Category Archives: DDoS News

Russian telecom giant repels DDoS attacks on country’s 5 largest financial institutions

Russian telecom giant Rostelecom has thwarted DDoS-attacks on the five largest banks and financial institutions in the country, the company said in a statement. All the attacks were recorded on December 5, 2016, the longest of them lasting for over two hours, Rostelecom said on Friday. “The analysis of the attack sources carried out by Rostelecom specialists revealed that the traffic was generated from the home routers of users who are usually referred to IoT devices,” Muslim Medzhlumov, director of the Cybersecurity Center for Rostelecom, said in a statement , published on the company’s website. “A distinctive feature of the attacks was that they were organized with the help of devices that support the CWMP Management Protocol (TR-069). A few weeks ago, a serious vulnerability was revealed in the implementation of this protocol on a number of devices from different manufacturers, which allows attackers [to] organize DDoS-attacks. At the beginning of last week, the largest German operator Deutsche Telecom was subjected to an attack on users’ home devices, as well as the Irish provider Eircom,” he explained. The Russian Federal Security Service (FSB) reported on December 2 that it had received intelligence of foreign intelligence services preparing large-scale cyber-attacks in Russia in the period starting from December 5, 2016, aimed at destabilizing Russia’s financial system and the activities of a number of major Russian banks. A RIA Novosti source close to the Central Bank reported that the Bank of Russia recorded several attacks on December 5 on the site of VTB Bank Group. On Tuesday, Russian President Vladimir Putin signed into effect an updated doctrine on information security. It states that the limitless flow of information has a negative impact on international security, as it can be employed to pursue geopolitical and military goals, thus favoring organized crime, extremists and terrorists. The doctrine notes that Russian government agencies, scientific centers, and military industries are being targeted by foreign intelligence services by means of electronic and cyber surveillance. To counter threats and challenges in the information environment, Russia will build “strategic deterrents” and step up efforts to “prevent armed conflicts that stem from the use of IT.” The doctrine also instructs government agencies to strengthen critical information infrastructure to protect against cyber and computer network attacks. Source: https://www.rt.com/news/369738-ddos-attacks-russia-banks/

Excerpt from:
Russian telecom giant repels DDoS attacks on country’s 5 largest financial institutions

Mirai variant turns TalkTalk routers into zombie botnet agents

Infosec folk spot web of compromised British devices Hundreds of Mirai-infected home routers across the UK are currently acting as DDoS bots.…

Visit link:
Mirai variant turns TalkTalk routers into zombie botnet agents

New botnet launching daily massive DDoS attacks

CloudFlare spotted a new botnet in the wild which launched massive DDoS attacks aimed at the US West Coast for 10 days in a row. A new monster botnet, which hasn’t been given a name yet, has been spotted in the wild launching massive DDoS attacks. Security experts at CloudFlare said the emerging botnet is not related to Mirai, but it is capable of enormous distributed denial-of-service attacks. If this new botnet is just starting up, it could eventually be as powerful as Mirai. The company has so far spent 10 days fending off DDoS attacks aimed at targets on the US West Coast; the strongest attacks peaked at over 480 gigabits per second (Gbps) and 200 million packets per second (Mpps). CloudFlare first detected the new botnet on November 23; peaking at 400 Gbps and 172 Mpps, the DDoS attack hammered on targets “non-stop for almost exactly 8.5 hours” before the attack ended. CloudFlare’s John Graham-Cumming noted, “It felt as if an attacker ‘worked’ a day and then went home.” The botnet DDoS attacks followed the same pattern the next day, like the attacker was “someone working at a desk job,” except the attacks began 30 minutes earlier. On the third day, the attacks reached over 480 Gbps and 200 Mpps before the attacker decided to knock off a bit early from ‘work.’ Once Thanksgiving, Black Friday and Cyber Monday were over, the attacker changed patterns and started working 24 hours a day. The attacks continued for 10 days; each day the DDoS attacks “were peaking at 400 Gbps and hitting 320 Gbps for hours on end.” That’s not as powerful as the Mirai botnet made up of insecure IoT devices, but this botnet is presumably just getting started. It’s already plenty big enough to bring a site to its knees for hours on end unless it has some decent form of DDoS protection. If it were to be combined with other botnet strains, it might be capable of beating the unprecedented records set by the Mirai attacks. Although CloudFlare never elaborated on what devices the new botnet was abusing for its attacks, the company said it uses different attack software then Mirai. The emerging botnet sends very large Layer 3 and Layer 4 floods aimed at the TCP protocol. Hopefully it’s not using poorly secured internet of things devices as there seems to be an endless supply of IoT devices with pitiful-to-no security waiting to be added to botnets. That’s likely going to get worse, since IoT gadgets are expected to sell in record-breaking numbers this holiday season. It’s just a guess, but it does seem likely that the new botnet is aimed at such devices. CloudFlare posted the new botnet information on Friday, so it is unknown if the attacks have continued since the article was published. Last week, a modified version of the Mirai IoT malware was responsible for creating chaos in Germany and other worldwide locations; the hackers reportedly responsible for attempting to add routers to their botnet apologized for knocking Deutsche Telekom customers offline as it was allegedly not their intention. DDoS attacks may give a blue Christmas to gamers Regarding DDoS attacks, the most recent Akamai State of the Internet/Security Report suggested that gamers might not have the best holiday season. For the past several years, hackers have attacked and sometimes taken down Microsoft’s Xbox and Sony’s PlayStation networks, even Steam, making it impossible for seasoned gamers as well as those who received new gaming platforms for Christmas to enjoy new games and consoles. “Thanksgiving, Christmas, and the holiday season in general have long been characterized by a rise in the threat of DDoS attacks,” the Akamai report stated. “Malicious actors have new tools – IoT botnets – that will almost certainly be used in the coming quarter.” As first pointed out by Network World’s Tim Greene, Akamai added, “It is very likely that malicious actors are now working diligently to understand how they can capture their own huge botnet of IoT devices to create the next largest DDoS ever.” Let’s hope the newly discovered botnet isn’t an example of Akamai’s prediction. Source:http://www.computerworld.com/article/3147081/security/new-botnet-launching-daily-massive-ddos-attacks.html

View article:
New botnet launching daily massive DDoS attacks

New Mirai Worm Knocks 900K Germans Offline

More than 900,000 customers of German ISP Deutsche Telekom (DT) were knocked offline this week after their Internet routers got infected by a new variant of a computer worm known as Mirai. The malware wriggled inside the routers via a newly discovered vulnerability in a feature that allows ISPs to remotely upgrade the firmware on the devices. But the new Mirai malware turns that feature off once it infests a device, complicating DT’s cleanup and restoration efforts. Security experts say the multi-day outage is a sign of things to come as cyber criminals continue to aggressively scour the Internet of Things (IoT) for vulnerable and poorly-secured routers, Internet-connected cameras and digital video recorders (DVRs). Once enslaved, the IoT devices can be used and rented out for a variety of purposes — from conducting massive denial-of-service attacks capable of knocking large Web sites offline to helping cybercriminals stay anonymous online. This new variant of Mirai builds on malware source code released at the end of September. That leak came a little more a week after a botnet based on Mirai was used in a record-sized attack that caused KrebsOnSecurity to go offline for several days. Since then, dozens of new Mirai botnets have emerged, all competing for a finite pool of vulnerable IoT systems that can be infected. Until this week, all Mirai botnets scanned for the same 60+ factory default usernames and passwords used by millions of IoT devices. But the criminals behind one of the larger Mirai botnets apparently decided to add a new weapon to their arsenal, incorporating exploit code published earlier this month for a security flaw in specific routers made by Zyxel and Speedport. These companies act as original equipment manufacturers (OEMs) that specialize in building DSL modems that ISPs then ship to customers. The vulnerability exists in communications protocols supported by the devices that ISPs can use to remotely manage all of the customer-premises routers on their network. According to BadCyber.com, which first blogged about the emergence of the new Mirai variant, part of the problem is that Deutsche Telekom does not appear to have followed the best practice of blocking the rest of the world from remotely managing these devices as well. “The malware itself is really friendly as it closes the vulnerability once the router is infected,” BadCyber noted. “It performs [a] command which should make the device ‘secure,’ until next reboot. The first one closes port 7547 and the second one kills the telnet service, making it really hard for the ISP to update the device remotely.” [For the Geek Factor 5 readership out there, the flaw stems from the way these routers parse incoming traffic destined for Port 7547using communications protocols known as TR-069]. DT has been urging customers who are having trouble to briefly disconnect and then reconnect the routers, a process which wipes the malware from the device’s memory. The devices should then be able to receive a new update from DT that plugs the vulnerability. That is, unless the new Mirai strain gets to them first. Johannes Ullrich , dean of security research at The SANS Technology Institute , said this version of Mirai aggressively scans the Internet for new victims, and that SANS’s research has shown vulnerable devices are compromised by the new Mirai variant within five to ten minutes of being plugged into the Internet. Ullrich said the scanning activity conducted by the new Mirai variant is so aggressive that it can create hangups and crashes even for routers that are are not vulnerable to this exploit. “Some of these devices went down because of the sheer number of incoming connections” from the new Mirai variant, Ullrich said. “They were listening on Port 7547 but were not vulnerable to this exploit and were still overloaded with the number of connections to that port.” FEEDING THE CRIME MACHINE Allison Nixon , director of security research at Flashpoint, said this latest Mirai variant appears to be an attempt to feed fresh victims into one of the larger and more established Mirai botnets out there today. Nixon said she suspects this particular botnet is being rented out in discrete chunks to other cybercriminals. Her suspicions are based in part on the fact that the malware phones home to a range of some 256 Internet addresses that for months someone has purchased for the sole purpose of hosting nothing but servers used to control multiple Mirai botnets. “The malware points to some [Internet addresses] that are in ranges which were purchased for the express purpose of running Mirai,” Nixon said. “That range does nothing but run Mirai control servers on it, and they’ve been doing it for a while now. I would say this is probably part of a commercial service because purchasing this much infrastructure is not cheap. And you generally don’t see people doing this for kicks, you see them doing it for money.” Nixon said the criminals behind this new Mirai variant are busy subdividing their botnet — thought to be composed of several hundred thousand hacked IoT devices — among multiple, distinct control servers. This approach, she said, addresses two major concerns among cybercriminals who specialize in building botnets that are resold for use in huge distributed denial of service (DDoS) attacks. The first is that extended DDoS attacks which leverage firepower from more bots than are necessary to take down a target host can cause the crime machine’s overall bot count to dwindle more quickly than the botnet can replenish itself with newly infected IoT devices — greatly diminishing the crime machine’s strength and earning power. “I’ve been watching a lot of chatter in the DDoS community, and one of the topics that frequently comes up is that there are many botnets out there where the people running them don’t know each other, they’ve just purchased time on the botnet and have been assigned specific slots on it,” Nixon said. “Long attacks would end up causing the malware or infected machines to crash, and the attack and would end up killing the botnet if it was overused. Now it looks like someone has architected a response to that concern, knowing that you have to preserve bots as much as you can and not be excessive with the DDoS traffic you’re pushing.” Nixon said dividing the Mirai botnet into smaller sections which each answer to multiple control servers also makes the overall crime machine more resistant to takedown efforts by security firms and researchers. “This is an interesting development because a lot of the response to Mirai lately has been to find a Mirai controller and take it down,” Nixon said. “Right now, the amount of redundant infrastructure these Mirai actors have is pretty significant, and it suggests they’re trying to make their botnets more difficult to take down.” Nixon said she worries that the aggressive Mirai takedown efforts by the security community may soon prompt the crooks to adopt far more sophisticated and resilient methods of keeping their crime machines online. “We have to realize that the takedown option is not going to be there forever with these IoT botnets,” she said. Source: https://krebsonsecurity.com/2016/11/new-mirai-worm-knocks-900k-germans-offline/

View article:
New Mirai Worm Knocks 900K Germans Offline

4 sectors vulnerable to IoT attacks in 2017

2017 is set to feature new attacks on internet infrastructure and advancements in Internet of Things security One of 2016’s key events in the tech world was the massive distributed denial of service (DDoS) attack in October that brought many of the internet’s most heavily trafficked sites to their knees. There were two main takeaways from the event. Firstly, DNS infrastructure is highly vulnerable. And secondly, the growing proliferation of cheap, connected Internet of Things (IoT) devices – webcams, Wi-Fi speakers, wearables etc. – is making it far easier for cybercriminals to launch massive DDoS attacks. Why? Because many of these devices are shipped with default usernames and passwords, which are never changed by the enduser, and so are easily taken over. Earlier in October, the Mirai botnet malware was made public, and it evidently played a role in the attack. In 2017 businesses are sure to suffer more DDoS attacks and internet shutdowns powered by cheap, insecure IoT devices. But while these attacks could become more common, they’re also likely to become less lethal as backbone providers harden their defenses and device manufacturers adopt identity-based security to close vulnerabilities. However, the sheer number of cheap AND insecure IoT devices deployed globally will ensure DDoS attacks continue sporadically through 2017. Catastrophic DDoS attacks might dominate tech media coverage, but the failure of IoT device, service and infrastructure to adopt and scale robust security and privacy tactics will play out in several ways. Here are four sectors that will face the brunt of this as digital transformation takes hold in 2017. 1. Healthcare In 2017, the distinction between in-home and clinical healthcare devices will continue to erode. To date, smart wearables and exercise devices like Fitbits and Apple Watches have been perceived as a means to track exercise in order to further fitness goals – distinct from clinical medical devices like heart monitors, blood pressure cuffs or insulin pumps. At the same time, it’s become common for patients with high blood pressure to monitor their levels at home by capturing them on a mobile app on their phone – exactly how fitness trackers work. The wealth of data available to clinicians flowing from such devices is leading to expectations that individuals can and perhaps should play much more active roles in preventative care. But the ease with which personal health data can now be gathered and shared will increase pressure on healthcare IT decision-makers to turn to identity management and authentication as the technology most effective for achieving security objectives. The proliferation of digital systems and devices in healthcare settings creates more vulnerabilities where personal data can get exposed or stolen. By adding contextual authentication and authorisation through strong digital identity, hacking these systems becomes more difficult. For example, adding presence, geo-location and or persistent authentication. 2. Financial services In 2017, commercial banks and investment houses will continue the race to avoid having their business models disrupted by fintech innovation such as Bitcoin and emerging artificial intelligence technologies. Banks are already co-opting these disruptive technologies and incorporating them into their own IT mix. Somewhat ironically, having established relationships with their customers, many legacy banks could be very well positioned to not just weather the digital transformation storm, but emerge even more stable and profitable in the years ahead. This is especially true for those that embrace omnichannel techniques and technologies to create seamless experiences that delight customers across devices. Banks in 2017 will work on allaying customer privacy concerns as they cope with regulations regarding data protection and sharing. There will be a continued effort to eliminate internal data silos that create impersonal customer experiences across channels, and fragmented systems that can’t support digital customer demands and business requirements. 3. Retail The race toward omnichannel will accelerate in 2017 as many retailers and B2C organisations find themselves doing more business via mobile than they’re doing on the conventional laptop and online channel. Delivering convenience and seamless experiences will depend heavily on providing customers with experiences that are not just secure but also personalised to their needs and tastes. In order to do this, they must securely connect the digital identities of people, devices and things. This requires solving complex identity challenges and creating solutions that enhance and improve customer experiences and at the same time maximise revenue opportunities. 4. Communications and media AT&T’s proposed acquisition of Time Warner at the end of 2016 highlights exactly how vulnerable legacy media and telecommunications firms perceive themselves to be to disruptive forces like cord cutting. ‘Digital pipe’ companies feel like they need to lock in content providers in order to lock in audiences and preserve value. However, regulators may frown on such industry consolidation, and independent players like Netflix and semi-independent players like Hulu and independent cable TV producers continue to find ways to directly insert successful content into the entertainment bloodstream. Here again, making content easily accessible through the full array of channels is key to locking in loyalty and preserving lifetime value (LTV). Source: http://www.information-age.com/protect-internet-unsecured-everything-123463392/

Read this article:
4 sectors vulnerable to IoT attacks in 2017

WikiLeaks website suffers mysterious outage sparking Rule 41 hacking conspiracy

The website was offline for roughly four hours on 1 December. Whistleblowing website WikiLeaks suffered a mysterious outage on the morning of 1 December for roughly four hours, two days after posting its release of a searchable database of 60,000 emails from US government contractor HBGary. The website reportedly went down at around 4:00am (GMT), with some social media users quickly speculating it was the result of yet another distributed-denial-of-service (DDoS) assault – a form of cyberattack that sends waves of traffic at a web server in order to force it offline. By 9:00am (GMT) the website had fully resurfaced. “WikiLeaks is offline. Page no longer exists?!” one user wrote. Another said: “@WikiLeaks is down right now. Could be DDoS attack.” Meanwhile, a well-known account linked with Anonymous added: “Rule 41 happens and the first thing that goes down? WikiLeaks, of course, is currently unreachable.” Rule 41 is the newly-passed law in the US that permits the FBI and other agencies to conduct hacking-based investigations on multiple computers with a single warrant. Despite the claims of Anonymous, there is nothing to suggest it was related to any problems with WikiLeaks’ website. IBTimes UK contacted WikiLeaks for comment however had received no response at the time of publication. The outage comes after a slew of politically-charged leaks from the Democratic National Committee (DNC) and the personal email inbox of John Podesta, a close aide to Hillary Clinton. In October, Julian Assange, the founder of the organisation, claimed that unknown forces within the “DC establishment” had attempted to disrupt WikiLeaks’ operations via cyberattack after it released a collection of emails from the DNC. “The US DC establishment – which believes that Hillary Clinton will be the winner of the election – tried to find different ways to distract from our publications,” he said at the time, adding: “They started attacking our servers with DDoS attacks and attempted hacking attacks.” Later, on the morning of 7 November, after publishing 8,000 more DNC emails, WikiLeaks issued a series of updates to its four million-strong follower base about yet another attack. It said: “ WikiLeaks.org was down briefly. That’s rare. We’re investigating.” Later, it added: “Our email publication servers are under a targeted DoS attack.” Most recently, Assange renewed his effort to be allowed to exit the Ecuadorian embassy in London after a United Nations (UN) panel reinforced an earlier ruling that he was being arbitrarily detained. The decision came down after an appeal by the UK government. “Now that all appeals are exhausted I expect that the UK and Sweden will comply with their international obligations and set me free,” Assange said in a statement. “It is an obvious and grotesque injustice to detain someone for six years who hasn’t even been charged with an offence.” Source: http://www.ibtimes.co.uk/wikileaks-website-suffers-mysterious-outage-sparking-rule-41-hacking-conspiracy-1594392

Read the article:
WikiLeaks website suffers mysterious outage sparking Rule 41 hacking conspiracy

DDoS often used as a diversion tactic

While businesses are preoccupied solving DDoS attacks, hackers go in the back door to do some looting. Distributed denial of service (DDoS) attacks make a lot of noise, and according to a new Kaspersky Lab report, that’s exactly what hackers are using them for. As businesses are preoccupied solving DDoS attacks, hackers use the opportunity for another, more targeted and more deadly type of attack. Basically, DDoS is nothing more than a smokescreen. The conclusion comes in Kaspersky Lab’s report which polled businesses about their cybersecurity experiences, and more than half (56 per cent) say DDoS is being used as a smokescreen. In more than a quarter (29 per cent) of attacks, DDoS has been part of the tactics. Another quarter (26 per cent) said when they lost data due to a targeted attack, they were also hit by DDoS. “DDoS prevents a company from continuing its normal activities by putting either public or internal services on hold,” said Kirill Ilganaev, Head of Kaspersky DDoS Protection. “This is a real problem to businesses and it is often ‘all hands on deck’ in the IT team to try and fix the problem quickly so the business can carry on as before. DDoS can therefore be used not only as an easy way to stop the activity of a company, but also as a decoy to distract IT staff from another intrusion taking place through other channels.” The usual tactics include exploiting mobile devices, phishing scams, or even malicious activity from insiders. “The research shows us that DDoS attacks are often aligned with other threats. Businesses therefore need to be aware of the full threat landscape and prepared to deal with multiple types of criminal activity at any one time,” Ilganaev continued. “Failure to do this could increase the collateral damage, on top of already significant losses caused by downtime and the resulting impact on reputation. Businesses need to use a reliable DDoS protection service to reduce the risk of DDoS and help staff concentrate their efforts on protecting the business from any threats that can be hidden as a result.” Source: http://www.itproportal.com/news/ddos-often-used-as-a-diversion-tactic/

More:
DDoS often used as a diversion tactic

Why you should have a DDoS defence

Duncan Hughes explains the best methods to use to effectively protect businesses and ensure networks can stand up to a DDoS attack. The latest headlines have shown that distributed denial of service (DDoS) attacks have been growing in both size and complexity. In the last month, two high-profile DDoS attacks reached more than 600 Gbps and 1 Tbps. The most recent attacks have ranked among the largest DDoS attacks on record. The ferocity and frequency of these attacks has suggested that this trend is only set to upsurge in the near future. With the most recent DDoS attack targeting the service provider, rather than a specific website, resulting in Twitter, Netflix, Reddit, Spotify and others being severely affected, it is clear to see how DDoS attackers are increasing their capability. In my opinion, this most recent DDoS incident is a new spin on an old attack, as the bad guys are finding new and innovative ways to cause further discontent. It was an interesting point to see that the bad guys are moving upstream for DDoS attacks on the DNS providers, instead of just on sites or applications. What is also interesting to see is that threat actors are leveraging unsecure Internet of Things (IoT) devices to launch some of these large DDoS attacks. The immediate solution is for manufacturers to eliminate the use of default or easy passwords to access and manage smart or connected devices. That said, consumer adoption will be tricky, but this change is critical for the greater security of all. This response will hinder many of the global botnets that are created and deployed for malicious use. DDoS attacks can impact businesses of all types and sizes. Retail stores, enterprises and service providers can all find themselves at threat of the DDoS crosshairs. According to a recent report commissioned by A10 Networks in its A10 Networks IDG Connect report – everyone is a target, but some types of businesses come under fire more frequently. Entertainment and gambling are targeted the most targetted, with 33 percent of DDoS attacks aimed at that industry, followed by advertising media and web content (28 percent), and traditional and online retail (22 percent). The financial impact of DDoS attacks for businesses can be severe and a recent Ponemon Institute study revealed that between 2011 and 2016, the costs associated with a DDoS attack swelled by 31 percent, with some larger attacks exceeding US$2 million (£1.6 million) due to lost revenue, business disruption and other hard costs. Brand and reputation damage, can also have a lasting effect which cannot be financially measured. The IDG Connect report found the average company suffers 15 DDoS attacks per year (some averaging as many as 25 DDoS attacks annually), and the average attack causes at least 17 hours of disruption, whether that’s downtime, latency, denied customer access or crashes. That’s 255 hours of disruption a year, can businesses afford this level of interruption? I would suggest that the answer is probably not. So to be properly prepared, businesses must brace for the worst-case scenario. The following points below outline four main steps in prevention to ensure networks can stand up to a DDoS attack: Be proactive. Do not wait for a major crash. You may already be experiencing attacks with slowed or blocked customer access, which can result in lost sales or dissatisfied customers. Beware of the “world of denial.” Ask tough questions. What do your customer satisfaction metrics reveal? Do you see indicators of lost sales? What’s the real cost of service restoration? Hope for the best, but prepare for the worst. Invest in sufficient DDoS protection and mitigation solutions early, before a major attack strikes. Defend against all vectors. Consider dedicated multi-vector DDoS protection using in-path mitigation, coupled with integrated threat intelligence, for the best accuracy. Include hybrid protection with a cloud-bursting service as an extra precaution to combat volumetric attacks. Businesses of all sizes need to be able to detect and mitigate DDoS attacks particularly ‘multi-vector’ ones that simultaneously attack the bandwidth, application and network layers. This is all the more important because we have all seen that major DDoS attacks are taking place – and growing exponentially in size. Not only are the implications of this profound but these attacks are leveraging botnets comprising hundreds of thousands of unsecured IoT devices. With industry analysts expecting IoT usage to grow substantially the issue is coming into ever more sharper focus. Referring back to the Ponemon research, some of the main findings really bring to light the extent of the problem. From the research in which over 1000 IT and IT security practitioners in North America and EMEA participated, one of the most frightening takeaways was that organisations are highly concerned that they aren’t able to detect and stop encrypted attacks, but aren’t sure where to start or how best to defend their business. Clearly a lot needs to be done within the industry to protect against cyber-security threats. The one key thing that should be reflected from this is to not let your network remain unprotected against such attacks that are noticeably increasing and could end up being more costly for your business in the long run. Source: http://www.scmagazineuk.com/why-you-should-have-a-ddos-defence/article/570782

View post:
Why you should have a DDoS defence

Last month’s botnet DDoS happened because a gamer was mad at PSN

Remember last month, when a Mirai botnet attack brought down half the internet? On October 21, a Distributed Denial of service attack that employed swarms of unsecured “Internet of Things” devices was laser focused on a global DNS provider, making much of the internet unusable for many. Here’s what Dyn, the targeted DNS provider, said of the attack then: “At this point we know this was a sophisticated, highly distributed attack involving 10s of millions of IP addresses. We are conducting a thorough root cause and forensic analysis, and will report what we know in a responsible fashion. The nature and source of the attack is under investigation, but it was a sophisticated attack across multiple attack vectors and internet locations. We can confirm, with the help of analysis from Flashpoint and Akamai, that one source of the traffic for the attacks were devices infected by the Mirai botnet. We observed 10s of millions of discrete IP addresses associated with the Mirai botnet that were part of the attack.” 10 million devices, flooding networks with garbage traffic. Why? According The Wall Street Journal, it’s because one angry gamer was pissed about Sony’s PlayStation Network. Says Dale Drew, CSO of Level 3 Communications: “We believe that in the case of Dyn, the relatively unsophisticated attacker sought to take offline a gaming site with which it had a personal grudge and rented time on the IoT botnet to accomplish this.” While Drew hasn’t said which gaming site, The Wall Street Journal has, saying that the entire outage was brought about because somebody was mad at Sony. According to Forbes, all it took was buying the attack on the deep, dark web for $7500. The attack lasted for less than a full day. Is that worth over R100 000? That’s money that could have been spent on – materialistically – moving to another platform. Source: http://www.lazygamer.net/gaming-news/last-months-botnet-ddos-happened-gamer-mad-psn/

Visit site:
Last month’s botnet DDoS happened because a gamer was mad at PSN

New DDoS attack method called BlackNurse lets hackers take down firewalls and servers from a single laptop

Security researchers have discovered a new attack technique that requires less effort to launch large-scale attacks. A new DDoS attack method called BlackNurse has been discovered by security researchers, which allows hackers to launch large-scale attacks with less effort than is required for traditional DDoS attacks. BlackNurse also provides attackers with the ability to take down severs and firewalls with just a single laptop. According to researchers at TDC SOC (Security Operations Centre of the Danish telecom operator TDC), BlackNurse leverages low-volume ICMP (Internet Control Message Protocol)-based attacks to launch attacks capable of overloading firewalls and shutting them down. BlackNurse targets vulnerable firewalls made by Cisco, PaloAlto and others, in a “ping flood attack” reminiscent of those popular in the 1990s. TDC researchers said: “The BlackNurse attack attracted our attention, because in our anti-DDoS solution we experienced that even though traffic speed and packets per second were very low, this attack could keep our customers’ operations down. This even applied to customers with large internet uplinks and large enterprise firewalls in place. We had expected that professional firewall equipment would be able to handle the attack. “Based on our test, we know that a reasonable sized laptop can produce approx a 180 Mbit/s DoS attack with these commands.” Researchers at security firm Netresec, clarified how and why the new technique was dubbed BlackNurse, which according to the firm has caused “some confusion/amusement/discussion”. Netresec also cautioned about googling the term, which they claimed “might not be 100% safe-for-work, since you risk getting search results with inappropriate videos that have nothing to do with this attack”. Netresec said: “The term ‘BlackNurse’, which has been used within the TDC SOC for some time to denote the ‘ICMP 3,3? attack, is actually referring to the two guys at the SOC who noticed how surprisingly effective this attack was. One of these guys is a former blacksmith and the other a nurse, which was why a colleague of theirs jokingly came up with the name ‘BlackNurse’. However, although it was first intended as a joke, the team decided to call the attack ‘BlackNurse’ even when going public about it.” How does BlackNurse work? DDoS attacks ideally require a large volume of traffic to successfully cripple targets. Traditionally, large-scale attacks involve hoards of devices and numerous IP addresses working collectively to bombard a targeted server with massive volumes of traffic, in efforts to stop it from functioning. However, BlackNurse does not need an army of compromised devices; neither does it require high volumes of traffic. Instead, BlackNurse issues out low volume ICMP error messages to servers and firewalls, which can fairly easily overload the main processors, rendering them useless. ESET security researcher Mark James told IBTimes UK: “BlackNurse uses ICMP flooding to achieve its goal. ICMP is also known as Ping and is predominantly used to test the connectivity between two computers. An ICMP (ping) echo request is sent from one machine and awaits an ICMP echo reply from the receiving machine. “The time of the round trip is measured which would normally indicate how good the connection route is based on errors and or packet loss. If you take that same technology and send lots of requests without waiting for any replies, it’s possible to overload the destination server. It works two-fold, as often the receiving server will attempt to reply to the incoming requests and try to send replies thus increasing its activity and helping the initial attack. Also BlackNurse uses a different technique that is slower than traditional ICMP flood attacks utilising some firewall vulnerabilities or misconfiguration.” Mitigation for such an attack is possible. “Disabling ICMP Type 3 Code 3 on the WAN interface can mitigate the attack quite easily,” the TDC researchers said. “This is the best mitigation we know of so far.” Source: http://www.ibtimes.co.uk/new-ddos-attack-method-called-blacknurse-lets-hackers-take-down-firewalls-servers-single-laptop-1592214

Read the article:
New DDoS attack method called BlackNurse lets hackers take down firewalls and servers from a single laptop