Monthly Archives: July 2015

DDoS Wars: The Network Strikes Back

It’s time your IT department rebelled against the cybercrime empire, says Srinivasan CR, VP of global product management, data centre services at Tata Communications.

Distributed Denial of Service (DDoS) attacks have been making a lot of headlines in the last year – particularly through the work of the Lizard Squad, the cyber criminals behind the attacks that caused major network outages for global corporations such as Microsoft, Sony and Malaysian Airlines. While only the severest attacks affecting some of the highest profile businesses might make the news, cyber criminals are launching new DDoS attacks on a daily basis. Large enterprises such as carriers and online retailers – who rely on the web to sell their products and services and to engage with their customers – are often under relentless bombardment. Furthermore, the financial and reputational implications of DDoS attacks are growing in significance. Companies face the threat not only of losses inflicted by operational downtime, but also of extortion through the more recent phenomenon of ‘ransom attacks’.

Attack of the Clones – Forming a Botnet Army

DDoS attacks rely on hijacked devices that cyber criminals add to their army and use to bombard a weakness in a network. Infected devices are turned into robots (bots), and the collection of bots, called a botnet, adds network traffic to the attack. This is akin to recruiting an army of clones that is then aimed at specific computers, ports or services on the target system, at entire networks, or at individual network and system components. The most common type of DDoS attack involves flooding the target with external communications requests. Eventually, the attack builds enough momentum to bring the network to a standstill, as it can no longer deal with the wave of requests. It is comparable to a global ticketing website crashing on the day Beyoncé tour tickets go on sale due to unmanageable traffic demand. Both scenarios can lead to significant financial losses and damage client and customer relationships, as mission critical systems and business operations grind to a halt.

One of the reasons DDoS protection is climbing higher up the IT agenda is that this form of cyber attack is growing in sophistication. By exploiting vulnerabilities in unprotected networks and a range of connected devices, including smartphones and tablets, DDoS attackers are able to grow their botnets at an alarming rate. This increases the scale and power of an attack and reduces the likelihood of an effective counter attack from the victim’s network. It also gives cyber criminals more control over the timing of an attack: staging a successful attack at a crucial time, when a business simply cannot afford for its networks to fall over, gives attackers far more leverage.

Furthermore, while DDoS attacks are not, strictly speaking, to be confused with hacking, which involves infiltrating a network rather than simply choking it into submission, the two can be combined to devastating effect. A successful DDoS attack can render the network operator powerless to protect their systems, making them more susceptible to a full-scale network breach. Consequently, there have recently been examples of companies effectively being held to ransom under the threat of a DDoS attack, in exchange for sums of bitcoin and other forms of extortion. Organisations such as carriers, online retailers and financial service platforms are heavily reliant on their global online presence to do their day-to-day business and remain profitable. Therefore, the threat of a powerful DDoS attack, particularly around a significantly busy trading period, gives cyber criminals additional leverage, which may persuade the target organisation to hand over significant sums to avoid being attacked.

A New Hope – Scrubbing the Network Clean

Given the nature of DDoS attacks, the best form of defence is attack. Rather than waiting for attacks to hit your network and relying on the ability of your security system to stand up to them, best practice is to anticipate them and deal with them in real time. This process is known as scrubbing. Designated scrubbing centres take care of the heavy lifting when it comes to mitigating and breaking up attacks. Scrubbing ensures the network layers act as the first line of defence: incoming traffic is monitored and cleansed in real time, clean traffic is then routed into the network, whereas traffic that is considered threatening is routed back to the source. This approach means that legitimate traffic always gets through, and malicious traffic is mitigated near its source rather than near the target network, so it does not choke bandwidth. For example, Tata Communications has 15 scrubbing centres across the globe. A team of skilled engineers monitors attacks close to the botnet and the DDoS heatmap. The attack is broken down into manageable chunks rather than tackled once it has gathered too much momentum.

Yet scrubbing should only be considered the first line of defence. IT managers also have monitoring proxy services, network and web application firewalls, VPN protection and the securing of virtual gateways to think about. Ideally, these should be delivered as part of a comprehensive managed security service. This can be achieved by delivering security services from the cloud, giving IT managers greater flexibility and choice in terms of the services and pricing models available to them. Providing security as a managed service with cloud-based solutions such as Distributed Denial of Service as a Service (DDoSaaS), Firewall as a Service (FwaaS), Virtual Private Network as a Service (VPNaaS) and Security Information and Event Management as a Service (SIEMaaS) has numerous benefits for businesses. As well as the peace of mind of knowing that all aspects of security are being proactively managed by a team of dedicated experts, a managed security service also gives IT managers a single point of contact for their security needs. This removes the administrative strain of multiple contracts, and the prospect of being passed around the houses when trying to solve a problem.

Keeping the Peace – Neutralising the DDoS Threat

DDoS attacks are becoming increasingly sophisticated and malicious, as cyber criminals hold businesses to ransom, threatening to bring corporate networks down for days or even weeks. Yet best practice to fight DDoS follows common security rules of thumb. As with any type of cyber threat, enterprises should expect to be hit by a DDoS attack, so preventative measures are key. Protecting the network is a living, breathing operation – you need to constantly seek out the next DDoS wave on the network and strike back before your business comes under attack.

Source: http://www.techweekeurope.co.uk/security/ddos-wars-network-strikes-back-171925

BOT-GEDDON coming after ZeusVM leak, hacker warns

Why pay $5k when you can pay $0?

Former Kaspersky Japan boss, now malware researcher, Hendrik Adrian is warning of a boom of ZeusVM botnets, after the trojan source code was leaked online.…

Here’s how the NSA spied on UN leaders and targeted DDoS attackers

XKeyscore runs on Linux-based servers across 150 field sites scattered across the globe.

No matter what you’ve done on the internet, you can bet the National Security Agency has a record of it. Newly released documents leaked by Edward Snowden shed light on the scale and scope of the XKeyscore program, described by one classified document as the “widest-reaching” system for gathering information from the internet. The new batch of documents details one of the most extensive programs in the US government’s global surveillance arsenal, more than two years after it was first revealed by The Guardian.

The program, which runs on hundreds of Red Hat Linux-based servers scattered around the globe (likely in US Embassy buildings), allows analysts to filter the vast amount of incidental data created when a user browses the web. Analysts can selectively pick out usernames and passwords, browser history, emails sent and received, social media data, and even locations, and detect whether or not a computer is vulnerable to certain kinds of malware or other threats. A single unique identifier, such as a username, password, email fragment, or even an image, can be used to trace a person’s online activities with extreme precision. One of the documents said the program was successful in capturing 300 terrorists based on intelligence it had collected.

Out of all the programs, XKeyscore may be the largest in scope, with some field sites sifting through more than 20 terabytes of data per day, according to The Intercept, collected from the various fiber cables around the world. The newly released trove of documents details the broad scope of access to personal information that NSA analysts have. Those include:

The NSA was able to acquire talking points UN Secretary General Ban Ki-moon wanted to bring up with US President Barack Obama through the Blarney program, which feeds the XKeyscore program. (Blarney is thought to be a program that taps fiber optic cables at core internet choke points around the US and the world.)

When a group of people overload a server or network with a flood of network traffic (causing a “distributed denial-of-service” or DDoS attack), the users involved can be identified using XKeyscore. One document boasts of how “criminals” can be found through the program.

NSA analysts can plug in queries such as “show me all the exploitable machines in [whichever] country” and have returned to them a list of computers and devices that are vulnerable to the hacking exploits of the NSA’s elite intrusion unit, known as Tailored Access Operations (TAO). That also extends to “find all iPhones in Nigeria,” or “find Germans living in Pakistan.”

[Image: one of the documents showing how NSA analysts can use XKeyscore]

Oversight of the program is limited at best. The system is littered with reminders not to breach human rights laws or the minimization procedures designed to prevent Americans’ data from being used by the program. Yet not everything is audited. System administrators often log in to the program under one username, “oper,” which is shared across multiple people and divisions, making any actions carried out under that name almost impossible to track.

XKeyscore can search other databases, like Nucleon, which “intercepts telephone calls and routes the spoken words” to a database. (So yes, the US government is listening to some people’s phone calls.) One newly released document showed that more than 8,000 people are ensnared by the program, with more than half a million voice files recorded each day.

An al-Qaeda operative is said to have searched Google for his own name, among other aliases, which was picked up by the XKeyscore program, another document shows.

The program is able to snoop inside documents attached to emails, one document says. That supposedly can help determine who authored a Word or PowerPoint document.

NSA has its own internal online newspaper, a document shows, which the agency dubs the “NSA Daily.” It’s a top secret publication, which only agents belonging to UK, US, Australian, Canadian, and New Zealand intelligence agencies can access.

The NSA said in a statement (portions of which had been used in previous statements) that its foreign intelligence operations are “authorized by law” and are “subject to multiple layers of stringent internal and external oversight.”

Source: http://www.zdnet.com/article/nsa-xkeyscore-spy-united-nations-target-denial-service-more/

DDoSers call 1988 and want its routing protocol hacked

500 routers whip up colossal DDOS over ye olde RIP protocol

Attackers are exploiting an ancient networking protocol to enslave small home and office routers in distributed denial of service attacks, Akamai says.…

‘Zombie’ network protocols become DDoS threats

Attackers won’t let RIPv1 rest in peace.

Attackers continue to search for obsolete protocols that are no longer used but still running on networked computer systems, in order to abuse them as denial of service amplifiers. Content delivery network firm Akamai’s PLXsert security team discovered that the Routing Information Protocol version 1 (RIPv1), introduced in 1988, was used in a denial of service attack against its customers in May this year.

RIPv1 was designed for small networks in the early internet era. It broadcasts lists of routes and updates to devices listening for RIPv1 information. A small, 24-byte RIPv1 request with a forged source IP address can result in multiple 504-byte response payloads, creating a large amount of unsolicited traffic directed towards victims’ networks and flooding them. Attackers were in particular looking for routers that hold large numbers of routes in the RIPv1 database, so as to maximise the traffic volumes and the damage done to target networks.

Internet luminaries disagree, however, as to how much of a threat RIPv1 represents. APNIC chief scientist Geoff Huston told iTnews that RIPv1 is late 80s technology that routes the now abandoned Class A/B/C network address structure. “I find it hard to think that RIPv1 is connected to the global internet and that there are enough of them out there to constitute a real threat,” Huston said. Finding even one site in 2015 that is running RIPv1 is “like discovering a Ford Model T on the streets still in working order,” Huston said.

Director of architecture for internet performance company Dyn, Joe Abley, pointed out that the problem is not that operators use RIPv1 for routing, it’s that administrators leave RIPv1 turned on. The protocol has been unsuitable for the past two decades because it doesn’t work with classless inter-domain routing. “Just because you no longer have any use for a protocol doesn’t mean you always remember to turn it off,” he told iTnews.

“What is happening is that ancient systems that have been hidden in dark corners for decades are suddenly jumping out into the sunlight and running amok because someone realised they could provoke them into bad behaviour, from a distance.”

He said there are end-systems connected to the internet that support the ancient routing protocol and have it turned on by default. Old Sun Microsystems Solaris servers are examples of such systems that are now being abused as packet amplifiers in denial of service attacks. RIPv1 does not use authentication, leaving it wide open to anyone on the internet to connect to.

The attack is not fundamentally different from reflection attacks using the domain name system, chargen, the simple network management protocol, or any one of a variety of UDP-based protocols, Abley said. “This attack is not new and special really, although the fact that it uses RIP certainly brings a roguish twinkle to this aged network administrator’s eye,” he said.

It can, however, cause large traffic floods. “Akamai’s Prolexic team have seen attacks that delivered over 10 gigabit per second of traffic towards a single victim,” Abley said. “I wouldn’t categorise that as ‘not really a problem’, especially if I was the one on the receiving end.”

Abley said that, as with most amplification attacks, “poking the bear from a great distance relies upon being able to fake the source address of the stick.” There would be fewer opportunities for this to happen if network operators followed the advice in Internet Engineering Task Force best current practice documents such as BCP38, which details network ingress filtering, and similar texts to protect their networks.

Source: http://www.itnews.com.au/News/406090,zombie-network-protocols-become-ddos-threats.aspx#ixzz3eqpq5n9E
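The amplification arithmetic described above (a 24-byte request answered by one or more 504-byte responses) and the traffic pattern a defender would look for are spelled out in the following added example. It is not code from Akamai, PLXsert or the article: the 24-byte and 504-byte figures are the ones the article gives, while the flow-record layout, the addresses (RFC 5737 documentation ranges) and the alert thresholds are constructed assumptions.

```python
"""RIPv1 reflection: amplification arithmetic and a flow-record detector.

Added example, not code from Akamai, PLXsert or the article. The 24-byte
request and 504-byte response sizes are the figures given in the article;
the flow-record layout, addresses and thresholds are constructed assumptions.
"""
from collections import defaultdict

RIP_PORT = 520              # RIPv1 listens and replies on UDP/520
RIP_REQUEST_BYTES = 24      # minimal RIPv1 request payload (article figure)
RIP_RESPONSE_BYTES = 504    # full response: 4-byte header + 25 route entries of 20 bytes (article figure)


def amplification_factor(responses_per_request, request_bytes=RIP_REQUEST_BYTES,
                         response_bytes=RIP_RESPONSE_BYTES):
    """Bandwidth amplification: bytes arriving at the victim per byte the
    attacker had to send. A router holding many routes answers one request
    with several 504-byte messages, which is why large RIP tables matter."""
    return responses_per_request * response_bytes / request_bytes


# Constructed flow records: (proto, src_ip, src_port, dst_ip, dst_port, packets, bytes)
CONSTRUCTED_FLOWS = [
    ("udp", "198.51.100.10", 520, "203.0.113.5", 520, 400, 201600),   # five unrelated RIP speakers
    ("udp", "198.51.100.11", 520, "203.0.113.5", 520, 380, 191520),   # all answering toward one host
    ("udp", "198.51.100.12", 520, "203.0.113.5", 520, 420, 211680),   # they never peer with: the
    ("udp", "198.51.100.13", 520, "203.0.113.5", 520, 390, 196560),   # spoofed victim
    ("udp", "198.51.100.14", 520, "203.0.113.5", 520, 410, 206640),
    ("udp", "192.0.2.9", 53, "203.0.113.5", 41022, 2, 300),           # ordinary DNS reply, ignored
    ("udp", "198.51.100.10", 520, "198.51.100.1", 520, 6, 3024),      # real RIP exchange between neighbours
]


def detect_rip_reflection(flows, min_reflectors=3, min_bytes=500_000):
    """Flag destinations receiving full-size RIPv1 responses from many distinct
    port-520 sources. A genuine router exchanges RIP with a handful of
    neighbours; dozens of unrelated routers all replying to one host is the
    signature of a reflection flood with that host's address spoofed."""
    by_victim = defaultdict(lambda: {"reflectors": set(), "packets": 0, "bytes": 0})
    for proto, src_ip, src_port, dst_ip, _dst_port, packets, nbytes in flows:
        if proto != "udp" or src_port != RIP_PORT or packets == 0:
            continue
        # Keep responses, not requests: a full RIPv1 response is 504 bytes; allow
        # some slack for routers whose last message carries fewer than 25 entries.
        if nbytes / packets < 0.9 * RIP_RESPONSE_BYTES:
            continue
        entry = by_victim[dst_ip]
        entry["reflectors"].add(src_ip)
        entry["packets"] += packets
        entry["bytes"] += nbytes
    alerts = []
    for victim, entry in sorted(by_victim.items()):
        if len(entry["reflectors"]) >= min_reflectors and entry["bytes"] >= min_bytes:
            alerts.append({
                "victim": victim,
                "reflectors": sorted(entry["reflectors"]),
                "packets": entry["packets"],
                "bytes": entry["bytes"],
                # Upper bound on what the attacker spent: one 24-byte request per
                # reflected packet (fewer if one request drew several responses).
                "max_spoofed_bytes": entry["packets"] * RIP_REQUEST_BYTES,
            })
    return alerts


if __name__ == "__main__":
    print(f"one request, one response: {amplification_factor(1):.0f}x")
    print(f"one request, five responses: {amplification_factor(5):.0f}x")
    for alert in detect_rip_reflection(CONSTRUCTED_FLOWS):
        print(f"{alert['victim']}: {alert['bytes']} bytes from {len(alert['reflectors'])} reflectors, "
              f"attacker sent at most {alert['max_spoofed_bytes']} bytes")
```

The detector keys on the response side of the exchange (UDP source port 520, packets near 504 bytes) rather than on the destination port, because a RIPv1 response goes back to whatever source port the forged request carried; the packet-size check is what separates responses from the small requests. Against the constructed flows it reports one victim receiving just over a megabyte from five reflectors, for which the attacker needed at most 48 kB of spoofed requests, matching the 21x figure from the two article numbers.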

Anonymous DDoS UAE banking websites

Several UAE banks were hit by a co-ordinated cyber attack, known in the trade as a distributed-denial-of-service (DDoS) attack, on Tuesday, crippling e-banking operations and websites, and leaving the unnamed institutions fearing further assaults, Arabian Business’ sister website ITP.net has reported.

German systems integrator Help AG, which played a central role in the clean-up for one of the victims, told the website that the DDoS attack, which has been linked to cyber group Anonymous, happened on the last day of the month as the attackers sought to wreak maximum disruption during the banks’ busiest period. Help AG cited “sources in the market” who report “widespread” incidents in the UAE financial sector.

A DDoS attack uses tens, sometimes hundreds, of thousands of computers to synchronise a bombardment of packet traffic on a server. In the absence of sophisticated mitigation solutions, servers can be brought down and services brought to a halt.

“Picking the last day of a month is a very wise choice from the attackers, as it is a widely known fact that the last three days of a calendar month are the busiest ones in the financial industry, as a lot of money is changing hands in the form of salaries, mortgage and loan payments,” Nicolai Solling, director of technology services, Help AG, told ITP.net by email.

Help AG’s systems identified hundreds of thousands of packets per second sustained for a number of hours against one UAE-based financial services institution. The attacks, the company said, were “not sophisticated in form”, but “followed very much the usual pattern of Anonymous, meaning application-level depletion attempts”. “Typically this is in the form of ‘get’ requests on the Web layer, which then tries to exhaust the Web servers, unfortunately something that often is too easy to achieve,” Solling explained.

Anonymous is a global movement with no clear leadership, although it has spawned specific cyber groups such as LulzSec that perform co-ordinated campaigns on high-profile targets. This week’s attack was part of what the group calls #OpArabia. At the time of writing, the group listed several targets in Saudi Arabia, Egypt and the UAE on justpaste.it. Help AG did not disclose the identity of any victims, but the National Bank of Abu Dhabi (NBAD) was featured prominently on the list. “Help AG has for a period been aware of a number of threats on the region posed from Anonymous,” Solling said.

Source: https://en-maktoob.news.yahoo.com/anonymous-cyber-hackers-hit-uae-banking-websites-112413582.html
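The "application-level depletion" Solling describes, a high rate of GET requests aimed at exhausting web servers, leaves a simple trace in the web server's own access log: one client issuing far more requests per window than a browsing user ever would. The following added example (not Help AG's tooling or anything from the article) shows a sliding-window rate detector over access-log lines. It assumes Apache/nginx-style combined-format lines arriving in time order; the window size, the per-client threshold and the sample log lines are constructed.

```python
"""Sliding-window detector for application-layer GET floods over web access logs.

Added example, not Help AG's tooling or anything from the article. Assumes
Apache/nginx-style combined log lines in time order; the window size, the
per-client threshold and the log lines themselves are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Return the fields a rate detector needs, or None for lines that do not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def find_get_flooders(lines, window_seconds=10, max_requests=20):
    """Count GET requests per client inside a sliding time window and report
    clients that exceed max_requests within any window. Returns a dict mapping
    client IP to the peak number of GETs seen inside one window."""
    recent = defaultdict(deque)      # client IP -> timestamps still inside the window
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "GET":
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while (rec["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()               # expire requests older than the window
        if len(q) > max_requests:
            flagged[rec["ip"]] = max(flagged.get(rec["ip"], 0), len(q))
    return flagged


def make_line(ip, second, path="/login", method="GET"):
    """Build one constructed access-log line (documentation addresses, fixed date)."""
    return f'{ip} - - [01/Jul/2015:10:00:{second:02d} +0400] "{method} {path} HTTP/1.1" 200 512'


# Constructed log: one client fires three GETs every second for ten seconds,
# a second client browses normally, and one line is deliberately unparsable.
CONSTRUCTED_LOG = []
for _second in range(10):
    CONSTRUCTED_LOG.extend(make_line("198.51.100.77", _second) for _ in range(3))
    if _second % 2 == 0:
        CONSTRUCTED_LOG.append(make_line("203.0.113.4", _second, "/accounts"))
CONSTRUCTED_LOG.append(make_line("198.51.100.77", 9, "/login", method="POST"))   # not counted
CONSTRUCTED_LOG.append("this line is not an access-log record")


if __name__ == "__main__":
    for ip, peak in find_get_flooders(CONSTRUCTED_LOG).items():
        print(f"{ip}: {peak} GETs within one 10 s window")
```

A per-client counter like this is only a first signal: a flood spread across many bots stays under any single-client threshold, which is why the scrubbing and upstream mitigation discussed elsewhere on this page complement host-level detection rather than replace it. The threshold here is deliberately low for a short constructed log; on a real site it would be tuned against normal traffic so that ordinary users and crawlers are not flagged.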

Rise in DDoS reflection attacks using abandoned routing protocol

There's been an increase in the use of outdated Routing Information Protocol version one (RIPv1) for reflection and amplification attacks, according to Akamai. RIPv1 is a fast, easy way to dynamica…

Anonymous celebrates Canada Day with DDoS attacks

For Canadians, July 1 is Canada Day—but to Anonymous, it’s also the perfect occasion to launch a protest campaign of distributed denial of service (DDoS) attacks. The internet activist group announced on Wednesday morning that it had planned #AntiCanadaDay protests in support of its #OpCyberPrivacy campaign, created in opposition to Canada’s controversial, recently-passed anti-terror legislation, Bill C-51. The bill grants the Canadian Security Intelligence Service (CSIS) broad powers—with judicial authorization—to do just about anything to “disrupt” and investigate terrorist plots and propaganda, both online and offline.

“We protest against the systemic invasion of privacy by government and corperate [sic] entities around the world,” the announcement reads. “We stand ardent in our defiance to all those who would take away our rights and freedoms.”

A full list of targets, posted shortly before the #AntiCanadaDay attacks began, lists the websites of Liberal party leader Justin Trudeau, Minister of Justice Peter MacKay, the Canadian Security Intelligence Service (CSIS), and the Canadian Senate as “main targets.” A host of other lobbyist groups and senators who voted in favour of Bill C-51 are listed as targets too. “All Canadian government web assests [sic] are fair game,” read the statement. “Lazors free on all federal, provincial and municpal [sic] services.”

Shortly after noon, accounts on Twitter associated with the campaign reported that multiple government of Canada websites had been taken offline. When Motherboard attempted to access sites such as Canada.ca and sencanada.ca, for example, pages either loaded slowly, displayed an error, or did not load at all. “Remember hold nothing down for protracted lengths,” said an operation admin in the group’s chat room. “This is after all just a protest.”

In a separate chat room interview, members told VICE News reporter Hilary Beaumont that eight people belong to the core #OpCyberPrivacy team. “We all expect blowback for today,” wrote one of the users, but said that it was worth the risk. “This bill violates the charter of rights and freedoms, universal declaration of human rights,” a user said, citing the threat of more invasive spying offline, and the potential to be arrested without a warrant and held without charge. “They make the rules up as they go,” wrote another member. “So if I’m a perfectly law abiding citizen who is impacted greatly by something and I protest I can be arrested [because] criticizing that is terrorism.”

By early afternoon, focus had shifted to sites such as the Canadian parliament domain parl.gc.ca, and Conservative party Prime Minister Stephen Harper’s domain pm.gc.ca. The admin said the government was “putting up a good fight.” “They are adding load balancers, moving servers, closing off access,” wrote another user. “Some of the pages up [at the moment] are only cached versions.” The protest is expected to continue until midnight.

Source: http://motherboard.vice.com/read/anonymous-is-celebrating-canada-day-in-protest-with-attacks-on-government-sites?utm_source=mbtwitter

DDoS Attackers Exploiting ’80s-Era Routing Protocol

Latest wave of DDoS attacks abuses small office/home office routers via the 27-year-old, outdated Routing Information Protocol Version 1 (RIPv1).

An outdated and long-forgotten routing protocol is the latest weapon in a wave of distributed denial of service (DDoS) attacks executed via home and small business routers in the past two months. Akamai Technologies’ Prolexic Security Engineering & Research Team (PLXsert) today issued a threat advisory warning of a surge in DDoS attacks using the Routing Information Protocol version one (RIPv1) to wage DDoS reflection and amplification attacks.

The 27-year-old routing protocol, which allows routers in a small network to share route information, has since been superseded by a newer, more secure version, but the older version 1 remains in use in many small office/home office router models. While some 2,000 SOHO routers so far have been used in this new attack campaign, Akamai also found around 53,000 routers with RIPv1 enabled and vulnerable to the very same attack, mostly Motorola Netopia 2000 and 3000 series devices in the US. The main ISP running those RIPv1-enabled routers was AT&T.

The biggest attack spotted so far: around 12 gigabits per second. “That was just using a limited number of resources [routers],” says Jose Arteaga, senior security researcher with Akamai PLXsert. “We found a good number of devices available with this protocol open. Our concern there is if malicious actors continue to scan or incorporate more devices in this attack, attacks can grow to be quite large. They could reach 100-gig or more.”

Arteaga says there’s been no specific industry targeted in the attacks at this time; the attacks are originating mostly out of Europe and are most likely a DDoS-for-hire operation, he says. The main sources include the Russian Federation (39%), China (19%), and 15% in Germany and Italy.

Unlike its successor RIPv2, RIPv1 doesn’t have an authentication feature, so routers communicating via RIPv1 aren’t vetted and authenticated, leaving them open to abuse. This isn’t the first time RIPv1 has been abused for a DDoS attack. The PLXsert team spotted similar attacks nearly two years ago, but those attacks basically exploited it for a query flood, not a reflection attack, in which traffic is redirected from an “innocent” device to a target on the network, Arteaga says.

RIPv1 Not Resting In Peace

The good news is that RIPv1 is not enabled by default on enterprise-grade routers. So why is it left open on some SOHO routers? “Could be an ISP enabling it for some reason or another, but it shouldn’t be” available, he says. It also may be useful in a very small business network, he says, but that comes with the risk of abuse by malicious actors.

The common denominator in most of today’s DDoS attacks is the use of the UDP protocol. More than 56% of all DDoS attacks abuse UDP, according to DDoS security vendor Incapsula. Of those, 8% use a protocol popular among Internet of Things devices, SSDP (Simple Service Discovery Protocol), found in gaming consoles and printers, for example. “A common theme with these attacks is they are obviously taking advantage of UDP … there is no way [for a victim router] to refuse that request” because it’s a connectionless protocol, Akamai’s Arteaga says.

It’s up to the ISPs offering these devices to block UDP port 520, which then would prevent any reflection attacks, he says. And small businesses should use the more secure RIPv2 instead of version 1.

Bottom line: DDoS isn’t going away, and attackers are constantly looking for new ways to abuse equipment on the Internet as weapons to attack their targets. “It has constantly increased in activity,” says David Fernandez, manager of the PLXsert team. “DDoS has not gone away.”

Source: http://www.darkreading.com/perimeter/ddos-attackers-exploiting-80s-era-routing-protocol/d/d-id/1321138
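Two network-edge controls appear on this page: blocking UDP port 520 at the ISP edge, as Arteaga recommends above, and the BCP38 ingress filtering Abley cites in the iTnews piece, which stops a network from emitting packets with source addresses it does not own. The added example below simulates both rules as an edge-router policy over constructed packets; it is not code from Akamai, the article or any router vendor, and the customer prefix, addresses (RFC 5737 documentation ranges) and packet format are assumptions made for the simulation.

```python
"""Edge-router policy simulation: BCP38 ingress filtering plus an inbound UDP/520 block.

Added example, not Akamai's, the article's or any vendor's code. The customer
prefix, the addresses and the Packet layout are constructed assumptions.
"""
import ipaddress
from typing import NamedTuple

RIP_PORT = 520   # RIPv1 request/response port (UDP)


class Packet(NamedTuple):
    arrived_from: str   # "customer": leaving the customer network; "internet": entering it
    proto: str          # "udp" or "tcp"
    src: str
    sport: int
    dst: str
    dport: int


# Constructed: the address block this edge router's customer is entitled to originate from.
CUSTOMER_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]


def bcp38_ingress_filter(pkt: Packet, prefixes=CUSTOMER_PREFIXES) -> bool:
    """BCP38: on the customer-facing interface, permit only packets whose source
    address lies inside the customer's own prefixes. A spoofed source is dropped
    at the network that originated it, before it can ever reach a reflector."""
    if pkt.arrived_from != "customer":
        return True                       # this rule only covers traffic the customer originates
    src = ipaddress.ip_address(pkt.src)
    return any(src in net for net in prefixes)


def rip_port_filter(pkt: Packet) -> bool:
    """Drop UDP traffic addressed to port 520 that enters from the internet, so
    internet-originated RIPv1 requests cannot draw responses from SOHO routers.
    TCP/520 and outbound traffic are untouched: the rule is scoped to what the
    reflection actually uses."""
    return not (pkt.arrived_from == "internet" and pkt.proto == "udp" and pkt.dport == RIP_PORT)


def apply_edge_policy(pkt: Packet) -> str:
    """Evaluate both rules in order and return a decision string suitable for logging."""
    if not bcp38_ingress_filter(pkt):
        return "drop: source address outside customer prefixes (BCP38)"
    if not rip_port_filter(pkt):
        return "drop: inbound UDP/520 blocked at ISP edge"
    return "permit"


# Constructed packets (RFC 5737 documentation addresses), not captured traffic.
SAMPLE_PACKETS = [
    Packet("customer", "udp", "203.0.113.7", 40001, "192.0.2.53", 53),     # legitimate DNS query
    Packet("customer", "udp", "198.51.100.5", 520, "192.0.2.20", 520),     # source address is not ours
    Packet("internet", "udp", "198.51.100.5", 520, "203.0.113.20", 520),   # RIPv1 request aimed at a SOHO router
    Packet("internet", "udp", "192.0.2.53", 53, "203.0.113.7", 40001),     # DNS reply to the query above
    Packet("internet", "tcp", "192.0.2.9", 51000, "203.0.113.7", 520),     # TCP/520 is not RIP
]


def evaluate(packets=SAMPLE_PACKETS):
    """Run every sample packet through the policy and return the decisions in order."""
    return [apply_edge_policy(p) for p in packets]


if __name__ == "__main__":
    for pkt, decision in zip(SAMPLE_PACKETS, evaluate()):
        print(f"{pkt.proto.upper()} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} "
              f"[{pkt.arrived_from}] {decision}")
```

The two rules protect different parties: BCP38 on the customer side keeps this network from being the origin of spoofed requests to someone else's reflectors, while the inbound UDP/520 block keeps the customer's RIPv1-speaking routers from being used as reflectors against a third party. Neither rule touches the ordinary DNS exchange or TCP traffic to port 520, which is the precision a real access list should also have.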
