Tag Archives: development

DDoS Attack! Is Regulation The Answer?

Four security experts weigh in on why there’s been little progress in combating DDoS attacks and how companies can start fighting back. The scale, diversity, and magnitude of recent DDoS attacks have knocked enterprises back on their heels. Now they’re attracting attention from regulators. Intended or not, attackers are forcing a sea change. The question at hand is whether self-regulation will improve or if regulatory intervention is inevitable. Cloudflare’s recent analysis of a February 13 denial of service attack explains the most recent variation on a recurring DDoS attack theme, and in doing so illustrates that we’ve made little or no progress in mitigating root causes of DDoS: The attack was distributed , emanating from over four thousand servers and twelve hundred networks. The attack used reflection , a technique where the source IP address of query traffic is “spoofed.” All of the attacking hosts set the source IP address of queries to the IP address of the targeted host so that the responses will overwhelm the victim. The attack also used amplification , a technique where a small query results in a much larger response being transmitted in order to deplete the target’s resources more rapidly. There are also other similarities between this and prior DDoS attacks. The attacks exploit UDP-based services (DNS, chargen, and now NTP). They exploit the absence of anti-spoofing measures by ISPs or private networks, and they exploit the “open” operation of these services, taking advantage of open DNS resolvers, publicly accessible network time servers, and services that should be configured to respond only to clients within specific administrative domains. The takeaway is obvious: Services that run over UDP and are accessible in a public or open manner are targets for reflection or amplification attacks, and the ability to spoof IP addresses exacerbates this threat .    

Original post:
DDoS Attack! Is Regulation The Answer?

The rise of UDP-based DDoS attacks

The DDoS war is ramping up with the use of network time protocol (NTP) amplification to paralyse, not just individual organisation’s networks, but potentially large proportions of general internet traffic. The largest ever DDoS attack to date with a DNS amplification hit the anti-spam company, Spamhaus last year. This attack reached 300 Gbps, taking Spamhaus offline and also affecting the DDoS mitigation firm, CloudFare. With the volume of traffic that was going through peering exchanges and transit providers, the attack also slowed down internet traffic for everyone else. However, in the last couple of months these UDP amplification attacks seem to have moved on to NTP, taking advantage of an exploit available in older, unpatched NTP systems. These servers are usually used for time synchronisation and utilise the UDP protocol on port 123. Like DNS, they will respond to commands issued by any client to query certain information, unless they are properly secured. These attack styles are not new, but their historically infrequent usage and the potential for mass disruption means they warrant more attention. Coverage of these attack styles in both industry and mainstream press is to be welcomed in my opinion, because these attacks are relatively defensible and coverage will hopefully get more administrators to secure or patch their NTP servers. What is all the fuss about? DNS amplification attacks ramp up the power of a botnet when targeting a victim. The basic technique of a DNS amplification attack is to spoof the IP address of the intended target and send a request for large DNS zone files to any number of open recursive DNS servers. The DNS server then responds to the request, sending the large DNS zone answer to the attack target rather than the attacker, because the source IP was spoofed. The DNS amplification attack on Spamhaus saw request data (the data the attacker sent to the DNS servers) of roughly 36 bytes in length, while the response data (the data from the DNS server to the attack target) was around 3000 bytes, meaning the attackers increased the bandwidth used by 100x. Not only is that a large increase in attack bandwidth, but these packets from the DNS servers arrive at the target in a fragmented state due to their large size and have to be reassembled, which ties up the routing resources as well. NTP amplification attacks work by spoofing the IP of the attack target and sending a ’monlist’ command request to the NTP servers. This command will return the IP addresses of the last 600 clients that have used the NTP server to synchronise time. By issuing this command a small request packet can trigger much larger UDP response packets containing active IP addresses and other data. The volume of the response data is related to the number of clients that communicate with any particular NTP server. This means that a single request which consists of a single 64-byte UDP packet can be increased to 100 responses each, which contain the last 600 client IP addresses that have synchronised with the server. Each of those 100 responses will be a UDP packet of around 482 bytes which gives the attacker a bandwidth amplification of around 700x [482 bytes x 100 responses = 48200 bytes / 64 bytes = 753.125]. With this level of amplification available and several popular DDoS attack tools already including a module for abusing ’monlist’ we could be on for a new record in DDoS attack size this year unless the vulnerabilities are patched soon. For example, if DNS amplification created a 300 Gbps, then NTP amplification means we could potentially see a 2.1 Tbps (21,000 Gbps) attack. There is no network that could absorb an attack of that size; it would have an enormous knock-on effect on general Internet traffic as the Spamhaus attack did with peering points, transit providers and content delivery networks being overloaded. This isn’t to say that DNS and NTP are the only amplification attack methods. There are other amplification and reflection-style tactics as well and, while not as popular as more tried-and-true DDoS methods, they represent a real threat if you are not prepared for them. Fixing the problem The easiest way to fix this and remove your NTP servers from being an attack vector for a DDoS is to update your NTP servers to version 4.2.7 which removes the ‘monlist’ command. Otherwise you can disable query within your NTP server via a configuration change: nano /etc/ntp.conf [Your configuration file might be located elsewhere] #Restrict general access to this device Restrict default ignore Restrict xxx.xxx.xxx.xxx mask 255.255.255.255 nomodify notrap Noquery This change will prevent your NTP server from being used to launch DDoS attacks against other networks, but an update to the latest version is still recommended. Conclusion DDoS attacks have been around in one form or another since the very beginnings of the internet, but the motivations, as well as the scale of these attacks seem to have grown significantly. In the early days it was just extortion; a hacker would ask for payment to stop the attacks. Nowadays, some businesses may pay for competitors to be attacked, as a few hours offline could be worth millions. You also have DDoS being used as a method of political activism by groups such as Anonymous, as well as the potential for a government to use DDoS to disrupt another country’s infrastructure. Systems administrators need to ensure their systems are reviewed regularly for patches and known vulnerabilities. If systems are left unpatched then at best you can be used as a vector to attack another network or organisation, but at worst those vulnerabilities could be exploited to take your systems offline or steal your data. Source: http://blogs.techworld.com/industry-insight/2014/02/the-rise-of-udp-based-ddos-attacks/index.htm

Read more here:
The rise of UDP-based DDoS attacks

Cyber attacks ready to lay siege to 2014 World Cup

Brazilian hackers have issued threats to disrupt this summer’s FIFA World Cup and there are worries that the telecommunications infrastructure won’t be able to cope with the attacks. Reuters spoke to hacking groups headquartered in Brazil that are planning to attack the event due to the global exposure it will give them and they are confident of bringing down some of the largest sites involved with the tournament. “We are already making plans,” said an alleged hacker who goes by the name Eduarda Dioratto. “I don’t think there is much they can do to stop us.” Distributed denial of service [DDoS] attacks are reportedly the weapon of choice for Brazil’s hackers to target sites operated by FIFA and the Brazilian government as well as other sponsors and organisers.   “The attacks will be directed against official websites and those of companies sponsoring the Cup,” a hacker known as Che Commodore told Reuters over Skype.Some of the problems that could be exploited include overstrained networks, widespread use of pirated programming and little care taken to invest in online security. The same report also states that one of the “world’s most sophisticated cyber criminal communities” already operates in the country and it has already started to scupper ticket sales through phishing. “It’s not a question of whether the Cup will be targeted, but when,” said William Beer, a cybersecurity expert with the consultancy firm Alvarez & Marsal. “So resilience and response become extremely important.” FIFA has yet to comment on the issue and the country itself is confident that it is at least some way prepared for any attacks that are launched. “It would be reckless for any nation to say it’s 100 percent prepared for a threat,” said General José Carlos dos Santos, the head of the cyber command for Brazil’s army. “But Brazil is prepared to respond to the most likely cyber threats.” During the Confederations Cup 2013, the traditional dress rehearsal for the World Cup, the cyber command stopped over 300 cyber attacks and dos Santos added that the number will be “much higher” during the tournament proper. Source: http://www.itproportal.com/2014/02/26/cyber-attacks-ready-to-lay-siege-to-2014-world-cup/#ixzz2uZ9neK9Q

Read More:
Cyber attacks ready to lay siege to 2014 World Cup

Bitly faces complete shutdown of services due to DDoS attack

Online URL shortening services provided by Bitly are down due to a DDoS attack and engineers were trying to solve the issues at the time of publishing Online URL shortening service provided by Bitly was under a major DDoS (distributed denial-of-service attack) on Wednesday. The website states the problem on a banner on their site and a tweet was put out by the company that its services would be restored eventually. Bitly’s internal team of engineers are working on fixing the problem. We are currently working to mitigate a DDoS attack. Some of our site may be unavailable, but we’re working to restore full functionality. — Bitly (@Bitly) February 26, 2014 Services to the links was resumed a little later, however damage from the attack was still being worked on at the time of publishing this article. Bitly, informs on their website, “All links are working after mitigating an earlier DDOS attack. Some link metrics may still be delayed.” Update: All links are working after mitigating an earlier DDOS attack. Some link metrics may still be delayed. — Bitly (@Bitly) February 26, 2014   What is DDoS attack?  – Distributed denial-of-service (DDoS) attack is an attempt to make a machine or network resource unavailable to its intended users. – Although the means to carry out, motives for, and targets of a DoS attack may vary, it generally consists of efforts to temporarily or indefinitely interrupt or suspend services of a host connected to the Internet. – As clarification, DDoS (Distributed Denial of Service) attacks are sent by two or more persons, or bots. – DoS (Denial of Service) attacks are sent by one person or system.   The company Bitly, Inc. was established in 2008 and is privately held and based in New York City. Bitly shortens more than one billion links per month, for use in social networking, SMS, and email services and is relied for accuracy and reliability. No doubt, this caused some what of a furor online with people even going so far as to refer to this attack as the ‘death of the internet’. #bitly is down. The internet is dying — iwyg (@_iwyg_) February 26, 2014 Why are so many #Bitly links failing to open today?? What’s up @hootsuite ?? — Slaweezy (@Slaweezy) February 26, 2014 On no #bitly is down and I haven’t had my fix of web based stats yet for the day #marketingbreakdown — Steve Scheja-Terry (@Von_Steve) February 26, 2014 The web is collapsing! #bitly is down! — Ben R. Hodges (@BenHodgesH2O) February 26, 2014

View article:
Bitly faces complete shutdown of services due to DDoS attack

Theresa May Home Office website DDoS attack: Man charged

A man is being charged with attacking websites belonging to the Home Office and the Home Secretary Theresa May. Mark Lynden Johnson, 43, from Stoke-on-Trent, is being charged with encouraging or assisting an offence under the Computer Misuse Act. He is due to appear at Birmingham Magistrates’ Court on 12 March. Both websites were taken offline during attacks between 15 and 18 June 2012, the Crown Prosecution Service (CPS) said. The websites were subjected to a Distributed Denial Of Service attack, also known as a DDoS attack, which prevented visitors accessing them, a CPS spokesperson said. A DDoS attack floods a webserver with so many requests that it can no longer respond to legitimate users. Source: http://www.bbc.co.uk/news/uk-england-stoke-staffordshire-26341874

Continue reading here:
Theresa May Home Office website DDoS attack: Man charged

Apple Daily in Hong Kong and Taiwan hit by DDoS attack

Apple Daily said its websites for both Hong Kong and Taiwan were hit by DDoS attacks on Saturday. IP addresses reveal that attacks originated from China, Russia, and France, according to Michael Yung, CIO of Next Media, the parent company of Apple Daily. Starting 1pm on Saturday, traffic to the Next Media website became increasingly huge that access to Apple Daily and other contents of the firm was significantly slow, Yung said, adding that audiences could only view text content via the newspaper’s mobile app. The firm’s website was restored at 6pm after several hours of fixing, Next Media said. According to Yung, small-scale attacks to the Next Media website are frequent but much more severe ones come before the June 4 commemoration and July 1 protest every year. Next Media said the attack is an act of harming freedom of press and but that won’t stop the organization from defending it. While Anonymous reportedly confirms that the attack came from the mainland Chinese government, Next Media said the identity of the attacker remains unknown at the moment because IP addresses identified could be fake. There’s also speculation that the attack’s related to Sunday’s “Free Speech, Free Hong Kong” protest organized by the Hong Kong Journalists Association. The protest is a response to recent moves that are seen as compromising editorial independence and freedom of speech. Of late, Commercial Radio fired its outspoken host Li Wei Ling while Chinese-language newspaper Ming Pao replaced its existing chief editor with a Malaysian journalist who’s not known to the local community and media industry. Source: http://news.idg.no/cw/art.cfm?id=F7551BB6-DF9A-6D69-EBD70AD566B9147F

Continued here:
Apple Daily in Hong Kong and Taiwan hit by DDoS attack

Cyber attacks: preventing disruption to your website

 One of the largest ever cyber attacks took place this month and it has been cited that it was the shape of things to come.  But it is not all doom and gloom – there is plenty that businesses can do to prepare for the future. Start by thinking about the impact of your website being down for a day to three days and how it would affect current and prospective clients and the reputation of your brand.  Google  is usually the first port of call when checking out products and services, so chances are high that any disruption to your web experience won’t be favourably looked upon by prospects. Cyber criminals will often inject malware into legitimate websites with the goal of getting innocent users to click on it, which will automatically trigger a download and can lead to all sorts of problems for the user.  As the website owner, you may be completely unaware, but this is something that Google is cracking down on. If a website is spotted hosting malicious links, Google can blacklist it, meaning it will not show up in searches and it will temporarily remove it from the Google index, which badly affects SEO.  Browsers, such as Chrome, Firefox etc will also flag insecure or risky websites and that may scare away potential customers.  It may take weeks of effort to get removed from blacklists and re-indexed. If this wasn’t bad enough, the risk is actually two-fold.  There are some would-be attackers that will threaten to hold your website to ransom.  In this case, they will identify the holes in your website and blackmail you into paying them in order for them not to get your website blacklisted. The best way to avoid getting blacklisted, or indeed blackmailed, is to have the website checked for malware and other infections.  And it is also highly recommended to have your website scanned for known vulnerabilities. This will ensure that there are no “holes” that attackers can exploit to install malware or create watering holes for unsuspecting customers. Another issue to avoid falling victim to is a DDoS attack.  DDoS attacks bombard a website with so many external communication requests that it floods the system and overloads the server to such a point that it can no longer function, leaving the website paralysed and unable to transact business. Attacks of this nature are on the rise and it’s fair to predict that this year will be no exception to this trend.  The best start is to have a plan in place- whether it is a hardware solution  that takes days to install and requires a higher up-front cost; or a provider who offers DDoS protection services that can be up and running in as little as a few hours for a monthly cost. In addition, it’s worth noting that some good DDoS protection services will offer a caching component that will allow bursts of legitimate traffic to your website without negatively impacting on the server.  Because it will automatically balance the load coming in, it keeps the website available to handle large amounts of requests with no disruption to your user base. So, make sure you do your research when choosing the best option for your website. Bear in mind that, while you can get a protection service in an emergency situation, as with so many things, the best offense is a good defence, so businesses should make sure that they have a proactive DDoS solution in place to avoid disruption to your web presence. Top tips: 1) Run malware detection and anti-virus on your website to spot and clear any existing infections 2) Enlist the services of a vulnerability scanner to identify and fix any exploits in your website 3) Have proactive DDoS protection in place; either in the form of hardware or a managed service 4) Have load balancing in place to ensure your website can handle increases in transactions Source: http://www.itproportal.com/2014/02/21/cyber-attacks-preventing-disruption-your-website/

Read More:
Cyber attacks: preventing disruption to your website

Namecheap Is In The Middle Of A DDoS Attack

If any of your favorite sites don’t seem to be working right now, don’t panic — it’s not just you. Namecheap, the host of some 3 million-plus domains, is reporting that they’re currently undergoing a Distributed Denial Of Service attack of unknown origins. If that sounds like a bunch of mumbo-jumbo to you, here’s all you need to know: a Distributed Denial Of Service (or DDoS) attack is, generally, when an attacker floods its target with so much traffic that it’s unable to respond to legitimate requests. Namecheap, a company that helps make it so that you can type URLs (like WhateverWebsiteHere.com) instead of IPs (like 192.168.0.1), is currently facing an attack like this, making it quite hard for them to do their job. The attackers appear to be focusing on some of Namecheap’s primary DNS servers. As a result, many domains that are hosted on Namecheap will be unable to resolve, and other features that rely on their nameservers (like email) might not work. The company is actively battling the attack, and are hoping that they’ll have everything locked down within the next hour or so. In the meantime: if your domain is hosted on Namecheap and is having difficulties resolving, Namecheap recommends temporarily switching it to their backup DNS system. Update: Namecheap tells us that the situation now seems to be under control. See their full response to this attack below. Namecheap gained many a fan back in 2011, when the company launched a campaign called Move Your Domain Day in response to competitor GoDaddy’s then-support of the controversial Stop Online Piracy Act. This, along with many other pressures, eventually lead GoDaddy to recanting their support for the bill. Update: Here’s the official response and breakdown of the attack from Namecheap CEO Richard Kirkendall and VP Matt Russell: Today is one of the days that as a service provider who strives to deliver excellence day in and day out, you wish you never had. At around 15.55 GMT / 11.55 EST, a huge DDoS attack started against 300 or so domains on our DNS platform. Our DNS platform is a redundant, global platform spread across 3 continents and 5 countries that handles the DNS for many of our customers. This is a platform meticulously maintained and ran, and a platform that successfully fends off other DDoS attacks on an almost-daily basis. Today, however, I am compelled to announce that we struggled. The sheer size of the attack overwhelmed many of our DNS servers resulting in inaccessibility and sluggish performance. Our initial estimates show the attack size to be over 100Gbps, making this one of the largest attacks anyone has seen or dealt with. And this is a new type of attack, one that we and our hardware and network partners had not encountered before. We responded with our well-practiced mitigation plan while also enabling our backup system for those with affected domains. It took us around 3 hours to fully mitigate the attack, working closely with our hardware and network vendors. At this moment in time, 99% of our services are back to normal. I’d like to take this time to apologize to those customers affected. I also wish to iterate that we will learn from this attack and come back stronger, and more robust. We are bringing forward a key DNS infrastructure enhancement program that will see us massively expand the size of our DNS infrastructure and our ability to absorb and fend off attacks like these. We remain firmly committed to delivering the absolute best service possible to our loyal customers. Richard Kirkendall CEO Source: http://techcrunch.com/2014/02/20/namecheap-ddos/

More:
Namecheap Is In The Middle Of A DDoS Attack

MMO developer offering $14,000 reward for DDoS attack info

If you know a little thing or two about MMOs and a little more about DDOS attacks, you might be able to net yourself a near $15,000 bounty. Wurm Online, the MMO from Minecraft creator Markus Persson (no longer involved) and childhood friend Ralf Jansson, was hit by a DDOS attack yesterday and at the time of writing, it still remains down. Nobody so far has owned up to the attack, which was launched soon after a recent update. Presumably from the relative obscurity of the game, the DDOSer is a player, but there’s very little information on who they are or why they might have done it. However, in an attempt to find out more and ultimately catch and convict those responsible, the studio behind it, Code Club, is now offering a reward: “Shortly after today’s update we were the target of a DDOS attack and our hosting provider had to pull us off the grid for now,” it said in the announcement. “We will be back as soon as possible but things are out of our hands since their other customers are affected. As we wrote in a previous news post we are planning on changing hosting anyways which should improve things for the future. We can offer 10 000 Euro for any tips or evidence leading to a conviction of the person responsible for this attack.” DDOS attacks against large games has become more common over the past few years, since it usually garners a lot of attention and understandably annoys a lot of gamers. However the purpose beyond attention getting is often unclear, since it rarely impacts anyone more than the players. So what about it guys? Anyone here think they could track down a DDOSer? Source: http://megagames.com/news/mmo-developer-offering-14000-reward-ddos-info

Continue Reading:
MMO developer offering $14,000 reward for DDoS attack info

Second Anonymous member sentenced for role in DDoS attack

The U.S. District Court, Eastern District of Wisconsin, has sentenced Jacob Wilkens to 24 months of probation and ordered him to pay $110,932.71 in restitution for his role in a distributed denial-of-service (DDoS) attack against Koch Industries. Wilkens pled guilty to intentionally causing damage to a protected computer by assisting other members of the hacktivist collective Anonymous in launching a DDoS attack on the servers of Angel Soft bathroom tissue, based in Green Bay, in February and March of 2011. The attacks against Koch Industries were said to have lasted three days and resulted in several hundred-thousand dollars in losses. For his role in the same attack, Christopher Sudlik was ordered earlier this month to pay the same in restitution, as well as being sentenced to 36 months of probation and 60 hours of community service. Source: http://www.scmagazine.com/second-anonymous-member-sentenced-for-role-in-ddos-attack/article/334490/

More:
Second Anonymous member sentenced for role in DDoS attack