Tag Archives: development

Hacktivist Warns World Cup Sponsors Anonymous DDoS Attack is Coming

Che Commodore claims groups have already tested which are the most vulnerable sites. A hacktivist claiming to be affiliated with infamous online collective Anonymous has said the group is planning to DDoS various high profile sponsors of the forthcoming FIFA World Cup this month. The hacker, who goes under the name “Che Commodore”, told Reuters in a Skype interview from Brazil that Anonymous had already begun planning the campaign, designed to protest the vast sums of money being thrown at the event when the country still suffers severe social inequality. “We have already conducted late-night tests to see which of the sites are more vulnerable,” he said. “We have a plan of attack.” The targeted firms on the Anonymous shortlist apparently include Budweiser, Adidas, Emirates and Coca-Cola – all major sponsors of the tournament, the biggest single-event sporting competition in the world. If it goes ahead, the DDoS campaign will be the second major attack by Anonymous in the region in recent days. Another hacktivist, known as AnonManifest, used a phishing attack to penetrate the Foreign Ministry’s network last week and exfiltrate over 300 confidential documents which were later posted online, the report claimed. The ministry’s email system was apparently taken down as a result and 3,000 account holders told to change their passwords. Civil unrest directed mainly at the Brazilian government has marred the build-up to a World Cup which has already cost £9 billion – money they think would be better spent on improving things like social welfare and public services. In June 2013, over one million people took to the streets of more than 100 cities in violent protests against the spiralling costs of the tournament. David Howorth, VP at Alert Logic, said that the threat of attack during a major tournament like the World Cup is heightened due to the global exposure it gives hacktivists. He urged high profile sponsors to work with their network vendors to plan a DDoS prevention strategy; ensure all apps are up-to-date and patched; and that firewall, IDS and web application firewalls are configured correctly. “Make sure you have expertise that can monitor, correlate and analyse the security threats to your network and applications across your on-premise and cloud infrastructure 24×7 for continuous protection – this should be done now as the hackers are already testing the vulnerabilities in the infrastructure in preparation of their attacks,” he added. “Finally, remember that hackers are creative – don’t just focus on one attack vector as the attacker will try multiple ways to cause damage.” Source: http://www.infosecurity-magazine.com/view/38657/hacktivist-warns-world-cup-sponsors-anonymous-ddos-attack-is-coming/

More:
Hacktivist Warns World Cup Sponsors Anonymous DDoS Attack is Coming

WildStar early access period derailed by DDoS attacks

WildStar was set to launch for early buyers an hour ago, giving those folks a chance to jump into the game’s world days before everyone else. Unfortunately for those players (including our own Giant Robots In Disguise guild), WildStar is experiencing server issues and the developers are pointing the finger at a DDoS attack. WildStar executive producer Jeremy Gaffney posted on Reddit, “I’ve heard from a few folks it’s a confirmed DDOS attack (real time updates, may change, fog of war, etc.). Partially handled. Servers taking in some players now, player counts rising. Ninjitsu continues.” The best suggestion for now is to keep hammering away. The early bird period lasts all the way up to WildStar’s official release on June 3. Source: http://www.shacknews.com/article/84738/wildstar-early-access-period-derailed-by-ddos-attacks

Read the article:
WildStar early access period derailed by DDoS attacks

Repeat attacks hit two thirds of DDoS victims

Empirical research just published suggests that, whilst overall DDoS attack volumes are increasing steadily, new attack vectors are also constantly being used by cybercriminals. The analysis – entitled `NSFOCUS DDoS Threat Report 2013? – is based on more than 244,000 real-life distributed denial of service attacks observed at Tier 1 or Tier 2 ISPs by the research firm during the year. Researchers found that 79.8 percent of all attacks were 50 Mbps or less. In addition, although large size attacks get the most media attention, only 0.63 percent of all attack incidents were logged at 4 Gbps or more. Perhaps most interestingly of all is that more than 90 percent of the observed attacks lasted 30 minutes or less – and that 63.6 per cent of all targeted victims are attacked more than once. This figure is in line with earlier figures from Neustar whose second annual report, entitled `DDoS Attacks & Impact Report – 2014: The Danger Deepens’ – suggested that once attacked, there is an estimated 69 percent chance of a repeat attack. Delving into the report reveals that HTTP_FLOOD, TCP_FLOOD and DNS_FLOOD are the top three attack types – contributing to more than 87 percent of all attacks. DNS_FLOOD attacks, however, significantly increased from 13.1 percent during the first half of the 2013 to 50.1 percent in the second half. So why the short duration attacks? The report suggests that, after analysing almost a quarter million DDoS incidents, a clear trend emerges, namely that that majority of DDoS attacks seen were short in duration, small in total attack size, and frequently repeating against the same target. “These short and frequently repeating attacks often serve two purposes: First, to scout their victims’ defence capabilities before more tailored assaults are launched, and second, to act as smokescreens or decoys for other exploitation,” says the report. The analysis adds that that many companies are using a combination of traditional counter-measures like scripts, tools and access control lists (ACLs) to handle network layer attacks – as well as on-premise DDoS mitigation systems for more prompt and effective mitigation against hybrid attacks (defined as a combination of network-layer and application-layer attacks). The most interesting takeout from the report, SCMagazineUK.com notes, is that the `old guard’ attack vectors – including the use of SNMP – remain an evolving constant. According to Sean Power, security operations manager with DOSarrest, amplification attacks – such as SNMP – are not really that new. “Legitimate SNMP traffic has no need to leave your network and should be prevented from doing so. This attack exists because many organisations fail to prevent this,” he explained. Power went on to say that the effectiveness of the attack stems from the fact that any Web site can be targeted and requires very little effort to produce excessive traffic, since it relies on third party unsecured networks to do most of the heavy lifting for the attack. “Blocking these attacks is best done via your edge devices as far removed from the targets as possible,” he said, adding that if the attack is large enough that it is overwhelming your edge devices, then you need to look at cloud-based technology for cleaning the traffic. Also commenting on the report, Tom Cross, director of security research for Lancope, said that many people who launch attacks on the Internet do so using toolkits that make the process of launching attacks as easy as installing a software application and running it. “DDoS attacks have become increasingly popular, there are many ways to launch them and lots of different tools circulating that launch attacks in different ways. As a consequence, anyone providing service on the Internet should be prepared for volumetric traffic floods involving any kind of Internet traffic,” he explained. Cross says that it is also important that people do not allow their networks to serve as reflectors that attackers can use to amplify their denial of service attacks. “To that end, DNS, SNMP, NTP, and Voice over IP services in particular should be checked to make sure that they cannot be used by an anonymous third party as a reflector. Locking down these services is part of being a good citizen of the Internet,” he said. Source: http://www.scmagazineuk.com/repeat-attacks-hit-two-thirds-of-ddos-victims/article/348960/

More:
Repeat attacks hit two thirds of DDoS victims

HOSTING Partners With DOSarrest Internet Security to Offer DDoS Protection Services

DOSarrest Internet Security, an industry leading DDoS protection provider, has announced a partnership agreement to offer its full suite of DDoS products to HOSTING, the leading cloud service provider in the market today. Products include DDoS protection for client websites, Layer 7 cloud based Load balancing, WAF, vulnerability testing and optimization as well as DEMS, D OSarrest E xternal M onitoring S ervice. “We are excited to add HOSTING to our growing list of service provider partners. DDoS protection has become a necessity to ensure a customer has a stable website environment and more clients are beginning to realize this and are requesting this protection service from their hosting provider,” said Brian Mohammed, DOSarrest Director of Sales and Marketing. “It’s a fact of modern business that organizations must deploy comprehensive, multilayered security to best protect themselves from DDoS attacks,” said Bill Santos, President of HOSTING’s Advanced Solutions. “DOSarrest’s DDoS protection products offer the sophistication, reliability and service that HOSTING customers have come to rely upon, and we are eager to introduce their offerings.” “A single DDoS attack puts a heavy strain on Network Operations Center resources, often for hours,” said Jag Bains, CTO of DOSarrest Internet Security., “This partnership helps to alleviate the strain on HOSTING’s support team, who can remain focused on providing the highest level of support and monitoring for their customers.” About HOSTING: HOSTING helps organizations design, build, migrate, manage and protect their cloud-based environments. Leveraging enterprise-class networking and connectivity technologies, HOSTING provides the highest levels of compliance, availability, recovery, security and performance. HOSTING owns and operates six geographically dispersed data centers under an ITIL-based control environment validated for compliance against HIPAA, PCI DSS and SOC (formerly SAS 70) frameworks. HOSTING’s cloud-enabled solutions were recently recognized by Gartner Group, placing in the Top 10 in the Managed Hosting Magic Quadrant in both “ability to execute” and “completeness of vision” – in both 2012 and 2013. More information at www.hosting.com About DOSarrest Internet Security: DOSarrest founded in 2007 in Vancouver, BC, Canada is one of only a couple of companies worldwide to specialize in only cloud based DDoS protection services. Their global client base includes mission critical ecommerce websites in a wide range of business segments including financial, health, media, education and government. Other cloud based services include, Load balancing, WAF, External Website monitoring and Vulnerability Testing. More information at www.DOSarrest.com Source: http://www.marketwired.com/press-release/-1915044.htm

See the original article here:
HOSTING Partners With DOSarrest Internet Security to Offer DDoS Protection Services

DDoS attacks using SNMP amplification on the rise

Attackers are increasingly abusing devices configured to publicly respond to SNMP (Simple Network Management Protocol) requests over the Internet to amplify distributed denial-of-service attacks. This amplification technique, which is also known as reflection, can theoretically work with any protocol that is vulnerable to IP (Internet Protocol) address spoofing and can generate large responses to significantly smaller queries. Attackers can craft requests that appear to originate from the IP address of their intended victim in order to trick servers that accept requests over such protocols from the Internet to flood the victim with data. Many DDoS attacks in the past year have used misconfigured DNS (Domain Name System) and NTP (Network Time Protocol) servers for amplification. However, devices that support SNMP, a protocol designed to allow the monitoring of network-attached devices by querying information about their configuration, can also be abused if the SNMP service is directly exposed to the Internet. SNMP-enabled devices with such configurations can be found both in home and business environments and include printers, switches, firewalls and routers. Since April 11, the Prolexic Security Engineering Response Team (PLXsert), which is now part of Akamai Technologies, has identified 14 separate DDoS campaigns that used SNMP reflection. Almost half of the malicious SNMP reflected traffic came from IP addresses in the U.S. and 18 percent from China, PLXsert said in a threat advisory published Thursday. “The attacks targeted clients in the following industry verticals: consumer goods, gaming, hosting, non-profits and software-as-a-service (SaaS).” One of the tools used to launch the recent attacks was created in 2011 by a hacker group called Team Poison and can send spoofed SNMP GetBulk requests to publicly accessible SNMP-enabled devices to trigger responses that can be more than 1,700 times larger than the requests, the Prolexic team said. The attackers crafted their requests to have a source port of 80—usually assigned to HTTP—so that vulnerable devices return their SNMP responses to the victims on the same port, flooding their HTTP services. “Until approximately three years ago, SNMP devices were manufactured using SNMP version 2 and were commonly delivered with the SNMP protocol openly accessible to the public by default,” PLXsert said. “Devices using SNMP v3 are more secure. To stop these older devices from participating in attacks, network administrators need to check for the presence of this protocol and turn off public access.” Information over SNMP is controlled by a so-called community string, which in the case of SNMP v2c is “public” by default, PLXsert said. SNMP amplification attacks are not really new, said Sean Power, security operations manager at DDoS protection vendor DOSarrest Internet Security, Friday via email. “Legitimate SNMP traffic has no need to leave your network and should be prevented from doing so. This attack exists because many organizations fail to prevent this.” It’s important for network owners to lock down services that can be used for DDoS reflection and amplification like DNS, SNMP, NTP and voice over IP. This “is part of being a good citizen of the Internet,” said Tom Cross, director of security research for network security and performance monitoring vendor Lancope, via email. Source: http://www.pcworld.com/article/2159060/ddos-attacks-using-snmp-amplification-on-the-rise.html

View original post here:
DDoS attacks using SNMP amplification on the rise

SNMP DDoS Attacks Spike

No botnet necessary: Yet another flavor of distributed denial-of-service (DDoS) attacks that doesn’t require infecting PCs is on the rise. Akamai’s Prolexic Security Engineering and Response Team (PLXsert) today issued a threat advisory warning of a spike in DDoS attacks abusing the Simple Network Management Protocol (SNMP) interface in network devices such as routers, switches, firewalls, and printers. PLXsert has spotted 14 SNMP DDoS attack campaigns over the past month, targeting various industries including consumer products, gaming, hosting, nonprofits, and software-as-a-service, mainly in the US (49.9%) and China (18.49%). The attackers used a tool that’s available online and was developed by the infamous hacker group Team Poison. This latest wave of attacks targets devices running an older version of SNMP, version 2, which by default is open to the public Internet unless that feature is manually disabled. SNMP version 3 is a more secure version of the management protocol, which is used to store device information such as IP address or even the type of toner used on a printer. “Through the use of GetBulk requests against SNMP v2, malicious actors can cause a large number of networked devices to send their stored data all at once to a target in an attempt to overwhelm the resources of the target,” PLXsert says in the advisory. “This kind of DDoS attack, called a distributed reflection and amplification (DrDoS) attack, allows attackers to use a relatively small amount of their own resources to create a massive amount of malicious traffic.” The attacks are using the Team Poison-built tool to automate the “GetBulk” requests. They then use the IP address of the organization they are targeting as the spoofed source of the requests. The attacker then sets off a bulk request for SNMP devices. “These actions will lead to a flood of SNMP GetResponse data sent from the reflectors to the target. The target will see this inflow of data as coming from the victim devices queried by the attacker,” the advisory says, and the attacker’s actual IP address is hidden. David Fernandez, director of the PLXsert team, says this reflection technique, as with NTP reflection attacks, is popular because it’s a way to maximize connections without a botnet, and it’s cheaper to perform. “They can perform campaigns without infections,” Fernandez says. “Unfortunately, the attackers are victims,” such as the duped devices responding to the targeted organization’s network. “These are pretty massive attacks,” he says. “SNMP has a high amplification factor.” The attacks are more than mayhem: Increasingly, DDoS attacks such as these are being used as a smokescreen to divert from a real more deadly attack, he says. Fernandez declined to speculate on the motivation behind these specific attacks. “The use of specific types of protocol reflection attacks such as SNMP surge from time to time,” said Stuart Scholly, senior vice president and general manager of Akamai’s Security Business Unit, in a statement. “Newly available SNMP reflection tools have fueled these attacks.” Source: http://www.darkreading.com/attacks-breaches/snmp-ddos-attacks-spike/d/d-id/1269149

Read the original:
SNMP DDoS Attacks Spike

Australian Labor Party and the Bob Brown Foundation hit by DDoS attack

Inadvertent victims of “politically motivated” hack. A politically motivated DDoS attack on a US-based web hosting service has delivered global repercussions affecting a number of Australian websites including the homepages of the Australian Labor Party and the Bob Brown Foundation. Both organisations use the services of NationBuilder, a cloud-based web hosting and customer relationship management platform designed specifically for nonprofits, political parties and politicians. The ALP.org.au website was down for a few hours yesterday morning, its Canberra HQ confirmed. The Bob Brown Foundation site was also down yesterday and then again last night, said organiser Steven Chaffer, who had been contacted by a NationBuilder account rrepresentative. The state branches of the Labor Party also use NationBuilder, as does Victorian independent MP Cathy McGowan and the community services union United Voice. United Voice said it was not aware of any disturbance to its web presence. Yesterday NationBuilder was hit by a DDoS attack it believes to have been in protest against the political stance of one of its clients. “We are reasonably certain the attack is directed at one of our customers for their political beliefs, and is meant to disrupt upcoming elections,” wrote CEO Jim Gilliam on the NationBuilder website early this morning Australian time. He said the attack has caused “intermittent service outages” for the company’s clients but assured users that data and financial information was never exposed. “We know the impact is immeasurable and we are very, very sorry,” he said. “We are fiercely committed to serving all of our customers. Everyone has the right to organise – in fact, this is the very reason NationBuilder exists.” NationBuilder has not responded to iTnews’ requests to confirm the identity of the targeted client. However posts on the Anonymous hackers forum and from the self-professed antagonist on Twitter claim that the attack is targeting the British political party UKIP, which is taking its anti-immigration policy platform to elections for the UK membership of the European Union next week. The party’s leader Nigel Farage has been a controversial figure, branded as a racist by the UK Labor party. UKIP has been the subject of DDoS attacks before, and its website was one of many down intermittently yesterday and into today. Australian clients told iTnews that their services have now resumed. Source: http://www.itnews.com.au/News/386077,alp-bob-brown-sites-downed-by-ddos.aspx?utm_source=feed&utm_medium=rss&utm_campaign=editors_picks

View the original here:
Australian Labor Party and the Bob Brown Foundation hit by DDoS attack

Dating Website Plenty Of Fish Hit By DDoS Attack

Add Plenty of Fish to the list of technology companies whose websites have come under DDoS attacks from unknown cybercriminals in recent days. The company says that it was the victim of a five-hour attack today that affected approximately 1 million users. Initially, the attacks took down the Plenty of Fish website, then later the company’s mobile apps on iPhone, iPad and Android. As per the usual M.O., the attacker first contacted the site to warn them of the impending DDoS at 6:45 AM PT, then the attack started at 8:13 AM PT where it continued for several hours, off and on. The company says it was only recently able to mitigate the flood, and is now fully up and running again. The attack was 40 Gigabits in size, which makes it larger than the attack which took Meetup.com offline for nearly five days last month – that attack was “only” 8 GBps, the company had said at the time. These DDoS attacks (distributed denial-of-service attacks) have become more powerful as of late, thanks to the way attackers are exploiting older internet protocols like Network Time Protocol, or NTP, to increase their size. That seems to be the case here, given the size of the attack that Plenty of Fish suffered. Other companies that have been attacked more recently include TypePad, Basecamp, Vimeo, Bit.ly, and as of this past weekend, marketing analytics software provider Moz, to name just a few. In Plenty of Fish’s case, the attacker demanded $2,000 to have them stop the attack. Want to know if your company is about to have a bad day? Look for an email like this: From: dalem leinda Date: Tue, May 20, 2014 at 12:09 PM Subject: Re: DDoS attack, warning If you feel ready to negotiate, I’m still here. For something around $2k, I will stop the current attack and I will not resume further attacks. The amount depends on how quickly you can make the payment. Source: http://techcrunch.com/2014/05/20/dating-website-plenty-of-fish-hit-by-ddos-attack/?ncid=rss

TypePad Claims It Was Hit By Another DDoS Attack

A number of technology companies, including Meetup, Basecamp, Vimeo, Bit.ly and others, have undergone website-crashing DDoS attacks (distributed denial-of-service) in recent months, but SAY Media-owned blogging platform Typepad, apparently, has the dubious honor of being taken down for an extended outage more than once in just a few weeks. The company has confirmed to us this morning that it is again undergoing another DDoS attack, which has taken its service offline. However, until all the facts are in and TypePad can provide more info about the nature of this attack, which right now it’s unable to do, it’s unclear at this time that this morning’s network outage is definitely a DDoS attack — the same as before. Because it’s still early in the investigation, it’s possible the company is presuming a DDoS attack, where only a network outage was at fault. We’ll update when we — and they — know more. However, when asked around an hour ago, TypePad did say that it was indeed “under a DDoS attack.” In April, we reported that Typepad was undergoing an extended DDoS attack, which, at the time, had been underway off and on for nearly five days. The company explained that the attack was similar in style to that which had taken down Basecamp, and confirmed that it was working with technology providers, including CloudFlare and Fastly to help mitigate the attack and bring its service back online. Though TypePad never shared extensive technical details about the DDoS attack, the typical scenario — and one that Basecamp had faced, as well — involves an initial demand for some sort of “ransom” once the site and its related services have been knocked offline. The amount first requested is usually small, but once attackers know they have a willing victim, they’ll often increase the amount. SAY Media said it had also received a “ransom” note, and was cooperating with the FBI on an investigation. According to Paul Devine, VP of Engineering at Say Media, this new Typepad attack began at 6:00 AM PT and the company is again working with CloudFlare and Fastly to mitigate the situation. “[We] don’t expect these attacks to have longevity,” he tells us. “We’re looking forward to having the sites up and running as quickly as we can.” As of a few minutes ago, the company tweeted that blogs were loading. However, at the same time, the URL http://www.typepad.com was still largely crashed when we tried it ourselves. That is, instead of loading up properly, CloudFlare is providing a snapshot of the site through its “Always Online” service, which helps sites offer a webpage instead of an error message when taken down through cyberattacks like this. The www.saymedia.com website address came up, however, though a bit slowly. (SAY Media operates a number of brands, including ReadWrite, xoJane, Fashionista, Cupcakes and Cashmere, and others.) The site loads but a “fatal error” message appears at the bottom of the page. Thanks to newer, more powerful types of DDoS attacks that have emerged as of late, attacks that once would have been thought to be record-breaking in size are now becoming routine. For instance, Meetup’s attack was 8 Gigabits in size, and it’s not uncommon for NTP-based DDoS attacks (which exploit an older protocol called Network Time Protocol) to be 10 Gigabits in size. However, one side effect of these attacks is that when a company later experiences a network outage, they sometimes immediately presume that they’re being attacked again. It can be difficult to tell the difference, especially in the early hours of these sorts of situations. We’ll be looking for TypePad to provide its customers with a longer post-mortem following this morning’s outage. Given multiple attacks over the course of several weeks, the company has a responsibility to let their customers know whether or not they’re being targeted by criminals, or if unrelated network outages came into play this morning instead. Source: http://techcrunch.com/2014/05/19/typepad-claims-it-was-hit-by-another-ddos-attack/?ncid=rss

Continued here:
TypePad Claims It Was Hit By Another DDoS Attack

SNMP could be the future for DDoS attacks

DNS amplification and NTP reflection are two big buzz-terms in the modern world of distributed denial-of-service (DDoS) attacks, but when successful defensive measures force those wells to run dry, a lesser-used reflection attack vector, known as Simple Network Management Protocol (SNMP), could take the forefront. Johannes Ullrich, dean of research with the SANS Technology Institute, told SCMagazine.com in a Monday email correspondence that SNMP, a UDP-based protocol used to read and set the configurations of network devices, hasn’t posed as big a threat as DNS and NTP attacks because there are not as many reflectors available as there are for other protocols. Ullrich said that most network-connected devices support SNMP in some form and, in a Thursday post, opined that it could be the next go-to vector for attackers after he observed a DDoS reflection attack taking advantage of an unnamed video conferencing system that was exposing SNMP. In this instance, the attacker spoofed a SNMP request to appear to originate from 117.27.239.158, Ullrich said, explaining that the video conferencing system receives the request and then replies back to the IP address with a significant reply. An 87 byte “getBulkRequest” resulted in a return of 60,000 bytes of fragmented data, Ullrich wrote in the post, adding that the individual reporting the attack observed roughly five megabits per second of traffic. “The requests are pretty short, asking for a particular item, and the replies can be very large,” Ullrich said. “For example, SNMP can be used to query a switch for a list of all the devices connected to it. SNMP provides replies that can be larger than DNS or NTP replies.” As people improve configurations, effectively causing those DNS and NTP reflectors to dry up, SNMP could be the attack vector of choice, Ullrich said – a point that John Graham-Cumming, a programmer with CloudFlare, agreed with in a Monday email correspondence with SCMagazine.com. “I think that attackers will turn to SNMP once other attack methods are thwarted,” Graham-Cumming said. “At the moment it’s easy to use NTP and DNS for attacks, so there’s no need for SNMP.” To get a jumpstart defending against this DDoS vector, Graham-Cumming suggested that network operators limit access to the SNMP devices on their networks. Ullrich went so far as to say that SNMP devices should not be exposed to the internet at all. Both experts added that the “community string,” which serves as a password for accepting requests, should not be so obvious. Source: http://www.scmagazine.com/snmp-could-be-the-future-for-ddos-attacks/article/346799/

Link:
SNMP could be the future for DDoS attacks