Category Archives: Security Websites

Are you Ready for These 26 Different Types of DDoS Attacks?

The scourge of distributed denial-of-service (DDoS) attacks has been a major concern for businesses and governments for more than two decades. First reported in 1996, this is a destructive and ever-evolving vector of cyber raids that knocks electronic networks offline by flooding them with traffic they can’t handle. Not only is DDoS a way for hacktivists to manifest protest against Internet censorship and controversial political initiatives, but it’s also a goldmine of opportunities for achieving strictly nefarious goals. For instance, the latest tweak in this epidemic is what’s called “ransom DDoS,” a technique used to extort money from organizations in exchange for discontinuing a massive incursion.

A big hurdle to thwarting the DDoS phenomenon is that it’s heterogeneous and spans a variety of different tactics. To begin with, there are three overarching categories of these attacks that form the backbone of this ecosystem:

Volume-based (volumetric) attacks are the “classic” ones that congest a target network’s bandwidth with a hefty amount of traffic packets.

Protocol attacks are aimed at exhausting server or firewall resources.

Application layer (layer 7 DDoS) attacks zero in on specific web applications rather than the whole network. These are particularly hard to prevent and mitigate while being relatively easy to orchestrate.

Furthermore, there are dozens of sub-types that fall into one of the above generic groups but exhibit unique characteristics. Here’s a complete breakdown of the present-day DDoS attack methods.

1. SYN Flood

This attack exploits the TCP three-way handshake, the procedure used to establish any connection between a client, a host, and a server using the TCP protocol. Normally, a client submits a SYN (synchronize) message to the server to request a connection. When a SYN Flood attack is underway, criminals send a plethora of these messages from a spoofed IP address. As a result, the receiving server becomes incapable of processing and storing so many SYN packets and denies service to real clients.

2. LAND attack

To perform a Local Area Network Denial (LAND) attack, a threat actor sends a fabricated SYN message in which the source and destination IP addresses are the same. When the server tries to respond to this message, it gets into a loop by recurrently generating replies to itself. This leads to an error scenario, and the target host may eventually crash.

3. SYN-ACK Flood

The logic of this attack vector is to abuse the TCP communication stage where the server generates a SYN-ACK packet to acknowledge the client’s request. To execute this onslaught, crooks inundate the CPU and RAM resources of the server with a bevy of rogue SYN-ACK packets.

4. ACK & PUSH ACK Flood

Once the TCP three-way handshake has resulted in establishing a connection between a host and a client, ACK or PUSH ACK packets are sent back and forth until the session is terminated. A server targeted by this type of DDoS attack cannot identify the origin of falsified packets and wastes all of its processing capacity trying to determine how to handle them.

5. Fragmented ACK Flood

This attack is a knockoff of the above-mentioned ACK & PUSH ACK Flood technique. It boils down to deluging a target network with a comparatively small number of fragmented ACK packets that have a maximum allowed size, usually 1500 bytes each. Network equipment such as routers ends up running out of resources trying to reassemble these packets. Furthermore, fragmented packets can slip below the radar of intrusion prevention systems (IPS) and firewalls.

6. Spoofed Session Flood (Fake Session Attack)

In order to circumvent network protection tools, cybercriminals may forge a TCP session more efficiently by submitting a bogus SYN packet, a series of ACK packets, and at least one RST (reset) or FIN (connection termination) packet. This tactic allows crooks to get around defenses that only keep tabs on incoming traffic rather than analyzing return traffic.

7. UDP Flood

As the name suggests, this DDoS attack leverages multiple User Datagram Protocol (UDP) packets. For the record, UDP connections lack a handshaking mechanism (unlike TCP), and therefore the IP address verification options are very limited. When this exploitation is in full swing, the volume of dummy packets exceeds the target server’s maximum capacity for processing and responding to requests.

8. DNS Flood

This one is a variant of UDP Flood that specifically homes in on DNS servers. The malefactor generates a slew of fake DNS request packets resembling legitimate ones that appear to originate from a huge number of different IP addresses. DNS Flood is one of the hardest denial-of-service raids to prevent and recover from.

9. VoIP Flood

This is a common form of UDP Flood that targets a Voice over Internet Protocol (VoIP) server. The multitude of bogus VoIP requests sent from numerous IP addresses drains the victim server’s resources and knocks it offline at the end of the day.

10. NTP Flood (NTP Amplification)

Network Time Protocol (NTP), one of the oldest networking protocols, tasked with clock synchronization between electronic systems, is at the core of another DDoS attack vector. The idea is to harness publicly accessible NTP servers to overload a target network with a large number of UDP packets.

11. CHARGEN Flood

Like NTP, the Character Generator Protocol (CHARGEN) is an oldie whose emergence dates back to the 1980s. In spite of this, it is still being used on some connected devices such as printers and photocopiers. The attack comes down to sending tiny packets containing a victim server’s fabricated IP to devices with the CHARGEN protocol enabled. In response, the Internet-facing devices submit UDP packets to the server, thus flooding it with redundant data.

12. SSDP Flood

Malefactors can exploit networked devices running Universal Plug and Play (UPnP) services by executing a Simple Service Discovery Protocol (SSDP) reflection-based DDoS attack. On a side note, SSDP is embedded in the UPnP protocol framework. The attacker sends small UDP packets with a spoofed IP address of a target server to multiple devices running UPnP. As a result, the server is flooded with requests from these devices to the point where it goes offline.

13. SNMP Flood (SNMP Amplification)

Tasked with harvesting and arranging data about connected devices, the Simple Network Management Protocol (SNMP) can become a pivot of another attack method. Cybercriminals bombard a target server, switch, or router with numerous small packets coming from a fabricated IP address. As more and more “listening” devices reply to that spoofed address, the network cannot cope with the immense quantity of these incoming responses.

14. HTTP Flood

When executing an HTTP Flood DDoS attack, an adversary sends ostensibly legitimate GET or POST requests to a server or web application, siphoning off most or all of its resources. This technique often involves botnets consisting of “zombie” computers previously contaminated with malware.

15. Recursive HTTP GET Flood

To perpetrate this attack, a malicious actor requests an array of web pages from a server, inspects the replies, and iteratively requests every website item to exhaust the server’s resources. The exploitation looks like a series of legitimate queries and can be difficult to identify.

16. ICMP Flood

Also referred to as Ping Flood, this incursion aims to inundate a server or other network device with numerous spoofed Internet Control Message Protocol (ICMP) echo requests or pings. Having received a certain number of ICMP pings, the network responds with the same number of reply packets. Since this capability to respond is finite, the network reaches its performance threshold and becomes unresponsive.

17. Misused Application Attack

Instead of using spoofed IP addresses, this attack parasitizes legitimate client computers running resource-intensive applications such as P2P tools. Crooks reroute the traffic from these clients to the victim server to bring it down due to excessive processing load. This DDoS technique is hard to prevent as the traffic originates on real machines previously compromised by the attackers.

18. IP Null Attack

This one is carried out by sending a slew of packets containing invalid IPv4 headers that are supposed to carry transport layer protocol details. The trick is that threat actors set this header value to null. Some servers cannot process these corrupt-looking packets properly and waste their resources trying to work out how to handle them.

19. Smurf Attack

This one involves a malware strain called Smurf to inundate a computer network with ICMP ping requests carrying a spoofed IP address of the target. The receiving devices are configured to reply to the IP in question, which may produce a flood of pings the server can’t process.

20. Fraggle Attack

This DDoS technique follows a logic similar to the Smurf Attack, except that it deluges the intended victim with numerous UDP packets rather than ICMP echo requests.

21. Ping of Death Attack

To set this raid in motion, cybercrooks poison a victim network with unconventional ping packets whose size significantly exceeds the maximum allowed value (64 bytes). This inconsistency causes the computer system to allocate too many resources for reassembling the rogue packets. In the aftermath of this, the system may encounter a buffer overflow or even crash.

22. Slowloris

This attack stands out from the crowd because it requires very low bandwidth and can be fulfilled using just one computer. It works by initiating multiple concurrent connections to a web server and keeping them open for a long period of time. The attacker sends partial requests and complements them with HTTP headers once in a while to make sure they never reach completion. As a result, the server’s capability to maintain simultaneous connections is drained and it can no longer process connections from legitimate clients.

23. Low Orbit Ion Cannon (LOIC)

Originally designed as a network stress testing tool, LOIC can be weaponized in real-world DDoS attacks. Coded in C#, this open-source software deluges a server with a large number of packets (UDP, TCP, or HTTP) in an attempt to disrupt a target’s operation. This onslaught is usually backed by a botnet consisting of thousands of machines and coordinated by a single user.

24. High Orbit Ion Cannon (HOIC)

HOIC is a publicly accessible application that superseded the above-mentioned LOIC program and has a much bigger disruptive potential than its precursor. It can be used to submit a plethora of HTTP GET and POST requests to a server concurrently, which ends up knocking a target website offline. HOIC can affect up to 256 different domains at the same time.

25. ReDoS

ReDoS stands for “regular expression denial-of-service.” Its goal is to overburden a program’s regular expression implementation with instances of highly complex string search patterns. A malicious actor can trigger a regular expression processing scenario whose algorithmic complexity causes the target system to waste superfluous resources and slow down or crash.

26. Zero-Day DDoS

This term denotes an attack that takes advantage of uncatalogued vulnerabilities in a web server or computer network. Unfortunately, such flaws surface off and on, making prevention a more challenging task.

A Serious Threat

Although distributed denial-of-service is an old-school attack vector, it continues to be a serious threat to organizations. The monthly number of such attacks exceeds 400,000. To top it off, cybercriminals keep adding new DDoS mechanisms to their repertoire, and security providers aren’t always prepared to tackle them. Another unnerving thing is that some techniques, including Low and High Orbit Ion Cannon, are open source and can be leveraged by wannabe criminals who lack tech skills. Such an attack may get out of hand and go way beyond the intended damage.

To prevent DDoS attacks and minimize their impact, businesses should learn to proactively identify the red flags; have an appropriate response plan in place; make sure their security posture has no single point of failure; and continuously work on strengthening the network architecture.

Source: https://www.securitymagazine.com/articles/92327-are-you-ready-for-these-26-different-types-of-ddos-attacks
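As an added illustration (not code from the article or its source), here is a defender-side heuristic that flags the first two attack types above, SYN Flood and LAND, in connection records; the record layout, the sample traffic and the thresholds are constructed assumptions.

```python
"""Heuristic detection of SYN Flood (many half-open handshakes per
destination) and LAND (SYN whose source equals its destination).
Record layout is an assumption: (timestamp_seconds, src_ip, dst_ip, flags)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: float    # capture time in seconds
    src: str
    dst: str
    flags: str   # any of "S" (SYN), "A" (ACK), "F" (FIN), "R" (RST)


def is_land(e: Event) -> bool:
    """LAND: a bare SYN whose source address equals its destination."""
    return "S" in e.flags and "A" not in e.flags and e.src == e.dst


def find_syn_floods(events, window=10.0, min_syns=50, max_half_open=0.5):
    """Bucket traffic into `window`-second slots per destination. A source
    that sends a bare SYN starts a handshake; a later bare ACK from the same
    source completes it. A slot with at least `min_syns` handshakes of which
    more than `max_half_open` stay half-open is reported as a suspected flood."""
    started = defaultdict(set)    # (dst, slot) -> sources that sent a SYN
    completed = defaultdict(set)  # (dst, slot) -> sources that later ACKed
    for e in sorted(events, key=lambda ev: ev.ts):
        key = (e.dst, int(e.ts // window))
        if "S" in e.flags and "A" not in e.flags:
            started[key].add(e.src)
        elif e.flags == "A" and e.src in started.get(key, ()):
            completed[key].add(e.src)
    findings = {}
    for key, srcs in started.items():
        half_open = srcs - completed[key]
        ratio = len(half_open) / len(srcs)
        if len(srcs) >= min_syns and ratio > max_half_open:
            findings[key] = {"syns": len(srcs), "half_open": len(half_open),
                             "ratio": round(ratio, 2)}
    return findings


def find_land(events):
    """Return (address, timestamp) for every LAND-style packet seen."""
    return [(e.src, e.ts) for e in events if is_land(e)]


# Constructed sample: 20 clients complete handshakes with 10.0.0.5 while 200
# spoofed sources send only SYNs; 10.0.0.9 sees only legitimate traffic; one
# LAND packet is addressed from 10.0.0.7 to itself.
SAMPLE = []
for i in range(20):
    SAMPLE.append(Event(1.0 + i * 0.1, f"192.0.2.{i + 1}", "10.0.0.5", "S"))
    SAMPLE.append(Event(1.5 + i * 0.1, f"192.0.2.{i + 1}", "10.0.0.5", "A"))
for i in range(200):
    SAMPLE.append(Event(2.0 + i * 0.01, f"198.51.100.{i + 1}", "10.0.0.5", "S"))
for i in range(5):
    SAMPLE.append(Event(4.0 + i, f"203.0.113.{i + 1}", "10.0.0.9", "S"))
    SAMPLE.append(Event(4.2 + i, f"203.0.113.{i + 1}", "10.0.0.9", "A"))
SAMPLE.append(Event(6.0, "10.0.0.7", "10.0.0.7", "S"))

if __name__ == "__main__":
    for (dst, slot), info in find_syn_floods(SAMPLE).items():
        print(f"SYN flood suspected at {dst} (slot {slot}): {info}")
    for src, ts in find_land(SAMPLE):
        print(f"LAND packet from/to {src} at t={ts}")
```

Real flow exporters include ports, so a production version would key handshakes on the full 4-tuple rather than the source address alone.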


You’re a botnet, you’ve got a zero-day, so where do you go? After fiber, because that’s where the bandwidth is

Two-step attack seen on core systems

Researchers are warning owners of fiber routers to keep a close eye on their gear and check for firmware updates following the discovery of an in-the-wild zero-day attack.…


Are your MS SQL servers part of a cryptomining botnet? Check now!

For the last two years or so, attackers have been infecting and reinfecting poorly secured MS SQL servers, booting other criminals’ malware from them and exploiting their compute power to mine Vollar and Monero cryptocurrency. 61.5 percent of the infected machines get cleaned up by administrators and IT security teams within two days, and the rest within three to 14 days, but, according to Guardicore Labs researchers, 10 percent of the victims end up reinfected, … The post Are your MS SQL servers part of a cryptomining botnet? Check now! appeared first on Help Net Security.


Cyber Warfare Doesn’t Take a Break During Coronavirus Season

US Health Agencies Are Fending off DDoS Attacks and Disinformation Campaigns in the Midst of a Pandemic

Unfettered by social distancing measures or economic concerns, cyber threat actors are taking full advantage of opportunities created by the coronavirus pandemic. United States health agencies are being tested by distributed denial of service (DDoS) attacks and social media disinformation campaigns as they scramble to respond to an unprecedented viral outbreak, and these attacks are thought to be backed by a hostile foreign government.

Federal health agency hit with DDoS attack

A large-scale DDoS attack was directed at the U.S. Health and Human Services Department sometime around March 15. A spokesperson for the National Security Council stated that the attack did not do any substantial damage and that the networks are being “continuously monitored” to mitigate any future attempts. The DDoS attack involved millions of requests on the health agency’s servers over a period of several hours. A Health and Human Services spokesperson indicated that the government does not know who was behind the attack, but suspects a foreign government. The DDoS attack did not involve any network compromise, nor did it significantly slow down operations. The spokesperson indicated that the agency has put unspecified “extra protections” in place going forward.

Fake texts and tweets part of organized disinformation campaign

In addition to the DDoS attack, the National Security Council indicated that there is an ongoing disinformation campaign intended to sow fear and confusion in the American public that focuses on the health agencies. This is also believed to be backed by a foreign government. The agency warns about fake text messages that claim a mandatory national quarantine or lockdown is imminent. This disinformation campaign is also circulating widely on social media platforms such as Twitter and Facebook, and usually involves someone claiming they heard about imminent National Guard mobilization for a lockdown from some sort of friend or family member with inside information.

The most damaging aspect of the disinformation campaign was a hack that managed to penetrate emergency MMS and SMS text-messaging systems used in a number of different cities in the US, which occurred just after Italy opted to lock down the entire country. The attackers sent out a bogus “warning” message claiming that public and emergency services were about to be shut down due to the coronavirus. These messages did not initially get out to the general public on a large scale, but did make their way to various emergency services personnel in a number of major cities including Boston, Washington DC and New York City.

There is no indication at present that a national quarantine or lockdown is being considered. Such a move would be logistically difficult and extremely unpopular politically. While President Trump has mentioned that the possibility has been discussed, he has also signaled a desire to avoid action of this sort by the federal government on several occasions. During his March 21 briefing, Trump indicated that the government is focusing on action in coronavirus “hot zones” and that a national shutdown was not being seriously considered at the time.

Perpetrators, motives and methods

The assumption that a foreign government is behind these cyber incidents is primarily based on the lack of any sort of profit motive behind shutting down health agency servers or spreading false rumors on social media. While the rumors could potentially be used to manipulate stock prices in an indirect way, it seems more likely that this is a coordinated effort given that the DDoS attack and the disinformation campaign emerged at about the same time. Anonymous officials told ABC News that they believe Russia or China are the most likely perpetrators. This would not at all be a surprising move by either of these American adversaries, but particularly not for Russia. Russian “troll farms” that use fake social media accounts to pose as Americans and stir up dissent and division have been making the news since the widespread interference in the 2016 election, but have likely been working for over a decade now. This sort of disinformation campaign is precisely their MO.

Any state-sponsored threat actor is capable of using a botnet, but DDoS attacks against other countries have been the hallmark of two particular hacking groups in recent years: APT 28, aka Russia’s infamous “Fancy Bear” group, and APT 33 (Elfin Team) out of Iran.

Greg Wendt, Executive Director of Appsian, points out that though these health agencies have been successfully able to mitigate DDoS attacks they may be ripe for more targeted and sophisticated breach attempts: “… government institutions such as the HHS are key targets for cyberattacks, and given that the government has many applications and systems that were written and developed 35-40 years ago, the process to modernize and transform the critical nature of data is a lengthy one and not a process that can be successfully done overnight.”

New challenges for both government and private industry

The cyber challenges posed by the coronavirus outbreak are not limited to health agencies. Private industry and individuals can also expect online predators to attempt to take advantage of the situation. Thomas Hatch, CTO and Co-Founder at SaltStack, a Lehi, Utah-based provider of intelligent IT automation software, foresees an inevitable increase in attacks on certain business sectors: “Petty thieves will assume that classical attacks are going to be more effective because cyber defense staffing is likely distracted right now dealing with the influx of issues that come from a demand shift for specific services. Organized groups are likely empowered by the situation and will want to take advantage of it. They can attack specific services, particularly financial institutions because of the overall distracted nature of the defenders.”

Leading security firm Crowdstrike is reporting a significant increase in activity in phishing campaigns concurrent with global implementation of coronavirus restrictions. Early examples that have been spotted in the wild have promised free vaccines or offers of charity relief. Some targeted attacks on health care organizations have claimed to be related to shipments of ventilators or personal protective equipment. Hackers are also commonly attempting to pose as a legitimate health agency such as the WHO or CDC. In addition to targeted cyber attacks, everyone should be on heightened alert for messages tied to disinformation campaigns being spread throughout all sorts of public forums online.

Source: https://www.cpomagazine.com/cyber-security/cyber-warfare-doesnt-take-a-break-during-coronavirus-season-us-health-agencies-are-fending-off-ddos-attacks-and-disinformation-campaigns-in-the-midst-of-a-pandemic/


Zyxel NAS, firewalls and LILIN DVRs and IP cameras conscripted into IoT botnets

A wide variety of Zyxel and LILIN IoT devices are being conscripted into several botnets, researchers have warned. Users are advised to implement the provided firmware updates to plug the security holes exploited by the botmasters or, if they can’t, to stop using the devices altogether or to put them behind network firewalls.

Zyxel devices affected

According to Palo Alto Networks’ Unit 42, botmasters using a new Mirai strain dubbed Mukashi are exploiting CVE-2020-9054, a … The post Zyxel NAS, firewalls and LILIN DVRs and IP cameras conscripted into IoT botnets appeared first on Help Net Security.


DDoS attacks could affect next generation 911 call systems

Despite a previous warning by Ben-Gurion University of the Negev (BGU) researchers, who exposed vulnerabilities in 911 systems to DDoS attacks, the next generation of 911 systems that now accommodate text, images and video still have the same or more severe issues. In the study the researchers evaluated the impact of DDoS attacks on the current (E911) and next generation 911 (NG911) infrastructures in North Carolina. The research was conducted by Dr. Mordechai Guri, … The post DDoS attacks could affect next generation 911 call systems appeared first on Help Net Security.


Microsoft nukes 9 million-strong Necurs botnet after unpicking domain name-generating algorithm

Takedown should (in theory) see spam volumes shrink rapidly

Microsoft has bragged of downing a nine million-strong Russian botnet responsible for vast quantities of email spam.…


Hackers are getting hacked via trojanized hacking tools

Someone has been trojanizing a wide variety of hacking tools to compromise the machines of hackers who want to use the tools for free, Cybereason researcher Amit Serper has revealed. “We have found a widespread hacking campaign that uses the njRat trojan to hijack the victim’s machine, giving the threat actors complete access that can be used for anything from conducting DDoS attacks to stealing sensitive data,” he shared.

About the trojanized hacking tools

The … The post Hackers are getting hacked via trojanized hacking tools appeared first on Help Net Security.


Ransomware getting more fearsome, but there’s reason for optimism

Cybercriminals continued a barrage of attacks in 2019, spurred on by botnets of infected IoT devices and by attacker interest in the Eternal Blue vulnerability. A report from F-Secure documents a steep increase in attack traffic in 2019 that was unmatched by previous years. There were 2.8 billion attack events in the second half of the year. After 2.9 billion in the first half of the year, the yearly total rings in at 5.7 … The post Ransomware getting more fearsome, but there’s reason for optimism appeared first on Help Net Security.


Week in review: The future of DNS security, acquiring cyber talent in 2020, new issue of (IN)SECURE

Here’s an overview of some of last week’s most interesting news and articles:

Shadow IT accounts with weak passwords endanger organizations

63% of enterprise professionals have created at least one account without their IT department being aware of it, and two-thirds of those have created two or more, the results of a recent 1Password survey have revealed.

12,000+ Jenkins servers can be exploited to launch, amplify DDoS attacks

A vulnerability (CVE-2020-2100) in 12,000+ internet-facing Jenkins … The post Week in review: The future of DNS security, acquiring cyber talent in 2020, new issue of (IN)SECURE appeared first on Help Net Security.
