Tag Archives: dos attacks

Ukrainian Postal Service Knocked Offline By Repeated DDoS

Ukrposhta, the national postal service in Ukraine, was hit with a two-day DDoS attack that began on Monday, knocking some systems offline. According to the Interfax news agency, the computer systems targeted by the unknown assailants are used to track customer parcels and shipments. Ukrposhta is managed by the Infrastructure Ministry in Ukraine, and employs almost 12,000 postal officers across the country and 76,000 employees in all—meaning that disruptions could have far-reaching effects. The company gave DDoS updates via its Facebook page yesterday. The latest (in translation) reads: “During the first wave of the attack, which began yesterday in the morning, our IT services could normalize the situation, and after 5 p.m., all the services on the site worked properly. But today, hackers are at it again. Due to their actions, both the website and services are working, but slowly and with interruptions.” Igal Zeifman, director of marketing at Imperva for the Incapsula product line, said via email that it sounds like Ukrposhta is dealing with several repeat assaults, occurring in rapid succession. “Recently, such tactics had become more common due to their ability to disrupt some security measures and cause fatigue to the people in charge of the attack mitigation, forcing them to stay alert even in the quiet time between the attacks,” he said. “In the first quarter of the year, we saw the number of such repeat assaults reach an all-time-high, with over 74% of DDoS targets attacked at least twice in the span of that quarter.” This is not the first time that Ukraine’s postal service has faced significant attacks this year. The country was ground zero for the Petya/NotPetya ransomware attacks that proliferated around the globe in June, which affected not just the postal service but also banks and the state-owned power companies, Ukenergo and Kyivenergo. Source: https://www.infosecurity-magazine.com/news/ukrainian-postal-service-repeated/

Read the original:
Ukrainian Postal Service Knocked Offline By Repeated DDoS

The IoT Botnet Wars: How to Harden Linux Devices from DoS Attacks

While fighting botnets like Mirai and BrickerBot with another botnet, Hajime, may help prevent denial-of-service attacks on the IoT, the best defense is a basic system security-hardening plan. An ongoing battle being waged is leveraging insecure Linux-based Internet of Things (IoT) devices. BrickerBot (see “Beware BrickerBot, the IoT Killer”) is a recent malware strain attacking connected devices and causing them to “brick,” making an electronic device completely useless in a permanent denial-of-service (PDoS) attack. It may be a case of grey hat hacking and a direct response to the Mirai botnet distributed denial-of-service (DDoS) attack that enslaved IoT devices. The Mirai botnet consisted of connected printers, IP cameras, residential gateways, and baby monitors that flooded DNS servers. Mirai was behind the largest DDoS attack of its kind ever in October 2016, with an estimated throughput of 1.2 terabits per second. It leveraged these enslaved devices to bring down large portions of the internet, including services such as Netflix, GitHub, HBO, Amazon, Reddit, Twitter, and DIRECTV. BrickerBot’s goal appears to counter Mirai’s: Bricking insecure Linux devices so that malware such as Mirai can’t subjugate these devices in another DDoS attack. An internet service provider in Southern California, Sierra Tel, experienced widespread outages due to this battle. Its Zyxel modems were victim to BrickerBot and another malware, possibly Mirai. It took nearly two weeks to replace all customers’ modems. This was the same modem model that Mirai infected and took out a German ISP’s network, an outage that affected a population size larger than San Francisco. Hajime is another Mirai-like worm that has been spreading during the past several months with similar goals as BrickerBot: Thwarting malware such as Mirai in exploiting poorly secured IoT devices to do their bidding. Hajime accesses devices by scanning the internet and trying a set of default credentials, and then injecting a malicious program. However, Hajime tries to harden the security of these devices by blocking four ports that Mirai is known to attack (23, 7547, 5555, 5358) to deflect further subjugation for DDoS attacks or even Bitcoin mining. Unfortunately, once the Hajime-infected device reboots, it returns to its vulnerable state with these ports open. Thus, Hajime is merely a temporary band-aid. The only real cure is to deploy a software update with new credentials. Leading computer-security expert Gene Spafford said “The only true secure system is one that is powered off, cast in a block of concrete, and sealed in a lead-lined room with armed guards—and even then I have my doubts.” While this may be true, basic security hardening would have helped protect against many of the attacks from malware targeting Linux devices. We will cover some basic system-hardening concepts in the context of these attacks, including closing unused open network ports , intrusion detection systems , enforcing password complexity and policies , removing unnecessary services , and frequent software updates to fix bugs and patch security vulnerabilities. Basic Security Would Deflect Malicious Mirai Malware The Mirai malware caused major outages across the internet by attacking DNS provider Dyn’s servers. The malware infected vulnerable devices by using open Telnet ports to target ARM, MIPS, PPC, and x86 devices that run on Linux. It scanned the internet for the IP address of IoT devices and identified vulnerable ones by using a table of more than 60 common factory credentials. As the malware is stored in memory, the device remains infected until it’s rebooted. Even if the device is rebooted, it can be re-infected in minutes unless the login credentials are changed immediately. Once the device is infected by Mirai, it tries to remove any competing malware and sits idle long enough as a way to avoid detection from security tools. After an extended period, it contacts its Command and Control server for further instruction. Enforcing complex password policies instead of keeping published factory-default credentials would have helped prevent Mirai from enslaving these devices. The challenge of securing consumer-facing IoT is that manufacturers are relying on consumers to change the password from a factory-default login, which typically requires the process of logging into the admin panel and manually changing the password. Will Dormann, senior vulnerability analyst at the CERT Coordination Center, says “Instead of hard-coding credentials or setting default usernames and passwords that many users will never change, hardware makers should require users to pick a strong password when setting up the device.” The ability to deploy software updates is another mandatory capability to fix bugs and patch known security vulnerabilities. In the software-development book Code Complete , author Steve McConnell states that there are 1-25 bugs and vulnerabilities per 1,000 lines of code, where the variable is determined by the practices of the team. Consumer electronics, such as many of the devices listed on Krebs (see figure) , are at the high end of the scale due to the higher focus on features and time-to-market with little security oversight. Many of these devices are already running on thin margins, so having an over-the-air (OTA) update capability with minimal development effort by the manufacturer is an important consideration. These are the known infected devices by Mirai published on Krebs on Security. “When it comes to software updates, automatic updates are good,” says Dormann. “Simple updates that notify the user and require intervention are okay. Updates that require the user to dig around to find and install manually are next to worthless. Devices that don’t have updates at all are completely worthless.” The software update process itself is complex with many security considerations to take into account to protect against things like man-in-the-middle (MitM) attacks. There is also the danger of a device bricking because it loses power mid-update or has intermittent network connectivity. For this reason, updates need to be atomic, meaning the update fully completes or not at all (no partial updates)—even in cases of power loss at any time during the update process. Manufacturers have open-source options available to deploy software updates to devices. SWUpdate is a well-known and flexible open-source Linux update agent, while Mender.io (disclaimer: the open-source project I am involved with) provides an end-to-end solution (both agent and management server) to deploy OTA updates fleet-wide. Software updates for IoT has become a hot topic, even getting the attention of the U.S. government and Congress. And Bill Woods from the Atlantic Council international think tank noted that two billion IoT devices currently out there have a 12-year-old secure-shell (SSH) flaw that enables them to be turned into a botnet. Vigilante Hacking In the early 2000s, the Blaster worm was spreading on computers running operating systems such as Windows XP and Windows 2000. DDoS attacks were launched in 2003, causing damages totaling hundreds of millions of dollars. The Welchia worm was a response to Blaster, which exploited a vulnerability in Microsoft’s remote procedure call (RPC) service much like Blaster. However, after infecting a system, it would instead delete Blaster if it existed there, and then tried to download and install security patches from Microsoft that would prevent further infection. Similar to Welchia, Hajime is going head-to-head with Mirai and its malicious variants to minimize the damage they can do. Hajime appears to be a much more advanced botnet, taking steps to camouflage its processes and files, making detection of it much more difficult. And it’s much more refined in cycling through credentials as it parses through information to identify the device manufacturer and uses their combinations by default. For example, when it attacked the MikroTik router, Hajime attempted to log in initially with the factory-default according to MikroTik documentation, and reduced the number of invalid passwords as it tried to reduce the chances of being blacklisted. Hajime closes known network ports that Mirai exploits to secure those devices—a strategy that device manufacturers should use: Closing unnecessary ports reduce their attack surface. Intrusion detection systems (IDS) are also helpful in monitoring unusual network activity. There are two types of network IDS: Signature detection and Anomaly detection. Many open-source solutions are available; Snort and Suricata are popular options. BrickerBot is the first malware of its kind whose goal is to cause a PDoS by bricking devices not fully secure, with the seeming goal of removing them as potential victims of malware that will enslave them for DDoS attacks. There have been multiple versions of BrickerBot, and the suspected author of it claims to have bricked over 2 million devices. BrickerBot 1 targets devices running Linux with BusyBox and an exposed Telnet service. They usually have an older version of Dropbear SSH, and most were identified as Ubiquiti network devices running outdated firmware. BrickerBot 2 targets Linux-based devices more widely using a similar tactic of leveraging an exposed Telnet service with a default or hard-coded password. The most secure software is one that is not installed. All services and applications running on your device should have a fundamental reason to be there. Adding unnecessary features increases the attack surface of your device and will, by definition, make it less secure. Applying Basic Security Principles Will Help Some fundamental system hardening can be the deciding factor on whether a device will be an actor in a DDoS attack or bricked. The results of vigilante hacking, like that of Hajime and BrickerBot, to combat the Mirai-driven DDoS attacks has generated much debate. There are arguments on both sides, with many insisting the amount of warnings on the lack of IoT security has fallen on deaf ears to manufacturers and consumers. And they argue that malware such as BrickerBot is a drastic but necessary measure to hit them where it hurts, and in the process, disable insecure devices from being a part of another DDoS attack. There have been discussions online about a scenario where a consumer would be under warranty from the manufacturer if their devices do get bricked. The cost to the manufacturer to replace it would be too high to ignore security, forcing them to take security much more seriously. A common counter-argument of vigilante hacking is “Why should the consumers be punished? Where is the line someone can cross to anonymously take the law into their own hands?” There is neither accountability nor certainty that the authors of BrickerBot or Hajime are completely well-meaning, or if there’s something nefarious the public has yet to discover. They also use the same techniques that black hats use, potentially leading to a proliferation of more malicious hackers. Another potential scenario is a vigilante malware can brick a device that may potentially kill someone despite it being far from the original intent. Something as simple as an IoT refrigerator can be hacked and bricked without the owner’s knowledge. Subsequently, a person could proceed to unknowingly eat spoiled food that may cause illness and even death. And we know there are much more health-sensitive devices than a refrigerator being connected, such as connected cars, insulin pumps, heart implant devices, and much more. In fact, the FDA recently became involved with Abbott Labs and its new acquisition, St. Jude Medical. St. Jude Medical devices had vulnerable software that allowed unauthorized external control, which could run down the battery or deliver a series of shocks at the wrong time (these devices included defibrillators and pacemakers). The latest correspondence indicates the FDA isn’t satisfied with parent company Abbott Labs’ response to the issue, despite St. Jude’s claims they had developed a software patch that could be applied to remove the vulnerability. While we briefly covered some basic security-hardening concepts, it’s not comprehensive. But these should be a start to conform to industry best practice for securing IoT systems. These steps would have helped to protect or at least mitigate the effects of the malware discussed. Although there’s no silver bullet and security can never be “perfect,” it’s clear that implementing existing solutions to cover basic security around credentials, open ports, and enabling automated software updates will have a massive impact. Source: http://www.electronicdesign.com/industrial-automation/iot-botnet-wars-how-harden-linux-devices-dos-attacks

Continue Reading:
The IoT Botnet Wars: How to Harden Linux Devices from DoS Attacks

Former FCC security employee destroys agency’s claims of DDoS Attacks Following John Oliver Net Neutrality Segments

Bombshell story from Gizmodo underscores need for FCC to address serious issues with its public comment process before making any decision on net neutrality. 15,000+ people call on lawmakers to demand that FCC comply with transparency laws In a bombshell story from Gizmodo today, a former FCC security employee lays waste to the agency’s claims that a pair of DDoS attacks took down the FCC comment website at the exact moments when large amounts of pro net neutrality comments would have been flooding into the docket following viral segments from comedian John Oliver in 2014 and 2017. The agency’s inability to maintain a functional way for the public to comment on its net neutrality proceedings has become an issue of concern for members of Congress overseeing the agency, and raises questions about how it can or should move forward with its rulemaking process. The security expert who spoke to Gizmodo reveals that the FCC security team concluded that there had not been a malicious attack after the John Oliver segment in 2014. But until-recent FCC CIO David Bray told reporters that anyway, despite the fact there was no evidence of it, and he did not even have access to the types of logs and information that could have led him to that conclusion. The source also leaked a photo of the FCC’s server room to Gizmodo, revealing a mess of wires that would make any competent IT professional cringe. When pressed, Bray admitted to being the source of news reports about the made up “hacking” attack, but he never reported the incident to the Department of Homeland Security, who require that government agencies notify them of such attacks. With the backing of the FCC press office, Bray fed reporters that exact same story when the agency’s comment system collapsed again this year, preventing large numbers of people from making their voices heard in the agency’s proceeding. Evan Greer, campaign director of Fight for the Future, said: “These latest revelations are outrageous. A senior FCC official intentionally misled the public and invented cyber attacks to cover up the fact that the agency is failing at their responsibility to maintain a functioning system to receive feedback about an issue that affects every single person using the Internet. The FCC must address these serious issues with their comment process before moving forward, or it will be clear that this is a rogue agency that answers only to large telecom companies, and not to the American people.” The news comes after more than 15,000 people have signed a petition calling on their lawmakers to instruct the FCC to comply with transparency laws as the agency moves ahead with its unpopular plan to gut net neutrality protections that prevent ISPs from charging extra fees, throttling, or blocking content online. The agency is currently facing multiple lawsuits for refusing to release information related to the now-debunked DDoS claims, Chairman Ajit Pai’s discussions with telecom companies,  large amounts of fake comments using real people’s names and addresses without their permission. “Members of Congress need to understand that this is not an issue they can ignore or hide from,” Greer added,  “Voters from across the political spectrum overwhelmingly support the current net neutrality rules, and want their Senators and Representatives to do their job and speak out to ensure that the FCC is listening to the will of the public, not just to lobbyists from giant telecom companies. Lawmakers from both sides of the aisle need to exercise their oversight and demand that the FCC act transparently during this proceeding.” Fight for the Future has been working to inform the public about the serious issues surrounding the FCC’s comment process. The group organized a letter from dozens of people whose names and addresses were used to submit anti net neutrality comments without their permission, as well as several petitions garnering tens of thousands of signatures calling on the agency to come clean about the alleged DDoS attack that prevented concerned citizens from submitting comments. Fight for the Future was also one of the leading organizations behind the historic Internet-Wide Day of Action for Net Neutrality on July 12, which drove a record breaking 2 million+ comments to the FCC and Congress in a single day. Learn more at fightforthefuture.org Source: https://www.commondreams.org/newswire/2017/08/07/breaking-former-fcc-security-employee-destroys-agencys-claims-ddos-attacks

Read More:
Former FCC security employee destroys agency’s claims of DDoS Attacks Following John Oliver Net Neutrality Segments

Second Quarter Reported DDoS Attacks Lasting Days, Not Minutes

What would you do if your company was hit with a DDoS attack that lasted 11 days? Perhaps a large organization could withstand that kind of outage, but it could be devastating to the SMB, especially if it relies on web traffic for business transactions. That 11-day – 277 hours to be more exact – attack did happen in the second quarter of 2017. Kaspersky Lab said it was longest attack of the year, and 131 percent longer than the longest attack in the first quarter. And unfortunately, the company’s latest DDoS intelligence report said we should expect to see these long attacks more frequently, as they are coming back into fashion. This is not the news businesses want to hear. Enduring DDoS attacks isn’t new. Igal Zeifman, senior manager at Imperva for the Incapsula product line, told me in an email comment that in 2016, the company tracked a network layer attack that lasted more than 29 days and an application layer assault that persisted for 69 days straight. However, Zeifman argued against the Kaspersky finding, saying that it doesn’t mesh with what his company has seen, despite those extended attacks from last year: For the past four quarters we continued to see a persistent decline in the average attack duration, driven by an increased number of short attack burst of 30 minutes or less. These bursts accounted for over 58 percent of all network layer attacks and more than 90 percent of all assault layer attacks in the first quarter of the year. Interesting to see such disparate results in the length of DDoS attacks . Whether days long or short bursts, one thing is certain – those initiating the attacks have very definite reasons for doing so. As the Kaspersky Lab report stated, financial extortion was a top reason for the attacks in the second quarter: This approach was dubbed “ransom DDoS”, or “RDoS”. Cybercriminals send a message to a victim company demanding a ransom of 5 to 200 bitcoins. In case of nonpayment, they promise to organize a DDoS attack on an essential web resource of the victim. Such messages are often accompanied by short-term attacks which serve as demonstration of the attacker’s power. The victim is chosen carefully. Usually, the victim is a company which would suffer substantial losses if their resources are unavailable. Political hacktivists are hard at work, too, going after news organizations, elections and, in the U.S., the FCC, likely in retaliation for wanting to abolish net neutrality. The FCC has acknowledged the attack, but reports are the agency is making its cybersecurity efforts secret . I’ll be following up more on that story later this week. Source: http://www.itbusinessedge.com/blogs/data-security/second-quarter-reported-ddos-attacks-lasting-days-not-minutes.html

Original post:
Second Quarter Reported DDoS Attacks Lasting Days, Not Minutes

Journalist Sues FCC For Hiding Details About Its Alleged, Phantom DDoS Attack

You might recall that when John Oliver did his latest piece on net neutrality, the FCC’s comment system ground to a halt under the load of viewers pissed to realize that the FCC is trying to kill popular consumer protections protecting them from buffoonery by the likes of Comcast. But the FCC then did something odd: it claimed that a DDoS attack, not HBO’s hit show, resulted in the website’s issues. A statement issued by the FCC proclaimed that extensive “analysis” by the FCC had led the agency to conclude that it had suffered the attack at roughly the same time Oliver’s program had ended: “Beginning on Sunday night at midnight, our analysis reveals that the FCC was subject to multiple distributed denial-of-service attacks (DDoS). These were deliberate attempts by external actors to bombard the FCC’s comment system with a high amount of traffic to our commercial cloud host. These actors were not attempting to file comments themselves; rather they made it difficult for legitimate commenters to access and file with the FCC.” The problem: security experts saw no evidence that claim was true in publicly available logs, and saw none of the usual indicators preceding such an attack. And the FCC ever since has been bizarrely cagey, refusing to provide any evidence whatsoever supporting its claim. The FCC was subsequently prodded by several Senators as to the nature of the attack, but the FCC still refused to share any real data, despite agency boss Ajit Pai repeatedly, breathlessly insisting he would be a stalwart defender of transparency at the agency. And when Gizmodo recently filed a FOIA request for anything regarding the nature of the attack, the FCC first released seventeen pages of nonsense, before admitting it had no documented “analysis” proving an attack as previously claimed. When additional websites began to point out that the FCC’s behavior here was a little odd, the agency sent out a strangely-punchy press release lambasting news outlets for being “irresponsible.” So what’s really happening here? The unsubstantiated journalist guess du jour is that the FCC bizarrely made up a DDoS attack in a feeble attempt to downplay the “John Oliver effect” in the media. “We weren’t inundated by millions of people angry that we’re killing popular consumer protections solely to the benefit of Comcast,” this narrative suggests, “we were unfairly attacked!” The fact that there never actually was a DDoS attack would go a long way toward explaining the Trump FCC’s subsequent inability to provide any evidence supporting the claim, even under pressure from Congress. Hoping to flesh this theory out a bit, journalist Kevin Collier last week filed a lawsuit against the FCC (pdf) not only demanding more data on the agency’s supposed DDoS attack, but also urging the FCC to provide some insight on what it’s doing to address the wave of bogus, bot-produced anti-net neutrality comments flooding the agency’s website in recent months: “Collier said his records request was prompted by the FCC’s “weird and cagey” inclination to obscure details about the incident. “The fact that they gave Gizmodo such a runaround in its own request for internal ‘analysis’ of the attack just goes to show this,” he said. “I want to know the full story.” Sen. Ron Wyden, Democrat of Oregon, told Gizmodo last week the FCC’s actions raised “legitimate questions about whether the agency is being truthful when it claims a DDoS attack knocked its commenting system offline.” Again, the refusal to address fraudulent anti-net neutrality comments being made at the FCC website (like the one made in my name), combined with the FCC’s bizarre, phantom DDoS attack, has many believing the FCC is actively engaged in an intentional, amateurish attempt to downplay the massive backlash to their assault on net neutrality. And while it’s entirely possible the FCC is just being non-transparent and generically stupid here, if it can be proved the agency actively lied about a DDoS attack then covered it up simply to downplay the immense unpopularity of its policies, the inevitable lawsuits against the agency in the wake of its final vote to kill the rules could get very interesting. Source: https://www.techdirt.com/articles/20170803/13582337915/journalist-sues-fcc-hiding-details-about-alleged-phantom-ddos-attack.shtml

Read More:
Journalist Sues FCC For Hiding Details About Its Alleged, Phantom DDoS Attack

DDoS Attacks on the Rise—Here’s What Companies Need to Do

Distributed denial-of-service (DDoS) attacks have been going on for years. But in recent months they seem to have gained much more attention, in part because of high-profile incidents that affected millions of users. For instance, in late October 2016 a massive DDoS assault on Domain Name System (DNS) service provider Dyn temporarily shut down some of the biggest sites on the Internet. The incident affected users in much of the East Coast of the United States as well as data centers in Texas, Washington, and California. Dyn said in statements that tens of millions of IP addresses hit its infrastructure during the attack. Just how much attention DDoS is getting these days is indicated by a recent blog post by the Software Engineering Institute (SEI) at Carnegie Mellon University. The post, entitled, “Distributed Denial of Service Attacks: Four Best Practices for Prevention and Response,” became SEI’s most visited of the year after just two days, said a spokesman for the institute. To help defend against such attacks, organizations need to understand that this is not just an IT concern. “While DDoS attack prevention is partly a technical issue, it is also largely a business issue,” said Rachel Kartch, analysis team lead at the CERT Division of SEI, a federally funded research and development center sponsored by the U.S. Department of Defense and operated by CMU, and author of the DDoS post. Fortunately there are steps organizations can take to better protect themselves against DDoS attacks, and Kartch describes these in the post. In general, organizations should begin planning for attacks in advance, because it’s much more difficult to respond after an attack is already under way. “While DDoS attacks can’t be prevented, steps can be taken to make it harder for an attacker to render a network unresponsive,” Kartch noted. To fortify IT resources against a DDoS attack, it’s vital to make the architecture as resilient as possible. Fortifying network architecture is an important step not just in DDoS network defense, Kartch said, but in ensuring business continuity and protecting the organization from any kind of outage. To help disperse organizational assets and avoid presenting a single rich target to an attacker. organizations should locate servers in different data centers; ensure that data centers are located on different networks; ensure that data centers have diverse paths, and ensure that the data centers, or the networks that the data centers are connected to, have no notable bottlenecks or single points of failure. For those organizations that depend on servers and Internet presence, it’s important to make sure resources are geographically dispersed and not located in a single data center, Kartch said. “If resources are already geographically dispersed, it is important to view each data center as having more than one pipe to [the] Internet, and ensure that not all data centers are connected to the same Internet provider,” she said. While these are best practices for general business continuity and disaster recovery, they will also help ensure organizational resiliency in response to a DDoS attack. The post also describes other practices for defending against DDoS. One is to deploy appropriate hardware that can handle known attack types and use the options in the hardware that can protect network resources. While bolstering resources will not prevent a DDoS attack from happening, Kartch said, doing so will lessen the impact of an attack. Certain types of DDoS attacks have existed for a long time, and a lot of network and security hardware is capable of mitigating them. For example, many commercially available network firewalls, web application firewalls, and load balancers can defend against protocol attacks and application-layer attacks, Kartch said. Specialty DDoS mitigation appliances also can protect against these attacks. Another good practice is to scale up network bandwidth. “For volumetric attacks, the solution some organizations have adopted is simply to scale bandwidth up to be able to absorb a large volume of traffic if necessary,” Kartch said. “That said, volumetric attacks are something of an arms race, and many organizations won’t be able or willing to pay for the network bandwidth needed to handle some of the very large attacks we have recently seen. This is primarily an option for very large organizations and service providers.” It’s likely that DDoS attacks will continue to be a major issue for organizations. A 2016 study by content delivery network provider Akamai said these types of incidents are rising in number as well as in severity and duration. The company reported a 125% increase in DDoS attacks year over year and a 35% rise in the average attack duration. Cyber security executives need to make it a top priority to protect their organizations against DDoS. Source: http://www.itbestofbreed.com/sponsors/bitdefender/best-tech/ddos-attacks-rise-here-s-what-companies-need-do

Originally posted here:
DDoS Attacks on the Rise—Here’s What Companies Need to Do

Tools for DDoS attacks available for free online

Distributed Denial of service or popularly known as DDoS attacks once again came to the limelight in 2016. From the attacks on Dyn servers whose architecture translates domain names into numeric addresses, hacker group Anonymous launching a DDoS campaign against Donald Trump under the banner of #OpTrump, to DDoS-for-hire service called LizardStresser using IoT botnets launching attacks on websites related to the Rio Olympics’ to hackers using 24,000 computers from around 30 countries to launch attacks on five Russian banks in early November. A DDoS attack is perpetrated by people who try and make an organizations website or services temporarily unavailable by suddenly increasing the amount of traffic from various sources to the end server.(read computers or even IoT devices from across the world). Moreover, there are many freely available tools available online for free and many hackers even sell DDoS services on Darkweb marketplaces like Alphabay, Valhalla etc. “You do not have to be a specialized hacker. Anyone nowadays can buy these services and tools by paying a small amount of money to bring down certain websites or completely put a company’s infrastructure in disarray. You can even run the attacks for weeks,” says Rahul Tyagi,Vice President – Training at Lucideus. Some of the common methods used to launch a DDoS attack are TCP connection attacks, volume attacks, fragmented attacks and application based attacks. TCP connection attacks are used against most of the end users available connections which include servers, firewalls and even load balancers. While Fragmented attacks destroy the victims system by sending TCP fragments, app attacks take down a server by using botnets. All of these can enable by tools freely available online. Let’s look at some of them. LOIC (Low Orbit Ion Canon) LOIC or popularly known as Low orbit Ion Canon is one of the more popular tools available on internet. It is primarily used to initiate a DOS attack on servers across the world by sending TCP, UDP requests to the compromised server. Even a beginner can use this tool and all he has to do enter the IP address of the victim server. This tool was earlier used by the infamous hacker group Anonymous for some of their attacks. But before you can get any ideas, just remember, this tool does not protect the hosts IP address so agencies looking out for you can trace the attack’s origin. XOIC This is another easy to use DOS attacking tool for the beginners. You can just input the IP address of or th selected ports and can be used against websites which do not generate a huge amount of traffic. HOIC HOIC or known as High Orbit Ion Cannon is an effective tool which uses booster scripts which allow users to make lists of victim IP addresses and helps the attackers remain anonymous and difficult to tracked down. It is still used by Anonymous for DDoS attacks worldwide. The tool claims it can flood up to 256 websites at once. Slowloris Slowmoris was developed by a gray hat hacker called “RSnake” which creates a slow HTTP request by sending the requests in HTTP requests in small packets in the slowest manner possible so that the victim server is forcefully made to wait for the requests. This way if multiple requests are send to the server, it will not be able to handle genuine requests. Pyloris This uses the same Slowmoris method. This tool directly attacks the service and not the hardware. Apart from these, there are many other tools available online like OWASP Switchblade, DAVOSET, GoldenEye HTTP DoS Tool, THC-SSL-DOS, DDOSIM – Layer 7 DDoS Simulator among others. All these tools are freely available online for downloads for anyone out there. Considering how mundane most cyber secuirty agencies are in dealing with attacks of such nature, there is lots which is needed to be done to defend against such DDoS attacks. Source: http://tech.economictimes.indiatimes.com/news/technology/tools-for-ddos-attacks-available-for-free-online/56297496

More:
Tools for DDoS attacks available for free online

ICIT Finds Healthcare Sector at Great Risk for DDoS Attacks

Healthcare, financial, and energy are the top three sectors facing the highest risk of a DDoS attack, a recent ICIT report found. With its high dependency on digital records, network connectivity, accessible information, and real-time communication, healthcare is one of the sectors at greatest risk for a DDoS attack, the Institute for Critical Infrastructure Technology (ICIT) explained in a recent publication. The financial industry and energy sector are also at high risk for such attacks, ICIT said in “Rise of the Machines: The Dyn Attack Was Just a Practice Run. “Obstructions to even an email server could cause delays in treatment, while widespread attacks that holistically render a critical service unavailable, such as an IoT DDoS attack, would pose a serious risk to patient and staff safety,” wrote ICIT Senior Fellow James Scott and ICIT Researcher Drew Spaniel. Citing research from a previous ICIT brief, the duo explained that healthcare is incorporating, and interacting with connected devices that are often designed without necessary security measures. Previously, this has led to instances such as MRI machines or pacemakers being infected with ransomware. “While there is no indication that healthcare devices have been incorporated into DDoS botnets, it may be only a matter of time before an adversary adapt an IoT malware such as Mirai, to harness the computational resources of medical devices because many lack basic access controls such as multi-factor authentication (or any authentication whatsoever),” the authors maintained. There is also the potential danger of an IoT malware or a worm that would “brick” or kill “infected medical devices in order to cause panic, extort a ransom, or as part of a multi-tiered attack.” Overall, Scott and Spaniel stated that a “perfect storm” is brewing across the nation with regard to private critical infrastructures facing cybersecurity threats. More organizations are utilizing the internet and IoT devices, but device manufacturers will sometimes “negligently avoid incorporating security-by-design into their systems.” This happens because the manufacturers have not been properly incentivized, and instead pass the potential risk onto the end-user. “As the adversarial landscape of nation state and mercenary APTs, hacktivists, cyber-criminal gangs, script kiddies, cyber caliphate actors, and hail-mary threat actors continues to hyperevolve, America’s treasure troves of public and private data, IP, and critical infrastructure continues to be pilfered, annihilated, and disrupted, while an organizational culture of ‘Participation Trophy Winners” managed by tech neophyte executives continue to lose one battle after the next.” A key area of concern is the Mirai malware, which “offers malicious cyber actors an asymmetric quantum leap in capability.” Specifically, Mirai has a strong development platform “that can be optimized and customized according to the desired outcome of a layered attack by an unsophisticated adversary.” While Mirai has forced different industries to review devices that lack security by design and other IoT device vulnerabilities, the authors noted that it “will not forever remain the favorite tool of unsophisticated malicious threat actors.” DDoS attacks on the healthcare industry were addressed earlier this month in the Office for Civil Rights (OCR) latest newsletter. OCR reiterated that healthcare often uses IoT in several ways, such as allowing healthcare facilities to monitor medical devices, patients, and personnel. This can open organizations up to certain cybersecurity threats. “An attacker may be able to deter patients or healthcare personnel from accessing critical healthcare assets such as payroll systems, electronic health record databases, and software-based medical equipment (MRI, EKGs, infusion pumps, etc.),” OCR stated, citing data from US-CERT. For preventing such attacks, OCR advised that organizations continuously monitor and scan for vulnerable and comprised IoT devices on their networks. Entities should also adhere to the necessary remediation actions. “Password management policies and procedures for devices and their users should also be implemented and adhered to. All default passwords need to be switched to strong passwords,” OCR said, adding that default usernames and passwords for most devices can be found online. Source: http://healthitsecurity.com/news/icit-finds-healthcare-sector-at-great-risk-for-ddos-attacks

Read the article:
ICIT Finds Healthcare Sector at Great Risk for DDoS Attacks

Group that attacked Tumblr threatens to DDoS Xbox for Christmas

A new hacking group is taking credit for a distributed denial-of-service (DDoS) attack that took down Tumblr this week. But so far, little is known about R.I.U. Star Patrol other than its motive of attacking for fun. Tumblr went down for more than two hours Wednesday afternoon and R.I.U. Star Patrol contacted Mashable to explain its reason for attacking: “There is no sinister motive,” the group told Mashable.”It’s all for light hearted fun.” The site was first reported offline shortly after 3:15pm ET. The service said on Twitter that some users were experiencing “latency”. Mashable reported that the site was back up for a few minutes around 3:52pm ET but went back down, returning at around 4:22pm ET. Full service was restored around 5:45pm ET. The Mirai connection Some in the security community believe the group carried out the attack using Mirai, malware tied to a record 620Gpbs attack on the website of noted journalist Brian Krebs and the coordinated assault against DNS hosting provider Dyn last fall. That DDoS crippled such major sites as Twitter, Paypal, Netflix and Reddit and shifted the world’s attention to threats against the so-called Internet of Things (IoT) – everyday devices and appliances connected to the web. What happened to Tumblr was a more typical DDoS, but it demonstrates how easy it has become to launch attacks since the source code for Mirai was openly published. In such attacks, a hacker attempts to overload or shut down a service so that legitimate users can no longer access it. Typical DoS attacks target web servers and aim to make websites unavailable. No data is stolen or compromised, but the interruption to the service can be costly for an organization. The most common type of DoS attack involves sending more traffic to a computer than it can handle. There are a variety of methods for DoS attacks, but the simplest and most common is to have a botnet flood a web server with requests. This is called a distributed denial-of-service attack (DDoS). What we know about R.I.U. Star Patrol so far A scouring of the internet produced few details about this hacking group. From what we can tell, its Twitter account (@StarPatrolling) came online on December 13 and that its self-described leader goes by the Twitter handle @ ANTIPEACESP . Gaming news site 7421Max conducted an interview with @StarPatrolling and published it on Youtube. Those interviewed said they plan to launch coordinated attacks against Xbox on Christmas day. Asked about their motive, the hackers said, “We do it because we can.” They claim they are not motivated by money. “We have not been paid a single dollar for what we do,” one of the hackers said. On December 19, 7421Max reported that the group had taken down League of Legends and Warframe servers, and warned in a follow-up tweet that R.I.U. Star Patrol plans to knock down PSN and Xbox Live for Christmas 2016. The group confirmed this in the Youtube video: The threat is going to sting for users who remember the Christmas 2014 DDoS blockage of PlayStation and Xbox systems.   Parents of kids who hope to play their new Christmas presents on Sunday might want to brace themselves for some tears. Source: https://nakedsecurity.sophos.com/2016/12/23/group-that-attacked-tumblr-threatens-to-ddos-xbox-for-christmas/

Excerpt from:
Group that attacked Tumblr threatens to DDoS Xbox for Christmas

Cyber criminals compromising virtual machines in cloud to increase scale of DDoS

The recently released Microsoft’s latest Security Intelligence Report states that cyber-criminals are compromising virtual machines in the cloud as a way to vastly increase the scale of Distributed Denial of Service Attacks (DDoS). Microsoft has warned of many new cyber risks faced by IT companies in the report. It says that hackers have learned how to use compromised virtual machines running in the cloud to launch massive cyber-attacks. The report says: “In the cloud weaponisation threat scenario, an attacker establishes a foothold within a cloud infrastructure by compromising and taking control of a few virtual machines. The attacker can then use these virtual machines to attack, compromise, and control thousands of virtual machines—some within the same public cloud service provider as the initial attack, and others inside other public cloud service providers.” Attackers can easily issue commands to launch DDoS attacks that cripple online services and websites or flood the internet with spam. Microsoft’s cloud computing platform, Azure, has witnessed attempts to exploit the cloud to establish communications with malicious IP addresses and brute force RDP, the Remote Desktop Protocol used by Microsoft to allow users to access their desktops over a network, representing 41% and 25.5% of all outbound attacks, respectively. Spam followed at just over 20% and DDoS attempts made up 7.6% of attacks. The company is also warning IT administrators to be on the lookout for targeted threats aimed at taking control of an email account that has a high probability of containing credentials that can be used to gain access to the public cloud administrator portal. If successful, the threats may open both their on-premises and cloud infrastructures to attack. The attacker, after logging into the administrator portal, can gather information and make changes to gain access to other cloud-based resources, execute ransomware, or even pivot back to the on-premises environment. They are also keeping tabs on GitHub and other public code repositories, hoping that developers will accidentally publish secret keys that can potentially grant access to cloud accounts and services. Microsoft has further warned of “Man in the Cloud” (MitC) attacks wherein victims are tricked into downloading and installing malware, typically with an email containing a malicious link. Once active, the malware searches for a cloud storage folder and replaces the victim’s synchronisation token with that of the attacker’s. After this, whenever a user adds a file to their cloud storage accounts each time, a copy is delivered to the attacker. http://www.cloudcomputing-news.net/news/2016/dec/16/cyber-criminals-compromising-virtual-machines-cloud-increase-scale-ddos/ http://www.eweek.com/security/microsoft-report-says-hackers-weaponizing-cloud-virtual-machines.html Source: https://www.ddosattacks.net/wp-admin/post-new.php

Continue Reading:
Cyber criminals compromising virtual machines in cloud to increase scale of DDoS