Monthly Archives: April 2014

DDoS attacks target online gaming

Distributed denial of service (DDoS) attacks are not limited to enterprises; we have recently seen a string of DDoS attacks hitting the gaming industry, says senior engineer at F5 Networks, Martin Walshaw. “The attacks have become more frequent, particularly in the professional gaming scene where large sums of money are available,” explains Walshaw, adding that this presents a fresh concern for competitive gamers, as Internet protocol addresses of individual players, as well as servers, being increasingly targeted. DDoS attacks are designed to make a service unavailable to its intended users, according to Walshaw, they typically target banking sites and credit card payment gateways, but lately there has been a marked increase in attacks targeting gaming sites. “InfoSecurity Magazine reports that in February the number of network time protocol (NTP) amplification attacks increased 371.43%. The average peak DDoS attack volume increased a staggering 807.48%, prompting Prolexic Technologies to issue a high alert threat advisory on NTP amplification DDoS attacks – but it was too late for Wurm and League of Legends.” Walshaw cites a recent article on BBC News, which revealed that Wurm is among the latest games to have been hit, with an attack knocking the multiplayer servers offline for two days between 18 and 20 February. For the developer, this is a major inconvenience, he says, as the main selling point of the game is its multiplayer content – the more prolonged the attack, the more damage it does to the brand. “For most gamers, these attacks are frustrating and inconvenient. Wurm’s creators were forced to migrate to new servers and offered a bounty of €10 000 for information that would lead to the perpetrator/s. Also in February, the League of Legends site suffered two DDoS attacks in 24 hours, described as the “biggest [attack] of its kind” against the game since its inception.” However, notes Walshaw, in electronic sports competitions, which offer professional gamers considerable sums of money in tournaments, DDoS attacks are more than just an inconvenience; they can have a significant impact on the results of a game. Last year, several rounds of a popular DOTA 2 tournament had to be postponed after persistent DDoS attacks in qualifying rounds. In competitions where reactions delayed by a fraction of a second can result in failure and lost funds, a slow connection can be a serious issue. “DDoS attacks are increasingly prevalent and show no signs of losing popularity with cyber criminals. Experts expect these enormous volumetric attacks will gain popularity due to the fact that they leverage existing DNS servers on the Internet – there is no need to recruit one’s own botnet, or even rent one,” he states. “Large cyber-attacks are capable of knocking out business-critical applications that generate revenue and facilitate communications, which can have severe business impacts. Organisations that depend on their online presence for survival absolutely need to invest in security solutions that protect themselves, staff, customers and end-users against these attack vectors.” According to John Grady, research manager for security products at IDC, DDoS attack methods have become much stealthier and are increasing in frequency, volume and application specificity. To ensure protection against these threats, he urges organisations to consider a defence-in-depth posture for DDoS defence. Grady adds that one important component is the on-premises appliance, key in detecting and mitigating advanced application, SSL and volumetric attacks. “Whether these kinds of DDoS attacks are the work of mischief makers, sore losers or even attempts to sabotage rivals, is unclear. What is clear is that defending against DDoS attacks is not just the province of private and public sector businesses,” observes Walshaw. He concludes that these attacks have become more prevalent and have amplified over the last year; we can expect to see a lot more of them, with even greater power, across different sectors, throughout this year. Source: http://www.itweb.co.za/index.php?option=com_content&view=article&id=111708:DDoS-attacks-target-online-gaming&catid=218

Continue Reading:
DDoS attacks target online gaming

How a website flaw turned 22,000 visitors into a botnet of DDoS zombies

Researchers have uncovered a recent denial-of-service attack that employed an unusual, if not unprecedented, technique to surreptitiously cause thousands of everyday Internet users to bombard the target with a massive amount of junk traffic. The attack worked by exploiting a Web application vulnerability on one of the biggest and most popular video sites on the Web, according to a blog post published recently by researchers at security firm Incapsula, which declined to identify the site by name. Malicious JavaScript embedded inside the image icons of accounts created by the attackers caused anyone viewing the users’ posts to run attack code that instructed their browser to send one Web request per second to the DoS victim. In all, the technique caused 22,000 ordinary Web users to unwittingly flood the target with 20 million GET requests. “Obviously one request per second is not a lot,” Incapsula researchers Ronen Atias and Ofer Gayer wrote. “However, when dealing with video content of 10, 20, and 30 minutes in length, and with thousands of views every minute, the attack can quickly become very large and extremely dangerous. Knowing this, the offender strategically posted comments on popular videos, effectively created a self-sustaining botnet comprising tens of thousands of hijacked browsers, operated by unsuspecting human visitors who were only there to watch a few funny cat videos.” The novel attack was made possible by the presence of a persistent cross-site scripting (XSS) vulnerability in the video site, which Incapsula didn’t identify except to say it fell in the Alexa top 50 list. XSS exploits effectively allow attackers to store malicious JavaScript on a website that gets invoked each time someone visits. The booby-trapped user icons contained an iframe tag that pulled malicious instructions off an attacker-controlled command and control server. The malicious instructions caused browsers to surreptitiously flood the DDoS target with an unusually high number of GET requests. Incapsula was able to mitigate the effects of the attack using a combination of progressive challenges and behavior-based security algorithms. Remember the Samy Worm? The attack is only the latest to harness the tremendous power of XSS vulnerabilities. The technique came into vogue in 2005 with the advent of the Samy worm. Named after its creator, a hacker named Samy Kamkar, the XSS exploit knocked MySpace out of commission for a day by forcing anyone who viewed his profile to become a MySpace friend. In less than 24 hours, Kamkar, who later served time in jail for the stunt, gained more than one million followers. “The nature and beauty of persistent XSS is that the attacker doesn’t need to target specific users,” Matt Johansen, senior manager of Whitehat Security’s threat research center, told Ars. “The malicious JavaScript is stored on the website and replayed to anybody who visits this in the future. This particular JavaScript forced each browser that was running it to make a request in one-second intervals.” Last year, Johansen and other colleagues from Whitehat Security demonstrated a proof-of-concept ad network that created a browser-based botnet using a technique that’s similar to the one Incapsula observed exploiting the XSS weakness. “The delivery mechanism [in the Incapsula-observed attack] was different as it was from persistent XSS in the site instead of an ad network,” Johansen explained. “The only difference there was how the malicious JavaScript was rendered in the user’s (bot’s) browser. The code that is quoted in the [Incapsula] article is using a very similar technique to the code we wrote for our talk. Instead of using (image) tags like we did, this attacker is using tags which then make one request per second. We were just loading as many images as possible in the time our JavaScript was running.” Incapsula’s discovery comes three months after criminals were observed using another novel technique to drastically amplify the volume of DDoS attacks on online game services and other websites. Rather than directly flooding the targeted services with torrents of data, an attack group sent much smaller sized data requests to time-synchronization servers running the Network Time Protocol. By manipulating the requests to make them appear as if they originated from one of the gaming sites, the attackers were able to vastly increase the firepower at their disposal. The technique abusing the Network Time Protocol can result in as much as a 58-fold increase or more. Miscreants have long exploited unsecured domain name system servers available online to similarly amplify the amount of junk traffic available in DDoS attacks. Incapsula’s finding underscores the constantly evolving nature of online attacks. It also demonstrates how a single weakness on one party’s website can have powerful consequences for the Internet at large, even for those who don’t visit or otherwise interact with the buggy application. Source: http://arstechnica.com/security/2014/04/how-a-website-flaw-turned-22000-visitors-into-a-botnet-of-ddos-zombies/

Visit site:
How a website flaw turned 22,000 visitors into a botnet of DDoS zombies

Media hacking continues as Czech news sites suffer DDoS attacks

Media websites continue to be attacked by cyber criminals with reports now emerging that titles in the Czech Republic have been targeted. Three of the country’s most widely-read sites – ihned.cz, idnes.cz, and novinky.cz – have confirmed the slowing or crashing of their web pages according to Reuters, though it is not clear who is responsible for the hacks at present. Indicating the use of commonly-deployed Distributed Denial of Service (DDoS) attacks, Lucie Tvaruzkova, the head of business daily ihned.cz, said, “We are receiving great numbers of requests at our servers, which is a typical way to attack.” The incident follows other well-documented cyber-assaults on major media outlets this year, with both the New York Times and Wall Street Journal revealing their networks were breached in attacks they believed originated in China. Elsewhere, security researchers said last week that hackers have been targeting government agencies across a number of European countries, including the Czech Republic, Ireland, and Romania. A flaw in Adobe Systems ADBE.O software has apparently been exploited in the attacks. Source: http://www.itproportal.com/2013/03/04/media-hacking-continues-as-czech-news-sites-suffer-ddos-attacks/#ixzz2yBakJKEu

Week in review: AET costs, Windows XP deadline, routers expose ISPs to DNS-based DDoS attacks

Here's an overview of some of last week's most interesting news, reviews and articles: Cost of Advanced Evasion Techniques in recent data breaches A new report by McAfee examines the controversy…

DDoS Attack on Ellie Mae site Suspects Attackers Had Industry Knowledge

The distributed denial-of-service attack that crashed Ellie Mae’s loan origination system was cleverly disguised and could have been carried out by individuals with mortgage industry expertise, the vendor says. The March 31-April 1 attack overwhelmed the company’s servers with data requests that had the look and feel of legitimate communications. Specifically, the attack flooded the servers with requests to a URL that is used to download an XML file containing a list of third-party technology vendors that integrate with the Encompass LOS via the Ellie Mae Network. “It was a massive number of requests that came in and consumed the full capacity of one set of our servers around a specific URL,” Ellie Mae President and Chief Operating Officer Jonathan Corr says in his first interview since the attack was disclosed. “Where a classic denial-of-service attack would be a request that comes in that is not valid and would just create a lot of failed attempts, this was a valid request with a normal signature.” The investigation into the incident is ongoing, but the manner in which the attack was carried out may indicate that it was carried out by people familiar with the mortgage industry. “I find it very coincidental that this was using a valid request and a normal signature, which if you look at just a random attack, that’s not typically the case,” Corr says. “And it occurred on the last day of the month and the quarter, starting first thing in the morning” — a critical time for loan closings. “That could be coincidence, I don’t have evidence otherwise, but we find it very disturbing and we’re trying to figure it out. It seems like that could be a possibility,” he adds. The XML file contains no sensitive data and is accessible through a so-called open request, which doesn’t require the type of authentication needed to access actual loan files in the system. The attack resembled data requests that would come from the smart client application used to access Encompass and the Ellie Mae Network. This similarity initially made the communications difficult to identify as a threat. “Because of the way it came in, it looked just like a request that we would expect and it wasn’t something that someone out there randomly could do,” Corr says. “Somebody obviously understood a basic public request that would come from an Encompass system.” Ellie Mae has hired Stroz Friedberg, a cyber-security and digital forensics investigation firm, to piece together evidence and trace the attack, evaluate Ellie Mae’s response to the incident, as well as validate that the vendor did not suffer a data or security breach. “We’re asking them to validate that so we can provide a third-party perspective to our customers so that they can turn around and let their regulators know,” Corr says. Ellie Mae, based in Pleasanton, Calif., has put protocols in place to defend against an attack of this nature, and Corr says the company will make additional investments “to further harden the walls” of its infrastructure. “We’re really focused on how to get even better at dealing with anybody that might try to affect the livelihood of our customers,” he says. Source: http://www.americanbanker.com/issues/179_65/ellie-mae-suspects-attackers-had-industry-knowledge-1066689-1.html

Visit site:
DDoS Attack on Ellie Mae site Suspects Attackers Had Industry Knowledge

24 million reasons to lock down DNS amplification attacks

Research from Nominum, a US security consultancy that supplies ISPs with DNS-based analytics and revenue advice, claims to show that 24 million home and small office broadband routers around the world are vulnerable to being tapped as part of a massive DDoS attack. Distributed-denial-of-service (DDoS) swarm attacks have been around for years, but hijacking routers is a relatively recent trend, driven largely by the fact that very few users actively update the firmware of their legacy routers. Rather than hack the host computer, Nominum says that the hackers can now manipulate DNS (Domain Name System) traffic lookups – the technology that translates alphabetic domain names (e.g. www.bbc.co.uk) into its numeric identifier (e.g. 987.65.43.21). By spoofing the target’s IP address and generating a small IP request (ICMP) to a vulnerable router, the router will then generate a larger IP data packet to the real IP address. Nominum claims that this `amplification’ effect can be tapped to turn a few megabits of data bandwidth into many tens of gigabits of bandwidth hogging IP streams. This is no theoretical analysis, as the consultancy claims to have spotted over 5.3 million home and office routers being hijacked during February to generate IP attack traffic – with as much as 70 per cent of total DNS traffic being attributed to one attack seen during January. Nominum says the effect on ISP traffic is immense, with trillions of bytes of attack data disrupting ISP networks, websites and individuals. In the longer term, the consultancy says there is a network impact generated by malicious traffic saturating the available bandwidth and a consequent loss of revenue as users migrate to other ISPs due to an apparently poor experience. Sanjay Kapoor, the SVP of strategy with Nominum, said that existing DDoS defences do not work against today’s amplification attacks, which can be launched by any criminal who wants to achieve maximum damage with minimum effort. “Even if ISPs employ best practices to protect their networks, they can still become victims, thanks to the inherent vulnerability in open DNS proxies,” he said. Peter Wood, CEO of pen-testing specialist First Base Technologies, says that the problem identified by Nominum is often found by his research team where remote branch offices and staff working from home are involved. “We’ve recently been testing a Draytek Vigor router in this regard, and the good news is that most of the attack ports that could be used are turned off by default. Conversely, we also tested a Buffalo router, where the exact reverse was true,” he explained. “This is the joy of OpenDNS proxies. It’s also not that obvious how to configure a fixed IP on many routers,” he said, adding that some clients are – thankfully – becoming more aware of the security risks from the amplification attacks identified by Nominum’s research. Sven Schlueter, a senior consultant with Context Information Security, said that DNS application attacks mean that only minimal resources are required to conduct an attack against the availability of a larger system or network. “This type of attack is then often performed from different sources, all spoofing the source ‘to origin from the target’, resulting in a DDoS against the available bandwidth of the targeted hosts and networks when content is returned from the legitimate DNS,” he said, adding that a number of mitigation solutions are now possible. “For example, a DNS server administrator can ensure that the resolver is not open to the Internet. Very rarely – usually only for service providers – is a resolver required to be open to the Internet. However, if necessary, rate limiting and monitoring can be applied to slow down, detect and mitigate attacks,” he said. “ISPs can also enforce restrictions so that spoofing of addresses is not possible. Service owners, such as a Web site administrator, can only slightly mitigate the issue by dynamically allocating more bandwidth and filtering the attack at the border/ISP core, to the network affected,” he added. Jag Bains, CTO of DDoS remediation specialist DOSarrest, said that is a need for focused DDoS protection services as his firm is seeing more and more attack vectors and agents emerge – something that he says is only going to increase as the `Internet of Things’ gains further traction. “Strategic decision makers will need to understand what specific assets need protection and in what specific manner, and ensure they buy the right solution,” he noted. Lamar Bailey, director of security research with Tripwire, said that home and small office modems, gateways and routers are a generally the second weakest link in a home/small office network behind printers. “Internet providers do update or use current technology for home user gateways and the end user is generally stuck with what every the provider gives them. The routers are generally on very old technology and not easy or possible to secure. DDoS and other attacks are very successful on these old routers,” he said. Bailey went on to say that the ISPs need to take security more seriously and help protect their consumers. “In the US each region has limited options for ISPs which is almost a monopoly. This is bad for consumers and great for attackers and bot herders,” he explained. “Internet providers do update or use current technology for home user gateways and the end user is generally stuck with what every the provider gives them. The routers are generally on very old technology and not easy or possible to secure. DDoS and other attacks are very successful on these old routers,” he said. Bailey went on to say that the ISPs need to take security more seriously and help protect their consumers. “In the US each region has limited options for ISPs which is almost a monopoly. This is bad for consumers and great for attackers and bot herders,” he explained. Source: http://www.scmagazineuk.com/24-million-reasons-to-lock-down-dns-amplification-attacks/article/341026/

More here:
24 million reasons to lock down DNS amplification attacks

Millions of home routers expose ISPs to DDoS attacks

DNS software specialist Nominum has revealed that DNS-based DDoS amplification attacks have significantly increased in the recent months, targeting vulnerable home routers worldwide. The research reveals that more than 24 million home routers have open DNS proxies which potentially expose ISPs to DNS-based DDoS attacks. In February of this year more than 5 million of these routers were used to generate attack traffic. DNS is the most popular protocol for launching amplification attacks and during an attack in January more than 70 percent of total DNS traffic on one provider’s network was associated with amplification. The attraction for the attacker is that DNS amplification requires little skill or effort but can cause major damage. Using home routers helps mask the attack target making it harder for ISPs to trace the ultimate recipient of the waves of amplified traffic. The amount of amplified traffic can amount to trillions of bytes every day, disrupting networks, websites and individuals and leading to additional costs. “Existing in-place DDoS defenses do not work against today’s amplification attacks, which can be launched by any criminal who wants to achieve maximum damage with minimum effort,” says Sanjay Kapoor, CMO and SVP of Strategy at Nominum. “Even if ISPs employ best practices to protect their networks, they can still become victims, thanks to the inherent vulnerability in open DNS proxies”. To address the gap in defenses Nominum has launched its Vantio ThreatAvert product to enable ISPs to neutralize attack traffic. Kapoor says, “ISPs today need more effective protections built-in to DNS servers. Modern DNS servers can precisely target attack traffic without impacting any legitimate DNS traffic. ThreatAvert combined with ‘best in class’ GIX portfolio overcomes gaps in DDoS defenses, enabling ISPs to constantly adapt as attackers change their exploits, and precision policies surgically remove malicious traffic”. Source: http://betanews.com/2014/04/02/millions-of-home-routers-expose-isps-to-ddos-attacks/

View article:
Millions of home routers expose ISPs to DDoS attacks

24 million routers expose ISPs to DNS-based DDoS attacks

DNS-based DDoS amplification attacks have significantly increased in the recent months, targeting vulnerable home routers worldwide. A simple attack can create 10s of Gbps of traffic to disrupt provid…

Continued here:
24 million routers expose ISPs to DNS-based DDoS attacks

Blizzard games still suffering after DDoS attack

Blizzard has confirmed that some of its games are being affected by distributed denial of service attacks (DDoS attacks) on its European online services. Diablo , World of Warcraft , StarCraft and Hearthstone may all be affected by the attacks, suffering disconnections and high latency — a longer gap between the time when you click or press a button and the effect of that action, which makes the game can feel laggy. According to Blizzard’s official update, the attacks aren’t focusing on the company’s infrastructure, however the ripples of the DDoS attacks are still being felt by some of the playerbase. The issue may also be causing problems with the Blizzard authentication servers, which in turn leads to failed or slow login attempts. The company stated: “while we are closely monitoring the situation we wanted to thank you for your patience and apologise for any inconvenience this may cause.” On a lighter note, here’s the trailer for Blizzard’s new game Outcasts: Vengeance of the Vanquished . Blizzard Outcasts — Vengeance of the VanquishedBlizzard Entertainment What with it being an April Fool’s Day joke (despite Blizzard’s protestation that they “have no idea why you would doubt us, but yes, we are indeed making this game. For realsies.”) the game is unlikely to be affected by disconnections and latency. Silver linings and all that… Source: http://www.wired.co.uk/news/archive/2014-04/01/blizzard-ddos

Follow this link:
Blizzard games still suffering after DDoS attack

DDoS Trends Report Reveals Spike in Botnet Activity

A new study documenting distributed denial of service (DDoS) trends found an average of more than twelve million unique botnet-driven DDoS attacks are occurring weekly in the last 90 days, representing a 240% increase over the same period in 2013. “Unlike network DDoS attacks, Layer 7 attack sources can’t hide behind spoofed IPs. Instead they resort to using Trojan infected computers, hijacked hosting environments and Internet-connected devices,” the report stated “Large groups of such compromised resources constitute a botnet; a remotely controlled “zombie army” that can be used for DDoS attacks and other malicious activities.” Key findings on network (Layer 3 & 4) DDoS attacks included: Large SYN Floods account for 51.5% of all large-scale attacks Almost one in every three attacks is above 20Gbps 81% of attacks are multi-vector threats Normal SYN flood & Large SYN flood combo is the most popular multi-vector attack (75%) NTP reflection was the most common large-scale attack method in February 2014 Key findings on application (Layer 7) DDoS attacks included: DDoS bot traffic is up by 240% More than 25% of all Botnets are located in India, China and Iran USA is ranked number 5 in the list of “Top 10” attacking countries 29% of Botnets attack more than 50 targets a month 29.9% of DDoS bots can hold cookies 46% of all spoofed user-agents are fake Baidu Bots (while 11.7% are fake Googlebots) “2013 was a game-changing year for DDoS attacks, with higher-than-ever attack volumes and rapid evolution of new attack methods,” the report states. “Now, the perpetrators are looking to raise the stakes even higher by introducing new capabilities, many of which are specifically designed to abuse the weaknesses of traditional anti-DDoS solutions. As a result, in 2014, many IT organizations will need to re-think their security strategies to respond to latest Layer 3-4 and Layer 7 DDoS threats.” Source: http://www.tripwire.com/state-of-security/top-security-stories/ddos-trends-report-reveals-spike-botnet-activity/

Continued here:
DDoS Trends Report Reveals Spike in Botnet Activity