Monthly Archives: July 2013

Malicious JavaScript flips ad network into rentable botnet

Enslaved machines helplessly press Apache’s buttons Black Hat 2012   Security researchers have shown how hackers can use ad networks to create ephemeral, hard-to-trace botnets that can perform distributed-denial-of-service attacks at the click of a button.…

See the original post:
Malicious JavaScript flips ad network into rentable botnet

DDoS attacks getting bigger but shorter in duration

Distributed Denial of Service (DDoS) attacks are getting bigger, but their duration are getting shorter, according to an analysis released this week by Arbor Networks. During the first six months of 2013, the average size of DDoS attacks remained solidly over the 2Gbps, Arbor reported — something the company has never seen before. Although the average may have been skewed during the period by the massive attack on Spamhaus in March, which reached 300Gbps at its zenith, large attacks in general have been going up too, Arbor found. From January to June this year, it said attacks exceeding 20Gbps more than doubled over 2012. Several security experts agreed with Arbor’s analysis. Michael Smith, CSIRT director for Akamai Technologies, cited two factors affecting DDoS numbers during the period. “It’s just easier to do these days,” he said in an interview. “You can rent a botnet for $20.” He added that a hacktivist group known as the Izz ad-Dim al-Qassam Cyber Fighters (QCF) has adopted a strategy that is also driving up the raw number of attacks and depressing their duration. “They attack multiple targets during the course of a day,” Smith explained. Not only do they attack multiple sites, but they don’t prolong an attack if they don’t see immediate results. “They’ll move from target to target after 10 or 20 minutes until they find one they can cause an immediate impact on,” Smith noted. Attacks are becoming bigger because hackers have more resources to mount attacks than ever before, said Marc Gaffan, founder of Incapsula. “There’s more ammunition for hackers in the wild which is why attacks have grown in size,” he said. New techniques have also contributed to the size of the attacks. For example, in the Spamhaus attack, hackers exploited openings in DNS servers to amplify the magnitude of their attacks on the website. They do that by sending a request to a server with an open DNS resolver. In the request, they spoof the address of their target so when the server answers the request, it sends its answer to the target. “When the resolver sends back the answer, which is larger than the question, it’s amplifying the attacker’s request,” Gaffan said. “Sometimes the answer can be as much as 50 times larger than the request,” he continued. “So an attack can be 50 times the original firepower used for the request.” In addition to improving their techniques, hackers have also increased their efficiencies by shortening their attacks. They will hit a site long enough to bring it down, disappear into the ether, then return to take it down again just as it’s recovering from the initial attack. “When a website goes down, it takes time to bring it back up,” Gaffan said. “There’s no point continuing to fire at that target when it’s down. You want to conserve your ammunition and fly under the radar, because the more you fire the greater the chances of someone identifying you as the source of the fire.” The technique also allows the attackers to get better mileage from their resources. “They could hit multiple targets with a single piece of infrastructure as opposed to hitting one target for an hour,” Gaffan said. Part of the reason attackers are sharpening their skills of deception is that defenders are getting better at blunting DDoS attacks. “The Internet as a whole is getting better at responding to these attacks,” said Cisco Technical Leader for Threat Research, Craig Williams. “We’ve seen DNS amplification shoot through the roof, but I suspect that’s going to start dropping with the addition of RPZs that can mitigate queries and people getting better at closing down open resolvers,” Williams told CSOonline . Source: http://www.networkworld.com/news/2013/073113-ddos-attacks-getting-bigger-but-272389.html?page=2

Taken from:
DDoS attacks getting bigger but shorter in duration

DDoS is Back; 3 Banks Attacked

A week after the self-proclaimed hacktivist group Izz ad-Din al-Qassam Cyber Fighters announced plans to launch a fourth phase of attacks against U.S. banks it’s still not clear whether the group has resumed its distributed-denial-of-service activity. DDoS attacks appear to have targeted three banks July 24 through July 27, according to Keynote, an online and mobile cloud testing and traffic monitoring provider, and other sources. But security vendors that track attacks linked to al-Qassam’s botnet, known as Brobot, say they’re uncertain exactly who was behind those attacks. While some attack evidence suggested a link to Brobot, nothing was definitive. The online banking sites of JPMorgan Chase, U.S. Bancorp and Regions Financial Corp. all experienced intermittent outages last week, Keynote says, and the outages appear to be DDoS-related. All three banking institutions have previously been targeted by al-Qassam. Those three banks all declined to comment about the outages, although Chase did acknowledge intermittent online issues July 24 on Twitter , in response to customer complaints. Detecting those online glitches, however, took some digging, says Aaron Rudger, Keynote’s Web performance marketing manager. The online traffic patterns were different from what Keynote has recorded in the past for activity believed to be related to DDoS, he says. “Normally with DDoS attacks, we see a ramping decline in a site’s performance as the load against it builds,” Rudger says. “Eventually, the site falls over when overwhelmed.” But in all three online outages tracked last week, that pattern was not present, he says. “It seems they were hit very hard, very fast – so fast, our agents did not observe the typical ‘ramping’ effect of an attack,” he says. The pattern divergence could signal a different type of DDoS approach, or merely be a byproduct of the steps the affected banking institutions were taking to mitigate their outages, or a combination of the two, he says. And while all three banks suffered slightly different types of attacks – Chase hit by DNS lookup errors, U.S. Bank hit by TCP connection errors and Regions hit by traffic that allowed access to its homepage but kept eBanking inaccessible – Rudger says they all were, at least in part, linked to external issues. Bot Activity The outages linked to Chase began during the morning of July 24, stopped and then picked back up in the afternoon, says one DDoS mitigation expert, who asked to remain anonymous. The first wave of attacks had no commands linked to Brobot, but the second wave did, the source says. The outages at U.S. Bank, which began during the very early morning hours of July 24, also stopped for a while and picked back up in the afternoon, Rudger says. And the outages at Regions showed similar patterns, though the outages spanned two days and eBanking remained inaccessible throughout the duration, he adds. John LaCour, CEO of cybersecurity and intelligence firm PhishLabs, declined to comment about any particular banks affected by DDoS activity, but he confirmed that his company had tracked new attacks. He did not say, however, if those attacks were linked to Brobot. Tracking Attacks Several other DDoS mitigation providers would not comment about last week’s three apparent DDoS attacks. But the anonymous source says no one is certain whether al-Qassam is connected to those attacks. After al-Qassam’s announcement that it planned to launch a fourth phase of attacks, copycats may have decided to take advantage, launching attacks of their own hoping to be mistaken as al-Qassam, the source says. The group hasn’t attacked since the first week of May, when it announced it was halting its DDoS strikes in honor of Anonymous’ Operation USA , bringing an end to its third phase of attacks, which began March 5 (see New Wave of DDoS Attacks Launched ). al-Qassam has repeatedly stated it’s waging its attacks against U.S. banking institutions in protest of a Youtube movie trailer deemed offensive to Muslims. “Other DDoS actors have started their hostilities, trying to blame (or at least be confused with) them on QCF,” the source says. “We saw similar activity from the middle of Phase 2 onward, where fraudsters were attacking known [Operation] Ababil targets in order to straphang on the chaos that QCF was bringing.” Several security vendors tracking the group’s Brobot say that the botnet is growing. “The huge number of servers controlled by the attackers shows that this campaign was fully planned, intentionally organized and deliberate,” says Frank Ip, vice president of U.S. operations for NSFOCUS, which tracks DDoS activity. “This leads us to wonder whether the attack campaign is supported or backed by a country or financially well-off organization behind the scenes. We expect that similar DDoS attack events will occur in the wake of the recent activity, employing more diversified and varying methods.” Source: http://www.govinfosecurity.com/ddos-back-3-banks-attacked-a-5951/p-2

Visit site:
DDoS is Back; 3 Banks Attacked

Security complexity and internal breaches are key concerns

Growth in external hacking attempts, DDoS and malware attacks, and internal threats to data are the key security concerns for UK businesses. 64% of respondents to a Check Point survey said that ext…

View the original here:
Security complexity and internal breaches are key concerns

Regions Bank Hit with New DDoS Attack

Regions Bank was the victim of cyber attackers that shuttered the bank’s website and interrupted its customers’ debit cards, reported AL.com. The bank’s website was hit Friday with a distributed-denial-of-service attack. Customers may have also not been able to use their debit cards at ATMs and merchants, according to a statement released to the website. “Access to regions.com and online banking were disrupted intermittently today by a distributed denial of service (DDoS) attack,” a spokesman told AL.com on Friday. “Some customers may have also been unable to use their CheckCards at ATMs or at merchants. We apologize for the difficulties this has caused and are working to resolve the issues as quickly as possible.” The attack comes on the heels of recent threats by from the hactivist group Izz ad-Din al-Qassam Cyber Fighters. Since last September, al-Qassam has taken responsibility for a series of cyber assaults that have plagued some of the nation’s largest banks — shuttering the online banking operations of Wells Fargo, PNC and dozens of others. Regions Bank was among those hit in early October. The Regions outage and debit card issues that occurred Friday reportedly lasted for nearly two hours. Source: http://www.americanbanker.com/issues/178_145/regions-bank-hit-with-new-ddos-attack-1060942-1.html

Read more here:
Regions Bank Hit with New DDoS Attack

DDoS: Lessons From U.K. Attacks

While U.S. banking institutions brace for the next wave of distributed-denial-of-service attacks by Izz ad-Din al-Qassam, new cyberthreat research reminds us that no industry or global market is immune to DDoS. A new study from online security provider Neustar shows that DDoS attacks are up in the United Kingdom, just as they are in the U.S., and they’re targeting everything from e-commerce sites to government. It’s not just banking institutions that DDoS attackers want to take down – a truth we’ve been preaching for several months. But now, data proves it. Of the 381 U.K. organizations polled between May and June by Neustar, 22 percent said they suffered from some type of DDoS attack in 2012. By comparison, a survey of 704 North American organizations released in April 2012 showed that 35 percent had been targeted by DDoS within the last year. While the financial services sector has been the primary DDoS target in the U.S., telecommunications companies are the No. 1 target in the U.K., according to the Neustar survey, with 53 percent reporting attacks. Half of U.K. e-commerce companies and 43 percent of online retailers surveyed reported attacks. But only 17 percent of the U.K. financial-services organizations say they had been targeted, compared with 44 percent in the North American survey. The North American data is a bit out of date, so the percentage of financial institutions hit by DDoS is now probably even higher. And attacks aimed at U.K. organizations have been nowhere as fierce as those waged against U.S. banks since September 2012. More Attacks on Way Now that al-Qassam has just announced plans for a fourth phase of attacks, we’re all bracing for more strikes against U.S. banks (see DDoS: Attackers Announce Phase 4 ). But the new survey sends a clear message: No organization is safe from DDoS. “As in North America, U.K. companies face serious challenges as they decide on DDoS protection and attempt to mitigate losses,” Neustar writes in its survey study. “While many companies are hoping traditional defenses will suffice, given the frequency of attacks, their growing complexity and the impact when sites go dark, such hopes are badly misplaced.” U.K. organizations could learn quite a bit from the example U.S. banks have set. Experts have noted time and time again that European banks and others are not well-prepped for DDoS. Despite the fact that the attacks waged against U.S. banks have been among the largest the industry has ever seen, the percentage of U.S. organizations that experienced extended outages was much smaller than that of U.K. organizations, the surveys showed. The defenses U.S. banking institutions have put in place have set a new bar. We already knew that, but now Neustar’s survey results support it. According to Neustar, while online outages lasting about 24 hours affected about 37 percent of both North American and U.K. organizations surveyed, outages lasting more than a week affected 22 percent in the U.K. and only 13 percent in North America. Having a site down for more than a week is an embarrassment, and costly. Can you even imagine a major banking institution’s site being down that long? Banks in the U.S. are prepared for DDoS. But what about other organizations? Are non-banks getting ready for DDoS, or do they still see this as only a threat to banking institutions? What you think? Let us know in the comment section below. Source: http://www.bankinfosecurity.com/blogs/ddos-no-industry-safe-p-1524

Visit link:
DDoS: Lessons From U.K. Attacks

Increase in malicious DNS request traffic

With regard to the OpUSA hacktivist campaign, Solutionary discovered that attackers responsible for previous DDoS attacks on the financial sector leveraged a variety of techniques to execute the campa…

Link:
Increase in malicious DNS request traffic

Network Solutions Recovers After DDoS Attack

Network Solutions said it’s fully mitigated a distributed denial of service (DDoS) attack that compromised some services last week, and that attack volumes against the company had returned to normal. “We experience DDoS attacks almost daily, but our automatic mitigation protocols usually handle the attacks without any impact to our customers,” said John Herbkersman, a spokesman for Network Solutions’ parent company, Web.com, via email. Network Solutions manages more than more than 6.6 million domains, provides hosting services, registers domain names and also sells SSL certificates, among other services. But Monday, some customers reported still experiencing domain name server (DNS) and website updating difficulties that dated to the start of the DDoS attacks. The company, however, disputed those claims. “Some customers may be experiencing issues, but they are not related to last week’s DDoS attack,” said Herbkersman. The DDoS attacks began last week, with Network Solutions at first reporting that “some Network Solutions hosting customers are reporting latency issues,” according to a “notice to customers who are experiencing hosting issues” posted to the company’s website on Tuesday, July 16. “Our technology team is aware of the problem, and they’re working to resolve it as quickly as possible. Thank you for your patience,” it said. As the week continued, the company posted updates via Twitter and to its Facebook page. By Wednesday, it said that the outages were due to a DDoS attack “that is impacting our customers as well as the Network Solutions site.” It said that the company’s technology staff were “working to mitigate the situation.” Later on Wednesday the company declared via Twitter: “The recent DDOS attack affecting customers has now been mitigated. Customer websites should be resolving normally. Thanks for your patience.” The Network Solutions website wasn’t available or updateable for the duration of the attacks. But that wasn’t apparent to all customers, who might not have turned to Facebook and Twitter seeking updates about the company’s service availability. One InformationWeek reader, who emailed Friday, accused Network Solutions of being less than forthcoming about the fact that the outages were being caused by a DDoS attack, “which they acknowledged only when calling them,” after he found only the “notice to customers who are experiencing hosting issues” post on the company’s site. “They have been trying to bury it,” he alleged. “Some sites were down for the entire day.” Herbkersman brushed off the criticism. “In addition to Facebook, we communicated via the Network Solutions’ website and via Twitter,” he said. “We also responded directly to customers who called our customer service team and those who contacted us via social media channels.” Friday, the company did publish a fuller accounting of the outage to its website. “Earlier this week, Network Solutions experienced a distributed denial of service (DDoS) attack on its servers that affected our customers. The Network Solutions technology team quickly identified the issue and implemented measures to mitigate the attack,” read a statement posted to the company’s site and cross-referenced on its Facebook page. “We apologize to our customers who were impacted.” “Are we getting refunded some money because of your 99.99% uptime guarantee?” responded one member via Facebook. “Feel free to call our support team and they will be happy to discuss,” came a reply from Network Solutions. Customers might have had to contend with more than just the DDoS attack. A Tuesday Facebook post — since deleted, which the company said it made to help direct customers to more recent information about the DDoS-driven outages — drew comments from customers reporting DNS issues. “There were multiple reports on the July 16, 2013 Facebook thread that appear to indicate customer DNS records were corrupted before the DDoS induced outage,” Craig Williams, a technical leader in the Cisco Systems threat research group, said in a blog post. The one-two punch of domain name resolution difficulties and a DDoS attack could have left numerous sites inaccessible not just during the attack, but in subsequent days, as the company attempted to identify the extent of the damage and make repairs in subsequent days. Last week’s DDoS attack was the second such attack for Network Solutions customers in less than a month. “In [the] previous outage, domain name servers were redirected away from their proper IP addresses,” said Williams. In that case, however, at least some of the DNS issues appeared to be “a result of a server misconfiguration while Network Solutions was attempting to mitigate a DDoS attack.” Herbkersman, the Web.com spokesman, said last week’s outages were entirely driven by the DDoS attacks, rather than the company’s response to those attacks. Source: http://www.informationweek.com/security/attacks/network-solutions-recovers-after-ddos-at/240158685

Read the original:
Network Solutions Recovers After DDoS Attack