Tag Archives: ddos-defense

#CLOUDSEC2017: DDoS: Large Attacks Shake the Internet but Modest Attacks Cause More Business Damage

Speaking at CLOUDSEC 2017 today Ashley Stephenson, CEO of Corero, explored innovation in DDoS mitigation and ways to defeat the modern day DDoS attack. Stephenson said that whilst, in the last five years, there have been various large-scale DDoS attacks that have made national or even global headline news, these are not good examples of the types of attacks that companies are suffering from day-to-day. Instead, he explained that it is the frequent, modestly sized, short duration modern DDoS attacks that are the real problem as they actually cause organizations the most damage regularly, and it’s those types of attacks that businesses should be focusing on. “The headline-grabbing attacks aren’t always the ones that you really have to worry about with regards to improving your security posture for your business,” Stephenson argued. “Those high-profile attacks are really just the tip of the iceberg. There is much more activity that ends up in real terms doing more harm to businesses below the waterline. If you’re not doing something today to protect your business against these types of threats, then you are exposed.” The reality is, he added, protecting against the everyday types of attacks is something you can do a lot about and you can inform yourselves much more clearly about the consequences and the types of vectors being used through the use of good technology products that are aimed at DDoS specifically. “The very large, internet-overpowering events that occur might make the internet itself creak in certain geographies or services, but there’s very little you can do as an individual corporation to deal with those issues,” Stephenson concluded. Source: https://www.infosecurity-magazine.com/news/cloudsec2017-ddos-large-attacks/

See the original post:
#CLOUDSEC2017: DDoS: Large Attacks Shake the Internet but Modest Attacks Cause More Business Damage

America’s Cardroom, WPN Hit by DDoS Attack Again

It had been a while, but America’s Cardroom seemed due for another cyber attack. Yup, leading into the Labor Day weekend, ACR and its network, the Winning Poker Network, were hit with a Distributed Denial of Service (DDoS) attack, something that is unfortunately not a unique event for either the online poker room or the network. The attack began Thursday evening, affecting, among many other games, ACR’s Online Super Series (OSS) Cub3d. Problems continued all the way through Saturday. America’s Cardroom initially tweeted about the issues at about quarter after eight Thursday night, writing, “We are currently experiencing a DDOS attack, all running tournaments have been paused. Will keep you updated.” A half hour later, ACR announced that it was cancelling all tournaments in progress and providing refunds per the site’s terms and conditions. At about 9:00pm, the site was back up, but the DDoS attacks continued, causing poker client interruptions less than two and a half hours later. Problems continued well into Friday morning until ACR and WPN finally got things under control (temporarily) close to noon. The pattern continued that evening, with games going down after 6:00pm Friday and then resuming, and going down again after 7:00pm. Finally, around noon Saturday, ACR’s techs seemed to get a handle on things “for good.” In a Distributed Denial of Service attack, the attacker (or attackers) floods a server with millions of communications requests at once. It’s not a virus or a hack or anything malicious like that, but the communications overwhelm the server and grind it to a halt. Think of it like the traffic jam to end all traffic jams. It wouldn’t be THAT big of a deal if the attack was coming from one source, but since it is “distributed,” the attacker arranges it so that it originates from literally millions of IP addresses. It makes defending one’s network insanely difficult. To use another brilliant illustration, if you are trapped in a house and a zombie horde is coming for your juicy brains, it’s scary and awful, but if all the zombies decide to come in through the front door, you can probably handle it if properly equipped. If they surround you and just crash in through every door, window, and mouse hole like in Night of the Living Dead, might as well develop a taste for human flesh because you’re screwed. As with other DDoS attacks, the network was contacted by the aggressor, who demanded a ransom of some sort. WPN CEO Phil Nagy went on Twitch and said he refused to cave to any demands. He even posted a brief series of messages from the attacker, who said he was doing it on behalf of a competing poker room (all spelling mistakes what-not his): this is my job anouther site give me money for doos you and i ddos you this is my job Nagy said that he hoped that by at least making it public that it may be another site responsible for the DDoS attack that it will make someone nervous that they could get caught and the attacks will subside. WPN first experienced a major DDoS attack in December 2014, during its Million Dollar Sunday tournament, when it caused disconnections, lag, and registration problems. It happened again in September 2015 and again in October 2015. The network will be re-running many of the tournaments, including the OSS and MOSS, and will cut the buy-in of the million dollar guaranteed OSS tourney in half as well as add an extra Sunday Million. Source: https://www.pokernewsdaily.com/americas-cardroom-wpn-hit-ddos-attack-30342/

Alleged UK Bank Hacker Extradited From Germany

U.K. officials have extradited the man who allegedly masterminded a cyberattack earlier this year that impacted two of England’s biggest banks. They have accused 29-year-old Daniel Kaye, who was found in Germany, of using an infected computer network to damage and blackmail both Barclays and Lloyds Banking Group, The Financial Times reported. Following the cyberattack, Lloyds found its digital services crippled on and off for over 48 hours in January 2017, preventing some customers from being able to check their bank balances or send out payments via the network. The assault was a distributed “denial of service” (DDoS) attack, which overwhelms a firm’s website so its services don’t operate properly. The same month, Barclays fought off their own cyberattack, according to the National Crime Agency. These cybercrime attacks occurred just months following a high-profile cyberattack against Tesco Bank that caused 9,000 people to have their money stolen from accounts. HSBC also saw an attack against its personal banking website and mobile app in 2016, causing thousands of customers to be locked out of their accounts. “The investigation leading to these charges was complex and crossed borders,” said Luke Wyllie, the National Crime Agency’s senior operations manager. “Our cybercrime officers have analyzed reams of data on the way. Cybercrime is not victimless, and we are determined to bring suspects before the courts,” the Financial Times reported. Daniel Kaye is also being accused of operating a cyberattack against Liberia’s largest internet provider, Lonestar MTN. Kaye is scheduled to appear in the U.K.’s Westminster Magistrates Court on Aug. 31. “In January, we were the target of a substantial distributed denial of service (DDoS) attack,” Lloyds Banking Group said in remarks according to news by the Financial Times . “This was successfully defended but resulted in intermittent and temporary service issues for some customers. There was no attempt to access the bank’s systems and no customer details or accounts were compromised.” Source: http://www.pymnts.com/news/security-and-risk/2017/cybercriminal-daniel-kaye-extradited-following-ddos-cyberattacks/

Google pulls 300 Android apps used for DDoS attacks

A number of security researchers teamed up to fight the WireX botnet. If a random storage manager or video player you downloaded recently has disappeared from your Android device, don’t worry: it might have been for your own good. Google has removed 300 apps from the Play store, which were apparently merely masquerading as legitimate applications. In truth, they were made to hi-jack your phone so it can be used as part of a botnet’s distributed denial of service (DDoS) attacks. WireX, as the botnet is called, pummeled several content providers and delivery networks with traffic from the devices it hi-jacked on August 17th, though it’s been active since around August 2nd. In some cases, it also acted as a ransomware, demanding money from its victim. It was content delivery network Akamai that discovered its existence following an assault on one of its clients. The company then got together with Google and several security researchers from rival companies like Cloudflare, Flashpoint, Oracle + Dyn, RiskIQ, Team Cymru and other organizations to solve the issue. Upon learning that the Play Store is inundated with hundreds of fake WireX apps hiding behind the guise of innocuous programs like storage managers and ringtones, the big G did its part and blocked them all. Here are a few samples of infected apps: In a statement, Mountain View said it’s now also in the process of removing applications from affected devices. It’s unclear how long that would take, though, since based on the team’s research, WireX compromised over 70,000 devices from over 100 countries. Source: https://www.engadget.com/2017/08/29/google-pulls-300-android-apps-wirex-ddos/

Taken from:
Google pulls 300 Android apps used for DDoS attacks

Critical infrastructure not ready for DDoS attacks: FOI data report

The UK’s critical infrastructure is vulnerable to DDoS attacks due to failure to carry out basic security defence work – 39 percent of respondents to a recent survey had not completed the government’s ’10 Steps to Cyber Security’ programme, which was first issued in 2012. New data was obtained by Corero Network Security under the Freedom of Information Act surveying 338 critical infrastructure organisations in the UK, including fire and rescue services, police forces, ambulance trusts, NHS trusts, energy suppliers and transport organisations; it also showed that 42 percent of NHS Trusts had not completed the programme. More than half (51 percent) of these critical infrastructure organisations were described by Corero as ignoring the risk of short, stealth DDoS attacks on their networks – which typically account for around 90 percent of DDoS attacks and are used by attackers to plant malware or ransomware, or engage in data theft. Corero reports that these stealth attacks are typically less than 30 minutes in duration, and 98 percent of those stopped by the company were less than 10Gbps in volume, hence they often go unnoticed by security staff, but are frequently used by attackers in their efforts to target, map and infiltrate a network. In a statement issued today, Sean Newman, director of product panagement at Corero, comments: “Cyber-attacks against national infrastructure have the potential to inflict significant, real-life disruption and prevent access to critical services that are vital to the functioning of our economy and society. These findings suggest that many such organisations are not as cyber resilient as they should be, in the face of growing and sophisticated cyber threats.” Newman adds, “ By not detecting and investigating these short, surgical, DDoS attacks on their networks, infrastructure organisations could also be leaving their doors wide-open for malware or ransomware attacks, data theft or more serious cyber attacks.” It was also pointed out that in the event of a breach, these organisations could be liable for fines of up to £17 million, or four percent of global turnover, under the UK government’s proposals to implement the EU’s Network and Information Systems (NIS) directive, from May 2018. In an email to SC, David Emm, principal security researcher, Kaspersky Lab observed, “The world isn’t ready for cyber -threats against critical infrastructure – but criminals are clearly ready and able to launch attacks on these facilities. We’ve seen attempts on power grids, oil refineries, steel plants, financial infrastructure, seaports and hospitals – and these are cases where organisations have spotted attacks and acknowledged them. However, many more companies do neither, and the lack of reporting these incidents hampers risk assessment and response to the threat.” Edgard Capdevielle, CEO of Nozomi Networks, also emailed SC to comment: “This report emphasises the impact of DDoS attacks and how they are often used as a cover to distract security teams while infecting systems with malware or stealing data. Such initiatives are often the first step in “low and slow” attacks that provide the perpetrators with the information and access they need to carry out system disruptions. Examples of this are the Ukraine power outages of 2015 and 2016, both of which involved cyber-attacks which persisted for many months before culminating in shutdowns. “In light of this information, CNI organisations should give a high priority to re-assessing their cyber-security programmes, evaluate where they are in relation to government recommendations, and inform themselves about current technologies available for protection….The right approach is to both shore up defenses and be able to quickly respond when attacks do occur.” Previously, when talking about the new UK legislation targetting CNI, Eldon Sprickerhoff, founder and chief security strategist at eSentire commented in an email to SC, “Although cyber-security regulations will require significant effort for the companies that are affected, this new legislation by the UK government demonstrates that they understand the severity of cyber-threats in today’s digital world and the destruction they can cause, if undeterred. Even if you’re not a CNI, cyber-threats should concern you. With cyber-criminals constantly adjusting their tactics, it is imperative that companies never stop defending themselves by constantly improving and expanding their cyber-security practices. Managed detection and response and incident response planning are common ways companies can stay ahead of their attackers.” Sprickerhoff recommended the same measures be taken by CNI organisations to improve cyber-security as for other enterprises, namely: Encryption – store sensitive data that is only readable with a digital key Integrity checks – regularly check for any changes to system files Network monitoring – use tools to help you detect for suspicious behaviour Penetration testing – conduct controlled cyber-attacks on systems to test their defences and identify vulnerabilities Education – train your employees in cyber-security awareness and tightly manage access to any confidential information Source: https://www.scmagazineuk.com/critical-infrastructure-not-ready-for-ddos-attacks-foi-data-report/article/684838/

Visit link:
Critical infrastructure not ready for DDoS attacks: FOI data report

Hackers Use Thousands Of Infected Android Devices In DDoS Attacks

Hundreds of thousands of home routers, IP cameras and other internet-of-things devices have been infected with malware over the past year and have been used to launch some of the largest distributed denial-of-service (DDoS) attacks ever recorded. Attackers are now doing the same with Android devices, with the help of malicious applications hosted on Google Play and other third-party app stores. A joint investigation by the security teams from Akamai, Cloudflare, Flashpoint, Google, RiskIQ and Team Cymru has led to the discovery of a large botnet made up of over 100,000 Android devices located in more than 100 countries. The investigation was launched in response to large DDoS attacks that have hit several content providers and content delivery networks over the past few weeks. The goal behind DDoS attacks is to flood servers with bogus traffic in order to use up their available internet bandwidth or their CPU and RAM resources so they can no longer serve requests from legitimate users. Servers are typically configured to handle a certain number of concurrent connections based on the estimated number of visitors that they’re expected to receive. Load balancers, firewalls and other anti-DDoS technologies are used to limit the negative impact of any sudden traffic spikes, but with enough firepower, attackers can disrupt even the most well-protected networks. This particular Android botnet, which has been dubbed WireX, was used to send tens of thousands of HTTP requests that were meant to resemble those coming from legitimate browsers. The researchers were able to establish a pattern to the User-Agent string reported by the rogue clients and traced them back to malicious Android applications. Some of the applications were available in third-party app stores that came pre-installed on devices, but around 300 of them were hosted on Google Play. “Many of the identified applications fell into the categories of media/video players, ringtones or tools such as storage managers and app stores with additional hidden features that were not readily apparent to the end users that were infected,” the researchers said in a report. Most of the rogue applications requested device administrator permissions during installation, which allowed them to launch a background service and participate in DDoS attacks even when the applications themselves were not actively used or when the devices were locked. Google has removed the malicious applications from Google Play and started to remotely remove them from affected devices as well. Furthermore, the Play Protect feature which runs locally on Android devices prevents these apps from being reinstalled, the researchers said. Some antivirus products detect the malicious applications as an “Android Clicker” Trojan which might suggest that the botnet’s original purpose was click fraud, a method of earning revenue from fraudulent clicks on advertisements. However, by the time it was discovered, the botnet had clearly been repurposed for DDoS and was receiving attack instructions from command-and-control servers hosted under the same domain name. This is not the first Android-based DDoS botnet ever found, but it is certainly the largest. At the peak of the attacks, the researchers observed malicious traffic coming from over 120,000 unique IP addresses per hour. Last year, security firm Imperva uncovered a similar botnet that was used to launch DDoS attacks from around 27,000 infected Android devices. While Google is making significant efforts to keep malware off Google Play and constantly scans the apps hosted on its platform, this is not the first time when malicious applications have made it past its defenses. Just last week, the company removed applications that were using an advertising toolkit with spying capabilities and in May the company removed around 40 apps that included click fraud functionality. Source: https://www.forbes.com/sites/lconstantin/2017/08/28/hackers-use-thousands-of-infected-android-devices-in-ddos-attacks/#67c498825228

See the article here:
Hackers Use Thousands Of Infected Android Devices In DDoS Attacks

3 Ways to Defeat DDoS Attacks

In 2012, a number of DDoS attacks hit Bank of America, JPMorgan Chase, Wells Fargo, U.S. Bank and PNC Bank. These attacks have since spread across most industries from government agencies to local schools and are showing an almost yearly evolution, with the most recent focus being the Internet of Things (IoT). In 2016, compromised cameras, printers, DVRs and other IoT appliances were used in a large attack on Dyn that took down major websites including Amazon, Twitter, Netflix, Etsy and Spotify. Inside Distributed Denial-of-Service Threats Although these large attacks dominate the headlines, they’re not what most enterprises will deal with day to day. The most common attacks are in the range of 20 to 30 Gbps or less, while larger attacks have been reported at 1.2 tbps. Creating DDoS Defense Security technology is becoming more sophisticated, but so are hackers, which means attacks can be much more difficult to mitigate now than in the past. Enterprises must be knowledgeable and prepared with mitigation techniques as the attacks continue to evolve. DDoS mitigation comes in three models: Scrubbing Centers The most common DDoS mitigation option for enterprises is to buy access to a scrubbing center service. During an attack, traffic is redirected to the security provider’s network, where the bad traffic is “scrubbed out” and only good traffic is returned to the customer. This option is good for multi-ISP environments and can be used to counter both volumetric and application-based attacks. For added protection, some providers can actually place a device in your data center, but this is not as cost-effective as the cloud-based option. ISP- Clean Pipes Approach With the rise of DDoS attacks, many ISPs have started their own scrubbing centers internally, and for a premium will monitor and mitigate attacks on their customers’ websites. In this scenario, ISPs operate as a one-stop-shop for bandwidth, hosting and DDoS mitigation. But some ISPs are more experienced at this than others, so customers must be sure to thoroughly test and research the quality of the service offered by their ISPs. Content Delivery Network Approach The distributed nature of content delivery networks (CDNs) means that websites live globally on multiple servers versus one origin server, making them difficult to take down. Large CDNs may have over 100,000 servers distributing or caching web content all over the world. However, CDN-based mitigation is really only a good option for enterprises that require core CDN functionality, as porting content to a CDN can be a time-intensive project. Source: https://www.forbes.com/sites/gartnergroup/2017/08/28/3-ways-to-defeat-ddos-attacks/#dda62aada78f

See the original article here:
3 Ways to Defeat DDoS Attacks

DreamHost, web hosting company, blames powerful DDoS attack for online outages

DreamHost, one of the world’s largest web hosting companies, said a distributed denial-of-service (DDoS) caused significant outages Thursday affecting customers of its web and email services. The Los Angeles-based hosting provider said that “internet vigilantes” conducted an attack against part of its online infrastructure resulting in connectivity issues affecting several aspects of its operations, ranging from its online customer support features to the hosting service used by over 1.5 million websites. The attack targeted DreamHost’s Domain Name Servers (DNS) – digital directories that allow internet users to access specific websites without remembering their lengthy, numeric IP addresses – and was remedied about four hours after first being detected, according to the company. DDoS attacks involve knocking websites offline by overloading their servers with illegitimate traffic and effectively rendering them inaccessible. Low-level attacks are capable of briefly disabling websites lacking DDoS protection, but wide-scale attacks like the one conducted last year against Dyn, an American DNS provider, caused unprecedented outages affecting some of the world’s most popular websites, including Amazon and Netflix. DreamHost customers, including the Cambridge Seventh-day Adventist Church in England and the Tale of Two Wastelands video gaming project, were among those who said their websites were unavailable Thursday due to the powerful DDoS attack. The DDoS attack was confirmed by DreamHost as two of the company’s customers made headlines in their own right over their unrelated efforts to survive scrutiny: DisruptJ20, an anti-Trump protest site, and The Daily Stormer, a white supremacist website that remerged online this week with the help of DreamHost after being all but driven off the internet. A federal judge earlier Thursday ordered DreamHost to provide information sought by federal prosectors investigating the riots that erupted in Washington, D.C. during President Trump’s inauguration Jan. 20. The Daily Stormer, meanwhile, relaunched on a DreamHost website Thursday after previously being banned from the internet’s biggest domain registrars and hosting providers, including GoDaddy, Google and Cloudflare. The Daily Stormer had quietly registered the new domain using an automated signup form and was subsequently booted several hours later, , DreamHot said Thursday evening. “Unfortunately, determined internet vigilantes weren’t willing to wait for us to take that action,” DreamHost said in a statement to Ars Technica. “They instead launched a DDoS attack against all of DreamHost this morning. We were ultimately able to declaw that attack, but the end result was that most of our customers experienced intermittent connectivity issues to their sites today.” Source: http://www.washingtontimes.com/news/2017/aug/24/dreamhost-web-hosting-company-blames-powerful-ddos/

View the original here:
DreamHost, web hosting company, blames powerful DDoS attack for online outages

90% of Companies Get Attacked with Three-Year-Old Vulnerabilities

A Fortinet report released this week highlights the importance of keeping secure systems up to date, or at least a few cycles off the main release, albeit this is not recommended, but better than leaving systems unpatched for years. According to the Fortinet Q2 2017 Global Threat Landscape, 90% of organizations the company protects have experienced cyber-attacks during which intruders tried to exploit vulnerabilities that were three years or older. In addition, 60% of organizations were attacked with exploits ten years or older. Organizations that did a relatively good job at keeping systems patched would have been able to block the attacks. Nonetheless, it is always recommended that companies keep systems up to date at all times. This has been shown in the past year. First last year with a Joomla flaw that saw exploit attempts days after being disclosed, then again at the start of January when attackers started scanning for a recently disclosed WordPress flaw hours after the official announcement. The focus on older exploits is simple to explain. Not all hackers are on the same skill level of nation-state cyber-espionage units, and most rely on open-sourced exploits. The older the vulnerability, the better the chances of finding a working exploit on one of the many exploit-sharing sites currently available online. Weekend warriors Furthermore, the Fortinet includes an interesting chart that shows attackers launching attacks mostly over the weekend. There are a few simple explanations for these. First, there are no SIRT (Security Incident Response Team) responders at most businesses over the weekend. Second, most hackers have jobs as well, and the weekend is when most are free for “side activities.” Number of DDoS attacks grew after Mirai source code release Also this week, Akamai released the State of the Internet/Security Report for Q2 2017. The report contains statistics on a wide variety of web attacks that took place via the company’s infrastructure in April, May, and June. The report’s main finding is the rise in the number of DDoS attacks during the first half of 2017 after DDoS attacks went down during the second half of 2016. According to Akamai, the release of the Mirai DDoS malware source code in September 2016 helped breathe new life into a declining DDoS booter market. Since then, a large number of different botnets built on the Mirai source code have been spotted, many of which were offered as DDoS-for-hire services. In a separate research presented at the USENIX security conference last week, researchers from Cisco, Akamai, Google, and three US universities revealed that despite having a reputation of being able to take down some of the largest online companies around, most Mirai botnets were mainly used to target online gaming servers. Besides Mirai, another very active strain of DDoS-capable malware was the PBos trojan, also targeting Linux-based devices. Some of these attacks even reached the massive size of 75 Gbps. Source: https://www.bleepingcomputer.com/news/security/90-percent-of-companies-get-attacked-with-three-year-old-vulnerabilities/

See the original article here:
90% of Companies Get Attacked with Three-Year-Old Vulnerabilities

DDoS attacks down in second quarter

Attacks designed to overwhelm servers with internet traffic — known as distributed denial of service (DDoS) attacks — were less frequent this spring than last, according to Akamai’s second quarter report. Akamai is a major seller of services to fight DDoS attacks. According to the company’s report, attacks declined by 18 percent between the beginning of April and end of June from the same period last year. DDoS attacks use hacked computers and internet-connected devices to send abnormal levels of traffic to a target, forcing it to slow or crash. A DDoS attack knocked out a critical internet switchboard known as Dyn, a domain name system provider, in October that rendered Twitter, Netflix and The New York Times unreachable. In May, the FCC reported a DDoS attack slammed its commenting system, though critics have questioned whether this was an attack or just a flood of commenters weighing in on the contentious issue of net neutrality. The report notes that while attacks are down year over year, attacks jumped 28 percent from the first quarter. But, it cautions quarterly data may not be the best measure of trends. It explains many attacks are tied to yearly events: “For most organizations, security events aren’t seasonal, they happen year round, without the ability to anticipate attacks. Unless you’re the security team for a merchant, in which case you need to plan for Black Friday and Cyber Monday, since they are likely to be the high water marks for attack traffic for the year.” While attacks rose from the beginning of the year, attack severity declined. “[F]or the first time in many years” Akamai observed no attacks exceeding 100 gigabits per second. The report speculates one potential cause of lower severity attacks might be international success taking the networks of hijacked computers, known as botnets, offline. Gaming companies were the victim in around 80 percent of attacks observed by Akamai in the second quarter, with one customer seeing more than 550 attacks. At the USENIX conference this year, Akamai researchers, teaming with other industry players and academics, presented research that the Dyn attack was actually intended as an attack on one of Dyn’s clients — the gaming platform PlayStation. According to that presentation, Dyn crashed as it handled requests headed to PlayStation. Source: http://thehill.com/policy/cybersecurity/347496-ddos-attacks-down-in-second-quarter

View the original here:
DDoS attacks down in second quarter