There’s a new species of Distributed Denial of Service (DDoS) attack targeting name servers, which could be called the “nonsense name” attack. It can wreak havoc on recursive and authoritative name servers alike, and some of our customers at Infoblox have fallen victim to it, but it’s not always clear whether they were actually the targets.

The “nonsense name” DDoS attack works like this:

– An attacker chooses a zone to attack, say foo.example.
– A botnet controlled by the attacker generates random domain names in the zone, with nonsense first labels, such as asdfghjk.foo.example and zxcvbnm.foo.example.
– The bots send many queries for those domain names to recursive name servers.
– Those recursive name servers, in turn, send queries to foo.example’s authoritative name servers for those domain names.
– The authoritative name servers send responses saying that the domain names in question don’t exist (in the DNS business, what’s called an NXDOMAIN response).
– The recursive name servers relay that response to the original querier and cache the non-existence of the domain name.
– Lather, rinse, repeat.

Because every generated name is different, the cached NXDOMAIN answers never help: each new query is a cache miss that has to be sent upstream. If the attacker can generate queries quickly enough, the aggregate query rate will overwhelm the foo.example name servers. That’s when the fun really starts:

– The bots continue sending queries for the generated domain names to recursive name servers.
– Now that the authoritative name servers have stopped responding, the recursive name servers take much longer to process each query. In the case of the BIND name server, the name server can wait 30 seconds and send dozens of (unanswered) queries before giving up.
– This uses up recursive query slots on the recursive name server, which eventually runs out and denies additional recursive queries, some of them legitimate.
When this happens, a BIND name server sends a message like the following to syslog:

  Jan 21 14:44:00 ns1 named[4242]: client 192.168.0.1#1110: no more recursive clients: quota reached

At that point, the name server will refuse additional recursive queries, denying service to clients.

Who’s the target?

In most cases, the organization running the authoritative name servers (in this example, those for foo.example) seems to be the target. For example, some of the domain names in attacks we’ve seen are used by Chinese gambling sites. (Maybe someone is trying to exact revenge on the house for some tough losses?) However, the recursive name servers involved end up as collateral damage in the attack. Could they have actually been the targets? We’ve seen some evidence of this. Some of the zones involved in attacks against our customers have mysteriously disappeared a day or two after the attack, indicating that they likely weren’t in active use (and in fact were probably registered in a “Domain Tasting” scheme). The attackers could have deliberately registered these zones with slow or unresponsive name servers, so that resolution of domain names in the zone would take as long as possible. Of course, regardless of the target, the mechanism behind the attack remains exactly the same.

Mitigation

Generally speaking, you’d notice a nonsense name attack when your recursive name server starts running out of recursive query slots, as evidenced by the syslog message above. These messages provide the IP addresses of the queriers denied access by the lack of slots. Keep in mind that the address in the message is the client that was refused, not necessarily a bot: the bots’ queries are the ones already holding the slots, and the refused client may be perfectly legitimate. First, ask yourself whether the IP addresses in the messages are addresses your name server should be serving. If not, you may be able to simply configure your name server with an access control list (in BIND, allow-recursion) to restrict recursion to authorized queriers. If the malicious queries are coming from legitimate IP addresses, clearly you’ll need to use another mechanism.
One possibility is to use BIND’s very handy Response Policy Zones (RPZ) feature to temporarily prevent your name server from sending queries for the troublesome zone. An RPZ rule to prevent your name server from looking up foo.example domain names could be as simple as:

  *.foo.example.your.rpz.zone. IN CNAME .

You also need to set the response-policy option qname-wait-recurse to no. This will cause your name server to respond to queries for domain names in foo.example with NXDOMAIN without querying the foo.example name servers. (With qname-wait-recurse left at its default of yes, BIND recurses for the name first and only then applies the QNAME policy, which defeats the purpose here. Note also that the wildcard matches names below foo.example, not the zone apex itself.)

If your recursive name servers don’t run BIND 9.10 yet (the first version of BIND that supports this option), or don’t run BIND at all, you can still temporarily set up an empty foo.example zone to prevent your name server from trying to look up data in the misbehaving one. The zone data file would be minimal:

  @  IN SOA ns1 root 2015010700 1h 15m 30d 10m
     IN NS  ns1

Configure your recursive name server as authoritative for the zone (a master zone pointing at this file) and it’ll simply answer most queries for foo.example domain names with NXDOMAIN (except queries for foo.example’s SOA or NS record, obviously). Just remember that the RPZ rules or zone configuration are temporary. After the attack ends, you’ll need to remove them to be able to resolve domain names in the zone again.

The good folks at the Internet Systems Consortium, who develop the BIND name server, are also working on new mechanisms to address the issue more subtly, by introducing two new configuration options: fetches-per-server and fetches-per-zone. fetches-per-server places a limit on the number of concurrent queries a recursive name server can have outstanding to a single authoritative name server. The imposed limit is actually dynamic, and adjusted downward based on timeouts experienced when querying the authoritative name server. fetches-per-zone places a limit on the number of concurrent queries a recursive name server can have outstanding for a single zone. Between these two features, administrators should be able to reduce the chance that their BIND name servers will be victims, inadvertent or not, of nonsense name DDoS attacks like these.

Source: http://www.networkworld.com/article/2875970/network-security/a-new-kind-of-ddos-threat-the-nonsense-name-attack.html
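The quota message tells you which clients were refused, but not which zone is being flooded; to pick an RPZ target you also need the query log (or the dump written by rndc recursing). The following is an added example, not code from the original article, Infoblox or ISC. It parses a few constructed BIND query-log and syslog lines, flags zones that received many distinct, high-entropy first labels (the nonsense-name signature), lists queriers that fall outside the prefixes the resolver is meant to serve (the ACL check suggested above), and emits RPZ records in the *.foo.example.your.rpz.zone. IN CNAME . form used above. The sample log lines, the served prefixes, the two-label zone approximation, the entropy and uniqueness thresholds, and the rpz zone name are all assumptions made for the example.

```python
"""Added example: find the zone behind a nonsense-name flood in BIND logs and
emit RPZ records for it. Not code from the original article, Infoblox or ISC."""
import collections
import ipaddress
import math
import re

# Constructed sample lines (not real traffic): BIND 9.10-style query-log entries
# followed by the recursive-client quota message quoted in the article.
SAMPLE_LOG = """\
client 192.168.0.1#1110 (asdfghjk.foo.example): query: asdfghjk.foo.example IN A + (10.0.0.53)
client 192.168.0.1#1111 (zxcvbnm.foo.example): query: zxcvbnm.foo.example IN A + (10.0.0.53)
client 203.0.113.7#40001 (qwertyuiop.foo.example): query: qwertyuiop.foo.example IN A + (10.0.0.53)
client 203.0.113.7#40002 (poiuytrewq.foo.example): query: poiuytrewq.foo.example IN A + (10.0.0.53)
client 192.168.0.2#2222 (www.example.com): query: www.example.com IN A + (10.0.0.53)
client 192.168.0.2#2223 (www.example.com): query: www.example.com IN AAAA + (10.0.0.53)
client 192.168.0.3#3333 (mail.example.com): query: mail.example.com IN MX + (10.0.0.53)
client 203.0.113.9#40003 (lkjhgfdsa.foo.example): query: lkjhgfdsa.foo.example IN A + (10.0.0.53)
Jan 21 14:44:00 ns1 named[4242]: client 192.168.0.1#1110: no more recursive clients: quota reached
"""

# Prefixes this resolver is supposed to serve (assumption for the example).
SERVED_PREFIXES = ["192.168.0.0/16", "10.0.0.0/8"]

# Matches both the older "client IP#port: query:" and the 9.10 "client IP#port (name): query:" forms.
QUERY_RE = re.compile(
    r"client (?P<ip>[0-9A-Fa-f.:]+)#\d+(?: \([^)]*\))?: query: (?P<qname>\S+) IN (?P<qtype>\S+)")
QUOTA_RE = re.compile(
    r"client (?P<ip>[0-9A-Fa-f.:]+)#\d+: no more recursive clients: quota reached")


def parse_log(text):
    """Return ([(client_ip, qname, qtype), ...], {client ips refused by the quota})."""
    queries, denied = [], set()
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            queries.append((m["ip"], m["qname"].rstrip(".").lower(), m["qtype"]))
            continue
        m = QUOTA_RE.search(line)
        if m:
            denied.add(m["ip"])
    return queries, denied


def zone_of(qname, depth=2):
    """Approximate the attacked zone as the last `depth` labels (assumption: a
    two-label zone such as foo.example; raise depth for zones like co.uk).
    Returns None for apex queries, which carry no nonsense label."""
    labels = qname.split(".")
    return ".".join(labels[-depth:]) if len(labels) > depth else None


def label_entropy(label):
    """Shannon entropy of the label's characters in bits; random labels score high."""
    counts = collections.Counter(label)
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def flood_candidates(queries, min_unique=3, min_entropy=2.5):
    """Zones that received many distinct, high-entropy first labels: the signature
    of a nonsense-name flood, where every query is a cache miss sent upstream.
    Returns [(zone, distinct_first_labels, mean_entropy, queries_seen)], busiest
    first. The thresholds are assumptions; tune them against your own query log."""
    first_labels = collections.defaultdict(set)
    seen = collections.Counter()
    for _ip, qname, _qtype in queries:
        zone = zone_of(qname)
        if zone is None:
            continue
        first_labels[zone].add(qname[: -len(zone) - 1].split(".")[-1])  # label right under the zone
        seen[zone] += 1
    hits = []
    for zone, labels in first_labels.items():
        mean_h = sum(label_entropy(l) for l in labels) / len(labels)
        if len(labels) >= min_unique and mean_h >= min_entropy:
            hits.append((zone, len(labels), round(mean_h, 2), seen[zone]))
    return sorted(hits, key=lambda r: (-r[1], r[0]))


def outside_served(ips, served_prefixes):
    """Queriers outside the prefixes this resolver should serve: ACL candidates."""
    nets = [ipaddress.ip_network(p) for p in served_prefixes]
    return {ip for ip in ips if not any(ipaddress.ip_address(ip) in n for n in nets)}


def rpz_records(zone, rpz_origin="your.rpz.zone"):
    """RPZ records in the article's form, answering NXDOMAIN for everything under
    `zone`. The wildcard does not match the apex, so the apex gets its own record."""
    return [f"*.{zone}.{rpz_origin}. IN CNAME .", f"{zone}.{rpz_origin}. IN CNAME ."]


def report(log_text, served_prefixes):
    """Everything an operator wants from one log excerpt, as a dict."""
    queries, denied = parse_log(log_text)
    zones = flood_candidates(queries)
    queriers = {ip for ip, _, _ in queries} | denied
    return {
        "denied_by_quota": sorted(denied),
        "flood_zones": zones,
        "unexpected_queriers": sorted(outside_served(queriers, served_prefixes)),
        "rpz_records": [rec for zone, *_ in zones for rec in rpz_records(zone)],
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE_LOG, SERVED_PREFIXES).items():
        print(f"{key}: {value}")
```

On the sample, foo.example is the only zone flagged, the two 203.0.113.0/24 queriers fall outside the served prefixes, and the one client refused by the quota (192.168.0.1) is a legitimate one, which is exactly the collateral damage the article describes. Put the emitted records into the RPZ zone file under a normal SOA and NS apex and reference it with response-policy { zone "your.rpz.zone"; } qname-wait-recurse no; in named.conf. Treat the entropy threshold as a starting point: legitimate CDN and tracking hostnames also carry random-looking labels, so check a candidate zone against rndc recursing output before blocking it.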
Tag Archives: ddos-defense
Malaysia Airlines Website Hacked by Group Calling Itself ‘Cyber Caliphate’
Airline’s Site Attacked by Group Claiming to Be Aligned With Islamic State Malaysia Airlines had its website hacked by a group that appeared to be trying to settle a score with a U.S. videogame company. Most visitors to MalaysiaAirlines.com for several hours Monday saw a message that said “ISIS WILL PREVAIL” at the top of their browser’s window, and the airline’s ticket booking and other services were unavailable. Instead, a large picture of a Malaysia Airlines Airbus Group NV A380 plane and the messages “404-Plane Not Found,” and “Hacked by Cyber Caliphate,” were displayed. Later, the site displayed a different image: a tuxedo-adorned, pipe-smoking lizard sporting a top hat and monocle. “Hacked by Lizard Squad, Official Cyber Caliphate,” it said, giving the Twitter handle for a group called Lizard Squad. A group calling itself Lizard Squad in December claimed responsibility for a cyberattack on videogame servers of Sony Corp. and Microsoft Corp. Later Monday, the carrier replaced the hacked version of its site with a pared-down version that allowed users to book flights. Both images displayed the Twitter handles for the accounts of what appear to be two men who work for Roxana, Illinois-based U.S. gaming company UMG, which hosts videogame events across the U.S. “We were not involved in any website being hacked in any way,” one of the men, Chris Tuck, told The Wall Street Journal via a direct message on Twitter. “The group who did it is a group of kids who aren’t fond of our company,” he said. “I presume they added our names to either scare us or warn us.” The other man whose handle was shown, UMG Chief Executive Robert Terkla, couldn’t be reached for comment. The Twitter timeline for Lizard Squad revealed recent Tweets directed at the two men about the alleged banning from events of certain gamers. It was unclear whether the gamers allegedly banned were involved with Lizard Squad. 
The owner or owners of the Lizard Squad Twitter account didn’t immediately respond to a request for comment via Twitter. It was unclear why Malaysia Airlines was targeted. The airline’s loss of two aircraft last year, which left 537 people dead or missing, brought global attention to Malaysia Airlines, which to that point hadn’t been widely known outside the region. In a statement, the company said its web servers are “intact” and customer bookings and data are secure. It said that its domain name system was compromised. Malaysia Airlines said the matter was immediately reported to CyberSecurity Malaysia, a forensics and analysis agency under the Ministry of Science, Technology and Innovation, and the Ministry of Transport. CyberSecurity Malaysia Chief Executive Amirudin Abdul Wahab said its investigation determined that it was a case of domain hijacking. Domain name servers are Internet phone books that translate Web domain names, such as MalaysiaAirlines.com, into numeric addresses computers use to reach individual machines. Tampering with domain names to divert traffic from the intended site would generally require less sophistication than a more complex breach in which a company’s servers are compromised and data is exposed. In December a group called Lizard Squad claimed responsibility for attacking Sony’s PlayStation Network and Microsoft’s Xbox Live videogame services. The group said that attack was a distributed denial of service attack, which disrupts websites by overwhelming them with data traffic. Source: http://www.wsj.com/articles/malaysia-airlines-website-hacked-by-group-calling-itself-cyber-caliphate-1422238358
DDoS dilemmas: how far can you predict attacks, and what can be done?
Distributed Denial of Service (DDoS) attacks are back in the news; it seems that barely a month goes by without media reports of a website or service being brought down by a DDoS attack. Sony’s PlayStation Network again became the victim of such an attack recently, while hacking group Anonymous is on an offensive to disable extremist websites. DDoS attacks come in a variety of shapes and sizes. However, the aim of a DDoS attack is always the same: to saturate a server with so many requests that it simply cannot cope, leaving legitimate users unable to connect. Attackers will sometimes use their own network of computers to launch DDoS attacks, but it is now more common for them to use a network of PCs across the world that have been infected with malware capable of joining in a DDoS attack without the owner’s knowledge. We’ve written before about the easy availability of DDoS attack kits, which anyone can download and use to launch their own attacks. DDoS attacks were one of the primary methods used by Anonymous and LulzSec against their victims: the Vatican, the Church of Scientology and the Australian government were all hit, as were Amazon, PayPal, MasterCard and Visa in response to their perceived lack of support for whistleblowing website WikiLeaks. Some of these big-name companies could perhaps have predicted a DDoS attack was on its way; taking a stance against Anonymous would often leave a company in its firing line. In fact, Anonymous often warned targets that an attack was imminent. But for many other businesses, predicting a DDoS attack is difficult, and the results can be disastrous: loss of revenue-generating applications as well as reputational damage can negatively impact a business for years. Why would a company be a target for DDoS attacks? Hacktivism is certainly one reason; competition with rival businesses is another. But beyond that, it is tough to establish whether a business is at risk and, if so, from whom.
With the exception of the aforementioned Anonymous messages, DDoS attacks can start without warning. So while predicting an attack may be difficult, protecting against one is less so. There are ways a company can keep its applications, services and even its whole network online without stopping legitimate traffic. A sophisticated firewall manager, application security manager and local traffic manager combined provide the protection needed to mitigate DDoS attacks, from blocking attack traffic to re-routing legitimate requests to ensure uptime. Analysis is also key: understanding who is attacking you, as well as how and why, can help prevent an attack from causing too much damage and can help protect against future attacks. Establishing which layer is being attacked (application, network or session, for example) will help a company know where to focus its resources, and intelligent firewall management will be able to inspect all traffic coming into a network and stop traffic that is coming from a DDoS attack. Source: http://memeburn.com/2015/01/ddos-dilemmas-how-far-can-you-predict-attacks-and-what-can-be-done/
The Dirty hit by DDoS attack
The FBI is on the hunt for hackers who shut down Nik Richie’s website The Dirty ... and the reality star tells us he’s hemorrhaging money. The Dirty has been down for weeks after a team of hackers began hitting the site with a DDoS attack, which floods a server with so many requests that it shuts down. Nik tells us he contacted FBI investigators and they’re on the case. Richie says he’s lost $250-300K this month alone in Super Bowl ads he couldn’t deliver. He’s also losing out because of cancelled appearances, since he promotes them on his site. Nik is blunt ... “These hackers are hypocrites. My website promotes free speech. F****** losers.” Source: http://www.tmz.com/2015/01/20/the-dirty-hacked-nik-richie-fbi-investigation-ddos-attack/
French DDoS attacks spike after terror protest
The firm leveraged its Arbor Atlas initiative, which receives anonymised internet traffic and DDoS event data from 330 internet service providers (ISPs) worldwide, to view events in France in the days after the protest, which was in response to the Charlie Hebdo shootings that left 20 people dead. The magazine was targeted by ISIS sympathisers and others unhappy with the satirical magazine’s ridiculing of Islam, including its depiction of the Prophet Muhammed. The publication also satirised other religions. Comparing the DDoS attacks between January 3-10 and 11-18, the US security firm found that there were 11,342 unique attacks, an average of 708 attacks a day, during the 16-day period. However, the firm noted in a recent blog post that the number of DDoS attacks after the march rose by 26 percent, with the average size of DDoS attack growing 35 percent: in the eight days prior to the march the average size was 1.21Gbps, and this later increased to 1.64Gbps. The vast majority of these DDoS attacks were low-level, although the number of attacks larger than 5Gbps did double in the days after the protest. Arbor reports that one attack measured as high as 63.2Gbps on January 11. “This is yet another striking example of significant online attacks paralleling real-world geopolitical events,” wrote Arbor’s threat intelligence and response manager Kirk Soluk. Speaking to SC after it first emerged that ‘thousands’ of French websites were facing cyber-attacks, Corero Network Security CEO Ashley Stephenson said that DDoS attacks were increasingly being used as an attack tool during international conflicts. “Whatever the motivation – cyber-terrorism, retaliation, religious incitement, radicalisation… It is clear that modern conflicts will be fought in the cyber-world as well as the real world,” he said via email. “The internet should be better protected against all of these associated cyber-threats. 
Increasingly we are seeing DDoS used as a tool in and around these conflicts and we should be prepared to institute increased cyber-security to protect this vital resource.” Last week, Admiral Arnaud Coustilliere, head of cyber-defence at the French military, said that about 19,000 French websites had faced cyber-attacks in the days after the shootings, although one source closely connected with the clean-up operation for some of these sites later told SC that hacking groups from Tunisia, Syria, Morocco, the Middle East and Africa had largely ignored DDoS as an attack vector because such attacks “didn’t work”. Instead, Gérôme Billois, senior manager of Solucom, said that these groups – also believed to often be ISIS sympathisers – had looked to scan thousands of websites to identify and exploit common WordPress, Joomla and other content management system (CMS) vulnerabilities. Source: http://www.scmagazineuk.com/french-ddos-attacks-spike-after-terror-protest/article/393796/
Thousands of French Websites Face DDoS Attacks Since Charlie Hebdo Massacre
Nineteen thousand French websites have been attacked since the Charlie Hebdo terrorist attacks last week, according to French military head of cyberdefense Adm. Arnaud Coustilliere. The attacks have been carried out by a variety of hackers, including “more or less structured groups” and some well-known Islamic groups, Coustilliere said. Most have been minor DDoS attacks, carried out on sites for everything from military regiments to pizza shops. “What’s new, what’s important, is that this is 19,000 sites — that’s never been seen before,” the Associated Press quoted Coustilliere as saying. “This is the first time that a country has been faced with such a large wave of cyber-contestation.” The Huffington Post published a story earlier this week on Algerian hackers attacking French sites in response to the publication of offensive images by the French magazine. Those hackers included members of a group called Anonymous Algeria, though the similarly named group Anonymous explicitly expressed support for Charlie Hebdo while vowing to disrupt terrorist websites. Coustilliere characterized the attacks as a response to the public outpouring of support for free speech and the victims of the attack. Arbor Networks counted 1,070 DDoS attacks in a 24-hour period this week, CBC said. For comparison, Arbor says the US hosts 30 times more sites and suffered four times more attacks, meaning French sites are roughly 7.5 times as likely to be attacked. Jihadist hackers also hacked US military social media accounts on Monday, and the intersection of hacking with the revived “war on terror” promises to further muddy a whole raft of long-awaited regulatory reforms related to internet communication and security. The European Union and UK have both suggested more monitoring of internet communication is necessary since the attacks. Source: http://www.thewhir.com/web-hosting-news/thousands-french-websites-face-ddos-attacks-since-charlie-hebdo-massacre
The Evolution of Web Application Firewalls
Technological advances related to computing and the Internet have affected every one of us. The Information Revolution that the Internet has made possible is affecting society just as dramatically as the Industrial and Agricultural Revolutions of the past, but there is an unpleasant side to progress. Criminal use of the Internet, or hacking, is an unavoidable part of information technology development. Hackers have gained unauthorized and undesirable access to information, sometimes with far-reaching consequences. Innovations in hacking have in turn led to the development of protection methods and devices commonly known as web application firewalls (WAFs).

An application firewall is a form of firewall which controls input, output, and/or access from, to, or by an application or service. It operates by monitoring and potentially blocking the input, output, or system service calls which do not meet the configured policy of the firewall. A web application firewall does much more than a consumer’s computer firewall. Consumer-level firewalls work by blocking access to certain ports. Web-facing software such as the Apache web server, WordPress and Microsoft’s Office web services needs an extra level of protection against malicious users, and WAFs provide it by inspecting the HTTP requests and responses passing through them and checking their conformity to pre-set rules. A WAF fulfills a web user’s need to protect both internal and public web applications, whether locally (on-premises) or remotely (cloud-hosted), against unauthorized access attempts. According to the statistics the author cites, cyber attacks are increasing by 30% every year, while successful breaches are increasing at twice that rate, 60% a year: in plain English, more attacks are getting through. Basic consumer-level cyber security measures are essential and are an urgent call on companies’ financial resources, but they are not enough.

If a company has a website then that website must be protected using a WAF against unauthorized intrusion by hackers. The need to protect customers’ data is even more important than the need to keep the website live. If there is a security breach, the negative effects of the attendant publicity and loss of trust are immeasurable. So how have application firewalls been evolving? Web application firewalls have been evolving rapidly and becoming more sophisticated, with the objective of protecting websites and customer data from increasingly sophisticated attacks and unauthorized access. Hackers’ methods have become more devious and WAF sophistication has increased correspondingly, as part of the information security industry’s fight back against criminals stealing data and malicious hacking. The more evolved WAF solutions are capable of preventing attacks and unwanted intrusion on any website. Modern web application firewalls generally ship with default rule sets tuned to keep false negatives and false positives low, and are designed to work without the operator needing any knowledge of the application’s source code. A WAF has become crucial in detecting and preventing any attack that is masquerading as network access by a legitimate user.

Understanding interactions

Web application firewalls need to do much more than just see the traffic: they need to understand every request passing through them and to evaluate the risk it represents. This risk evaluation ability enables a WAF to analyze visitors based on reputation and behavior. The old adage of prevention being the best cure still holds true and is very relevant here. Instead of blocking an attack as and when it occurs, a WAF should see it coming by understanding and tracking visitor behavior. It should be proactive.

More than in-depth inspection

Historically, web application firewalls have always performed an in-depth inspection of any access route to the protected sites. The modern evolution of web application firewalls goes beyond in-depth inspection of access routes: modern WAFs are deployed in-line in the form of reverse proxies. Sitting in the request path, they see every request and response, which also lets them collect the access logs used later to audit the protected site or to analyze the protected web applications. Simplicity of use is vital, so the modern web application firewall has evolved to the extent that it can be deployed out of the box with no user setting changes necessary. New-age WAFs such as Incapsula’s are constantly learning and are able to stop threats that have never been seen before by analyzing their payloads and finding similarities to previous threats. They are updated frequently, and monitoring is available on some plans to ensure maximum protection for your site and your customers. Modern firewalls have also gained features that revolve around transparent proxy and bridge modes, which enable WAFs to integrate easily with other network security technologies such as vulnerability scanners, protection applications, distributed denial of service prevention, database security solutions, and web fraud detection. Another noticeable evolution is that modern WAFs are packaged to include content caching, as well as web access management modules designed to provide single sign-on, especially for distributed web applications.

Concluding thoughts

There are massive advances going on in the field of web application firewalls. Modern firewalls are devised to provide maximum protection against hacking and easy detection and filtering of both known and unknown threats, while at the same time minimizing false alerts. Are you aware of the level of protection that your web application firewall offers? Does it protect you against a DDoS attack? Does it protect your customers’ login and credit card details adequately? Source: http://tech.co/evolution-web-application-firewalls-2015-01
Extratorrent down – Massive DDoS attack against popular torrent website
The world’s number 4 torrent website is down following a massive Distributed Denial of Service (DDoS) attack by unknown hackers. The website seems to have been down for 23 hours, coming online briefly before throwing up a 503 service error. The ExtraTorrent admin took to Twitter to tell its fans about the DDoS attack. ExtraTorrent was one of the more popular torrent websites in 2014. It has grown in size due to more traffic and has moved up again in the top 10, now placed as the 4th most-visited torrent site by torrent ranking websites. This success didn’t go unnoticed by rightsholder groups such as the MPAA, which recently called out ExtraTorrent as one of the top pirate sites. The site was forced to trade in its .com domain for .cc this year, after it was suspended by its domain registrar. Isitdownrightnow says that ExtraTorrent has been down for the past 23 hours (at the moment it says 4 minutes, because the website sprang to life for a few seconds before going down again). While the admin says it’s a DDoS attack by unknown hackers, the actual reason may be a takedown by authorities or a revenge DDoS by the music and movie companies. Earlier, Sony had allegedly undertaken a similar kind of DoS attack to stop torrent sites from sharing the files from the massive hack attack. Readers may note that only two days ago around 13 Hollywood movie screener versions were leaked and shared on torrent websites. These movies are considered prime Oscar award contenders, and it is thought that one of the guild members or his/her associates may have leaked these screener versions. Source: http://www.techworm.net/2015/01/extratorrent-down-hackers-launch-ddos-attack.html
Anonymous vows to take down jihadist websites to avenge ‘Charlie Hebdo’ victims #OpCharlieHebdo
Hacker group Anonymous has vowed to avenge those killed in the deadly attack on the offices of French satirical magazine Charlie Hebdo by taking down jihadist internet sites and social media accounts. In a video uploaded to the Anonymous Belgique YouTube channel, a figure wearing the group’s signature Guy Fawkes mask condemned the attack that killed 12 people, including eight journalists. The video description addresses the message to “al-Qaeda, the Islamic State and other terrorists.” “We are fighting in memory of these innocent people today who fought for freedom of expression,” stated the disguised person in the video. The group included a link to the anonymous data-sharing site Pastebin with a list of Twitter accounts it claims are linked to jihadists. The group is using the hashtag #OpCharlieHebdo to urge other users to help them take down the accounts by reporting them to Twitter, or by participating in a Distributed Denial of Service (DDoS) attack, a practice commonly used by the hacker group. “Anonymous should remind each citizens (sic) that the press’s freedom is a fundement of the democracy. Opinions, speech, newspaper articles with no threats nor pressure, all these issues are rights you can’t modify,” read a statement posted to Pastebin by the group Thursday. “Expect a massive reaction from us, simply because this freedom is what we’ve been often fighting for.” Wednesday’s attack in Paris has not been linked to ISIS; numerous reports have suggested it is more likely to be connected to the Yemen-based al-Qaeda in the Arabian Peninsula. On Friday, Charlie Hebdo suspects Cherif Kouachi, 32, and Saïd Kouachi, 34, were killed after police stormed the building where they had been holed up for more than five hours. The third suspect, Hamyd Mourad, 18, surrendered to police early Thursday. 
Source: http://www.finditwestvalley.com/world/anonymous-vows-to-take-down-jihadist-websites-to-avenge-8216charlie-hebdo8217-victims-h46362.html
Nordea bank’s online services hit by DDoS Attack
Nordea Bank Finland said on Friday that its online banking services had been hit by a denial of service attack, on the heels of Wednesday’s attack on OP-Pohjola, another Finnish financial services group. Nordea said that its online banking system suffered a denial of service attack which started on Friday morning. As a result, the services have been working much more slowly than usual. In addition, fixing the problem and additional security measures might cause service interruptions. According to the bank, the attack has not affected the use of its credit or debit cards or other services. Marko Mettenranta, spokesperson for Nordea, told Finnish national broadcaster YLE that the bank has contacted the police about the attack and that measures are underway to fix the problem. A denial of service attack essentially makes an online resource or service unavailable to its intended users. The National Bureau of Investigation of Finland is investigating OP-Pohjola’s case, saying that the attacks came from both Finland and abroad. Source: http://www.dailytimes.com.pk/business/04-Jan-2015/nordea-bank-s-online-services-hit-by-hackers