Tag Archives: defend against ddos

DDoS Extortion – Biting the DDoS Bullet

It started with a five minute long DDoS attack which established that the cybercriminals meant business and could cause impact, this small sample attack stopped all business for five minutes. They then sent an email demanding payment of the ransom in bitcoins within 48 hours, otherwise a second and far more damaging DDoS attack would ensue and the ransom amount would be raised. This type of attack: ‘DDoS Extortion’ has become increasingly popular during the past year and the official guidance to companies who find themselves in a DDoS Extortion situation, as recently reiterated by the FBI, is: Do Not Pay the ransom but rather focus efforts at strengthening DDoS mitigation. The ‘target’ in this case was a leading ecommerce corporation and downtime was not an option both in terms of possible transaction loss and equally importantly reputational damage. The company had already invested in multi-layered DDoS mitigation strategy. The five-minute outage caused by the extortionists had senior IT management under pressure and they knew that serious financial loss as well as impact to their reputation was possible. “DDoS mitigation does not boil down to one device that ‘bites the DDoS bullet’” DDoS Testing Testing DDoS mitigation systems is done by generating traffic which simulates real DDoS attacks in a completely monitored and controlled manner. Control is key because DDoS mitigation does not boil down to one device that ‘bites the DDoS bullet’ but is rather a chain of devices that need to be configured much like an orchestra in order to work in complete harmony. Testing this way allows a company to verify that each element of their DDoS mitigation systems is working as expected and that together they are configured for optimal protection. DDoS testing typically impacts the tested environment and therefore is conducted during maintenance windows to ensure minimal disruption to ongoing operations. This means the company’s key team members are usually all on site and because maintenance windows usually last 3-5 hours – time is of the essence. For this reason effective DDoS testing allows for: i. Quickly switching from one type of test to another once you have evaluated how the environment responds to a test (there are numerous types of tests ranging from Layer 3, Layer 4 to Layer7), and ii. Ramping up test bandwidth to simulate a realistic load level We received a call on Saturday afternoon describing the ransom scenario and possibilities of a large attack and our SOC team was at the customer’s premises the following morning. “It’s all about knowing which attacks to simulate and getting as many of them done, in as little time as possible. You know that clock is ticking..” Our ‘Emergency BaseLine DDoS Testing’ as we have come to call it, is comprised of the following three stages: 1. Reconnaissance – Working with the company to understand as much as possible about relevant subnets and foot-printing the environment with port scanning and DNS enumeration. 2. Testing – Simulating a variety of tests to identify points of failure 3. Troubleshooting & Hardening – Resolving immediate critical issues and troubleshooting the necessary network points to have a DDoS mitigation defense ready for the threatened attack. Source: http://blog.mazebolt.com/?p=590

Read this article:
DDoS Extortion – Biting the DDoS Bullet

Carphone Warehouse hackers used DDoS attack as smokescreen

Hackers bombarded Carphone Warehouse with online traffic as a smokescreen while they stole the personal and banking details of 2.4 million people, according to sources with knowledge of the incident. The retailer revealed at the weekend that its security had been breached in a “sophisticated” attack. It is now thought that criminals used a cyber attack technique known as Distributed Denial of Service (DDoS) as a cover to help them infiltrate the retailer’s systems and perpetrate one of Britain’s biggest ever data thefts. To mount a DDoS attack, a global network of hijacked computers, known as a botnet, is used to bombard the target computers with traffic, overloading them and potentially forcing them offline. The ensuing technical problems can serve as a distraction for security staff, allowing hackers to exploit software vulnerabilities or stolen administrator credentials to break into systems and extract data undetected. A source with knowledge of the attack on Carphone said its online retail systems had come under bombardment before the major data theft was noticed on Wednesday last week. The millions affected are customers of OneStopPhoneShop.com , e2save.com and Mobiles.co.uk , as well as Carphone and its own mobile operator, iD Mobile. The systems broken into also held data for Talk Mobile and TalkTalk Mobile, the retailer said. Victims were advised to ask their bank to be on the lookout for suspicious activity, although on Monday there were no verified reports of fraud using the stolen data, sources said. Hackers who steal personal data often sell it in bulk on digital black markets to other criminals who seek to use it to commit fraud. According to internet security experts, criminals are increasingly using DDoS attacks to disguise their intrusions. In the most famous case, in 2011, Sony’s PlayStation Network, an online gaming service, was shut down for weeks after the personal and financial details of 77 million customers were stolen. The chief of the PlayStation division told the US Congress that a simultaneous bombardment of traffic against the network “may have made it more difficult to detect this intrusion quickly”. Subsequent examples of DDoS smokescreens include a 2012 attack on a bank during which card date was stolen and $9m drained from accounts via cash machines around the world. A warning that online bombardment can be a “diversionary tactic” for fraudsters is now part of official cyber security advice to US banks. Carphone Warehouse, which is contacting customers affected and co-operating with police and the Information Commissioner’s Office, declined to comment. Source: http://www.telegraph.co.uk/finance/newsbysector/epic/cpw/11794521/Carphone-Warehouse-hackers-used-traffic-bombardment-smokescreen.html

See the original post:
Carphone Warehouse hackers used DDoS attack as smokescreen

Hackers are blackmailing banks with threats of DDoS attacks

Hackers are threatening banks and other financial institutions with Distributed Denial of Service (DDoS) attacks if they don’t pay them tens of thousands of dollars, according to various reports More than 100 companies were threatened, according to MarketWatch, which cited a Federal Bureau of Investigation (FBI) agent. Among the companies being targeted were big banks and brokerages in the financial sector. A DDoS attack is when a hacker floods a website with traffic, forcing it offline. It is usually done with the help of multiple compromised systems, which are often infected with a Trojan. Richard Jacobs, assistant special agency in charge of the cyber branch at the FBI’s New York office, told MarketWatch these threats have been coming in since April. He added that in some cases, the companies have paid up. These companies end up facing further trouble as hackers know that they are willing to engage. “There are some groups who typically will go away if you don’t pay them, but there’s no guarantee that’s going to happen,” Jacobs says. He says not all targets have experienced actual attacks. Companies are willing to pay large sums of money, as DDoS attacks could see them lose even more. A DDoS attack could see a company lose more than $100,000 an hour, according to Neustar, a Sterling, Va.-based information services and analytics company. Jacobs says the FBI does not advise or direct firms as to whether or not to pay the attackers or let their websites go down. “How important is that access to that website to your business? They have to make their own calls,” Jacobs says. “If you’re a discount broker and that’s the only way your customers can trade, that would be a concern. If it’s just a website that’s used for general news and information, maybe it’s not so difficult to have it down for an hour or two.” Yaroslav Rosomakho, Principal Consulting Engineer EMEA at Arbor Networks commented: “The fact hackers are planning on taking down websites with DDoS attacks unless organisations pay large sums of money is testament that hackers are becoming increasingly ruthless. Hackers’ activities against internet services of financial institutions are on the rise, since these services are an absolutely critical part of daily business. “Hackers realise that DDoS can be as disruptive as other more traditional attack methods and, unfortunately, still many organisations do not pay enough care to availability protection of their services and infrastructure. “Our research shows that DDoS attacks are continuing to grow in size, complexity and frequency with nearly half of businesses experiencing DDoS attacks last year. As attack size increases, so does the complexity of the hacker’s toolkit. “To ensure protection from these threats, organisations must have multi-layered DDoS protection in place, using both cloud and network-perimeter components to protect from stealthy application layer, state exhaustion and large volumetric attacks.” Source: http://www.itproportal.com/2015/07/31/hackers-threaten-banks-with-ddos-ask-for-ransom/

Read the original:
Hackers are blackmailing banks with threats of DDoS attacks

DDoS attacks rage on, primarily impacting U.S. and Chinese entities

Organizations in the U.S. and China should be especially aware of distributed denial-of-service (DDoS) attacks, as more than half of them in Q2 of this year were aimed at the two countries. Kaspersky Lab’s “DDoS Intelligence Report Q2 2015” found that from April until the end of June this year, DDoS attacks impacted 79 countries, with most, 77 percent, affecting only 10 countries. In addition to China and the U.S., South Korea, Canada, Russia and France accounted for a large portion of attacks. The cybersecurity company defined a single attack as an incident during which there was “no break in botnet activity lasting longer than 24 hours.” If the same entity was attacked by the same botnet but with a 24 hour gap in activity, the two incidents would be considered separat e. The longest attack recorded during this past quarter lasted 205 hours, or eight and a half days. The peak number of attacks clocked in at 1,960 on May 7, and the low, at 73 attacks, occurred on June 25. The popularity of these attacks stems from the ease with which they can be arranged, said Andrey Pozhogin, senior product marketing manager at Kaspersky Lab North America, in emailed comments to SCMagazine.com. “Today, it is much easier to launch a DDoS attack,” he wrote. “Suddenly, you don’t have to be an expert in the field – all the power and potential damage is available to you with a few clicks. It’s also relatively cheap to commission a DDoS attack.” He noted that some online services charge as little as $50 for an attack that can cause serious damage to a company’s reputation, as well as financial losses. An average DDoS attack can range in cost to a company, depending on its size, anywhere from $52,000 to $444,000, Pozhogin said. As far as days of the week to be attacked, Sunday was the most popular day, accounting for 16.6 percent of them, and Tuesday was the least popular with 12.1 percent. Even as companies attempt to beef up their protection, it’s nearly impossible to stay ahead of the attackers and their tools. “As long as a company continues to focus on its core business it will not be able to match the resources poured into bypassing outdated protection and staying ahead of the attackers,” Pozhogin said. That said, cybersecurity firms’ technology can assist in keeping attackers at bay and enterprises’ sites running, he reminded. Source: http://www.scmagazine.com/kaspersky-lab-releases-q2-ddos-report/article/431034/

View article:
DDoS attacks rage on, primarily impacting U.S. and Chinese entities

DDoS Attack Temporarily Shuts Down International ‘DOTA 2? Tournament

The International DOTA 2 tournament is underway, but a reported DDoS attack forced Valve to suspend the matches for several hours. The tournament has had several Internet-related problems since it began, but commentators confirmed that a DDoS attack was indeed to blame for today’s outage. It’s a funny thing that even an official Valve tournament, with all the top players in the world on the same stage, still needs to deal with all the same outage problems that average gamers have to deal with all the time. There is no LAN mode for DOTA 2. We’ve contacted Valve for comment and will respond with any update. The matches are up and running again. A DDoS is a rudimentary form of hack where people overwhelm a given server with a gigantic number of false requests, rendering it unable to respond. DDoS attacks and other Internet tomfoolery are a an unfortunate side effect of video games in general: virtual vandals have a habit of knocking down everything from smaller PC games to PSN and Xbox Live. Video games have an outsize presence amongst the young and internet-savvy, making them an ideal, if monumentally annoying, target for coordinated groups and lone actors alike. The international DOTA 2 tournament carries with it a record $18 million prize purse, raised through crowd-funding and in game purchases. It’s a landmark purse for eSports, carrying with it the sort of legitimacy that only outsize rewards for obsessive skill can provide. You can watch the proceedings below on the live Youtube stream, though Valve also provides a newcomers stream with explanation and commentary for people who don’t know the ins and outs of the game. It’s complicated, no doubt, but then again, so is football. Source: http://www.forbes.com/sites/davidthier/2015/08/04/ddos-attack-temporarily-shuts-down-international-dota-2-tournament/

Curriculum Protests: DDoS attacks launched on official, pan-blue Web sites

In what it said was support for the ongoing curriculum protests, hacker group Anonymous Asia yesterday launched a third wave of distributed denial of service (DDoS) attacks against the Web sites of two political parties and a government ministry. The Web sites of the New Party, Chinese Nationalist Party (KMT), the KMT Taipei branch office and the Ministry of Economic Affairs were attacked for more than an hour. According to reports by Storm Media Group, Anonymous launched its first wave of DDoS attacks under the name “Anonymous #Op Taiwan” on Friday last week by locking down the Presidential Office and Ministry of Education Web sites for five hours. A notice released by the group said: “We are everywhere and nowhere. Taiwan’s police are not exempt [from our attacks], and all police must take responsibility for this incident. We cannot permit the use of violence or pepper spray on peacefully demonstrating people. When you hurt the Taiwanese people, revenge will be sought. We cannot forget, support us and the corrupt officials will be afraid of us. Taiwan’s government, expect us.” On Sunday, the group launched a second wave of DDoS attacks against the Ministry of Education, the Ministry of National Defense, the National Academy of Educational Research and CtiTV, a television station generally sympathetic toward the KMT, the report said. In a Facebook post on Sunday, New Party Chairperson Yok Mu-ming (???) said the DDoS attacks were serious national security concerns. “Do we not see China as our enemy and try to prevent Beijing hacking our Web sites? What I’m seeing now is like the opening salvoes of a Taiwanese civil war,” Yok said. Yok called on the public to put pressure on the Presidential Office and National Security Bureau to look into the attacks and find out who was behind them. “We must know if the motives are against curriculum changes or if there are other ulterior motives,” he said. Shortly after Yok’s Facebook post the New Party Web site was hacked. Anonymous Asia said on Facebook: “Yok Mu-ming, are you looking for us? Here we come.” Anonymous Asia is a loose coalition of hackers and Internet activists. The group describes itself as “an internet gathering” with “a very loose and decentralized command structure that operates on ideas rather than directives” and has been known for high-profile public DDoS attacks on government, religious, and corporate Web sites. Source: http://www.taipeitimes.com/News/taiwan/archives/2015/08/04/2003624588

More here:
Curriculum Protests: DDoS attacks launched on official, pan-blue Web sites

FBI to Banks: DDoS Extortions Continue

Don’t Pay Attackers or Scammers, Security Experts Warn Numerous firms across the financial services sector – and beyond – continue to face a variety of distributed-denial-of-attack and data breach extortion attempts. Attackers’ tactics are simple: Sometimes they threaten to disrupt a firm’s website, preventing customers from accessing it. And other times they warn that they will release data – which they obtained by hacking into the firm – that contains sensitive information about the organization’s employees and customers. Or, the attackers say, the organization can pay them off – typically via bitcoins – to call off the attack or delete the data. Richard Jacobs, assistant special agenct in charge of the cyber branch at the FBI’s New York office, reports that the bureau continues to see a large number of related shakedown attempts, with attackers in April making DDoS extortion threats against more than 100 financial firms, including some big banks and brokerages, MarketWatch reports. Some firms have reportedly been hit with demands for tens of thousands of dollars, and the FBI says that some victims do pay, even though attackers might never have followed through on their threats. Likewise, the payoff sometimes leads attackers to blackmail victims for even more money. “There are some groups who typically will go away if you don’t pay them, but there’s no guarantee that’s going to happen,” Jacobs tells Marketwatch. Attacks on the Rise This is far from a new tactic for criminals operating online, and law enforcement experts have long warned organizations to not accede to attackers’ demands. “Extortion types of attacks have always been around,” says information security expert Brian Honan, who heads Dublin-based BH Consulting and also serves as a cybersecurity advisor to Europol. “They were quite popular during the 1990s and early 2000s, waned for a while, but are now gaining popularity again with criminals. We are seeing a rise in such types of attacks both in the U.S. and in Europe.” Large financial institutions in particular appear to be getting singled out by blackmailers, says financial fraud expert Avivah Litan, an analyst at the consultancy Gartner. “The large banks are under an onslaught of [such] attacks; the smaller banks, I hear mixed things from,” she says. But banks don’t talk about such attacks much, she adds, “because no one wants the public to know that they’re being extorted.” The growth of such shakedown attempts has been driven in part by the increasing availability and ease of use of DDoS-on-demand services, Litan says. “It’s always been easy to get DDoS attacks, but now it’s just more organized, more readily available, and you can say, ‘I want to do it against these particular U.S. banks or U.K. banks,’ for example,” she says. Sometimes, attackers do follow through on their threats by executing DDoS disruptions or leaking data. Earlier this year, for example, a hacking team calling itself “Rex Mundi” demanded a payment of 20,000 euros ($21,000) from French clinical laboratory Labio, or else it would release people’s blood test results. When Labio refused to pay, the hackers dumped the data. The “Pedro Batista” Scam But at least some of these shakedown attempts appear to be little more than bluster. For example, one threat researcher – speaking on condition of anonymity – reports that in recent months, an apparently Portugal-based attacker or middleman named “Pedro Batista” has attempted to extort both the Federal Savings Bank, plus the Industrial Bank in China. Batista claimed in an email – sent to the researcher – to have obtained root access to an FSB MySQL database, which supposedly contained extensive information about the firm’s clients. For the Industrial Bank of China, Batista also claimed to have stolen a database containing employees’ salaries, plus usernames and passwords. Neither of those firms responded to Information Security Media Group’s queries about whether they could confirm having received blackmail notices from Batista, or if they had given in to the extortion demands. But Mikko Hypponen, chief research officer at F-Secure, says the Pedro Batista shakedown is a scam. “Since 2013, an individual using this name has been contacting security experts, offering vulnerabilities or leaked databases for sale,” he tells Information Security Media Group. “Those that have kept up the communication with him have found out that he had no goods or very little goods to actually deliver. He might be able to do some SQL injections to gain partial access to some information, but for the most part, this seems to be some kind of a scam operation.” How To Respond: 5 Essentials Organizations can simply ignore those types of scams, security experts say. But dealing with DDoS threats requires a more structured response, says Honan, who offers the following recommendations: React: Take the threat seriously, and “spin up” an incident response team to deal with any such attacks or threats. Defend: Review DDoS defenses to ensure they can handle attackers’ threatened load, and if necessary contract with, subscribe to or buy an anti-DDoS service or tool that can help. Alert: Warn the organization’s data centers and ISPs about the threatened attack, which they may also be able to help mitigate. Report: Tell law enforcement agencies about the threat – even if attackers do not follow through – so they can amass better intelligence to pursue the culprits. Plan: Continually review business continuity plans to prepare for any disruption, if it does occur, to avoid excessive disruptions to the business. Litan likewise advocates technical planning as the primary way to defend against threatened or in-progress DDoS attacks. Furthermore, if an organization’s DDoS defenses do fail to mitigate the attack, she says an excellent fallback strategy is to redirect customers to a backup site that attackers don’t yet know about. “If you are under attack, you have a miniature website set up that you can immediately redirect your customers to, with most of the functions on the site, so you don’t have to deal with extortion attempts – go ahead and DDoS me, it doesn’t matter,” Litan says. “Some of the large banks have done that, and it has worked effectively.” Above all, Honan says that on behalf of all would-be victims, no targeted organization should ever give in to extortion attempts. “Needless to say, you should not pay the ransom, as you have no guarantee the criminals will not attack you anyway, or that other criminals may target you in the future,” Honan says. “And by paying the demands you simply motivate the criminals to carry out similar attacks against you and others.” Source: http://www.bankinfosecurity.com/fbi-to-banks-ddos-extortions-continue-a-8446

More here:
FBI to Banks: DDoS Extortions Continue

FBI Warns of Increase in DDoS Extortion Scams

Online scammers constantly are looking for new ways to reach into the pockets of potential victims, and the FBI says it is seeing an increase in the number of companies being targeted by scammers threatening to launch DDoS attacks if they don’t pay a ransom. The scam is a variation on a theme, the familiar ploy of either holding a victim’s data for ransom or threatening some kind of attack if a ransom isn’t paid. Ransomware gangs have been running rampant in recent years, using various kinds of malware to encrypt victims’ data and then demand a payment, usually in Bitcoin, for the encryption key. The scam that the FBI is warning about isn’t as intrusive as that, but it can be just as damaging. The attackers in these cases are emailing people inside organizations and demanding that they pay a ransom or face a DDoS attack. “Victims that do not pay the ransom receive a subsequent threatening e-mail claiming that the ransom will significantly increase if the victim fails to pay within the time frame given. Some businesses reported implementing DDoS mitigation services as a precaution,” an alert from the FBI says. The FBI says that it believes there are several people involved in these scams and they anticipate that they will expand the number of industries that they’re targeting in the near future. Organizations that haven’t paid the ransom have in some cases been hit with the threatened DDoS attacks, but the FBI said they typically don’t last very long. “Businesses that experienced a DDoS attack reported the attacks consisted primarily of Simple Discovery Protocol (SSDP) and Network Time Protocol (NTP) reflection/amplification attacks, with an occasional SYN-flood and, more recently, WordPress XML-RPC reflection/amplification attack. The attacks typically lasted one to two hours, with 30 to 35 gigabytes as the physical limit,” the FBI alert says. There have been high-profile incidents like this in the recent past. Basecamp, a project management console, was hit with such an attack in 2014 when attackers tried to blackmail they company and then hit it with a DDoS attack. Source: https://threatpost.com/fbi-warns-of-increase-in-ddos-extortion-scams/114092#sthash.2CvEua2m.dpuf

See the original article here:
FBI Warns of Increase in DDoS Extortion Scams

Planned Parenthood websites downed in DDoS attack

Planned Parenthood websites have gone down and are, according to the main page, undergoing maintenance. In a statement emailed to SCMagazine.com on Thursday, Dawn Laguens, executive VP of Planned Parenthood, said that the Planned Parenthood websites were the target of a DDoS attack. “Today, the Planned Parenthood websites experienced a wide scale distributed denial-of-service (DDoS) attack, a hacker tactic to overwhelm websites with massive amounts of traffic to block any legitimate traffic from getting in,” Laguens said. The websites were back online shortly after the attack, but are scheduled to remain down throughout Thursday for security purposes, Laguens said, adding that during this time visitors are being redirected to the organization’s Facebook pages. Following reports that politically motivated attackers released website databases, Planned Parenthood announced on Monday that it is investigating possible unauthorized access to its systems. Source: http://www.scmagazine.com/planned-parenthood-websites-downed-in-ddos-attack/article/429563/

Taken from:
Planned Parenthood websites downed in DDoS attack

New York Site DDoS attack After Massive Cosby Story Goes Online

At 9PM on Sunday night, New York Magazine published to the web one of its most ambitious and powerful stories of the year, an extended interview with 35 women who have accused Bill Cosby of sexual assault. Within minutes, writers and editors heaped praise on the feature, but later into the night, it mysteriously disappeared, along with everything else hosted at NYMag.com, victim to an apparent denial-of-service attack. On Twitter, accounts identifying themselves as the hackers gave a variety of conflicting and implausible explanations for the attack, ranging from general animosity toward New York City to a personal connection with one of the women involved. The magazine’s only official statement came at 3:32AM: “Our site is experiencing technical difficulties. We are aware of the issue, and working on a fix.” As of press time, the site is still offline. So far, the attack is consistent with a denial-of-service (or DDoS) attack — an unsophisticated flood of traffic that blocks users from accessing a specific address without compromising the site itself. DDoS attacks can be launched cheaply from nearly anywhere, making them a favored tactic for activists and criminals alike. Mitigation techniques have grown more advanced in recent years, but the sheer volume of requests is often enough to knock a site offline or slow response time for days at a time. Denial-of-service actions are occasionally used as cover for more sophisticated attacks, but the vast majority are simple brute force actions, overcome as soon as site managers are able to deploy mitigation measures or, in some cases, comply with extortion demands. But while NYMag.com is still unavailable, the story has continued to proliferate through other channels. New York ‘s Instagram account has published pictures and quotes from four of the women, which the magazine’s Twitter account has continued to promote throughout the outage. A cached version of the story is also available through Archive.org, although not all of the functionality is present. Print distribution of New York has been unaffected by the attack. Source: http://www.theverge.com/2015/7/27/9047765/new-york-magazine-bill-cosby-rape-story-ddos-attack

More:
New York Site DDoS attack After Massive Cosby Story Goes Online