Tag Archives: ddos

Building the IoT monster

When Mary Shelley wrote Frankenstein, she imagined the misguided doctor assembling his creature from dead body parts and, instead of elevating science, creating something dark and terrible. A modern-day Mary might well imagine the monster being assembled not from arms and legs but from nanny-cams, door locks, and DVRs. It would be hard to miss the events of the past few weeks. In September, security reporter Brian Krebs was hit by a massive DDoS attack. …


How our household devices get hacked and join zombie bot networks in DDoS attacks

The Internet of Things: blessing or curse? That depends on how much you value your privacy against the ability of your fridge to order fresh milk. Either way, we are now more vulnerable to hackers. Here’s how.

I won’t even attempt to answer the question in my opening gambit. Who can say for sure this early whether the Internet of Things is a blessing or a curse (aside from the fact that clichés are always a curse). For one, this is something we all have to decide for ourselves – hopefully, after diligent public debate. We all have to decide what privacy is in the digital era, and whether it’s important to us. We may support more stringent data protection laws, even a global bill of rights. Or we may find ourselves in the “post-privacy” camp and not really care. It also depends on how highly we value our digital security.

Unbeknownst to us

Take the DDoS (distributed denial-of-service) attack that brought down a litany of popular websites last Friday (21.10.2016). The affected websites included Etsy, Github, HBO Now, PayPal, Pinterest, Playstation Network, Recode, Reddit, Spotify, Twitter, Netflix, Yammer, and Yelp. Your fridge, your mom’s webcam, computers at the local school, and a kid’s doll may have all taken part – without your even knowing it.

Someone, somewhere launched a piece of malware called Mirai. We’ve known about Mirai – so something was in the wind. And DDoS attacks themselves have been around for ages. Mirai searched for poorly-protected, networked devices. That is, household devices that had little or no password protection. Reports suggest these included DVRs and webcams made by a Chinese company called Hangzhou XiongMai, which has since issued a recall on its webcams in the US. Mirai turned the connected devices into its slaves. They then launched the DDoS attack on servers run by Dyn, a so-called DNS host, and home to all those websites. Usually, when you call up a website, your “request” goes via one of these servers.
But when the servers are overloaded with bad requests consisting of incomplete data, or they are bombarded with more requests than they can handle, they basically freak out. And no one is served. That’s what happened on Friday. Your fridge, webcam, toy truck and thousands more emitted a coordinated attack of useless information, bringing down some of the world’s most popular websites.

The rest is history…

Friday’s Mirai attack may well be history now, but it’s one which will surely repeat itself. Many, many times. The question is, where will it all end? If it’s only Netflix and Spotify you can’t access, you may really not care. Certainly if they are back up and running within a few hours. But what if it’s a vital government website, online access to your local hospital, the police, or the energy grid… and what if the attack lasts for days, weeks even?

This is what we mean when we talk about cybersecurity. Private, commercial concerns, even dating apps, shouldn’t come into it. And yet what we do – and allow – at a private level can have a monumental impact on society. We may think it’s just the fridge ordering our milk or Barbie chatting to our kids. But we forget that every electronic device these days – especially those connected to the network – is vulnerable to hackers. And the Mirai attack has reminded us they can all be reprogrammed to do whatever the hackers want.

Source: http://www.dw.com/en/how-our-household-devices-get-hacked-and-join-zombie-bot-networks-in-ddos-attacks/a-36181744


Ontario literacy test abandoned due to DDoS attack

There’s no shortage of conspiracy theories when it comes to guessing who’s behind cyber attacks. So when it was announced that a distributed denial of service (DDoS) attack was behind last week’s crash of an Ontario online literacy test for about 190,000 high school students the list was long.

– One of the thousands of computer-literate students who want to Get Back At the Education System? (No shortage of them…)
– One of the tens of thousands of Ontario high school graduates who want to Get Back At the Education System (Some of whom are reading this right now …)
– General mischief makers around the world (Really no shortage of them)
– The usual suspects blamed for everything bad (Russia, China).

OK, probably not Russia and China. But with DDoS-as-a-service available on the dark web (all you need is Tor and a credit card) and — here’s the tricky part — the right URL — it’s not hard to launch an attack anywhere on the planet. Who had that URL and how they got hold of it is the question. It may not have been that hard because last week’s test was preceded by earlier, smaller ones.

What we do know for sure is that on Monday the provincial Education Quality and Accountability Office (EQAO) said the Oct. 20 province-wide trial of the online Ontario Secondary School Literacy Test (OSSLT) had to be terminated because of what it called an “intentional, malicious and sustained” DDoS attack. “An extremely large volume of traffic from a vast set of IP addresses around the globe was targeted at the network hosting the assessment application,” the office said in a statement. No personal or private student information was compromised, it added.

According to a statement Thursday from the EQAO, a third party hosted the application. “We planned for a variety of cyber incidents,” the statement said, “but we are unable to disclose the specifics of this information because of the need to protect our infrastructure’s security.
What we can say, however, is that we did not anticipate a DDOS of this magnitude.” A forensics firm is investigating.

“We were shocked to learn that someone would deliberately interfere with the administration of the online OSSLT,” Richard Jones, the office’s director of assessment, said in a statement. “There will be discussions over the next few weeks to determine how to strengthen the system, and we will continue to work with Ontario’s education community to understand how best to use online assessments to benefit our province’s students.” —Richard Jones, Director, Assessment

Last week’s exercise was a voluntary trial to test the system’s readiness before the regularly scheduled administration of the OSSLT — either online or on paper — in March 2017. The office is determined to keep to that schedule.

Source: http://www.itworldcanada.com/article/ontario-literacy-test-abandoned-due-to-ddos-attack/387852


Researchers expose Mirai vuln that could be used to hack back against botnet

Exploit can halt attacks from IoT devices

Security researchers have discovered flaws in the Mirai botnet that might be used to mitigate against future attacks from the zombie network.…


Historic DDoS attack likely waged by ‘non-state actor’: Intel director

The nation’s top intelligence official on Tuesday said state-sponsored hackers likely weren’t behind the distributed denial-of-service (DDoS) attacks that disrupted internet access across the United States last week.

Weighing in on the outages during an event at the Council on Foreign Relations in Washington, D.C., National Intelligence Director James Clapper said investigators believe a “non-state actor” was likely responsible for the DDoS attacks that made it difficult to access some of the world’s most popular websites Friday.

“That appears to be preliminarily the case,” Mr. Clapper said, The Hill reported. “But I wouldn’t want to be conclusively definitive about that, specifically whether a nation state may have been behind that or not.”

“The investigation’s still going on,” he added. “There’s a lot of data going on here.”

Beyond the Beltway, private sector security researchers like those employed by Flashpoint, a business risk intelligence firm that’s analyzed the attacks, hold a similar opinion. “Despite public speculation, Flashpoint assesses with a moderate degree of confidence that the perpetrators behind this attack are most likely not politically motivated, and most likely not nation-state actors,” its researchers wrote Tuesday.

In fact, Flashpoint said its investigation revealed that the same infrastructure used to disrupt access to websites like Twitter and Netflix was also used to attack a well-known video game company — an indication that the culprits of the crippling DDoS weren’t necessarily waging assault on behalf of a foreign power.

“While there does not appear to have been any disruption of service, the targeting of a video game company is less indicative of hacktivists, state-actors or social justice communities, and aligns more with the hackers that frequent online hacking forums,” Flashpoint’s researchers wrote.
“These hackers exist in their own tier, sometimes called ‘script kiddies,’ and are separate and distinct from hacktivists, organized crime, state-actors, and terrorist groups. They can be motivated by financial gain, but just as often will execute attacks such as these to show off, or to cause disruption and chaos for sport.”

“I think they are right,” agreed Mikko Hypponen, chief research officer for security firm F-Secure. “I don’t believe the Friday attackers were financially or politically motivated. It was such an untargeted attack, it’s hard to find a good motive for it. So: kids,” he told TechCrunch.

As authorities attempt to identify the culprits responsible for waging last week’s DDoS attacks, investigators have at least found out how the hackers were able to disrupt internet access in North America and Europe. Researchers say the outage occurred after hackers compromised millions of internet-connected household devices like video recorders and digital cameras, then used those products to overload a widely used Domain Name System (DNS) — an online directory that enables web users to navigate from site to site.

The director of the Department of Homeland Security said Monday that DHS has “been working to develop a set of strategic principles for securing the Internet of Things, which we plan to release in the coming weeks.”

Source: http://www.washingtontimes.com/news/2016/oct/26/historic-ddos-attack-likely-waged-by-non-state-act/


How to defend against the internet’s doomsday of DDoS attacks

Last week’s assault on Dyn’s global managed DNS services was only the start. Here’s how to fend off hackers’ attacks both on your servers and the internet.

We knew major destructive attacks on the internet were coming. Last week the first of them hit Dyn, a major Domain Name System (DNS) service provider, with a global Distributed Denial of Service (DDoS) attack. As Dyn went down, popular websites such as AirBnB, GitHub, Reddit, Spotify, and Twitter followed it down. Welcome to the end of the internet as we’ve known it.

Up until now we’ve assumed that the internet was as reliable as our electrical power. Those days are done. Today, we can expect massive swaths of the internet to be brought down by new DDoS attacks at any time.

We still don’t know who was behind these attacks. Some have suggested, since Dyn is an American company and most of the mauled sites were based in the US, that Russia or Iran was behind the attack. It doesn’t take a nation, though, to wreck the internet. All it takes is the hundreds of millions of unsecured shoddy devices of the Internet of Things (IoT).

In the Dyn onslaught, Kyle York, Dyn’s chief strategy officer, said the DDoS attack used “tens of millions” of devices. Hangzhou Xiongmai Technology, a Chinese technology company, has admitted that its webcam and digital video recorder (DVR) products were used in the assault. Xiongmai is telling its customers to update their device firmware and change usernames and passwords. Good luck with that. Quick: Do you know how to update your DVR’s firmware?

The attack itself appears to have been made with the Mirai botnet. This open-source botnet scans for devices using their default username and password credentials. Anyone can use it — China, you, the kid next door — to generate DDoS attacks. For truly damaging DDoS barrages, you need to know something about the internet’s architecture, but that’s not difficult.
Or, as Jeff Jarmoc, a Salesforce security engineer, tweeted, “In a relatively short time we’ve taken a system built to resist destruction by nuclear weapons and made it vulnerable to toasters.” That’s funny, but it’s no joke. Fortunately, you can do some things about it.

Securing the Internet of Things

First, and this unfortunately is a long-term solution, IoT vendors must make it easy to update and secure their devices. Since you can’t expect users to patch their systems — look at how well they do with Windows — patching must be made mandatory and done automatically. One easy way to do this is to use an operating system, such as Ubuntu with Snap, to update devices quickly and cleanly. These “atomic” style updating systems make patches both easier to write and deploy.

Another method is to lock down IoT applications and operating systems. Just like any server, the device should have the absolute minimum of network services. Your smart TV may need to use DNS, but your smart baby monitor? Not so much.

That’s all fine and dandy and it needs to be done, but it’s not going to help you anytime soon. And, we can expect more attacks at any moment.

Defending your intranet and websites

First, you should protect your own sites by practicing DDoS prevention 101. For example, make sure your routers drop junk packets. You should also block unnecessary external protocols such as Internet Control Message Protocol (ICMP) at your network’s edge. And, as always, set up good firewalls and server rules. In short, block everything you can at your network edge.

Better still, have your upstream ISP block unnecessary and undesired traffic. For example, your ISP can make your life easier simply by upstream blackholing. And if you know your company will never need to receive UDP traffic, like Network Time Protocol (NTP) or DNS, your ISP should just toss garbage traffic into the bit bin.

You should also look to DDoS mitigation companies to protect your web presence.
Companies such as Akamai, CloudFlare, and Incapsula offer affordable DDoS mitigation plans for businesses of all sizes. As DDoS attacks grow to heretofore unseen sizes, even the DDoS prevention companies are being overwhelmed. Akamai, for example, had to stop trying to protect the Krebs on Security blog after it was smacked by a DDoS blast that reached 620 Gbps in size.

That’s fine for protecting your home turf, but what about when your DNS provider gets nailed? You can mitigate these attacks by using multiple DNS providers. One way to do this is to use Netflix’s open-source program Denominator to support managed, mirrored DNS records. This currently works across AWS Route53, RackSpace CloudDNS, DynECT, and UltraDNS, but it’s not hard to add your own or other DNS providers. This way, even when a DDoS knocks out a single DNS provider, you can still keep your sites up and running. Which ones will work best for you? You can find out by using Namebench. This is an easy-to-use, open-source DNS benchmark utility.

Even with spreading out your risk among DNS providers, DNS attacks are only going to become both stronger and more common. DNS providers like Dyn are very difficult to secure. As Carl Herberger, vice president for security solutions at Radware, an Israeli-based internet security company, told Bloomberg, DNS providers are like hospitals: They must admit anyone who shows up at the emergency room. That makes it all too easy to overwhelm them with massive — in the range of 500 gigabits per second — attacks. In short, there is no easy, fast fix here.

One way you can try to keep these attacks from being quite so damaging is to increase the Time to Live (TTL) in your own DNS servers and caches. Typically, today’s local DNS servers have a TTL of 600 seconds, or 5 minutes. If you increased the TTL to say 21,600 seconds, or six hours, your local systems might dodge the DNS attack until it was over.
Protecting the internet

While these techniques might help you, they don’t do that much to protect the internet at large. DNS is the internet’s single point of total failure. That’s bad enough, but as F5, a top-tier ISP, notes, DNS is historically under-provisioned. We must set up a stronger DNS system.

ISPs and router and switch vendors should also get off their duffs and finally implement Network Ingress Filtering, better known as Best Current Practice (BCP)-38. BCP-38 works by filtering out bogus internet addresses at the edge of the internet. Thus, when your compromised webcam starts trying to spam the net, BCP-38 blocks these packets at your router or at your ISP’s router or switch.

It’s possible, but unfortunately not likely, that your ISP has already implemented BCP-38. You can find out by running Spoofer. This is a new, open-source program that checks to see how your ISP handles spoofed packets. So why wasn’t it implemented years ago? Andrew McConachie, an ICANN technical and policy specialist, explained in an article that ISPs are too cheap to pay the small costs required to implement BCP-38. BCP-38 isn’t a cure-all, but it sure would help.

Another fundamental fix that could be made is response rate limiting (RRL). This is a new DNS enhancement that can shrink attacks by 60 percent. RRL works by recognizing that when hundreds of packets per second arrive with very similar source addresses asking for similar or identical information, chances are they’re an attack. When RRL spots malicious traffic, it slows down the rate the DNS replies to the bogus requests. Simple and effective.

Those are some basic ideas on how to fix the internet. It’s now up to you to use them. Don’t delay. Bigger attacks are on their way and there’s no time to waste.

Source: http://www.zdnet.com/article/how-to-defend-against-the-internets-doomsday-of-ddos-attacks/
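
The response rate limiting idea described in the article above, as an added example that is not from the original article or from any DNS server's code: a token bucket per (source network, query name, query type), where over-limit replies are dropped or sent truncated so a genuine client can retry over TCP (modelled on the "slip" setting found in RRL implementations such as BIND's). The rate, burst, prefix lengths, slip value and the sample traffic are constructed assumptions.

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass


@dataclass
class Bucket:
    tokens: int        # credit in thousandths of a response (integers avoid float drift)
    last_ms: int       # time of the previous query seen for this key
    limited: int = 0   # responses withheld so far; drives the "slip" decision


class ResponseRateLimiter:
    """Per-key token bucket. Every default here is an assumed, illustrative value."""

    def __init__(self, per_second=5, burst=5, v4_prefix=24, v6_prefix=56, slip=2):
        self.per_second = per_second      # sustained identical responses per second
        self.capacity = burst * 1000      # bucket size in milli-tokens
        self.v4_prefix, self.v6_prefix = v4_prefix, v6_prefix
        self.slip = slip                  # every Nth limited reply goes out truncated
        self.buckets = {}

    def network_of(self, src_ip):
        # "Very similar source addresses" are grouped by network prefix,
        # so spoofed sources spread across one victim range share a bucket.
        ip = ipaddress.ip_address(src_ip)
        plen = self.v4_prefix if ip.version == 4 else self.v6_prefix
        return str(ipaddress.ip_network(f"{src_ip}/{plen}", strict=False))

    def decide(self, now_ms, src_ip, qname, qtype):
        # "Similar or identical information": same name and type, case-insensitive.
        key = (self.network_of(src_ip), qname.rstrip(".").lower(), qtype.upper())
        b = self.buckets.get(key)
        if b is None:
            b = self.buckets[key] = Bucket(self.capacity, now_ms)
        else:
            elapsed = max(0, now_ms - b.last_ms)
            # per_second tokens/s equals per_second milli-tokens per millisecond
            b.tokens = min(self.capacity, b.tokens + elapsed * self.per_second)
            b.last_ms = max(b.last_ms, now_ms)
        if b.tokens >= 1000:
            b.tokens -= 1000
            return "ANSWER"
        b.limited += 1
        if self.slip and b.limited % self.slip == 0:
            return "TRUNCATE"   # tiny TC=1 reply: real clients retry over TCP
        return "DROP"


def replay(limiter, events):
    """Feed (time_ms, src_ip, qname, qtype) events in time order; tally per network."""
    tally = {}
    for t, src, qname, qtype in sorted(events):
        action = limiter.decide(t, src, qname, qtype)
        tally.setdefault(limiter.network_of(src), Counter())[action] += 1
    return tally


# Constructed sample traffic (documentation address ranges, not real captures):
# 200 identical queries in one second from sources spread across one /24,
# as seen when an attacker spoofs a victim's address range.
FLOOD = [(i * 5, f"198.51.100.{i % 250 + 1}", "example.com.", "ANY") for i in range(200)]
# One ordinary resolver asking once per second.
LEGIT = [(t, "203.0.113.7", "www.example.com.", "A") for t in (0, 1000, 2000)]

if __name__ == "__main__":
    for net, counts in replay(ResponseRateLimiter(), FLOOD + LEGIT).items():
        print(net, dict(counts))
```

Because truncated replies are no larger than the query, the server stops acting as an amplifier toward the spoofed range while the unrelated resolver is answered normally.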


Chinese firm recalls camera products linked to massive DDOS attack

Hangzhou Xiongmai Technology is recalling earlier models of four kinds of cameras due to a security vulnerability

A Chinese electronics component maker is recalling 4.3 million internet-connected camera products from the U.S. market amid claims they may have played a role in Friday’s massive internet disruption. On Monday, Hangzhou Xiongmai Technology said it was recalling earlier models of four kinds of cameras due to a security vulnerability that can make them easy to hack. “The main security problem is that users aren’t changing the device’s default passwords,” Xiongmai said in a Chinese-language statement posted online.

According to security firm Flashpoint, malware known as Mirai has been exploiting the products from Xiongmai to launch massive distributed denial-of-service attacks, including Friday’s, which slowed access to many popular sites, including Netflix, PayPal, and Twitter. Companies observing Friday’s disruption said botnets powered by the Mirai malware were at least partly responsible for the attack.

Xiongmai, a maker of camera modules and DVR boards, has acknowledged that its products have been a target for hackers, but it said it patched the problem with the default passwords back in April 2015. For older products, the company has come up with a firmware update to fix the flaw. To prevent the security risks, the company has still decided to recall earlier models.

However, Xiongmai has also dismissed news reports that its products were largely behind Friday’s DDOS attack as untrue and is threatening legal action against those who damage its reputation. “Security vulnerabilities are a common problem for mankind,” the company said. “All industry leaders will experience them.”

Experts have said the Mirai malware is probably targeting products from several vendors, in addition to Xiongmai. The malicious coding is built to try a list of more than 60 combinations of user names and passwords when infecting devices.
So far, the Mirai malware has gone on to infect at least 500,000 devices, according to internet backbone provider Level 3 Communications. Source: http://www.pcworld.com/article/3133962/chinese-firm-recalls-camera-products-linked-to-massive-ddos-attack.html


Anonymous hacker charged with #opJustina DDoS attacks on hospital

The Anonymous-affiliated hacker who admitted to cyberattacks on two hospitals in the #opJustina operation and fled the country while being investigated was indicted last week.

Martin Gottesfeld, 32, a biotechnology information technology professional from Somerville, Massachusetts, is being charged with conspiracy to launch cyberattacks against two local hospitals: Boston Children’s Hospital (BCH) and the Wayside Youth and Family Support Network, a mental health facility.

Those two hospitals were at the center of a case that attracted masses of media attention: that of Justina Pelletier, the then-15-year-old who was caught in a 16-month custody battle as her parents tried to have her treated for mitochondrial disease at one hospital, while Boston Children’s Hospital treated her in a psychiatric unit as a ward of the state.

Gottesfeld’s indictment, handed down on Wednesday, also charges him with intentional damage to a protected computer. Both are felony hacking charges. Gottesfeld admitted to the attacks last month, explaining how he did it and why in an editorial published by the Huffington Post:

“I had heard many, too many, such horror stories of institutionalized children who were killed or took their own lives in the so-called “troubled teen industry”. I never imagined a renowned hospital would be capable of such brutality and no amount of other good work could justify torturing Justina.”

The distributed denial of service (DDoS) attack against BCH was planned for maximum financial damage, Gottesfeld said: he knew that the hospital was planning a big fundraising drive and that most donors gave online. In his editorial, he went on to scoff at BCH for making it easy for him to attack it, since the hospital kept its donation page on the same public network as the rest of its systems:

“Rookie mistake. To take it down, I’d have to knock the whole hospital off the internet.”
He also claimed that no patients would be harmed:

“There’s no such thing as an outage-proof network, so hospitals have to be able to function without the internet. It’s required by federal law, and for accreditation. The only effects would be financial and on BCH’s reputation.”

That’s not how the hospital, or the prosecution, sees it. The indictment states that BCH had to shut down its access to the internet and email servers to protect patient medical records. That meant that physicians outside the hospital couldn’t get at patients’ records. Nor could patients communicate with their doctors. BCH claims that responding to, and mitigating, the damage of the attack cost $300,000, while the disruption in fundraising meant another $300,000 hit, for a total loss of $600,000.

Gottesfeld claims that the attack against BCH was a justifiable reaction to the actions of the hospital, which was described as a “parentectomy”. Gottesfeld’s defence, to blame the hospital for the attack, is all too commonly heard. The blame-the-victim reasoning is often voiced by other cyberattackers, be it from people who guess at weak passwords and use them to waltz into accounts without authorization, or those who launch crippling attacks such as those that Gottesfeld admits to. But just because it’s easy to do doesn’t make those or other cybercrimes OK. They’re illegal, and they can result in jail time, fines or both. Each of the charges Gottesfeld’s facing carries a maximum sentence of five years in jail, along with fines.

Gottesfeld has been detained in Rhode Island since he and his wife were plucked off their boat near the coast of Cuba and arrested in Florida. When the indictment was handed down last Wednesday, Gottesfeld was reportedly on day 16 of a hunger strike over the appointment of the office of Carmen Ortiz as his prosecutor. Ortiz was the prosecutor in the cases against both Aaron Swartz and Jonathan James, who both later took their own lives.
She has faced sharp criticism over her approach to those cases. In spite of his admission to the DDoS attacks, Gottesfeld is likely to plead not guilty at his arraignment this week before US Magistrate Judge Marianne B. Bowler, his wife told the Washington Times. Source: https://nakedsecurity.sophos.com/2016/10/24/anonymous-hacker-charged-with-opjustina-ddos-attacks-on-hospitals/


How Hackers Make Money from DDoS Attacks

Attacks like Friday’s are often financially motivated.

Yesterday’s attack on the internet domain directory Dyn, which took major sites like Twitter and PayPal offline, was historic in scale. But the motivation for the attack may seem opaque, since no valuable information seems to have been stolen. A group called New World Hackers is claiming credit, but giving conflicting accounts of their motives—and security experts have called them “impostors.” So why else might someone have done it?

This class of hack, known as a distributed denial of service (DDoS) attack, has been around for a while. And while many DDoS attacks are indeed motivated by politics, revenge, or petty trolling, there’s frequently money involved.

For instance, DDoS attacks are often used as leverage for blackmail. Once a hacking group has a reputation for being able to field a large and dangerous botnet to knock servers offline, they can demand huge ‘protection’ payments from businesses afraid of facing their wrath. In fact, they don’t even have to do the hacking in the first place—in one recent case, someone posing as a notorious cabal merely emailed blackmail messages and managed to pocket tens of thousands of dollars before they were exposed.

In the current case, there are rumors that Dyn was a target of extortion attempts before the attack. And the hackers behind what may be the biggest DDoS attack in history could demand a pretty penny to leave other companies alone. A wave of impostors will likely give it a shot, too.

There’s another, even darker money-driven application of DDoS attacks—industrial sabotage. Companies seeking to undermine their competition can hire hackers to take the other guys offline. DDoS services are often contracted through so-called “booter” portals where anyone can hire a hacker’s botnet in increments as small as 15 minutes.
Researchers found last year that three of the most prominent booter services at the time had over 6,000 subscribers in total, and had launched over 600,000 attacks. (And despite the criminal reputation of Bitcoin, by far the largest method used to pay for DDoS-for-hire was PayPal.) But it’s unlikely that this was some sort of hit called in by a competitor of Dyn—that tactic seems to primarily appeal to already-shady dealers, including online gambling operations.

Finally, DDoS attacks can serve as a kind of smokescreen for more directly lucrative crimes. While a security team is struggling to deal with an army of zombie DVRs pummeling their system, attackers can grab passwords, credit card numbers, or identity information.

In weighing possible explanations for Friday’s attack, it’s important to note the massive scale of the thing. Even if their claims of responsibility aren’t credible, New World Hackers’ description of about 1.2 terabits of data per second thrown at Dyn’s servers is both vaguely plausible and utterly mind-boggling. That’s around a thousand times as powerful as the huge 620 gigabit per second attack that knocked out a single website, Krebs on Security, last month. Dyn has also described the attack as sophisticated, arriving in three separate waves that targeted different parts of their systems.

That kind of operation could have been pulled off by a gang of kids doing it for kicks—and maybe that’s the scarier scenario. But such a massive undertaking suggests bigger, and possibly more lucrative, motivations.

Source: http://fortune.com/2016/10/22/ddos-attack-hacker-profit/
