Tag Archives: denial of service

Amazon cloud infested with DDoS botnets

Security researchers have found yet another exploit on the Amazon cloud computing platform through the Elasticsearch distributed search engine tool. According to analysis, hackers are able to gain access to the search engine to deploy a battalion of botnets on Amazon cloud. The vulnerability should be a cause of alarm and, therefore, merits the attention of enterprises because it could manipulate Amazon cloud platforms in an attempt to launch distributed denial of service attacks against hundreds of thousands of websites. Amazon cloud users can a representational state transfer API to search various documents through Elasticsearch, an open-source search engine server built based on Java. It is more popular among cloud environments for its distributed architecture that enables multiple nodes. Researchers found security issues on the versions 1.1.x of Elasticsearch because its API scripting lacks a mechanism to authenticate access and a sandbox security infrastructure. Therefore, anyone, including hackers, can penetrate Elasticsearch just so easy. After that, attackers could carry out several malicious activities using Elasticsearch’s scripting capability such as carrying out arbitrary code on the server. As of now there is no patch coming from the developers of Elasticsearch. Nonetheless, versions 1.2.0 and up are safe from being exploited by hackers. New offshoots of Mayday Trojan for Linux has been spotted over the past week and the malware already launched DDoS attacks against targets DNS amplification. A Mayday variant was reported to be running on an Amazon server that has been compromised through the Elasticsearch exploit, though there are other platforms that could have been potentially manipulated. However, the Mayday variant did not resort to DNS amplification on the compromised EC2 instances. Instead it was used to launch attacks by flooding several websites with UDP traffic. As a result, many regional banking institutions in the United States and electronics companies in Japan had to transfer their IP addresses to DDoS mitigation service vendors. The Amazon EC2-run virtual machines were also reported to have been attacked by hackers through a CVE-2014-3120 exploit in the 1.1.x versions of Elasticsearch. Researchers observed that many commercial enterprises still use those versions. According also to security researchers, attackers have changed proof-of-concept exploit code for CVE-2014-3120 to install a Web shell developed based on Perl. A Web shell is a script that enables hackers to deploy Linux shell commands backdoor through the Web. The script was then further manipulated to download a fresh variant of the Mayday DDoS botnet. Amazon has already notified its customers about the issue. Source: http://www.techwalls.com/amazon-cloud-infested-ddos-botnets/

See more here:
Amazon cloud infested with DDoS botnets

17-Year-Old Behind Norway DDoS Attacks This Week

On Thursday, the Norwegian police have arrested and charged a 17-year-old in connection to the recent massive distributed denial-of-service (DDoS) attacks directed at major financial institutions and other businesses in the country. The teen, from the city of Bergen, on Norway’s west coast, claimed to be part of the hacktivist group Anonymous Norway, who, in a Twitter message, dismissed any connection to him or the DDoS incidents. On the day of the attack, the teenager sent a letter to the media, claiming to be part of Anonymous and saying that “the motivation behind the current attacks and the next attacks in the future is to get the community to wake up. The number of major IT security attacks is increasing and there is nothing being done to prevent such events.” Evidence that Anonymous Norway was not involved in the incidents is the fact that the boy joined the group’s Facebook page on the same day of the attack. Furthermore, the hacker outfit provided a Pastebin link in a new tweet, pointing to the identity of the perpetrator; they did not create the post, just scooped it up. Initially, the youngster was charged with gross vandalism, which carries a maximum prison sentence of six years in Norway. However, since he has no record and is still a minor, this should be greatly reduced. According to News in English, Frode Karlsen of the Bergen police told Norwegian Broadcasting that the authorities are taking the matter seriously because this sort of attack can have significant impacts on society, like individuals not being able to reach emergency services in case they needed help. After his arrest, the teen cooperated in the investigation and clarified the nature of his actions. His defense lawyer stated that “he’s sorry for having caused all this and has laid his cards on the table.” The DDoS attack, which occurred on Tuesday, was considered among the largest ever seen in Norway and leveraged the vulnerable “pingback” WordPress feature. Its increased significance is due to the fact that it targeted layers three (network) and four (transport) of the OSI model, as well as layer seven (application), at the same time. Mitigating an application layer DDoS attack is not too easy, because the requests are directed at the application interface and mimic legitimate behavior, which makes filtering out the bad traffic more difficult. The attack aimed at disrupting the online services of major financial institutions in Norway (Norges Bank, Sparebank 1, Storebrand, Gjensidige, Nordea, Danske Bank), as well as other business, like Scandinavian Airlines (SAS) and Norwegian Air. The website of the largest telecommunications company in Norway, Telenor, was also affected. Source: http://news.softpedia.com/news/17-Year-Old-Behind-Norway-DDoS-Attacks-this-Week-450391.shtml

Read the article:
17-Year-Old Behind Norway DDoS Attacks This Week

‘Political’ DDoS Attacks Skyrocket in Russia

Commercial hackers in Russia are giving way to politically motivated cyber criminals targeting ideological enemies, a new study said Wednesday. The most powerful DDoS attacks on Russian websites in the first six months of 2014 were triggered by the political crisis in Ukraine, digital security company Qrator Labs revealed. February’s Olympic Games in Sochi also prompted a spike in DDoS attacks, said the study, as reported by Bfm.ru news website. Hacker attacks in Russia have generally decreased in quantity, but have become more powerful compared with the first six months of 2013, the report said. About 2,700 distributed denial-of-service (DDoS) attacks occurred during the first six months of 2014, compared with 4,400 over the same period last year, Bfm.ru said. But the number of powerful attacks upward of 1 Gbps increased five times to more than 7 percent of the total, the report said, citing Qrator Labs digital security company. Some of the attacks peaked at 120 to 160 Gbps, the report said. Attack time also grew significantly, with DDoS strikes lasting up to 91 days, compared with 21 days in the first half of 2013. Average botnet size tripled from 136,000 to 420,000 machines per attack. This indicates ideological motivation on behalf of the attackers, who, unlike criminal hackers attacking websites for money, have more time at their disposal, Qrator Labs was quoted as saying. The media made the list of prime DDoS targets along with payment systems and real estate websites. Last season, Forex websites and online stock exchanges accounted for the “absolute majority” of the attacks, the study said, without providing exact figures. Source: http://www.themoscowtimes.com/news/article/political-ddos-attacks-skyrocket-in-russia/503226.html

Read More:
‘Political’ DDoS Attacks Skyrocket in Russia

Are DDoS attacks becoming more sophisticated?

If you’ve taken the time to read the various security articles over the last few months, you’ll quickly realise that the relatively nascent Bitcoin is well acquainted with DDoS. Initially, this was to undermine and influence Bitcoin currency, but now it is actually being used to steal Bitcoin funds in the millions of dollars. Of course, the very nature of a “”virtual currency”” is going to be attractive to cyber criminals who see it as an easy target; after all, they only have to steal digital information from a computer. At the end of the day, the attackers are winning with what is all too often considered a crude tool. It begs the question: Is DDoS still to be considered a blunt instrument? From what I have seen, the answer is a resounding no. Here’s why: Unconventional DDoS DDoS is getting more sophisticated – DDoS in its simplest form attempts to bombard a server with so many requests that it can’t handle the volume and therefore just shuts down, making a website inaccessible. The conventional understanding of DDoS is that it is typically massive in terms of bandwidth, packets per second and connection, and the latest attacks on BitStamp suggest there was indeed a high volume aspect to the attack. The more important aspect to this attack was how the attackers were able to masquerade the hash of a user transaction and essentially bombard the exchanges with it- in the hope it would be processed before the actual legitimate sessions. In effect, this was not your typical ‘clog the pipe’ DDoS strategy, which is usually touted in articles detailing a huge DDoS attack. The attackers had quite specific knowledge and did their homework when it came to how best to take advantage of DDoS tools and bring down the exchange. Blurring the lines between DDoS and hacking DDoS and hacking have traditionally been seen as two mutually exclusive security initiatives, each requiring its own set of mitigating strategies. While we have seen the two used in tandem – where the DDoS is the ‘feint’ used to cover backend attempts for data theft – the Bitstamp situation stands apart from these experiences in that the DDoS was the actual tool used to carry out the theft. The spoofing of a digital signature/hash to modify the blockchain record was within the payload of the actual DDoS attack. It’s an alarming development considering that more and more ‘conventional’ companies are implementing public facing tools to carry out transactions, which could be hijacked in a similar manner as seen here. There’s no doubt that the stakes are high when it comes to Bitcoin- on the one hand, there could be a lot to gain as adoption and popularity rises; and on the other, there is the regulatory uncertainty and likely insurance issues to consider. When it comes to protecting yourself, realise that by accepting virtual currency, you also become a target for Bitcoin miners and make sure you have appropriate technology in place to protect yourself from DDoS attacks – whether it is a hardware solution that takes days to install and requires a higher up-front cost; or a provider who offers DDoS protection services that can be up and running in as little as a few hours for a monthly cost. Source: http://www.techradar.com/news/software/security-software/are-ddos-attacks-becoming-more-sophisticated–1254382

Read the original post:
Are DDoS attacks becoming more sophisticated?

World Cup websites struck down by DDoS attacks

Various websites associated to the World Cup have been struck by a distributed denial of service (DDoS) attack ahead of the tournament’s opening match on Thursday. The official government World Cup website has been down for more than a day, as well as the websites of some host states. Hacking collective Anonymous has claimed responsibility for the attacks. The hacker group has published a list of over 60 websites that have successfully taken down and are still offline at the time of writing, including as the Brazil website of recording giant Universal Music. Public figures that are perceived by the hackers as supportive of the government and the World Cup are also being targeted. Various performers such as Caetano Veloso, Mariana Aydar, and Filipe Catto have had the content of their websites replaced by anti-FIFA messages or taken down. Last month, the internal communications system of the Brazilian Ministry of External Relations was also hacked, with a possible leak of confidential information. Even though Anonymous has not claimed direct responsibility for the attack, it has released a YouTube video justifying it and citing general dissatisfaction with the World Cup. Back in February, the hackers said they were preparing for a string of cyberattacks to FIFA and sponsor websites during the World Cup, including DDoS attacks, as well as website defacement and data theft. The Anonymous group has vowed to continue the attacks and is posting regular updates on Twitter under the hashtags #OpHackingCup and #OpWorldCup. Source: http://www.zdnet.com/world-cup-websites-struck-down-by-ddos-attacks-7000030479/#ftag=RSSbaffb68

See the article here:
World Cup websites struck down by DDoS attacks

Anonymous takes aim at World Cup sponsors

Hactivist group Anonymous has announced plans to launch a DDoS attack on the sponsors of the football World Cup, which opens in Brazil later this month. Reuters – interviewing Che Commodore, a masked member of Anonymous – says that preparations for the distributed denial of service attack are now under way. “We have a plan of attack. We have already conducted late-night tests to see which of the sites are more vulnerable – this time we are targeting the sponsors of the World Cup,” he said. The main sponsors of the World Cup include Adidas, Budweiser, Coca Cola and Emirates Airlines. Reuters quotes Che Commodore as claiming that a test attack earlier this week allowed Anonymous to break into the Brazilian Foreign Ministry’s server and access dozens of confidential documents, as well as steal several email accounts. The newswire adds that in response to the claims, a Foreign Ministry official told Reuters that 55 email accounts were accessed and the only documents that were obtained were attached to emails and those from the ministry’s internal document archive. Can Anonymous carry out its threat? Tim Keanini, CTO with Lancope, says that, regardless of threat profile, an event of this magnitude must have a heightened level of readiness to a physical or cyber security related event. “By the time a group like this makes a public announcement, much of the infiltration phase has already been done. These threat actors are smart and they don’t start to show their cards until they are well into the operational phase of their campaign,” he explained. Keanini said that events like the World Cup require hundreds of interconnected businesses and every one of those businesses need to be prepared. “If your business is connected to the Internet you should be prepared for cyber security events because it is likely to have already happened, you just don’t have the tools and technique to detect it,” he noted. Sean Power, security operations manager with DOSarrest, meanwhile, said that Anonymous is a face that any hacktivist can masquerade behind. “The composition of a team from one OP to the next will vary greatly – with a predictable effect on the sophistication of the attack. That being said, under normal operation any event as much in the public eye should be wary of DoS attacks, if threats have already been levied, that concern should be increased, not dismissed out of hand,” he explained. Ryan Dewhurst, a senior engineer and web security specialist with RandomStorm, told SCMagazineUK.com that Anonymous has already stated that they used targeted phishing emails to install malware on victim’s machines and gain access to government documents. “I believe they will use a mixture of both sophisticated and non-sophisticated attacks. However, they have also stated that they will be carrying out Distributed Denial of Service (DDoS) attacks against the World Cup sponsors,” he said. “Anonymous’ DDoS attacks, in the past, have worked by getting many Anonymous members to run software, most likely their infamous Low Orbit Ion Cannon (LOIC) tool, which attempts to flood their target with an overwhelming amount of traffic. The LOIC tool is most likely being run by the majority of the group members who have less technical skill, whereas the more sophisticated attacks are most likely carried out by the most skilled members of the group which would be fewer in number,” he added. Dewhurst says that Anonymous – if indeed it is this group and not another group of hacktivists using its name – are always going to go for the easiest targets, as these are also the least risky for them to attack, while still achieving their goals. “If their less risky methods are unsuccessful they will begin to increase the sophistication of the attack, however this also increases the risk of them eventually being caught,” he explained. David Howorth, Alert Logic’s vice president, say there are lessons that can be learned from Anonymous’ latest campaign, which means that companies should review their security practices assuming an attack could take place. IT security professionals, he advises, must be vigilant and ensure that all employees are aware of the company’s internal security policy and best practices, practice good password security, as well as making sure that all systems and applications are up-to-date and patched. “Make sure you have expertise that can monitor, correlate and analyse the security threats to your network and applications across your on-premise and cloud infrastructure 24×7 for continuous protection – this should be done now, as the hackers are already testing the vulnerabilities in the infrastructure in preparation for their attacks,” he went on to say. Source: http://www.scmagazineuk.com/anonymous-takes-aim-at-world-cup-sponsors/article/349934/

Read the article:
Anonymous takes aim at World Cup sponsors

DDoS attacks using SNMP amplification on the rise

Attackers are increasingly abusing devices configured to publicly respond to SNMP (Simple Network Management Protocol) requests over the Internet to amplify distributed denial-of-service attacks. This amplification technique, which is also known as reflection, can theoretically work with any protocol that is vulnerable to IP (Internet Protocol) address spoofing and can generate large responses to significantly smaller queries. Attackers can craft requests that appear to originate from the IP address of their intended victim in order to trick servers that accept requests over such protocols from the Internet to flood the victim with data. Many DDoS attacks in the past year have used misconfigured DNS (Domain Name System) and NTP (Network Time Protocol) servers for amplification. However, devices that support SNMP, a protocol designed to allow the monitoring of network-attached devices by querying information about their configuration, can also be abused if the SNMP service is directly exposed to the Internet. SNMP-enabled devices with such configurations can be found both in home and business environments and include printers, switches, firewalls and routers. Since April 11, the Prolexic Security Engineering Response Team (PLXsert), which is now part of Akamai Technologies, has identified 14 separate DDoS campaigns that used SNMP reflection. Almost half of the malicious SNMP reflected traffic came from IP addresses in the U.S. and 18 percent from China, PLXsert said in a threat advisory published Thursday. “The attacks targeted clients in the following industry verticals: consumer goods, gaming, hosting, non-profits and software-as-a-service (SaaS).” One of the tools used to launch the recent attacks was created in 2011 by a hacker group called Team Poison and can send spoofed SNMP GetBulk requests to publicly accessible SNMP-enabled devices to trigger responses that can be more than 1,700 times larger than the requests, the Prolexic team said. The attackers crafted their requests to have a source port of 80—usually assigned to HTTP—so that vulnerable devices return their SNMP responses to the victims on the same port, flooding their HTTP services. “Until approximately three years ago, SNMP devices were manufactured using SNMP version 2 and were commonly delivered with the SNMP protocol openly accessible to the public by default,” PLXsert said. “Devices using SNMP v3 are more secure. To stop these older devices from participating in attacks, network administrators need to check for the presence of this protocol and turn off public access.” Information over SNMP is controlled by a so-called community string, which in the case of SNMP v2c is “public” by default, PLXsert said. SNMP amplification attacks are not really new, said Sean Power, security operations manager at DDoS protection vendor DOSarrest Internet Security, Friday via email. “Legitimate SNMP traffic has no need to leave your network and should be prevented from doing so. This attack exists because many organizations fail to prevent this.” It’s important for network owners to lock down services that can be used for DDoS reflection and amplification like DNS, SNMP, NTP and voice over IP. This “is part of being a good citizen of the Internet,” said Tom Cross, director of security research for network security and performance monitoring vendor Lancope, via email. Source: http://www.pcworld.com/article/2159060/ddos-attacks-using-snmp-amplification-on-the-rise.html

View original post here:
DDoS attacks using SNMP amplification on the rise

Point DNS blitzed by mystery DDoS attack assault

Domain hosts Point DNS has been hammered with a high intensity DDoS attack on Friday, knocking servers out for hours. The size of the attack and techniques used – much less who might be behind the attack – remains unclear. Several Reg readers got in touch to notify us about the issue and the company confirmed the attack online. “We’re experiencing a DDoS attack on all DNS servers we are working hard mitigate the attack,” Point DNS said in a update to its Twitter profile. “We’re still working through a massive DDoS. We’re adding more nameservers and working with our network providers,” it added. The firm, whose services are used by more than 220,000 domains, was badly affected by the attack. This had a knock-on effect on firms who used its services – while websites were up and running as normal attempts to reach them by typing in a name to a browser would not resolve as normal. The snafu also means email won’t be delivered as normal to affected sites, with early indications suggesting clients clustered in Asia and Europe were worst affected. Security specialists Incapsula spotted a similar attack, which peaked at 25 million packets per second. It reported seeing floods of non-spoofed IP data coming from two DDoS protection services as the cause of the outage. “DNS flood have been around for a while but now the modern high-capacity servers take the attack to a new level,” Incapsula product evangelist Igal Zeifman told El Reg in a statement. “Unlike amplification attacks, that could be easily spotted and filtered on-edge, DNS flood queries can’t be dismissed before they could be allowed to be processed by the server. With powerful botnet machines pumping millions of malicious request each second, and aiming them directly and the most vulnerable server resources (eg CPU), the old threat is now making a comeback in a very dangerous manner.” Source: http://www.theregister.co.uk/2014/05/09/point_dns_ddos/

More:
Point DNS blitzed by mystery DDoS attack assault

DDoS attacks: half of targeted firms get hit again

Two new reports reveal that DDoS attacks are not only getting bigger- now logged between 250 and 325 Gbps, but that these attacks often target the same organisation more than once. The business challenge presented by DDoS attacks hit the spotlight once again this morning, after a research analytics firm revealed that 35 per cent more firms were hit by attacks during 2013 than in 2012 – and with 28 per cent of logged attacks seen last years lasting two days or more.   The most revealing takeout from the Neustar analysis – the firm’s second annual report, entitled `DDoS Attacks & Impact Report – 2014: The Danger Deepens’ – is that once attacked, there is an estimated 69 percent chance of a repeat attack.   And whilst 31 per cent of these companies were DDoS-attacked once, over 48 percent said they had been targeted between two to 10 times.   Neustar’s figures confirm Arbor Networks’ report – released last week – which saw a record 325 Gbps attack hit a French organisation earlier this year, with a massive spike logged by the research division of the DDoS remediation firm on the first quarter of this year.   Arbor says that it 72 attacks larger than 100 Gbps in size and volume, as well as 50 percent more attacks in the first quarter of 2014 than the entirety of 2013.   Back at Neustar, the research company claims that 32 percent companies hit by a DDoS attack last year estimated the events had cost them more than £240,000 per day during the outage. Additionally, the reports notes larger DDoS attacks are becoming more frequent with a 200 percent increase in attacks affecting bandwidth of between 1 and 20 Gbps.   For its research, Neustar took in response from 331 companies in the UK, across a range of public and private sector organisations. The company says its results show that DDoS attacks disrupt multiple business units – with public-facing areas like call centres, customer service and marketing operations absorbing more than 40 per cent of DDoS-attack related costs.   This high cost may because these business functions are key revenue earners in most commercial companies, SCMagazineUK.com notes, but the report also cautions that DDoS attacks are now being used as smokescreens for other attacks – an attack vector that security researcher Brian Krebs has reported on several times over the last 12 months.   Rodney Joffe, Neustar’s senior VP and technology fellow, said that organisations must remain constantly vigilant and abreast of the latest threats.   “As an example, Neustar’s UltraDNS network suffered an attack just last week peaking at over 250 Gbps – a massive attack by industry standards. Even with proper mitigations in place, the attack caused an upstream ripple. It is a constantly changing threat landscape,”he noted.   According to Mark Teolis, general manager with DOSarrest, a DDoS remediation specialist, the key problem with the latest generation of attacks is not just the volume and bandwidth used, but their general sophistication, with Layer 7 attacks now being seen in the mainstream.   Layer 7 is the highest of the seven IP layers defined under the OSI (Open System Interconnection) model and represents the application layer – the location on the computing resource where data both originates and returns.   Speaking with SCMagazineUK.com last week at the Infosecurity Europe show, Teolis said his firm’s latest software has been enhanced to deal with these latest Layer 7 attacks, by combining IDS (intrusion detection systems), load balancing, WAF (web application firewall) and DDoS mitigation under a single IT umbrella.   Using an IDS, he explained, allows security professionals to pinpoint sophisticated layer 7 attacks, as well as provide cloud based WAF services.   “Using these approaches – coupled with spreading the load across multiple cloud resources – significantly mitigates the effects of even the highest volume DDoS attack,” he said.   Keith Bird, UK managing director with Check Point, told SCMagazineUK.com that DDoS attacks have been used as a hacktivist weapon for several years – and, as this research illustrates, now the net is widening to businesses at large.   “We are seeing smokescreen-type attacks, and also more complex, multi-vector attacks on Web sites that combine DDoS with account tampering and fraud attempts,” he said adding, that, whilst these are difficult to defend against, firms should consider contingency and remediation plans in the event of such attacks. Source: http://www.scmagazineuk.com/ddos-attacks-half-of-targeted-firms-get-hit-again/article/345878/

See original article:
DDoS attacks: half of targeted firms get hit again

France Getting Battered By DDoS Attacks

France is seeing massive amounts of DDoS traffic going through its networks, thanks to sizeable hits on the country’s popular hosting providers As the UK enjoys a relatively low volume of distributed denial of service (DDoS) attacks, France is seeing deluges of traffic hitting organisations frequently, according to research. Major hosting providers, including the hugely-polular, OVH have attracted DDoSers to France, which was only outdone by the US in terms of the amount of DDoS traffic passing through the countries’ networks, according to Arbor Networks. A record 325Gbps attack hit France this year, but it is not known who was involved. DDoS threat getting bigger and bigger Darren Anstee, director of solutions architects at Arbor, said France was being attacked largely because of the popularity of those hosting providers. “They’ve got a lot of big hosting providers and some of those are used by the gaming industry [which is subject to significant sized attacks],” he told TechWeekEurope . Arbor spotted an unprecedented rise in DDoS attacks over the first quarter of 2014. It saw 72 attacks larger than 100Gbps and 1.5 times the number of attacks over 20Gbps as in the whole of 2013. The epic increase in attack size has come as a result of what’s known as amplification. Protocols such as Network Time Protocol can be used to generate massive DDoS attacks with relatively little effort on behalf of the offenders. They can abuse vulnerable NTP servers by spoofing the IP address of a target, sending small requests and getting massive responses. The target IP is then flooded with that traffic. Even protocols used by popular gaming services, from Quake to the Steam protocol, can be abused for amplification purposes. Source: http://www.techweekeurope.co.uk/news/ddos-france-gaming-hosting-companies-144777

View the original here:
France Getting Battered By DDoS Attacks