Tag Archives: ddos-attacks

Canadian Government Websites Inaccessible Following DDoS attack

Around 1:30 pm ET on Tuesday afternoon, Canadian government websites became inaccessible due to a denial-of-service attack, The Globe and Mail reported. The attack affected industry, employment, national resources, fisheries and oceans, justice, labor, foreign affaisr, environment and transportation related websites. A denial-of-service attack, sometimes called a DOS attack, occurs when hackers flood a website with traffic, essentially leaving it unusable to normal users hoping to browse the site. It is unclear why Canada’s government websites faced this attack or who the hackers are. Source: http://www.newsweek.com/canadian-government-websites-inaccessible-following-denial-service-attack-344002

Link:
Canadian Government Websites Inaccessible Following DDoS attack

DDoS Attack on Voat due to Reddit

Voat was just a small Reddit knock-off before last week — but now it’s becoming overloaded as people threaten to leave the bigger site So many people are leaving Reddit that its closest competitor crashed and had to ask for donations to stay up. Many users of the site protested and left when last week it banned five subreddits for harassment. And since, users have been making good on threats to leave the site — going instead to a Swiss clone of the site, Voat. That site look almost exactly the same as Reddit, and features many of the same communities. But it is committed to a rule of “no censorship” — previously Reddit’s attitude, but one that it has moved away from as it has attempted to reduce the harassment and abuse on the site. So many people have moved to the Swiss knock-off that it has been down entirely many times since the Reddit bans. In response, the site asked for donations in bitcoin to pay for extra technology to keep the site up. That doesn’t seem to have worked, and the site says that it is now under a distributed denial of service attack, where users send a flood of requests to a website to take it down. But despite the problems, the site now has more than twice as many users as it did late last mnth, according to the site’s Twitter account. It had over 96,000 registered users last night, it said — far from the 172 million unique visitors that went to Reddit in the last month, but up many times over recent weeks. Voat’s founder said that the site was “not ready for such a huge influx of new users” and that it hadn’t “prepared for such a large and sudden increase either”. “We are sorry to see Reddit change like this, in this way, in such an accelerated fashion,” Atko wrote. “We would have never anticipated such events.” Source: http://www.independent.co.uk/life-style/gadgets-and-tech/news/reddit-alternative-breaks-because-so-many-people-leave-site-after-harassment-scandal-10321474.html

Anonymous Hijacks Thousands of Insecure Routers to Power Its DDoS Tools

Lack of some elementary security measures can risk your router’s security and this has stemmed to grow into a large-scale denial-of-service (DDoS) attacks using these hacker-controlled routers. A web security firm Incapsula has discovered a new router based botnet Mr Black while investigating some DDoS attacks against its customers since this December. Hackers exploited routers’ negligent security measures to launch these attacks all over the world. According to this report published by the security firm, the routers made by Ubiquiti Networks had DDoS malware installed on them. The routers were not hacked due to some vulnerability in the hardware. Instead, it happened because of the deployment of the router in an insecure manner that exposed their management interfaces using the default credentials over SSH and HTTP. The routers that were inspected were found to have 4 versions of Mr Black, a DDoS program and altogether thirty-seven variations of Mr Black were detected. Other DDoS programs included DoFloo, Mayday and Skynet (a remote sensing tool). In some earlier versions of the report, Incapsula said that it believed that the hacktivist group Anonymous was one of the few groups those used the compromised routers. It is yet not clear that why Anonymous was highlighted in the report, but it is certain that few people who call themselves “Anonymous” were using the routers. The original article on the Daily Dot was edited to remove the fact that botnet directs to irc (dot) anonops (dot) com. Total 40,269 different IP addresses were detected from 1,600 ISPs spread across 109 countries. The main affected countries were Thailand (64%), Brazil (21%), United States (4%) and India (3%). To control these routers, 60 servers were hacked and majority of these were in China and the U.S. To save themselves from the DDoS attacks, users must make sure that their routers’ management interfaces aren’t exposed over HTTP or SSH to the internet. They can also use some tools available to scan their router’s IP for open ports and change their default login credentials. With inputs from Anon.hq Source: http://omdpatel.blogspot.tw/2015/06/anonymous-hijacks-thousands-of-insecure.html

Cost to launch DDoS attack from botnets for hire

Could you pass up a $40,000 return on a $20 investment? Odds are you couldn’t if you enjoy wreaking havoc on a business. New research released today by Incapsula shows distributed denial of service (DDoS) assaults continue to be expensive nuisances for online businesses — and that the attacks can be launched from botnets-for-hire for around $38 a month. A DDoS attack costs a business $40,000 per hour in terms of lost business opportunities, loss of consumer trust, data theft, intellectual property loss and more, Incapsula estimates. When you consider top attacks last for days and that half of all targets are repeatedly hit, it’s easy to see how quickly costs escalate. A Lot for a Little “What is most disconcerting is that many of these smaller assaults are launched from botnets-for-hire for just tens of dollars a month. This disproportion between attack cost and damage potential is the driving force behind DDoS intrusions for extortion and vandalism purposes,” the security firm noted in its 2015 DDoS Threat Landscape Report (registration required). Last year Incapsula reported a 240 percent increase in DDoS activity. This year, although DDoS activity is still rising, Incapsula highlighted shifts in the methods, length and types of attacks. Incapsula defines an attack as a persistent DDoS event against the same target (IP address or domain). It is preceded by a quiet (attack free) period of at least 10 minutes and succeeded by another such period of the same duration or longer. The study differentiates between network layer and application layer attacks. These definitions refer to the Open Systems Interconnection model (OSI Model), which conceptualizes the process of data transmission by segmenting packets into seven layers. Network layer attacks target the network and transport layers (OSI layers 3 and 4), while application layer attacks target OSI layer 7. The analysis is based on data from 1,572 network layer and 2,714 application layer DDoS attacks on websites using Imperva Incapsula services from March 1 through May 7. “Assaults against network infrastructures continue to grow in size and duration. Those aimed at applications are both long in duration and likely to be repetitive. The upshot for organizations of all sizes is that simply weathering the storm is no longer a viable strategy — the impact will be big, durable and likely recurring,” the report notes. On That Depressing Note Here are a few of the report’s key findings: Once a target, always a target: 20 percent of websites are attacked more than five times DDoS attacks can last a long time: While 71 percent of all network layer attacks last under three hours, more than 20 percent last more than five days Some attacks are exceptionally long: The longest attack was 64 days DDoS for hire is more readily available than ever: Botnet-for-hire fingerprints are on roughly 40 percent of all attacks Five countries create most DDoS botnet traffic : 56 percent of DDoS bot traffic emerged from China, Vietnam, US, Brazil and Thailand What’s a Botnet-for-Hire? Opportunistic cybercriminals have the botnet-for-hire business model, a subscription scheme that provides each user with limited access to the botnet resources (usually for a cumulative duration of no more than 60 minutes per month). “During these short periods, individuals with little or no DDoS skill are able to execute assaults using one of the few available scripts (which are reminiscent of our definition of attack vectors),” the report notes. The average cost to rent-a-botnet for an hour each month through a DDoS subscription package is around $38, with fees as low as $19.99. The takeaway: It costs very little to bring down a website. “Perhaps putting a price tag on the damage caused by such services will bring more public attention to their activity, and to the danger posed by the shady economy behind DDoS attacks,” the report notes. Source: http://www.cmswire.com/information-management/you-can-bring-down-a-website-for-38/

Continue Reading:
Cost to launch DDoS attack from botnets for hire

How Visual Basic Broke Modern Python: Welcome to the World of High Orbit Ion Cannon

In 2012, Anonymous introduced HOIC (high orbit ion cannon) as a replacement to LOIC (low orbit ion cannon). Unlike its predecessors, that were built upon C#, and later java. This new DDoS player was built upon the unsuspecting language of Visual Basic. Taught in high school classrooms, Visual Basic was largely seen by the programming community as a means for kids and young programmers to get their feet wet in the experience of programming. Considered by many programmers as grossly inefficient and a memory hog; Visual Basic was an unsuspected carrier for what would become one of the most powerful means of DDoS. One of the popular notions of HOIC has been its ability to randomize variables such as: user agent, referrer and URI, during an attack. In the same manner, an attack tool known as HULK (developed by: Barry Shteiman, 2012), written in Python, was developed in recent history. Within a controlled environment we tested these DDoS tools to judge their effectiveness and total output. In controlled trials the DDoS output of LOIC (Visual Basic on Windows) outperforms the DDoS output HULK (Python on Linux) by +40%. Figure 1: HOIC Test in Stable Windows Environment Figure 2: HULK Test While many of us in the Internet security industry ridicule and downplay the “kiddie hacker;” it is clear that it sometimes only takes a kiddie to build an empire. Lessons in open source economics teach us that in an open access environment, it takes only a small few to bring about radical change and innovation. Today HOIC has become one of the primary tools of groups such as anonymous. From this lesson, we can expect that challenges and sudden changes, will not come from those paid hundreds of thousands a year; but from those small few kiddies, whom are politically motivated and are paid nothing. Source: http://www.dosarrest.com/ddos-blog/how-visual-basic-broke-modern-python-welcome-to-the-world-of-high-orbit-ion-cannon/

Continued here:
How Visual Basic Broke Modern Python: Welcome to the World of High Orbit Ion Cannon

South Africa a target for DDoS

South Africa is the most targeted country in Africa when it comes to distributed denial-of-service (DDOS) attacks. This was revealed by Vernon Fryer, chief technology security officer at Vodacom, in a keynote address during ITWeb Security Summit 2015, in Midrand, this morning. In computing, a DDOS attack is an attempt to make a machine or network resource unavailable to its intended users. Such an attack generally consists of efforts to temporarily or indefinitely interrupt or suspend services of a host connected to the Internet. Fryer was speaking with reference to statistics from the Vodacom Cyber Intelligence Centre, which the company established eight years ago to analyse the threat landscape on the African continent. He revealed over the past 18 months, there has been a marked increase in DDOS attacks on the continent, with a typical attack averaging 9Gbps. “There has been about a 150% increase in the number of DDOS [attacks] in the last 18 months in Africa,” he said. In terms of the number of attacks, Kenya, Uganda, Algeria, Nigeria and Tanzania respectively come after SA, said Fryer, pointing to the analysis done by the Vodacom Cyber Intelligence Centre last Thursday. According to Fryer, the majority of in-bound traffic to SA emanated mainly from China, Germany, Brazil, Vietnam, Russia, Cyprus, Turkey, Switzerland, Canada and the US. However, he noted, it was surprising Switzerland and Canada were featuring on the list this year, something never witnessed previously. Another unexpected trend showed traffic coming from Swaziland, he added, pointing out the growing number of Chinese communities in the country could be a reason for this spike. Describing some of the attack vectors cyber criminals were making use of in the region, Fryer pointed to scareware, ransomware, fake anti-virus, as well as TDSS Rootkit, among others. The trending malware included KINS Trojan, Skypot, VirRansom, SpyEye Trojan and the Chameleon Botnet. With regard to ransomware attacks in Africa, Tanzania is the most attacked on the African continent, Fryer said. He also noted the trending hacker groups in Africa include Anonymous, also known as the Lizard Squad, the Syrian Electronic Army, as well as the Yemen Cyber Army. Faced with the rise in the level and sophistication of attacks, Fryer said organisations need to constantly monitor the behaviour of their firewalls. Typically, he said, organisations take about five years without monitoring their firewall. “We need to understand if our firewalls are capable of handling today’s threats. Thus, the performance of firewalls needs to be constantly monitored,” he concluded. Source: http://www.itweb.co.za/index.php?option=com_content&view=article&id=143446:SA-a-target-for-DDOS&catid=234

Taken from:
South Africa a target for DDoS

Teen hires attacker to DDoS his school district

A high school boy might have to face state and federal charges for allegedly hiring a third party and launching a DDoS attack against the West Ada school district, Idaho, US. A 17-year old high school student (the name cannot be disclosed because of him being a minor) might be accused of launching a distributed denial of service (DDoS) attack after hiring a third party. The attack crippled operations at more than 50 schools of the district for a week previously this month. DDoS is a type of attack in which the servers of a particular online service are slowed to such an extent that their processing ability gets clogged up. According to KTVB report , the West Ada students suffered assorted misery due to the attack such as they lost their data on the Idaho Standard Achievement tests. Some of the students also had taken the tests multiple times. The attack lasted around a week and during this phase the online classes and textbooks could not be accessed. Moreover, the faculty and staff also experienced problems in accessing business and administrative systems such as payroll. The IP address from where the attack was launched was finally traced by the school district’s IT staff, which led them to the high schooler. The boy has been suspended from Eagle High but school administration suggested that he should be expelled. According to the Sheriff’s Office, the seventeen year old will most likely be charged with computer crime felony, which can send him to a juvenile detention facility for up to 180 days as the teenager paid someone to overwhelm the system with traffic from multiple sources. Additionally, the boy’s family will also be held responsible for a financial restitution for covering the losses since operations at around 50 schools got disrupted due to the attack. This is not the first time when a teenager attacked an educational institution. In April 12, 2015, Domanik Green, a 14-year-old student studying at Florida’s Paul R. Smith Middle School managed to bypass the school’s computer security network using just his computer skills and gained access to the server that contained FCAT (Florida Comprehensive Assessment Test) data. Source: https://www.hackread.com/teen-ddos-attack-school-district/

View the original here:
Teen hires attacker to DDoS his school district

TRD Admin On The Ransom DDoS That Is Hitting The Dark Net Markets

The admin of Therealdeal market ( http://trdealmgn4uvm42g.onion/ ) provided us with some insights about the recent DDo’s attacks that are hitting all the major DNM’s in the past week: In the past few days, it seems like almost every DN market is being hit by DDoS attacks. Our logs show huge amounts of basic http requests aiming for dynamic pages, probably in attempt to (ab)use as many resources as possible on the server side, for example by requesting for pages that execute many sql queries or generate captcha codes. As we are security oriented we manged to halt the attack on our servers the moment it showed up in the logs. Although this required fast thinking, due to the fact that dealing with this kind of attack over tor is not the same as dealing with such attack over clearnet. New addresses? Shifting Pages? Waiting? All these did not work for other markets… Here you can see the beginning and failure, as caught by Dnstats: As you can see, our market’s response time spiked to almost 70 seconds while our market’s usual response time is insanely fast, almost like most clearnet sites. But also, you can see that the response time was back to 2-3 seconds a little after. Here is an example of a darknet market that didn’t know how to combat this problem: The flat line at 0 seconds meaning there was no response from the server. The Problem As opposed to cleanet attacks, where mitigation steps could be taken by simply blocking the offending IP addresses,when it comes to tor, the requests are coming from the localhost (127.0.0.1) IP address as everything is tunneled through tor. Another problem is the fact that the attackers are using the same user-agent of tor browser – hence we cannot drop packets based on UA strings. The attackers are also aiming for critical pages of our site – for example the captcha generation page. Removing this page will not allow our users to login, or will open the site to bruteforce attempts. Renaming this page just made them aim for the new url (almost instantly, seems very much automated). One of the temporary solutions was to run a script that constantly renamed and re-wrote the login page after 1 successful request for a captcha… Attacks then turned into POST requests aiming for the login page. Solutions If you are a DNM owner or just the security admin, check your webserver logs. There is something unique in the HTTP requests, maybe a string asking you to pay to a specific address. (assuming these are the same offenders). Otherwise there might be something else … Hint: you might need to load tcpdump during an attack. Hopefully, you are not using some kind of VPS and have your own dedicated servers and proxy servers. Or if you are using some shit VPS, then hopefully you are using KVM or XEN. (first reason being the memory is leakable and accessible by any other user of the same service). The other reason is – control on the kernel level. You can drop packets containing specific strings by using iptables, or use regex too. This is one example of a commad that we executed (amongst others) to get rid of the offenders, we cannot specify all of them, so be creative! iptables -A INPUT -p tcp –dport 80 -m string –algo bm –string “(RANSOM_BITCOIN_ADDRESS)” -j DROP Where (RANSOM_BITCOIN_ADDRESS) is the unique part of the request… To Other Market Admins: There are additional things to be done, but if we expose them, this will only start a cat and mouse game with these attackers. If you are a DNM admin feel free to sign up as a buyer at TheRealDeal Market and send us a message (including your commonly used PGP), since at the end of the day even though you might see us a competitor in a way, there are some things (like people stuck without their pain medication from mexico) that are priceless… Source: http://www.deepdotweb.com/2015/05/11/this-is-the-ransom-ddos-that-is-hitting-the-dark-net-markets/

Enterprises must be proactive in DDoS mitigation

DDoS attacks are more prevalent than ever and enterprises can’t always rely on their service providers for protection. Learn what enterprises should do for effective DDoS mitigation. Moving unified communications applications to the cloud can simplify business operations. But cloud infrastructure can present vulnerabilities that attract malicious attacks like distributed denial of service (DDoS). And with many enterprises using service providers for their UC applications, DDoS attacks can be more damaging than ever. As the threat of DDoS attacks loom, there is a disconnect between enterprises and their service providers taking responsibility during an attack, according to a report from DDoS mitigation service provider Black Lotus Communications, which surveyed 129 service providers and the impact of DDoS on their business. According to the report, many organizations believe they can rely on their service provider to manage a DDoS attack and its impact on their business. But the reality is most providers believe they are solely responsible for making sure their infrastructure remains intact during an attack and that the direct impact of an attack is the customer’s responsibility. “Service providers with undeveloped DDoS mitigation strategies may choose to sacrifice a customer by black hole routing their traffic or recommending a different service provider in order to protect the service of other customers,” said Chris Rodriguez, network security senior analyst at Frost & Sullivan. Enterprises can lose anywhere from $100,000 to tens of millions of dollars per hour in an attack, the report found. Just over one-third of service providers reported being hit with one or more DDoS attacks weekly, according to the report. Managed hosting services, VoIP and platform as a service were the three industries most affected by DDoS. During an attack, 52% of service providers reported temporarily blocking the targeted customer, 34% reported removing the targeted customer, 32% referred customers to a partner DDoS mitigation provider and 26% encouraged an attacked customer to find a new service provider. But by removing or blocking a customer, service providers have effectively helped the attackers achieve their goal and leave enterprises suffering the consequences, according to the report. Communicating DDoS concerns Three-quarters of service providers reported feeling very to extremely confident they could withstand a catastrophic DDoS attack, and 92% of providers have protections in place. But the report found that the majority of providers use traditional protections that have become less effective in mitigating DDoS. To maximize DDoS protection, Nemertes Research CEO Johna Till Johnson offered four questions that enterprises should ask when evaluating service provider security and DDoS protection. What protections does the service provider have in place in the event of an attack? Don’t be afraid to ask service providers questions regarding the DDoS mitigation products and services they use, what their DDoS track record is or how many clients have been victims of an attack. “If they refuse to answer, it tells you something about the vendor,” Johnson said. “Any legitimate provider has this information and will share it with customers.” Is the service provider willing to put DDoS mitigation in a service-level agreement ( SLA )? The provider may already include DDoS protection or may require the enterprise to buy a service. But if a provider won’t include DDoS mitigation in an SLA, find out why. “If you’re not going to put it in black and white, you’re at risk,” she said. What third-party services does the provider recommend? Service providers may have third-party partnerships that can deliver DDoS protection. What is your organization’s stance on security? Johnson recommends having a line item in the budget for DDoS that covers a DDoS mitigation service or product. Making DDoS mitigation plans If a service provider is hit with a DDoS attack, there are two issues facing enterprises, Johnson said. The first issue is if the enterprise experienced a small hit in the attack. “If you’ve gotten a gentle probe, then attackers may be coming after you,” she said. Just like when a credit card number is stolen and the thief spends a small amount of money to test the number before making the large, fraudulent charges, attackers are testing for vulnerabilities. Enterprises should immediately figure out where they’re at risk and what they can do to protect themselves now, Johnson said. The second issue, she said, is that DDoS isn’t just an attack, it’s an earthquake. A disaster recovery plan is required so enterprises know what to do if a core application is suddenly unavailable. “DDoS attack techniques continue to change, and enterprises must be proactive in their defenses,” Rodriguez said. He said a hybrid approach to DDoS mitigation has emerged as an effective strategy. Hybrid DDoS mitigation requires an on-premises DDoS mitigation appliance to protect an enterprise’s infrastructure and a cloud-based DDoS mitigation service that routes traffic to a scrubbing center and returns clean traffic. The on-premises appliance is used during smaller attacks; and when attacks reach a certain size, the appliance can signal for the cloud-based service to take over. “This allows the organization to use the DDoS services sparingly and only when necessary, with a seamless transition between the two services,” he said. Source: http://searchunifiedcommunications.techtarget.com/news/4500245890/Enterprises-must-be-proactive-in-DDoS-mitigation

View the original here:
Enterprises must be proactive in DDoS mitigation

Dukascopy Server Crash on Wednesday Caused by DDoS Attack

The company has contracted a third party specializing in such threats in order to prevent further attacks from happening S wiss Dukascopy Bank was a target of a distributed denial-of-service (DDoS) attack yesterday, a company spokesperson shared with Finance Magnates’ reporters. The server crash prompted a number of the brokerage’s clients to take to social media in order to establish what the issues were with the website and the demo and real accounts servers of the firm. Additionally, the company detailed that the outage lasted an hour and thirteen minutes. A company spokesperson stated to Finance Magnates reporters, “As you may know yesterday starting from 12:31 GMT to 13:44 GMT Dukascopy servers were down due to a DD0S attack.” The DDoS attack was successfully mitigated and we expect that it will not be repeated “The DDoS attack was successfully mitigated and we expect that it will not be repeated. Protection measures have been implemented, including enabling third party services specializing on such kind of threats.” As stated above, the company has turned to a third party contractor in order to alleviate the risks associated with any further DDoS attack. Financial services institutions are frequent targets of DDoS attacks, however the companies most frequently suffering are banks or credit card payment gateways. In the earlier stages of online business, threats about DDoS attacks have been unlawfully used by some outfits to blackmail their competitors. Our reporters have heard about similar criminal practices remaining in play in more recent cases in the industry. Both binary options providers and brokers have been targets of similar attacks in recent years. As for Dukascopy, it is business as usual on the company’s platforms today, while the euro is hitting fresh 1-month highs against the U.S. dollar and the British pound. Source: http://www.financemagnates.com/forex/brokers/dukascopy-server-crash-on-wednesday-caused-by-ddos-attack/

Follow this link:
Dukascopy Server Crash on Wednesday Caused by DDoS Attack