Monthly Archives: February 2015

How The Great Firewall Of China Caused A DDoS Attack In France

Many people outside China know about the country’s Great Firewall, but probably assume it will have little, if any, impact on their own online activities. However, a fascinating post on Benjamin Sonntag’s blog explains how one of the servers of La Quadrature du Net, the Paris-based digital freedom association he co-founded, and for which his company provides free hosting, was hit by distributed denial of service (DDoS) attacks caused directly by the Great Firewall’s policies. His blog post provides all the technical details: it turned out that the vast majority of the attacks were coming from Chinese IP addresses. Here’s what seems to have happened:

“China is censoring its Internet; that’s well known. To do this, the country censors (among others) DNS [Domain Name System] queries in its network (and also, as a side effect, the rare Japanese, Korean or Taiwanese queries going through China): when it answers a DNS query for a censored website, it answers with ‘any incorrect IP address’ instead.”

That is, instead of letting Chinese Net users access “forbidden” content, the Great Firewall generally redirects them to some random, presumably harmless, site. But that wasn’t happening here:

“We see spikes of requests to websites censored in China coming to IP addresses such as those of La Quadrature du Net. Other people had this same issue: http://furbo.org/2015/01/22/fear-china/ So, the end story is that we just saw censored websites’ requests coming to La Quadrature du Net’s IP address from China, due to how the Chinese Internet censorship is working!”

Rather than pushing limited traffic to lots of sites, the Great Firewall was sending lots of traffic to just a few. The mechanism matters: a client handed a bogus address does not know it, so it opens its connection there and asks for the censored site by name, and whoever owns that address absorbs the load of every Chinese client that received the same answer. Among the possible explanations for this new behavior, Sonntag offers two that are equally worrying:

“Maybe one of the system administrators of the Great Firewall of China is gaining some small and quick money selling DDoS, selling Internet attacks to the highest bidder (in bitcoin?) and using that censorship system as a weapon. Maybe China chose a precise list of targets to send censored traffic to, adding to this technical ‘useful’ process (the censorship) a ‘nice’ one (putting down foreign opponents’ websites)… La Quadrature du Net, as a digital freedom association, seems to be too nice a target (among others of course).”

Neither is good news for sites in the West. Whatever the real reason for this DDoS attack on La Quadrature, it certainly shows that the operation of the Great Firewall of China can have very direct effects outside that country. Another reason, perhaps, for those in the West to pay closer attention to China’s increasingly harsh approach to online censorship.

Source: https://www.techdirt.com/articles/20150204/09454829910/how-great-firewall-china-caused-ddos-attack-france.shtml
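The tell-tale symptom Sonntag describes is a web server receiving requests for hostnames it has never served, concentrated in a few source networks. The script below, an added example that is not code from Sonntag’s post or the Techdirt article, measures exactly that from an access log. It assumes a combined-format log that records the Host header as the final quoted field (an assumed custom log format), a list of the hostnames the server really serves, and constructed sample lines using documentation IP ranges and placeholder hostnames.

```python
"""Spot DNS-injection collateral in a web server's access log.

Added example; it is not code from Sonntag's post or the Techdirt article.
It assumes a combined-format log that also records the Host header as the
final quoted field (an assumed custom log format) and a list of the
hostnames this server really serves. The symptom described above is
requests for hostnames the server never served, concentrated in a few
source networks, which is what this script measures.
"""
import re
from collections import Counter, defaultdict
from ipaddress import ip_network

# Hostnames this server legitimately answers for (assumed for the example).
SERVED_HOSTS = {"www.laquadrature.net", "laquadrature.net"}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" '
    r'"(?P<ua>[^"]*)" "(?P<host>[^"]*)"$'
)

# Constructed sample lines (documentation IP ranges, placeholder hostnames).
SAMPLE_LOG = [
    '203.0.113.10 - - [03/Feb/2015:10:00:01 +0100] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0" "blocked.example"',
    '203.0.113.11 - - [03/Feb/2015:10:00:02 +0100] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0" "blocked.example"',
    '203.0.113.12 - - [03/Feb/2015:10:00:02 +0100] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0" "blocked.example"',
    '203.0.113.13 - - [03/Feb/2015:10:00:03 +0100] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0" "other.example:80"',
    '198.51.100.5 - - [03/Feb/2015:10:00:04 +0100] "GET /en/ HTTP/1.1" 200 4096 "-" "Mozilla/5.0" "www.laquadrature.net"',
    '192.0.2.9 - - [03/Feb/2015:10:00:05 +0100] "GET / HTTP/1.1" 200 512 "-" "curl/7.40" "blocked.example"',
]


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(lines, served_hosts=SERVED_HOSTS, prefix=24):
    """Count requests whose Host header is not one of ours, by host and by source /prefix."""
    by_host = Counter()
    by_net = defaultdict(Counter)
    total = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        total += 1
        host = rec["host"].lower().rsplit(":", 1)[0]  # drop an explicit port
        if host in served_hosts:
            continue
        by_host[host] += 1
        try:
            net = str(ip_network(f"{rec['ip']}/{prefix}", strict=False))
        except ValueError:
            continue  # unparsable address: counted by host, not by network
        by_net[net][host] += 1
    return {"total": total, "foreign_by_host": by_host, "foreign_by_net": by_net}


def suspicious_networks(report, min_share=0.5):
    """Source networks carrying at least min_share of all foreign-host requests."""
    foreign_total = sum(report["foreign_by_host"].values())
    if foreign_total == 0:
        return []
    hits = []
    for net, hosts in report["foreign_by_net"].items():
        n = sum(hosts.values())
        if n / foreign_total >= min_share:
            hits.append((net, n, hosts.most_common(3)))
    return sorted(hits, key=lambda t: -t[1])


if __name__ == "__main__":
    rep = classify(SAMPLE_LOG)
    print(f"{rep['total']} requests, foreign hosts: {dict(rep['foreign_by_host'])}")
    for net, n, top in suspicious_networks(rep):
        print(f"{net}: {n} foreign-host requests, top hosts {top}")
```

On the server side the cheap mitigation is to make the default virtual host refuse requests for names you do not serve, so the connection is closed before any application work is done (in nginx, a `default_server` block with `return 444;`); the log analysis above tells you when that refusal is carrying real load and from where.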

More:
How The Great Firewall Of China Caused A DDoS Attack In France

Anonymous loose cannon admits DDoSing social services and housing websites

51-yr-old Liverpudlian cuffed after bragging on social media

A middle-aged Briton has admitted running a series of debilitating denial of service attacks against social services, social housing and crime prevention websites.…

More:
Anonymous loose cannon admits DDoSing social services and housing websites

Anonymous-linked hacker admits to DDoS of public services

Merseyside resident disrupted more than 300 sites with bogus traffic.

A hacker with links to Anonymous has admitted conducting distributed-denial-of-service (DDoS) attacks against social services, crime prevention bodies and businesses. Ian Sullivan, a 51-year-old from Bootle in Merseyside, flooded more than 300 websites with bogus traffic in 2013, rendering them unusable for legitimate visitors, though the police said no data was stolen.

Steven Pye, senior operations manager at the National Crime Agency’s (NCA) cybercrime unit, said: “Many DDoS attacks are little more than a temporary inconvenience, but in this case Sullivan’s actions are likely to have deprived vulnerable people of access to important information, ranging from where to get support on family breakup, to reporting crime anonymously.” “This multi-agency operation illustrates the commitment of the NCA and its partners to pursuing people who think they can criminally disrupt important public services or legitimate businesses.”

Sullivan was arrested on July 29, 2013 by the Police Central e-Crime Unit after the DDoS attacks were referenced by a Twitter account. Investigators found software on his computer capable of taking websites offline, as well as documents linking him to other campaigns run by hacking collective Anonymous. He will be sentenced at Liverpool Crown Court on May 1.

Source: http://www.cbronline.com/news/security/anonymous-linked-hacker-admits-to-ddos-of-public-services-4507312

View article:
Anonymous-linked hacker admits to DDoS of public services

New multi-purpose backdoor targets Linux servers

A new multi-purpose Linux Trojan that opens a backdoor on the target machine and can make it participate in DDoS attacks has been discovered and analyzed by Dr. Web researchers, who believe that the C…

View the original here:
New multi-purpose backdoor targets Linux servers

Massive DDoS Brute-Force Campaign Targets Linux Rootkits

A brute force campaign looking to set up a distributed denial of service (DDoS) botnet using a rare Linux rootkit malware has been launched, emanating from the servers of a Hong Kong-based company called Hee Thai Limited. The malware, known as XOR.DDoS, was first spotted in September by security research firm Malware Must Die. But security firm FireEye says that new variants have been making their way into the wild, as recently as Jan. 20.

XOR.DDoS is installed on targeted systems via SSH (Secure Shell) brute-force attacks that target both servers and network devices. These are carried out using complex attack scripts that serve the malware through a sophisticated distribution scheme, allowing the attackers to compile and deliver tailored rootkits on demand to infect x86 and ARM (mobile and embedded) systems alike. Once infected, the hosts are enlisted to launch DDoS attacks.

“While typical DDoS bots are straightforward in operation and often programmed in a high-level script such as PHP or Perl, the XOR.DDoS family is programmed in C/C++ and incorporates multiple persistence mechanisms including a rare Linux rootkit,” FireEye researchers noted in an analysis.

What’s notable about the Hee Thai attack is the sheer scale of the operation. Within 24 hours of first sighting back in November, FireEye had observed well over 20,000 SSH login attempts per server. By the end of January, each server had seen nearly 1 million login attempts. During this time period, traffic from 103.41.124.0/24 accounted for 63% of all observed port 22 traffic. “Someone with a lot of bandwidth and resources really wanted to get into our servers,” FireEye researchers noted.

They also said that the campaign has been evolving. At the beginning, each IP address would attempt more than 20,000 passwords before moving on. It then dropped to attempting a few thousand passwords before cycling to the next, and repeat attacks also began to occur. Now, a new stage of the Hee Thai campaign is more chaotic than the previous two. “The attacks now occur en masse and at random, frequently with multiple IPs simultaneously targeting the same server,” FireEye explained.

The Hee Thai campaign also features an on-demand malware build system. The attackers harvest kernel headers and version strings from each victim and feed them to a set of build systems that compile XOR.DDoS, rootkit included, against that specific kernel before delivering it. Because every victim receives a differently compiled binary, hash signature-based detection is ineffective against XOR.DDoS.

“Brute force attacks are one of the oldest types of attacks,” FireEye researchers said. “Due to their ubiquity, there are numerous solutions available for defending against them. However, a great many systems are vulnerable. Even in enterprise settings, network devices and servers in forgotten branch offices could be exposed to this threat.”

Source: http://www.infosecurity-magazine.com/news/massive-ddos-bruteforce-targets/
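The campaign’s signature in the article is statistical rather than a file hash: tens of thousands of failed logins per server and one /24 carrying most of the port-22 traffic. The script below is an added example, not FireEye’s or Malware Must Die’s tooling; it reads the “Failed password for … from <ip> port <n> ssh2” lines OpenSSH writes to auth.log and ranks sources per address and per /24. The log lines it runs over are constructed.

```python
"""Rank SSH brute-force sources from sshd's syslog lines.

Added example, not FireEye's or Malware Must Die's tooling. It reads the
"Failed password for ... from <ip> port <n> ssh2" lines OpenSSH writes to
auth.log and groups them per source address and per /24, which is how the
article characterises the Hee Thai campaign (one /24 carrying most of the
port-22 traffic). The log lines below are constructed.
"""
import re
from collections import Counter
from ipaddress import ip_network

FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def _line(ip, user, n):
    """Constructed auth.log line in OpenSSH's format (not a real capture)."""
    return (f"Feb  3 10:{n // 60:02d}:{n % 60:02d} host sshd[{1000 + n}]: "
            f"Failed password for {user} from {ip} port {40000 + n} ssh2")


# Two addresses in one /24 hammering root/admin, plus a stray failure elsewhere.
SAMPLE_LOG = (
    [_line("203.0.113.7", "root", n) for n in range(25)]
    + [_line("203.0.113.8", "invalid user admin", n) for n in range(30)]
    + [_line("198.51.100.2", "deploy", n) for n in range(3)]
    + ["Feb  3 10:05:00 host sshd[1999]: Accepted publickey for deploy from 198.51.100.2 port 41000 ssh2"]
)


def failed_logins(lines):
    """Yield (source ip, attempted user) for every failed password attempt."""
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            yield m.group("ip"), m.group("user")


def brute_force_report(lines, per_ip_threshold=20, prefix=24):
    """Failures per IP and per /prefix; flags IPs at or above per_ip_threshold."""
    per_ip, per_net, users = Counter(), Counter(), Counter()
    for ip, user in failed_logins(lines):
        per_ip[ip] += 1
        users[user] += 1
        try:
            per_net[str(ip_network(f"{ip}/{prefix}", strict=False))] += 1
        except ValueError:
            pass  # malformed address field; still counted per IP
    total = sum(per_ip.values())
    top_net, top_n = per_net.most_common(1)[0] if per_net else (None, 0)
    return {
        "total_failures": total,
        "offenders": {ip: n for ip, n in per_ip.items() if n >= per_ip_threshold},
        "top_network": top_net,
        "top_network_share": top_n / total if total else 0.0,
        "top_users": users.most_common(5),
    }


if __name__ == "__main__":
    rep = brute_force_report(SAMPLE_LOG)
    print(f"{rep['total_failures']} failures; {rep['top_network']} carries "
          f"{rep['top_network_share']:.0%}; offenders {rep['offenders']}")
```

Password guessing only works where password authentication is enabled, so `PasswordAuthentication no` in sshd_config removes the vector entirely; the report above is for finding the hosts where that was forgotten. And because each XOR.DDoS build is compiled for its victim, look for the persistence mechanisms (unexpected kernel modules, init scripts and cron entries compared against a known baseline) rather than for file hashes.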

Read the article:
Massive DDoS Brute-Force Campaign Targets Linux Rootkits

Home Routers and IoT Devices Set to Drive DNS DDoS Attacks

The volume of DNS-based DDoS attacks will see another sharp rise this year as increasing numbers of home routers and IoT devices are compromised, according to Nominum. The network infrastructure and security firm claimed there was a 100-fold rise in such attacks during 2014, with a major spike in December thanks to malware in home gateways. The trend is likely to continue in 2015, with the volume of exploitable home and IoT devices set to soar. According to Nominum, just 100 compromised devices managed to take down one million subscriber networks last year.

In such DDoS campaigns, the attackers send specially crafted queries to ISP DNS resolvers and authoritative DNS servers, making the websites reliant upon them unreachable. Nominum claims that many DDoS prevention services are unable to counter these attacks as they’re either deployed in the wrong part of the network or lack accuracy. The firm added that last year 24 million home routers exposed open DNS proxies that were used to launch DDoS attacks; an open proxy needs no compromise at all, only a query from anyone on the Internet. The number of vulnerable devices has decreased since then, but with more than 100 million routers shipped every year and IoT devices set to reach tens of billions over the coming years, there’ll be plenty of opportunity for attackers to strike, it claimed.

“The recent shift to bot-based DNS DDoS dramatically changes the threat landscape and these attacks will likely grow worse as the number of connected devices increases,” said Craig Sprosts, vice president product management at Nominum, in a statement. “These attacks are continuously changing and increasingly targeting legitimate domains, requiring rapid response and making simple domain or IP-based blocking approaches too risky to deploy in service provider networks.”

However, David Stubley, CEO of security consultancy 7 Elements, argued that firms shouldn’t focus all their defensive efforts on DNS-related DDoS. “We have been dealing with bots and DDoS for the last 15 years and have seen a number of new techniques, such as BitTorrent as a delivery method for DDoS attacks,” he told Infosecurity. “While DNS amplification attacks will make DDoS attacks larger, this is just one of a number of approaches used and doesn’t dramatically change the threat landscape. Organizations need to assess the overall impact on their business that a DDoS attack could have and take appropriate measures to ensure that they can meet their business objectives.”

Source: http://www.infosecurity-magazine.com/news/home-routers-iot-devices-drive-dns/

Read the original post:
Home Routers and IoT Devices Set to Drive DNS DDoS Attacks

Hackers ransoming encryption keys from website owners

Hackers are finding even more ways to harm website owners: in a new report from security firm High-Tech Bridge, hackers are switching encryption keys and then ransoming website owners for money. The attack, known as “RansomWeb”, replaces the keys under which the site’s data is encrypted with keys the owner does not hold, so the data can no longer be read. In order for the website owner to regain control, they are forced to pay the hackers.

Encryption is the basis of modern internet security, but here it is turned against the site: the owner is locked out of data that is, by design, unreadable without the key, and no amount of additional security layered on top brings it back. Even if the website owner pays, there is no guarantee they will get the website back, or that the attacker will not launch the same attack later.

“We are probably facing a new emerging threat for websites that may outshine defacements and DDoS attacks,” Ilia Kolochenko, chief executive of High-Tech Bridge, said. “RansomWeb attacks may cause unrepairable damage; they are very easy to cause and pretty difficult to prevent.”

The attackers do not strike at once: having taken control, they let the site run under the swapped keys for months before locking the owner out, and the delay is the point, since by then the backups taken in the meantime hold only data encrypted under keys the owner never had.

Kolochenko sees this as a change in hacker motivation, from chaos to money. He believes the next wave of hackers will look for ransoms and lock owners out, instead of simply defacing a website. A precursor was seen in the Sony Pictures hack, when the apparent hackers sent ransom messages to Sony executives three days before taking the entire system offline.

The ever-changing world of encryption makes it hard for security firms to properly defend customers, especially against this new RansomWeb attack. It may lead to firms like Google and Facebook offering security help for smaller sites, with new encryption and security tools.

Source: http://www.itproportal.com/2015/02/03/hackers-ransoming-encryption-keys-website-owners/
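The attack only works if nobody notices that stored data has stopped being readable until the backups are useless too, so the practitioner’s check is a nightly look at the dump for columns that have quietly turned into ciphertext. The script below is an added example, not High-Tech Bridge’s tooling. It assumes rows pulled from a dump as dicts (the rows here are constructed, including three hard-coded ciphertext-looking values) and flags columns that are supposed to be plaintext but now hold dense base64- or hex-encoded tokens with high byte entropy.

```python
"""Check a database dump for columns that have quietly turned into ciphertext.

Added example; it is not High-Tech Bridge's tooling. The rows below are
constructed stand-ins for a nightly dump of a customer table. The test is
statistical: fields people typed contain spaces, punctuation and repeated
letters, so their byte entropy is low, while ciphertext stored base64- or
hex-encoded is one dense token whose entropy is close to the maximum for
its alphabet.
"""
import math
import re
from collections import Counter

B64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")
HEX_RE = re.compile(r"^[0-9a-fA-F]{32,}$")

# Constructed ciphertext-looking values (48 distinct base64 characters each).
CT1 = "x7Qm3ZpL9vKd2RtY8HnB4sWc1GfJ6aUe0iOo5lXr/T+kqbMw"
CT2 = "Mw/T+kqb0iOo5lXr1GfJ6aUe8HnB4sWc9vKd2RtYx7Qm3ZpL"
CT3 = "2RtY8HnB9vKd4sWc1GfJ0iOo6aUe5lXr/T+kx7QmqbMw3ZpL"

ROWS = [
    {"id": 1, "name": "Alice Martin", "email": "alice@example.com", "address": "12 Rue de la Paix"},
    {"id": 2, "name": "Bob Stone", "email": "bob@example.org", "address": CT1},
    {"id": 3, "name": "Chen Wei", "email": "chen@example.net", "address": CT2},
    {"id": 4, "name": "Dana Okafor", "email": "dana@example.com", "address": CT3},
]


def shannon_entropy(s):
    """Bits per character of s (0 for an empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def looks_encrypted(value, min_len=16):
    """Heuristic: a single base64 or hex token, long enough, with high entropy.

    A column of hex digests (MD5, SHA-*) will also trip the hex branch, so
    run this only over columns that are supposed to hold plaintext.
    """
    if not isinstance(value, str) or len(value) < min_len or " " in value:
        return False
    if B64_RE.match(value):
        return shannon_entropy(value) > 4.0   # base64 maxes at 6 bits/char
    if HEX_RE.match(value):
        return shannon_entropy(value) > 3.5   # hex maxes at 4 bits/char
    return False


def encrypted_share(rows, column):
    """Fraction of rows whose value in column looks like ciphertext."""
    values = [row.get(column) for row in rows]
    if not values:
        return 0.0
    return sum(1 for v in values if looks_encrypted(v)) / len(values)


def audit_backup(rows, plaintext_columns, max_share=0.05):
    """Map each plaintext column to its ciphertext share when it exceeds max_share."""
    findings = {}
    for column in plaintext_columns:
        share = encrypted_share(rows, column)
        if share > max_share:
            findings[column] = share
    return findings


if __name__ == "__main__":
    for column, share in audit_backup(ROWS, ["name", "email", "address"]).items():
        print(f"{column}: {share:.0%} of rows look encrypted; can you still decrypt them?")
```

The entropy heuristic is a tripwire, not proof; the real control it feeds is a restore drill, where you take the backup, decrypt with keys you hold, and read the data back. A column that trips the check and cannot be read that way is the RansomWeb scenario caught before the last clean backup has been rotated out.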

Read More:
Hackers ransoming encryption keys from website owners

Tidal waves of spoofed traffic: DDoS attacks

While massive retail breaches dominated headlines in 2014, with hacks involving state-sponsored threats coming in a strong second, distributed denial-of-service (DDoS) attacks continued to increase, both in the volume of malicious traffic generated and the size of the organizations falling victim. Recently, both the Sony PlayStation and Xbox Live gaming networks were taken down by Lizard Squad, a hacking group which is adding to the threat landscape by offering for sale a DDoS tool to launch attacks. The Sony and Xbox takedowns proved that no matter how large the entity and network, they can be knocked offline. Even organizations with the proper resources in place to combat these attacks can fall victim.

But looking ahead, how large could these attacks become? According to the “Verisign Distributed Denial of Service Trends Report,” covering the third quarter of 2014, the media and entertainment industries were the most targeted during the quarter, and the average attack size was 40 percent larger than those in Q2. A majority of these insidious attacks target the application layer, something the industry should be prepared to see more of in 2015, says Matthew Prince, CEO of CloudFlare, a website performance firm that battled a massive DDoS attack on Spamhaus early last year.

Of all the types of DDoS attacks, there’s only one Prince describes as the “nastiest.” And, according to the “DNS Security Survey,” commissioned by security firm Cloudmark, more than 75 percent of companies in the U.S. and U.K. experienced at least one DNS attack. Which specific attack leads that category? You guessed it. “What is by far the most evil of the attacks we’ve seen…[are] the rise of massive-scale DNS reflection attacks,” Prince said.

By using someone else’s DNS infrastructure to attack a third party, these assaults put pressure on DNS resolver networks, which many websites depend on through their upstream internet service providers (ISPs). Believing these attacks are assaults on their own network, many ISPs block sites in order to protect themselves, thus achieving the attacker’s goal, Prince said. By doing so “we effectively balkanize the internet.” As a result, more and more of the resolvers themselves will be provided by large organizations, like Google, OpenDNS or others, says Prince.

Source: http://www.scmagazine.com/tidal-waves-of-spoofed-traffic-ddos-attacks/article/393059/
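Both the open-DNS-proxy home routers in the Nominum piece above and the reflection attacks Prince describes here rest on the same two properties: a resolver that answers recursive queries from anyone, and an answer larger than the query that can be aimed at a spoofed source. The script below is an added example serving both passages; it is not Nominum’s, Cloudmark’s or CloudFlare’s code. build_query, parse_header and build_fake_response are this example’s own helpers; build_fake_response makes a constructed reply so the logic runs offline, while probe_resolver sends a real UDP query and needs network access to the address you give it (probe only hosts you own).

```python
"""Probe a resolver: does it recurse for strangers, and by how much does it
amplify a query?

Added example covering the home-router/open-proxy passage and the
DNS-reflection passage above; it is not Nominum's, Cloudmark's or
CloudFlare's code. build_query/parse_header/build_fake_response are this
example's own helpers; build_fake_response makes a constructed reply so the
logic runs offline, while probe_resolver sends a real UDP query and needs
network access to the address you give it (probe only hosts you own).
"""
import random
import socket
import struct

QTYPE = {"A": 1, "TXT": 16, "ANY": 255}


def build_query(name, qtype="A", txid=None, rd=True):
    """Return (txid, wire bytes) for a standard query; RD=1 asks for recursion."""
    txid = random.randrange(65536) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, 0x0100 if rd else 0, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    return txid, header + qname + struct.pack("!HH", QTYPE[qtype], 1)


def parse_header(resp):
    """Decode the 12-byte DNS header into its flags and section counts."""
    if len(resp) < 12:
        raise ValueError("response shorter than a DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", resp[:12])
    return {
        "txid": txid,
        "qr": bool(flags & 0x8000), "aa": bool(flags & 0x0400),
        "tc": bool(flags & 0x0200), "rd": bool(flags & 0x0100),
        "ra": bool(flags & 0x0080), "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def is_open_resolver(query, resp):
    """True when a stranger's recursive query got a matching, successful, recursed answer."""
    h = parse_header(resp)
    return (h["txid"] == struct.unpack("!H", query[:2])[0]
            and h["qr"] and h["ra"] and h["rcode"] == 0 and h["ancount"] > 0)


def amplification_factor(query, resp):
    """Bytes sent to the (possibly spoofed) source per byte the attacker sent."""
    return len(resp) / len(query)


def build_fake_response(query, addresses, ra=True):
    """Constructed reply echoing the question with one A record per address (test data)."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180 if ra else 0x8100, 1, len(addresses), 0, 0)
    answers = b"".join(
        struct.pack("!HHHIH", 0xC00C, 1, 1, 300, 4) + socket.inet_aton(ip)  # name ptr, A, IN, TTL, rdlen
        for ip in addresses)
    return header + query[12:] + answers


def probe_resolver(ip, name="example.com", qtype="A", timeout=2.0):
    """Live UDP probe of ip:53; returns (is_open, amplification) or None on timeout."""
    _, q = build_query(name, qtype)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(q, (ip, 53))
        resp, _ = sock.recvfrom(4096)
    except socket.timeout:
        return None
    finally:
        sock.close()
    return is_open_resolver(q, resp), amplification_factor(q, resp)


if __name__ == "__main__":
    _, q = build_query("example.com", txid=0x1234)
    r = build_fake_response(q, ["192.0.2.1", "192.0.2.2", "192.0.2.3"])
    print("open:", is_open_resolver(q, r), "amplification: %.2fx" % amplification_factor(q, r))
```

Run probe_resolver against your own router’s WAN address from outside the home network: a reply with RA set and answers in it means anyone on the Internet can reflect through it, which is the “open DNS proxy” Nominum counts. The amplification figure is what makes reflection attractive; a three-address A answer already returns more than two and a half bytes per byte sent, and record types with large payloads (TXT, or ANY on servers that still honour it) return far more, which is why resolvers that recurse for strangers are worth so much to an attacker who can spoof the source address.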

Originally posted here:
Tidal waves of spoofed traffic: DDoS attacks