Category Archives: DDoS Criminals

Businesses receive another warning over the threat of DDoS attacks

We have all heard the stories of businesses which have suffered debilitating DDoS attacks and, in some cases, succumbed altogether. Take Code Spaces, the web-based SVN and Git hosting provider, which suffered such an attack in June 2014 that it was forced to wave the white flag and cease trading because recovering all the lost data would have cost too much.

Now, a new piece of research from A10 Networks argues businesses face ‘sudden death’ from DDoS if caught unawares. Companies were hit by an average of 15 DDoS attacks per year, according to the survey of 120 IT decision makers, with larger organisations more badly affected. One in three (33%) respondents said they had encountered DDoS attacks of more than 40 Gbps, while one in five had suffered downtimes of more than 36 hours due to an attack. The average attack among those polled lasted 17 hours. More than half (54%) of respondents said they would increase their DDoS budgets in the coming six months, while multi-vector attacks were seen by the majority of those polled (77%) as the most dangerous form of DDoS threat in the future.

“DDoS attacks are called ‘sudden death’ for good reason. If left unaddressed, the costs will include business, time to service restoration and a decline in customer satisfaction,” said A10 Networks CTO Raj Jalan. He added: “The good news is our findings show that security teams are making DDoS prevention a top priority. With a better threat prevention system, they can turn an urgent business threat into an FYI-level notification.”

Previous research has examined the growing sophistication of DDoS threats. In April, Neustar argued that such DDoS issues were “unrelenting”, with more than seven in 10 global brands polled having been subject to an attack.

Source: http://www.appstechnews.com/news/2016/jun/16/businesses-receive-another-warning-over-threat-ddos-attacks/

Flaw in Juniper’s JunOS router software could cause DDoS flood

Juniper has disclosed that a problem with the Junos router OS could enable DDoS attacks.

Juniper has admitted that a vulnerability in IPv6 processing on its Junos router OS could allow malicious packets to be sent to networks, resulting in a DDoS attack on infrastructure. In an advisory, the firm said the flaw could enable a specially crafted “IPv6 Neighbor Discovery” (ND) packet to be accepted by the router rather than discarded.

“The crafted packet, destined to the router, will then be processed by the routing engine (RE). A malicious network-based packet flood, sourced from beyond the local broadcast domain, can cause the RE CPU to spike, or cause the DDoS protection ARP protocol group policer to engage. When this happens, the DDoS policer may start dropping legitimate IPv6 neighbors as legitimate ND times out,” the firm said.

The firm added that this is similar to the router’s response to any purposeful malicious IPv6 ND flood destined to the router. “The difference is that the crafted packet identified in the vulnerability is such that the forwarding controllers/ASICs should disallow this traffic from reaching the RE for further processing,” according to the advisory. It said that following investigations, only its MX, PTX, and QFX products have been confirmed to experience this behaviour.

Juniper added that no fix was available at the time of writing, and neither was a complete workaround. “Security best current practices (BCPs) of filtering all ND traffic at the edge, destined to network infrastructure equipment, should be employed to limit the malicious attack surface of the vulnerability,” the firm advised.

Rich Barger, chief intelligence officer at ThreatConnect, told SCMagazineUK.com that organisations should look to either filter the protocol or packet (if possible). “It looks as if Juniper has included edge firewall rules that can block the neighbour discovery packets as a means to buffer any vulnerable devices,” he said.

Richard Cassidy, technical director EMEA at Alert Logic, said that this flaw represents a serious issue for organisations that run “Dual Stack” networking with IPv6 and IPv4. He told SC that the issue was “essentially a DDoS attack, through a specially crafted IPv6 ND packet, that can be targeted at JunOS routers from remote attackers. It is fairly simple to identify router OS versions through scanning techniques, which of course leaves most organisations at risk at some level, given the prevalence of Juniper in networking infrastructures globally.”

Alex Cruz Farmer, VP of cloud at Nsfocus, told SC that almost every network around the world is considering or planning IPv6 if they have not already. “With this in mind, it’s crucial that the protection is implemented now, to avoid this security hole being exploited in future.”

Source: http://www.scmagazineuk.com/flaw-in-junipers-junos-router-software-could-cause-ddos-flood/article/501681/
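
As an added example of the edge-filtering practice the advisory recommends (this is not Juniper code or a Junos configuration), the Python below decides whether an ND packet addressed to a router may reach the routing engine. It relies on two RFC 4861 properties of on-link ND, a hop limit of 255 and a source on the local link, assumes no IPv6 extension headers, and uses constructed router addresses, prefixes and packets.

```python
"""Edge-filter check for IPv6 Neighbor Discovery (ND) aimed at a router.

Added example, not Juniper code or a Junos configuration. It encodes the best
current practice the advisory recommends: ND destined to infrastructure is
accepted only from the local link. RFC 4861 requires on-link ND to carry hop
limit 255 (a forwarded packet cannot) and a source that is link-local,
unspecified or on a prefix of the receiving interface. Assumes no IPv6
extension headers; addresses and packets are constructed samples.
"""
import ipaddress
import struct

ICMPV6 = 58
ND_TYPES = {133, 134, 135, 136, 137}  # RS, RA, NS, NA, Redirect
# Constructed: the router's own addresses and the prefix of the local link.
ROUTER_ADDRS = {ipaddress.IPv6Address("2001:db8::1"), ipaddress.IPv6Address("fe80::1")}
ONLINK_PREFIXES = [ipaddress.IPv6Network("2001:db8::/64")]


def parse_ipv6(pkt: bytes) -> dict:
    """Parse the fixed 40-byte IPv6 header and the ICMPv6 type byte, if present."""
    if len(pkt) < 40:
        raise ValueError("truncated IPv6 header")
    vtf, _plen, next_header, hop_limit = struct.unpack("!IHBB", pkt[:8])
    if vtf >> 28 != 6:
        raise ValueError("not an IPv6 packet")
    icmp_type = pkt[40] if next_header == ICMPV6 and len(pkt) > 40 else None
    return {"src": ipaddress.IPv6Address(pkt[8:24]), "dst": ipaddress.IPv6Address(pkt[24:40]),
            "hop_limit": hop_limit, "icmp_type": icmp_type}


def nd_filter_verdict(pkt: bytes, router_addrs=ROUTER_ADDRS, onlink=ONLINK_PREFIXES) -> str:
    """'accept' for non-ND traffic and valid on-link ND; otherwise a discard reason."""
    h = parse_ipv6(pkt)
    if h["icmp_type"] not in ND_TYPES:
        return "accept"  # not ND: outside the scope of this filter
    if not (h["dst"] in router_addrs or h["dst"].is_multicast):
        return "accept"  # not addressed to this router or its link
    if h["hop_limit"] != 255:
        return "discard-bad-hop-limit"  # decremented in transit, or crafted
    src = h["src"]
    if src.is_link_local or src.is_unspecified or any(src in p for p in onlink):
        return "accept"
    return "discard-offlink-source"  # ND must originate on the local link


def build_icmpv6(src: str, dst: str, icmp_type: int, hop_limit: int) -> bytes:
    """Construct a minimal IPv6 + ICMPv6 packet for testing (checksum left zero)."""
    icmp = bytes([icmp_type, 0, 0, 0]) + b"\x00" * 20  # type, code, checksum, 20-byte body
    hdr = struct.pack("!IHBB", 6 << 28, len(icmp), ICMPV6, hop_limit)
    return hdr + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + icmp


def run_samples() -> dict:
    """Constructed packets: two valid neighbor solicitations and three the filter must sort."""
    samples = {
        # on-link NS to a solicited-node multicast group: valid
        "onlink_ns": build_icmpv6("fe80::abcd", "ff02::1:ff00:1", 135, 255),
        # NS from a global address on the local prefix: also valid per RFC 4861
        "onlink_global_ns": build_icmpv6("2001:db8::77", "2001:db8::1", 135, 255),
        # NS to the router's global address from a remote prefix: off-link ND
        "remote_ns": build_icmpv6("2001:db8:1::5", "2001:db8::1", 135, 255),
        # link-local source but hop limit decremented: must have been forwarded
        "forwarded_ns": build_icmpv6("fe80::abcd", "2001:db8::1", 135, 64),
        # ICMPv6 echo request from a remote host: not ND, left to other policy
        "remote_echo": build_icmpv6("2001:db8:9::9", "2001:db8::1", 128, 60),
    }
    return {name: nd_filter_verdict(pkt) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:17s} -> {verdict}")
```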

Retail, gaming industries hardest hit with web application and DDoS attacks

Akamai published the Q1 2016 State of the Internet – Security Report, which provides a detailed view of the global cloud security threat landscape and in-depth analysis of and insight into malicious activity. Multi-vector attacks accounted for 59% of DDoS activity in Q1 2016, reflecting a slight increase compared with last quarter (56%). During Q1, Akamai mitigated more than 4,500 DDoS attacks, a 125 percent increase compared with Q1 2015. As in recent quarters, the vast …

Massive DDoS attacks reach record levels as botnets make them cheaper to launch

Nineteen attacks that exceeded 100 Gbps were recorded during the first three months of 2016.

There were 19 distributed denial-of-service (DDoS) attacks that exceeded 100 Gbps during the first three months of the year, almost four times more than in the previous quarter. Even more concerning is that these mega attacks, which few companies can withstand on their own, were launched using so-called booter or stresser botnets that are common and cheap to rent. This means that more criminals can now afford to launch such crippling attacks.

“In the past, very few attacks generated with booter/stresser tools exceeded the 100 Gbps mark,” researchers from Akamai said in the company’s State of the Internet security report for the first quarter of 2016 that was released Tuesday. By comparison, only five DDoS attacks over 100 Gbps were recorded during the fourth quarter of 2015 and eight in the third quarter. Nineteen such attacks in a single quarter is a new high, with the previous record, 17, set in the third quarter of 2014.

But high bandwidth is not the only aspect of DDoS attacks that can cause problems for defenders. Even lower-bandwidth attacks can be dangerous if they have a high packet rate. A large number of packets per second poses a threat to routers because they dedicate RAM to process every single packet, regardless of its size. If a router serves multiple clients in addition to the target and exhausts its resources, that can cause collateral damage. According to Akamai, in the first quarter there were six DDoS attacks that exceeded 30 million packets per second (Mpps), and two attacks that peaked at over 50 Mpps.

DDoS reflection and amplification techniques continue to be used extensively. These involve abusing misconfigured servers on the Internet that respond to spoofed requests over various UDP-based protocols. Around one in four of all DDoS attacks seen during the first three months of 2016 contained UDP (User Datagram Protocol) fragments. This fragmentation can indicate the use of DDoS amplification techniques, which result in large payloads. The four next most common DDoS attack vectors were all protocols that are abused for DDoS reflection: DNS (18 percent), NTP (12 percent), CHARGEN (11 percent) and SSDP (7 percent).

Another worrying trend is that an increasing number of attacks now use two or more vectors at the same time. Almost 60 percent of all DDoS attacks observed during the first quarter were multivector attacks: 42 percent used two vectors and 17 percent used three or more. “The continued rise of multi-vector attacks suggests that attackers or their attack tools are growing more sophisticated,” the Akamai researchers said in their report. “This causes problems for security practitioners, since each attack vector requires unique mitigation controls.”

China, the U.S. and Turkey were the top three countries from where DDoS attack traffic originated, but this indicates where the largest number of compromised computers and misconfigured servers are located, not where the attackers are based. The most-hit industry was gaming, accounting for 55 percent of all attacks. It was followed by software and technology (25 percent), media and entertainment (5 percent), financial services (4 percent) and Internet and telecommunications (4 percent).

Being hit by one isn’t the only way DDoS attacks can affect businesses: they can also be blackmailed with the threat of one, an increasing trend over the past year. In some cases attackers don’t even have to deliver on their threats. Researchers from CloudFlare reported recently that an extortion group earned $100,000 without ever launching a single DDoS attack.

Source: http://www.itnews.com/article/3079988/massive-ddos-attacks-reach-record-levels-as-botnets-make-them-cheaper-to-launch.html

Anonymous DDoS and shutdown London Stock Exchange for two hours

Anonymous hacktivists take down the London Stock Exchange website for more than two hours as part of a protest against the world’s banks.

The online hacktivist group Anonymous reportedly shut down the London Stock Exchange (LSE) website last week for more than two hours as part of a protest against the world’s banks and financial institutions. According to the Mail on Sunday, the attack was carried out by the Philippines unit of Anonymous on June 2 at 9am. Previous targets have included the Bank of Greece, the Central Bank of the Dominican Republic and the Dutch Central Bank. The newspaper says: “Anonymous claims the incident was one of 67 successful attacks it has launched in the past month on the websites of major institutions, with targets including the Swiss National Bank, the Central Bank of Venezuela and the Federal Reserve Bank of San Francisco.”

A spokesperson for the LSE declined to comment on the incident; however, the attack most likely took the form of a distributed denial of service (DDoS) attack, meaning trading would not have been affected and no sensitive data would have been compromised. The group also claims that the attack on the LSE was the latest in a series that, in the 24 hours before the LSE site went down, also saw it target the websites of NYSE Euronext, the parent company of the New York Stock Exchange, and the Turkey Stock Exchange, as part of a campaign called Operation Icarus.

According to the newspaper, City of London Police said it was not informed that the LSE website had gone down and had no knowledge of the attack. However, the latest attack may not be a complete surprise. In a video posted to YouTube on May 4, a member of the amorphous group announced that “central bank sites across the world” would be attacked as part of a month-long Operation Icarus campaign. The video statement said: “We will not let the banks win, we will be attacking the banks with one of the most massive attacks ever seen in the history of Anonymous.”

By using a distributed-denial-of-service (DDoS) cyberattack, the group also successfully disrupted the Greek central bank’s website. In light of that event, a separate video was posted to YouTube on May 2. The masked individual representing the Anonymous group said: “Olympus will fall. How fitting that Icarus found his way back to Greece. Today, we have continuously taken down the website of the Bank of Greece. Today, Operation Icarus has moved into the next phase.” The Anonymous spokesperson added: “Like Icarus, the powers that be have flown too close to the sun, and the time has come to set the wings of their empire ablaze, and watch the system their power relies on come to a grinding halt and come crashing down around them. We must strike at the heart of their empire by once again throwing a wrench into the machine, but this time we face a much bigger target – the global financial system.”

Source: http://www.techworm.net/2016/06/anonymous-ddos-shutdown-london-stock-exchange-two-hours.html

Russia’s top 3 banks were target of world’s largest DDoS attack

Russia’s three largest banks – VTB, Sberbank and Bank of Moscow – came under a massive DDoS attack in the fall of 2015, a top manager at VTB has said, claiming the attackers demanded a bitcoin payment for stopping the attack.

A senior official from one of Russia’s largest banks has revealed that the lender became the target of the most extensive DDoS attack in the entire history of monitoring in the fall of 2015. “A certain group of perpetrators” carried out a series of “the strongest DDoS-attacks” against Sberbank, VTB and Bank of Moscow for several days, Dmitry Nazipov, senior vice president of VTB, told the Russian media on June 1.

According to him, the bank received a “fairly typical letter” in English at that time demanding a bitcoin payment in return for stopping the attacks. “Obviously, we did not agree to pay, but that attack was generally localized in three days, and was not repeated on such a scale thereafter,” said Nazipov. He pointed out that to solve the problem, VTB collaborated with police, telecom service providers and the Central Bank’s information security center, FinCert.

In September 2015, the deputy head of the Central Bank’s main security and information protection directorate, Artyom Sychev, said that the websites of five major Russian banks had been subjected to a DDoS attack. He did not disclose the names of the banks. Sychev said that after the end of the attacks, some of the banks attacked received letters from extortionists who demanded that 50 bitcoins (the average value of a bitcoin was around $230 in September 2015 – RBTH) be transferred to them for not repeating such attacks. He noted that the banks did not suffer damage as a result of the attack.

Earlier on June 1, the Federal Security Service and the Interior Ministry reported the detention of 50 suspects in a theft of 1.7 billion rubles ($25 million) from financial institutions. The police also said that they had prevented 2.2 billion rubles’ ($32.5 million) worth of possible damage. The law enforcement agencies turned to security software producer Kaspersky Lab for help in identifying the suspects. According to the company, the hackers stole 3 billion rubles ($44.5 million). Six Russian banks, including Metallinvestbank, the Russian International Bank, Metropol and Regnum, were victims of the hackers.

Source: https://rbth.com/business/2016/06/02/russias-top-3-banks-were-target-of-worlds-largest-ddos-attack_599743

Hacker imprisoned for stealing Bitcoin, selling botnet on Darkode

A Louisiana man was sentenced to 12 months and one day in prison for using a computer to steal money, hacking computers to obtain passwords, and attempting to sell information on the online hacking forum known as Darkode. Rory Stephen Guidry, aka k@exploit.im, was sentenced by US District Judge Dee D. Drell on one count of obtaining information by computer from a protected computer. He was also sentenced to three years of supervised release. According …

Darkode Bitcoin bot bandit gets year and a day in US cooler

Cops find 5000 stolen active credit cards at carder’s crib

Darkode bot bandit Rory Stephen Guidry has been sentenced to a year and a day in prison for selling a botnet containing 5000 enslaved machines, and stealing US$80,000 (£72,069, A$111,728) in Bitcoins and 5000 active credit cards.…

Major DNS provider hit by mysterious, focused DDoS attack

Attack on NS1 sends 50 million to 60 million lookup packets per second.

Unknown attackers have been directing an ever-changing army of bots in a distributed denial of service (DDoS) attack against NS1, a major DNS and traffic management provider, for over a week. While the company has essentially shunted off much of the attack traffic, NS1 experienced some interruptions in service early last week. And the attackers have also gone after partners of NS1, interrupting service to the company’s website and other services not tied to the DNS and traffic-management platform. While it’s clear that the attack is targeting NS1 in particular and not one of the company’s customers, there’s no indication of who is behind the attacks or why they are being carried out.

NS1 CEO Kris Beevers told Ars that the attacks were yet another escalation of a trend that has been plaguing DNS and content delivery network providers since February of this year. “This varies from the painful-but-boring DDoS attacks we’ve seen,” he said in a phone interview. “We’d seen reflection attacks [also known as DNS amplification attacks] increasing in volumes, as had a few content delivery networks we’ve talked to, some of whom are our customers.” In February and March, Beevers said, “we saw an alarming rise in the scale and frequency of these attacks—the norm was to get them in the sub-10 gigabit-per-second range, but we started to see five to six per week in the 20 gigabit range. We also started to see in our network—and other friends in the CDN space saw as well—a lot of probing activity,” attacks testing for weak spots in NS1’s infrastructure in different regions.

But the new attacks have been entirely different. The sources of the attacks shifted over the week, cycling between bots (likely running on compromised systems) in eastern Europe, Russia, China, and the United States. And the volume of the attacks increased to the 30Gbps to 50Gbps range. While the attacks rank in the “medium” range in total volume, and are not nearly as large as previous huge amplification attacks, they were tailored specifically to degrading the response of NS1’s DNS infrastructure. Rather than dumping raw data on NS1’s servers with amplification attacks—where an attacker sends spoofed DNS requests to open DNS servers that will result in large blocks of data being sent in the direction of the target—the attackers sent programmatically generated DNS lookup requests to NS1’s name servers, sometimes at rates of 50 million to 60 million packets per second. The packets looked superficially like genuine requests, but they were for resolution of host names that don’t actually exist on NS1’s customers’ networks.

NS1 has shunted off most of the attack traffic by performing upstream filtering of the traffic, using behavior-based rules that differentiate the attacker’s requests from actual DNS lookups. Beevers wouldn’t go into detail about how that was being done, out of concern that the attackers would adapt their methods to overcome the filtering.

But the attacks have also revealed a problem for customers of the major infrastructure providers in the DNS-based traffic management space. While the DNS specification has largely gone unchanged from a client perspective since it was created, NS1 and other providers have carried out a lot of proprietary modification of how DNS works behind the scenes, making it more difficult to use multiple DNS providers for redundancy. “We’ve moved a bit away from the interoperable nature of DNS,” Beevers said. “You can’t slave one DNS service to another anymore. You’re not seeing DNS zone transfers, because features and functionality of the [DNS provider] networks have diverged so much that you can’t transfer that over the zone transfer mechanism.” To overcome that issue, Beevers said, “people are pulling tools in-house to translate configurations from one provider to another—that did work very well for some of our customers [in shifting DNS during the attack].” NS1, like some of its competitors, also provides a service that allows customers to run the company’s DNS technology on dedicated networks, “so if our network gets hit by a big DDoS attack, they can still have access.”

Fixing the interoperability problem will become more urgent as attacks like the most recent one become more commonplace. But Beevers said that it’s not likely that the problem will be solved by a common specification for moving DNS management data. “DNS has not evolved since the ’80s, because there’s a spec,” he said. “But I do believe there’s room for collaboration. DNS is done by mostly four or five companies—this is one of those cases where we have a real opportunity because the community is small enough and because the traffic management that everyone uses needs a level of interoperability.” As companies with big online presences push for better ways to build multi-vendor and multi-network DNS systems to protect themselves from outages caused by these kinds of attacks, he said, the DNS and content delivery network community is going to have to respond.

Source: http://arstechnica.com/information-technology/2016/05/major-dns-provider-hit-by-mysterious-focused-ddos-attack/
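
As an added example of the behaviour-based approach described above (NS1 did not disclose its own rules, and this is not its code), the following Python triages an authoritative server's query log per source address on three features that separate programmatically generated lookups for nonexistent names from real resolver traffic: NXDOMAIN ratio, how rarely a name repeats, and the entropy of the leftmost label. The log format, the addresses (documentation ranges) and the thresholds are constructed for illustration.

```python
"""Behaviour-based triage of DNS query logs for random-subdomain floods.

Added example, not NS1's filtering (which the company did not disclose). Per
source address it measures the NXDOMAIN ratio, the share of never-repeated
names and the mean Shannon entropy of the leftmost label, then flags sources
whose traffic looks like generated lookups for names that do not exist.
Log lines use documentation address ranges and are constructed for this example.
"""
import math
from collections import defaultdict

# Constructed log: "<epoch> <source> <qname> <rcode>", one query per line.
LOG = """\
1464000000.001 203.0.113.7 www.example.com NOERROR
1464000000.002 203.0.113.7 mail.example.com NOERROR
1464000000.003 203.0.113.7 www.example.com NOERROR
1464000000.004 203.0.113.7 api.example.com NOERROR
1464000000.005 203.0.113.7 wwww.example.com NXDOMAIN
1464000000.006 198.51.100.22 q8z1kd7m2v.example.com NXDOMAIN
1464000000.006 198.51.100.22 hb29xq4ltw.example.com NXDOMAIN
1464000000.006 198.51.100.22 3mzp7ykv1r.example.com NXDOMAIN
1464000000.007 198.51.100.22 wt6u0sjb8e.example.com NXDOMAIN
1464000000.007 198.51.100.22 n5c2vhx9ka.example.com NXDOMAIN
1464000000.008 198.51.100.22 f4r8dq1zmy.example.com NXDOMAIN
1464000000.009 192.0.2.9 zk4q9w1xtb.example.com NXDOMAIN
1464000000.010 192.0.2.9 p2m8vd6rjc.example.com NXDOMAIN
"""


def label_entropy(label: str) -> float:
    """Shannon entropy in bits per character; random labels score near log2(len)."""
    n = len(label)
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def aggregate(lines) -> dict:
    """Fold query log lines into per-source statistics."""
    stats = defaultdict(lambda: {"total": 0, "nx": 0, "names": set(), "ent": 0.0})
    for line in lines:
        if not line.strip():
            continue
        _ts, src, qname, rcode = line.split()
        s = stats[src]
        s["total"] += 1
        if rcode == "NXDOMAIN":
            s["nx"] += 1
        s["names"].add(qname.lower().rstrip("."))
        s["ent"] += label_entropy(qname.split(".")[0])
    return stats


def flag_sources(lines, min_queries=5, nx_ratio=0.8, unique_ratio=0.9,
                 min_entropy=3.0) -> list:
    """Return sources whose traffic matches the random-subdomain flood pattern.

    All three features must agree, so a resolver relaying a few user typos
    (low NXDOMAIN ratio, low entropy) is not flagged; sources below
    min_queries are ignored rather than judged on too little evidence.
    """
    flagged = []
    for src, s in aggregate(lines).items():
        if s["total"] < min_queries:
            continue
        if (s["nx"] / s["total"] >= nx_ratio
                and len(s["names"]) / s["total"] >= unique_ratio
                and s["ent"] / s["total"] >= min_entropy):
            flagged.append(src)
    return sorted(flagged)


if __name__ == "__main__":
    print("flagged sources:", flag_sources(LOG.splitlines()))  # ['198.51.100.22']
```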

Devices Infected With New Ransomware Versions Will Execute DDoS Attacks

A combination of ransomware and DDoS attacks is heralding a new wave of cyber attacks against consumers and enterprises around the world. Security experts are concerned this may become a standard practice going forward; this is not good news by any means.

Ransomware And DDoS Is A Potent Mix

Over the past few years, ransomware attacks have become the norm rather than the exception. But the people responsible for these attacks continue to improve their skills, and infected machines will now start executing distributed denial of service attacks as well. Not only will users be unable to access their files, but the device will also become part of a botnet attacking other computers and networks around the world.

KnowBe4 CEO Stu Sjouwerman stated: “Adding DDoS capabilities to ransomware is one of those ‘evil genius’ ideas. Renting out DDoS botnets on the Dark Web is a very lucrative business, even if prices have gone down in recent years. You can expect [bundling] it to become a fast-growing trend.”

One of the first types of ransomware to embrace this new approach is Cerber, a Bitcoin malware strain which has been wreaking havoc for quite some time now. Attacks have been using “weaponized” Office documents to deliver malware to computers, which would then turn into members of a botnet to DDoS other networks. While some people see this change as a logical evolution of ransomware attacks, it is a worrying trend, to say the least. Assailants can come up with new ways to monetize their ransomware attacks, even if the victim decides not to pay the fee. As long as the device is infected, it can be used to execute these DDoS attacks, which is a service worth the money to the right [wrong] people.

A recent FireEye report shows how the number of Bitcoin ransomware attacks will exceed 2015’s at the rate things are going right now. Now that DDoS capabilities are being added to the mix, it is not unlikely the number of infections will increase exponentially over the next few months. Moreover, removing the ransomware itself is no guarantee computer systems will not be used for DDoS purposes in the future, and only time will tell if both threats can be eliminated at the same time.

Source: http://themerkle.com/devices-infected-with-new-ransomware-versions-will-execute-ddos-attacks/
