Tag Archives: ddos

26-year-old hacker responsible for massive DDoS-attacks sentenced in Russia

A man was sentenced to probation after being convicted for Distributed Denial of Service (DDoS) attacks as a result of Group-IB and the The Ministry of the Interior (MVD) collaboration work. Group-IB assisted in the investigation, collection, preservation and identification of digital evidence. The criminal business owner turned out to be a 26-year-old resident of the Sayansk-city, Irkutsk region. The reason for the investigation was an attack on a large financial corporation, which owns several banks. Since the recourse to the Group-IB up to the moment of the attacker arrest there were record-breaking short terms – all of the work was done within a month. The criminal used underground hacking forums to find clients by posting advertisements for DDoS services. Russians, citizens of  the CIS, Britons and many others ordered his services regularly. Group-IB’s evidence said a man used the Dragon botnet to launch the attacks. In autumn 2012, authorities had arrested the suspect in Sayansk, Ziminsk district. During the investigation, the accused pleaded guilty and showed detailed process of launching cyber-attacks. Group-IB computer forensic experts proved the guilt of the arrested in committing a series of cybercrimes.  A Sayansk city court judge rendered a guilty verdict against 26-year-old man for unauthorized access to computer information and was condemned to two years of conditional sentence. The Group-IB experienced experts explained that such attacks are common now as a result of unfair competition between companies. “Commercial organizations should think about DDoS protection,” said Dmitry Volkov, Head of the Group-IB Investigation Department. “However, if the incident has already occurred, the Group-IB is ready to conduct a full and independent investigation and find the attacker using forensic methods and tools.” Source: http://www.digitaljournal.com/pr/1776830#ixzz2vCwNMKJi

Continued here:
26-year-old hacker responsible for massive DDoS-attacks sentenced in Russia

Cisco patches enterprise wireless vulns

Everything from DoS to device access Cisco has issued patches and mitigation instructions for 16 of its wireless products, to take care of a number of denial of service vulnerabilities and one unauthorised access vulnerability.…

See the original article here:
Cisco patches enterprise wireless vulns

Image 354ef7ad7bf2ce23a1f152437e4c3d18.png

Why is Meetup Site Down? Hacker Attempts to Extort $300 From CEO Scott Heiferman

The Meetup site is down after a hacker attempted to extort $300 from the site’s CEO Scott Heiferman. The social networking site was the victim of a DDoS attack that was allegedly paid for by one of Meetup’s competitors. The attack began on Thursday when CEO Scott Heiferman received an email that reads: Date: Thu, Feb 27, 2014 at 10:26 AM Subject: DDoS attack, warning A competitor asked me to perform a DDoS attack on your website. I can stop the attack for $300 USD. Let me know if you are interested in my offer. As soon as Heiferman received the email, the attack began and overwhelmed Meetup’s servers. The site went down and stayed that way for nearly 24 hours. The success of the site being back up was short-lived as Meetup was hit again and again with numerous DDoS attacks over the course of the weekend. Why is Meetup Site Down? Hacker Attempts to Extort $300 From CEO Scott Heiferman – photo from Twitter Stating his reasons for not paying the hacker behind the attack, Heiferman wrote on Meetup’s blog: We chose not to pay because: 1. We made a decision not to negotiate with criminals. 2. The extortion dollar amount suggests this to be the work of amateurs, but the attack is sophisticated. We believe this lowball amount is a trick to see if we are the kind of target who would pay.  We believe if we pay, the criminals would simply demand much more. 3. Payment could make us (and all well-meaning organizations like us) a target for further extortion demands as word spreads in the criminal world. 4. We are confident we can protect Meetup from this aggressive attack, even if it will take time. As of right now, the site is still down as the Meetup team continues to secure its servers. When users attempt to log onto the site, they are met with the following error message: Over the past several days, Meetup has suffered a prolonged denial of service (DDoS) attack, resulting in intermittent service outages for our website and apps. We’re working urgently to bring Meetup back and restore full functionality. We appreciate your patience. Heiferman encourages all Meetup users to stay informed by receiving updates via Twitter, Facebook or the company’s blog. Why is Meetup Site Down? Hacker Attempts to Extort $300 From CEO Scott Heiferman. Source: http://americanlivewire.com/2014-03-03-meetup-site-down/

Taken from:
Why is Meetup Site Down? Hacker Attempts to Extort $300 From CEO Scott Heiferman

DDoS Attack! Is Regulation The Answer?

Four security experts weigh in on why there’s been little progress in combating DDoS attacks and how companies can start fighting back. The scale, diversity, and magnitude of recent DDoS attacks have knocked enterprises back on their heels. Now they’re attracting attention from regulators. Intended or not, attackers are forcing a sea change. The question at hand is whether self-regulation will improve or if regulatory intervention is inevitable. Cloudflare’s recent analysis of a February 13 denial of service attack explains the most recent variation on a recurring DDoS attack theme, and in doing so illustrates that we’ve made little or no progress in mitigating root causes of DDoS: The attack was distributed , emanating from over four thousand servers and twelve hundred networks. The attack used reflection , a technique where the source IP address of query traffic is “spoofed.” All of the attacking hosts set the source IP address of queries to the IP address of the targeted host so that the responses will overwhelm the victim. The attack also used amplification , a technique where a small query results in a much larger response being transmitted in order to deplete the target’s resources more rapidly. There are also other similarities between this and prior DDoS attacks. The attacks exploit UDP-based services (DNS, chargen, and now NTP). They exploit the absence of anti-spoofing measures by ISPs or private networks, and they exploit the “open” operation of these services, taking advantage of open DNS resolvers, publicly accessible network time servers, and services that should be configured to respond only to clients within specific administrative domains. The takeaway is obvious: Services that run over UDP and are accessible in a public or open manner are targets for reflection or amplification attacks, and the ability to spoof IP addresses exacerbates this threat .    

Original post:
DDoS Attack! Is Regulation The Answer?

Crap hospital databases next goldmine for cyber-crooks, say Microsoft’s botnet slayers

Your medical files are worth big bucks to fraudsters RSA 2014   The low levels of security in healthcare IT systems, and the high value of its data, is going to make the sector the next big target for scammers, according to the Microsoft-backed team that takes down botnets.…

Read this article:
Crap hospital databases next goldmine for cyber-crooks, say Microsoft’s botnet slayers

The rise of UDP-based DDoS attacks

The DDoS war is ramping up with the use of network time protocol (NTP) amplification to paralyse, not just individual organisation’s networks, but potentially large proportions of general internet traffic. The largest ever DDoS attack to date with a DNS amplification hit the anti-spam company, Spamhaus last year. This attack reached 300 Gbps, taking Spamhaus offline and also affecting the DDoS mitigation firm, CloudFare. With the volume of traffic that was going through peering exchanges and transit providers, the attack also slowed down internet traffic for everyone else. However, in the last couple of months these UDP amplification attacks seem to have moved on to NTP, taking advantage of an exploit available in older, unpatched NTP systems. These servers are usually used for time synchronisation and utilise the UDP protocol on port 123. Like DNS, they will respond to commands issued by any client to query certain information, unless they are properly secured. These attack styles are not new, but their historically infrequent usage and the potential for mass disruption means they warrant more attention. Coverage of these attack styles in both industry and mainstream press is to be welcomed in my opinion, because these attacks are relatively defensible and coverage will hopefully get more administrators to secure or patch their NTP servers. What is all the fuss about? DNS amplification attacks ramp up the power of a botnet when targeting a victim. The basic technique of a DNS amplification attack is to spoof the IP address of the intended target and send a request for large DNS zone files to any number of open recursive DNS servers. The DNS server then responds to the request, sending the large DNS zone answer to the attack target rather than the attacker, because the source IP was spoofed. The DNS amplification attack on Spamhaus saw request data (the data the attacker sent to the DNS servers) of roughly 36 bytes in length, while the response data (the data from the DNS server to the attack target) was around 3000 bytes, meaning the attackers increased the bandwidth used by 100x. Not only is that a large increase in attack bandwidth, but these packets from the DNS servers arrive at the target in a fragmented state due to their large size and have to be reassembled, which ties up the routing resources as well. NTP amplification attacks work by spoofing the IP of the attack target and sending a ’monlist’ command request to the NTP servers. This command will return the IP addresses of the last 600 clients that have used the NTP server to synchronise time. By issuing this command a small request packet can trigger much larger UDP response packets containing active IP addresses and other data. The volume of the response data is related to the number of clients that communicate with any particular NTP server. This means that a single request which consists of a single 64-byte UDP packet can be increased to 100 responses each, which contain the last 600 client IP addresses that have synchronised with the server. Each of those 100 responses will be a UDP packet of around 482 bytes which gives the attacker a bandwidth amplification of around 700x [482 bytes x 100 responses = 48200 bytes / 64 bytes = 753.125]. With this level of amplification available and several popular DDoS attack tools already including a module for abusing ’monlist’ we could be on for a new record in DDoS attack size this year unless the vulnerabilities are patched soon. For example, if DNS amplification created a 300 Gbps, then NTP amplification means we could potentially see a 2.1 Tbps (21,000 Gbps) attack. There is no network that could absorb an attack of that size; it would have an enormous knock-on effect on general Internet traffic as the Spamhaus attack did with peering points, transit providers and content delivery networks being overloaded. This isn’t to say that DNS and NTP are the only amplification attack methods. There are other amplification and reflection-style tactics as well and, while not as popular as more tried-and-true DDoS methods, they represent a real threat if you are not prepared for them. Fixing the problem The easiest way to fix this and remove your NTP servers from being an attack vector for a DDoS is to update your NTP servers to version 4.2.7 which removes the ‘monlist’ command. Otherwise you can disable query within your NTP server via a configuration change: nano /etc/ntp.conf [Your configuration file might be located elsewhere] #Restrict general access to this device Restrict default ignore Restrict xxx.xxx.xxx.xxx mask 255.255.255.255 nomodify notrap Noquery This change will prevent your NTP server from being used to launch DDoS attacks against other networks, but an update to the latest version is still recommended. Conclusion DDoS attacks have been around in one form or another since the very beginnings of the internet, but the motivations, as well as the scale of these attacks seem to have grown significantly. In the early days it was just extortion; a hacker would ask for payment to stop the attacks. Nowadays, some businesses may pay for competitors to be attacked, as a few hours offline could be worth millions. You also have DDoS being used as a method of political activism by groups such as Anonymous, as well as the potential for a government to use DDoS to disrupt another country’s infrastructure. Systems administrators need to ensure their systems are reviewed regularly for patches and known vulnerabilities. If systems are left unpatched then at best you can be used as a vector to attack another network or organisation, but at worst those vulnerabilities could be exploited to take your systems offline or steal your data. Source: http://blogs.techworld.com/industry-insight/2014/02/the-rise-of-udp-based-ddos-attacks/index.htm

Read more here:
The rise of UDP-based DDoS attacks

Bitly faces complete shutdown of services due to DDoS attack

Online URL shortening services provided by Bitly are down due to a DDoS attack and engineers were trying to solve the issues at the time of publishing Online URL shortening service provided by Bitly was under a major DDoS (distributed denial-of-service attack) on Wednesday. The website states the problem on a banner on their site and a tweet was put out by the company that its services would be restored eventually. Bitly’s internal team of engineers are working on fixing the problem. We are currently working to mitigate a DDoS attack. Some of our site may be unavailable, but we’re working to restore full functionality. — Bitly (@Bitly) February 26, 2014 Services to the links was resumed a little later, however damage from the attack was still being worked on at the time of publishing this article. Bitly, informs on their website, “All links are working after mitigating an earlier DDOS attack. Some link metrics may still be delayed.” Update: All links are working after mitigating an earlier DDOS attack. Some link metrics may still be delayed. — Bitly (@Bitly) February 26, 2014   What is DDoS attack?  – Distributed denial-of-service (DDoS) attack is an attempt to make a machine or network resource unavailable to its intended users. – Although the means to carry out, motives for, and targets of a DoS attack may vary, it generally consists of efforts to temporarily or indefinitely interrupt or suspend services of a host connected to the Internet. – As clarification, DDoS (Distributed Denial of Service) attacks are sent by two or more persons, or bots. – DoS (Denial of Service) attacks are sent by one person or system.   The company Bitly, Inc. was established in 2008 and is privately held and based in New York City. Bitly shortens more than one billion links per month, for use in social networking, SMS, and email services and is relied for accuracy and reliability. No doubt, this caused some what of a furor online with people even going so far as to refer to this attack as the ‘death of the internet’. #bitly is down. The internet is dying — iwyg (@_iwyg_) February 26, 2014 Why are so many #Bitly links failing to open today?? What’s up @hootsuite ?? — Slaweezy (@Slaweezy) February 26, 2014 On no #bitly is down and I haven’t had my fix of web based stats yet for the day #marketingbreakdown — Steve Scheja-Terry (@Von_Steve) February 26, 2014 The web is collapsing! #bitly is down! — Ben R. Hodges (@BenHodgesH2O) February 26, 2014

View article:
Bitly faces complete shutdown of services due to DDoS attack

Apple Daily in Hong Kong and Taiwan hit by DDoS attack

Apple Daily said its websites for both Hong Kong and Taiwan were hit by DDoS attacks on Saturday. IP addresses reveal that attacks originated from China, Russia, and France, according to Michael Yung, CIO of Next Media, the parent company of Apple Daily. Starting 1pm on Saturday, traffic to the Next Media website became increasingly huge that access to Apple Daily and other contents of the firm was significantly slow, Yung said, adding that audiences could only view text content via the newspaper’s mobile app. The firm’s website was restored at 6pm after several hours of fixing, Next Media said. According to Yung, small-scale attacks to the Next Media website are frequent but much more severe ones come before the June 4 commemoration and July 1 protest every year. Next Media said the attack is an act of harming freedom of press and but that won’t stop the organization from defending it. While Anonymous reportedly confirms that the attack came from the mainland Chinese government, Next Media said the identity of the attacker remains unknown at the moment because IP addresses identified could be fake. There’s also speculation that the attack’s related to Sunday’s “Free Speech, Free Hong Kong” protest organized by the Hong Kong Journalists Association. The protest is a response to recent moves that are seen as compromising editorial independence and freedom of speech. Of late, Commercial Radio fired its outspoken host Li Wei Ling while Chinese-language newspaper Ming Pao replaced its existing chief editor with a Malaysian journalist who’s not known to the local community and media industry. Source: http://news.idg.no/cw/art.cfm?id=F7551BB6-DF9A-6D69-EBD70AD566B9147F

Continued here:
Apple Daily in Hong Kong and Taiwan hit by DDoS attack

Cyber attacks: preventing disruption to your website

 One of the largest ever cyber attacks took place this month and it has been cited that it was the shape of things to come.  But it is not all doom and gloom – there is plenty that businesses can do to prepare for the future. Start by thinking about the impact of your website being down for a day to three days and how it would affect current and prospective clients and the reputation of your brand.  Google  is usually the first port of call when checking out products and services, so chances are high that any disruption to your web experience won’t be favourably looked upon by prospects. Cyber criminals will often inject malware into legitimate websites with the goal of getting innocent users to click on it, which will automatically trigger a download and can lead to all sorts of problems for the user.  As the website owner, you may be completely unaware, but this is something that Google is cracking down on. If a website is spotted hosting malicious links, Google can blacklist it, meaning it will not show up in searches and it will temporarily remove it from the Google index, which badly affects SEO.  Browsers, such as Chrome, Firefox etc will also flag insecure or risky websites and that may scare away potential customers.  It may take weeks of effort to get removed from blacklists and re-indexed. If this wasn’t bad enough, the risk is actually two-fold.  There are some would-be attackers that will threaten to hold your website to ransom.  In this case, they will identify the holes in your website and blackmail you into paying them in order for them not to get your website blacklisted. The best way to avoid getting blacklisted, or indeed blackmailed, is to have the website checked for malware and other infections.  And it is also highly recommended to have your website scanned for known vulnerabilities. This will ensure that there are no “holes” that attackers can exploit to install malware or create watering holes for unsuspecting customers. Another issue to avoid falling victim to is a DDoS attack.  DDoS attacks bombard a website with so many external communication requests that it floods the system and overloads the server to such a point that it can no longer function, leaving the website paralysed and unable to transact business. Attacks of this nature are on the rise and it’s fair to predict that this year will be no exception to this trend.  The best start is to have a plan in place- whether it is a hardware solution  that takes days to install and requires a higher up-front cost; or a provider who offers DDoS protection services that can be up and running in as little as a few hours for a monthly cost. In addition, it’s worth noting that some good DDoS protection services will offer a caching component that will allow bursts of legitimate traffic to your website without negatively impacting on the server.  Because it will automatically balance the load coming in, it keeps the website available to handle large amounts of requests with no disruption to your user base. So, make sure you do your research when choosing the best option for your website. Bear in mind that, while you can get a protection service in an emergency situation, as with so many things, the best offense is a good defence, so businesses should make sure that they have a proactive DDoS solution in place to avoid disruption to your web presence. Top tips: 1) Run malware detection and anti-virus on your website to spot and clear any existing infections 2) Enlist the services of a vulnerability scanner to identify and fix any exploits in your website 3) Have proactive DDoS protection in place; either in the form of hardware or a managed service 4) Have load balancing in place to ensure your website can handle increases in transactions Source: http://www.itproportal.com/2014/02/21/cyber-attacks-preventing-disruption-your-website/

Read More:
Cyber attacks: preventing disruption to your website