Category Archives: DDoS News

Battlefield 1: Are servers up after DDoS attack by The Phantom Squad?

It seems that the servers of popular first-person-shooter game Battlefield 1 have fallen victim to an attack by a hacker group which is said to have resorted to employing the Distributed Denial of Service aka DDoS attack. Plenty of Battlefield 1 gamers have taken to social media forums to report the non-playability of Battlefield 1. Therefore, you can let us know in case the game servers are offline thus momentarily not allowing you play Battlefield 1. It seems that the mastermind of the latest attack on battlefield 1 servers is the Phantom Squad who has claimed responsibility for the attack. “We will be keeping Battlefield 1 servers down. We are waiting for starskids to have an autistic breakdown,” state the hacker group in an official tweet. At this juncture, developers Electronic Arts are yet to issue official comments on the reported DDoS attack on the Battlefield 1 servers by The Phantom Squad. Therefore, you are advised to check for the online game mode in Battlefield 1 and let us know if the game works for you. As soon as the Battlefield 1 servers were ‘attacked’, gamers took to micro-blogging site Twitter to vent their angst. Source: http://www.ibtimes.co.in/are-battlefield-1-servers-after-ddos-attack-by-phantom-squad-can-you-play-game-now-708831

View original post here:
Battlefield 1: Are servers up after DDoS attack by The Phantom Squad?

Parliament website brought down by DDoS attack ‘just ten minutes’

House of Representatives Secretary General Surasak Pianwej Friday expressed confidence that the Parliament website has been effectively guarded against DDoS attack, saying the attack by angry Internet users brought down the site just ten minutes Thursday night. Surasak dismissed claimed by the group of “Citizens Against Single Gateway: Thailand Internet Firewall” that a DDoS attack organized by the group brought the down the webiste for an hour at 8:55 pm Thursday. “The system went down just 10 minutes and it resumed,” Surasak said. The group has urged Thai Internet users to join another DDoS attack at 2 pm Friday. Surasak said the officials will step up measures to prevent the attack. The group staged the attack after the National Legislative Assembly refused to abort the final reading of the new computer crime bill. Source: http://www.nationmultimedia.com/news/breakingnews/30302233

Read the original:
Parliament website brought down by DDoS attack ‘just ten minutes’

DDoS in 2017: Strap yourself in for a bumpy ride

2016 sucked. 2017 won’t be much better, sorry DDoS attacks have been around since at least 2000, and they’re not going away. In fact, as the number of devices online grows, the volume and velocity of these attacks is also increasing.…

Read more here:
DDoS in 2017: Strap yourself in for a bumpy ride

Bitcoin Exchange BTC-e Is Taken Down By New DDoS Attack

Early on Thursday morning, about 5:30 AM Eastern Standard Time to be exact, the Bitcoin exchange BTC-e is reporting that they are under DDoS attack and their site is currently offline. Going to the btc-e.com website returns a white page saying “DB connect error,” so there is no more information available from BTC-e. This is the second time this year that BTC-e has been taken down in this fashion. On Jan. 7th, they also suffered a distributed denial-of-service attacks, knocking it offline for several hours before returning to full service. Similar attacks have plagued the site since 2014. During Feb. 10-11, 2014 they also suffered a DDoS attack. BTC-e refused to stop the services with their team publishing a disclaimer on Twitter stating that due to the attack the withdrawal of the digital coins during those two days. BTC-e is ranked as a top 10 Bitcoin exchange by transaction volume over the last thirty days by bitcoinity.org, specializing in the use of USD, Russian Rubles, and Euros for the exchange of Bitcoins. We’ll keep you updated on this situation as more information comes in. Source: https://cointelegraph.com/news/bitcoin-exchange-btc-e-is-taken-down-by-new-ddos-attack

Visit site:
Bitcoin Exchange BTC-e Is Taken Down By New DDoS Attack

The DDoS vigilantes trying to silence Black Lives Matter

The Web lets anyone be a publisher—or a vigilante “Through our e-mails and our social media accounts we get death threats all the time,” said Janisha Gabriel. “For anyone who’s involved in this type of work, you know that you take certain risks.” These aren’t the words of a politician or a prison guard but of a Web designer. Gabriel owns Haki Creatives , a design firm that specializes in building websites for social activist groups like Black Lives Matter (BLM)—and for that work strangers want to kill her. When these people aren’t hurling threats at the site’s designer, they’re hurling attacks at the BLM site itself—on 117 separate occasions in the past six months, to be precise. They’re renting servers and wielding botnets, putting attack calls out on social media, and trialling different attack methods to see what sticks. In fact, it’s not even clear whether ‘they’ are the people publicly claiming to perform the attacks. I wanted to know just what it takes to keep a website like BlackLivesMatter.com online and how its opponents try to take it down. What I found was a story that involves Twitter campaigns, YouTube exposés, Anonymous-affiliated hacker groups, and a range of offensive and defensive software. And it’s a story taking place in the background whenever you type in the URL of a controversial site. BlackLivesMatter.com Although the Black Lives Matter movement has been active since 2013, the group’s official website was set up in late 2014 after the shooting of Michael Brown in Ferguson, Missouri. Until that point, online activity had coalesced around the #BlackLivesMatter hashtag, but when the mass mobilizations in Ferguson took the movement into the public eye, a central site was created to share information and help members connect with one another. Since its creation, pushback against BLM has been strong in both the physical and digital world. The BLM website was taken down a number of times by DDoS attacks, which its original hosting provider struggled to deal with. Searching for a provider that could handle a high-risk client, BLM site admins discovered MayFirst , a radical tech collective that specializes in supporting social justice causes such as the pro-Palestinian BDS movement, which has similarly been a target for cyberattacks . MayFirst refers many high-profile clients to eQualit.ie , a Canadian not-for-profit organization that gives digital support to civil society and human rights groups; the group’s Deflect service currently provides distributed denial of service (DDoS) protection to the Black Lives Matter site. In a report published today , eQualit.ie has analyzed six months’ worth of attempted attacks on BLM, including a complete timeline, attack vectors, and their effectiveness, providing a glimpse behind the curtain at what it takes to keep such a site running. The first real attack came only days after BLM signed up with Deflect. The attacker used Slowloris , a clever but dated piece of software that can, in theory, allow a single machine to take down a Web server with a stealthy but insistent attack. Billed as “the low bandwidth yet greedy and poisonous http client,” Slowloris stages a “slow” denial of service attack. Instead of aggressively flooding the network, the program makes a steadily increasing number of HTTP requests but never completes them. Instead, it sends occasional HTTP headers to keep the connections open until the server has used up its resource pool and cannot accept new requests from other legitimate sources. Elegant as Slowloris was when written in 2009, many servers now implement rules to address such attacks. In this case, the attack on BLM was quickly detected and blocked. But the range of attack attempts was about to get much wider. Anonymous “exposes racism” On May 2, 2016, YouTube channel @anonymous_exposes_racism uploaded a video called “ Anonymous exposes anti-white racism . ” The channel, active from eight months before this date, had previously featured short news clips and archival footage captioned with inflammatory statements (“Louis Farrakhan said WHITE PEOPLE DESERVE TO DIE”). But this new video was original material, produced with the familiar Anonymous aesthetic—dramatic opening music, a masked man glitching across the screen, and a computerized voice speaking in a strange cadence: “We have taken down a couple of your websites and will continue to take down, deface, and harvest your databases until your leaders step up and discourage racist and hateful behavior. Very simply, we expect nothing less than a statement from your leadership that all hate is wrong… If this does not happen we will consider you another hate group and you can expect our attention.” The “we” in question was presumably a splinter cell of Anonymous known as the Ghost Squad Hackers. Three days previously, in a series of tweets on April 29, Ghost Sqaud’s self-styled admin “@_s1ege” claimed to have taken the BLM site offline. Ghost Squad had a history of similar claims; shortly before this, it had launched an attack against a Ku Klux Klan website , taking it offline for a period of days. Dr. Gabriella Coleman is an anthropologist and the author of Hacker, Hoaxer, Whistleblower, Spy — considered the foremost piece of scholarship on Anonymous. (She also serves as a board member of eQualit.ie.) She said that Ghost Squad is currently one of the most prolific defacement and DDoS groups operating under the banner of Anonymous, but she also noted that only a few members have ever spoken publicly. “Unless you’re in conversation with members of a group, it’s hard to know what their culture is,” said Coleman. “I could imagine hypothetically that a lot of people who use the Ghost Squad mantle might not be for [attacking Black Lives Matter] but also might not be against it enough to speak out. You don’t know whether they all actively support it or just tolerate it.” Just as with Anonymous as a whole, this uncertainty is compounded by doubts about the identity of those claiming to be Ghost Squad at any given time—a fact borne out by the sometimes chaotic attack patterns shown in the traffic analytics. The April 29 attack announced by S1ege was accompanied by a screenshot showing a Kali Linux desktop running a piece of software called Black Horizon. As eQualit.ie’s report notes, BlackHorizon is essentially a re-branded clone of GoldenEye , itself based on HULK , which was written as proof-of-concept code in 2012 by security researcher Barry Shteiman. All of these attack scripts share a method known as randomized no-cache flood, the concept of which is to have one user submit a high number of requests made to look like they are each unique. This is achieved by choosing a random user agent from a list, forging a fake referrer, and generating custom URL parameter names for each site request. This tricks the server into thinking it must return a new page each time instead of serving up a cached copy, maximizing server load with minimum effort from the attacker. But once details of the Ghost Squad attack were published on HackRead , a flurry of other attacks materialized, many using far less effective methods. (At its most basic, one attack could be written in just three lines of Python code.) Coleman told me that this pattern is typical. “DDoS operations can attract a lot of people just to show up,” she said. “There’ll always be a percentage of people who are motivated by political beliefs, but others are just messing around and trying out whatever firepower they have.” One group had first called for the attack, but a digital mob soon took over. Complex threats Civil society organizations face cyberattacks more often than most of us realize. It’s a problem that these attacks exist in the first place, of course, but it’s also a problem that both successful and failed attempts so often happen in silence. In an article on state-sponsored hacking of human rights organizations, Eva Galperin and Morgan Marquis-Boire write that this silence only helps the attackers . Without publicly available information about the nature of the threat, vulnerable users lack the information needed to take appropriate steps to protect themselves, and conversations around effective defensive procedures remain siloed. When I spoke to Galperin, who works as a global policy analyst at the Electronic Frontier Foundation, she said that she hears of a civil society group being attacked “once every few days,” though some groups draw more fire and from a greater range of adversaries. “[BLM’s] concerns are actually rather complicated, because their potential attackers are not necessarily state actors,” said Galperin. “In some ways, an attacker that is not a nation state—and that has a grudge—is much more dangerous. You will have a much harder time predicting what they are going to do, and they are likely to be very persistent. And that makes them harder to protect against.” By way of illustration, Galperin points to an incident in June 2016 when prominent BLM activist Deray Mckesson’s Twitter account was compromised despite being protected by two-factor authentication. The hackers used social engineering techniques to trick Mckesson’s phone provider into rerouting his text messages to a different SIM card , an attack that required a careful study of the target to execute. Besides their unpredictability, persistence was also a defining feature of the BLM attacks. From April to October of this year, eQualit.ie observed more than 100 separate incidents, most of which used freely available tools that have documentation and even tutorials online. With such a diversity of threats, could it ever be possible to know who was really behind them? Chasing botherders One morning soon after I had started researching this story, a message popped up in my inbox: “Hello how are you? How would you like to prove I am me?” I had put the word out among contacts in the hacking scene that I was trying to get a line on S1ege, and someone had reached out in response. Of course, asking a hacker to prove his or her identity doesn’t get you a signed passport photo; but whoever contacted me then sent a message from the @GhostSquadHack Twitter account, used to announce most of the team’s exploits, a proof that seemed good enough to take provisionally. According to S1ege, nearly all of the attacks against BLM were carried out by Ghost Squad Hackers on the grounds that Black Lives Matter are “fighting racism with racism” and “going about things in the wrong way.” Our conversation was peppered with standard-issue Anon claims: the real struggle was between rich and poor with the media used as a tool to sow division and, therefore, the real problem wasn’t racism but who funded the media. Was this all true? It’s hard to know. S1ege’s claim that Ghost Squad was responsible for most of the attacks on BLM appears to be new; besides the tweets on April 29, none of the other attacks on BLM have been claimed by Ghost Squad or anyone else. To add more confusion, April 29 was also the date that S1ege’s Twitter account was created, and the claim to be staging Op AllLivesMatter wasn’t repeated by the main Ghost Squad account until other media began reporting it, at which point the account simply shared posts already attributing it to them. Despite being pressed, S1ege would not be drawn on any of the technical details which would have proved inside knowledge of the larger attacks. Our conversation stalled. The last message before silence simply read: “The operation is dormant until we see something racist from their movement again.” Behind the mask As eQualit.ie makes clear, the most powerful attacks leveraged against the BLM website were not part of the wave announced back in April by Ghost Squad. In May, July, September, and October, a “sophisticated actor” used a method known as WordPress pingback reflection to launch several powerful attacks on the site, the largest of which made upwards of 34 million connections. The attack exploits an innocuous feature of WordPress sites, their ability to send a notification to another site that has been linked to, informing it of the link. The problem is that, by default, all WordPress sites can be sent a request by a third party, which causes them to give a pingback notification to any URL specified in the request. Thus, a malicious attacker can direct hundreds of thousands of legitimate sites to make requests to the same server, causing it to crash. Since this attack became commonplace, the latest version of WordPress includes the IP address requesting the pingback in the request itself. Here’s an example: WordPress/4.6; http://victim.site.com; verifying pingback from 8.8.4.4 Sometimes these IP addresses are spoofed—for illustration purposes, the above example (8.8.4.4) corresponds to Google’s public DNS server—but when they do correspond to an address in the global IP space, they can provide useful clues about the attacker. Such addresses often resolve to “botherder” machines, command and control servers used to direct such mass attacks through compromised computers (the “botnet”) around the globe. In this case, the attack did come with clues: five IP addresses accounted for the majority of all botherder servers seen in the logs. All five were traceable back to DMZHOST , an “offshore” hosting provider claiming to operate from a “secured Netherland datacenter privacy bunker.” The same IP addresses have been linked by other organizations to separate botnet attacks targeting other groups. Beyond this the owner is, for now, unknown. (The host’s privacy policy simply reads: “DMZHOST does not store any information / log about user activity.”) The eQualit.ie report mentions these details in a section titled “Maskirovka,” the Russian word for military deception, because hacking groups like Ghost Squad (and Anonymous as a whole) can also provide an ideal screen for other actors, including nation-states. Like terrorism or guerrilla combat, DDoS attacks and other online harassment fit into a classic paradigm of asymmetrical warfare, where the resources needed to mount an attack are far less than those needed to defend against it. Botnets can be rented on-demand for around $60 per day on the black market, but the price of being flooded by one can run into the hundreds of thousands of dollars. (Commercial DDoS protection can itself cost hundreds of dollars per month. eQualit.ie provides its service to clients for free, but this is only possible by covering the operating costs with grant funding.) The Internet had long been lauded as a democratizing force where anyone can become a publisher. But today, the cost of free speech can be directly tied to the cost of fighting off the attacks that would silence it. Source: http://arstechnica.com/security/2016/12/hack_attacks_on_black_lives_matter/

Read the article:
The DDoS vigilantes trying to silence Black Lives Matter

The Difference Between Positive VS Negative WAF ?

The resurgence in Positive security of late has been a refreshing change to the security landscape dominated by anti-virus scanners, IDS/IPS, and anti­spam engines. The resurgence is most noticeable in the field of Web Application Security where Web Application Firewalls have been adopting a Positive Security model to combat the fast paced and ever changing threats they face. However even with the rise of Positive Model Security within the field of Web Application Security there are still divergent views on the best security method. Positive Model WAF looks to allow access to specific characters or via specific rules. This means that each rule added provides greater access and conversely having no rules in place will block everything by default. This model has the benefit of severely limiting the vectors an attacker can exploit simply because everything that is not expressly allowed is automatically blocked. The issue with this approach is that it tends to require a high level of care and input from the company implementing it to ensure that legitimate customers are not being blocked by overaggressive rules. This type of confusion can usually be eliminated after a few rounds of “whitelisting” (creating rules for legitimate actions) when the service is first implemented. Negative Model WAF works on the premise that most attackers are using exploits that have already been uncovered. By blocking these exploits and by creating patches or updates for new vulnerabilities that occur, the client will have to do very little besides ensuring that their WAF is up to date to remain secure. This model also alleviates stress over legitimate users being blocked as it is designed to prevent only known illegitimate actions from occurring. The issue with this model is that it depends on the team maintaining the WAF to stay up to date on exploits as they come out and allows attackers much greater freedom to find new vectors as anything that is not being expressly blocked is open for them to try. Given that there are new exploits discovered every day, you could become a victim as this new exploit has not reached your WAF administrator yet and therefore there is no rule in place to protect you. The negative model also referred to as a “Signature based “ WAF, must be constantly updated. In 2014 Symantec stated, after 2 weeks that the majority of anti virus software vendors had yet to update their software for zero day exploits. In other words a zero day attack should be renamed to 14 day attack, that’s scary ! In Summary Positive model: You decide what is valid, everything else is blocked Pros: Much Better protection compared to Negative Model Cons: Requires “Whitelisting” in order to not block legitimate visitors Negative Model: You decide what is not valid and allow everything else Pros: Easier to implement in most cases Cons: You are vulnerable to any vectors(zero day attacks) that don’t have signatures in your WAF. **At DOSarrest we employ a Cloud based Positive WAF model. Most of the other Cloud based WAF providers are using a negative model, whereby they have to manage 10’s of thousands of signatures. Ben Mina-Coull Quality Assurance DOSarrest Internet Security Source: https://www.dosarrest.com/ddos-blog/the-difference-between-positive-vs-negative-waf

Originally posted here:
The Difference Between Positive VS Negative WAF ?

UK police crack down on people paying for DDoS attacks

It’s all part of ‘Operation Tarpit’, a global crackdown co-ordinated by Europol. Distributed Denial of Service (DDoS) attacks are on the rise, affecting individuals, private businesses and government-funded institutions alike. As part of a large warning to cybercriminals, the UK’s National Crime Agency (NCA) has arrested 12 individuals for using a DDoS-for-hire service called Netspoof. “Operation Vulcanialia” targeted 60 citizens in total, and led to 30 cease and desist notices, and the seizure of equipment from 11 suspects. The NCA says it had two focuses: arresting repeat offenders and educating first-time users about the consequences of cybercrime. The work formed part of Operation Tarpit, a larger effort co-ordinated by Europol. Law enforcement agencies from Australia, Belgium, France, Hungary, Lithuania, the Netherlands, Norway, Portugal, Spain, Sweden, the UK and the US targeted users of DDoS tools together, resulting in 34 arrests and 101 suspects being interviewed and cautioned. The UK’s contribution was spearheaded by intelligence gathered by the West Midlands Regional Cyber Crime Unit, and executed by Regional Organised Crime Units under the watchful eye of the NCA. Some of the arrests were detailed in a press release — all but one was under the age of 30. Netspoof allowed anyone to initiate potentially devastating DDoS attacks from as little as £4. Packages soared to as much as £380, however, depending on the user’s requirements. It meant almost anyone, regardless of their technical background, could take down sites and services by flooding them with huge amounts of data. The trend is representative of the increase in cybercrime and how easy it is for people to wield such powers. DDoS attacks aren’t comparable to hacking, but they’re still a worrisome tactic for businesses. Knocking a service offline can affect a company’s finances and reputation, angering customers in the process. Twelve arrests is by no means insignificant, but it almost certainly represents a small number of DDoS users. Still, it’s a warning shot from the NCA — it’s aware of the problem, and officers are putting more resources into tracking those who both use and facilitate such attacks on the internet. Source: https://www.engadget.com/2016/12/13/uk-national-crime-agency-ddos-arrests/

Read More:
UK police crack down on people paying for DDoS attacks

DDoS attacks have gone from a minor nuisance to a possible new form of global warfare

“In principle, most of the denial-of-service attacks we see have no solution,” a security expert, Peter Neumann of SRI International, told the New York Times at the time. “The generic problem is basically unsolvable.” It still is. Twenty years on, DDoS attacks have increased exponentially in size, and vast swathes of the internet remain vulnerable. Experts say the proliferation of new but vulnerable connected devices, such as thermostats and security cameras, as well as the architecture of the internet itself, mean DDoS attacks will be with us for the foreseeable future. And rather than a mere annoyance that takes your favorite websites offline, they are starting to become a serious threat. According to Arbor Networks, an internet monitoring company that also sells DDoS protection, the volume of global DDoS attacks has grown by more than 30 times between 2011 and 2014. The attacks are also getting more intense. A string of them in September and October, which set records in terms of the volume of traffic (in gigabits per second, or Gbps) in each attack, proved that DDoS can overwhelm the internet’s best defenses. Among those they took down or threatened were a hosting service, a domain-name services provider (whose clients, including Twitter and Spotify, thus became inaccessible across entire regions of the US), a major content-delivery network, and the internet’s best-known blogger on security matters, Brian Krebs.  These are the most powerful DDoS attacks each year, by Arbor Networks’ count.   The September and October attacks are thought to have been carried out using Mirai, a piece of malware that allows hackers to hijack internet-connected devices such as security cameras. These are often sold with weak default passwords that their users don’t bother (or know how) to change. Mirai tracks them down, takes them over, and incorporates them into a “botnet” that launches DDoS attacks as well as finding and infecting other devices. Botnets aren’t new, but Mirai takes them to a new level, argues a recent paper (pdf) from the Institute of Critical Infrastructure Technology (ICIT), a research group. It’s a “development platform” for hackers to customize, the researchers say; the code was made public on a hacker forum, and people are free to innovate and build on it. In the past couple of months it’s thought to have been used to cripple the heating systems of two residential buildings in Finland and the online services of several Russian banks. The researchers speculate that hackers could tailor Mirai to do far bigger damage, such as bringing down a power grid. In September, security expert Bruce Schneier pointed to evidence that a large state actor—China or Russia, most likely—has been testing for weak points in companies that run critical parts of American internet infrastructure. It’s not outlandish to imagine that in the future, DDoS attacks powered by something like Mirai, harnessing the vast quantity of weakly secured internet-connected gadgets, could become part of a new kind of warfare. At the moment, the main defense against a DDoS attack is sheer brute force. This is what hosting companies offer. If a client suffers a DDoS attack, the hosting provider simply assigns more servers to soak up the flood of traffic. But as the latest attacks have shown, the power of botnets is simply growing too fast for even the biggest providers to defend against. There is a fix that would prevent a common type of DDoS attack—a “reflection” attack. This is where a hacker sends messages out to a botnet that seem to come from the target’s IP address (like sending an email with a fake reply-to address), causing the botnet to attack that target. The proposed fix, a security standard known as BCP38, which would make such fake return addressing impossible, has been available for 16 years. If all the ISPs on the internet implemented BCP38 on their routers, the most powerful DDoS attacks would be far more difficult to launch.  But the sheer number of networks and ISPs on the internet makes this idea wishful thinking, says Steve Uhlig, of London’s Queen Mary University, who specializes in the internet’s routing protocols.”Remember that the internet is made of more than 50,000 networks,” he says. If the most important and influential networks implement the fix, but the countless smaller operators don’t, DDoS attacks can continue to exploit spoofing. “Larger networks in the [internet core] can and do filter,” he says, “But they reduce the attacks by only a limited amount.” The internet’s decentralized design is what gives it its strength. But it’s also the source of what is rapidly becoming its biggest weakness. Source: http://qz.com/860630/ddos-attacks-have-gone-from-a-minor-nuisance-to-a-possible-new-form-of-global-warfare/

See more here:
DDoS attacks have gone from a minor nuisance to a possible new form of global warfare

Law enforcement operation targets users of DDoS tools

From 5 to 9 December 2016, Europol and law enforcement authorities from Australia, Belgium, France, Hungary, Lithuania, the Netherlands, Norway, Portugal, Romania, Spain, Sweden, the United Kingdom and the United States carried out a coordinated action targeting users of DDoS tools, leading to 34 arrests and 101 suspects interviewed and cautioned. Europol’s European Cybercrime Centre (EC3) supported the countries in their efforts to identify suspects in the EU and beyond, mainly young adults under the … More ?

See the article here:
Law enforcement operation targets users of DDoS tools

DDoS script kiddies are also… actual kiddies, Europol arrests reveal

Young ‘uns hire tools to hit infrastructure, info systems Law enforcement bods at Europol have arrested 34 users of Distributed Denial of Service (DDoS) cyber-attack tools and interviewed and cautioned 101 suspects in a global crackdown.…

More:
DDoS script kiddies are also… actual kiddies, Europol arrests reveal