Tag Archives: ddos

NTP Patches Flaws That Enable DDoS

The network time protocol, at the center of a number of high-profile DDoS attacks in 2014, was updated on Thursday to ntp-4.2.8p8. The latest version includes patches for five vulnerabilities, including one rated high-severity. NTP, specifically the NTP daemon, synchronizes system clocks with time servers. Vulnerable NTP servers were used two years ago with regular frequency to carry out amplification attacks against targets. High-bandwidth NTP-based DDoS attacks skyrocketed as attackers used vulnerable NTP implementations to amplify DDoS attacks much in the way DNS amplification has been used in the past. Some NTP amplification attacks reached 400 Gbps in severity, enough to bring down even some of the better protected online services. US-CERT today released a vulnerability notification about the latest set of NTP vulnerabilities. “Exploitation of one of these vulnerabilities may allow a remote attacker to cause a denial-of-service condition,” the US-CERT advisory said. US-CERT also published a list vendors potentially vulnerable to attack; as of this afternoon, only the NTP project’s ntpd implementation is known to be affected. The status of the remainder of the A-Z list of vendors is characterized as unknown. “Unauthenticated, remote attackers may be able to spoof or send specially crafted packets to create denial of service conditions,” US-CERT said. One of the vulnerabilities, privately reported by Cisco, is a crypto-NAK crash or denial-of-service bug. Crypto-NAK responses are sent by NTP servers if a server and client do not agree on a message authentication code. The four remaining flaws were disclosed by Red Hat researchers. One is related to the crypto-NAK issue. “An attacker who knows the origin timestamp and can send a spoofed packet containing a CRYPTO-NAK to an ephemeral peer target before any other response is sent can demobilize that association,” an NTP.org bug report says. Another patch corrects a flaw where spoofed server packets were processed. “An attacker who is able to spoof packets with correct origin timestamps from enough servers before the expected response packets arrive at the target machine can affect some peer variables and, for example, cause a false leap indication to be set,” said the bug report. An autokey association reset flaw was also patched. Here an attacker who spoofs a packet with a correct origin timestamp before the response arrives can send a crypto-NAK or bad MAC and cause an association’s peer variables to be cleared, eventually preventing it from working correctly. The final vulnerability addressed is an issue where broadcast clients may be flipped into interleave mode. Source: NTP Patches Flaws That Enable DDoS https://wp.me/p3AjUX-uOO

Russia’s top 3 banks were target of world’s largest DDoS attack

Russia’s three largest Russian banks – VTB, Sberbank and Bank of Moscow – came under a massive DDoS-attack in the fall of 2015, a top manager at VTB has said. Claiming the attackers demanded a bitcoin payment for stopping the attack. A senior official from one of Russia’s largest banks has revealed that the lender became the target of the most extensive DDoS-attack in the entire history of monitoring in the fall of 2015. “A certain group of perpetrators” carried out a series of “the strongest DDoS-attacks” against Sberbank, VTB and Bank of Moscow for several days, Dmitry Nazipov, senior vice president of VTB, told the Russian media on June 1. According to him, the bank received a “fairly typical letter” in English at that time demanding a bitcoin payment in return for stopping the attacks. “Obviously, we did not agree to pay, but that attack was generally localized in three days, and was not repeated on such a scale thereafter,” said Nazarov. He pointed out that to solve the problem, VTB collaborated with police, telecom service providers and the Central Bank’s information security center, FinCert. In September 2015, the deputy head of the Central Bank’s main security and information protection directorate, Artyom Sychev, said that the websites of five major Russian banks had been subjected to a DDoS-attack. He did not disclose the names of the banks. Sychev said that after the end of the attacks, some of the banks attacked received letters from extortionists who demanded that 50 bitcoins (the average value of a bitcoin was around $230 in September 2015 – RBTH) be transferred to them for not repeating such attacks. He noted that the banks did not suffer damage as a result of the attack. Earlier on June 1, the Federal Security Service and the Interior Ministry reported the detention of 50 suspects in a theft of 1.7 billion rubles ($25 million) from financial institutions. The police also said that they could prevent 2.2 billion rubles’ ($32.5 million) worth of possible damage. The law enforcement agencies turned to security software producer Kaspersky Lab for help in identifying the suspects. According to the company, the hackers stole 3 billion rubles ($44.5 million). Six Russian banks, including Metallinvestbank, the Russian International Bank, Metropol and Regnum, were victims of the hackers. Source: https://rbth.com/business/2016/06/02/russias-top-3-banks-were-target-of-worlds-largest-ddos-attack_599743

Anonymous Announces #OpSilence, Month-Long Attacks on Mainstream Media

Members of the Ghost Squad Hackers team, one of most active Anonymous sub-divisions, have carried out DDoS attacks on CNN and FOX News as part of a new hacktivism campaign. Called OpSilence, the campaign’s goal is to attack all mainstream media that fails to report on the Palestine war or the true crimes happening in Syria, one of the hackers told Mic. #OpSilence will take place during the entire month of June 2016 The operation will be run similarly to #OpIcarus , a month-long series of attacks that took place in the month of May against various banks around the world. Any hacktivism group is welcomed to join, and the campaign comes on the heels of OpIcarus, which just ended yesterday. Ghost Squad Hackers didn’t wait for June to start to begin their attacks, and they’ve already hit the email servers of FOX News and CNN. The group has been changing tactics lately, switching from DDoSing public websites to attacking mail servers, as they did most recently against the Bank of England. Other hackers have taken a pro-Palestine stance before Taking a pro-Palestine stance isn’t something strange for hackers, many others supporting this cause as well. The previous group that did so was CWA (Crackas With Attitude), whose hacked targets include CIA Director John Brennan’s personal AOL email account, FBI Deputy Director Mark Giuliano, US National Intelligence Director James Clapper, and President Barack Obama’s Senior Advisor on science and technology John Holdren. The group is also responsible for hacking the JABS US national arrests database. They also leaked details for 2,400 US government officials, 80 Miami police officers, 9,000 DHS employees, and 20,000 FBI staffers. Back in February, the group’s leader, a sixteen-year-old boy, was arrested in East Midlands, England. Source: http://news.softpedia.com/news/anonymous-announces-opsilence-month-long-attacks-on-mainstream-media-504760.shtml

See the article here:
Anonymous Announces #OpSilence, Month-Long Attacks on Mainstream Media

DDoS Attacks via TFTP Protocol Become a Reality After Research Goes Public

Almost three months after researchers from the Edinburgh Napier University published a study on how to carry out reflection DDoS attacks by abusing TFTP servers, Akamai is now warning of real-life attacks. Akamai SIRT, the company’s security team, says its engineers detected at least ten DDoS attacks since April 20, 2016, during which crooks abused Internet-exposed TFTP servers to reflect traffic and send it tenfolds towards their targets, in a tactic that’s called a “reflection” (or “amplification”) DDoS attack. The crooks sent a small number of packets to TFTP servers, which contained various flaws in the protocol implementation, and then sent it back multiplied to their targets. The multiplication factor for TFTP DDoS attacks is 60, well above the regular average for reflection DDoS attacks, which is between 2 and 10. First instances of TFTP reflection DDoS attacks fail to impress Akamai says the attacks they detected employing TFTP servers were part of multi-vector DDoS attacks, during which crooks mixed different DDoS-vulnerable protocols together, in order to confuse their target’s IT department and make it harder to mitigate. Because the attack wasn’t pure, it never reached huge statistical measurements. Akamai reports the peak bandwidth was 1.2 Gbps and the peak packet volume was 176,400 packets per second. These are considered low values for DDoS attacks, but enough to consume the target’s bandwidth. Akamai SIRT says they’ve seen a weaponized version of the TFTP attack script circulating online as soon as the Napier University study was released. The crooks seem to have misconfigured the attack script The attack script is simple and takes user input values such as the victim’s IP, the attacked port, a list of IP addresses from vulnerable, Internet-available TFTP servers, the packet per second rate limit, the number of threads, and the time the script should run. In the attacks it detected, Akamai says the crooks ignored to set the attacked port value, and their script send out traffic to random ports on the target’s server. Back in March, Napier University researchers said they’ve found over 599,600 publicly open servers that had port 69 (TFTP) open. Akamai warns organizations to secure their TFTP servers by placing these servers behind a firewall. Since the 25-year-old TFTP protocol doesn’t support modern authentication methods, there is no good reason to have these types of servers exposed to the Internet. Source: http://news.softpedia.com/news/ddos-attacks-via-tftp-protocol-become-a-reality-after-research-goes-public-504713.shtml#ixzz4AH801pER

More:
DDoS Attacks via TFTP Protocol Become a Reality After Research Goes Public

How visibility can help detect and counter DDoS attacks

It’s been proven that preventive medical strategies are more cost-effective for treatment and better solutions to support long-term health than reactive medical measures. Anticipating issues and preparing for and supporting healthy systems is simply more logical than troubleshooting and fixing things when they go wrong. The same concept has been successfully used in IT security for years and it should be no different when planning for DDoS attacks. But despite their relatively predictable nature and … More ?

See original article:
How visibility can help detect and counter DDoS attacks

UK-Based Llyod’s Bank Sees Decrease in Cyberattacks

Swimming against the torrent of relentless headlines highlighting the lack of cybersecurity among banks, government agencies, and popular websites, the Lloyds Banking Group has seen an 80-90% drop in cyberattacks. The reason? “Enhanced” cybersecurity measures. While banks around the world begin to accept the uncomfortable reality wherein a $81 million cyber-heist is entirely plausible whilst relying on the global banking platform (SWIFT), one UK-based bank has seen a drop in cyber-attacks. UK-based Llyods Banking Group has seen a drop of between 80% to 90%, even though there has been an increase in cyberattacks targeting the UK this year. The revelation was made by Miguel-Ángel Rodríguez-Sola, the group director for digital, marketing & customer development. One of the most common attack vectors remain Distributed Denial of Service (DDoS) attacks. “There had been an increase in the UK in terms of cyber attacks between June and February this year,” Rodríguez-Sola stated. He added “However, over the last two months, I have had five-times less than at the end of last year.” Speaking to the Telegraph , he claimed a greater collaborative effort with law enforcement agencies. More notably, he spoke about the enabling of additional layers of cyber-defenses, without going into specifics. In statements, he said: We needed to re-plan our digital development to make sure that we put in new defences, more layers. [The number of cyberattacks] is now one-fifth or one-tenth of what it was last year. The news of a decrease in cyberattacks faced by the banking group comes during a time when a third bank was recently revealed to be a victim of the same banking group which was involved in a staggering $81 million dollar heist involving the Bangladesh Central Bank. Increasing reports of other member banks of the SWIFT network falling prey to cyberheists has spurred SWIFT to issue a statement, urging banks to report cybercrimes targeting member banks. Source: https://hacked.com/uk-based-llyods-bank-sees-decrease-cyberattacks/

View article:
UK-Based Llyod’s Bank Sees Decrease in Cyberattacks

Anonymous is 2016’s top trending hacktivist group

Anonymous emerges as the leader in 2016’s Trending Hacktivist Groups Anonymous continued to remain at the top in the top trending hacktivist group, says SurfWatch Labs based on the data collected on threat intelligence and social media hype. The hacktivist group was followed by Turk Hack Team (THT), New World Hacking (NWO), and Ghost Squad Hackers. In comparison to other years, the data shows that hacktivism has decelerated and lost its impetus but still has managed to cause enough damages to gather mainstream media attention. The government agencies were hit the most by hacktivism campaigns says the security firm with the most publicity having been created around the now-notorious COMELEC hack by Anonymous Philippines and Lulzsec Philippines, during which information for around 50 million Filipino voters were disclosed. Other than this incident, at the start of the year, the hacktivist groups created a lot of attention to their causes via the massive DDoS attack on BBC, the DDoS attacks on Donald Trump’s websites part of #OpTrump, the DDoS attacks on the Bank of Greece part of #OpIcarus, and the ones on Nissan part of #OpKillingBay. The Bank of Cyprus, the pulling down of ISIS Twitter profiles followed by the Belgium attacks, and the leak of data from NASA’s internal network were some of the other small hacktivism incidents that also managed to garner a lot of attention to causes and the groups behind them. During the first months of 2016, the top five hacktivism campaigns were #OpTrump, #OpKilling Bay, #OpWhales, #OpIsrael, and #OpAfrica. Since #OpIcarus was supposed to last for the entire month of May, it was not included in the list. However, the campaign is sure to become a support in Anonymous’ standard operations. Former big names such as the Syrian Electronic Army (SEA) and Lizard Squad seem to have disappeared with no or little activity from its members, points out SurfWatch Labs in its report. Looks like the SEA group members are perhaps busy avoiding getting arrested considering that the US has filed former charges against members of the group. Source: http://www.techworm.net/2016/05/anonymous-2016s-top-trending-hacktivist-group.html

See the original article here:
Anonymous is 2016’s top trending hacktivist group

Major DNS provider hit by mysterious, focused DDoS attack

Attack on NS1 sends 50 million to 60 million lookup packets per second. Unknown attackers have been directing an ever-changing army of bots in a distributed denial of service (DDoS) attack against NS1, a major DNS and traffic management provider, for over a week. While the company has essentially shunted off much of the attack traffic, NS1 experienced some interruptions in service early last week. And the attackers have also gone after partners of NS1, interrupting service to the company’s website and other services not tied to the DNS and traffic-management platform. While it’s clear that the attack is targeting NS1 in particular and not one of the company’s customers, there’s no indication of who is behind the attacks or why they are being carried out. NS1 CEO Kris Beevers told Ars that the attacks were yet another escalation of a trend that has been plaguing DNS and content delivery network providers since February of this year. “This varies from the painful-but-boring DDoS attacks we’ve seen,” he said in a phone interview. “We’d seen reflection attacks [also known as DNS amplification attacks] increasing in volumes, as had a few content delivery networks we’ve talked to, some of whom are our customers.” In February and March, Beevers said, “we saw an alarming rise in the scale and frequency of these attacks—the norm was to get them in the sub-10 gigabit-per-second range, but we started to see five to six per week in the 20 gigabit range. We also started to see in our network—and other friends in the CDN space saw as well—a lot of probing activity,” attacks testing for weak spots in NS1’s infrastructure in different regions. But the new attacks have been entirely different. The sources of the attacks shifted over the week, cycling between bots (likely running on compromised systems) in eastern Europe, Russia, China, and the United States. And the volume of the attacks increased to the 30Gbps to 50Gbps range. While the attacks rank in the “medium” range in total volume, and are not nearly as large as previous huge amplification attacks, they were tailored specifically to degrading the response of NS1’s DNS structure. Rather than dumping raw data on NS1’s servers with amplification attacks—where an attacker sends spoofed DNS requests to open DNS servers that will result in large blocks of data being sent in the direction of the target—the attackers sent programmatically generated DNS lookup requests to NS1’s name servers, sometimes at rates of 50 million to 60 million packets per second. The packets looked superficially like genuine requests, but they were for resolution of host names that don’t actually exist on NS1’s customers’ networks. NS1 has shunted off most of the attack traffic by performing upstream filtering of the traffic, using behavior-based rules that differentiate the attacker’s requests from actual DNS lookups. Beevers wouldn’t go into detail about how that was being done out of concern that the attackers would adapt their methods to overcome the filtering. But the attacks have also revealed a problem for customers of the major infrastructure providers in the DNS-based traffic management space. While the DNS specification has largely gone unchanged since it was created from a client perspective, NS1 and other providers have carried out a lot of proprietary modification of how DNS works behind the scenes, making it more difficult to use multiple DNS providers for redundancy. “We’ve moved a bit away from the interoperable nature of DNS,” Beevers said. “You can’t slave one DNS service to another anymore. You’re not seeing DNS zone transfers, because features and functionality of the [DNS provider] networks have diverged so much that you can’t transfer that over the zone transfer mechanism.” To overcome that issue, Beevers said, “people are pulling tools in-house to translate configurations from one provider to another—that did work very well for some of our customers [in shifting DNS during the attack].” NS1, like some of its competitors, also provides a service that allows customers to run the company’s DNS technology on dedicated networks. “so if our network gets hit by a big DDoS attack, they can still have access.” Fixing the interoperability problem will become more urgent as attacks like the most recent one become more commonplace. But Beevers said that it’s not likely that the problem will be solved by a common specification for moving DNS management data. “DNS has not evolved since the ’80s, because there’s a spec,” he said. “But I do believe there’s room for collaboration. DNS is done by mostly four or five companies— this is one of those cases where we have a real opportunity because community is small enough and because the traffic management that everyone uses needs a level of interoperability.” As companies with big online presences push for better ways to build multi-vendor and multi-network DNS systems to protect themselves from outages caused by these kinds of attacks, he said, the DNS and content delivery network community is going to have to respond. Source: http://arstechnica.com/information-technology/2016/05/major-dns-provider-hit-by-mysterious-focused-ddos-attack/

Visit site:
Major DNS provider hit by mysterious, focused DDoS attack

DDoS-for-Hire Services Go Up on Fiverr for 5 Bucks

In a new wrinkle in cybercriminal business modeling, distributed denial of service (DDoS)-for-hire services are being offered on the popular website Fiverr—where, as its name suggests, various professional services are offered for $5. According to Imperva, DDoS-for-hire services are a widespread business for hackers, typically billing themselves as “stressor” services to “help test the resilience of your own server.” In reality, they’re renting out access to a network of enslaved botnet devices, (e.g., Trojan-infected PCs), which are used as a platform to launch DDoS attacks. And once a user hands over his money, the criminals don’t care whose servers are ‘stress tested.’ A year ago, Imperva’s survey of the 20 most common stressor services showed that the average price was $38 per hour, and went as low as $19. Recently, the SecureWorks Underground Hacker Marketplace Report showed that, on the bottom end, the cost of hiring such a service on the Russian underground dropped to just five dollars per hour. “The price tag made us think of Fiverr—a trendy online marketplace where various professional services are offered for five bucks?” Incapsula researchers said, in a blog. “Would DDoS dealers have the audacity to use this platform to push their wares? A quick site search confirmed that, in fact, they would.” Imperva reached out to see if the Fiverr offers were the innocent stress testers they claimed to be. “To do so, we created an account on Fiverr and asked each of the stressor providers the following question: Regarding the stress test, does the site have to be my own?” the researchers noted. “Most had the good sense to ignore our message. One suggested that we talk on Skype.” In the end, an offering with a skull and bones image that offered to “massive DDoS attack your website” responded, saying: “Honestly, you [can] test any site. Except government state websites, hospitals.” Imperva quickly contacted Fiverr to let them know about the misuse of their service—they responded and acted to remove the providers. “Fiverr’s decisive action should serve as an example to an online community that, by and large, has accepted the existence of illegal stressors as a fact of life,” the researchers noted. Source: http://www.infosecurity-magazine.com/news/ddosforhire-services-go-up-on/

More:
DDoS-for-Hire Services Go Up on Fiverr for 5 Bucks

Devices Infected With New Ransomware Versions Will Execute DDoS Attacks

A combination of Ransomware and DDoS attacks is heralding a new wave of cyber attacks against consumers and enterprises around the world. Security experts are concerned this may become a standard practice going forward; this is not good news by any means. Ransomware And DDoS Is A Potent Mix Over the past few years, ransomware attacks have become the norm rather than an exception. But the people responsible for these attack continue to improve their skills, and infected machines will now start executing distributed denial of service attacks as well. Not only will users not be able to access their files, but the device will also become part of a botnet attacking other computers and networks around the world. KnowBe4 CEO Stu Sjouwerman stated: “ Adding DDoS capabilities to ransomware is one of those ‘evil genius’ ideas. Renting out DDoS botnets on the Dark Web is a very lucrative business, even if prices have gone down in recent years. You can expect [bundling] it to become a fast-growing trend.” One of the first types of ransomware to embrace this new approach is Cerber, a Bitcoin malware strain which has been wreaking havoc for quite some time now. Attacks have been using “weaponized” Office documents to deliver malware to computers, which would then turn into a member of a botnet to DDoS other networks. While some people see this change as a logical evolution of ransomware attacks, this is a worrying trend, to say the least. Assailants can come up with new ways to monetize their ransomware attacks, even if the victim decides not to pay the fee. As long as the device is infected, it can be used to execute these DDoS attacks, which is a service worth the money to the right [wrong] people. A recent FireEye report shows how the number of Bitcoin ransomware attacks will exceed 2015 at the rate things are going right now. Now that DDoS capabilities are being added to the mix, it is not unlikely the number of infections will increase exponentially over the next few months. Moreover, removing the ransomware itself is no guarantee computer systems will not be used for DDoS purposes in the future, and only time will tell if both threats can be eliminated at the same time. Source: http://themerkle.com/devices-infected-with-new-ransomware-versions-will-execute-ddos-attacks/

View post:
Devices Infected With New Ransomware Versions Will Execute DDoS Attacks