Tag Archives: defend against ddos

DDoS attacks enabled via vulnerable Google Maps plugin

An industry warning has been issued to businesses and Software-as-a-Service providers advising that attackers are currently exploiting a vulnerable Google Maps plugin installed on Joomla servers to launch distributed denial of service (DDoS) attacks. “Vulnerabilities in web applications hosted by Software-as-a-Service providers continue to provide ammunition for criminal entrepreneurs. Now they are preying on a vulnerable Joomla plugin for which they’ve invented a new DDoS attack and DDoS-for-hire tools,” said Stuart Scholly, senior vice president and general manager at the Security Business Unit, Akamai Technologies. “This is one more web application vulnerability in a sea of vulnerabilities.” The vulnerability found in the Google Maps plugin for Joomla allows the platform to act as a proxy, enabling attackers to process fake requests and return the proxy results to a targeted user in the form of a DDoS attack. The source of the attack remains anonymous as the hack-related traffic appears to come from the Joomla servers. Figures released in February 2014 showed that Joomla, the second most frequently used online content management system after WordPress, had been downloaded over 50 million times. Working with Phishlab R.A.I.D, Akamai’s Prolexic Security Engineering and Research Team (PLXsert) were able to match the DDoS signature traffic coming from a number of Joomla sites, suggesting that the vulnerable plugins are currently being used to execute a large amount of reflected GET flood DDoS attacks. The research has also found that the attack vector is being advertised over popular DDoS-for-hire websites. PLXsert identified over 15,000 supposed Joomla reflectors online. Despite many of the vulnerable plugins having been patched, removed or reconfigures, many of the servers remain open to attack. Reflection techniques to conduct DDoS attacks are extremely common, with 39% of all DDoS traffic employing reflection to bounce malware off third-party servers and to hide the attackers’ identity. Source: http://thestack.com/ddos-attacks-vulnerable-google-maps-plugin-020315

Read this article:
DDoS attacks enabled via vulnerable Google Maps plugin

DDoS Exploit Targets Open Source Rejetto HFS

Apparently no vulnerability is too small, no application too obscure, to escape a hacker’s notice. A honeypot run by Trustwave’s SpiderLabs research team recently snared an automated attack targeting users of the open source Rejetto HTTP File Server (Rejetto HFS). Someone was trying to exploit a vulnerability—which has since been patched—and install the well-known distributed denial-of-service tool IptabLes (unrelated to the Linux tool), also known as IptabLex. Rejetto HFS has been downloaded more than 24,000 times in the last seven days and according to the project’s website has an estimated 12,500 users and is used as a file-sharing application as well as a webserver. It also runs on Wine, the Windows emulator for Linux systems. “This is just one snapshot, one request. This is one example to extrapolate and take a higher level view; there’s likely a lot more activity out there,” said Ryan Barnett, SpiderLabs lead researcher. It’s likely the attackers have simply incorporated this exploit into a larger attack platform, Barnett said. “That’s the value of honeypots, spotting automated tools scanning the Internet shot-gunning exploits, and hoping it works,” Barnett said. The exploit, sent from a possible compromised IP address in China, was targeting CVE-2014-6287, a remote code execution bug in Rejetto. Specifically, the vulnerability affects Rejetto versions prior to 2.3c; the vulnerability is in the findMacroMarker function. Barnett said the exploit relies on a null byte character to trigger the attack code, which is written in Microsoft VBScript. Once the exploit executes, it tries to connect to a pair of IP addresses hosted in Paris (123[.]108.109.100 and 178[.]33.196.164) on three ports: 80 (HTTP); 53 (DNS); and 443 (HTTPS). Barnett said only 178[.]33.196.164 remains online and is a malware repository responding to XML HTTP Requests (XHR) from the exploit. The exploit tries to infect Rejetto users with the IptabLes DDoS tool. via @Threatpost Tweet A file called getsetup.exe is sent to the compromised server along with another executable, ko.exe, which drops IptabLes. Barnett said detection rates are high for the hash of getsetup.exe. IptabLes is a troublesome DDoS tool, capable of synflood and DNSflood attacks. It installs itself into boot for persistence, according to the SpiderLabs research, which added that IptabLes has been widely reported targeting Linux and Unix servers. The vulnerability being targeted was submitted last September. “It’s not very sophisticated, and a lot of times these types of attacks don’t have to be,” Barnett said. “These guys are concerned with scale because they’re running botnets. What makes botnets so nice to the criminals running them is that they don’t care to be stealthy. They can send attacks blindly, and if they’re shut down, they just move on.” Source: http://threatpost.com/ddos-exploit-targets-open-source-rejetto-hfs/111286

Originally posted here:
DDoS Exploit Targets Open Source Rejetto HFS

New York City hit with DDoS attacks, government email service knocked out

Unknown hackers knock out New York City governments email system For whole of last week and uptil Monday, unknown hackers had knocked of New York City government’s emailing system. The attack was pretty ferocious according to a City Hall source who said that the “universal” denial of service attack had now been contained but there was still “ongoing malicious activity” as recently as Monday. Almost all government agencies in New York City were unable to send or receive messages for the past week due to this attack. Some agencies such as the Department of Transportation set up temporary Gmail accounts to send and receive emails. Sources said that inbound and outbound emails were affected while intra-agency emails were not affected by the attack Speaking about the DDoS attack, Jackie Albano, a spokeswoman for the city’s Department of Information Technology and Telecommunications, said that the attack which started last Tuesday, had been resolved last week. He also added that the efforts taken to mitigate the attack may have slowed the email servers resulting in slowed emails. It is not known whether New York City government websites were under DDoS attack or were hacked because Albano added that no sensitive information or data was compromised during the attack. He however said that this was a “big attack” but downplayed its impact on New York City government services. “It is a big deal but….it’s like a lot of mosquitoes buzzing around you,” said Albano. “The nature of the attack is only designed to interfere with service, not to steal or access any private information. It’s designed to slow down email. On the scale of cyber incidences it’s kind of low.” Albano said that MSISAC, New York Police Department and FBI were all investigating the incident and it is still not clear who initiated the attack of why. Source: http://www.techworm.net/2015/02/new-york-city-hit-with-ddos-attacks-government-email-service-knocked-out.html

More here:
New York City hit with DDoS attacks, government email service knocked out

Hackers create tool that DDoS attacks on telephone lines

There are only the sites and services Internet which are subject to known denial of service attacks – common phones, whether mobile or not, are also subject to suffering such blows. That’s what the site revealed The Register that, on Monday (23), brought the story of TNT Instant Up, a device created by hackers Eastern Europe just facing this purpose. Sold on the Internet by values ??ranging between $ 500 and $ 1,200, the equipment uses an interconnected system of SIM cards and modems to bomb one or more numbers linked. Calls are empty and only serve to clog the lines, preventing legitimate users are able to access them The idea here is basically the same as any attack DDoS :. Prevent the use services. But, here, they are not removed from the air, but only end up congested and unusable for the duration of the attacks. The practice is being called TDOs, short for Telephone Denial of Service , or denial of telephone service. The problem is that in the new modality, the results would be much more dangerous . While most of the scams of this type cause financial losses to affected companies and inconvenience to its users, it TDOs would be able to, for example, block emergency services. Furthermore, the TNT Instant up would be simple enough to literally anyone could use it. In a demonstration video freely available on YouTube, one of tool vendors shows up with various cell at the same time, with numbers that are entered from a running software on a computer. Trading in the “merchant” happens ICQ or email and the product is sent by mail as any conventional electronic. The FBI would have identified at least two circumstances in which a device such as TNT Instant Up was used to prevent user access to health service plan or emergency lines. Nevertheless, did not identify crimes that were being made in relation to the attack and that would justify blocking the line and trying to prevent citizens to contact the police, for example. According to the information of IntelCrawler , a provider of systems and security solutions, as well as in denial of service attacks on the web, there are ways to protect against this new type of coup, unless, of course, disconnect the line to phone stops ringing nonstop. An alternative that simply does not exist for emergency services, especially now become more of a tool target that can be used by anyone, whatever her intent. Source: http://www.unlockpwd.com/hackers-create-tool-that-ddos-attacks-on-telephone-lines/

Originally posted here:
Hackers create tool that DDoS attacks on telephone lines

Komodia Website Under DDoS Attack

Komodia.com, home to the SSL interception module at the heart of the Superfish adware dustup, is currently under a distributed denial-of-service attack. As of 2 p.m. Eastern time, its home page had been replaced with a notice that the site was offline because it was under attack. “Some people say it’s not DDoS but a high volume of visitors, at the logs it showed [thousands] of connections from repeating IPs,” the notice said. The attack may be an outcome of last week’s disclosure that Superfish, pre-installed on new Lenovo laptops between September 2014 and this January, put users’ sensitive transactions at risk to man-in-the-middle attacks. Komodia’s SSL Digester, a self-proclaimed “SSL hijacker SDK,” is used by Superfish, which analyzes images on a website and serves up ads for products similar to the respective images. Komodia decrypts SSL traffic and does so without triggering a browser-based certificate warning. This enables Superfish, which uses the library, to sit in a man-in-the-middle position and see all traffic leaving the machine beyond online advertisements, putting banking, email and other private transactions at risk. Late last week, researchers uncovered that the Komodia library installs a self-signed root certificate. That same cert, protected by the same password, was shipped on all Lenovo machines. Researcher Rob Graham of Errata Security cracked that password late last week and published details. Attackers can use that information to read traffic that’s supposed to be protected, carrying out a man-in-the-middle attack. Shortly thereafter, researchers with Facebook’s Security Team reported that it had discovered more than a dozen other software applications using the Komodia library in question, along with a list of certificate issuers. That list includes: CartCrunch Israel LTD WiredTools LTD Say Media Group LTD Over the Rainbow Tech System Alerts ArcadeGiant Objectify Media Inc Catalytix Web Services OptimizerMonitor “Initial open source research of these applications reveals a lot of adware forum posts and complaints from people. All of these applications can be found in VirusTotal and other online virus databases with their associated Komodia DLL’s,” said Matt Richard, threats researcher at Facebook. “We can’t say for certain what the intentions of these applications are, but none appear to explain why they intercept SSL traffic or what they do with data.” Richard said the list represents certs on more than 1,000 systems on applications including games, popup generators, or behavior such as Superfish’s. “What all of these applications have in common is that they make people less secure through their use of an easily obtained root CA, they provide little information about the risks of the technology, and in some cases they are difficult to remove,” said Richard, adding that the SSL proxies aren’t likely to adopt advanced protections such as certificate pinning or forward secrecy. “Some of these deficiencies can be detected by anti-virus products as malware or adware, though from our research, detection successes are sporadic,” Richard said. Facebook said that the installer for the root CA includes a number of attributes that make it easy to detect, adding that most are designed to work with newer versions of Windows and won’t install on older versions. Source: https://threatpost.com/komodia-website-under-ddos-attack/111195

Read the original:
Komodia Website Under DDoS Attack

DDoS-for-hire cyberattacks are effective and cost-effective

DDoS-for-hire is a growing business for cybercriminals, and continues to prove effective Read more at http://www.tweaktown.com/news/43708/ddos-hire-cyberattacks-effective-cost/index.html Distributed denial of service (DDoS) cyberattacks have plagued consumers and businesses for quite some time, but the rising number of DDoS attacks available as a paid service is troubling. Clients can pay from $2 up to $5 per hour to launch DDoS attacks, or pay a subscription for prices as low as $800 per month. The Lizard Squad hacker group helped draw increased scrutiny to the underground cybercriminal activity – demonstrating its LizardStresser DDoS service in successful attacks against the Sony PlayStation Network and Microsoft Xbox Live. Meanwhile, the Gwapo DDoS service has been publicly advertised via social media and YouTube posted videos, with attacks starting at $2 per hour. “Since their inception in 2010, DDoS-for-hire capabilities have advanced in success, services and popularity, but what’s most unnerving is booters have been remarkably skilled at working under the radar,” according to the “Distributed Denial of Service Trends” report from Verisign. “Given the ready availability o DDoS-as-a-service offerings and the increasing affordability of such services, organizations of all sizes and industries are at a greater risk than ever of falling victim to a DDoS attack that can cripple network availability and productivity.” Source: http://www.tweaktown.com/news/43708/ddos-hire-cyberattacks-effective-cost/index.html

View original post here:
DDoS-for-hire cyberattacks are effective and cost-effective

Network of city websites CitySites under DDoS Attack

On February 15, about ten websites of the cities that are in the same network CitySites, were under a DDoS-attack. The ones to suffer most from the attack were the websites of Kharkiv (057.ua), Zaporizhzhya (061.ua), and Mykolaiv (0512.com.ua). Also, the websites of Artemivsk, Luhansk, and Sumy were affected. According to the network’s tech support, the attacks are random as if the hackers were feeling out the websites’ defense. The websites of Donetsk, 62.ua, and Mariupol, 0629.com.ua, are beyond the hackers’ reach. Source: http://imi.org.ua/en/news/47756-network-of-city-websites-citysites-under-ddos-attack.html

View article:
Network of city websites CitySites under DDoS Attack

The growing threat of DDoS attacks on DNS

Current security solutions are proving inadequate in combating DNS attacks – See more at: http://www.information-age.com/technology/security/123459033/growing-threat-ddos-attacks-dns#sthash.Yy7UXtWd.dpuf Since 2012, the number of infrastructure attacks on the domain name system (DNS) has increased by over 200%. Yet despite this rise, many businesses still aren’t doing enough to secure a critical component of their IT infrastructure. A 2014 survey on IT infrastructure security found that more than a quarter of companies had not established formal responsibility for DNS security. The reaction of both the media and consumers to the high-profile attacks witnessed in 2014, such as those on Target and JP Morgan, has shown companies will not be easily forgiven when a hack occurs – especially if certain security measures could have prevented the attack. With the ever-increasing rise in distributed denial of service (DDoS) attacks on DNS, companies not taking measures to secure their DNS will appear negligent. DNS is easy to exploit, and organisations need to understand that they have little choice but to work around its weaknesses. In its 2014 Annual Security Report , Cisco found that all the corporate networks examined showed evidence of having been compromised. 96% showed traffic to hijacked servers and 92% revealed traffic to sites without any content, typically a sign of malware hosting. It is clear that DNS-based DDoS attacks are not only a growing threat, but also one that’s being overlooked. DNS security should be considered a priority given these increasing risks. Knowledge is key, and businesses need to understand how these attacks work if they want to protect themselves. Understanding DDoS attacks It’s surprisingly, and worryingly, simple to generate a DDoS attack using an organisation’s DNS infrastructure. Hackers hijack the system to send queries to name servers across the Internet from a spoof IP address of their target (this is as simple and effective as writing someone else’s return address on a postcard). The name servers then, in turn, send back responses. If these responses were around the same size as the queries themselves, this wouldn’t in itself be enough to wreak the desired havoc on the target. To inflict the maximum damage, the query needs to be amplified so it returns the largest possible response. And this has become much simpler since the adoption of DNS security extensions (DNSSEC). Following the introduction of the set of extensions known as EDNS0 in 1999 UDP-based DNS messages (DNS messages which use Internet Protocol (IP) to get data from one computer to another) have been able to carry greater amounts of data. Whilst most queries are under 100 bytes, the responses can be significantly larger, anywhere up to 4,096 bytes. Responses of this size were once a rare occurrence in the internet’s namespace, but digital signatures and cryptographic keys stored by DNSSEC in the namespace are now commonplace and massive. To see the extent to which these amplified responses can be used as an effective DDoS attack, consider a query of just 44 bytes. This single query, if sent from a spoofed IP address to a domain containing DNSSEC records, could generate a response of over 4,000 bytes. Using a botnet of thousands of computers, and recruiting 10 fellow comrades, could deliver 1Gbps of replies to incapacitate the target. Thankfully most name servers can be modified to recognise when they’re being repeatedly queried for the same information from the same IP address. However, it’s a different story for open recursive servers, of which there are estimated to be 33 million around the world. These will continually accept the same query from the same spoofed IP address, each time sending back responses as discussed in the DNSSEC examples previously mentioned. Knowledge is the key Of all the steps that companies can take to protect themselves from such attacks, the first and probably the most important is learning to recognise just when a DDoS attack is taking place. Many organisations don’t know what their query load is, let alone when they’re under attack. With the statistics support built into the DNS software BIND, administrators are able to analyse their data for socket errors, query rates, and other attack indicators. Whilst it may not be clear exactly what the attack looks like, by monitoring the DNS statistics it is possible to get an understanding of what the trends are, so anomalies can be more easily identified. It’s also important to scrutinise an organisation’s internet-facing infrastructure for single points of failure. This should not only be in external authoritative name servers, but also in the firewalls, switch and router interactions, and connections to the Internet. Once these vulnerabilities have been identified, the question is whether these can be cost-effectively and easily eliminated. Also, wherever possible, external authoritative name servers should be broadly geographically distributed. This will not only help avoid single points of failure, but will also improve the response time performance for the closest customers. Another easy step is overprovisioning existing infrastructure, which is both inexpensive and easy to trial prior to an attack. This helps mitigate the massive number of responses resulting from a DDoS attack. But has the consequence of potentially making you a better ‘amplifier’ for attacks on a third party. Therefore an approach that enables your DNS servers to continue to serve legitimate traffic whilst identifying and intelligently limiting rouge traffic may be a better approach. The ever-increasing threat posed to DNS means that priority must be given to learning about and implementing preventative measures to mitigate the threat. Understanding how DDoS attacks exploit DNS servers is the first step to reducing an organisation’s threat level. Formally assigning responsibility for DNS security and taking steps to understand typical query loads are both relatively simple tasks that will help reduce exposure to DNS attacks. With attacks on DNS increasing at an alarming rate, businesses that fail to act will be vulnerable. Source: http://www.information-age.com/technology/security/123459033/growing-threat-ddos-attacks-dns

See the original article here:
The growing threat of DDoS attacks on DNS

Dutch government says DDoS attack took down websites for hours

Cyber attackers crippled the Dutch government’s main websites for most of Tuesday and back-up plans proved ineffective, exposing the vulnerability of critical infrastructure at a time of heightened concern about online security. The outage at 0900 GMT (0400 ET) lasted more than seven hours and on Wednesday the government confirmed it was a cyber attack. The United States has beefed up cybersecurity laws and created an intelligence-gathering unit to coordinate analysis of cyber threats after attacks against Sony Pictures and Home Depot. The outage affected most of the central government’s major websites, which provide information to the public and the media, but phones and emergency communication channels remained online. Other websites, including GeenStijl.nl, a popular portal which mocks politicians and religions, were also hit by the “distributed denial of service” (DDoS) attack, said Rimbert Kloosterman, an official at Government Information Service, which runs the websites. “Our people are investigating the attack together with the people from the National Centre for Cyber Security,” he said. The complexity and size of the government’s many websites had rendered the back-up useless, he said. Prolocation, the website host, said the attack had been a “complex” problem and that its phone lines had also gone down. “The initial symptoms pointed first to a technical problem, but it then emerged we were facing an attack from the outside,” the company said in a statement. But one computer security expert doubted that a DDoS attack, in which systems are overloaded with a flood of requests from hijacked computers, could have been hard to identify. “If you face a DDoS, you know it,” Delft Technical University cyber security specialist, Christian Doerr, said. Such attacks were hard to guard against and the software for such an attack could be bought illegally for as little as $25. “Even a 16-year-old with some pocket money can attack a website,” he said. Source: http://www.reuters.com/article/2015/02/11/us-netherlands-government-websites-idUSKBN0LF0N320150211

See original article:
Dutch government says DDoS attack took down websites for hours

How The Great Firewall Of China Caused A DDoS Attack In France

Many people outside China know about the country’s Great Firewall, but probably assume it will have little, if any, impact on their own online activities. However, a fascinating post on Benjamin Sonntag’s blog explains how one of the servers of La Quadrature du Net, the Paris-based digital freedom association he co-founded, and for which his company provides free hosting, was hit by distributed denial of service attacks (DDOS) caused directly by the Great Firewall’s policies. His blog post provides all the technical details: it turned out that the vast majority of the attacks were coming from Chinese IP addresses. Here’s what seems to have happened: China is censoring its Internet, that’s well known to do this, this country censors (among others) DNS [Domain Name System] queries in its network (and also censoring as a side effect, the rare Japanese, Korean or Taiwanese queries going through China) when it answers a DNS query to a censored website, it answers with “any incorrect IP address” instead. That is, instead of letting Chinese Net users access “forbidden” content, the Great Firewall generally re-directs them to some random, presumably harmless, site. But that wasn’t happening here: we see spikes of requests to websites censored in China coming to IP addresses such as those of La Quadrature du Net. Other people had this same issue : http://furbo.org/2015/01/22/fear-china/ So, the end story is that we just saw censored websites requests coming to La Quadrature du Net’s IP address from China, due to how the Chinese Internet censorship is working! Rather than pushing limited traffic to lots of sites, the Great Firewall was sending lots of traffic to just a few. Among the possible explanations for this new behavior, Sonntag offers two that are equally worrying: Maybe one of the system administrator of the great firewall of China is gaining some small and quick money selling DDOS, selling Internet attacks to the highest bidder (in bitcoin? ) and using that censorship system as a weapon Maybe China chose a precise list of targets to send censored traffic to, adding to this technical “useful” process (the censorship) a “nice” one (putting down foreign opponents’ websites)… La Quadrature du Net, as a digital freedom association, seems to be too nice a target (among others of course). Neither is good news for sites in the West. Whatever the real reason for this DDOS attack on La Quadrature, it certainly shows that the operation of the Great Firewall of China can have very direct effects outside that country. Another reason, perhaps, for those in the West to pay closer attention to China’s increasingly harsh approach to online censorship. Source: https://www.techdirt.com/articles/20150204/09454829910/how-great-firewall-china-caused-ddos-attack-france.shtml

More:
How The Great Firewall Of China Caused A DDoS Attack In France