Tag Archives: ddos-attacks

DDoS attacks threaten New Zealand organisations

The New Zealand Internet Task Force (NZITF) advises that an unknown international group has this week begun threatening New Zealand organisations with Distributed Denial of Service (DDoS) attacks. DDoS attacks are attempts to make an organisation’s Internet links or network unavailable to its users for an extended length of time. This latest DDoS threat appears as an email threatening to take down an organisation’s Internet links unless substantial payments in the digital currency Bitcoin are made. New Zealand Internet Task Force (NZITF) Chair Barry Brailey warns the threat is not an idle one and should be taken extremely seriously, as the networks of some New Zealand organisations have already been targeted. “The networks of at least four New Zealand organisations that NZITF knows of have been affected, so far. A number of Australian organisations have also been affected,” he says. “This unknown group of criminals have been sending emails to a number of addresses within an organisation. Sometimes these are support or helpdesk addresses, other times they are directed at individuals. The emails contain statements threatening DDoS, such as: “Your site is going under attack unless you pay 25 Bitcoin.”, “We are aware that you probably don’t have 25 BTC at the moment, so we are giving you 24 hours.” or “IMPORTANT: You don’t even have to reply. Just pay 25 BTC to [bitcoin address] – we will know it’s you and you will never hear from us again.” The emails may also provide links to news articles about other attacks the group has conducted. NZITF urges New Zealand firms and organisations to be on the alert. They also suggest that targeted entities don’t pay: even if this stops a current attack, it makes your organisation a likely target for future exploitation, as you have a history of making payments. It is also advisable that staff be educated and be on the lookout for any emails matching the descriptions above. Have them alert appropriate security personnel within the organisation as soon as possible. Source: http://www.geekzone.co.nz/content.asp?contentid=18336

See the original post:
DDoS attacks threaten New Zealand organisations

FBI investigating Rutgers University in DDoS attack

The FBI is working with Rutgers University to identify the source of a series of distributed denial-of-service (DDoS) attacks that have plagued the school this week. The assault began Monday morning and took down internet service across the campus, according to NJ.com. Some professors had to cancel classes, and students were unable to enroll, submit assignments or take finals, since Wi-Fi service and email have been affected, as has an online resource called Sakai. This is the second DDoS attack on the university this month and the third since November. Authorities and the Rutgers Office of Information and Technology (OIT) haven’t released any details thus far about the possible source of the attacks. Currently, only certain parts of the university have internet service. The school will post frequent updates to the Rutgers website about its progress in restoring service. Source: http://www.scmagazine.com/the-fbi-is-helpign-rutger-inveigate-a-series-of-ddos-attack/article/412149/

See the original post:
FBI investigating Rutgers University in DDoS attack

One fifth of DDoS attacks last over a day

Some 20 per cent of DDoS attacks cause lasting damage that can take a site down for 24 hours or more, according to research by Kaspersky. In fact, almost a tenth of the companies surveyed said their systems were down for several weeks or longer, while less than a third said they had disruption lasting less than an hour. The investigation revealed that the majority of attacks (65 per cent) caused severe delays or complete disruption, while only a third caused no disruption at all. Evgeny Vigovsky, head of Kaspersky DDoS Protection, said: “For companies, losing a service completely for a short time, or suffering constant delays in accessing it over several days, can be equally serious problems. Both situations can impact customer satisfaction and their willingness to use the same service in the future. Using reliable security solutions to protect against DDoS attacks enables companies to give their customers uninterrupted access to online services, regardless of whether they are facing a powerful short-term assault or a weaker but persistent long-running campaign.” The company highlighted an attack on GitHub at the end of March when Chinese hackers brought the site down. That attack lasted 118 hours and demonstrated that even large communities are at risk. Last month, another study by Kaspersky revealed that only 37 per cent of companies were prepared for a DDoS attack, despite 26 per cent of them being concerned that the problems caused by such attacks were long-term, meaning they could lose current or prospective clients as a result. Source: http://www.itpro.co.uk/security/24514/one-fifth-of-ddos-attacks-last-over-a-day

More:
One fifth of DDoS attacks last over a day

Featured article: How to use a CDN properly and make your website faster

It’s one of the biggest mysteries I have seen in my 15+ years of Internet hosting and cloud-based services: why do people use a Content Delivery Network for their website yet never fully optimize their site to take advantage of the speed and volume capabilities of the CDN? Just because you use a CDN doesn’t mean your site is automatically faster, or even able to take advantage of its ability to dish out mass amounts of content in the blink of an eye. At DOSarrest I have seen the same mystery continue, which is why I have put together this piece on using a CDN, to help those who wish to take full advantage of one. Most of this information is general and can be applied to any CDN, but I’ll also throw in some specifics that relate to DOSarrest.

Some common misconceptions about using a CDN:

1. As soon as I’m configured to use a CDN my site will be faster and be able to handle a large amount of web visitors on demand.
2. Website developers create websites that are already optimized, and a CDN won’t really change much.
3. There’s really nothing I can do to make my website run faster once it’s on a CDN.
4. All CDNs are pretty much the same.

Here’s what I have to say about the misconceptions noted above:

1. In most cases the answer to this is… NO!! If the CDN is not caching your content your site won’t be faster; in fact it will probably be a little slower, as every request will have to go from the visitor to the CDN, which will in turn go and fetch it from your server and then turn around and send the response back to the visitor.
2. In my opinion and experience, website developers in general do not optimize websites to use a CDN. In fact most websites don’t even take full advantage of a browser’s caching capability. As the Internet has become ubiquitously faster, this fine art has been left by the wayside in most cases. Another reason I think this has happened is that websites are huge and complex, a lot of content is dynamically generated, and this is coupled with very fast servers with large amounts of memory. Why spend time optimizing caching when a fast server will overcome this overhead?
3. Oh yes you can, and that’s why I have written this piece… see below.
4. No they aren’t. Many CDNs don’t want you to know how things are really working from every node that they are broadcasting your content from. You have to go out and subscribe to a third-party service; if you have to get a third-party service, do it. It can be fairly expensive but well worth it. How else will you know how your site is performing from other geographic regions?

A good CDN should let you know the following in real time, but many don’t:

a. Number of connections/requests between the CDN and visitors.
b. Number of connections/requests between the CDN and your server (origin). You want to try to have the number of requests to your server be less than the number of requests from the CDN to your visitors.
   *Tip – Use HTTP 1.1 on both “a” & “b” above and try to extend the keep-alive time on the origin-to-CDN side.
c. Bandwidth between the CDN and Internet visitors.
d. Bandwidth between the CDN and your server (origin).
   *Tip – If the bandwidth of “c” and “d” are about the same, news flash… you can make things better.
e. Cache status of your content (how many requests are being served by the CDN).
   *Tip – This is the best metric to really know if you are using your CDN properly.
f. Performance metrics from outside of the CDN but in the same geographic region.
   *Tip – Once you have the performance metrics from several different geographic regions you can compare the differences once you are on a CDN. Your site should load faster the further away the region is located from your origin server, if you’re caching properly.

For the record, DOSarrest provides all of the above in real time, and it’s these tools I’ll use to explain how to take full advantage of any CDN. Without any metrics there’s no scientific way to know you’re on the right track to making your site super fast.

There are five main groups of cache control headers that will affect how and what is cached.

Expires: When attempting to retrieve a resource a browser will usually check to see if it already has a copy available for reuse. If the Expires date has passed the browser will download the resource again.

Cache-Control: Introduced with HTTP 1.1, this expands on the functionality offered by Expires. There are several options available for the Cache-Control header:
– Public: This resource is cacheable. In the absence of any contradicting directive this is assumed.
– Private: This resource is cacheable by the end user only. All intermediate caching devices will treat this resource as no-cache.
– No-cache: Do not cache this resource.
– No-store: Do not cache, do not store the request, I was never here, we never spoke. Capiche?
– Must-revalidate: Do not use stale copies of this resource.
– Proxy-revalidate: The end user may use stale copies, but intermediate caches must revalidate.
– Max-age: The length of time (in seconds) before a resource is considered stale.
A response may include any combination of these directives, for example: private, max-age=3600, must-revalidate.

X-Accel-Expires: This functions just like the Expires header, but is only intended for proxy services. This header is intended to be ignored by browsers, and when the response traverses a proxy this header should be stripped out.

Set-Cookie: While not explicitly specifying a cache directive, cookies are generally designed to hold user- and/or session-specific information. Caching such resources would have a negative impact on the desired site functionality.

Vary: Lists the headers that should determine distinct copies of the resource. A cache will need to keep a separate copy of this resource for each distinct set of values in the headers indicated by Vary. A Vary response of “*” indicates that each request is unique.

Given that most websites, in my opinion, are not fully taking advantage of caching by a browser or a CDN (if you’re using one), there is still a way around this without reviewing and adjusting every cache control header on your website. Any CDN worth its cost, as well as any cloud-based DDoS protection service, should be able to override most website cache-control headers.

For demonstration purposes we used our own live website, DOSarrest.com, and ran a traffic generator to stress the server a little on top of our regular visitor traffic. This demonstration shows what’s going on when passing through a CDN, with respect to activity between the CDN and the Internet visitor and between the CDN and the customer’s server on the back-end. At approximately 16:30 we enabled a feature on DOSarrest’s service we call “Forced Caching”. What this does is override, in other words ignore, some of the origin server’s cache control headers. These are the results:

Notice that bandwidth between the CDN and the origin (second graph) has fallen by over 90%. This saves resources on the origin server and makes things faster for the visitor. This is the best graphic illustration to let you know that you’re on the right track: cache hits go way up, not-cached goes down, and expired and misses are negligible. The graph below shows that the requests to the origin have dropped by 90%; it’s telling you the CDN is doing the heavy lifting. Last but not least, this is the fruit of your labor as seen by 8 sensors in 4 geographic regions from our customer “DEMS” portal. The site is running 10 times faster in every location, even under load!
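The header rules above, together with the CDN-side override the article calls “Forced Caching”, as an added example written for this page (it is not code from the article or from DOSarrest). It models the decision a shared cache such as a CDN node has to make for each origin response. The function names, the `force_cache` flag, the sample responses and the fixed timestamp are all constructed assumptions; X-Accel-Expires is treated as a count of seconds, as nginx defines it.

```python
# Added example: how a shared cache (CDN node) should read the five header groups
# described above. Not DOSarrest's code; every name here is a constructed assumption.
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed "current time" so the Expires arithmetic below is reproducible.
FIXED_NOW = datetime(2015, 4, 20, 12, 0, tzinfo=timezone.utc)


def parse_cache_control(value):
    """Turn 'private, max-age=3600, must-revalidate' into
    {'private': True, 'max-age': '3600', 'must-revalidate': True}."""
    directives = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, sep, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') if sep else True
    return directives


def shared_cache_decision(headers, now=None, force_cache=False):
    """Decide whether a shared cache may store a response and for how long.

    headers: origin response headers (name -> value, any letter case).
    force_cache: ignore the origin's restrictive directives; a hypothetical stand-in
    for the CDN override the article calls "Forced Caching" (assumption: it skips
    private/no-cache/no-store/Set-Cookie but still needs a freshness lifetime).
    Returns dict: store (bool), ttl (seconds), serve_stale (bool), reason (str).
    """
    now = now or datetime.now(timezone.utc)
    h = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(h.get("cache-control", ""))

    def verdict(store, ttl, reason):
        # must-revalidate and proxy-revalidate both forbid a shared cache from
        # serving a stale copy; proxy-revalidate still lets the browser do so.
        stale_ok = "must-revalidate" not in cc and "proxy-revalidate" not in cc
        return {"store": store, "ttl": ttl, "serve_stale": store and stale_ok, "reason": reason}

    if h.get("vary", "").strip() == "*":
        return verdict(False, 0, "Vary: * means every request is unique")

    if not force_cache:
        if "no-store" in cc:
            return verdict(False, 0, "no-store")
        if "no-cache" in cc:
            return verdict(False, 0, "no-cache")
        if "private" in cc:
            return verdict(False, 0, "private: shared caches treat this as no-cache")
        if "set-cookie" in h:
            return verdict(False, 0, "Set-Cookie: user/session-specific response")

    # Freshness lifetime: X-Accel-Expires (proxy-only, seconds) beats max-age,
    # which beats the HTTP-date in Expires.
    if "x-accel-expires" in h:
        ttl = int(h["x-accel-expires"])
    elif "max-age" in cc:
        ttl = int(cc["max-age"])
    elif "expires" in h:
        ttl = int((parsedate_to_datetime(h["expires"]) - now).total_seconds())
    else:
        return verdict(False, 0, "no freshness lifetime (Expires/max-age/X-Accel-Expires)")

    if ttl <= 0:
        return verdict(False, 0, "already stale (Expires in the past or max-age=0)")
    return verdict(True, ttl, "cacheable")


def strip_proxy_only_headers(headers):
    """Drop X-Accel-Expires before the response leaves the proxy for a browser."""
    return {k: v for k, v in headers.items() if k.lower() != "x-accel-expires"}


def cache_key(url, request_headers, vary_value):
    """Key for a response that carries Vary: one stored copy per distinct
    combination of the named request header values."""
    req = {k.lower(): v for k, v in request_headers.items()}
    names = [n.strip().lower() for n in vary_value.split(",") if n.strip()]
    return (url,) + tuple((n, req.get(n, "")) for n in names)


# Constructed sample responses (not real DOSarrest.com headers).
SAMPLE_RESPONSES = {
    "static css": {"Cache-Control": "public, max-age=86400"},
    "account page": {"Cache-Control": "private, max-age=3600, must-revalidate"},
    "checkout": {"Cache-Control": "no-store"},
    "login response": {"Cache-Control": "max-age=600", "Set-Cookie": "session=abc"},
    "legacy expires": {"Expires": "Mon, 20 Apr 2015 12:10:00 GMT"},
    "proxy hint": {"Cache-Control": "max-age=10", "X-Accel-Expires": "120"},
}


def summarise(now=None, force_cache=False):
    """Run every sample through the decision; returns {name: (store, ttl)}."""
    results = {}
    for name, hdrs in SAMPLE_RESPONSES.items():
        d = shared_cache_decision(hdrs, now, force_cache)
        results[name] = (d["store"], d["ttl"])
    return results


if __name__ == "__main__":
    for name, v in summarise(FIXED_NOW).items():
        print(f"{name:15} honouring origin headers -> {v}")
    for name, v in summarise(FIXED_NOW, force_cache=True).items():
        print(f"{name:15} forced caching           -> {v}")
```

Running it shows the point the graphs make: with the origin’s headers honoured, only the public and proxy-hinted responses are stored, so most requests still travel to the origin; with the override on, the private and cookie-bearing responses are stored as well, which is where the 90% drop in origin traffic comes from.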

Follow this link:
Featured article: How to use a CDN properly and make your website faster

How startup GitHub survived a massive five-day DDoS attack

The collaborative coding site scrambled to withstand the opening salvo from what researchers dubbed China’s Great Cannon. But CEO Chris Wanstrath says that was just the beginning.

To survive, startups must surmount challenges like product development, funding negotiations and cash flow. GitHub CEO Chris Wanstrath can add a very different challenge to his list: a sustained five-day network attack that some say marked the beginning of a new, more aggressive chapter in China’s relations with the outside computing world.

GitHub’s business, founded in 2008, is all about letting programmers work together. It offers a place where individual coders can contribute to each other’s software projects, and where companies like Google, Facebook and Twitter can share work through the collaborative open-source movement. But on March 26, two organizations with GitHub accounts came under attack.

Attacks on GitHub are common, though it can be nearly impossible to figure out their origins, Wanstrath said during an interview here at the company’s Merge conference. Even teenagers flexing their online muscles can launch an attack by buying access to a collection of machines. But this recent GitHub attack was the worst in the company’s history. The company’s seven-person response team worked around the clock in a cat-and-mouse game to keep GitHub running even as the attackers shifted from one type of attack to another.

The two targeted GitHub sites were GreatFire.org, a nonprofit organization that tries to help people bypass Chinese censorship, and the Chinese New York Times, according to an analysis of the attack by network security software firm Netresec. But it hurt all of GitHub’s operations. That’s because it was a distributed denial-of-service (DDOS) attack, where countless computers around the world overwhelmed GitHub’s servers to the point where they couldn’t provide the online service they’re supposed to provide.

Researchers dubbed the attack the Great Cannon. The Great Firewall of China has been around for years, letting the government block access to sites it doesn’t want its Chinese residents seeing, but the Great Cannon serves an offensive rather than defensive purpose, the researchers at the University of Toronto, University of California and Princeton University wrote. When people visited innocent Web pages, the attacker’s servers would replace website code with malicious code that would direct their browsers to ceaselessly reload the GitHub pages. “The Cannon manipulates the traffic of bystanders’ systems outside China, silently programming their browsers to create a massive DDOS attack,” the researchers said.

The Chinese system could work similarly to one run by the US National Security Agency and its British counterpart, Government Communications Headquarters, according to documents leaked by former NSA contractor Edward Snowden. These programs, called Quantum and Foxacid, appeared to target the anonymous communication technology called Tor and employees at Belgian telecommunications company Belgacom, according to security expert Bruce Schneier and Der Spiegel, a German news publication.

Wanstrath sat down with CNET’s Stephen Shankland to discuss the GitHub attack. The following is an edited transcript of their conversation.

What was your first inkling that you were under attack?
Wanstrath: A traffic spike. We started to get an unusual amount of traffic. It was coming from all over the world — were we on Oprah? Then we realized people’s phones or computers were getting hijacked to load GitHub. We saw the man-on-the-side attack.

But that was just the first attack of a series.
Wanstrath: Yes. It was a mix of new stuff and boring stuff. The nature of the first attack was novel. After that we saw other attacks that were traditional, like SYN floods. In five days, we saw 18 or 20 attacks.

How often are you attacked ordinarily?
Wanstrath: Once a month, if not more. We’ve got monitoring. We have a good incident response program set up. When there’s an attack profile, you get paged. The main event of a DDOS is overwhelming the network with traffic. When you get a million requests and they’re exactly the same in one second, that’s a DDOS. We have automated systems, then an ops team on the network around the clock.

So was somebody trying to send a message?
Wanstrath: Of course. I just don’t know who the message was for. I’m not even sure the message is to us. You don’t need to be a state government to run this sort of attack. Sometimes it’s teenagers fighting over message boards.

If it was from China, is there an easier way to target GreatFire and the New York Times than launching a five-day attack?
Wanstrath: Sure. That’s why it’s confusing to conclude it came from China. In China, the New York Times is blocked, the Wall Street Journal is blocked. China blocks [lots] of websites.

And after five days they chose to disengage? Did you vanquish the enemy?
Wanstrath: It was an ongoing battle. We successfully mitigated some of their attacks. Even though we were winning, we were fighting the whole time. There was a lot of press about it, which may have contributed to the disengagement. What’s frustrating is there was no ransom note — no request for anything. Just an attack.

What did it do to your business?
Wanstrath: The outages are frustrating. We never went totally down, but people had errors. It interrupted people’s workflows. At GitHub, people were up all weekend.

So is this a badge of honor? A sign that you’ve arrived?
Wanstrath: It’s hard to feel that way when there are real people trying to do real work with GitHub. If this is what arriving is like, this isn’t what we signed up for. We’ve been attacked for a while. We have defenses. But GitHub two or three years ago would not have successfully mitigated this attack. You can imagine a smaller company just falling over.

What did you learn? Have you changed any technology or policies?
Wanstrath: We learned a lot on a technical level. The DDOS is such a cat-and-mouse game. We can’t share broadly with the technology community to say here’s how to protect yourselves, though. It’s like bacteria. If the attackers know what we do, then they’ll stop doing that attack. Now, they don’t know what we know.

Did you talk to the US government about the attack?
Wanstrath: We can’t say it really has a China component because we can’t prove anything. We can’t really ask for help for anyone. I’m not sure what would have happened if this had lasted a month.

Source: http://www.cnet.com/au/news/how-startup-github-survived-a-massive-five-day-network-attack-q-a/

Original post:
How startup GitHub survived a massive five-day DDoS attack

Borg routers open to repeat remote DoS attack

Patches cooked for five versions of Cisco’s IOS

Remote attackers can send some Cisco routers into a continuous denial of service funk by rebooting network processor chips with a crafted attack. The high-severity hole (CVE-2015-0695) affects the IOS XR software in Cisco ASR 9000 Series Aggregation Services routers running Typhoon-based cards, the second generation of line cards. The Borg says exploitation could cause “a lockup and eventual reload of a network processor chip and a line card that is processing traffic, leading to a denial of service condition”. “The vulnerability is due to improper processing of packets that are routed via the bridge-group virtual interface when any of the following features are configured: Unicast Reverse Path Forwarding, policy-based routing, quality of service, or access control lists,” Cisco says in an advisory. “An attacker could exploit this vulnerability by sending IPv4 packets through an affected device that is configured to route them via the BVI interface.” Users should apply the patches for the five affected versions, as there are no workarounds for the flaw. Software newer than version 4.3.0 is unaffected. The Borg does not know of any in-the-wild attacks using the vulnerability and has offered some techniques for admins to identify exposure. Source: http://www.theregister.co.uk/2015/04/16/borg_routers_open_to_repeat_remote_dos_attack/ http://whitepapers.theregister.co.uk/paper/view/3715/cyber-risk-report-2015.pdf

Read More:
Borg routers open to repeat remote DoS attack

Asia-Plus’s website hit with DDoS attack again

The website of the Media Holding Asia-Plus has been hit with a distributed denial-of-service (DDoS) attack again. The Asia-Plus website was hit with the DDoS attack on April 14. Over the past ten days, this is already the third attempt to make the website unavailable to its subscribers. The first DDoS attack on the Asia-Plus website was conducted on April 3, and it came from practically all domestic Internet service providers. Restoring stable operation of the website took nearly three days. The reasons for these DDoS attacks are still unknown, because it is not clear who is behind them. However, it cannot be ruled out that a group of hackers has appeared who want to “test” the resilience of the site. In computing, a denial-of-service (DoS) or distributed denial-of-service (DDoS) attack is an attempt to make a machine or network resource unavailable to its intended users. A DoS attack generally consists of efforts to temporarily or indefinitely interrupt or suspend services of a host connected to the Internet. As clarification, distributed denial-of-service attacks are sent by two or more people, or bots, and denial-of-service attacks are sent by one person or system. As of 2014, the frequency of recognized DDoS attacks had reportedly reached an average rate of 28 per hour. Perpetrators of DoS attacks typically target sites or services hosted on high-profile web servers such as banks, credit card payment gateways, and even root name servers. Denial-of-service threats are also common in business, and are sometimes responsible for website attacks. This technique has now seen extensive use in certain games, used by server owners or disgruntled competitors. Denial-of-service attacks are considered violations of the Internet Architecture Board’s Internet proper use policy, and also violate the acceptable use policies of virtually all Internet service providers. They also commonly constitute violations of the laws of individual nations. Source: news.tj/en/news/asia-plus-s-website-hit-ddos-attack-again

More:
Asia-Plus’s website hit with DDoS attack again

Online gambling sites taken out by DDoS attacks

Customers of Betfair and PokerStars have been left enraged after the software of both gambling giants suffered from major connectivity issues over the weekend. Betfair’s sportsbook, betting exchange and websites were unavailable for much of April 13 after the firm’s servers came under a Distributed Denial-of-Service (DDoS) attack. Betfair’s customer service team, manning the @BetfairHelpDesk Twitter account, confirmed to customers that a DDoS attack was the cause of the problems and reassured worried punters that their details and funds were safe. The attack seems to be either over or under control, as I was able to log into all Betfair products on April 14. A DDoS attack is designed to temporarily or indefinitely interrupt or suspend the services offered by the targeted website. One way of achieving this is to bombard the site’s servers with so much bogus information and so many requests that it is overloaded and cannot respond to legitimate traffic. This appears to be what happened to Betfair on April 13. You may recall that partypoker was targeted by numerous DDoS attacks in October 2014 that resulted in some of its Pokerfest events being cancelled. The attacks at partypoker resurfaced in early December 2014 and saw the site effectively taken offline for several hours while its technicians and its Internet Service Provider (ISP) in Gibraltar combated the problem. Around the same time, 888poker was suffering similar connectivity problems – its servers are also in Gibraltar – but the London Stock Exchange (LSE) listed company refused to comment on whether or not it had been targeted by the same DDoS attacks that plagued partypoker. Poker sites are often reluctant to announce they are suffering from a hacker’s attempt to cause a DDoS because of the possible widespread panic the mention of a hacker could and would cause. Usually, the so-called hacker isn’t interested in attempting to obtain information – major online poker and gambling sites have these details secure under state-of-the-art systems – they are attempting to disrupt the targeted site’s business. Although neither confirmed nor denied by its management team, rumours of PokerStars being under a DDoS attack have been doing the rounds on various forums, including Two Plus Two. Players have been reporting major lag (slow response when clicking buttons, etc.) and connectivity problems when attempting to play at PokerStars since April 9. The problems seem to be global, although residents of Belgium seem to be more severely affected, judging by tweets from various Belgians, including Friend of PokerStars Pierre Neuville, and from PokerStars’ Belgian Twitter account on April 12, although a more recent update claims all problems Pokerstars.be was facing are now resolved. While PokerStars does appear to be on top of the problems now, its Network Status panel shows it has a Very Good connection at five of the six listed hosts, although Manx Telecom, Isle of Man has 0% connection and all packets of data being sent to it are currently being lost. Source: http://uk.pokernews.com/news/2015/04/betfair-and-pokerstars-suffer-major-connectivity-problems-17360.htm?utm_medium=feed&utm_campaign=homefeed&utm_source=rss

See the article here:
Online gambling sites taken out by DDoS attacks

The “Great Cannon”: How China Turns Its Web-sites Into Cyberweapons

When anti-Chinese-censorship services got hit with a crippling distributed denial-of-service attack last month, researchers promptly pegged China as the culprit. Now, Citizen Lab has pinpointed the Chinese tool that made this attack happen. They’re calling it the Great Cannon.

Separate from but positioned within China’s Great Firewall, this “Great Cannon” injects malicious code as a way to enforce state censorship, by launching cyberattacks to damage services that help people inside China see banned content. The Great Cannon is not merely an extension of the Great Firewall, but a distinct attack tool that hijacks web traffic to (or presumably from) individual IP addresses, and can arbitrarily replace unencrypted content as a man-in-the-middle.

With this most recent DDoS attack, the Great Cannon worked by weaponizing the web traffic of visitors to Baidu or any website that used Baidu’s extensive ad network. This means anyone visiting a Baidu-affiliated site from anywhere in the world was vulnerable to having their web traffic hijacked and turned into a weapon to flood anti-censorship websites with too much traffic.

This particular attack had a narrow target: specific websites known to circumvent Chinese censorship. But Citizen Lab thinks the Great Cannon could be used in a much broader way. Because it is capable of mounting a full-blown man-in-the-middle attack, it could be used to intercept unencrypted emails, for example.

The attack launched by the Great Cannon seems somewhat obvious and coarse: a denial-of-service attack on services objectionable to the Chinese government. However, the attack itself indicates a far more significant capability: an ability to “exploit by IP address”. This possibility, not yet observed but a function of its architecture, represents a potent cyberattack capability. As Citizen Lab’s researchers note, it’s fairly strange that China would show off this powerful weapon by using it in such a pointed attack. Conducting such a widespread attack clearly demonstrates the weaponization of the Chinese Internet to co-opt arbitrary computers across the web and outside of China to achieve China’s policy ends.

The only silver lining here is that this could prompt a more urgent push to switch to HTTPS, given that the Great Cannon only operates on HTTP. This attack makes it painfully obvious that using HTTPS isn’t just a smart safeguard; it is a required precaution against powerful state-sponsored cyberattacks. Source: http://www.eaglecurrent.com/technology/the-quotgreat-cannonquot-how-china-turns-its-web-sites-into-cyberweapons-h4121.html

Read more here:
The “Great Cannon”: How China Turns Its Web-sites Into Cyberweapons

NH State Website Knocked Out

Company that hosts site dealing with “distributed denial of service” attack on its servers

New Hampshire’s state government website was inaccessible to some users for several hours because the outside company that hosts it was dealing with another “distributed denial of service” attack on its servers. The governor’s office says the main state government website, nh.gov, and websites for at least several state agencies were disrupted Thursday morning. On March 23, the state’s tourism website, visitnh.gov, was briefly inaccessible for the same reason. State officials and others are working to determine more details about what caused the problem, but say no information was compromised. Source: http://www.necn.com/news/new-england/NH-State-Website-Knocked-Out–299194531.html

Originally posted here:
NH State Website Knocked Out