Tag Archives: ddos-attacks

Extra Life DDoS Attack: Children’s Charity Extra Life Website Hit By DDoS During Annual Gaming Marathon

Extra Life — a charity organization dedicated to helping Children’s Miracle Network Hospitals through an annual gaming marathon — has been hit with a Distributed Denial of Service (DDoS) attack. According to Escapist Magazine, Extra Life raises money for Children’s Miracle Network Hospitals by taking pledges and then playing games — anything from video games to board games and tabletop miniatures — for 25 hours straight. Extra Life was in the middle of this year’s event, which began at 8 a.m. today and ends at 8 a.m. on November 3, when their website suddenly went down. As a result, pledges could not be taken. News of the DDoS attack was confirmed with a statement on the Extra Life Facebook page by founder Jeromy “Doc” Adams:

“We’ve discovered that the Extra Life website experienced a DDoS attack against our datacenter,” the statement reads. “I am not sure what kind of person would DDoS a charitable initiative. I am so sorry that you are going through this frustration today. Our entire team is purely heartbroken that someone would do this. But it has happened. As frustrating as this is for everyone involved, it pales in comparison to what the kids we’re trying to save go through. That reality, for me personally, is about the only thing keeping me somewhat calm right now.

“I am very angry and very sorry,” the statement continues. “You deserve better than this. The kids deserve better than this. Extra Life has given a lot of us some of the happiest moments in our lives. This is not one of those moments. Please hang with us through this. It is important that we spread the word. Please get on every form of social media you can and tell your friends what happened. We can overcome this together.”

After a few hours of downtime, the Extra Life website was back online. Many took to Facebook to vent their outrage that hackers would choose to DDoS a charity organization.
“I understand DDoS’ing a website of a corrupt business or government, but…Why would someone DDoS this?” one user wrote. “May whoever did this lose their shoes and have every child in their neighborhood strew Legos in their path forever,” another user commented. A DDoS attack takes place when hackers use an army of infected computers to send traffic to a server, causing a shutdown in the process. Source: http://www.ibtimes.com/extra-life-ddos-attack-childrens-charity-extra-life-website-hit-ddos-during-annual-gaming-marathon


Google Project Shield protects “free expression” sites hit by DDoS

Before you ask: Google’s Project Shield has nothing to do with NVIDIA SHIELD; the two are completely different things. The Google iteration is all about protecting sites that’d otherwise have little to no protection. Google Project Shield puts a barrier around a website to stop DDoS (Distributed Denial of Service) attacks and keep the site active. This project has been used to keep up all manner of sites that – before this project – had been taken down by the likes of governments and unfriendly hacker groups. This project has been used for several impressive sites in the recent past, Google aiming to make a much bigger deal of it in the near future. One example is the Persian-language social and political blog Balatarin. Another is quick-access site Aymta, kept up by Google in the face of DDoS attacks recently. This site provides early-warning (somehow or another) of scud missiles to people in Syria. Another example of this project in action is the keeping up of election monitoring service iebc.or.ke during a recent election cycle. Project Shield was responsible for keeping this site up for the first time – it’s stayed up for the entire cycle, that is – in history.

Google is currently inviting sites in the following categories to join the initiative – webmasters serving Independent News, Human Rights, and Elections-Related Content. Small independent sites in need of the infrastructure and resources Google is able to supply will be able to apply for help through the main Google Project Shield portal where some very, very simple information is required. Though the site says “invite only”, in this case, Google means that you’ll be invited if your application is accepted. There is also an “Other” category in the “type of content you host on your site” portion of the page in addition to those categories listed above. Source: http://www.slashgear.com/google-project-shield-protects-free-expression-sites-hit-by-ddos-21302260/


London schoolboy secretly arrested over ‘world’s biggest cyber attack’

A London schoolboy has been secretly arrested over the “world’s biggest cyber attack” as part of an international swoop against a suspected organised crime gang. The 16-year-old was detained by detectives at his home in south-west London after “significant sums of money” were found to be “flowing through his bank account”. He was also logged on to what officials say were “various virtual systems and forums” and had his computers and mobiles seized as officers worked through the night to secure potential evidence. The boy’s arrest, by detectives from the National Cyber Crime Unit, followed an international police operation against those suspected of carrying out a cyber attack so large that it slowed down the internet. The “distributed denial of service” or “DDoS” attack was directed at the Dutch anti-spam group Spamhaus which patrols the web to stop prolific spammers filling inboxes with adverts for counterfeit Viagra, bogus weight-loss pills and other illegal products. Details of the arrest, which happened in April, had been kept secret, but have been disclosed to the Evening Standard ahead of the formation of the Government’s new National Crime Agency. It will take over the National Cyber Crime Unit as part of a drive against offending carried out over the internet, now seen as one of the most serious crime-fighting challenges. More than half of the 4,000 officers who will form the new agency next month will be trained in combating cyber crime. The arrest of the London schoolboy, whose identity has not been disclosed, came during a series of coordinated raids with international police forces. Others detained included a 35-year-old Dutchman living in Spain. A briefing document seen by this newspaper on the British investigation, codenamed Operation Rashlike, states that the attack was the “largest DDoS attack ever seen” and that it had a “worldwide impact” on internet exchanges. 
The document says services affected included the London Internet Exchange and that although the impact was eventually “mitigated” it managed to cause “worldwide disruption of the functionality” of the internet. Giving details of the schoolboy’s alleged involvement, the briefing note states: “The suspect was found with his computer systems open and logged on to various virtual systems and forums. The subject has a significant amount of money flowing through his bank account. Financial investigators are in the process of restraining monies.” The boy has been released on bail until later this year. The disclosure of his arrest follows two cyber attacks on banks. Four men have appeared in court over the first, involving an alleged plot to take over Santander computers by fitting a device during maintenance work. Another eight were arrested over a £1.3 million theft by a gang who took control of a Barclays computer. Meanwhile, security minister James Brokenshire said the creation of the National Crime Agency would bolster efforts to combat organised criminals operating on the internet and ensure that “cyber gangsters” were left with no hiding place. “The new National Crime Agency’s Cyber Crime Unit will pursue the organised crime gangs behind the online crimes that blight people’s lives and cost the economy millions,” he added. Source: http://www.standard.co.uk/news/crime/london-schoolboy-secretly-arrested-over-worlds-biggest-cyber-attack-8840766.html


DDoS: The Need for Updated Defenses Lessons Learned from a Year of Attacks Against Banks

In the wake of a year of attacks waged against banking institutions by Izz ad-Din al-Qassam Cyber Fighters, the FS-ISAC’s Bill Nelson and the ABA’s Doug Johnson say the need to regularly update DDoS preparedness is a critical lesson learned. As the one-year anniversary of the start of the hacktivists’ distributed-denial-of-service attacks against U.S. banks approaches, banks need to avoid complacency and leverage new mitigation tools to ensure protection against any DDoS attack from any group, the two experts say. By taking advantage of cyber-intelligence and DDoS mitigation toolkits provided by the Financial Services Information Sharing and Analysis Center and others, banking institutions of all sizes can help prevent online outages and minimize risk for fraud, says Nelson, who heads the FS-ISAC in the U.S. FS-ISAC’s DDoS toolkit, which has been updated three times in the last year, is available to all institutions, not just FS-ISAC members. “We’ve worked to get this out to associations and third-party banking service providers, which really have a very important role as far as DDoS,” Nelson says in an interview with Information Security Media Group. “The Web hosting environment can impact numerous institutions.” A DDoS preparedness plan should address hardware security risks, ensure sufficient bandwidth and outline collaboration with third-party service providers, Nelson says. “Setting up in advance, not just waiting to see your name on a Pastebin post, is critical,” he says. Johnson, who oversees risk management for the American Bankers Association, says institutions have to band together to ensure they have the right plans in place. “It does take that village to ensure the institutions are asking the right questions,” he says. “The threat environment is substantially different than it was before these attacks.”

Beyond al-Qassam

On Sept. 18, 2012, Izz ad-Din al-Qassam Cyber Fighters announced the launch of its first wave of attacks against U.S.
institutions to protest a movie trailer deemed offensive to Muslims. These attacks have forever changed the way the online world approaches DDoS, Nelson says. “When we realized this DDoS attack was different … we realized quickly that we needed to stand up and create an incident response team,” he says. “The reaction was really effective, and it proved how effective information sharing could be.” But Johnson says one lesson the industry has learned over the last year is that DDoS is not just about hacktivism, and banking institutions need to be concerned about attacks from any number of players. “It’s about the broad number of DDoS attacks that the industry is suffering [attacks] from a variety of parties,” he says. For community banks, the greatest concern is not online disruption, but the threat of DDoS attacks being waged to mask fraud, Johnson says. Source: http://www.bankinfosecurity.com/interviews/ddos-need-for-updated-defenses-i-2059


Threat of the Week: Sept. 11 Quiet But DDoS On The Rise (Again)

September 11 came, it went and despite the FBI warning to credit unions to be ready for a bump in hostile activities on that anniversary date, multiple experts said they saw absolutely no traffic increase. But they also had worrisome news: There has been a sharp rise in low-grade Distributed Denial of Service (DDoS) attacks aimed at financial institutions, often in association with attempted fraud, but sometimes apparently simply an angry act by a rejected loan applicant or a terminated employee. First, the 9/11 news: “Nothing unusual happened on September 11. The reason there is nothing to report is that the volume is the same as the day before,” said Ashley Stephenson, CEO of Corero, a Hudson, Mass.-based DDoS mitigation firm. “Every day there are attacks.” Chris Novak of the Verizon Risk Team said likewise: “We saw no spike in activity on 9/11.” Rich Bolstridge, a DDoS expert with Cambridge, Mass.-based network traffic firm Akamai, made it three: “We saw no increase in activity on September 11. We had expected to see activity. But it was very quiet.” The big DDoS guns fired by al Qassam and other actors usually said to be connected to nation states in the Middle East may not have been out on 9/11, but the bad news is the jump in low-grade attacks. These may be small compared to the giant attacks unleashed by al Qassam, but they are plenty large enough to knock an unprepared credit union off line and, said the experts, most credit unions remain unprepared to adequately deflect DDoS assaults of just about any magnitude. “We are surprised how naive CUs are about DDoS,” said Kirk Drake, CEO of Hagerstown, Md.-based CUSO Ongoing Operations. “They don’t realize how easy it has become for just about anyone to aim DDoS at a target.” That is the rub, Terrence Gareau, principal research scientist for DDoS mitigation firm Prolexic in Hollywood, Fla., explained: “There is a very low barrier to entry for DDoS. We are talking $5 that will buy you 600 seconds of DDoS.” That may only be 10 minutes, but the plunger who can come up with $50 could put a credit union down for an afternoon. A chilling factoid via a report from Santa Clara, Calif.-based NSFOCUS, a DDoS mitigation firm: “Based on traffic analysis, there are 1.29 DDoS attacks occurring worldwide every two minutes, on average.” The company added, “Most attacks are short and small. The report found that 93.2% of DDoS attacks were less than 30 minutes in duration and 80.1% did not surpass a traffic rate of 50 Mbps.” By contrast, the data throughput in al Qassam attacks has sometimes exceeded 45 Gbps, meaning it is vastly larger. Van Abernethy, an NSFOCUS spokesperson, elaborated, “The main news – the press focuses on the big DDoS – but the reality is that unreported DDoS goes on all the time. There are a lot of small attacks.” And then it gets worse still: “Small attacks are often accompanied by data exfiltration attempts, especially at financial institutions,” said Abernethy. Verizon’s Novak agreed: “We are seeing where DDoS is used to distract a medium-size financial institution. While they are busy fighting off the DDoS, they don’t see that terabytes of data just walked out the door. That’s scary.” A similar warning was issued a few weeks ago by respected Gartner analyst Avivah Litan who said she knew of three instances where DDoS was used to distract financial institution security as fraud was committed. She declined to offer specific details. At CUNA Mutual, risk expert Ken Otsuka said that in the past year one loss associated with a DDoS attack had been filed. He also offered no specifics. Add it up, however, and the situation is grim. DDoS as a service – available for hire by those with a grudge or with criminal intent – is increasingly available, it is cheap, and at least some providers happily accept Bitcoin, the virtual currency with some anonymity built in.
Importantly, just about no technical skill is required, just a few dollars and a willingness to name a target. On the credit union front, the sense among experts is that the largest institutions – perhaps the top 25 or 50 – may have credible DDoS mitigation tools in place. As for the many thousands of others, the collective opinion is that probably most are unprotected. That could paint an attractive bull’s-eye for crooks. “There’s a trend where we see attacks going down market,” said Novak, “where the criminals are attacking smaller financial institutions because they don’t have the same defenses as the big banks.” Source: http://www.cutimes.com/2013/09/13/threat-of-the-week-sept-11-quiet-but-ddos-on-the-r


SatoshiDice hit by DDoS attack, but bets continue

Bitcoin gambling site SatoshiDice has recovered after being felled for several days by a DDoS attack. The site went down several days ago, and was inaccessible from the Internet. Erik Voorhees, who created the site and sold it for $11.5 million in July, no longer runs the site, but naturally still has insights into how it operates. DDoS attacks happen a lot to bitcoin gambling sites, he said. “They largely wasted their money,” he said of the attackers, pointing out that the website isn’t needed for the placing of bets. It simply provides information about bet statistics, and bitcoin addresses to send to. These addresses are constant, available outside of the main site, and can easily be retained by regular gamblers even when the site goes down, meaning that bets can still be processed. “They’d have to launch an attack against the whole bitcoin network,” Voorhees said. There is a back-end computer processing the bets, but this isn’t the same computer that hosts the website. Attackers could potentially disrupt betting if they were able to find that machine, but Voorhees points out that it could easily be moved. The attack didn’t seem to affect the site’s popularity in the long term. SatoshiDice vanity addresses made up eight of the most popular bitcoin addresses used on the network overnight. Source: http://www.coindesk.com/satoshidice-hit-by-ddos-attack-but-bets-continue/


DDoS Attacks Strike Three Banks

Izz ad-Din al-Qassam Cyber Fighters’ so-called Phase 4 of distributed-denial-of-service attacks against major U.S. banks hasn’t stalled, it’s just been ineffective at disrupting online availability, security experts say. The latest attacks have been sporadic and seemingly less targeted. U.S. banking institutions, which have been under attack since September 2012, have adapted their defenses, making their online-banking sites hard to take down, experts say. But Brobot, the botnet used by al-Qassam Cyber Fighters, is still active; it targeted banking institutions as recently as last week, says John LaCour, CEO of cybersecurity and intelligence firm PhishLabs. “PhishLabs can confirm that we detected QCF [Qassam Cyber Fighters] related DDoS attacks on Wednesday [Aug. 14] and Thursday [Aug. 15],” LaCour says. “Three large banks were attacked that we have seen targeted previously.” LaCour would not name the banks that were hit. He did say, however, attacks last week were linked to Brobot, and that Brobot still appears to be controlled by al-Qassam. Experts say they don’t feel Brobot has been leased out for hire, and that al-Qassam is still the group using the botnet against banks.

Disruptions at 2 Banks

JPMorgan Chase and Citigroup suffered intermittent online disruptions last week, according to Fox Business. Neither one of those banking institutions responded to Information Security Media Group’s request for comment. But according to tweets posted last week, Chase and Citi both acknowledged suffering site issues Aug. 15. “We’re experiencing issues with our website and Chase mobile,” Chase tweeted. “We apologize for the inconvenience. Please stay tuned for updates.” In its tweet, Citi said: “We are aware of system issues at this time. We are working to get the issue resolved.” Keynote, an online and mobile cloud testing and traffic monitoring provider, confirms both banks’ online banking sites did experience intermittent issues Aug. 15. But the cause of those online interruptions is not known, says Keynote’s Aaron Rudger. “The Chase banking website appears to have been unavailable from 8:55 a.m. ET until 10:21 a.m. ET,” he says. “Our monitoring agents reported DNS [Domain Naming System] lookup errors throughout that period, across the U.S.” DNS is the system that translates a website’s name, such as www.chase.com, into an Internet protocol address that’s assigned to a Web server for that site, Rudger explains. “Our monitoring agents did observe only a very small number of errors trying to download the Citibank homepage, starting at 12:52 p.m. ET,” he adds. “But that only lasted until 1:09 p.m. ET.” But other experts who asked to remain anonymous say the outage at Citi was not linked to Brobot; it was an internal technical issue.

What’s Next for Brobot?

Because attacks against banks are increasingly ineffective, some question what’s next for Brobot. Rodney Joffe, senior technologist at DDoS-mitigation provider Neustar, believes the attacks against banks are nearing an end. What’s next is anyone’s guess, he adds. But Joffe and others have suggested Brobot will likely soon be used to target other industries, especially those impacting critical infrastructure. The attackers will take aim at other targets to avoid admitting their campaign has been a failure, some suggest. “We’ll start to see disruptions that cause a little more fear in the U.S. public,” Joffe says. “We have heard about the compromise of water systems in small towns. I wouldn’t be surprised if we really start to see attacks like that.” Source: http://www.bankinfosecurity.com/ddos-attacks-strike-three-banks-a-6006


Analysis: Who’s Really Behind DDoS?

Now that Izz ad-Din al-Qassam Cyber Fighters has launched its fourth phase of distributed-denial-of-service attacks against U.S. banks, many observers are continuing to ask: Who’s behind this group, and what are the real motives? Is al-Qassam really an independent hacktivist group, as it claims? Does it have connections to a nation-state, such as Iran? Or does it have ties to organized crime? And is there a possibility that it has leased out its botnet to multiple groups? In this analysis, Information Security Media Group weighs the evidence. al-Qassam has been waging DDoS attacks against leading U.S. banking institutions and a handful of smaller ones since last September. The attacks, designed to disrupt online banking service, have, so far, proven to be more of a nuisance than a malicious threat. But the launch of this new phase, which was announced July 23, raises new questions about just who is behind Izz ad-Din al-Qassam.

The Group’s Message

Since the beginning, al-Qassam has positioned itself as a group of hacktivists – independent attackers who are waging online war against U.S. banking institutions to make a social statement. The group claims the catalyst for the attacks is a movie trailer on YouTube that it deems offensive to Muslims. And because YouTube has not removed links to this trailer, as al-Qassam has asked, al-Qassam is focusing its attack energies on America’s core – its financial foundation. In an Oct. 23 post on the open forum Pastebin, al-Qassam restated its purpose, and noted that the attacks are not being waged to perpetrate fraud. “We have already stressed that the attacks launch only to prevent banking services temporarily throughout the day and there is no stealing or handling of money in our agenda,” the group states. “So if others have done such actions, we don’t assume any responsibility for it. Every day we are giving a compulsive break to all employees of one of the banks and its customers.” The post also takes issue with statements made in October by U.S. Defense Secretary Leon Panetta, who during a speech about cybersecurity noted that industries touching critical infrastructure were at risk. “Mr. Panetta has noted in his remarks to the potential cyberthreats such as attacking on power and water infrastructures, running off trains from the tracks and etc.,” the post states. “In our opinion, Panetta’s remarks are for distracting the public opinion and in support of the owners of the banks’ capital. … This is capitalism’s usual trick.” Then, in November, an alleged member of al-Qassam told ABC News that its attacks were not backed by anyone, nor were they connected to the August 2012 attack on Aramco, a Saudi oil firm, which involved the deletion of data from tens of thousands of computers. “No government or organization is supporting us, and we do not wait for any support as well,” the self-proclaimed al-Qassam member wrote in an e-mail, ABC News reported. “Do you think that the massive protests in the world are done with support? [In] the same manner [that] millions of Muslims in the world protested, hackers are also part of this protest.” But many experts have questioned the protest motive and have expressed doubt that al-Qassam is what it says it is.

Experts’ Views

Financial fraud analyst Avivah Litan has repeatedly argued these attacks are actually being backed by a nation-state, namely Iran, not independent hacktivists. Others, such as Bill Wansley of the consultancy Booz Allen Hamilton, have shared similar opinions. “There are indications that it’s an Iranian group,” Wansley told BankInfoSecurity in late September 2012. “There are a lot of indicators it’s from that region of the world. But these hacktivist groups, frankly, can operate from a number of different locations and give the impression of being from one time zone when they’re really not. So it’s not conclusive. But there certainly have been some indicators, such as the use of Arabic names, Iranian names and the time zone [and the time of day when the first attacks struck] that would indicate something from that part of the world.” An unnamed source within the U.S. government quoted in the New York Times in May suggested Iran is backing attacks against the U.S. in retaliation for economic sanctions the U.S. has imposed on Iran. Many security experts, however, have been reluctant to attribute these attacks to any one type of actor. That’s because any attribution could only be based on circumstantial evidence in the online world, says Alan Brill, cybercrime investigator and senior managing director at investigations and risk-consulting firm Kroll. “You can’t accept crowd opinion for verified fact,” he says. “I think it’s still very difficult to attribute things like this, simply because the Internet was never designed to make that easy.” Although Brill admits he has not carefully reviewed the evidence linked to these attacks, he says attributing these types of attacks is challenged by attackers’ abilities to mask their points of origination with throw-away IP addresses and anonymous networks. “Unlike other forms of evidence, such as a fingerprint at a crime scene, which does not change, this stuff is just so fluid,” he says. “It’s very difficult to put all of the pieces together. And in the case of state actors, you’re not going to get a lot beyond circumstantial evidence.”

Reviewing Patterns

But what can the industry glean from the most recent attacks? Many experts say the more they learn about al-Qassam, the more confused they are. The group’s Pastebin announcements, attack schedules and breaks between attack campaigns have been inconsistent. Just as soon as the industry thinks it’s outlined a pattern, the pattern changes, as shown again in this fourth wave of attacks. Here, Information Security Media Group spells out some important factors.

Are They Really Hacktivists?

Support for the notion that al-Qassam is a hacktivist group stems from the fact that it claims itself to be one – and so far, no financial fraud or other type of data compromise has been linked to an al-Qassam attack. Banking regulators have warned of the potential for DDoS to be used as a mode of distraction for fraud to be perpetrated in the background. But so far, no account compromises have been associated with al-Qassam attacks. The group claims it’s waging its attacks for social reasons – outrage over a YouTube video deemed offensive to Muslims. That purpose would suggest this is just a group of hacktivists out for attention.

Is a Nation-State Involved?

But none of the industry experts interviewed for this analysis believes that is truly the motive. Hacktivists typically want attention. “There’s usually some bragging about what was accomplished,” Wansley said last year. “That’s the typical pattern of some of the hacktivist groups.” While al-Qassam bragged on Pastebin in the early weeks of its attacks, the bragging has waned over time. Hacktivists also often name their targets in advance. Al-Qassam did this early on, but as the attacks became less effective, that stopped. During the second and third campaigns, al-Qassam took credit after the attacks. Now, most of that post-attack bragging has stopped as well. And experts note that these DDoS strikes have been hitting U.S. banking institutions for nearly a year; a hacktivist group would need substantial funding to run an attack campaign that long. That’s why many believe al-Qassam is actually a front for a nation-state, a criminal network – or even a mix of both. “In this case, there’s a group that has an Arabic name that has never been associated with cyber-activity at all,” Wansley noted. “[The name has] been associated with Hamas. And for them to, all of the sudden, become a hacktivist group is just really interesting. We’ve never seen that before. That doesn’t mean they’re not doing it, but it could also mean they’re being used as a cover for some other country or organization to do something.” The timing of this fourth phase further supports the notion that al-Qassam is actually a nation-state actor, Gartner’s Litan contends. The Iranian presidential election, as well as elections for regional posts, occurred June 14. Litan says the attacks were expected to lapse during the election, assuming that the Iranian government is actually funding the attacks. “We all knew they’d be back after the election,” she says. “Really, this is just business as expected.” Based on information she’s gathered from law enforcement and some of the attacked banks, Litan concludes: “We know it’s Iran because the attacks have been traced back to them, through the files, through the servers.”

Is There a Criminal Connection?

But could there be a criminal element involved? Many experts say a connection to organized crime is possible, because the attackers waging these long-term, extensive DDoS strikes are likely getting funding from a nefarious source. But are there clues al-Qassam is waging its attacks for a criminal purpose? Brobot, al-Qassam’s botnet, keeps growing, experts say. While the attacks waged by Brobot have been unsuccessful at causing any significant online outages during the third and fourth phases, al-Qassam has continued to increase the botnet’s size. Why? Some argue the purpose is to rent out Brobot for a profit – perhaps to cybercrime rings. And attacks linked to Brobot this campaign may support the notion that Brobot is now being used by more than just al-Qassam. During the afternoon hours of July 30, Brobot was used to attack merchant sites, seemingly as a coding test for the attacks that kicked off July 31, says Mike Smith of the cybersecurity firm Akamai, which has been tracking and mitigating DDoS activity linked to al-Qassam. The only commonality among the July 30 targets: They all have the word “Da Vinci” in their website URLs, Smith and others confirmed. “There was no connection to banking at all,” Smith says. Source: http://www.govinfosecurity.com/analysis-whos-really-behind-ddos-a-5966


DDoS attacks getting bigger but shorter in duration

Distributed Denial of Service (DDoS) attacks are getting bigger, but their durations are getting shorter, according to an analysis released this week by Arbor Networks. During the first six months of 2013, the average size of DDoS attacks remained solidly over 2Gbps, Arbor reported — something the company has never seen before. Although the average may have been skewed during the period by the massive attack on Spamhaus in March, which reached 300Gbps at its zenith, large attacks in general have been going up too, Arbor found. From January to June this year, it said attacks exceeding 20Gbps more than doubled over 2012.

Several security experts agreed with Arbor’s analysis. Michael Smith, CSIRT director for Akamai Technologies, cited two factors affecting DDoS numbers during the period. “It’s just easier to do these days,” he said in an interview. “You can rent a botnet for $20.” He added that a hacktivist group known as the Izz ad-Din al-Qassam Cyber Fighters (QCF) has adopted a strategy that is also driving up the raw number of attacks and depressing their duration. “They attack multiple targets during the course of a day,” Smith explained. Not only do they attack multiple sites, but they don’t prolong an attack if they don’t see immediate results. “They’ll move from target to target after 10 or 20 minutes until they find one they can cause an immediate impact on,” Smith noted.

Attacks are becoming bigger because hackers have more resources to mount attacks than ever before, said Marc Gaffan, founder of Incapsula. “There’s more ammunition for hackers in the wild which is why attacks have grown in size,” he said.

New techniques have also contributed to the size of the attacks. For example, in the Spamhaus attack, hackers exploited openings in DNS servers to amplify the magnitude of their attacks on the website. They do that by sending a request to a server with an open DNS resolver. In the request, they spoof the address of their target so when the server answers the request, it sends its answer to the target. “When the resolver sends back the answer, which is larger than the question, it’s amplifying the attacker’s request,” Gaffan said. “Sometimes the answer can be as much as 50 times larger than the request,” he continued. “So an attack can be 50 times the original firepower used for the request.”

In addition to improving their techniques, hackers have also increased their efficiencies by shortening their attacks. They will hit a site long enough to bring it down, disappear into the ether, then return to take it down again just as it’s recovering from the initial attack. “When a website goes down, it takes time to bring it back up,” Gaffan said. “There’s no point continuing to fire at that target when it’s down. You want to conserve your ammunition and fly under the radar, because the more you fire the greater the chances of someone identifying you as the source of the fire.” The technique also allows the attackers to get better mileage from their resources. “They could hit multiple targets with a single piece of infrastructure as opposed to hitting one target for an hour,” Gaffan said.

Part of the reason attackers are sharpening their skills of deception is that defenders are getting better at blunting DDoS attacks. “The Internet as a whole is getting better at responding to these attacks,” said Cisco Technical Leader for Threat Research, Craig Williams. “We’ve seen DNS amplification shoot through the roof, but I suspect that’s going to start dropping with the addition of RPZs that can mitigate queries and people getting better at closing down open resolvers,” Williams told CSOonline.

Source: http://www.networkworld.com/news/2013/073113-ddos-attacks-getting-bigger-but-272389.html?page=2
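
From the resolver operator's side, the amplification described above shows up as a source address outside the served networks "receiving" far more bytes than were sent in its name. The following is an added example, not code from the article or the companies quoted; the log record layout, the served network range and the thresholds are assumptions, and the log lines are constructed.

```python
import ipaddress
from collections import defaultdict

# Assumed customer range this resolver is meant to serve (documentation prefix).
SERVED_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed resolver log records, not real traffic:
# (epoch_seconds, source_ip, qtype, query_bytes, response_bytes)
SAMPLE_LOG = [
    (1000, "192.0.2.10", "A", 60, 120),        # served client, normal lookup
    (1001, "192.0.2.12", "DNSKEY", 60, 1500),  # served client, large but legitimate
    (1001, "198.51.100.5", "A", 60, 120),      # outside client, tiny one-off query
] + [
    # Outside address that keeps "asking" for very large answers: with spoofed
    # queries, this source address is the likely target of the reflection.
    (1002 + i, "203.0.113.7", "ANY", 64, 3200) for i in range(5)
]

def is_served(ip):
    """True if the address belongs to a network the resolver should answer."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in SERVED_NETS)

def find_reflection_victims(log, window=60, min_factor=10.0, min_bytes=10_000):
    """Return {source_ip: (amplification_factor, response_bytes)} for suspects.

    Traffic is bucketed per source and time window, so short bursts stand out
    instead of being averaged away over a whole day.
    """
    buckets = defaultdict(lambda: [0, 0])  # (ip, window) -> [query, response] bytes
    for ts, src, _qtype, qbytes, rbytes in log:
        bucket = buckets[(src, ts // window)]
        bucket[0] += qbytes
        bucket[1] += rbytes

    suspects = {}
    for (src, _win), (qsum, rsum) in buckets.items():
        if qsum == 0 or is_served(src):
            continue  # served clients are expected; any other answer means an open resolver
        factor = rsum / qsum
        if factor >= min_factor and rsum >= min_bytes:
            worst = suspects.get(src)
            if worst is None or rsum > worst[1]:
                suspects[src] = (round(factor, 1), rsum)
    return suspects

if __name__ == "__main__":
    for ip, (factor, sent) in find_reflection_victims(SAMPLE_LOG).items():
        print(f"{ip}: {sent} bytes reflected, amplification x{factor}")
```

Any hit means the resolver is answering addresses it does not serve, so the fix is on the resolver itself: restrict recursion to the served networks, which is the "closing down open resolvers" step Williams refers to.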


DDoS: Lessons From U.K. Attacks

While U.S. banking institutions brace for the next wave of distributed-denial-of-service attacks by Izz ad-Din al-Qassam, new cyberthreat research reminds us that no industry or global market is immune to DDoS. A new study from online security provider Neustar shows that DDoS attacks are up in the United Kingdom, just as they are in the U.S., and they’re targeting everything from e-commerce sites to government. It’s not just banking institutions that DDoS attackers want to take down – a truth we’ve been preaching for several months. But now, data proves it.

Of the 381 U.K. organizations polled between May and June by Neustar, 22 percent said they suffered from some type of DDoS attack in 2012. By comparison, a survey of 704 North American organizations released in April 2012 showed that 35 percent had been targeted by DDoS within the last year. While the financial services sector has been the primary DDoS target in the U.S., telecommunications companies are the No. 1 target in the U.K., according to the Neustar survey, with 53 percent reporting attacks. Half of U.K. e-commerce companies and 43 percent of online retailers surveyed reported attacks. But only 17 percent of the U.K. financial-services organizations say they had been targeted, compared with 44 percent in the North American survey. The North American data is a bit out of date, so the percentage of financial institutions hit by DDoS is now probably even higher. And attacks aimed at U.K. organizations have been nowhere near as fierce as those waged against U.S. banks since September 2012.

More Attacks on Way

Now that al-Qassam has just announced plans for a fourth phase of attacks, we’re all bracing for more strikes against U.S. banks (see DDoS: Attackers Announce Phase 4). But the new survey sends a clear message: No organization is safe from DDoS. “As in North America, U.K. companies face serious challenges as they decide on DDoS protection and attempt to mitigate losses,” Neustar writes in its survey study. “While many companies are hoping traditional defenses will suffice, given the frequency of attacks, their growing complexity and the impact when sites go dark, such hopes are badly misplaced.”

U.K. organizations could learn quite a bit from the example U.S. banks have set. Experts have noted time and time again that European banks and others are not well-prepped for DDoS. Despite the fact that the attacks waged against U.S. banks have been among the largest the industry has ever seen, the percentage of U.S. organizations that experienced extended outages was much smaller than that of U.K. organizations, the surveys showed. The defenses U.S. banking institutions have put in place have set a new bar. We already knew that, but now Neustar’s survey results support it.

According to Neustar, while online outages lasting about 24 hours affected about 37 percent of both North American and U.K. organizations surveyed, outages lasting more than a week affected 22 percent in the U.K. and only 13 percent in North America. Having a site down for more than a week is an embarrassment, and costly. Can you even imagine a major banking institution’s site being down that long?

Banks in the U.S. are prepared for DDoS. But what about other organizations? Are non-banks getting ready for DDoS, or do they still see this as only a threat to banking institutions? What do you think? Let us know in the comment section below.

Source: http://www.bankinfosecurity.com/blogs/ddos-no-industry-safe-p-1524
