

Here’s how the NSA spied on UN leaders and targeted DDoS attackers

XKeyscore runs on Linux-based servers across 150 field sites scattered across the globe. No matter what you’ve done on the internet, you can bet the National Security Agency has a record of it. Newly released documents leaked by Edward Snowden shed light on the scale and scope of the XKeyscore program, a program described by one classified document as the “widest-reaching” system for gathering information from the internet. The new batch of documents detail one of the most extensive programs used in the US government’s arsenal on global surveillance, more than two years after it was first revealed by The Guardian . The program, which runs on hundreds of Red Hat Linux-based servers scattered around the globe (likely in US Embassy buildings), allows analysts to filter the vast amount of incidental data created when a user browses the web. The program allows analysts to selectively pick out usernames and passwords, browser history, emails sent and received, social media data, and even locations and detect whether or not a computer is vulnerable to certain kinds of malware or other threats. A single unique identifier, such as a username, password, email fragment, or even images, can be used to trace a person’s online activities with extreme precision. One of the documents said the program was successful in capturing 300 terrorists based on intelligence it had collected. Out of all the programs, XKeyscore may be the largest in scope, with some field sites sifting through more than 20 terabytes of data per day, according to The Intercept , collected from the various fiber cables around the world. The newly-released trove of documents details a broader scope of access to personal information that NSA analysts have. Those include: The NSA was able to acquire talking points UN Secretary General Ban Ki-moon wanted to bring up with US President Barack Obama through the Blarney program, which feeds the XKeyscore program. (Blarney is thought to be a program that taps fiber optic cables at core internet choke points around the US and the world.)   When a group of people overload a server or network with a flood of network traffic (causing a “distributed denial-of-service” or DDoS attack), users can be identified using XKeyscore. One document boasts of how “criminals” can be found through the program.   NSA analysts can plug in queries such as “show me all the exploitable machines in [whichever] country” and have returned to them a list of computers and devices that are vulnerable to the hacking exploits of the NSA’s elite intrusion unit, known as Tailored Access Operations (TAO). That also extends to “find all iPhones in Nigeria,” or “find Germans living in Pakistan.” One of the documents showing how NSA analysts can use XKeyscore Oversight of the program is limited at best. The system is littered with reminders not to breach human rights’ laws or minimization procedures designed to prevent Americans’ data from being used by the program. Yet, not everything is audited. System administrators often log in to the program under one username, “oper,” which is used across multiple people and divisions, making any actions carried out under that name almost impossible to track.   XKeyscore can search other databases, like Nucleon, which “intercepts telephone calls and routes the spoken words” to a database. (So yes, the US government is listening to some people’s phone calls.) One newly-released document showed more than 8,000 people are ensnared by the program, with more than half-a-million voice files recorded each day.   An al-Qaeda operative is said to have searched Google for his own name, among other aliases, which was picked up by the XKeyscore program, another document shows .   The program is able to snoop inside documents attached to emails, one document says . That supposedly can help determine who had authored a Word or PowerPoint document.   NSA has its own internal online newspaper, a document shows , which the agency dubs the “NSA Daily.” It’s a top secret publication, which only agents belonging to UK, US, Australian, Canadian, and New Zealand intelligence agencies can access. The NSA said in a statement (of which portions had been used in previous statements) that its foreign intelligence operations are “authorized by law” and are “subject to multiple layers of stringent internal and external oversight.” Source: http://www.zdnet.com/article/nsa-xkeyscore-spy-united-nations-target-denial-service-more/

Continue Reading:
Here’s how the NSA spied on UN leaders and targeted DDoS attackers

DDoSers call 1988 and want its routing protocol hacked

500 routers whip up colossal DDOS over ye olde RIP protocol Attackers are exploiting an ancient networking protocol to enslave small home and office routers in distributed denial of service attacks, Akamai says.…

Original post:
DDoSers call 1988 and want its routing protocol hacked

‘Zombie’ network protocols become DDoS threats

Attackers won’t let RIPv1 rest in peace. Attackers continue to search for obsolete protocols that are no longer used but still running on networked computer systems in order to abuse them as denial of service amplifiers. Content delivery network firm Akamai’s PLXsert security team discovered that the routing information protocol version 1, introduced in 1988, was used in a denial of service attack against its customers in May this year. RIPv1 was designed for small networks in the early internet era. It broadcasts lists of routes and updates to devices listening for RIPv1 information. A small, 24-byte RIPv1 request with a forged source IP address can result in multiple, 504-byte response payloads, creating a large amount of unsolicited traffic directed towards victims’ networks and flooding them. Attackers were in particular looking for routers that contain large amounts of routes in the RIPv1 database, so as to maximise the traffic volumes and damage done to target networks. Internet luminaries disagree however as to how much of a threat RIPv1 represents. APNIC chief scientist Geoff Huston told iTnews  RIPv1 is late 80s technology that routes the now abandoned Class A/B/C network address structure. “I find it hard to think that RIPv1 is connected to the global internet and that there are enough of them out there to constitute a real threat,” Huston said. Finding even one site in 2015 that is running RIPv1 is “like discovering a Ford Model T on the streets still in working order,” Huston said. Director of architecture for internet performance company Dyn, Joe Abley, pointed out that the problem is not that operators use RIPv1 for routing, it’s that administrators leave RPv1 turned on. The protocol has been unsuitable for the past two decades because it doesn’t work with classless inter-domain routing. “Just because you no longer have any use for a protocol doesn’t mean you always remember to turn it off,” he told iTnews . “What is happening is that ancient systems that have been hidden in dark corners for decades are suddenly jumping out into the sunlight and running amok because someone realised they could provoke them into bad behaviour, from a distance.” He said there are end-systems connected to the internet that support the ancient routing protocol and which have it turned on by default. Old Sun Microsystems Solaris servers are examples of such systems that are now being abused as packet amplifiers in denial of service attacks. RIPv1 does not use authentication, leaving it wide open to anyone on the internet to connect to. The attack is not fundamentally different from reflection attacks using the domain name system, chargen, simple network management protocol, or any one of a variety of user datagram-based protocols, Abley said. “This attack is not new and special really, although the fact that it uses RIP certainly brings a roguish twinkle to this aged network administrator’s eye,” he said. It can however cause large traffic floods. “Akamai’s Prolexic team have seen attacks that delivered over 10 gigabit per second of traffic towards a single victim,” Abley said. “I wouldn’t categorise that as ‘not really a problem’, especially if I was the one on the receiving end.” Abley said as with most amplification attacks, “poking the bear from a great distance relies upon being able to fake the source address of the stick.” There would be fewer opportunities for this happen if network operators followed the advice in Internet Engineering Task Force best current practice documents such as BCP38, which details network ingress filtering and similar texts to protect their networks. Source: http://www.itnews.com.au/News/406090,zombie-network-protocols-become-ddos-threats.aspx#ixzz3eqpq5n9E

Continue reading here:
‘Zombie’ network protocols become DDoS threats

Anonymous DDoS UAE banking websites

Several UAE banks were hit by a co-ordinated cyber attack, known in the trade as a distributed-denial-of-service (DDoS) attack, on Tuesday, crippling e-banking operations and websites, and leaving the unnamed institutions fearing further assaults, Arabian Business’ sister websiteITP.net has reported. German systems integrator Help AG, which played a central role in the clean-up for one of the victims, told the website that the DDoS attack, which has been linked to cyber group Anonymous, happened on the last day of the month as the attackers sought to wreak maximum disruption during the banks’ busiest period. Help AG cited “sources in the market” who report “widespread” incidents in the UAE financial sector. A DDoS attack uses tens, sometimes hundreds, of thousands of computers to synchronise a bombardment of packet-traffic on a server. In the absence of sophisticated mitigation solutions, servers can be brought down and services brought to a halt. “Picking the last day of a month is a very wise choice from the attackers, as it is a widely known fact that the last three days of a calendar month are the busiest ones in the financial industry, as a lot of money is changing hands in the form of salaries, mortgage and loan payments,” Nicolai Solling, director of technology services, Help AG, told ITP.net by email.   Help AG’s systems identified hundreds of thousands of packets per second sustained for a number of hours on one UAE-based financial services institution. The attacks, the company said, were “not sophisticated in form”, but “followed very much the usual pattern of Anonymous, meaning application-level depletion attempts”. “Typically this is in the form of ‘get’ requests on the Web layer, which then tries to exhaust the Web servers, unfortunately something that often is too easy to achieve,” Solling explained. Anonymous is a global movement with no clear leadership, although it has spawned specific cyber groups such as LulzSec that perform co-ordinated campaigns on high-profile targets. This week’s attack was part of what the group calls #OpArabia. At the time of writing, the group listed several targets in Saudi Arabia, Egypt and the UAE on justpaste.it. Help AG did not disclose the identity of any victims, but the National Bank of Abu Dhabi (NBAD) was featured prominently on the list. “Help AG has for a period been aware of a number of threats on the region posed from Anonymous,” Solling said. Source: https://en-maktoob.news.yahoo.com/anonymous-cyber-hackers-hit-uae-banking-websites-112413582.html

View article:
Anonymous DDoS UAE banking websites

Rise in DDoS reflection attacks using abandoned routing protocol

There's been an increase in the use of outdated Routing Information Protocol version one (RIPv1) for reflection and amplification attacks, according to Akamai. RIPv1 is a fast, easy way to dynamica…

Original post:
Rise in DDoS reflection attacks using abandoned routing protocol

Anonymous celebrates Canada Day with DDos attacks

For Canadians, July 1 is Canada Day—but to Anonymous, it’s also the perfect occasion to launch a protest campaign of distributed denial of service (DDos) attacks. The internet activist group announced on Wednesday morning that it had planned #AntiCanadaDay protests in support of its #OpCyberPrivacy campaign, created in opposition to Canada’s controversial, recently-passed anti-terror legislation, Bill C-51. The bill grants the Canadian Security Intelligence Service (CSIS) broad powers—with judicial authoriziation—to do just about anything to “disrupt” and investigate terrorist plots and propaganda, both online and offline. “We protest against the systemic invasion of privacy by government and corperate [sic] entities around the world,” the announcement reads. “We stand ardent in our defiance to all those who would take away our rights and freedoms.” A full list of targets, posted shortly before the #AntiCanadaDay attacks began, lists the websites of Liberal party leader Justin Trudeau, Minister of Justice Peter McKay, the Canadian Security Intelligence Service (CSIS), and the Canadian Senate as “main targets.” A host of other lobbyist groups and senators who voted in favour of Bill C-51 are listed as targets too. “All Canadian government web assests [sic] are fair game,” read the statement. “Lazors free on all federal, provincial and municpal [sic] services.” Shortly after noon, accounts on Twitter associated with the campaign reported that multiple government of Canada websites had been taken offline. When Motherboard attempted to access sites such as Canada.ca and sencanada.ca, for example, pages either loaded slowly, displayed an error, or did not load at all. “Remember hold nothing down for protracted lengths,” said an operation admin in the group’s chat room. “This is after all just a protest.” In a separate chat room interview, members told VICE News reporter Hilary Beaumont that eight people belong to the core #OpCyberPrivacy team. “We all expect blowback for today,” wrote one of the users, but said that it was worth the risk. “This bill violates the charter of rights and freedoms, universal declaration of human rights,” a user said, citing the threat of more invasive spying offline, and the potential to be arrested without a warrant and held without charge. “They make the rules up as they go,” wrote another member. “So if I’m a perfectly law abiding citizen who is impacted greatly by something and I protest I can be arrested [because] criticizing that is terrorism.” By early afternoon, focus had shifted to sites such as the Canadian parliament domain parl.gc.ca, and Conservative party Prime Minister Stephen Harper’s domain pm.gc.ca. The admin said the government was “putting up a good fight.” “They are adding load balancers, moving servers, closing off access,” wrote another user. “Some of the pages up [at the moment] are only cached versions.” The protest is expected to continue until midnight. Source: http://motherboard.vice.com/read/anonymous-is-celebrating-canada-day-in-protest-with-attacks-on-government-sites?utm_source=mbtwitter

Read the original:
Anonymous celebrates Canada Day with DDos attacks

DDoS Attackers Exploiting ’80s-Era Routing Protocol

Latest wave of DDoS attacks abuses small office-home routers via the 27-year-old, outdated Routing Information Protocol Version 1 (RIPv1). An outdated and long-forgotten routing protocol is the latest weapon in a wave of distributed denial of service (DDoS) attacks executed via home and small business routers in the past two months. Akamai Technologies’ Prolexic Security Engineering & Research Team (PLXsert) today issued a threat advisory warning of a surge in DDoS attacks using the Routing Information Protocol version one (RIPv1) to wage DDoS reflection and amplification attacks. The 27-year-old routing protocol, which allows routers in a small network to share route information, has since been updated with a newer more secure version, but the older version 1 remains in use in many small office/home office router models. While some 2,000 SOHO routers so far have been used in this new attack campaign, Akamai also found around 53,000 routers with RIPv1 enabled and vulnerable to the very same attack, mostly Motorola Netopia 2000 and 3000 series devices in the US. The main ISP running those RIPv1-enabled routers was AT&T. Sponsor video, mouseover for sound The biggest attack spotted so far: around 12 gigabits-per-second. “That was just using a limited number of resources [routers],” says Jose Arteaga, senior security researcher with Akamai PLXsert. “We found a good number of devices available with this protocol open. Our concern there is if malicious actors continue to scan or incorporate more devices in this attack, attacks can grow to be quite large. They could reach 100-gig or more.” Artiago says there’s been no specific industry targeted in the attacks at this time, and the attacks are originating mostly out of Europe and most likely a DDoS-for-hire operation, he says. The main sources include the Russian Federation (39%), China (19%), and 15% in Germany and Italy. Unlike its successor RIPv2, RIPv1 doesn’t have an authentication feature, so routers communicating via RIPv1 aren’t vetted and authenticated, leaving them open to abuse. This isn’t the first time RIPv1 has been abused for a DDoS attack. The PLXsert team spotted similar attacks nearly two years ago but those attacks basically exploited it for a query flood, not a reflection attack, where traffic is redirected from an “innocent” device to a target on the network, Arteaga says. RIPv1 Not Resting In Peace The good news is that RIPv1 is not enabled by default on enterprise-grade routers. So why is it left open on some SOHO routers? “Could be an ISP enabling it for some reason or another, but it shouldn’t be” available, he says. It also may be useful in a very small business network, he says, but that comes with this risk of abuse by malicious actors. The common denominator in most of today’s DDoS attacks is the use of the UDP protocol. More than 56% of all DDoS attacks abuse UDP, according to DDoS security vendor Incapsula. Of those, 8% use a protocol popular among Internet of Things devices, SSDP (Simple Service Discovery Protocol) used in gaming consoles and printers, for example. “A common theme with these attacks is they are obviously taking advantage of UDP … there is no way [for a victim router] to refuse that request” because it’s a connectionless protocol, Akamai’s Arteaga says. It’s up to the ISPs offering these devices to block port 520 used by UDP, which then would prevent any reflection attacks, he says. And small businesses should use the more secure RIPv2 instead of version 1. Bottom line: DDoS isn’t going away, and attackers are constantly looking for new ways to abuse equipment on the Internet as weapons to attack their targets. “It has constantly increased in activity,” says David Fernandez, manager of the PLXsert team. “DDoS has not gone away.” Source: http://www.darkreading.com/perimeter/ddos-attackers-exploiting-80s-era-routing-protocol/d/d-id/1321138

Read More:
DDoS Attackers Exploiting ’80s-Era Routing Protocol

CSIS website goes down due to DDoS attack

The website for CSIS, the Canadian Security Intelligence Service, appears to have gone down again — less than 24 hours after a suspected rogue hacker took the site down in a so-called denial of service attack. The website for Canada’s spy agency went offline shortly after 9 a.m. ET Tuesday. While the cause is still unknown, when the website went down Monday night, sources told CTV’s Mercedes Stephenson that a rogue hacker who had previously launched attacks on several municipal and police websites, had claimed responsibility for the CSIS attack. A denial-of-service attack is not technically a hack into the site, but the attack does prevent Internet users from accessing the website. “Experts I’ve spoken to say it is very hard to stop this kind of attack,” Stephenson told CTV News Channel Tuesday morning. “The level of sophistication and the number of ways they are attacking one website at one time to send it offline is very hard to prevent.” She says sources tell her that the hacker isn’t attempting to steal information in these attacks. “This is all about trying to embarrass the government, intelligence agencies and the police,” she said. The hacker is trying to draw attention to the controversial Bill C-51, as well as the case of an Ottawa teen who was charged in an alleged “swatting” incident. The hacker believes the teen was framed, sources tell CTV. A spokesperson for the Ministry of Public Safety and Emergency Preparedness, acknowledged in a statement Monday night that the CSIS website had gone “temporarily offline.” “No information has been breached. We are taking cybersecurity very seriously,” spokesperson Jean-Christophe de Le Rue said. The same hacker was previously connected to hacking group Anonymous, but appeared to be operating alone on Monday, sources said. The person believed to be responsible tweeted out several messages about the CSIS website Monday, including: “I’m deciding if I should let CSIS back online and hit another government website, or if I should keep it offline for a while.” Less than two weeks ago, several government websites — including ServiceCanada.gc.ca and Parl.gc.ca — were hit by a denial of service attack. Anonymous claimed responsibility. Source: http://www.ctvnews.ca/canada/csis-website-goes-down-again-1.2447166

Link:
CSIS website goes down due to DDoS attack

Protests or profiteering? Whether it’s Anonymous, the Cyber Caliphate or Cyber Berkut, the hack remains the same

“Hacktivism” has been around since the Cult of the Dead Cow in the 1980s; only the names have changed. Where we once heard about Chaos Computer Club and the Legion of Doom, we now have high-profile examples like Anonymous, Anti-Sec and Lulzsec. This is not a comparison – 35 years ago it was mostly demonstrations and denials of service. Now, attacks have become exponentially more intrusive and destructive. With this escalation in damages comes a new name. Cyber terrorism is a term that the media has been using quite frequently. There have also been countless articles on the so-called Cyber Caliphate, Cyber Berkut, and even various disparate groups of “cyber freedom fighters” around the world. Is changing “hacktivism” to “terrorism” the government and media’s way of upping the ante on hacking? Indeed, what is the difference between hacktivism and cyber terrorism, if there is one? After all, they both seek out pretty much the same targets. They both have a singular purpose, in its simplest definition – to cause damage to an entity, organisation or group. So what sets these two categories of hackers apart? Is the answer in their motivation? Can we really view one as “good,” and the other “bad”, or is it simply a matter of personal opinion? Anonymous Anonymous is a loose association of activist networks that has an informal and decentralised leadership structure. Beginning in 2003, on the bulletin board 4Chan, Anonymous began to recruit and train young people interested in hacking for a cause. Throughout the years, they have run cyber attacks, mostly distributed denial of service (DDoS) attacks, against the financial, healthcare, education, religious organisations, oil, gas and energy industries – pretty much everything. They have also earned a spot on that distinguished list of attackers who have targeted consumer electronics giant Sony. Anonymous has really changed the nature of protesting. In 2013, Time magazine listed it as one of the top 100 influential “people” in the world. Supporters have called the group “freedom fighters” and even compared them to a digital Robin Hood. Others, however, consider them little more than cyber terrorists. In the public’s eye, it depends on their motivation, following and targets. The bottom line: This could either be a case of malicious activity masked by political motivation, or pure malicious activity. Cyber Berkut Cyber Berkut is a modern group of hacktivists and claims its name from the Ukrainian special police force “Berkut”, formed in the early 1990s. This pro-Russian group made a name for itself by conducting DDoS attacks against the Ukrainian government and Western corporate websites conducting business in the region. The group has also been known to penetrate companies and attempting to retrieve sensitive data. Following a heist, they would post on public-facing pastebin sites or their own non-English website, which includes a section called “BerkutLeaks”. Cyber Berkut was most recently credited for attacks against the Chancellor of the German Government, NATO, Polish websites and the Ukrainian Ministry of Defence. The group has been compared to Anonymous based on its methods of protest and political targets. Viewed as passionate about its targets, Cyber Berkut has a clear agenda. However, the group’s ideology in no way diminishes the amount of intended damage that might be inflicted on potential victims. Cyber Caliphate Cyber Caliphate, as the name implies, is a hacker group that associates with the Islamist terrorist group ISIS. It has attacked many different government and private industry entities, and claims responsibility for multiple website defacements and data breaches. The group has hacked various websites and social media accounts, including those of military spouses, US military command, Malaysia Airlines, Newsweek and more. Indeed, Cyber Caliphate is hungry for media attention. This raises the question: does Cyber Caliphate believe in its stated cause, or is this just opportunistic hacking under the cover of a cause for media attention? What if the group is just looking for fame and fortune? What if the group is not a group at all, but the work of one or two people collaborating with different contributors for specific targets? Motive doesn’t matter Is this really cyber terrorism, hacktivism or just another set of hackers trying to get famous by jumping on the media’s hot topic of the month? In some cases, it may seem romantic when people claim to be fighting for a cause – rather than more nefarious intent, or even just for a laugh. But the fact remains that cyber attacks are cyber attacks, whether they are motivated by politics, money or a distorted idea of fame. The key to fighting back – after ensuring that your organisation’s security is up to snuff – is threat intelligence. Threat intelligence gathering is the key to keeping up with the actions of these groups and their potential targets with impartial, straightforward news, gathered by specialists. Staying abreast of potential hacktivist attacks requires a proper investment in intelligence groups with the proper tools, people, processes and other resources to deliver up-to-date information. And not just about the groups, but the techniques they might be using. Information sharing among intelligence groups from different industries and countries also will help expedite the reverse engineering of malicious code and assist in the building of signature content and correlation logic that is deployed to our security technologies. So once attacks are observed globally, defences can be quickly built, detection logic integrated – and information disseminated to the security specialists on the front line who may be all that stands in the way of the kind of corporate meltdown that nearly sank Sony Pictures in December last year. Source: http://www.computing.co.uk/ctg/opinion/2414910/protests-or-profiteering-whether-its-anonymous-the-cyber-caliphate-or-cyber-berkut-the-hack-remains-the-same

See the original post:
Protests or profiteering? Whether it’s Anonymous, the Cyber Caliphate or Cyber Berkut, the hack remains the same