Tag Archives: ddos

DDoSers call 1988 and want its routing protocol hacked

500 routers whip up colossal DDOS over ye olde RIP protocol

Attackers are exploiting an ancient networking protocol to enslave small home and office routers in distributed denial of service attacks, Akamai says.…


‘Zombie’ network protocols become DDoS threats

Attackers won’t let RIPv1 rest in peace. Attackers continue to search for obsolete protocols that are no longer used but still running on networked computer systems in order to abuse them as denial of service amplifiers.

Content delivery network firm Akamai’s PLXsert security team discovered that the routing information protocol version 1, introduced in 1988, was used in a denial of service attack against its customers in May this year. RIPv1 was designed for small networks in the early internet era. It broadcasts lists of routes and updates to devices listening for RIPv1 information.

A small, 24-byte RIPv1 request with a forged source IP address can result in multiple, 504-byte response payloads, creating a large amount of unsolicited traffic directed towards victims’ networks and flooding them. Attackers were in particular looking for routers that contain large amounts of routes in the RIPv1 database, so as to maximise the traffic volumes and damage done to target networks.

Internet luminaries disagree however as to how much of a threat RIPv1 represents. APNIC chief scientist Geoff Huston told iTnews RIPv1 is late 80s technology that routes the now abandoned Class A/B/C network address structure. “I find it hard to think that RIPv1 is connected to the global internet and that there are enough of them out there to constitute a real threat,” Huston said. Finding even one site in 2015 that is running RIPv1 is “like discovering a Ford Model T on the streets still in working order,” Huston said.

Director of architecture for internet performance company Dyn, Joe Abley, pointed out that the problem is not that operators use RIPv1 for routing, it’s that administrators leave RIPv1 turned on. The protocol has been unsuitable for the past two decades because it doesn’t work with classless inter-domain routing. “Just because you no longer have any use for a protocol doesn’t mean you always remember to turn it off,” he told iTnews.

“What is happening is that ancient systems that have been hidden in dark corners for decades are suddenly jumping out into the sunlight and running amok because someone realised they could provoke them into bad behaviour, from a distance.” He said there are end-systems connected to the internet that support the ancient routing protocol and which have it turned on by default. Old Sun Microsystems Solaris servers are examples of such systems that are now being abused as packet amplifiers in denial of service attacks. RIPv1 does not use authentication, leaving it wide open to anyone on the internet to connect to.

The attack is not fundamentally different from reflection attacks using the domain name system, chargen, simple network management protocol, or any one of a variety of user datagram-based protocols, Abley said. “This attack is not new and special really, although the fact that it uses RIP certainly brings a roguish twinkle to this aged network administrator’s eye,” he said. It can however cause large traffic floods. “Akamai’s Prolexic team have seen attacks that delivered over 10 gigabit per second of traffic towards a single victim,” Abley said. “I wouldn’t categorise that as ‘not really a problem’, especially if I was the one on the receiving end.”

Abley said as with most amplification attacks, “poking the bear from a great distance relies upon being able to fake the source address of the stick.” There would be fewer opportunities for this to happen if network operators followed the advice in Internet Engineering Task Force best current practice documents such as BCP38, which details network ingress filtering, and similar texts to protect their networks. Source: http://www.itnews.com.au/News/406090,zombie-network-protocols-become-ddos-threats.aspx#ixzz3eqpq5n9E


Anonymous DDoS UAE banking websites

Several UAE banks were hit by a co-ordinated cyber attack, known in the trade as a distributed-denial-of-service (DDoS) attack, on Tuesday, crippling e-banking operations and websites, and leaving the unnamed institutions fearing further assaults, Arabian Business’ sister website ITP.net has reported. German systems integrator Help AG, which played a central role in the clean-up for one of the victims, told the website that the DDoS attack, which has been linked to cyber group Anonymous, happened on the last day of the month as the attackers sought to wreak maximum disruption during the banks’ busiest period. Help AG cited “sources in the market” who report “widespread” incidents in the UAE financial sector.

A DDoS attack uses tens, sometimes hundreds, of thousands of computers to synchronise a bombardment of packet-traffic on a server. In the absence of sophisticated mitigation solutions, servers can be brought down and services brought to a halt. “Picking the last day of a month is a very wise choice from the attackers, as it is a widely known fact that the last three days of a calendar month are the busiest ones in the financial industry, as a lot of money is changing hands in the form of salaries, mortgage and loan payments,” Nicolai Solling, director of technology services, Help AG, told ITP.net by email.

Help AG’s systems identified hundreds of thousands of packets per second sustained for a number of hours on one UAE-based financial services institution. The attacks, the company said, were “not sophisticated in form”, but “followed very much the usual pattern of Anonymous, meaning application-level depletion attempts”. “Typically this is in the form of ‘get’ requests on the Web layer, which then tries to exhaust the Web servers, unfortunately something that often is too easy to achieve,” Solling explained.
Anonymous is a global movement with no clear leadership, although it has spawned specific cyber groups such as LulzSec that perform co-ordinated campaigns on high-profile targets. This week’s attack was part of what the group calls #OpArabia. At the time of writing, the group listed several targets in Saudi Arabia, Egypt and the UAE on justpaste.it. Help AG did not disclose the identity of any victims, but the National Bank of Abu Dhabi (NBAD) was featured prominently on the list. “Help AG has for a period been aware of a number of threats on the region posed from Anonymous,” Solling said. Source: https://en-maktoob.news.yahoo.com/anonymous-cyber-hackers-hit-uae-banking-websites-112413582.html


Rise in DDoS reflection attacks using abandoned routing protocol

There's been an increase in the use of outdated Routing Information Protocol version one (RIPv1) for reflection and amplification attacks, according to Akamai. RIPv1 is a fast, easy way to dynamica…


Anonymous celebrates Canada Day with DDoS attacks

For Canadians, July 1 is Canada Day—but to Anonymous, it’s also the perfect occasion to launch a protest campaign of distributed denial of service (DDoS) attacks. The internet activist group announced on Wednesday morning that it had planned #AntiCanadaDay protests in support of its #OpCyberPrivacy campaign, created in opposition to Canada’s controversial, recently-passed anti-terror legislation, Bill C-51. The bill grants the Canadian Security Intelligence Service (CSIS) broad powers—with judicial authorization—to do just about anything to “disrupt” and investigate terrorist plots and propaganda, both online and offline.

“We protest against the systemic invasion of privacy by government and corperate [sic] entities around the world,” the announcement reads. “We stand ardent in our defiance to all those who would take away our rights and freedoms.” A full list of targets, posted shortly before the #AntiCanadaDay attacks began, lists the websites of Liberal party leader Justin Trudeau, Minister of Justice Peter McKay, the Canadian Security Intelligence Service (CSIS), and the Canadian Senate as “main targets.” A host of other lobbyist groups and senators who voted in favour of Bill C-51 are listed as targets too. “All Canadian government web assests [sic] are fair game,” read the statement. “Lazors free on all federal, provincial and municpal [sic] services.”

Shortly after noon, accounts on Twitter associated with the campaign reported that multiple government of Canada websites had been taken offline. When Motherboard attempted to access sites such as Canada.ca and sencanada.ca, for example, pages either loaded slowly, displayed an error, or did not load at all. “Remember hold nothing down for protracted lengths,” said an operation admin in the group’s chat room. “This is after all just a protest.” In a separate chat room interview, members told VICE News reporter Hilary Beaumont that eight people belong to the core #OpCyberPrivacy team.
“We all expect blowback for today,” wrote one of the users, but said that it was worth the risk. “This bill violates the charter of rights and freedoms, universal declaration of human rights,” a user said, citing the threat of more invasive spying offline, and the potential to be arrested without a warrant and held without charge. “They make the rules up as they go,” wrote another member. “So if I’m a perfectly law abiding citizen who is impacted greatly by something and I protest I can be arrested [because] criticizing that is terrorism.” By early afternoon, focus had shifted to sites such as the Canadian parliament domain parl.gc.ca, and Conservative party Prime Minister Stephen Harper’s domain pm.gc.ca. The admin said the government was “putting up a good fight.” “They are adding load balancers, moving servers, closing off access,” wrote another user. “Some of the pages up [at the moment] are only cached versions.” The protest is expected to continue until midnight. Source: http://motherboard.vice.com/read/anonymous-is-celebrating-canada-day-in-protest-with-attacks-on-government-sites?utm_source=mbtwitter


DDoS Attackers Exploiting ’80s-Era Routing Protocol

Latest wave of DDoS attacks abuses small office-home routers via the 27-year-old, outdated Routing Information Protocol Version 1 (RIPv1).

An outdated and long-forgotten routing protocol is the latest weapon in a wave of distributed denial of service (DDoS) attacks executed via home and small business routers in the past two months. Akamai Technologies’ Prolexic Security Engineering & Research Team (PLXsert) today issued a threat advisory warning of a surge in DDoS attacks using the Routing Information Protocol version one (RIPv1) to wage DDoS reflection and amplification attacks. The 27-year-old routing protocol, which allows routers in a small network to share route information, has since been updated with a newer more secure version, but the older version 1 remains in use in many small office/home office router models.

While some 2,000 SOHO routers so far have been used in this new attack campaign, Akamai also found around 53,000 routers with RIPv1 enabled and vulnerable to the very same attack, mostly Motorola Netopia 2000 and 3000 series devices in the US. The main ISP running those RIPv1-enabled routers was AT&T.

The biggest attack spotted so far: around 12 gigabits-per-second. “That was just using a limited number of resources [routers],” says Jose Arteaga, senior security researcher with Akamai PLXsert. “We found a good number of devices available with this protocol open. Our concern there is if malicious actors continue to scan or incorporate more devices in this attack, attacks can grow to be quite large. They could reach 100-gig or more.” Arteaga says there’s been no specific industry targeted in the attacks at this time, and the attacks are originating mostly out of Europe and most likely a DDoS-for-hire operation, he says. The main sources include the Russian Federation (39%), China (19%), and 15% in Germany and Italy.
Unlike its successor RIPv2, RIPv1 doesn’t have an authentication feature, so routers communicating via RIPv1 aren’t vetted and authenticated, leaving them open to abuse. This isn’t the first time RIPv1 has been abused for a DDoS attack. The PLXsert team spotted similar attacks nearly two years ago but those attacks basically exploited it for a query flood, not a reflection attack, where traffic is redirected from an “innocent” device to a target on the network, Arteaga says.

RIPv1 Not Resting In Peace

The good news is that RIPv1 is not enabled by default on enterprise-grade routers. So why is it left open on some SOHO routers? “Could be an ISP enabling it for some reason or another, but it shouldn’t be” available, he says. It also may be useful in a very small business network, he says, but that comes with this risk of abuse by malicious actors.

The common denominator in most of today’s DDoS attacks is the use of the UDP protocol. More than 56% of all DDoS attacks abuse UDP, according to DDoS security vendor Incapsula. Of those, 8% use a protocol popular among Internet of Things devices, SSDP (Simple Service Discovery Protocol) used in gaming consoles and printers, for example. “A common theme with these attacks is they are obviously taking advantage of UDP … there is no way [for a victim router] to refuse that request” because it’s a connectionless protocol, Akamai’s Arteaga says. It’s up to the ISPs offering these devices to block port 520 used by UDP, which then would prevent any reflection attacks, he says. And small businesses should use the more secure RIPv2 instead of version 1.

Bottom line: DDoS isn’t going away, and attackers are constantly looking for new ways to abuse equipment on the Internet as weapons to attack their targets. “It has constantly increased in activity,” says David Fernandez, manager of the PLXsert team. “DDoS has not gone away.” Source: http://www.darkreading.com/perimeter/ddos-attackers-exploiting-80s-era-routing-protocol/d/d-id/1321138
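An added example, not code from Akamai, PLXsert or any of the articles quoted on this page, covering two points made above: the 24-byte request / 504-byte response arithmetic from the iTnews piece, and the UDP port 520 boundary check Arteaga recommends. It parses RIPv1 datagrams in their RFC 1058 layout, computes how many response bytes a routing table of a given size produces, and audits flow records for a router answering requests that cross the site boundary. The 192.0.2.0/24 local prefix and the flow records are constructed assumptions for the demo.

```python
import struct
from ipaddress import ip_address, ip_network

RIP_PORT = 520                 # UDP port RIPv1 listens on
RIP_HEADER_LEN = 4             # command, version, two zero bytes
RIP_ENTRY_LEN = 20             # one route entry (RFC 1058)
RIP_MAX_ENTRIES = 25           # at most 25 entries per datagram: 4 + 25*20 = 504 bytes
RIP_REQUEST, RIP_RESPONSE = 1, 2
INFINITY_METRIC = 16           # "unreachable"; in a one-entry request it means "send the whole table"

# Assumption for this example: the site's own address space (TEST-NET-1, constructed).
LOCAL_NETS = [ip_network("192.0.2.0/24")]


def parse_ripv1(payload: bytes) -> dict:
    """Parse a RIPv1 datagram into its command and route entries; ValueError if malformed."""
    body_len = len(payload) - RIP_HEADER_LEN
    if body_len < 0 or body_len % RIP_ENTRY_LEN or body_len // RIP_ENTRY_LEN > RIP_MAX_ENTRIES:
        raise ValueError("not a well-formed RIP datagram")
    command, version = payload[0], payload[1]
    if version != 1:
        raise ValueError(f"RIP version {version}, expected 1")
    entries = []
    for off in range(RIP_HEADER_LEN, len(payload), RIP_ENTRY_LEN):
        afi, _, addr, _, _, metric = struct.unpack("!HH4sIII", payload[off:off + RIP_ENTRY_LEN])
        entries.append({"afi": afi, "address": str(ip_address(addr)), "metric": metric})
    return {"command": command, "entries": entries}


def is_full_table_request(pkt: dict) -> bool:
    """The 24-byte 'send me everything' request: one entry, address family 0, metric 16."""
    e = pkt["entries"]
    return (pkt["command"] == RIP_REQUEST and len(e) == 1
            and e[0]["afi"] == 0 and e[0]["metric"] == INFINITY_METRIC)


def response_bytes(route_count: int) -> int:
    """Bytes a responder sends for route_count routes, packed 25 routes per 504-byte datagram."""
    total, remaining = 0, route_count
    while remaining > 0:
        n = min(remaining, RIP_MAX_ENTRIES)
        total += RIP_HEADER_LEN + n * RIP_ENTRY_LEN
        remaining -= n
    return total


def amplification_factor(route_count: int, request_len: int = 24) -> float:
    """Response bytes per request byte; one full 25-route datagram gives 504 / 24 = 21."""
    return response_bytes(route_count) / request_len


def _is_local(addr: str) -> bool:
    return any(ip_address(addr) in net for net in LOCAL_NETS)


def audit_rip_flows(flows: list) -> list:
    """Return (device, reason) pairs for UDP/520 traffic that crosses the site boundary:
    requests arriving from off-net sources, and responses a local device sends off-net
    (the signature of a router being used as a reflector)."""
    findings = []
    for f in flows:
        if RIP_PORT not in (f["sport"], f["dport"]):
            continue
        try:
            pkt = parse_ripv1(f["payload"])
        except ValueError:
            continue                                   # not RIPv1, out of scope here
        if pkt["command"] == RIP_REQUEST and not _is_local(f["src"]):
            kind = "full-table" if is_full_table_request(pkt) else "targeted"
            findings.append((f["dst"], f"{kind} RIP request from off-net source {f['src']}"))
        elif pkt["command"] == RIP_RESPONSE and _is_local(f["src"]) and not _is_local(f["dst"]):
            findings.append((f["src"], f"{len(pkt['entries'])}-route RIP response sent off-net to {f['dst']}"))
    return findings


# --- constructed sample traffic (not captured data) ---------------------------------
def _entry(afi: int, addr: str, metric: int) -> bytes:
    return struct.pack("!HH4sIII", afi, 0, ip_address(addr).packed, 0, 0, metric)

def _flow(src: str, dst: str, payload: bytes) -> dict:
    return {"src": src, "sport": RIP_PORT, "dst": dst, "dport": RIP_PORT, "payload": payload}

FULL_TABLE_REQUEST = bytes([RIP_REQUEST, 1, 0, 0]) + _entry(0, "0.0.0.0", INFINITY_METRIC)  # 24 bytes
FULL_RESPONSE = bytes([RIP_RESPONSE, 1, 0, 0]) + b"".join(
    _entry(2, f"10.{i}.0.0", 1) for i in range(RIP_MAX_ENTRIES))                            # 504 bytes

SAMPLE_FLOWS = [
    _flow("198.51.100.7", "192.0.2.1", FULL_TABLE_REQUEST),  # off-net probe reaches a local router
    _flow("192.0.2.1", "198.51.100.7", FULL_RESPONSE),       # router answers off-net: reflection
    _flow("192.0.2.1", "192.0.2.2", FULL_RESPONSE),          # ordinary on-link update, not flagged
]

if __name__ == "__main__":
    print(f"25-route table: {response_bytes(25)} bytes, x{amplification_factor(25):.0f} amplification")
    for device, reason in audit_rip_flows(SAMPLE_FLOWS):
        print(device, "->", reason)
```

Blocking UDP/520 at the boundary, as the article recommends, removes both findings; the audit is a way to confirm that the filter is actually in place.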


CSIS website goes down due to DDoS attack

The website for CSIS, the Canadian Security Intelligence Service, appears to have gone down again — less than 24 hours after a suspected rogue hacker took the site down in a so-called denial of service attack. The website for Canada’s spy agency went offline shortly after 9 a.m. ET Tuesday. While the cause is still unknown, when the website went down Monday night, sources told CTV’s Mercedes Stephenson that a rogue hacker who had previously launched attacks on several municipal and police websites, had claimed responsibility for the CSIS attack. A denial-of-service attack is not technically a hack into the site, but the attack does prevent Internet users from accessing the website.

“Experts I’ve spoken to say it is very hard to stop this kind of attack,” Stephenson told CTV News Channel Tuesday morning. “The level of sophistication and the number of ways they are attacking one website at one time to send it offline is very hard to prevent.” She says sources tell her that the hacker isn’t attempting to steal information in these attacks. “This is all about trying to embarrass the government, intelligence agencies and the police,” she said. The hacker is trying to draw attention to the controversial Bill C-51, as well as the case of an Ottawa teen who was charged in an alleged “swatting” incident. The hacker believes the teen was framed, sources tell CTV.

A spokesperson for the Ministry of Public Safety and Emergency Preparedness acknowledged in a statement Monday night that the CSIS website had gone “temporarily offline.” “No information has been breached. We are taking cybersecurity very seriously,” spokesperson Jean-Christophe de Le Rue said. The same hacker was previously connected to hacking group Anonymous, but appeared to be operating alone on Monday, sources said.
The person believed to be responsible tweeted out several messages about the CSIS website Monday, including: “I’m deciding if I should let CSIS back online and hit another government website, or if I should keep it offline for a while.” Less than two weeks ago, several government websites — including ServiceCanada.gc.ca and Parl.gc.ca — were hit by a denial of service attack. Anonymous claimed responsibility. Source: http://www.ctvnews.ca/canada/csis-website-goes-down-again-1.2447166


Protests or profiteering? Whether it’s Anonymous, the Cyber Caliphate or Cyber Berkut, the hack remains the same

“Hacktivism” has been around since the Cult of the Dead Cow in the 1980s; only the names have changed. Where we once heard about Chaos Computer Club and the Legion of Doom, we now have high-profile examples like Anonymous, Anti-Sec and Lulzsec. This is not a comparison – 35 years ago it was mostly demonstrations and denials of service. Now, attacks have become exponentially more intrusive and destructive. With this escalation in damages comes a new name. Cyber terrorism is a term that the media has been using quite frequently. There have also been countless articles on the so-called Cyber Caliphate, Cyber Berkut, and even various disparate groups of “cyber freedom fighters” around the world.

Is changing “hacktivism” to “terrorism” the government and media’s way of upping the ante on hacking? Indeed, what is the difference between hacktivism and cyber terrorism, if there is one? After all, they both seek out pretty much the same targets. They both have a singular purpose, in its simplest definition – to cause damage to an entity, organisation or group. So what sets these two categories of hackers apart? Is the answer in their motivation? Can we really view one as “good,” and the other “bad”, or is it simply a matter of personal opinion?

Anonymous

Anonymous is a loose association of activist networks that has an informal and decentralised leadership structure. Beginning in 2003, on the bulletin board 4Chan, Anonymous began to recruit and train young people interested in hacking for a cause. Throughout the years, they have run cyber attacks, mostly distributed denial of service (DDoS) attacks, against the financial, healthcare, education, religious organisations, oil, gas and energy industries – pretty much everything. They have also earned a spot on that distinguished list of attackers who have targeted consumer electronics giant Sony. Anonymous has really changed the nature of protesting. In 2013, Time magazine listed it as one of the top 100 influential “people” in the world. Supporters have called the group “freedom fighters” and even compared them to a digital Robin Hood. Others, however, consider them little more than cyber terrorists. In the public’s eye, it depends on their motivation, following and targets. The bottom line: This could either be a case of malicious activity masked by political motivation, or pure malicious activity.

Cyber Berkut

Cyber Berkut is a modern group of hacktivists and claims its name from the Ukrainian special police force “Berkut”, formed in the early 1990s. This pro-Russian group made a name for itself by conducting DDoS attacks against the Ukrainian government and Western corporate websites conducting business in the region. The group has also been known to penetrate companies and attempt to retrieve sensitive data. Following a heist, they would post on public-facing pastebin sites or their own non-English website, which includes a section called “BerkutLeaks”. Cyber Berkut was most recently credited for attacks against the Chancellor of the German Government, NATO, Polish websites and the Ukrainian Ministry of Defence. The group has been compared to Anonymous based on its methods of protest and political targets. Viewed as passionate about its targets, Cyber Berkut has a clear agenda. However, the group’s ideology in no way diminishes the amount of intended damage that might be inflicted on potential victims.

Cyber Caliphate

Cyber Caliphate, as the name implies, is a hacker group that associates with the Islamist terrorist group ISIS. It has attacked many different government and private industry entities, and claims responsibility for multiple website defacements and data breaches. The group has hacked various websites and social media accounts, including those of military spouses, US military command, Malaysia Airlines, Newsweek and more. Indeed, Cyber Caliphate is hungry for media attention. This raises the question: does Cyber Caliphate believe in its stated cause, or is this just opportunistic hacking under the cover of a cause for media attention? What if the group is just looking for fame and fortune? What if the group is not a group at all, but the work of one or two people collaborating with different contributors for specific targets?

Motive doesn’t matter

Is this really cyber terrorism, hacktivism or just another set of hackers trying to get famous by jumping on the media’s hot topic of the month? In some cases, it may seem romantic when people claim to be fighting for a cause – rather than more nefarious intent, or even just for a laugh. But the fact remains that cyber attacks are cyber attacks, whether they are motivated by politics, money or a distorted idea of fame. The key to fighting back – after ensuring that your organisation’s security is up to snuff – is threat intelligence. Threat intelligence gathering is the key to keeping up with the actions of these groups and their potential targets with impartial, straightforward news, gathered by specialists. Staying abreast of potential hacktivist attacks requires a proper investment in intelligence groups with the proper tools, people, processes and other resources to deliver up-to-date information. And not just about the groups, but the techniques they might be using. Information sharing among intelligence groups from different industries and countries also will help expedite the reverse engineering of malicious code and assist in the building of signature content and correlation logic that is deployed to our security technologies. So once attacks are observed globally, defences can be quickly built, detection logic integrated – and information disseminated to the security specialists on the front line who may be all that stands in the way of the kind of corporate meltdown that nearly sank Sony Pictures in December last year.
Source: http://www.computing.co.uk/ctg/opinion/2414910/protests-or-profiteering-whether-its-anonymous-the-cyber-caliphate-or-cyber-berkut-the-hack-remains-the-same


DDoS Attacks Target Financial Firms and Broker Dealers

FINRA memo June 19, 2015 announces: An increasing number of member firms have been subjected to DDoS attacks originating from a cyber-criminal group called DD4BC. The latest in ongoing efforts by cyber criminals to extort money and disrupt practices for online business. The cyber-crime group DD4BC is one of the most active at DDoS attacks on industries, asking for ransom payments in exchange for the return of website service. Many businesses do not understand what a DDoS attack is and how they occur. Nor do they understand what to do if they become subject to an attack. Ransom demands for large firms can be several thousand if not hundreds of thousands of dollars in BitCoin. The danger in paying the ransom to DDoS blackmailers is that it encourages them to attack. In some cases the attackers will make repeated attacks and repeated blackmail demands. FINRA is notifying financial and securities firms to be on the lookout for these types of attacks and be prepared with a plan in place to mitigate damages and reduce business disruption.

Attacks on FINRA Member firms and Financial Services

The DDoS attacks FINRA is cautioning about render a website or network unavailable for its intended users by sending an overwhelming number of incoming messages to the website, causing the site to “fail to load” or show as “unsecure” when legitimate users try to access it.

Cyber Crime Group DD4BC makes extortion demands on targeted systems

The end goal for DD4BC criminals in these attacks is extortion. DD4BC criminals will first send a firm an email announcing their plan to target the website with a DDoS attack. They further state the attack can be avoided by paying ransom in BitCoin. To prove they are serious, DD4BC initiates a minor attack, with a threat of more attacks if the ransom is not paid within 24 hours.

A bounty on the DD4BC cyber crime group

The Bitcoin community and other firms are fighting back. A recent threat to Bitalo.com (a bitcoin exchange firm) resulted in Bitalo offering a reward of 100 times the amount DD4BC had asked for. Other firms have also pledged “would be blackmailed” bitcoin rewards for information leading to the arrest and conviction of DD4BC criminals.

What to do if faced with an attack:

A firm’s first point of contact in the event of attack is the local FBI office, Cyber Crimes division. The FBI works diligently in tracking and capturing these cyber criminals. The earlier they have information about an attack, the better their chances are at locating the criminals and alerting other firms to danger. Additionally, FINRA is asking that financial firms notify the SEC and FINRA. They will use this information to identify the extent of industry attacks and help firms stop these crimes.

Prepare in advance for an attack:

Most DDoS attacks start as a sharp spike in traffic. Familiarize yourself with typical inbound traffic statistics for your website by auto-generating reports to monitor traffic on a daily and weekly basis. Work with your website host to “overprovision” bandwidth for your website. This can often be done for very little additional cost. And, while it is not likely to prevent damage from an attack, it could add a few minutes of lead time. Also, many host companies can set up alerts to notify you if there is a sudden spike in bandwidth usage.

What is your response plan:

Prevention is the best strategy. Have your system evaluated for best practices before an attack starts. If you need help there are DDoS mitigation firms that specialize in securing IT systems to detect, monitor, and block attacks. Determine where your system is weak and make changes to improve security. Have a contingency plan in place to reach customers if the firm’s website is unavailable. Alternative communication methods include customer service phone support and cloud based communication portals. Maintain email and VOIP phone service on a different server than your website. DDoS attacks tend to cripple everything on the server. Segregating digital data through separate network connection hosts adds a layer of protection for confidential email lists and customer data.

What to do if you are under attack:

Call your website hosting company or ISP to let them know what’s happening. They may be able to make routing adjustments to your traffic and prevent malicious traffic from making it in to your website. DDoS mitigation and monitoring services can also provide assistance. If needed, website hosts and ISPs can direct you to a company that specializes in scrubbing data and diverting traffic when under DDoS attack. If the attack is lasting a relatively long time, direct your site to a hosted “We Are Down” landing page for customers. Use the page to provide customers with alternative ways to reach your firm. This will bring confidence to your customers and save them the frustration of multiple unsuccessful attempts to reach your company online. Source: http://www.finracompliance.com/ddos-attacks-target-financial-firms-and-broker-dealers/
