A massive worldwide effort is under way to harden the net’s clocks against hack attacks. The last few months have seen an “explosion” in the number of attacks abusing unprotected time servers, said security company Arbor. Unprotected network time servers can be used to swamp target computers with huge amounts of data. About 93% of all the vulnerable servers are now believed to have been patched against attacks. ‘Appropriate’ use The attack that paved the way for the rapid rise was carried out by the Derp Trolling hacker group and was aimed at servers for the popular online game League of Legends, said Darren Anstee, a network architect at net monitoring firm Arbor. That attack took advantage of weaknesses in older versions of the software underlying the network time protocol (NTP). Known as an “NTP reflection” attack, it used several thousand poorly configured computers handling NTP requests to send data to the League of Legend servers. Around the world about 1.6 million NTP servers were thought to be vulnerable to abuse by attackers, said Harlan Stenn from the Network Time Foundation that helped co-ordinate action to harden servers. Precise timings are very important to the steady running of the net and many of the services, such as email and e-commerce, that sit on it. Early 2014 saw the start of an Open NTP initiative that tried to alert people running time servers to the potential for abuse, Mr Stenn told the BBC. Now, he said, more than 93% of those vulnerable servers had been updated. However, he said, this did leave more than 97,000 still open to abuse. Arbor estimates that it would take 5,000-7,000 NTP servers to mount an overwhelming attack. The feature that attackers had exploited had been known for a long time in the net time community and was not a problem as long as those servers were used “appropriately”, he said. “This was before spammers, and well before the crackers started using viruses and malware to build bot armies for spamming, phishing, or DDoS attacks,” he said. Distributed Denial of Service (DDoS) attacks are those that try to shut servers down by overwhelming them with data. The success of the Derp Trolling attack prompted a lot of copycat activity, said Mr Anstee from Arbor. “Since that event it’s gone a bit nuts to an extent and that tends to happen in the attack world when one particular group succeeds,” he said. “We’ve seen an explosion in NTP reflection activity.” NTP reflection attacks can generate hundreds of gigabits of traffic every second, said Mr Anstee, completely overwhelming any server they are aimed at. The copycat attacks have fed into a spike in the number of “large events”, mainly DDoS attacks, that Arbor sees hitting the net, he said. “Historically we used to see a couple of hundred gigabit events every year,” said Mr Anstee. “In February 2014 we tracked 43.” Source: http://www.bbc.com/news/technology-26662051
Tag Archives: ddos
Elance hit by major DDoS attack, downing service for many freelancers
The freelancer platform Elance has been under a sustained distributed denial-of-service (DDoS) attack for more than a day, making the service unavailable for many users — but apparently not compromising their data. The attack seems to have been a so-called NTP reflection attack, judging from an Elance tweet referencing a piece I recently wrote about the technique. Such attacks use botnets and badly configured NTP servers — essentially time checks for computers’ clocks — to amplify a small amount of data into a large one that overpowers the targets’ systems. Mountain View, Calif.-based Elance has over 4 million users (it will roughly double that through its upcoming merger with chief rival oDesk). It’s not clear how many have been affected by the outage, as a company spokeswoman told me only that “some users have not been impacted.” One comment on my February DDoS story suggests that oDesk was also down in the last day, though it’s not yet clear whether this was connected to the Elance attack. Elance’s spokeswoman said by email that the attack began at 6am PT on Monday and remains ongoing, albeit sporadically. She didn’t respond to a question about the possible motivation, but she did say Elance had defenses in place to ward off DDoS attacks on its service, and has “since invested in new technology to try to thwart the attackers.” She added: “We have a unique community of both businesses and freelancers and we’ve reached out to inform them about the attack and let them know that none of their data was compromised but to expect delays. Both sides of our community have been very responsive and sympathetic.” Source: http://gigaom.com/2014/03/18/elance-hit-by-major-ddos-attack-downing-service-for-many-freelancers/
More:
Elance hit by major DDoS attack, downing service for many freelancers
Gang wielding ColdFusion exploits expands botnet of hacked e-commerce sites
A German website of French automaker Citroën is the latest of the wide array of higher-profile webshop sites that have been compromised by a hacker gang leveraging Adobe ColdFusion vulnerabilities. …
Continued here:
Gang wielding ColdFusion exploits expands botnet of hacked e-commerce sites
NATO websites hit by DDoS attack
Hackers brought down several public NATO websites over the weekend in what appeared to be the latest escalation in cyberspace over growing tensions over Crimea. A spokesperson for the Western military alliance said the cyber attacks had begun on Saturday evening and continued on Sunday, although most services had now been restored. “It doesn’t impede our ability to command and control our forces. At no time was there any risk to our classified networks,” another NATO official said. NATO’s main public website, which carried a statement by Secretary-General Anders Fogh Rasmussen saying that Sunday’s referendum on Crimea’s status would violate international law and lack legitimacy, worked intermittently. The distributed denial of service (DDoS) attack also hit the site of a NATO-affiliated cyber security centre in Estonia. NATO’s unclassified email network was also affected. A group calling itself “cyber berkut” said the attack had been carried out by patriotic Ukrainians angry over what they saw as NATO interference in their country. The claim, made at www.cyber-berkut.org, could not be independently verified. “Berkut” is a reference to the feared and now disbanded riot squads used by the government of ousted pro-Russian Ukrainian President Viktor Yanukovich. Cyber warfare expert Jeffrey Carr, in a blog on the attacks, described cyber berkut as staunch supporters of Yanukovich and a “pro-Russia hacktivist group working against Ukrainian independence”. Lungescu noted the statement but said due to the complexities involved in attributing the attacks, NATO would not speculate about who was responsible or their motives. “Kicking sand” John Bumgarner, chief technology officer at the non-profit research institute US Cyber Consequences Unit, said initial evidence strongly suggested the attacks were launched by pro-Russian sympathisers. “One could equate these cyber attacks against NATO as kicking sand into one’s face,” he said. Crimeans voted in a referendum on Sunday on whether to break away from Ukraine and join Russia, with Kiev accusing Moscow of rapidly building up its armed forces on the peninsula in “crude violation” of an international treaty. The website for the Crimea referendum said on Sunday it had come under cyber attack overnight, although it appeared to be working on Sunday. Cyber attacks on NATO’s computer systems are common, but a NATO official said the latest one was a serious online assault. Ian West, director of NATO’s cyber defence nerve centre at Mons in southern Belgium, said last year that the alliance’s network intrusion detection systems handled around 147 million “suspicious events” every day and around 2500 confirmed serious attacks on its computers in the previous year. Tensions between Moscow and the West have been rising steadily since Russia intervened following the ouster of Yanukovich. Ukrainian and Russian websites have both been targets for cyber attacks in recent weeks but this appeared the first major attack on a Western website since the crisis began. Suspected Russian hackers used DDoS attacks to cripple websites and services in Estonia in 2007 during a dispute over a war memorial, and against Georgia during its brief 2008 war with Russia. Moscow denied orchestrating such attacks, saying they were simply carried out by independent patriots. Groups calling themselves cyber berkut have attacked several Ukrainian websites in recent weeks, computer security experts say. Source: http://www.itnews.com.au/News/375271,nato-websites-hit-by-ddos-attack.aspx
View post:
NATO websites hit by DDoS attack
High-bandwidth NTP amplification DDoS attacks escalate
Prolexic issued a high alert threat advisory on NTP amplification DDoS attacks. This attack method has surged in popularity this year, fueled by the availability of new DDoS toolkits that make it simp…
See original article:
High-bandwidth NTP amplification DDoS attacks escalate
WordPress USED AS ZOMBIE in DDoS attacks
Tens of thousands of vulnerable WordPress sites have been co-opted into a server-based botnet being used to run DDoS attacks. More than 160,000 legitimate WordPress sites were abused to run a large HTTP-based (layer 7) distributed flood attack against a target, which called in cloud security firm Sucuri for help. Security experts discovered that the attack traffic was coming from WordPress sites with pingbacks enabled on blog posts, which is on by default. Pingbacks allow automatic backlinks to be created when other websites link to a page on a WordPress blog. The problem can be fixed by installing a simple plugin, as explained by Sucuri CTO and OSSEC Founder Daniel Cid in a blog post. “Any WordPress site with Pingback enabled (which is on by default) can be used in DDOS attacks against other sites,” Cid explains. “Note that XML-RPC is used for pingbacks, trackbacks, remote access via mobile devices and many other features you’re likely very fond of. But, it can also be heavily misused.” Sean Power, security operations manager for DOSarrest, a DDoS mitigation technology services firm, said the attack relied on exploiting vulnerabilities in old versions of WordPress. This type of issue has been known about since 2007 and the specific problem abused in the latest run of attacks was fixed more than a year ago in a WordPress core release in January 2013. “Attackers exploited a vulnerability in the core WordPress application and therefore it could be used for malicious purposes in DDoS attacks,” Power explained. “The fix for this feature was actually released in the 3.5.1 version of WordPress in January 2013 and would be picked up by most good vulnerability scanners. “This is a prime example of how users aren’t regularly performing updates to their websites, because if they were, we wouldn’t still be seeing DDoS attacks being carried out by websites taking advantage of this old flaw,” Power added. WordPress is an open source blogging platform and content management system (CMS) that’s used by millions of websites across the interwebs. Source: http://www.theregister.co.uk/2014/03/12/wordpress_vuln_creates_botnet_army/
View the original here:
WordPress USED AS ZOMBIE in DDoS attacks
MUM’s WordPress recipe blog USED AS ZOMBIE in DDoS attacks
Well, it’s statistically reasonably likely. Just update to 3.8.1, OK? Tens of thousands of vulnerable WordPress sites have been co-opted into a server-based botnet being used to run DDoS attacks.…
View post:
MUM’s WordPress recipe blog USED AS ZOMBIE in DDoS attacks
Over 162,000 WordPress sites exploited in DDoS attack
DNS and NTP servers are not the only publicly accessible resources that can be misused to amplify DDoS attacks. Sucuri CTO Daniel Cid revealed details of a recent incident in which they received a …
Original post:
Over 162,000 WordPress sites exploited in DDoS attack
DDoS Attacks Still a Significant Threat
It’s an attack vector that’s been around ever since the Internet became a valuable business tool. Distributed Denial of Service, of DDoS, attacks are still one of the most prevalent threats facing businesses today. There are reports suggesting that DDoS attacks are on the rise and that the Internet’s DNS infrastructure – critical for the operation of the Internet – remains vulnerable and a significant target. Jag Bains, the CTO at DOSarrest Internet Security, spoke to us about DDoS attacks and what can be done to mitigate their impact. When we spoke with Michael McKinnon from AVG at the Tech Leaders forum in Queensland earlier this year, he said “So much damage is being done, for example, through spoof traffic. If most major network providers were responsible enough to stop traffic from leaving their networks that they knew were coming from IP addresses they weren’t responsible for then we would have spoof traffic on the Internet and cut down networks responsible for this kind of damage”. I asked Bains what could be done to prevent DDoS attacks from being a viable attack vector and whether there was a benefit for network operators to not block the attacks. “They’re not doing it from a revenue opportunity. One guy’s server is compromised for a few days and it flips out a huge bill. But, it’s too much of a headache [for telcos] to make it a revenue stream’” said Bains. “The big guns behind some of these attacks are occurring out of data centres that have compromised servers or hosting networks with compromised servers,” he added. Although it is possible to block spoof packets coming from a network, this would not be as straightforward as it sounds. Bains suggested that there would be significant cost. “It comes at a CPU cost to your routers. You’re dealing with high traffic volumes that might create a different type of bottleneck,” said Bains. I challenged Bains on this, noting that Moore’s Law will take this year’s bottleneck and make it insignificant in a short time. In fact, if we’d taken action like this against DDoS attacks a decade ago there would be little need to suffer these attacks. “Let’s say we did that and it might help to stem these tidal wave attacks. But that doesn’t mean DDoS would have been thwarted. One of the most interesting things in the DDoS arena is the rise of application attacks coming from legitimate sources,” he said. As well as their use to cripple companies and use as a form of ransomware – it’s not unknown for gambling operators in unregulated markets to use DDoS attacks to either cripple or ransom their competition – they can be used to manipulate financial markets. According to Bains the recent Mount Gox attack, that resulted in losses of hundreds of millions of dollars of Bitcoin, was at least partly a DDoS attack. “Hammering the exchange affected stability. Prices lowered and couldn’t come back up and they were using it to influence the peaks and troughs,” he said. “It’s a tool that’s crude in its intentions but highly effective”. Bains’ company, DOSarrest claims to have a solution. Their software can shift the traffic from a DDoS attack to a server environment that is specifically designed to deal with the attack. “All users have to do is change their DNS record to point to one of our IPs. We’re able to take the DOS attack out of hosting the network, bring it to a topology or infrastructure that is groomed specifically for that only”. What’s clear is that DDoS attacks are here to stay and that there is no silver bullet that will prevent their occurrence. However, it is possible to mitigate the damage they can do. Source: http://www.cso.com.au/article/540163/ddos_attacks_still_significant_threat/?fp=4&fpid=959105
View the original here:
DDoS Attacks Still a Significant Threat
Over 160,000 legitimate WordPress sites used for DDoS attack
Distributed Denial of Service (DDoS) attacks aren’t new and 2013 was one of the worst years when it comes to such attacks that too through the use of large botnets and / or specialised DDoS tools; however, use of legitimate WordPress blogs and sites to carry out such attacks is something that isn’t widespread, but is becoming a trend lately. According to Sucuri Research over 162,000 legitimate WordPress blogs and sites were a part of huge DDoS attacks on one of its client’s website. The attacker(s) used WordPress websites as indirect amplification vectors through a simple one line command. “Any WordPress site with XML-RPC enabled (which is on by default) can be used in DDOS attacks against other sites”, notes Sucuri CTO and OSSEC Founder Daniel Cid in a blog post. Cid explained that the DDoS attack was a large layer 7 HTTP-based distributed flood attack through which the perpetrators forced legit WordPress sites to send out thousands of requests per second to the victim’s servers. All the GET requests being sent to victim’s servers had a random value that bypassed their caching mechanism thereby forcing to load the whole page on every request, which killed the server quickly. “One attacker can use thousands of popular and clean WordPress sites to perform their DDOS attack, while being hidden in the shadows, and that all happens with a simple ping back request to the XML-RPC file” revealed Cid. Cid provides a couple of workarounds to ensure that your WordPress site isn’t DDoSing someone else’s site. First is to disable the XML-RPC (pingback) functionality from your site. This can be done by removing the xmlrpc.php or disabling the notifications in your blog’s settings. However, the thing is as soon as you upgrade your WordPress, the file come right back. Another solution is that users use some cloud based security solution or proxy site that will ensure that such misuse is prohibited. “This is a well known issue within WordPress and the core team is aware of it, it’s not something that will be patched though. In many cases this same issue is categorized as a feature, one that many plugins use, so in there lies the dilemma”, concludes Cid. Source: http://www.techienews.co.uk/977737/160000-legitimate-wordpress-sites-used-ddos/
Read this article:
Over 160,000 legitimate WordPress sites used for DDoS attack