Category Archives: DDoS Vendors

RangeAmp DDoS attacks can take down websites and CDN servers

A team of Chinese academics has found a new way to abuse HTTP packets to amplify web traffic and bring down websites and content delivery networks (CDNs). Named RangeAmp, this new Denial-of-Service (DoS) technique exploits incorrect implementations of the HTTP “Range Requests” attribute. HTTP Range Requests are part of the HTTP standard and allow clients (usually browsers) to request only a specific portion (range) of a file from a server. The feature was created for pausing and resuming traffic in controlled (pause/resume actions) or uncontrolled (network congestion or disconnections) situations. The HTTP Range Requests standard has been under discussion at the Internet Engineering Task Force (IETF) for more than half a decade, but, due to its usefulness, has already been implemented by browsers, servers, and CDNs. Two RangeAmp attacks discovered Now, a team of Chinese academics says that attackers can use malformed HTTP Range Requests to amplify how web servers and CDN systems react when having to deal with a range request operation. The team says two different RangeAmp attacks exist. The first is called a RangeAmp Small Byte Range (SBR) attack. In this case [see (a) in the image below], the attacker sends a malformed HTTP range request to the CDN provider, which amplifies the traffic towards the destination server, eventually crashing the targeted site. The second is called a RangeAmp Overlapping Byte Ranges (OBR) attack. In this case [see b) in the image below], the attacker sends a malformed HTTP range request to a CDN provider, and in the case, the traffic is funneled through other CDN servers, the traffic is amplified inside the CDN networks, crashing CDN servers and rendering both the CDNs and many other destination sites inaccessible. Image: Weizhong et al. Academics said they tested RangeAmp attacks against 13 CDN providers and found that all were vulnerable to the RangeAmp SBR attack, and six were also vulnerable to the OBR variant when used in certain combinations. Researchers said the attacks were very dangerous and required a minimum of resources to carry out. Of the two, RangeAmp SBR attacks could amplify traffic the most. The research team found that attackers could use a RangeAmp SBR attack to inflate traffic from 724 to 43,330 times the original traffic. Image: Weizhong et al. RangeAmp OBR attacks were a little harder to carry out, as the six vulnerable CDNs needed to be in specific (master-surrogate) configurations, but when conditions were met, reserchers said OBR attacks could also be used to inflate traffic inside a CDN network with amplification factors of up to nearly 7,500 times the initial packet size. Image: Weizhong et al. Of the two, OBR attacks were considered more dangerous, as attackers could take down entire chunks of a CDN provider’s network, bringing down connectivity for thousands of websites at a time. CDN vendors notified seven months ago Academics said that for the past few months they have been silently contacting the affected CDN providers and disclosing the details of the RangeAmp attack. Of the 13 CDN providers, researchers said that 12 responded positively and either rolled out or said they planned to roll out updates to their HTTP Range Request implementation. The list includes Akamai, Alibaba Cloud, Azure, Cloudflare, CloudFront, CDNsun, CDN77, Fastly, G-Core Labs, Huawei Cloud, KeyCDN, and Tencent Cloud. “Unfortunately, although we have sent them emails several times and have tried to reach out to their customer services, StackPath did not provide any feedback,” the research team said. “In general, we have tried our best to responsibly report the vulnerabilities and provide mitigation solutions. The related CDN vendors have had nearly seven months to implement mitigation techniques before this paper was published.” Each CDN provider’s reply, along with technical details about the RangeAmp attacks, are available in the research team’s paper, entitled “CDN Backfired: Amplification Attacks Based on HTTP Range Requests,” available for download in PDF format from here. Source: https://www.zdnet.com/article/rangeamp-attacks-can-take-down-websites-and-cdn-servers/

See original article:
RangeAmp DDoS attacks can take down websites and CDN servers

Oh cool, tech service prices are plummeting. And by tech services, we mean botnet rentals and stolen credit cards

Supply and demand in action Crime has never been cheaper to pull off, so long as you’re not particular about quality.…

Excerpt from:
Oh cool, tech service prices are plummeting. And by tech services, we mean botnet rentals and stolen credit cards

NXNSAttack technique can be abused for large-scale DDoS attacks

New vulnerability in DNS server software can be leveraged for DDoS attacks with an 1620x amplification factor. A team of academics from Israel has disclosed today details about NXNSAttack, a vulnerability in DNS servers that can be abused to launch DDoS attacks of massive proportions. According to the research team, NXNSAttack impacts recursive DNS servers and the process of DNS delegation. Recursive DNS servers are DNS systems that pass DNS queries upstream in order to be resolved and converted from a domain name into an IP address. These conversions take place on authoritative DNS servers, the servers that contain a copy of the DNS record, and are authorized to resolve it. However, as a safety mechanism part of the DNS protocol, authoritative DNS servers can also “delegate” this operation to alternative DNS servers of their choosing. New NXNSAttack explained In a research paper published today, academics from the Tel Aviv University and The Interdisciplinary Center in Herzliya, Israel, said they found a way to abuse this delegation process for DDoS attacks. The NXNSAttack technique has different facets and variations, but the basic steps are detailed below: 1) An attacker sends a DNS query to a recursive DNS server. The request is for a domain like “attacker.com,” which is managed through an attacker-controlled authoritative DNS server. 2) Since the recursive DNS server is not authorized to resolve this domain, it forwards the operation to the attacker’s malicious authoritative DNS server. 3) The malicious DNS server replies to the recursive DNS server with a message that equates to “I’m delegating this DNS resolving operation to this large list of name servers.” The list contains thousands of subdomains for a victim website. 4) The recursive DNS server forwards the DNS query to all the subdomains on the list, creating a surge in traffic for the victim’s authoritative DNS server. Image: NIC.CZ NXNSAttack has a huge amplification factor The research team says that an attacker using NXNSAttack can amplify a simple DNS query from 2 to 1,620 times its initial size, creating a massive spike in traffic that can crash a victim’s DNS server. Once the DNS server goes down, this also prevents users from accessing the attacked website, as the site’s domain can’t be resolved anymore. The research team says the NXNSAttack packet amplification factor (PAF) depends on the DNS software running on a recursive DNS server; however, in most cases, the amplification factor is many times larger than other DDoS amplification (reflection) attacks, where the PAF is usually between lowly values of 2 and 10. This large PAF implies that NXNSAttack is one of the most dangerous DDoS attack vectors known to date, having the ability to launch debilitating attacks with only a few devices and automated DNS queries. Patches available for DNS software The Israeli researchers said they’ve been working for the past few months with the makers of DNS software, content delivery networks, and managed DNS providers to apply mitigations to DNS servers across the world. Impacted software includes the likes of ISC BIND (CVE-2020-8616), NLnet labs Unbound (CVE-2020-12662), PowerDNS (CVE-2020-10995), and CZ.NIC Knot Resolver (CVE-2020-12667), but also commercial DNS services provided by companies like Cloudflare, Google, Amazon, Microsoft, Oracle (DYN), Verisign, IBM Quad9, and ICANN. Image: Shafir et al. Patches have been released today and over the previous weeks. They include mitigations that prevent attackers from abusing the DNS delegation process to flood other DNS servers. Server administrators who run their own DNS servers are advised to update DNS resolver software to the latest version. The research team’s work has been detailed in an academic paper entitled “ NXNSAttack: Recursive DNS Inefficiencies and Vulnerabilities ,” available for download in PDF format . Source: https://www.zdnet.com/article/nxnsattack-technique-can-be-abused-for-large-scale-ddos-attacks/

View the original here:
NXNSAttack technique can be abused for large-scale DDoS attacks

Are you Ready for These 26 Different Types of DDoS Attacks?

The scourge of distributed denial-of-service (DDoS) attacks has been a major concern for businesses and governments for more than two decades. First reported in 1996, this is a destructive and ever-evolving vector of cyber raids that knocks electronic networks offline by flooding them with the traffic they can’t handle. Not only is DDoS a way for hacktivists to manifest protest against Internet censorship and controversial political initiatives, but it’s also a goldmine of opportunities for achieving strictly nefarious goals. For instance, the latest tweak in this epidemic is what’s called “ransom DDoS,” a technique used to extort money from organizations in exchange for discontinuing a massive incursion. A big hurdle to thwarting the DDoS phenomenon is that it’s heterogeneous and spans a variety of different tactics. To begin with, there are three overarching categories of these attacks that form the backbone of this ecosystem: Volume-based (volumetric) attacks are the “classic” ones that congest a target network’s bandwidth with a hefty amount of traffic packets. Protocol attacks are aimed at exhausting server or firewall resources. Application layer (layer 7 DDoS) attacks zero in on specific web applications rather than the whole network. These ones are particularly hard to prevent and mitigate while being relatively easy to orchestrate. Furthermore, there are dozens of sub-types that fall into either one of the above generic groups but exhibit unique characteristics. Here’s a complete breakdown of the present-day DDoS attack methods. 1. SYN Flood This attack exploits the TCP three-way handshake, a technique used to establish any connection between a client, a host, and a server using the TCP protocol. Normally, a client submits a SYN (synchronize) message to the server to request a connection. When a SYN Flood attack is underway, criminals send a plethora of these messages from a spoofed IP address. As a result, the receiving server becomes incapable of processing and storing so many SYN packets and denies service to real clients. 2. LAND attack To perform a Local Area Network Denial (LAND) attack, a threat actor sends a fabricated SYN message in which the source and destination IP addresses are the same. When the server tries to respond to this message, it gets into a loop by recurrently generating replies to itself. This leads to an error scenario, and the target host may eventually crash. 3. SYN-ACK Flood The logic of this attack vector is to abuse the TCP communication stage where the server generates a SYN-ACK packet to acknowledge the client’s request. To execute this onslaught, crooks inundate the CPU and RAM resources of the server with a bevy of rogue SYN-ACK packets. 4. ACK & PUSH ACK Flood Once the TCP three-way handshake has resulted in establishing a connection between a host and a client, ACK or PUSH ACK packets are sent back and forth until the session is terminated. A server targeted by this type of a DDoS attack cannot identify the origin of falsified packets and wastes all of its processing capacity trying to determine how to handle them. 5. Fragmented ACK Flood This attack is a knockoff of the above-mentioned ACK & PUSH ACK Flood technique. It boils down to deluging a target network with a comparatively small number of fragmented ACK packets that have a maximum allowed size, usually 1500 bytes each. Network equipment such as routers ends up running out of resources trying to reassemble these packets. Furthermore, fragmented packets can slip below the radar of intrusion prevention systems (IPS) and firewalls. 6. Spoofed Session Flood (Fake Session Attack) In order to circumvent network protection tools, cybercriminals may forge a TCP session more efficiently by submitting a bogus SYN packet, a series of ACK packets, and at least one RST (reset) or FIN (connection termination) packet. This tactic allows crooks to get around defenses that only keep tabs on incoming traffic rather than analyzing return traffic. 7. UDP Flood As the name suggests, this DDoS attack leverages multiple User Datagram Protocol (UDP) packets. For the record, UDP connections lack a handshaking mechanism (unlike TCP), and therefore the IP address verification options are very limited. When this exploitation is in full swing, the volume of dummy packets exceeds the target server’s maximum capacity for processing and responding to requests. 8. DNS Flood This one is a variant of UDP Flood that specifically homes in on DNS servers. The malefactor generates a slew of fake DNS request packets resembling legitimate ones that appear to originate from a huge number of different IP addresses. DNS Flood is one of the hardest denial-of-service raids to prevent and recover from. 9. VoIP Flood This is a common form of UDP Flood that targets a Voice over Internet Protocol (VoIP) server. The multitude of bogus VoIP requests sent from numerous IP addresses drain the victim server’s resources and knock it offline at the end of the day. 10. NTP Flood (NTP Amplification) Network Time Protocol (NTP), one of the oldest networking protocols tasked with clock synchronization between electronic systems, is at the core of another DDoS attack vector. The idea is to harness publicly-accessible NTP servers to overload a target network with a large number of UDP packets. 11. CHARGEN Flood Similarly to NTP, the Character Generator Protocol (CHARGEN) is an oldie whose emergence dates back to the 1980s. In spite of this, it is still being used on some connected devices such as printers and photocopiers. The attack comes down to sending tiny packets containing a victim server’s fabricated IP to devices with CHARGEN protocol enabled. In response, the Internet-facing devices submit UDP packets to the server, thus flooding it with redundant data. 12. SSDP Flood Malefactors can exploit networked devices running Universal Plug and Play (UPnP) services by executing a Simple Service Discovery Protocol (SSDP) reflection-based DDoS attack. On a side note, SSDP is embedded in the UPnP protocol framework. The attacker sends small UDP packets with a spoofed IP address of a target server to multiple devices running UPnP. As a result, the server is flooded with requests from these devices to the point where it goes offline. 13. SNMP Flood (SNMP Amplification) Tasked with harvesting and arranging data about connected devices, the Simple Network Management Protocol (SNMP) can become a pivot of another attack method. Cybercriminals bombard a target server, switch, or router with numerous small packets coming from a fabricated IP address. As more and more “listening” devices reply to that spoofed address, the network cannot cope with the immense quantity of these incoming responses. 14. HTTP Flood When executing an HTTP Flood DDoS attack, an adversary sends ostensibly legitimate GET or POST requests to a server or web application, siphoning off most or all of its resources. This technique often involves botnets consisting of “zombie” computers previously contaminated with malware. 15. Recursive HTTP GET Flood To perpetrate this attack, a malicious actor requests an array of web pages from a server, inspects the replies, and iteratively requests every website item to exhaust the server’s resources. The exploitation looks like a series of legitimate queries and can be difficult to identify. 16. ICMP Flood Also referred to as Ping Flood, this incursion aims to inundate a server or other network device with numerous spoofed Internet Control Message Protocol (ICMP) echo requests or pings. Having received a certain number of ICMP pings, the network responds with the same number of reply packets. Since this capability to respond is finite, the network reaches its performance threshold and becomes unresponsive. 17. Misused Application Attack Instead of using spoofed IP addresses, this attack parasitizes legitimate client computers running resource-intensive applications such as P2P tools. Crooks reroute the traffic from these clients to the victim server to bring it down due to excessive processing load. This DDoS technique is hard to prevent as the traffic originates on real machines previously compromised by the attackers. 18. IP Null Attack This one is carried out by sending a slew of packets containing invalid IPv4 headers that are supposed to carry transport layer protocol details. The trick is that threat actors set this header value to null. Some servers cannot process these corrupt-looking packets properly and waste their resources trying to work out how to handle them. 19. Smurf Attack This one involves a malware strain called Smurf to inundate a computer network with ICMP ping requests carrying a spoofed IP address of the target. The receiving devices are configured to reply to the IP in question, which may produce a flood of pings the server can’t process. 20. Fraggle Attack This DDoS technique follows a logic similar to the Smurf Attack, except that it deluges the intended victim with numerous UDP packets rather than ICMP echo requests. 21. Ping of Death Attack To set this raid in motion, cybercrooks poison a victim network with unconventional ping packets whose size significantly exceeds the maximum allowed value (64 bytes). This inconsistency causes the computer system to allocate too many resources for reassembling the rogue packets. In the aftermath of this, the system may encounter a buffer overflow or even crash. 22. Slowloris This attack stands out from the crowd because it requires very low bandwidth and can be fulfilled using just one computer. It works by initiating multiple concurrent connections to a web server and keeping them open for a long period of time. The attacker sends partial requests and complements them with HTTP headers once a while to make sure they don’t reach a completion stage. As a result, the server’s capability to maintain simultaneous connections is drained and it can no longer process connections from legitimate clients. 23. Low Orbit Ion Cannon (LOIC) Originally designed as a network stress testing tool, LOIC can be weaponized in real-world DDoS attacks. Coded in C#, this open-source software deluges a server with a large number of packets (UPD, TCP, or HTTP) in an attempt to disrupt a target’s operation. This onslaught is usually backed by a botnet consisting of thousands of machines and coordinated by a single user. 24. High Orbit Ion Cannon (HOIC) HOIC is a publicly accessible application that superseded the above-mentioned LOIC program and has a much bigger disruptive potential than its precursor. It can be used to submit a plethora of GET and HTTP POST requests to a server concurrently, which ends up knocking a target website offline. HOIC can affect up to 256 different domains at the same time. 25. ReDoS ReDoS stands for “regular expression denial-of-service.” Its goal is to overburden a program’s regular expression implementation with instances of highly complex string search patterns. A malicious actor can trigger a regular expression processing scenario whose algorithmic complexity causes the target system to waste superfluous resources and slow down or crash. 26. Zero-Day DDoS This term denotes an attack that takes advantage of uncatalogued vulnerabilities in a web server or computer network. Unfortunately, such flaws are surfacing off and on, making the prevention a more challenging task.   A Serious Threat Although distributed denial-of-service is an old school attack vector, it continues to be a serious threat to organizations. The   monthly number of such attacks exceeds 400,000. To top it off, cybercriminals keep adding new DDoS mechanisms to their repertoire and security providers aren’t always prepared to tackle them. Another unnerving thing is that some techniques, including Low and High Orbit Ion Cannon, are open source and can be leveraged by wannabe criminals who lack tech skills. Such an attack may get out of hand and go way beyond the intended damage. To prevent DDoS attacks and minimize the impact, businesses should learn to proactively identify the red flags; have an appropriate response plan in place; make sure their security posture has no single point of failure, and continuously work on strengthening the network architecture. Source: https://www.securitymagazine.com/articles/92327-are-you-ready-for-these-26-different-types-of-ddos-attacks

Read the original:
Are you Ready for These 26 Different Types of DDoS Attacks?

Client-side web security

To address attacks such as XSS, Magecart and other card skimming exploits found in modern eCommerce environments, the use of client-side web security methods is beginning to emerge as a particularly useful practice. Obviously, enterprise teams should integrate client-side protections with desired server-side countermeasures to ensure a full risk management profile (e.g., the client-side is a poor selection point to stop denial of service). Several standards-based client-side security approaches have begun to mature that are … More ? The post Client-side web security appeared first on Help Net Security .

Read More:
Client-side web security

Average bandwidth of DDoS attacks increasing, APIs and applications under attack

The volume and complexity of attacks continued to grow in the first quarter of 2020, according to Link11. There has been an increasing number of high-volume attacks in Q1 2020, with 51 attacks over 50 Gbps. The average bandwidth of attacks also rose, reaching 5,0 Gbps versus 4,3 Gbps in the same quarter in 2019. Key findings Maximum bandwidth nearly doubles: In Q1 2020, the maximum bandwidth nearly doubled in comparison to the previous year; … More ? The post Average bandwidth of DDoS attacks increasing, APIs and applications under attack appeared first on Help Net Security .

View post:
Average bandwidth of DDoS attacks increasing, APIs and applications under attack

You’re a botnet, you;ve got a zero-day, so where do you go? After fiber, because that’s where the bandwidth is

Two-step attack seen on core systems Researchers are warning owners of fiber routers to keep a close eye on their gear and check for firmware updates following the discovery an in-the-wild zero-day attack.…

See original article:
You’re a botnet, you;ve got a zero-day, so where do you go? After fiber, because that’s where the bandwidth is

Dutch Police Shut Down 15 DDoS-for-Hire Services

Dutch law enforcement has shut down 15 DDoS-for-hire services that were used to run cyberattacks aimed at knocking websites and networks offline. Although they did not reveal the names of the DDoS-for-hire booters that they stopped, Police in The Netherlands were able to arrest a 19-year-old man from The Netherlands, who is suspected of orchestrating a DDoS attack against two websites that provide information on the coronavirus. The affected websites, MijnOverheid.nl and Overheid.nl, were unavailable for several hours on March 19 after being bombarded with traffic, according to the Dutch police. “We want to protect people and companies and make it increasingly difficult for cyber criminals to carry out a DDoS attack,” the head of the cyber crime team of the Central Netherlands police, Jeroen Niessen, said in a statement on the takedown. Dutch citizens may have found the interruptions to Overhead.nl particularly exasperating because the site is used as a “digital letterbox” to receive communications, including information about the pandemic, from the government. “The availability of this site to citizens is crucial for the country, especially during these times,” the Dutch police said. “By flattening a website like this, you are denying citizens access to their personal data and important government information. We take this very [seriously], especially now that the corona[virus] crisis is causing additional uncertainty and a great need for information for many people,” Niessen added. Dutch police have been pushing in recent years to stop Distributed Denial of Service attacks, which can overload computers with so much traffic that they become inaccessible. Last year, for example, Dutch police took down a hosting company that helped cybercriminals propagate hundreds of thousands of DDoS attacks. The year prior, the U.S. Department of Justice, in concert with the Dutch police and the U.K.’s National Crime Agency, knocked down 15 internet domains used to launch DDoS attacks. The Dutch police will continue to tackle new services, companies, and individuals involved in making DDoS attacks easier to operate moving forward, according to Niessen. “If they pop up elsewhere, we will immediately work on it again,” Niessen said. “Our goal is to seize more and more booters.” In the meantime, the Dutch police advised victims against paying cybercriminals behind DDoS attacks in the hopes that they call the police to investigate and hold them accountable instead. “Don’t give the cyber criminals money, as this may seem like a quick fix to get your site back up and running, you run the risk of getting rid of them,” the police advised. Source: https://www.cyberscoop.com/dutch-police-ddos-shutdown/

See more here:
Dutch Police Shut Down 15 DDoS-for-Hire Services

Across-the-board increase in DDoS attacks of all sizes

There has been a 168% increase in DDoS attacks in Q4 2019, compared with Q4 2018, and a 180% increase overall in 2019 vs. 2018, according to Neustar. The company saw DDoS attacks across all size categories increase in 2019, with attacks sized 5 Gbps and below seeing the largest growth. These small-scale attacks made up more than three quarters of all attacks the company mitigated on behalf of its customers in 2019. DDoS attacks … More ? The post Across-the-board increase in DDoS attacks of all sizes appeared first on Help Net Security .

Original post:
Across-the-board increase in DDoS attacks of all sizes

Healthcare cybersecurity in the time of coronavirus

Brno University Hospital, in Brno, Czech Republic, which is one of the country’s Covid-19 testing centers, has recently been hit by a cyberattack. The nature of the attack has yet to be shared, but looks like it might be ransomware. The result? Some surgeries have been postponed and some patients redirected to nearby hospitals. On Sunday, the US Health and Human Services Department was hit by a distributed denial of service (DDoS) attack that, luckily, … More ? The post Healthcare cybersecurity in the time of coronavirus appeared first on Help Net Security .

See the original post:
Healthcare cybersecurity in the time of coronavirus