Tag Archives: denial of service

Register for DDoS Protection and Response Strategies Webinar!

  As cyber-criminals innovate and develop new techniques to tackle defensive methods, it has never been more important for information security professionals to have strong, proactive defense and remediation strategies in place. During this webinar, the speakers will share insight on how to address the risks and respond to attacks. Hear about the evolution of and motivations behind DDoS attacks and the attack vectors exploited Discover how to implement multi-layered DDoS defense Identify best practice detection and classification techniques Discover how to implement resilient DDoS incident response practices Date: November 12th 2014 Time: 10:00AM EST/15:00 GMT Click here to register !

See more here:
Register for DDoS Protection and Response Strategies Webinar!

Report on China’s underground services for DDoS Attacks

After analyzing trends in the Chinese underground, Trend Micro found that activity in the marketplace doubled between 2012 and 2013. Upon an even closer look, researchers at the firm also found that the most coveted tools and services in the underground were compromised hosts, remote access trojans (RATs) and distributed denial-of-service (DDoS) attack services. Trend Micro’s new research paper, “The Chinese Underground in 2013,”(PDF) detailed criminal activity facilitated in the space, and in a Thursday interview with SCMagazine.com, Christopher Budd, global threat communication manager at the company, said that, among the products, compromised hosts were most sought after. In the report, Trend Micro defined “compromised hosts” as client workstations or servers that cybercriminals “have gained command and control of” without the owners’ consent. “That makes sense, because the compromised host is a multi-tasker,” Budd said. “It’s kind of a like a Swiss army knife – you can do multiple things with it.” The report also highlighted the going rate last year for popular black market services. Distributed denial-of-service (DDoS) offerings, for instance, were offered for anywhere from $16 per day to nearly $500 for a “lifetime” DDoS toolkit rental, the report revealed. Researchers also monitored underground activity centered around mobile attacks. Trend Micro found that the most in demand offerings were SMS spamming services, SMS servers and premium service numbers. Overall, the report noted that the increased activity in the China’s underground took into account, both the number of participants and the number of product and services offerings in 2013. In his interview, Rudd also noted that attacks, facilitated through shady transactions in China’s underground market, were most often aimed at other users in the country – an ongoing trend that will likely continue. “The participants in the Chinese underground looking inward, and the Russian underground looking outward [in attacks], has been a consistent trend,” Budd said. “And partly, that’s linguistic, because the people in the Chinese underground market [products and services] in Chinese as opposed to English – [but] it’s a combination of cultural and linguistic factors,” he said. Source: http://www.scmagazine.com/report-chinas-underground-activity-doubled-last-year/article/369849/

See the original article here:
Report on China’s underground services for DDoS Attacks

Amazon cloud infested with DDoS botnets

Security researchers have found yet another exploit on the Amazon cloud computing platform through the Elasticsearch distributed search engine tool. According to analysis, hackers are able to gain access to the search engine to deploy a battalion of botnets on Amazon cloud. The vulnerability should be a cause of alarm and, therefore, merits the attention of enterprises because it could manipulate Amazon cloud platforms in an attempt to launch distributed denial of service attacks against hundreds of thousands of websites. Amazon cloud users can a representational state transfer API to search various documents through Elasticsearch, an open-source search engine server built based on Java. It is more popular among cloud environments for its distributed architecture that enables multiple nodes. Researchers found security issues on the versions 1.1.x of Elasticsearch because its API scripting lacks a mechanism to authenticate access and a sandbox security infrastructure. Therefore, anyone, including hackers, can penetrate Elasticsearch just so easy. After that, attackers could carry out several malicious activities using Elasticsearch’s scripting capability such as carrying out arbitrary code on the server. As of now there is no patch coming from the developers of Elasticsearch. Nonetheless, versions 1.2.0 and up are safe from being exploited by hackers. New offshoots of Mayday Trojan for Linux has been spotted over the past week and the malware already launched DDoS attacks against targets DNS amplification. A Mayday variant was reported to be running on an Amazon server that has been compromised through the Elasticsearch exploit, though there are other platforms that could have been potentially manipulated. However, the Mayday variant did not resort to DNS amplification on the compromised EC2 instances. Instead it was used to launch attacks by flooding several websites with UDP traffic. As a result, many regional banking institutions in the United States and electronics companies in Japan had to transfer their IP addresses to DDoS mitigation service vendors. The Amazon EC2-run virtual machines were also reported to have been attacked by hackers through a CVE-2014-3120 exploit in the 1.1.x versions of Elasticsearch. Researchers observed that many commercial enterprises still use those versions. According also to security researchers, attackers have changed proof-of-concept exploit code for CVE-2014-3120 to install a Web shell developed based on Perl. A Web shell is a script that enables hackers to deploy Linux shell commands backdoor through the Web. The script was then further manipulated to download a fresh variant of the Mayday DDoS botnet. Amazon has already notified its customers about the issue. Source: http://www.techwalls.com/amazon-cloud-infested-ddos-botnets/

See more here:
Amazon cloud infested with DDoS botnets

17-Year-Old Behind Norway DDoS Attacks This Week

On Thursday, the Norwegian police have arrested and charged a 17-year-old in connection to the recent massive distributed denial-of-service (DDoS) attacks directed at major financial institutions and other businesses in the country. The teen, from the city of Bergen, on Norway’s west coast, claimed to be part of the hacktivist group Anonymous Norway, who, in a Twitter message, dismissed any connection to him or the DDoS incidents. On the day of the attack, the teenager sent a letter to the media, claiming to be part of Anonymous and saying that “the motivation behind the current attacks and the next attacks in the future is to get the community to wake up. The number of major IT security attacks is increasing and there is nothing being done to prevent such events.” Evidence that Anonymous Norway was not involved in the incidents is the fact that the boy joined the group’s Facebook page on the same day of the attack. Furthermore, the hacker outfit provided a Pastebin link in a new tweet, pointing to the identity of the perpetrator; they did not create the post, just scooped it up. Initially, the youngster was charged with gross vandalism, which carries a maximum prison sentence of six years in Norway. However, since he has no record and is still a minor, this should be greatly reduced. According to News in English, Frode Karlsen of the Bergen police told Norwegian Broadcasting that the authorities are taking the matter seriously because this sort of attack can have significant impacts on society, like individuals not being able to reach emergency services in case they needed help. After his arrest, the teen cooperated in the investigation and clarified the nature of his actions. His defense lawyer stated that “he’s sorry for having caused all this and has laid his cards on the table.” The DDoS attack, which occurred on Tuesday, was considered among the largest ever seen in Norway and leveraged the vulnerable “pingback” WordPress feature. Its increased significance is due to the fact that it targeted layers three (network) and four (transport) of the OSI model, as well as layer seven (application), at the same time. Mitigating an application layer DDoS attack is not too easy, because the requests are directed at the application interface and mimic legitimate behavior, which makes filtering out the bad traffic more difficult. The attack aimed at disrupting the online services of major financial institutions in Norway (Norges Bank, Sparebank 1, Storebrand, Gjensidige, Nordea, Danske Bank), as well as other business, like Scandinavian Airlines (SAS) and Norwegian Air. The website of the largest telecommunications company in Norway, Telenor, was also affected. Source: http://news.softpedia.com/news/17-Year-Old-Behind-Norway-DDoS-Attacks-this-Week-450391.shtml

Read the article:
17-Year-Old Behind Norway DDoS Attacks This Week

‘Political’ DDoS Attacks Skyrocket in Russia

Commercial hackers in Russia are giving way to politically motivated cyber criminals targeting ideological enemies, a new study said Wednesday. The most powerful DDoS attacks on Russian websites in the first six months of 2014 were triggered by the political crisis in Ukraine, digital security company Qrator Labs revealed. February’s Olympic Games in Sochi also prompted a spike in DDoS attacks, said the study, as reported by Bfm.ru news website. Hacker attacks in Russia have generally decreased in quantity, but have become more powerful compared with the first six months of 2013, the report said. About 2,700 distributed denial-of-service (DDoS) attacks occurred during the first six months of 2014, compared with 4,400 over the same period last year, Bfm.ru said. But the number of powerful attacks upward of 1 Gbps increased five times to more than 7 percent of the total, the report said, citing Qrator Labs digital security company. Some of the attacks peaked at 120 to 160 Gbps, the report said. Attack time also grew significantly, with DDoS strikes lasting up to 91 days, compared with 21 days in the first half of 2013. Average botnet size tripled from 136,000 to 420,000 machines per attack. This indicates ideological motivation on behalf of the attackers, who, unlike criminal hackers attacking websites for money, have more time at their disposal, Qrator Labs was quoted as saying. The media made the list of prime DDoS targets along with payment systems and real estate websites. Last season, Forex websites and online stock exchanges accounted for the “absolute majority” of the attacks, the study said, without providing exact figures. Source: http://www.themoscowtimes.com/news/article/political-ddos-attacks-skyrocket-in-russia/503226.html

Read More:
‘Political’ DDoS Attacks Skyrocket in Russia

Are DDoS attacks becoming more sophisticated?

If you’ve taken the time to read the various security articles over the last few months, you’ll quickly realise that the relatively nascent Bitcoin is well acquainted with DDoS. Initially, this was to undermine and influence Bitcoin currency, but now it is actually being used to steal Bitcoin funds in the millions of dollars. Of course, the very nature of a “”virtual currency”” is going to be attractive to cyber criminals who see it as an easy target; after all, they only have to steal digital information from a computer. At the end of the day, the attackers are winning with what is all too often considered a crude tool. It begs the question: Is DDoS still to be considered a blunt instrument? From what I have seen, the answer is a resounding no. Here’s why: Unconventional DDoS DDoS is getting more sophisticated – DDoS in its simplest form attempts to bombard a server with so many requests that it can’t handle the volume and therefore just shuts down, making a website inaccessible. The conventional understanding of DDoS is that it is typically massive in terms of bandwidth, packets per second and connection, and the latest attacks on BitStamp suggest there was indeed a high volume aspect to the attack. The more important aspect to this attack was how the attackers were able to masquerade the hash of a user transaction and essentially bombard the exchanges with it- in the hope it would be processed before the actual legitimate sessions. In effect, this was not your typical ‘clog the pipe’ DDoS strategy, which is usually touted in articles detailing a huge DDoS attack. The attackers had quite specific knowledge and did their homework when it came to how best to take advantage of DDoS tools and bring down the exchange. Blurring the lines between DDoS and hacking DDoS and hacking have traditionally been seen as two mutually exclusive security initiatives, each requiring its own set of mitigating strategies. While we have seen the two used in tandem – where the DDoS is the ‘feint’ used to cover backend attempts for data theft – the Bitstamp situation stands apart from these experiences in that the DDoS was the actual tool used to carry out the theft. The spoofing of a digital signature/hash to modify the blockchain record was within the payload of the actual DDoS attack. It’s an alarming development considering that more and more ‘conventional’ companies are implementing public facing tools to carry out transactions, which could be hijacked in a similar manner as seen here. There’s no doubt that the stakes are high when it comes to Bitcoin- on the one hand, there could be a lot to gain as adoption and popularity rises; and on the other, there is the regulatory uncertainty and likely insurance issues to consider. When it comes to protecting yourself, realise that by accepting virtual currency, you also become a target for Bitcoin miners and make sure you have appropriate technology in place to protect yourself from DDoS attacks – whether it is a hardware solution that takes days to install and requires a higher up-front cost; or a provider who offers DDoS protection services that can be up and running in as little as a few hours for a monthly cost. Source: http://www.techradar.com/news/software/security-software/are-ddos-attacks-becoming-more-sophisticated–1254382

Read the original post:
Are DDoS attacks becoming more sophisticated?

World Cup websites struck down by DDoS attacks

Various websites associated to the World Cup have been struck by a distributed denial of service (DDoS) attack ahead of the tournament’s opening match on Thursday. The official government World Cup website has been down for more than a day, as well as the websites of some host states. Hacking collective Anonymous has claimed responsibility for the attacks. The hacker group has published a list of over 60 websites that have successfully taken down and are still offline at the time of writing, including as the Brazil website of recording giant Universal Music. Public figures that are perceived by the hackers as supportive of the government and the World Cup are also being targeted. Various performers such as Caetano Veloso, Mariana Aydar, and Filipe Catto have had the content of their websites replaced by anti-FIFA messages or taken down. Last month, the internal communications system of the Brazilian Ministry of External Relations was also hacked, with a possible leak of confidential information. Even though Anonymous has not claimed direct responsibility for the attack, it has released a YouTube video justifying it and citing general dissatisfaction with the World Cup. Back in February, the hackers said they were preparing for a string of cyberattacks to FIFA and sponsor websites during the World Cup, including DDoS attacks, as well as website defacement and data theft. The Anonymous group has vowed to continue the attacks and is posting regular updates on Twitter under the hashtags #OpHackingCup and #OpWorldCup. Source: http://www.zdnet.com/world-cup-websites-struck-down-by-ddos-attacks-7000030479/#ftag=RSSbaffb68

See the article here:
World Cup websites struck down by DDoS attacks

Anonymous takes aim at World Cup sponsors

Hactivist group Anonymous has announced plans to launch a DDoS attack on the sponsors of the football World Cup, which opens in Brazil later this month. Reuters – interviewing Che Commodore, a masked member of Anonymous – says that preparations for the distributed denial of service attack are now under way. “We have a plan of attack. We have already conducted late-night tests to see which of the sites are more vulnerable – this time we are targeting the sponsors of the World Cup,” he said. The main sponsors of the World Cup include Adidas, Budweiser, Coca Cola and Emirates Airlines. Reuters quotes Che Commodore as claiming that a test attack earlier this week allowed Anonymous to break into the Brazilian Foreign Ministry’s server and access dozens of confidential documents, as well as steal several email accounts. The newswire adds that in response to the claims, a Foreign Ministry official told Reuters that 55 email accounts were accessed and the only documents that were obtained were attached to emails and those from the ministry’s internal document archive. Can Anonymous carry out its threat? Tim Keanini, CTO with Lancope, says that, regardless of threat profile, an event of this magnitude must have a heightened level of readiness to a physical or cyber security related event. “By the time a group like this makes a public announcement, much of the infiltration phase has already been done. These threat actors are smart and they don’t start to show their cards until they are well into the operational phase of their campaign,” he explained. Keanini said that events like the World Cup require hundreds of interconnected businesses and every one of those businesses need to be prepared. “If your business is connected to the Internet you should be prepared for cyber security events because it is likely to have already happened, you just don’t have the tools and technique to detect it,” he noted. Sean Power, security operations manager with DOSarrest, meanwhile, said that Anonymous is a face that any hacktivist can masquerade behind. “The composition of a team from one OP to the next will vary greatly – with a predictable effect on the sophistication of the attack. That being said, under normal operation any event as much in the public eye should be wary of DoS attacks, if threats have already been levied, that concern should be increased, not dismissed out of hand,” he explained. Ryan Dewhurst, a senior engineer and web security specialist with RandomStorm, told SCMagazineUK.com that Anonymous has already stated that they used targeted phishing emails to install malware on victim’s machines and gain access to government documents. “I believe they will use a mixture of both sophisticated and non-sophisticated attacks. However, they have also stated that they will be carrying out Distributed Denial of Service (DDoS) attacks against the World Cup sponsors,” he said. “Anonymous’ DDoS attacks, in the past, have worked by getting many Anonymous members to run software, most likely their infamous Low Orbit Ion Cannon (LOIC) tool, which attempts to flood their target with an overwhelming amount of traffic. The LOIC tool is most likely being run by the majority of the group members who have less technical skill, whereas the more sophisticated attacks are most likely carried out by the most skilled members of the group which would be fewer in number,” he added. Dewhurst says that Anonymous – if indeed it is this group and not another group of hacktivists using its name – are always going to go for the easiest targets, as these are also the least risky for them to attack, while still achieving their goals. “If their less risky methods are unsuccessful they will begin to increase the sophistication of the attack, however this also increases the risk of them eventually being caught,” he explained. David Howorth, Alert Logic’s vice president, say there are lessons that can be learned from Anonymous’ latest campaign, which means that companies should review their security practices assuming an attack could take place. IT security professionals, he advises, must be vigilant and ensure that all employees are aware of the company’s internal security policy and best practices, practice good password security, as well as making sure that all systems and applications are up-to-date and patched. “Make sure you have expertise that can monitor, correlate and analyse the security threats to your network and applications across your on-premise and cloud infrastructure 24×7 for continuous protection – this should be done now, as the hackers are already testing the vulnerabilities in the infrastructure in preparation for their attacks,” he went on to say. Source: http://www.scmagazineuk.com/anonymous-takes-aim-at-world-cup-sponsors/article/349934/

Read the article:
Anonymous takes aim at World Cup sponsors

DDoS attacks using SNMP amplification on the rise

Attackers are increasingly abusing devices configured to publicly respond to SNMP (Simple Network Management Protocol) requests over the Internet to amplify distributed denial-of-service attacks. This amplification technique, which is also known as reflection, can theoretically work with any protocol that is vulnerable to IP (Internet Protocol) address spoofing and can generate large responses to significantly smaller queries. Attackers can craft requests that appear to originate from the IP address of their intended victim in order to trick servers that accept requests over such protocols from the Internet to flood the victim with data. Many DDoS attacks in the past year have used misconfigured DNS (Domain Name System) and NTP (Network Time Protocol) servers for amplification. However, devices that support SNMP, a protocol designed to allow the monitoring of network-attached devices by querying information about their configuration, can also be abused if the SNMP service is directly exposed to the Internet. SNMP-enabled devices with such configurations can be found both in home and business environments and include printers, switches, firewalls and routers. Since April 11, the Prolexic Security Engineering Response Team (PLXsert), which is now part of Akamai Technologies, has identified 14 separate DDoS campaigns that used SNMP reflection. Almost half of the malicious SNMP reflected traffic came from IP addresses in the U.S. and 18 percent from China, PLXsert said in a threat advisory published Thursday. “The attacks targeted clients in the following industry verticals: consumer goods, gaming, hosting, non-profits and software-as-a-service (SaaS).” One of the tools used to launch the recent attacks was created in 2011 by a hacker group called Team Poison and can send spoofed SNMP GetBulk requests to publicly accessible SNMP-enabled devices to trigger responses that can be more than 1,700 times larger than the requests, the Prolexic team said. The attackers crafted their requests to have a source port of 80—usually assigned to HTTP—so that vulnerable devices return their SNMP responses to the victims on the same port, flooding their HTTP services. “Until approximately three years ago, SNMP devices were manufactured using SNMP version 2 and were commonly delivered with the SNMP protocol openly accessible to the public by default,” PLXsert said. “Devices using SNMP v3 are more secure. To stop these older devices from participating in attacks, network administrators need to check for the presence of this protocol and turn off public access.” Information over SNMP is controlled by a so-called community string, which in the case of SNMP v2c is “public” by default, PLXsert said. SNMP amplification attacks are not really new, said Sean Power, security operations manager at DDoS protection vendor DOSarrest Internet Security, Friday via email. “Legitimate SNMP traffic has no need to leave your network and should be prevented from doing so. This attack exists because many organizations fail to prevent this.” It’s important for network owners to lock down services that can be used for DDoS reflection and amplification like DNS, SNMP, NTP and voice over IP. This “is part of being a good citizen of the Internet,” said Tom Cross, director of security research for network security and performance monitoring vendor Lancope, via email. Source: http://www.pcworld.com/article/2159060/ddos-attacks-using-snmp-amplification-on-the-rise.html

View original post here:
DDoS attacks using SNMP amplification on the rise

Point DNS blitzed by mystery DDoS attack assault

Domain hosts Point DNS has been hammered with a high intensity DDoS attack on Friday, knocking servers out for hours. The size of the attack and techniques used – much less who might be behind the attack – remains unclear. Several Reg readers got in touch to notify us about the issue and the company confirmed the attack online. “We’re experiencing a DDoS attack on all DNS servers we are working hard mitigate the attack,” Point DNS said in a update to its Twitter profile. “We’re still working through a massive DDoS. We’re adding more nameservers and working with our network providers,” it added. The firm, whose services are used by more than 220,000 domains, was badly affected by the attack. This had a knock-on effect on firms who used its services – while websites were up and running as normal attempts to reach them by typing in a name to a browser would not resolve as normal. The snafu also means email won’t be delivered as normal to affected sites, with early indications suggesting clients clustered in Asia and Europe were worst affected. Security specialists Incapsula spotted a similar attack, which peaked at 25 million packets per second. It reported seeing floods of non-spoofed IP data coming from two DDoS protection services as the cause of the outage. “DNS flood have been around for a while but now the modern high-capacity servers take the attack to a new level,” Incapsula product evangelist Igal Zeifman told El Reg in a statement. “Unlike amplification attacks, that could be easily spotted and filtered on-edge, DNS flood queries can’t be dismissed before they could be allowed to be processed by the server. With powerful botnet machines pumping millions of malicious request each second, and aiming them directly and the most vulnerable server resources (eg CPU), the old threat is now making a comeback in a very dangerous manner.” Source: http://www.theregister.co.uk/2014/05/09/point_dns_ddos/

More:
Point DNS blitzed by mystery DDoS attack assault