Tag Archives: dos attacks

Network of city websites CitySites under DDoS Attack

On February 15, about ten websites of the cities that are in the same network CitySites, were under a DDoS-attack. The ones to suffer most from the attack were the websites of Kharkiv (057.ua), Zaporizhzhya (061.ua), and Mykolaiv (0512.com.ua). Also, the websites of Artemivsk, Luhansk, and Sumy were affected. According to the network’s tech support, the attacks are random as if the hackers were feeling out the websites’ defense. The websites of Donetsk, 62.ua, and Mariupol, 0629.com.ua, are beyond the hackers’ reach. Source: http://imi.org.ua/en/news/47756-network-of-city-websites-citysites-under-ddos-attack.html


The growing threat of DDoS attacks on DNS

Current security solutions are proving inadequate in combating DNS attacks.

Since 2012, the number of infrastructure attacks on the domain name system (DNS) has increased by over 200%. Yet despite this rise, many businesses still aren’t doing enough to secure a critical component of their IT infrastructure. A 2014 survey on IT infrastructure security found that more than a quarter of companies had not established formal responsibility for DNS security. The reaction of both the media and consumers to the high-profile attacks witnessed in 2014, such as those on Target and JP Morgan, has shown companies will not be easily forgiven when a hack occurs – especially if certain security measures could have prevented the attack. With the ever-increasing rise in distributed denial of service (DDoS) attacks on DNS, companies not taking measures to secure their DNS will appear negligent. DNS is easy to exploit, and organisations need to understand that they have little choice but to work around its weaknesses. In its 2014 Annual Security Report, Cisco found that all the corporate networks examined showed evidence of having been compromised: 96% showed traffic to hijacked servers and 92% revealed traffic to sites without any content, typically a sign of malware hosting. It is clear that DNS-based DDoS attacks are not only a growing threat, but also one that’s being overlooked. DNS security should be considered a priority given these increasing risks. Knowledge is key, and businesses need to understand how these attacks work if they want to protect themselves.

Understanding DDoS attacks

It’s surprisingly, and worryingly, simple to generate a DDoS attack using an organisation’s DNS infrastructure. Hackers hijack the system to send queries to name servers across the Internet from a spoofed IP address belonging to their target (this is as simple and effective as writing someone else’s return address on a postcard). The name servers then, in turn, send back responses to that address. If these responses were around the same size as the queries themselves, this wouldn’t in itself be enough to wreak the desired havoc on the target. To inflict the maximum damage, the query needs to be amplified so it returns the largest possible response. And this has become much simpler since the adoption of DNS security extensions (DNSSEC). Following the introduction of the set of extensions known as EDNS0 in 1999, UDP-based DNS messages (DNS messages carried over the User Datagram Protocol) have been able to carry greater amounts of data. Whilst most queries are under 100 bytes, the responses can be significantly larger, anywhere up to 4,096 bytes. Responses of this size were once a rare occurrence in the internet’s namespace, but the digital signatures and cryptographic keys that DNSSEC stores in the namespace are now commonplace and massive. To see the extent to which these amplified responses can be used as an effective DDoS attack, consider a query of just 44 bytes. This single query, if sent from a spoofed IP address to a domain containing DNSSEC records, could generate a response of over 4,000 bytes. Using a botnet of thousands of computers, and recruiting 10 fellow comrades, could deliver 1Gbps of replies to incapacitate the target. Thankfully most name servers can be modified to recognise when they’re being repeatedly queried for the same information from the same IP address. However, it’s a different story for open recursive servers, of which there are estimated to be 33 million around the world. These will continually accept the same query from the same spoofed IP address, each time sending back the large DNSSEC responses described above.

Knowledge is the key

Of all the steps that companies can take to protect themselves from such attacks, the first and probably the most important is learning to recognise just when a DDoS attack is taking place. Many organisations don’t know what their query load is, let alone when they’re under attack. With the statistics support built into the DNS software BIND, administrators are able to analyse their data for socket errors, query rates, and other attack indicators. Whilst it may not be clear exactly what the attack looks like, by monitoring the DNS statistics it is possible to get an understanding of what the trends are, so anomalies can be more easily identified. It’s also important to scrutinise an organisation’s internet-facing infrastructure for single points of failure. This should cover not only the external authoritative name servers, but also the firewalls, switch and router interactions, and connections to the Internet. Once these vulnerabilities have been identified, the question is whether they can be cost-effectively and easily eliminated. Also, wherever possible, external authoritative name servers should be broadly geographically distributed. This will not only help avoid single points of failure, but will also improve the response time performance for the closest customers. Another easy step is overprovisioning existing infrastructure, which is both inexpensive and easy to trial prior to an attack. This helps absorb the massive number of responses resulting from a DDoS attack, but it has the consequence of potentially making you a better ‘amplifier’ for attacks on a third party. Therefore an approach that enables your DNS servers to continue to serve legitimate traffic whilst identifying and intelligently limiting rogue traffic may be a better approach. The ever-increasing threat posed to DNS means that priority must be given to learning about and implementing preventative measures to mitigate the threat.
Understanding how DDoS attacks exploit DNS servers is the first step to reducing an organisation’s threat level. Formally assigning responsibility for DNS security and taking steps to understand typical query loads are both relatively simple tasks that will help reduce exposure to DNS attacks. With attacks on DNS increasing at an alarming rate, businesses that fail to act will be vulnerable. Source: http://www.information-age.com/technology/security/123459033/growing-threat-ddos-attacks-dns
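The repeated-identical-query pattern the article describes, and the check that lets a name server recognise it, as an added example (not code from the article or from BIND): the log lines are constructed to resemble BIND's query log format, and the per-second threshold is an assumption rather than a BIND default.

```python
"""Spot the repeated identical queries that a DNS reflection attack produces.

Added example for this page, not code from the article or from BIND. The log
lines are constructed to resemble BIND's query log; the per-second threshold
is an assumption.
"""
import re
from collections import Counter
from datetime import datetime

# Shape of the constructed lines:
# "<dd-Mon-yyyy> <hh:mm:ss.mmm> client <ip>#<port> (<qname>): query: <qname> IN <qtype> <flags> (<server>)"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ client (?P<client>[\d.]+)#\d+ "
    r"\([^)]*\): query: (?P<qname>\S+) IN (?P<qtype>\S+) "
)


def parse_query_line(line):
    """Return (timestamp, client, qname, qtype), or None for a non-matching line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S")
    return ts, m.group("client"), m.group("qname").lower(), m.group("qtype").upper()


def find_reflection_candidates(lines, max_identical_per_second=10):
    """Count identical (client, qname, qtype) queries per one-second bucket and
    return the buckets above the threshold, largest first.

    In a reflection attack the 'client' address is the spoofed victim, so the
    right reaction is to rate-limit responses to that address (what BIND's
    response rate limiting does), not to treat the address as the attacker.
    """
    counts = Counter()
    for line in lines:
        parsed = parse_query_line(line)
        if parsed is None:
            continue
        ts, client, qname, qtype = parsed
        counts[(client, qname, qtype, ts.strftime("%H:%M:%S"))] += 1
    flagged = [(key, n) for key, n in counts.items() if n > max_identical_per_second]
    return sorted(flagged, key=lambda kv: kv[1], reverse=True)


def amplification_factor(query_bytes, response_bytes):
    """Bytes delivered to the victim per byte the attacker sends; the article's
    44-byte query and ~4,096-byte DNSSEC response give a factor of about 93."""
    return response_bytes / query_bytes


def build_sample_log():
    """Constructed log: 40 identical ANY queries 'from' one address within the
    same second (the reflection pattern) mixed with a few ordinary lookups."""
    attack = [
        "15-Feb-2015 10:00:00.%03d client 198.51.100.7#%d (example.com): query: "
        "example.com IN ANY +E (192.0.2.53)" % (i * 20, 40000 + i)
        for i in range(40)
    ]
    normal = [
        "15-Feb-2015 10:00:00.050 client 203.0.113.9#51000 (www.example.com): query: www.example.com IN A +E (192.0.2.53)",
        "15-Feb-2015 10:00:00.700 client 203.0.113.9#51001 (mail.example.com): query: mail.example.com IN MX + (192.0.2.53)",
        "15-Feb-2015 10:00:01.010 client 198.51.100.7#40999 (example.com): query: example.com IN ANY +E (192.0.2.53)",
        "this line is not a query log entry",
    ]
    return attack + normal


if __name__ == "__main__":
    for (client, qname, qtype, second), n in find_reflection_candidates(build_sample_log()):
        print(f"{second} {client} asked {qname}/{qtype} {n} times; at 44 B in / 4096 B out "
              f"each answer is x{amplification_factor(44, 4096):.0f} the query")
```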


Dutch government says DDoS attack took down websites for hours

Cyber attackers crippled the Dutch government’s main websites for most of Tuesday and back-up plans proved ineffective, exposing the vulnerability of critical infrastructure at a time of heightened concern about online security. The outage at 0900 GMT (0400 ET) lasted more than seven hours and on Wednesday the government confirmed it was a cyber attack. The United States has beefed up cybersecurity laws and created an intelligence-gathering unit to coordinate analysis of cyber threats after attacks against Sony Pictures and Home Depot. The outage affected most of the central government’s major websites, which provide information to the public and the media, but phones and emergency communication channels remained online. Other websites, including GeenStijl.nl, a popular portal which mocks politicians and religions, were also hit by the “distributed denial of service” (DDoS) attack, said Rimbert Kloosterman, an official at Government Information Service, which runs the websites. “Our people are investigating the attack together with the people from the National Centre for Cyber Security,” he said. The complexity and size of the government’s many websites had rendered the back-up useless, he said. Prolocation, the website host, said the attack had been a “complex” problem and that its phone lines had also gone down. “The initial symptoms pointed first to a technical problem, but it then emerged we were facing an attack from the outside,” the company said in a statement. But one computer security expert doubted that a DDoS attack, in which systems are overloaded with a flood of requests from hijacked computers, could have been hard to identify. “If you face a DDoS, you know it,” Delft Technical University cyber security specialist, Christian Doerr, said. Such attacks were hard to guard against and the software for such an attack could be bought illegally for as little as $25. “Even a 16-year-old with some pocket money can attack a website,” he said. 
Source: http://www.reuters.com/article/2015/02/11/us-netherlands-government-websites-idUSKBN0LF0N320150211


Anonymous-linked hacker admits to DDoS of public services

Merseyside resident disrupted more than 300 sites with bogus traffic.

A hacker with links to Anonymous has admitted conducting distributed-denial-of-service (DDoS) attacks against social services, crime prevention bodies and businesses. Ian Sullivan, a 51-year-old from Bootle in Merseyside, flooded more than 300 websites with bogus traffic in 2013, rendering them unusable for legitimate visitors, though the police said no data was stolen. Steven Pye, senior operations manager at the National Crime Agency’s (NCA) cybercrime unit, said: “Many DDoS attacks are little more than a temporary inconvenience, but in this case Sullivan’s actions are likely to have deprived vulnerable people of access to important information, ranging from where to get support on family breakup, to reporting crime anonymously.” “This multi-agency operation illustrates the commitment of the NCA and its partners to pursuing people who think they can criminally disrupt important public services or legitimate businesses.” Sullivan was arrested on July 29, 2013 by the Police Central e-Crime Unit after the DDoS attacks were referenced by a Twitter account. Investigators found software on his computer capable of taking websites offline, as well as documents linking him to other campaigns run by hacking collective Anonymous. He will be sentenced at Liverpool Crown Court on May 1. Source: http://www.cbronline.com/news/security/anonymous-linked-hacker-admits-to-ddos-of-public-services-4507312


Massive DDoS Brute-Force Campaign Targets Linux Rootkits

A brute force campaign looking to set up a distributed denial of service (DDoS) botnet using a rare Linux rootkit malware has been launched, emanating from the servers of a Hong Kong-based company called Hee Thai Limited. The malware, known as XOR.DDoS, was first spotted in September by security research firm Malware Must Die. But security firm FireEye says that new variants have been making their way into the wild, as recently as Jan. 20. XOR.DDoS is installed on targeted systems via SSH (Secure Shell) brute-force attacks that target both servers and network devices. These are being carried out using complex attack scripts to serve the malware through a sophisticated distribution scheme that allows the attackers to compile and deliver tailored rootkits on demand, to infect x86 and mobile ARM systems alike. Once infected, the hosts are enlisted to launch DDoS attacks. “While typical DDoS bots are straightforward in operation and often programmed in a high-level script such as PHP or Perl, the XOR.DDoS family is programmed in C/C++ and incorporates multiple persistence mechanisms including a rare Linux rootkit,” FireEye researchers noted in an analysis. What’s notable about the Hee Thai attack is the sheer scale of the operation. Within 24 hours of first sighting back in November, FireEye had observed well over 20,000 SSH login attempts per server. By the end of January, each server had seen nearly 1 million login attempts. During this time period, traffic from 103.41.124.0/24 accounted for 63% of all observed port 22 traffic. “Someone with a lot of bandwidth and resources really wanted to get into our servers,” a FireEye researcher noted. They also said that the campaign has been evolving. At the beginning, each IP address would attempt more than 20,000 passwords before moving on. It then dropped to attempting a few thousand passwords before cycling to the next, and repeat attacks also began to occur.
Now, a new stage of the Hee Thai campaign is more chaotic than the previous two. “The attacks now occur en masse and at random, frequently with multiple IPs simultaneously targeting the same server,” FireEye explained. The Hee Thai campaign also features an on-demand malware build system. Using a sophisticated set of build systems, the malware harvests kernel headers and version strings from victims to deliver customized malware that may be compiled on-demand to deliver XOR.DDoS to the target machine. This strategy makes hash signature-based detection systems ineffective for detecting XOR.DDoS. “Brute force attacks are one of the oldest types of attacks,” FireEye researchers said. “Due to its ubiquity, there are numerous solutions available for defending against them. However a great many systems are vulnerable. Even in enterprise settings, network devices and servers in forgotten branch offices could be exposed to this threat.” Source: http://www.infosecurity-magazine.com/news/massive-ddos-bruteforce-targets/
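Added example, not FireEye's tooling or code from the article: it aggregates constructed sshd "Failed password" lines per source IP and per /24 to surface the kind of concentration the article reports (one /24 producing 63% of port-22 traffic, individual addresses cycling through thousands of passwords). The thresholds and the sample addresses are assumptions.

```python
"""Aggregate sshd login failures per source and per /24 to surface an SSH
brute-force campaign of the kind described above.

Added example for this page, not FireEye's or anyone else's tooling. The
auth-log lines are constructed in the usual sshd 'Failed password' shape;
the thresholds are assumptions.
"""
import ipaddress
import re
from collections import Counter

FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse_failed_login(line):
    """Return (user, source_ip) for an sshd failed-password line, else None."""
    m = FAILED_RE.search(line)
    return (m.group("user"), m.group("ip")) if m else None


def summarise_failures(lines):
    """Count failures per source IP and per enclosing /24 network."""
    per_ip, per_net = Counter(), Counter()
    for line in lines:
        parsed = parse_failed_login(line)
        if parsed is None:
            continue
        _, ip = parsed
        per_ip[ip] += 1
        net = ipaddress.ip_network(f"{ip}/24", strict=False)
        per_net[str(net)] += 1
    return per_ip, per_net


def flag_campaign(lines, per_ip_limit=20, net_share=0.5):
    """Flag (a) source IPs with more than per_ip_limit failures and (b) any /24
    responsible for more than net_share of all failures, the concentration
    signal FireEye reported. Returns (noisy_ips, dominant_nets, total)."""
    per_ip, per_net = summarise_failures(lines)
    total = sum(per_ip.values())
    noisy_ips = sorted(ip for ip, n in per_ip.items() if n > per_ip_limit)
    dominant = sorted(net for net, n in per_net.items() if total and n / total > net_share)
    return noisy_ips, dominant, total


def build_sample_log():
    """Constructed log: 30 failures each from three hosts in one /24 (a scanner
    cycling passwords and usernames), plus a few scattered failures elsewhere
    and one successful key login that must not be counted."""
    lines = []
    for host in (11, 12, 13):
        for i in range(30):
            lines.append(
                f"Jan 20 03:14:{i:02d} bastion sshd[{2000 + i}]: Failed password for "
                f"{'root' if i % 2 else 'invalid user admin'} from 198.51.100.{host} "
                f"port {50000 + i} ssh2"
            )
    lines += [
        "Jan 20 03:15:01 bastion sshd[3001]: Failed password for alice from 203.0.113.4 port 61000 ssh2",
        "Jan 20 03:15:02 bastion sshd[3002]: Accepted publickey for alice from 203.0.113.4 port 61001 ssh2",
        "Jan 20 03:15:09 bastion sshd[3003]: Failed password for invalid user test from 192.0.2.77 port 42000 ssh2",
    ]
    return lines


if __name__ == "__main__":
    noisy, dominant, total = flag_campaign(build_sample_log())
    print(f"{total} failed logins; noisy sources: {noisy}; dominant /24s: {dominant}")
```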


Hackers ransoming encryption keys from website owners

Hackers are finding even more ways to harm website owners: in a new report from security firm High-Tech Bridge, hackers are switching encryption keys and then ransoming website owners for money. The attack—known as “RansomWeb”—manages to take the current encryption keys and swap them with non-working numbers. In order for the website owner to regain control, they are forced to pay the hackers. Encryption is the basis of modern internet security, but with this new hack it locks the website owner out and gives no way to get back in without having even more security latched on top. Even if the website owner sends payment over, there is no guarantee they will get the website back, or any guarantee that the attacker will not launch the same attack later. “We are probably facing a new emerging threat for websites that may outshine defacements and DDoS attacks,” Ilia Kolochenko, chief executive of High-Tech Bridge, said. “RansomWeb attacks may cause unrepairable damage, they are very easy to cause and pretty difficult to prevent.” These hackers wait for months until new patches of encryption keys are added, before locking out the website owner. This gives them full control over the website and allows them to implement old keys that are invalid. Kolochenko claims this is a change in hacker identity, moving from chaos to financial motives. He believes the next slew of hackers will always look for ransoms and lock owners out, instead of simply defacing a website. This was first seen in the Sony Pictures hack, when the apparent hackers sent ransom messages to Sony executives three days before taking the entire system offline. The ever-changing world of encryption makes it hard for security firms to properly defend customers, especially with this new RansomWeb attack. It may lead to firms like Google and Facebook offering security help for smaller sites, offering new encryption and security tools.
Source: http://www.itproportal.com/2015/02/03/hackers-ransoming-encryption-keys-website-owners/


Tidal waves of spoofed traffic: DDoS attacks

While massive retail breaches dominated headlines in 2014, with hacks involving state-sponsored threats coming in a strong second, distributed denial-of-service (DDoS) attacks continued to increase, both in the volume of malicious traffic generated and the size of the organizations falling victim. Recently, both the Sony PlayStation and Xbox Live gaming networks were taken down by Lizard Squad, a hacking group which is adding to the threat landscape by offering for sale a DDoS tool to launch attacks. The Sony and Xbox takedowns proved that no matter how large the entity and network, they can be knocked offline. Even organizations with the proper resources in place to combat these attacks can fall victim. But looking ahead, how large could these attacks become? According to the “Verisign Distributed Denial of Service Trends Report,” covering the third quarter of 2014, the media and entertainment industries were the most targeted during the quarter, and the average attack size was 40 percent larger than those in Q2. A majority of these insidious attacks target the application layer, something the industry should be prepared to see more of in 2015, says Matthew Prince, CEO of CloudFlare, a website performance firm that battled a massive DDoS attack on Spamhaus early last year. Of all the types of DDoS attacks, there’s only one Prince describes as the “nastiest.” And, according to the “DNS Security Survey,” commissioned by security firm Cloudmark, more than 75 percent of companies in the U.S. and U.K. experienced at least one DNS attack. Which specific attack leads that category? You guessed it. “What is by far the most evil of the attacks we’ve seen…[are] the rise of massive-scale DNS reflection attacks,” Prince said. By using a DNS infrastructure to attack someone else, these cyber assaults put pressure on DNS resolver networks, which many websites depend on when it comes to their upstream internet service providers (ISP).
Believing these attacks are assaults on their own network, many ISPs block sites in order to protect themselves, thus achieving the attacker’s goal, Prince said. By doing so “we effectively balkanize the internet.” As a result, more and more of the resolvers themselves will be provided by large organizations, like Google, OpenDNS or others, says Prince. Source: http://www.scmagazine.com/tidal-waves-of-spoofed-traffic-ddos-attacks/article/393059/


BitTorrent’s Project Maelstrom will host websites in torrents

When you enter a URL and hit enter, your computer reaches out to a server someplace in the world to access a website. Sometimes a site is stored on a few servers for redundancy or load balancing, but the model is functionally the same. BitTorrent, the company behind the popular file sharing protocol, is looking to change the way websites are hosted by keeping the data not on a centralized server, but on the home computers of users. These sites would be split up into pieces just like a file shared via a torrent. BitTorrent calls this system Project Maelstrom, and it’s getting very close to reality. Project Maelstrom is built on a modified version of Chromium, the open source project that backs Google’s Chrome browser. If we extend the file sharing analogy to Project Maelstrom, the modified browser is basically your torrent client. You enter a web address, and the browser connects to a “swarm” of users already accessing the site who have pieces of it ready to send over. These bits are assembled into the final product and displayed normally. If it works as intended, you won’t notice a difference in the functionality of these sites. The torrent browser is going to be able to access regular web pages via the internet, but it’s mainly for these so-called torrent web pages. One of the main advantages here will be scalability that surpasses anything we have today on traditional server infrastructure. When a site gets hit by a lot of traffic, a server has to devote more and more bandwidth to serving content, which can easily saturate the pipes. In the case of a distributed denial of service attack (DDoS), a website can be knocked offline for hours or days. A torrent web page should actually become more reliable as it is accessed more. More seeds means more speed and accessibility.   One notable drawback to Project Maelstrom would be the relative difficulty in keeping very new or unpopular sites online. 
When a new torrent web page is created, there is only one source for the data, probably with nowhere near the power of a dedicated web server. So the creator is the first seed, the next person to visit is the second seed, but the third person then has two sources to download from, then becoming the third seed. It’s just like a torrent — it can get stupid-fast when there are enough seeds. The decentralized nature of Project Maelstrom would also make it nearly impossible to take down a website as long as users kept seeding it. Seems like a perfect match for The Pirate Bay, right? This platform would present ethical issues, of course. What if a legitimately terrible or illegal site were hosted in Maelstrom? There might not be any way to take it down. This is something law enforcement already deals with on Tor, but Project Maelstrom has the potential to be much faster and easier to use. Still, BitTorrent thinks content providers will get on board with Maelstrom as a way to reduce costs. For example, if Netflix can detect when a user is connecting through a Maelstrom-enabled browser, it could save money by serving video content through a swarm of multiple users, rather than pushing separate streams out to everyone individually. It would be like a content delivery network on steroids. BitTorrent is going to find out if Maelstrom will be used for good or evil soon. A consumer version is expected this year.   Source: http://www.extremetech.com/internet/198578-bittorrents-project-maelstrom-will-host-websites-in-torrents


Latest Lizard Squad hack shows increasing strength of DDoS attacks

Bill Barry, executive vice president, Nexusguard, has prepared a comment in light of the recent Lizard Squad hack on Taylor Swift’s Twitter account: “The hack on Taylor Swift proves that the Lizard Squad has another string to its bow, having previously used DDoS attacks to bring down the Sony Playstation, Microsoft Xbox and Malaysian Airlines systems rather than infiltrating them. “It’s time for businesses and brands to realise the multi-faceted security threats presented by sophisticated cyber criminals. “The DDoS for hire space has become so lucrative that these mayhem-for-sport acts of hacking a celebrity Twitter account is a way to build brand recognition and raise awareness that anyone, anywhere could be the victim of cyber attacks. “This heightened market awareness becomes a dangerous marketing engine to allow anyone with a slight motive to launch their own attacks at intended targets. “Using this tactic has meant that in a short time over 14,000 customers have signed up to use the Lizardstresser DDoS tool. “The Lizard Squad has proved, if nothing else, that DDoS attacks are becoming more effective. The methods used by DDoS networks to locate vulnerabilities within security systems are more sophisticated and automated. “Leveraging zero-day and zero-plus vulnerabilities in unprotected networks means that they are able to recruit and add infected computers to their attack army at an ever-alarming rate. “This increased rate of botnet recruitment not only gives the attacker a flexible arsenal of attacks for causing mayhem, but increases the overall effectiveness and success rate of each attack. “Imagine the leverage a group such as The Lizard Squad could gain by bringing down a betting website on Grand National Day, for example. “The best way to guard against zero-plus attacks is to always be vigilant and proactively try to identify vulnerabilities and weaknesses in your system before the attackers do.
For an enterprise, this may mean compiling rules and guidelines on which online applications are approved for use, and implementing proactive monitoring at an application level to detect abnormalities as early as possible. “However, this is just the first layer of total protection – an effective defence requires in-depth, tailored implementation, not a one-size-fits-all mitigation solution. “With multi-vector attacks, all avenues of attack must be detected and mitigated. For example, sophisticated attackers like the Lizard Squad may be using a mixture of DDoS and hacking – no off-the-shelf product is likely to deal with such an approach effectively. “Best practice is to seek the guidance of a security specialist that can design and customise a solution specific to your business.” Source: http://www.itproportal.com/2015/01/30/latest-lizard-squad-hack-shows-increasing-strength-ddos-attacks/


Facebook downtime was due to server fault, not DDoS attack

Unless you were living under a rock or had something better to do than check Facebook every single minute, you would have realised that both Facebook and Instagram were down for many people. However, despite claims that it was due to a DDoS attack, Facebook has said that the outage was because of a server fault. “This was not the result of a third-party attack but instead occurred after we introduced a change that affected our configuration systems,” Facebook said in a statement to the ABC. “Both services are back to 100 per cent for everyone.” Other services that also suffered an outage were Tinder and HipChat – both are now accessible at the time of writing. While Tinder hasn’t confirmed what caused the outage, HipChat has suggested that it was a database error. Facebook’s explanation is different to what Lizard Squad, known for their high-profile DDoS attacks on PlayStation Network and Xbox Live, recently posted on Twitter. A post suggested that they did a DDoS attack to take Facebook down. Another news organisation has cast doubt on Facebook’s explanation, citing a screenshot of IP Viking as evidence. IP Viking is a website maintained by security company Norse and displays cyberattacks in real-time. However, that does not necessarily prove that Facebook was taken down by a DDoS attack. IP Viking only tracks cyberattacks on Norse’s own honeypot servers – which emulate vulnerable servers to gather intelligence on attackers, such as IP addresses. While Facebook might have data centres in a particular city, so do many other companies – like Norse. So, unless something drastic happens – like a massive data dump of personal information – to prove otherwise, the outage was just a system change gone wrong. Source: http://techgeek.com.au/2015/01/27/facebook-downtime-due-server-fault-not-ddos-attack/
