Tag Archives: denial of service

Bot masters in cut-throat DDoS fight

DDoS reaches 300,000 connections a minute. Botnet operators in the criminal underground are launching large denial of service attacks against each other in a bid to knock out rivals in the race to compromise computers. Security researchers have discovered command and control servers owned by operators of Zeus botnets were blasted by those running a rival Cutwail botnet in a distributed denial of service attack reaching 300,000 connections a minute. The infamous Zeus malware was a trojan often used to steal banking information and install cyrptolocking software. The Zeus family was considered to be the largest botnet operating on the internet. Cutwail is also an established botnet which is typically involved in sending spam via the Pushdo trojan, at its peak pushing out millions of emails a day. University researchers said in a paper that Cutwail, known to spammers as ’0bulk Psyche Evolution’, was rented to spam affiliates who pay fees to the botmasters totalling hundreds of thousands of dollars, in order to launch spam campaigns (pdf). RSA researchers found a hit list of new dynamically generated domain names within a Cutwail botnet which served as infrastructure targets of the operator’s rivals. A senior threat researcher that runs under the handle ‘Fielder’ wrote he was surprised to find evidence of the continual fighting. “This is an incredibly interesting finding as it suggests some fierce competition within the criminal underground,” Fielder said. “This was quite literally a live action view of botmasters attacking one another.” The research team examined the attacked IP addresses and found that each was related to Zeus and Zbot (Zeus) command and control hosts. The attacker’s IP addresses were tracked since August and linked to Zeus and kryptik trojans and variants, as well as Bitcoin mining activity. These addresses were also embroiled in a “long history” of malware campaigns including those foisting the formerly infamous BlackHole exploit kit, spam campaigns and an effort to serve malware over IRC and BitTorrent. Source: http://www.itnews.com.au/News/382411,bot-masters-in-cut-throat-ddos-fight.aspx?utm_source=feed&utm_medium=rss&utm_campaign=editors_picks

More:
Bot masters in cut-throat DDoS fight

Over 160,000 legitimate WordPress sites used for DDoS attack

Distributed Denial of Service (DDoS) attacks aren’t new and 2013 was one of the worst years when it comes to such attacks that too through the use of large botnets and / or specialised DDoS tools; however, use of legitimate WordPress blogs and sites to carry out such attacks is something that isn’t widespread, but is becoming a trend lately. According to Sucuri Research over 162,000 legitimate WordPress blogs and sites were a part of huge DDoS attacks on one of its client’s website. The attacker(s) used WordPress websites as indirect amplification vectors through a simple one line command. “Any WordPress site with XML-RPC enabled (which is on by default) can be used in DDOS attacks against other sites”, notes Sucuri CTO and OSSEC Founder Daniel Cid in a blog post. Cid explained that the DDoS attack was a large layer 7 HTTP-based distributed flood attack through which the perpetrators forced legit WordPress sites to send out thousands of requests per second to the victim’s servers. All the GET requests being sent to victim’s servers had a random value that bypassed their caching mechanism thereby forcing to load the whole page on every request, which killed the server quickly. “One attacker can use thousands of popular and clean WordPress sites to perform their DDOS attack, while being hidden in the shadows, and that all happens with a simple ping back request to the XML-RPC file” revealed Cid. Cid provides a couple of workarounds to ensure that your WordPress site isn’t DDoSing someone else’s site. First is to disable the XML-RPC (pingback) functionality from your site. This can be done by removing the xmlrpc.php or disabling the notifications in your blog’s settings. However, the thing is as soon as you upgrade your WordPress, the file come right back. Another solution is that users use some cloud based security solution or proxy site that will ensure that such misuse is prohibited. “This is a well known issue within WordPress and the core team is aware of it, it’s not something that will be patched though. In many cases this same issue is categorized as a feature, one that many plugins use, so in there lies the dilemma”, concludes Cid. Source: http://www.techienews.co.uk/977737/160000-legitimate-wordpress-sites-used-ddos/

Read this article:
Over 160,000 legitimate WordPress sites used for DDoS attack

Mt. Gox hit by massive DDoS attacks

Mt. Gox K.K., the collapsed trading platform for the bitcoin digital currency, came under so-called distributed denial of service (DDoS) attacks aimed at shutting its servers by overloading them with massive volumes of data in early February, it has been learned. Also between February and earlier this month, bitcoin exchanges in Canada and Slovenia were hit by similar attacks, indicating such cyber-attacks have been launched on a global scale. According to sources, the Tokyo-based Mt. Gox was struck by cyber-attacks aimed at stealing bitcoins beginning Feb. 7 by exploiting security shortfalls in its system. Separately, it came under major DDoS attacks, with the system accessed 150,000 times per second. The attacks mostly from servers in the United States and Europe continued for several days. The company suspended bitcoin withdrawals on Feb. 10. DDoS attacks often hijack a large number of computers with viruses. According to the sources, perpetrators often launch such attacks to steal data when a company tries to mend defects in its system. Although the DDoS attacks failed to shut down Mt. Gox’s system, subsequent attacks targeted flaws in its system, stealing a massive amount of bitcoins. In mid-February, a Slovenian bitcoin exchange temporarily suspended trading due to a system glitch caused by cyber-attacks. A Canadian bitcoin exchange announced that it has lost 896 bitcoins, the equivalent of ¥60 million, due to cyber-attacks, while another exchange reported that more than 12 percent of its bitcoin holdings was stolen. “[The attacks] are probably launched by multiple hackers who want to boast they broke into the bitcoin systems,” said Tetsutaro Uehara, a professor of information security at Ritsumeikan University. “DDoS attacks can be done without high-level hacking techniques. It is possible that copycats turned their eyes on other exchanges after weaknesses in Mt. Gox’s system were found.” One week after Mt. Gox filed for bankruptcy protection, the bitcoin community is still puzzled over what exactly caused the company to go under. What are believed to be in-house documents of Mt. Gox, including a draft detailing the purported theft, are circulating on the Internet. Around Feb. 25, before the company suspended business, English documents titled “Crisis Strategy Draft” reporting 744,408 bitcoins had been stolen were posted on the Internet. The damage was almost the same as the figure cited by the company when it collapsed. Earlier this month, a self-proclaimed Russian hacker posted audio recordings of alleged conversations between Mt. Gox Chief Executive Officer Mark Karpeles and a Japanese megabank official, who urged him to close the company’s account in the bank. According to sources, the recordings are believed to be genuine. The “Russian hacker” also posted the design chart of the Mt. Gox computer system. A ‘genuine geek’ Source: http://the-japan-news.com/news/article/0001103726

More:
Mt. Gox hit by massive DDoS attacks

Second Anonymous member sentenced for role in DDoS attack

The U.S. District Court, Eastern District of Wisconsin, has sentenced Jacob Wilkens to 24 months of probation and ordered him to pay $110,932.71 in restitution for his role in a distributed denial-of-service (DDoS) attack against Koch Industries. Wilkens pled guilty to intentionally causing damage to a protected computer by assisting other members of the hacktivist collective Anonymous in launching a DDoS attack on the servers of Angel Soft bathroom tissue, based in Green Bay, in February and March of 2011. The attacks against Koch Industries were said to have lasted three days and resulted in several hundred-thousand dollars in losses. For his role in the same attack, Christopher Sudlik was ordered earlier this month to pay the same in restitution, as well as being sentenced to 36 months of probation and 60 hours of community service. Source: http://www.scmagazine.com/second-anonymous-member-sentenced-for-role-in-ddos-attack/article/334490/

More:
Second Anonymous member sentenced for role in DDoS attack

Education sector is fastest growing for DDoS mitigation

The education sector is the fastest growing segment in taking up distributed denial of service (DDoS) mitigation, according to DDoS protection services firm DOSarrest. The firm’s CTO Jag Bains told Computing that many companies -not just e-commerce firms – are deploying DDoS protection. “If their website goes down as a result of an attack, they can lose their SEO ranking or it could have an effect on their brand, there is a lot at stake aside from revenues,” he said. And despite there not being a particular industry that looks at DDoS protection as a must, DOSarrest’s general manager, Mark Teolis claimed that the education sector is one area which has grown significantly. “Our fastest growing segment in the last six months is the education sector believe it or not,” he said. Teolis explained that the firm was getting business from “schools from the UK, the US and international universities” but said he couldn’t identify a specific reason as to why the sector has shown a sudden interest. Bains believes that it may be as a result of educational institutes guarding themselves against their own students. “Students have easy access to DDoS tools, so they may want to try it against their own [school or university]. They could be motivated because they’re failing in something, and there are enough smart kids around to access tools – it is easy to Google them anyway,” he said. But Teolis said that the tools have been available on the internet for a long time, so questioned why there was a sudden surge in interest from educational institutes. Bains suggested that it could be because the school and university websites have become an integral part of the education system. “We’ve been talking about e-commerce and gaming [as being key industries for DDoS protection], but web presence itself is very important and schools and universities need to make their websites accessible. They need a website to give out grades, information and schedules – five years ago they weren’t really using the web page apart from explaining where the school is located,” he said. But while the education sector may be taking a keen interest, Teolis claims that there is not one segment that is “taking up 30 per cent of the market”. He said that “10 or 15 per cent of the market is as good as it gets”. As for a particular industry that has not taken DDoS as seriously as others, Teolis believes many e-commerce firms haven’t contemplated being the victim of a DDoS attack. “There are still the odd e-commerce guys out there [who haven't taken it as seriously]. Money is rolling in and they’re just focused on that; DDoS for them is somebody else’s problem. A lot of it is ‘my ISP will deal with it’, the fact of the matter is, it is difficult to stop all of the attacks,” he said. Source: http://www.computing.co.uk/ctg/news/2325009/education-sector-is-fastest-growing-for-ddos-mitigation-dosarrest

See the original article here:
Education sector is fastest growing for DDoS mitigation

Could Cross-site scripting (XSS) be the chink in your website’s armour?

Sean Power, security operations manager for DOSarrest Internet Security , gives his advice on how businesses that rely heavily on their web presences can avoid (inadvertently) making their users susceptible to malicious attackers. Cross-site scripting, otherwise commonly known as XSS, is a popular attack vector and gets its fair share of the limelight in the press, but why is it such a problem and how is it caused? Essentially, XSS is a code vulnerability in a website that allows an attacker to inject malicious client-side scripts into a web page viewed by a visitor. When you visit a site that has been compromised by a XSS attack, you will be inadvertently executing the attacker’s program in addition to viewing the website. This code could be downloading malware, copying your personal information, or using your computer to perpetuate further attacks. Of course, most people don’t look at the scripting details on the website, but with popular wikis and web 2.0 content that is constantly updated and changed, it’s important to understand the ramifications from a security stand point. In order for modern websites to be interactive, they require a high degree of input from the user, this can be a place for attackers to inject content that will download malware to a visitor or enslave their computer, and therefore it is hard to monitor an ‘open’ area of the website and continually update and review their websites. XSS code can appear on the web page, in banner ads, even as part of the URL; and if it’s a site that is visited regularly, users will as good as submit themselves to the attacker.  In addition, as XSS is code that runs on the client side, it has access to anything that the JavaScript has access to on the browser, such as cookies that store information about browsing history. One of the real concerns about XSS is that by downloading script on a client-side computer, that endpoint can become enslaved into a botnet, or group of computers that have been infected with malware in order to allow a third party to control them, and used to participate in denial of service attacks. Users might not even be aware that they are part of an attack. In a recent case, we identified how a popular denial of service engine called ‘JSLOIC’ was used as script in a popular website, making any visitor an unwitting participant in a denial of service attack against a third party for as long as that browser window remained open. The range of what can be accomplished is huge- malware can be inserted into a legitimate website, turning it into a watering hole that can infect a visitor’s computer; and this can impact anyone. Once the XSS is put into a website, then the user becomes a victim and the attacker has is all of information that the browser has. In terms of preventing it; firstly, the hole in the website that has been exploited has to be closed.  The main tactic to prevent XSS code running on your website is to make sure you are ‘locking all the doors’ and reviewing your website code regularly to remove bugs and any vulnerabilities. If you are doing it properly, it should be a continual process. If a website has malware on it due to the owner not reviewing it regularly, then attackers will be able alter the malicious code to dominate the page and infect more visitors. You can limit the chances of getting malicious code on your website by routinely auditing the website for unintended JavaScript inclusions. But with XSS, especially non-persistent XSS, the best thing is to validate all data coming in, don’t include any supporting language and make sure what is coming in is sanitised, or checked for malicious code. This is especially true for parts of your website that get regular updates, like comment sections. It is not enough to just assume that because it clean before, new updates will also be also be clear. Even if you are following proper security coding and go through code reviews, websites are sometimes up for six months with no changes made, that is why vulnerability testing is important as new bugs come up. Remember, HTTP and HTML are full of potential vulnerabilities as the HTML protocol was written in the 1960s; it was never imagined it to be what it has become. So when writing website code, if you do not consider SQL Injection or XSS, then you will write a website full of holes. Top three tips: – Review your website and sanitise your code regularly to ensure there is no malicious code or holes where code can be inserted. – Consider not allowing comments to host external links, or even approve those links before they are published to prevent  code from being inserted easily. – View your web traffic in and out of your website for signs of unusual behaviour. Source: http://www.information-age.com/technology/security/123457575/could-xss-be-the-chink-in-your-website-s-armour-

See original article:
Could Cross-site scripting (XSS) be the chink in your website’s armour?

DDoS attacks costly for online companies

Distributed denial of service, or DDoS, attacks can be hugely damaging to companies that rely on their online presence for sales and new business, says DDoS mitigation provider, Prolexic. “All businesses are potentially vulnerable as there are no advance warnings of DDoS attacks, and no way to know if and when your business could be targeted,” says sales and innovation director at DRS, Jayson O’Reilly. “However, if your business is dependent on its Web site to service customers, you should have protocols in place to defend against an attack, should it happen.” O’Reilly states that some businesses are more vulnerable, or more likely to be a target, than others, which is largely industry dependent. Retail, financial services and gaming sites are popular targets. “Businesses should establish the likelihood of attack, or if they have already been a target, what sort of volume of attacks they have experienced. If they have experienced attacks, were these prolonged, or particularly strong? These questions can help a business select a suitable level of DDoS protection,” he says. He adds that businesses that find themselves regular targets, and which have a high dependency on their Web sites for business, should consider a level of protection that comes with high service level agreements. “They should select a DDoS mitigation provider that can have a site back up almost instantaneously, and guarantee uptime. However, this is not a cheap exercise.” There are other, less expensive, options too, according to O’Reilly, which come with a choice of protection levels, guaranteeing protection up to a certain level. “This sort of protection is suitable for businesses that experience low level, less lengthy attacks. However, should an attack happen that is above the protection level the company has paid for, they would be on their own,” O’Reilly says. He says smaller businesses which haven’t yet been hit by a DDoS attack can also follow several steps to better prepare themselves in the event of an attack, adding that companies which use dedicated servers have the option of setting up a backup connection, called an out-of-band (OOB) connection, which is essentially a backup path in case of network communication failure. “In the event of the usual network becoming inaccessible, the businesses can use the OOB connection to access the server instead. A hosting provider can add an OOB connection, and at a price that won’t break the bank.” O’Reilly says network monitoring can also be a big help. “A network monitoring system that can pick up anomalous behaviour, such as sudden spikes, can act as an early warning system for a DDoS attack.” Additionally, he advises companies to be aware of where they are most vulnerable, in order to keep an eye on those points, and strengthen them wherever possible. “Add alerts for your weak points, and put plans in place to upgrade the security on these points,” he concludes. Source: http://www.itweb.co.za/index.php?option=com_content&view=article&id=69922:DDoS-attacks-costly-for-online-companies&catid=69

View article:
DDoS attacks costly for online companies

NatWest hit by Distributed Denial of Service (DDoS) Attack

NatWest has been hit by a ‘cyber attack’, leaving customers unable to access online accounts. The bank’s online banking service was disrupted after it was deliberately bombarded with internet traffic. Twitter users tweeted to say they could not access their bank accounts to pay bills or transfer money. @TomGilchrist wrote: “Do other banks computer systems/services go down as much as NatWest? I assume not. Time to move banks I think.” @AleexReid tweeted: “Just joined Santander. Fed up with NatWest. Another computer failure tonight. #welldone.” A NatWest spokesperson said: “Due to a surge in internet traffic deliberately directed at the NatWest website, some of our customers experienced difficulties accessing our customer web sites this evening. “This deliberate surge of traffic is commonly known as a distributed denial of service (DDoS) attack. “We have taken the appropriate action to restore the affected web sites. At no time was there any risk to customers. We apologise for the inconvenience caused.” At the beginning of December  all of RBS and NatWest’s systems went down for three hours on one of the busiest shopping days of the year. The group chief executive Ross McEwan described that glitch as “unacceptable” and added: “For decades, RBS failed to invest properly in its systems. “We need to put our customers’ needs at the centre of all we do. It will take time, but we are investing heavily in building IT systems our customers can rely on.” RBS and NatWest also came under fire in March after a “hardware fault” meant customers were unable to use their online accounts or withdraw cash for several hours. A major computer issue in June last year saw payments go awry, wages appear to go missing and home purchases and holidays interrupted for several weeks, costing the group £175m in compensation. This latest problem is the fourth time in 18 months RBS and NatWest customers have reported problems with the banks’ services. Source: http://news.sky.com/story/1187653/natwest-hit-by-fourth-online-banking-glitch

Continue Reading:
NatWest hit by Distributed Denial of Service (DDoS) Attack

7 Security Trends to Expect in 2014

Computer systems, in many peoples’ eyes, are there to be hacked — and that means fraudsters are always working on new ways to exploit vulnerabilities. So what does 2014 have in store? Here are seven security predictions for the New Year. DDoS Attacks Get Sneaky DDoS attackers will go from simple volumetric attacks to ones which take advantage of a site’s specific performance characteristics. That’s the prediction of security researchers at Neohapsis, a security and risk management consulting company. DDoS attacks that intelligently target bottlenecks in performance, such as pages with a high server load (like database writes) or specific network bottlenecks (like login and session management), can magnify the impact over attacks which are simply volume-based and request the homepage of a site. So it’s likely that we will begin to see the spread of tools which profile specific targets. The result? DDoS attacks that have more impact, and involve less network traffic, than the ones enterprises have become accustomed to mitigating against. Insider Threats Remain Major Security Problem According to a CyberSecurity Watch survey insiders were found to be the cause in 21 percent of security breaches, and a further 21 percent may have been due to the actions of insiders. More than half of respondents to another recent survey said it’s more difficult today to detect and prevent insider attacks than it was in 2011, and 53 percent were increasing their security budgets in response to insider threats. While a significant number of breaches are caused by malicious or disgruntled employees – or former employees – many are caused by well-meaning employees who are simply trying to do their job. BYOD programs and file sharing and collaboration services like Dropbox mean that it will be harder than ever to keep corporate data under corporate control in the face of these well-meaning but irresponsible employees. Defending against insider threats requires a multi-layered use of technological controls, including system-wide use of data encryption and establishment of policies stressing prevention of data loss. Security Worries Drive Cloud Consolidation Organizations will look to buy more solutions from a single vendor and demand greater integration between solutions to automate security, according to Eric Chiu, president of HyTrust, a cloud security company. The fact that securing cloud environments is very different from securing traditional physical environments will drive greater consolidation in the market, he says. Legacy Systems Cause More Security Headaches The spate of IT failures in banks and other high profile companies highlights a simple fact: Many of them are running legacy systems which are so old and out of date that they are becoming almost impossible to maintain. That’s because there are few people with the skills and expert knowledge that would be needed to run them securely – even if they were updated to eliminate know vulnerabilities, which they frequently are not. They often aren’t updated because no-one knows what impact that would have. It’s inevitable that we’ll see hackers going after such systems, exploiting vulnerabilities that can’t easily be fixed. Encryption Will Be Revisited In the wake of revelations about the NSA, many companies are realizing that encryption many be the only thing that is protecting their data, and it may not be as strong as they imagined. What’s more, if hackers are led to believe there is a weakness in a particular system – either accidental or intentional – they will pound on it until they find it. As a result, many companies will look to improve the way they use encryption. Look for particular attention to be paid to cryptographic block modes like CBC and OFB, and authenticated modes like EAX, CCM and GCM, advise the experts at Neohapsis. In addition to the encryption methods themselves, look for insights and innovations around key management and forward security. ‘Stuxnets’ Become More Common State-sponsored malware like Stuxnet – which is widely attributed to the United States, Israel or both – has proved to be far more sophisticated and effective than anything that a couple of hackers can develop. Expect more of this type of malware from the likes of China, Russia, Iran, India, Brazil and Pakistan. It’s probably already out there, even if it hasn’t yet been detected. 2014 could be the year that its prevalence becomes apparent. Bitcoin Drives New Malware The Bitcoin virtual currency is growing in popularity with legitimate businesses, and that’s likely to continue. That’s because Bitcoin payments offer significant attractions: They are quick and cheap, and there is no possibility of a chargeback. But Bitcoin wallets make attractive targets for criminals, because stolen coins can be cashed out instantly, without a middleman or launderer taking a cut. And many Bitcoin users are relatively unsophisticated, protecting their wallets with very little security. So expect Trojans and other malware that specifically look for and target Bitcoin stashes, as well as ransomware that demands Bitcoins in return for decrypting data. Source: http://www.esecurityplanet.com/network-security/7-security-trends-to-expect-in-2014.html

View article:
7 Security Trends to Expect in 2014

RBS hit by DDoS attack that takes down online services again

UK BANKING GROUP Royal Bank of Scotland (RBS) has been hit by a distributed denial of service (DDoS) attack that took down its online services for the second time this week. Earlier this week, RBS irked customers when an IT systems failure shut down its websites and caused its customers’ bank cards to fail. On Friday it admitted that it has been struck by a DDoS attack affecting its online services once again. RBS took to Twitter to reveal news of the DDoS attack. It said, “Due to a surge in internet traffic directed at the Natwest website, customers experienced difficulties accessing some of our sites today. “This deliberate surge of traffic is known as a distributed denial of service (DDoS) attack. We have taken action to restore affected sites. “At no time was there any risk to customers. We apologise for the inconvenience caused.” RBS has yet to comment further, so it’s still unclear which websites were downed in the attack, although the tweet suggested that the RBS, Natwest and Ulster Bank websites were all affected. It is also still unclear who was responsible for the DDoS attack. However, it seems that the problems have not reached as far as those experienced by RBS customers earlier this week, when an IT systems failure struck the entire banking group. Speaking about the system failure on Monday evening, RBS CEO Ross McEwan said on Tuesday, “Last night’s systems failure was unacceptable. Yesterday was a busy shopping day and far too many of our customers were let down, unable to make purchases and withdraw cash. “For decades, RBS failed to invest properly in its systems. We need to put our customers’ needs at the centre of all we do. It will take time, but we are investing heavily in building IT systems our customers can rely on. “I’m sorry for the inconvenience we caused our customers. We know we have to do better. I will be outlining plans in the New Year for making RBS the bank that our customers and the UK need it to be. This will include an outline of where we intend to invest for the future.” Source: http://www.theinquirer.net/inquirer/news/2317692/rbs-hit-by-ddos-attack-that-takes-down-online-services-again

View article:
RBS hit by DDoS attack that takes down online services again