Category Archives: DDoS Vendors

New DDoS attack method called BlackNurse lets hackers take down firewalls and servers from a single laptop

Security researchers have discovered a new attack technique that requires less effort to launch large-scale attacks. A new DDoS attack method called BlackNurse has been discovered by security researchers, which allows hackers to launch large-scale attacks with less effort than is required for traditional DDoS attacks. BlackNurse also provides attackers with the ability to take down severs and firewalls with just a single laptop. According to researchers at TDC SOC (Security Operations Centre of the Danish telecom operator TDC), BlackNurse leverages low-volume ICMP (Internet Control Message Protocol)-based attacks to launch attacks capable of overloading firewalls and shutting them down. BlackNurse targets vulnerable firewalls made by Cisco, PaloAlto and others, in a “ping flood attack” reminiscent of those popular in the 1990s. TDC researchers said: “The BlackNurse attack attracted our attention, because in our anti-DDoS solution we experienced that even though traffic speed and packets per second were very low, this attack could keep our customers’ operations down. This even applied to customers with large internet uplinks and large enterprise firewalls in place. We had expected that professional firewall equipment would be able to handle the attack. “Based on our test, we know that a reasonable sized laptop can produce approx a 180 Mbit/s DoS attack with these commands.” Researchers at security firm Netresec, clarified how and why the new technique was dubbed BlackNurse, which according to the firm has caused “some confusion/amusement/discussion”. Netresec also cautioned about googling the term, which they claimed “might not be 100% safe-for-work, since you risk getting search results with inappropriate videos that have nothing to do with this attack”. Netresec said: “The term ‘BlackNurse’, which has been used within the TDC SOC for some time to denote the ‘ICMP 3,3? attack, is actually referring to the two guys at the SOC who noticed how surprisingly effective this attack was. One of these guys is a former blacksmith and the other a nurse, which was why a colleague of theirs jokingly came up with the name ‘BlackNurse’. However, although it was first intended as a joke, the team decided to call the attack ‘BlackNurse’ even when going public about it.” How does BlackNurse work? DDoS attacks ideally require a large volume of traffic to successfully cripple targets. Traditionally, large-scale attacks involve hoards of devices and numerous IP addresses working collectively to bombard a targeted server with massive volumes of traffic, in efforts to stop it from functioning. However, BlackNurse does not need an army of compromised devices; neither does it require high volumes of traffic. Instead, BlackNurse issues out low volume ICMP error messages to servers and firewalls, which can fairly easily overload the main processors, rendering them useless. ESET security researcher Mark James told  IBTimes UK:  “BlackNurse uses ICMP flooding to achieve its goal. ICMP is also known as Ping and is predominantly used to test the connectivity between two computers. An ICMP (ping) echo request is sent from one machine and awaits an ICMP echo reply from the receiving machine. “The time of the round trip is measured which would normally indicate how good the connection route is based on errors and or packet loss. If you take that same technology and send lots of requests without waiting for any replies, it’s possible to overload the destination server. It works two-fold, as often the receiving server will attempt to reply to the incoming requests and try to send replies thus increasing its activity and helping the initial attack. Also BlackNurse uses a different technique that is slower than traditional ICMP flood attacks utilising some firewall vulnerabilities or misconfiguration.” Mitigation for such an attack is possible. “Disabling ICMP Type 3 Code 3 on the WAN interface can mitigate the attack quite easily,” the TDC researchers said. “This is the best mitigation we know of so far.” Source: http://www.ibtimes.co.uk/new-ddos-attack-method-called-blacknurse-lets-hackers-take-down-firewalls-servers-single-laptop-1592214

Read the article:
New DDoS attack method called BlackNurse lets hackers take down firewalls and servers from a single laptop

Web attacks increase 71% in third quarter

Dubai: After a slight downturn in the second quarter of this year, the average number of Distributed Denial of Service (DDoS) attacks increased to an average of 30 attacks per target. Fact Box description starts here Fact Box description ends here This reflects that once an organisation has been attacked, there is a high probability of additional attacks, a cyber security expert said. Fact Box description starts here Fact Box description ends here “Cybercriminals have found new attack channels to disable resources as the total DDoS attacks increased by 71 per cent year over year in the third quarter. During the third quarter, we mitigated a total of 4,556 DDoS attacks, an eight per cent decrease from second quarter,” Dave Lewis, Global Security Advocate at Akamai Technologies, told Gulf News. Fact Box description starts here Fact Box description ends here DDoS attack means an attacker sends too much traffic to a server beyond it can handle and the server goes offline. Fact Box description starts here Fact Box description ends here “We are seeing more and more of short-based attacks with limited bandwidth and consequence. There were 19 mega attacks mitigated during the quarter that peaked at more than 100Gbps, matching the first quarter high point,” he said. It’s interesting that while the overall number of attacks fell by eight per cent quarter over quarter, he said the number of large attacks, as well as the size of the biggest attacks, grew significantly. Fact Box description starts here Fact Box description ends here In contrast to previous quarters, when reflection attacks generated the traffic in the largest attacks, a single family of botnets, Mirai, accounted for the traffic during these recent attacks. Rather than using reflectors, he said that Mirai uses compromised internet of Things systems and generates traffic directly from those nodes. Fact Box description starts here Fact Box description ends here The Mirai botnet was a source of the largest attacks Akamai mitigated to date, an attack that peaked at Fact Box description starts here Fact Box description ends here 623Gbps. Mirai did not come out of nowhere. What makes Mirai truly exceptional is its use of IoT devices and several capabilities that aren’t often seen in botnets. Fact Box description starts here Fact Box description ends here The two largest DDoS attacks this quarter, both leveraging the Mirai botnet, were the biggest observed by Akamai to-date — recorded at 623Gbps and 555Gbps. Fact Box description starts here Fact Box description ends here “Attackers are generally not looking for vulnerable systems in a specific location, they are scanning the entire internet for vulnerable systems. The Mirai botnet is especially noisy and aggressive while scanning for vulnerable systems,” he said. Fact Box description starts here Fact Box description ends here He said that some clients are almost always under attack. The top target organisations saw three to five attacks every day of the quarter. However, without defences in place, these attacks could have a “substantial cumulative effect” on an organisation’s’ reputation. Fact Box description starts here Fact Box description ends here “It is becoming easier for hackers to launch attacks on commoditised platforms for lesser price than a coffee cup. The internet of Things are very good at what they are good at but security is often left out. We see these devices like DVRs with default credentials with an insecure protocol,” he said. Fact Box description starts here Fact Box description ends here According to Akamai Technologies’ Third Quarter, 2016 State of the internet/Security Report, majority of web application attacks continued to take place over http (68 per cent) as opposed to https (32 per cent), which could afford attackers some modicum of protection by encrypting traffic in transit. Fact Box description starts here Fact Box description ends here The US remained the top target for web application attacks as many organisations are headquartered in the US, with the resultant infrastructure also hosted in-country, it is expected that the US will continue to be the top target for some time. Fact Box description starts here Fact Box description ends here Brazil, the top country of origin for all web application attacks in the second quarter, experienced a 79 per cent decrease in attacks this quarter. The United States (20 per cent) and Netherlands (18 per cent) were the countries with the most web application attacks. Source: http://gulfnews.com/business/sectors/technology/web-attacks-increase-71-in-third-quarter-1.1930487

See the original post:
Web attacks increase 71% in third quarter

The big data era for DDoS protection has arrived

Avi Freedman discusses the use of big data to cope with the increasingly large scale DDoS attacks. If you weren’t aware of just how “big” DDoS has gotten, the recent attack on Dyn (hopefully) serves as a wake-up call. Within the last month we’ve seen multiple 500 Gbps+ attacks launched by competing IoT botnets. DDoS is now hyperscale! So if DDoS is so big, why are defensive solutions so small? By small, I mean based on relatively limited, single server architectures, rather than on cloud-scale technology. After all, if you search today for any sort of DDoS defence solution, you’re going to be looking nearly exclusively at a set of physical appliances. Even cloud-based DDoS services are based on stacks of appliances, just operated at service provider PoPs. One reason is there’s no practical way around using ASICs and network processors to perform the variety of packet and traffic flow inspections needed to “scrub” IP traffic clean of DDoS packets at high bit rates. However, scrubbing internet traffic of the bad stuff is just one half of the DDoS defence story.  Before you scrub, first you have to find the bad stuff . And the detection layer is where the “smallness” of traditional DDoS protection approaches has reached the end of the road. Appliance-based DDoS detection has hit its ceiling In the out of band DDoS protection architectures which are most common today, a detection appliance receives traffic summaries (NetFlow, sFlow, IPFIX) and BGP routing data detects attacks based on that inbound data, then signals to mitigation layers to scrub the traffic in question. The problem with this isn’t necessarily the overall architecture, but the detection appliance’s compute and storage limitations. A multi-core CPU with NxGB of RAM and some TB of storage is a lot of power for a laptop, but not so much when dealing with huge volumes of traffic flow data. It takes most of the compute power just converting binary wire to text/numeric data. So a ton of compromises must be made in analysing the data to detect attacks, leading to fairly substantial inaccuracies. Big data helps DDoS detection sccuracy The application of big data to DDoS detection is transformative for accuracy, based on two factors. The first factor is how comprehensively the data is examined. For example, to perform any kind of baselining, it’s common for appliances to have to segment traffic flow data based on which router exported the flow records. So let’s say a host IP is being hit by a DDoS attack, but it’s coming in via multiple routers. Instead of seeing a large bump of network-wide traffic going to that host, the detection appliance will see a small bump of traffic across several routers — none of which will trigger any alert or mitigation. A big data approach doesn’t have the computing constraints, so it can always look at network-wide traffic, and so it will naturally notice attacks that would otherwise get missed. The second factor has to do with automation. With compute-constrained appliances, administrators either have to manually configure and maintain many individual IP addresses to baseline, or worse, configure cumulative baselining against a CIDR block, which severely dilutes accuracy. With big data scale, it’s possible to have an adaptive approach to baselining, where the system continuously figures out the set of IPs that are “interesting” based on how much total traffic they’re receiving within a given segment of time, then baselines and evaluates them for anomalies. Overall, big data capabilities have proven to increase DDoS detection and mitigation accuracy by 30 percent or more. Of course, just knowing that big data helps doesn’t mean it’s necessarily easy to achieve. Not all of the many big data platforms and technologies are suitable for DDoS detection, and not all IT or network teams have time and expertise to build a system. Some keys to building big data-powered DDoS detection are to ensure that the system can ingest streaming flow data at high rates; plan sufficient storage to retain data for a relatively long period of time to allow for network-wide anomaly detection; and allow for ad-hoc queries so that there is flexibility both in detection policies as well as forensic analyses to cope with both known and zero-day exploits.  Despite these challenges, the good news is that big data technology, platforms and expertise are proliferating. DDoS is hyperscale, but big data can help defensive strategies scale to meet the challenge. Source: http://www.scmagazineuk.com/the-big-data-era-for-ddos-protection-has-arrived/article/569500/

See the article here:
The big data era for DDoS protection has arrived

Insufficient security measures still hinder cloud adoption

Security and privacy of data and systems in the cloud remains a top worry for 70% of IT professionals worldwide, up from 63% in 2015, according to a new Cloud Security Survey by Netwrix. The top three cloud security concerns in 2016 are unauthorized access (69%), malware (37%) and denial of service (DoS) attacks (34%). Cloud security concerns (up to 5) Even though cloud service providers make security a top priority, cloud computing is still … More ?

More:
Insufficient security measures still hinder cloud adoption

Analyzing the latest wave of mega attacks

A new report, using data gathered from the Akamai Intelligent Platform, provides analysis of the current cloud security and threat landscape, including insight into two record?setting DDoS attacks caused by the Mirai botnet. Nineteen DDoS attacks exceeded 100 Gbps, with six exceeding 200 Gbps DDoS attacks The two largest DDoS attacks this quarter, both leveraging the Mirai botnet, were the biggest observed by Akamai to-date – recorded at 623 Gbps and 555 Gbps. Compared to … More ?

See the article here:
Analyzing the latest wave of mega attacks

BlackNurse Attack Lets Lone Computers Take Down Whole Networks

DDoS attacks generally rely on big numbers to get results. Hundreds of thousands of devices, millions of IP addresses all unleashing coordinated blasts of data at another device to bring it to its knees. A BlackNurse denial-of-service attack doesn’t need a massive army of zombies to be effective. The BlackNurse attack is much more efficient than the DDoS attacks that crippled security researcher Brian Krebs’ website and the DNS servers at Dyn. Some recent DDoS attacks have seen traffic peak at more than 1 Tbps. A BlackNurse attack has the ability to disrupt by sending just a fraction of that volume. As little as 21 Mbps can be enough to take down a firewall, according to security firm Netresec. What’s different about BlackNurse that allows it to inflict so much damage with so little effort? It’s the type of traffic it utilizes. BlackNurse directs Internet Control Message Protocol (ICMP) packets, which have been used in other DDoS attacks in the past. BlackNurse uses a specific type — ICMP type 3 code 3. An attack from a single laptop could, theoretically, knock an entire business offline, though it’s not likely to be a very  large  business. In their blog post, Netresec calls out firewalls made by Cisco, Palo Alto Networks, Sonicwall, and Zyxel as being at risk. Most of the devices Netresec reports as being vulnerable to a BlackNurse attack (like the Cisco ASA 5506 and Zyxel Zywall USG50) were designed for small office or home office use. That said, TDC, a Denmark-based company that offers DDoS protection services to businesses, has seen enterprise-grade gear impacted. “We had expected that professional firewall equipment would be able to handle the attack,” they wrote, adding that they’ve seen around 100 of these attacks launched against their customers. TDC also notes that BlackNurse has the potential to create a lot of havoc. In Denmark’s IP space alone they discovered 1.7 million devices that respond to the ICMP requests that the BlackNurse attack leverages. If even a small percentage of those 1.7 million devices are vulnerable, the effects of a coordinated, large-scale attack could be disastrous. And that’s just Denmark. Source: http://www.forbes.com/sites/leemathews/2016/11/14/blacknurse-attack-lets-lone-computers-take-down-whole-networks/#6d27bd961999

More:
BlackNurse Attack Lets Lone Computers Take Down Whole Networks

5 major Russian banks repel massive DDoS attack

At least five Russian major banks came under a continuous hacker attack, although online client services were not disrupted. The attack came from a wide-scale botnet involving at least 24,000 computers, located in 30 countries. The attack began Tuesday afternoon, and continued for two days straight, according to a source close to Russia’s Central Bank quoted by RIA Novosti. Sberbank confirmed the DDoS attack on its online services. “The attacks are conducted from botnets, consisting of tens of thousands computers, which are located in tens of countries,”  Sberbank’s press service told RIA. The initial attack was rather massive and its power intensified over the course of the day. “We registered a first attack early in the morning … the next attack in the evening involved several waves, each of them was twice as powerful as the previous one. Bank’s cybersecurity noticed and located the attack in time. There have been no problems in client online services,”  Sberbank representative said. Alfabank has also confirmed the fact of the attack, but called it a  “weak”  one. “There was an attack, but it was relatively weak. It did not affect Alfabank’s business systems in any way,”  the bank told RIA Novosti. According to Russian computer security company Kaspersky Lab, more than a half of the botnet devices were situated in the US, India, Taiwan and Israel, while the attack came from 30 countries. Each wave of attack lasted for at least one hour, while the longest one went on for 12 hours straight. The power of the attacks peaked at 660 thousands of requests per second. Some of the banks were attacked repeatedly. “Such attacks are complex, and almost cannot be repelled by standard means used by internet providers,”  the news agency quoted Kaspersky Lab’s statement as saying. According to a source in Central Bank, the botnet behind the attack consists not only of computers, but also of the so-called Internet of Things (IoT) devices. Computer security experts note, that various devices ranging from CCTV cameras to microwaves, are prone to hacking and pose a significant threat when assembled into a botnet. Owners of such devices underestimate the risks and often do not even bother to change a default password. A massive botnet, able to send more than 1.5Tbps and consisting of almost 150 thousands of CCTV cameras has been reportedly uncovered in September. According to Kaspersky Lab, it was the first massive attack on Russian banks this year. The previous attack of such a scale came in October 2015, when eight major banks were affected. Source: https://www.rt.com/news/366172-russian-banks-ddos-attack/

Read More:
5 major Russian banks repel massive DDoS attack

How to avoid DDoSing yourself

Google engineers offer guidance to keep application developers from shooting themselves in the foot. In the wake of the last month’s distributed denial of service (DDoS) attack against Dyn, a DNS management service, Google engineers want to remind application developers that self-harm represents a more realistic risk.…

More here:
How to avoid DDoSing yourself

How hackers could wreak havoc on the US election

AS VOTES are counted and polls close across America, security experts have warned that hackers could disrupt the presidential election process. “Anything that unsettles the election process would be a complete disaster,” explained Stephen Gates, chief research intelligence analyst at security specialist NSFOCUS. “Misinformation on exit polls, widespread internet and media outages, and delays in reporting could seriously impact people’s desire to vote and even worse — trust the results.” Mr Gates pointed to the mysterious cyber attacks that recently snarled East Coast Web traffic as evidence of hackers’ ability to cause disruption. A number of major sites including Twitter, Netflix, Spotify and Reddit were impacted by the October 21 distributed denial of service attacks (DDoS), on internet services company Dyn. DDoS attacks, which often occur when a hacker “floods” a network with information, are a popular method for disrupting websites and services. Mr Gates warned that, in addition to large DDoS attacks on internet infrastructure, online news and media outlets, attackers could target voter registration systems by launching smaller attacks on individual polling centres. “Many of these verification systems are likely online and need to access state databases where voter registration and verification is required to cast a vote,” he said. “Attacks against registered voter databases themselves would also be highly likely.” DDoS attacks and bogus election posts could also flood social media sites and spread misinformation, he warned, noting that so-called ‘man-in-the-middle’ attacks against polling centres as they report their final numbers to collection centres are also possible. In a man-in-the-middle attack a hacker secretly intercepts, and potentially alters, information as it is sent between two parties.  Roger Kay, president of Endpoint Technologies Associates, also sees a potential DDoS threat. “I have considered it a real possibility, not only are the cyber tools available, but the motivation is there as well, from anyone — they could be state actors, they could be malicious hackers.” Hackers, for example, could use the internet of Things, where even household devices are web-enabled, as a launch pad for their attacks, according to Mr Kay. The analyst, however, notes that major DDoS attacks are difficult for hackers to sustain, and also cites the low-tech nature of some US election infrastructure. “If you look at the safety of the democratic structure, there’s all these decentralised activities, many of which are paper[-based].” Nonetheless, a Department of Homeland Security report obtained by FoxNews.com warns that parts of America’s election infrastructure are vulnerable to cyber attack. While the risk to computer-enabled election systems varies from county to county, targeted attacks against individual voter registration databases are possible, it said. One technology being touted as a potential solution to cyber threats and voter fraud is blockchain. Blockchain, which uses a decentralised security protocol, could be used to safely record and transmit votes. Because blockchain messages are distributed and not kept in one central location, they are very difficult to tamper with, say experts. “The technology could be used to prevent voter fraud (e.g., multiple votes by a single person) through use of private keys for each voter and storage of votes on an immutable blockchain ledger,” Joe Guagliardo, chair of the Blockchain Technology Group at law firm Pepper Hamilton, in an email to FoxNews.com. “Once the vote has been cast and verified, it cannot be changed without verification by all of the nodes in the network (potentially millions or more) — fraudulent activity would require computational power to overcome the resources of the collective nodes in the net.” Source: http://www.ntnews.com.au/technology/how-hackers-could-wreak-havoc-on-the-us-election/news-story/4f732c684f8f14eeee46e82641bcd5f8

More:
How hackers could wreak havoc on the US election