Tag Archives: dos attacks

Are DDoS Attacks Against Banks Over?

Distributed-denial-of-service attacks against U.S. banks have been dormant for nearly four weeks, leading security experts to question when and if a new phase of attacks might emerge. The hacktivist group Izz ad-Din al-Qassam Cyber Fighters , which since last September has taken credit for the hits against banks, claimed its attacks were in protest of a YouTube movie trailer deemed offensive to Muslims. But some observers have speculated that Iran was backing the DDoS strikes against banks as payback for cyber-espionage attacks, such as Stuxnet, Flame and Duqu, that have over the last three years affected Iranian computer systems. Rodney Joffe, senior technologist for online security provider Neustar Inc., says the current lull could be a sign that the attacks waged by the hacktivist group are over. “It’s a wild conjecture,” Joffe says. “But we may have seen the end of them.” Joffe says indirect activity linked to the al-Qassam Cyber Fighters’ botnet, known as Brobot, has continued. But there have been no direct attacks. And that lack of activity raises questions about whether al-Qassam will wage any more attacks, Joffe says. “The botnet is no bigger than it was,” he says. “We take [compromised] machines down and then new machines keep getting adding. I still have hope that the government will have some impact or effect, but don’t know one way or the other.” The Federal Bureau of Investigation in April warned that Brobot had been modified, “in an attempt to increase the effectiveness with which the [botnet’s] scripts evade detection.” The FBI said the actors behind Brobot were changing their attack methodology to circumvent mitigation efforts put forth by U.S. banking institutions The FBI also noted that as of April 10, 46 U.S. banking institutions had been targeted by more than 200 separate DDoS attacks of “various degrees of impact” since September. Financial fraud expert Avivah Litan , an analyst at Gartner, says intervention from federal authorities may have spurred al-Qassam to halt its attacks. But, like Joffe, she says there is no way to be sure. “I do know the banks were trying to get the White House to do something politically, and that could be what’s happened.” But other experts, such as Mike Smith of Web security provider Akamai Technologies, don’t think there’s been anything going on behind the scenes to keep the attacks from resuming. Different Attack Actors Other experts anticipate that another group could emerge to resume DDoS attacks against banks if Izz ad-Din al-Qassam Cyber Fighters ends its campaigns. “There has been a lull in the al-Qassam-like attacks,” says Scott Hammack , CEO of DDoS-mitigation provider Prolexic. “But I would definitely not misunderstand this lull as being an end to these types of attacks. The attacks will continue; it’s really just a question of when, not if.” The current break comes after a third phase of hacktivist attacks, which kicked off in March. The latest campaign ran eight weeks, the longest-running so far. The break from the third phase of attacks has lasted four weeks so far. By comparison the break between the first campaign , which began Sept. 18, and the second campaign , which kicked off Dec. 10, lasted six weeks. And the break between the second and third campaigns lasted five weeks. Hammack, like Smith, says Brobot, as well as other botnets, continue to grow. In fact, over Memorial Day weekend, Prolexic helped to mitigate a 167-gigabyte DNS-reflection attack, the largest attack recorded to date, Hammack says. “The attack traffic was global and required us to use all four of our cloud-based scrubbing centers,” he says. DNS-reflection was the attack method used in Operation Stophaus , an attack waged in March by The Spamhaus Project, a Geneva-based not-for-profit organization dedicated to fighting Internet spam. And while it’s not an extremely sophisticated type of attack, Hammack says these types of DDoS strikes are only going to become more prevalent. “There are plenty of countries where rogue elements will continue to exist,” he says. “You’re never going to overcome that. I think, if anything, people should be taking advantage of this down time to fortify their infrastructures.” The application-layer attacks al-Qassam Cyber Fighters favored in its last two campaigns have remained inactive, despite that the group appears to continue efforts to grow and strengthen its botnet. “The botnets are out there,” Hanmmack says. “We have between 15,000 and 100,000 compromised web servers out there that we know of. So the artillery is still out there to create these types of attacks. We just haven’t seen any of the web server attacks for the last 30 days.” Why Have Attacks Stopped So why have the hacktivists remained quiet for the last month? On May 6, al-Qassam Cyber Fighters claimed on the open forum Pastebin that its attacks would cease for just a week, out of respect for OperationUSA , a separate hacktivist movement organized by Anonymous that proved unsuccessful Many experts predicted the group’s attacks against banks would resume by May 14. But they didn’t. Some have speculated that international law enforcement could be close to nailing members of the al-Qassam team. But Hammack says drawing conclusions based on the ebbs and flows of DDoS attacks is dangerous because hacktivists attack in waves. “Certain attacks die down after certain periods,” he says. “That doesn’t mean, though, that the attacks are over.” Banking institution leaders say they’ve been advised by groups such as the Financial Services Information Sharing and Analysis Center not to lessen their DDoS mitigation efforts. Litan says banks are heeding that advice. “The banks have more vendors involved now,” she says. “I don’t think they’ll ever pull back. They have put a lot of systems in. They really can’t go back now, and they shouldn’t.” Source: http://www.bankinfosecurity.com/are-ddos-attacks-against-banks-over-a-5801/op-1

Possibly related DDoS attacks cause DNS hosting outages

Distributed denial-of-service (DDoS) attacks that could be related have in the past few days slammed the DNS servers of at least three providers of domain name management and DNS hosting services. DNSimple, easyDNS and TPP Wholesale all reported temporary DNS service outages and degradation on Monday, citing DDoS attacks as the reason. In some cases the attacks started a few days ago and are ongoing. TPP Wholesale, a subsidiary of Sydney-based Netregistry, one of Australia’s largest providers of Web hosting, domain management and other online services, alerted its customers through its website on Monday that eight of its DNS servers experienced “unscheduled service interruption.” TPP Wholesale experienced a series of DDoS attacks against its DNS name servers over the past several days, the Netregistry Group Security Team said in a blog post. The company managed to mitigate the DDoS attacks that caused service interruptions throughout Monday by taking “the drastic step” of rate-limiting DNS queries, the team said. Such aggressive filtering is prone to false positives and might result in some customers being denied DNS service. “In the next few days we will continue to whitelist such false positives as we discover them,” the team said. Second wave EasyDNS, a DNS hosting provider based in Toronto, also reported DNS service disruptions caused by a DDoS attack on Monday. “This looks like a larger version of a smaller DDoS yesterday which was possibly a test run,” the company’s CEO Mark Jeftovic said Monday in a blog post. “This DDoS attack is different from our previous ones in that it looks as if the target is us, easyDNS, not one of our clients.” Jeftovic said that it was difficult to differentiate the real traffic from the DDoS traffic, but the company managed to partially mitigate the attack and also published workarounds for affected customers. “This is the ‘nightmare scenario’ for DNS providers, because it is not against a specific domain which we can isolate and mitigate, but it’s against easyDNS itself and it is fairly well constructed,” he said. Third victim Aetrion, based in Malabar, Florida, operates a DNS hosting service called DNSimple, which was also attacked on Monday. According to DNSimple founder Anthony Eden, the DDoS attack is ongoing, but the company managed to mitigate it. “Our authoritative name servers were used as an amplifier for an attack against a third-party network,” Eden said Tuesday via email. “The attacker essentially flooded us with ‘ANY’ queries for a variety of domains managed by our DNS service, with the intention of amplifying these small queries into significantly larger responses aimed at a specific network.” This attack technique is known as DNS reflection or DNS amplification. It involves sending queries with a spoofed source IP (Internet Protocol) address—usually the victim’s address—to DNS servers from a large number of computers in order to trigger long responses to be sent by those servers to victim’s IP address within a short time window. If enough computers and DNS servers are used, the resulting rogue DNS traffic will exhaust the victim’s available Internet bandwidth. The DNS reflection technique has been known for a long time. However, its recent use to launch DDoS attacks of unprecedented scale, like the one in March that targeted a spam-fighting organization called Spamhaus, has likely brought it renewed interest from attackers. The attack experienced by DNSimple on Monday was significantly larger in volume and duration than other attacks that hit the company’s name servers in the past, Eden said. He believes that the attack is related to the ones experienced by easyDNS and TPP Wholesale. “The pattern displayed on TPP Wholesale’s blog is similar to what we see, and we have been communicating with easyDNS and find similarities between the attacks.” EasyDNS and TPP Wholesale did not immediately respond to inquiries seeking more information about the recent attacks against their servers and confirmation that they were using DNS reflection techniques. Attack and abuse reports on the increase It’s possible that DNS servers operated by other companies were also affected by this attack, Eden said. “A DNS provider will have a significantly higher number of customers and thus the attacks get noticed much sooner because it affects a larger group of people,” he said. DNSimple’s authoritative name servers were used to amplify a DDoS attack directed at a server hosting company called Sharktech or one of its customers, Eden said. Sharktech has noticed a surge of abuse reports in the past 24 hours coming from ISPs and hosting companies complaining about DDoS attacks against their DNS servers that appear to originate from Sharktech, said Tim Timrawi, president and CEO of Sharktech, via email. Upon further investigation the company determined that these reports were actually the result of a DNS amplification attack against its own customers that abused the authoritative DNS servers of those companies, he said. Most of the affected DNS servers were secured properly and were being queried for domains they are responsible for, Timrawi said. “Unlike previous DNS Amplification Attacks in which the attacker used open recursive DNS servers, in this one, the attacker is collecting all the DNS servers they can find and sending MX (and other kind of queries) to them for their domain records with a spoofed source of the target host,” he said. The amplified DDoS attack targeting Sharktech customers was larger than 40Gbps, Timrawi said. “We are unaware of the reason behind the attacks,” he said. The abuse of authoritative name servers in DNS reflection attacks is not very common because attackers need to know the exact domain names that each abused server is responsible for, said Carlos Morales, vice president of sales engineering and operations at DDoS mitigation provider Arbor Networks. Obtaining this information is not very hard, but it does require additional work compared to abusing open DNS resolvers, and attackers usually prefer the easiest route to reach their goals, he said. Open DNS resolvers are recursive DNS servers that are configured to accept queries from any computers on the Internet. These act as relays between users and authoritative DNS servers; they receive queries for any domain name, find the authoritative name server responsible for it and relay the information obtained from that server back to the user. Meanwhile, authoritative name servers, like those operated by DNSimple, easyDNS and TPP Wholesale, will only respond to queries concerning the domain names they serve. Well-prepared attackers The extra work required to target such servers suggests that the attackers behind the recent attacks on these DNS hosting providers were well prepared and did their homework in advance, Morales said. One mitigation against this kind of attack is to configure the DNS server software to force all “ANY” queries sent over UDP (User Datagram Protocol) to be resent over TCP (Transmission Control Protocol) instead, Eden said. This can be done by sending a UDP response with the TC bit set and an empty answer section. A legitimate DNS client will retry over TCP, while a bogus client will get no benefit, he said. In the case of open resolvers, the problem can be mitigated by restricting which IP addresses are allowed to query them, said Morales. For example, an ISP operating a DNS resolver for its customers can restrict its use to only IP addresses from its network, he said. However, this kind of mitigation is not applicable to authoritative name servers because they are meant to be queried by anyone on the Internet who wants to get information about the specific domain names served by them, Morales said. The mitigation described by Eden is very good and is actually one that Arbor also uses to protect authoritative name servers, he said. Another mitigation is to enforce a query rate limit for source IP addresses, he said. Source: http://www.pcworld.com/article/2040766/possibly-related-ddos-attacks-cause-dns-hosting-outages.html

View original post here:
Possibly related DDoS attacks cause DNS hosting outages

Turkish gov’t websites hacked by Anonymous

A group of computer hackers known as Anonymous carried out early on Monday a series of cyberattacks on Turkish government websites in retaliation for violent police response to anti-government protests. Several Anonymous messages in its Twitter blog provide links to the sites, including those of President Turkish President Abdullah Gul and Turkey’s ruling Justice and Development Party, that have been denied public access. Hackers normally use distributed denial of service (DDoS) attacks to knock their targets offline. Turkey’s Hürriyet Daily News reported on Monday that some Turkish media websites have also been targeted by Anonymous for “for failing to adequately cover the events.” The planned demolition of Gezi Park in central Istanbul sparked mass rallies in the city on Saturday, prompting police to use tear gas and water cannons to disperse the protesters. Violent clashes between protesters and police continued in Istanbul and the capital, Ankara, on Sunday. The rally in Istanbul triggered more than 230 separate protests in 67 cities across the country, according to Sky News. Turkey’s Interior Minister Muammer Guler said on Sunday that more than 1,700 people had been arrested in the unrest nationwide, adding that 58 civilians and 115 security officers had been injured over several days of protests. The United States and the European Union and have already urged the Turkish government to exercise restraint, while Amnesty International has condemned the use of tear gas by Turkish police as “a breach of international human rights standards.” Anonymous declares Internet attacks in support of Turkish protests Anonymous vows to kick off a worldwide action which will “bring the Turkish government to its knees.” With #opTurkey, the hacktivist collective plans to “attack every Internet and communications asset of the Turkish government.” Anonymous claims to have taken down several websites across Turkey, targeting municipal governments in Mersin and Izmir as well the Gebze Institute of Technology. Source: http://www.turkishweekly.net/news/151067/turkish-gov-39-t-websites-hacked-by-anonymous.html

Continued here:
Turkish gov’t websites hacked by Anonymous

Threat of the Week: DDoS For Hire on the Rise

Just when you thought you could tune out the fears about DDoS (distributed denial of service) attacks, listen up: the risks for you suddenly are much graver, and it may be the time when defensive action on your part has become necessary. Yes, the fear-mongering over the May 7th DDoS blitzkrieg – which turned out to be a non-event – has prompted many credit union executives to turn off the DDoS discussion. That’s a mistake, however. “Three years ago I would have called DDoS a nuisance. Now it is a threat to many more businesses,” said Vann Abernethy, an executive with security firm NSFOCUS. A big change that is occurring, sources insist to Credit Union Times , is that for-rent DDoS networks – often costing spare change – are proliferating and they have plenty of firepower to take down most credit unions’ online presences. The scariest part: absolutely no technical skills are required to deploy what is being called DDoS as a service. All that’s needed is digital money – PayPal or BitCoin and there even are some providers that take MasterCard and Visa. Barry Shteiman, senior security strategist at Imperva, named names of sites that he said offer what seems to be DDoS for hire: SSH Booter, Empire Stresser, Quantum Stresser, Asylum Stresser, Titanium Stresser, Illuminati Stresser, Legion Stresser, Agony Stresser. The list is not complete. “There are dozens of companies selling DDoS as a service now,” said Sean Bodmer, chief researcher, Counter-Exploitation Intelligence, for CounterTack. Note: Almost all such sites claim to offer, not rogue DDoS for hire, but “stress testing” so that an organization – a credit union for instance – can check its DDoS defenses. Just one problem: sources insisted that the majority of stress-testing sites they are familiar with do no verification that the person buying the “stress test” has any affiliation whatsoever with the target. What’s fueled the rise in DDoS as a service? For one, the intense publicity for DDoS has just about everybody aware of the attack format. For two, “As email spam has become more and more a solved problem it has forced criminals with botnets to find other uses for them. DDoS lets them monetize their botnets,” said Matthew Prince, CEO of CloudFlare, a DDoS mitigation company. DDoS as a service prices are also tumbling. Hemant Jain, vice president of engineering for security company Fortinet, said that he has found providers who are selling an hour of DDoS for $5, a 24-hour day of it for $40 and a week for $260. Can’t these DDoS as service provider be shut down by law enforcement? It’s not that easy. Commented Carl Herberger, vice president of security solutions at mitigation provider Radware, “It’s important to note that ‘DDos for Hire’ websites move around in terms of their technical underpinning. They don’t stay in one area or one location for too long. It’s almost like a game of “Whack-a-Mole” – just when you think you’ve identified the location of the website, it’s already moved.” Added Chris Ensey, COO of security company Dunbar Digital Army, “These (DDoS as a service) sites are being resold like white-labeled products now. Most of the sellers are just affiliates who leverage another botnet or platform” – that is, they have none of their own infrastructure and, poof, they can be here today and back tomorrow under a new flag. That’s the problem: it is very hard to pinpoint the location of a DDoS command and control center and when it’s found, said sources, it generally is in a country with little or no law enforcement reciprocity with the United States. The bottom line for credit unions: “They have to take DDoS seriously. There is no turning this back,” said Shteiman. The good news: the attack throughputs via DDoS for hire are tiny fractions of what al Qassam is throwing at money center banks – 1% or 2% of the volume in many cases. But that is plenty to knock out a credit union that lacks defenses. As for what defenses are needed to thwart for hire DDoS, experts indicated that in most cases low-cost mitigation, within the budget of just about every credit union, ought to suffice. Talk with mitigation companies, also ask Web hosts what protections they have on hand or can line up, Small expenditures ought to bring peace of mind – at least that’s what the experts are saying today Source: http://www.cutimes.com/2013/05/28/threat-of-the-week-ddos-for-hire-on-the-rise?ref=hp

View the original here:
Threat of the Week: DDoS For Hire on the Rise

Iranian Hackers Launching Cyber-Attacks on U.S. Energy Firms: Report

Iranian hackers launched attacks as part of a campaign against the country’s oil and gas industry, according to current and former U.S. government officials. Iranian hackers have amped up a campaign of cyber-attacks against America’s energy industry, according to a report from The Wall Street Journal . Citing current and former U.S. officials speaking under the blanket of anonymity, the Journal reported that Iranian hackers accessed control system software that could have allowed them to manipulate oil or gas pipelines. The attacks raise the stakes in cyber-space between the U.S. and Iran, which has been accused by U.S. officials of being behind a spate of distributed denial-of-service attacks (DDoS) against U.S. banks stretching back to 2012. “This is representative of stepped-up cyber activity by the Iranian regime. The more they do this, the more our concerns grow,” a source told the Journal . “What they have done so far has certainly been noticed, and they should be cautious.” Alireza Miryousefi, Iran’s spokesperson at the United Nations, denied any connection between hackers and the regime in an interview with the Journal . The officials who spoke to The Wall Street Journal did not name any of the energy companies targeted in the attacks. But two former officials said oil and gas companies located along the Canadian border were among those hit. Word of the attacks comes a week after Charles Edwards, deputy inspector general at the U.S. Department of Homeland Security, told members of a Senate subcommittee that industrial control systems were increasingly coming under attack in cyber-space in ways that could potentially cause “large-scale power outages or man-made environmental disasters.” Securing these systems is complicated, as many are more interconnected with the Internet than people realize, explained Tom Cross, director of security research at network security vendor Lancope. “It is also difficult to fix security flaws with these systems because they aren’t designed to be patched and restarted frequently,” he said. “It is extremely important,” he continued, “that operators of industrial control networks monitor those networks with systems that can identify anomalous activity that might be associated with an attack. Because of the relatively homogenous nature of network activity on many control systems networks, anomaly detection can be can be a powerful tool in an environment where other kinds of security approaches fall flat.” Much of the talk about improving the security of critical infrastructure companies has focused on information sharing between the government and private sector. Improving communication between government and business figured prominently in the executive order on cyber-security that President Barack Obama issued in February. However, many officials and security experts have said that the order does not undo the need for legislation. “The increases in cyber-assaults on our energy systems from Iranian-backed hackers are another signal to the government and the industry that measures must be taken to fortify the security of our critical infrastructure,” said Lila Kee, chief product and marketing officer at GlobalSign and a North American Energy Standards Board (NAESB) board member. “However, there is a fine line between cyber-security regulation and voluntary standards,” she said. “Regulations cannot be so rigid so as to prevent protection from today’s evolving advanced persistent threats, and voluntary standards cannot be so loose so as to provide no purpose. In today’s modern world of malware, solutions must be fluid and scalable to battle aggressive cyber-attacks.” Source: http://www.eweek.com/security/iranian-hackers-launching-cyber-attacks-on-us-energy-firms-report/

Nationwide DDoS Attack Hits ReputationChanger.com

ReputationChanger.com was the most recent target in a string of high-profile cyber-attacks against U.S. web companies and governmental organizations. Reputation.com, LivingSocial and Name.com have all announced recently that they have been the targets of successful attacks by hackers. Tens of millions of consumers have been asked to change passwords in the wake of these attacks with large numbers of the population informed that personal data may have been accessed. A hack of the Associated Press account in Twitter resulted in a temporary loss on U.S. stock markets of $200 billion in late April. The U.S. Defense Department accused Chinese government-backed hackers this week of a sustained cyber campaign which successfully targeted governmental and defense contractor websites. The Chinese later denied these allegations. ReputationChanger.com was indeed targeted by an attack from a Chinese IP address that lasted most of the day. While the company’s public website was taken down for roughly half an hour in a distributed denial of service attack (DDoS), an investigation confirms that the company’s critical information — including client data — remained untouched. “The attack brought down our main website briefly but I think overall it revealed the strength and security of our operation in a way that we are truly proud of,” comments the company’s president, Michael Zammuto. “Because of the system set up, no client data was in danger of being accessed or compromised — and indeed, no client data was accessed or compromised. No action is required of any client although periodic password changes are always recommended.” Even a cyber-attack targeting the company’s Command Center, the firm’s online reputation management platform, could not have led to illicit data access. “The confidentiality of what we do is critical, and we are endlessly devoted to maintaining the complete privacy of our clients,” Zammuto offers. “As such, we have a highly distributed cloud system, response teams and processes in place to prepare for cyber threats.” Though the identity of the cyber assailant is yet unknown, Zammuto says the impetus for the attack is likely the high-profile client list that ReputationChanger.com maintains. “We were surely targeted because of the very important clients that we work with,” he affirms. ReputationChanger.com’s clientele encompasses governments, political figures, educational institutions, celebrities, and major, internationally-recognized businesses and brands. Despite the brief downtime experienced on the ReputationChanger.com website, Zammuto says that he is ultimately thrilled with how well the enterprise held up in the face of a malicious online assault. “I am very pleased with the performance of our network security team and partners,” he remarks. “It is a great reminder of how valuable investments are in these areas. They kept us safe from a vicious online enemy. It is because of their hard work and their expertise that ReputationChanger.com’s clients can rest assured that their confidential data is in the best possible hands.” ReputationChanger.com is the top rated online reputation management firm according to Top SEOs and was announced as a finalist for the Red Herring 100 earlier this week Both organizations citing the firm’s technology and its commitment to serving its clients. For protection against your eCommerce site click here . Source: http://online.wsj.com/article/PR-CO-20130509-912785.html?mod=googlenews_wsj

Visit link:
Nationwide DDoS Attack Hits ReputationChanger.com

Anonymous OpUSA: Massive Cyber Attack Planned For Wednesday May 8 Against Government and Banks

The hacktivist collective Anonymous, along with other hacker groups based in the Middle East and North Africa, began an operation, dubbed “OpUSA,” targeting the websites of nine major U.S. government agencies and over 130 banks earlier this morning in a protest against American foreign policy. Targets include the Pentagon, the National Security Agency, the FBI and the White House, along with the websites of banks such as Bank of America, Capital One and TD Bank. Calling themselves the “N4m3le55 Cr3w,” the collective of hacker groups said in a statement that it aims to make sure “this May 7th will be a day to remember.” The relatively amorphous Anonymous, a decentralized and loosely associated collective of hackers, grew out of the internet imageboard 4Chan back in the early 2000s. As the very interesting and informative 2012 documentary on the group, “We Are Legion: The Story of the Hacktivists,” highlights, there is no one group called Anonymous with one set of goals or ideals. Rather there are a collection of groups and individuals that operate under the name Anonymous, often with varying agendas ranging from principle social activism to just messing with people because they can. Because of this, their actions can range from the awesome (such as their support for protesters during the Arab uprisings) to the simply mean and unnecessary (such as posting flashing animations on the website of an epilepsy support group). Anonymous is joined by groups including the Izz al-Din Qassam Cyber Fighters, whose sole aim is apparently to get the “Innocence of Muslims” video removed from YouTube. Other groups involved in OpUSA include Mauritania hackers, Muslim liberation army, antisec, and lulzsec. Over the past six months, the Qassam Cyber Fighters have successfully carried out distributed denial of service (DDoS) attacks against large American banks. The groups have been publicizing their planned operation for weeks now, and in their statement posted on the website Pastebin on April 21 they said that America will pay for the war crimes it has committed: “America you have committed multiple war crimes in Iraq, Afghanistan, Pakistan, and recently you have committed war crimes in your own country. You have killed hundreds of innocent children and families with drones, guns, and now bombs. America you have hit thousands of people where it hurts them, now it is our time for our Lulz. For this you shall pay.” For protection against your eCommerce site click here . Source: http://current.com/technology/94112350_anonymous-opusa-massive-cyber-attack-planned-for-wednesday-against-government-and-banks.htm

5 Tips for Fighting DDoS Attacks

It should be the busiest day of the year for your business, but your website has just disappeared off the Internet and orders have dried up. If this happens to you, then you’ve likely just become yet another victim of a distributed denial of service (DDoS) attack. A basic denial of service attack involves bombarding an IP address with large amounts of traffic. If the IP address points to a Web server, then it (or routers upstream of it) may be overwhelmed. Legitimate traffic heading for the Web server will be unable to contact it, and the site becomes unavailable. Service is denied. A distributed denial of service attack is a special type of denial of service attack. The principle is the same, but the malicious traffic is generated from multiple sources — although orchestrated from one central point. The fact that the traffic sources are distributed — often throughout the world — makes a DDoS attack much harder to block than one originating from a single IP address. DDoS Attacks Bigger and Badder DDoS attacks are becoming an increasingly significant problem. According to the latest Quarterly Global DDoS Attack Report commissioned by DDoS mitigation company Prolexic, there’s been a 22 percent increase in the number of DDoS attacks carried out over the last 12 months. The attacks have also lasted longer, up 21 percent from 28.5 hours to 34.5 hours. And attacks have become far more intense, with the average attack bandwidth rising a staggering 691 percent from 6.1Gbps to 48.25Gbps. A March DDoS attack against anti-spam organization Spamhaus may have reached as much as 300Gbps, according to some reports. Studies from Arbor Networks and Akamai Technologies found similar increases in the number and intensity of DDoS attacks. “The barrier to entry of DDoS attacks in terms of cost has largely gone,” says Tim Pat Dufficy, managing director of ServerSpace, a hosting company and Internet service provider (ISP). “That means anyone can launch an attack: organized crime, a group of blackmailers, or just a disgruntled ex-employee or a competitor. And anyone can be the victim. One of our customers is a very small company that does training for people in the construction business, yet they came under attack for two weeks.” It used to be technically difficult to launch a DDoS attack, but now it’s possible to rent a botnet of tens or even hundreds of thousands of infected or “zombie” machines relatively cheaply and use these zombies to launch an attack. And as the Internet develops, home or office computers that have become zombies can make use of increasingly high bandwidth Internet connections. There are also pre-packaged or Web-based DDoS toolkits like Low Orbit Ion Cannon and RussKill that anyone with a minimal amount of know-how can use. So what can you do to protect yourself against DDoS attacks? Identify a DDoS Attack Early If you run your own servers, then you need to be able to identify when you are under attack. That’s because the sooner you can establish that problems with your website are due to a DDoS attack, the sooner you can start to do something about it. To be in a position to do this, it’s a good idea to familiarize yourself with your typical inbound traffic profile; the more you know about what your normal traffic looks like, the easier it is to spot when its profile changes. Most DDoS attacks start as sharp spikes in traffic, and it’s helpful to be able to tell the difference between a sudden surge of legitimate visitors and the start of a DDoS attack. It’s also a good idea to nominate a DDoS leader in your company who is responsible for acting should you come under attack. Overprovision Bandwidth It generally makes sense to have more bandwidth available to your Web server than you ever think you are likely to need. That way, you can accommodate sudden and unexpected surges in traffic that could be a result of an advertising campaign, a special offer or even a mention of your company in the media. Even if you overprovision by 100 percent – or 500 percent – that likely won’t stop a DDoS attack. But it may give you a few extra minutes to act before your resources are overwhelmed. Defend at Network Perimeter (if You Run Your Own Web Server) There are a few technical measures that can be taken to partially mitigate the effect of an attack — especially in the first minutes — and some of these are quite simple. For example, you can: rate limit your router to prevent your Web server being overwhelmed add filters to tell your router to drop packets from obvious sources of attack timeout half-open connections more aggressively drop spoofed or malformed packages set lower SYN, ICMP, and UDP flood drop thresholds But the truth is that while these steps have been effective in the past, DDoS attacks are now usually too large for these measures to have any significant effect. Again, the most you can hope for is that they will buy you a little time as an attack ramps up. Call Your ISP or Hosting Provider The next step is to call your ISP (or hosting provider if you do not host your own web server), tell them you are under attack and ask for help. Keep emergency contacts for your ISP or hosting provider readily available, so you can do this quickly. Depending on the strength of the attack, the ISP or hoster may already have detected it, or they may themselves start to be overwhelmed by the attack. You stand a better chance of withstanding a DDoS attack if your Web server is located in a hosting center than if you run it yourself. That’s because its data center will likely have far higher bandwidth links and higher capacity routers than your company has itself, and its staff will probably have more experience dealing with attacks. Having your Web server located with a hoster will also keep DDoS traffic aimed at your Web server off your corporate LAN, so at least that part of your business — including email and possibly voice over IP services — should operate normally during an attack. If an attack is large enough, the first thing a hosting company or ISP is likely to do is “null route” your traffic — which results in packets destined for your Web server being dropped before they arrive. “It can be very costly for a hosting company to allow a DDoS on to their network because it consumes a lot of bandwidth and can affect other customers, so the first thing we might do is black hole you for a while,” says Liam Enticknap, a network operations engineer at PEER 1 hosting. Tim Pat Dufficy, managing director of ISP and hosting company ServerSpace, agrees. “The first thing we do when we see a customer under attack is log on to our routers and stop the traffic getting on to our network,” he says. “That takes about two minutes to propagate globally using BGP (border gateway protocol) and then traffic falls off.” If that was the end of the story, then the DDoS attack would be successful. To get the website back online, your ISP or hosting company may divert traffic to a “scrubber” where the malicious packets can be removed before the legitimate ones are be sent on to your Web server. “We use our experience, and various tools, to understand how the traffic to your site has changed from what it was receiving before and to identify malicious packets,” explains Enticknap. He says PEER 1 has the capacity to take in, scrub and send on very high levels of traffic — as much as 20Gbps. But with levels of traffic comparable to those experienced by Spamhaus, even this scrubbing effort would likely be overwhelmed. Do have a DDoS plan in place with your ISP or hoster so that it can begin mitigation or divert your traffic to a mitigation specialist with the minimum delay. Call a DDoS Specialist For very large attacks, it’s likely that your best chance of staying online is to use a specialist DDoS mitigation company. These organizations have large scale infrastructure and use a variety of technologies, including data scrubbing, to help keep your website online. You may need to contact a DDoS mitigation company directly, or your hosting company or service provider may have a partnership agreement with one to handle large attacks. “If a customer needs DDoS mitigation then we divert their traffic to (DDoS mitigation company) Black Lotus,” says Dufficy. ”We do this using BGP, so it only takes a few minutes.” Black Lotus’s scrubbing center can handle very high levels of traffic indeed, and sends on the cleaned traffic to its intended destination. This does result in higher latency for website users, but the alternative is that they can’t access the site at all. DDoS mitigation services are not free, so it’s up to you whether you want to pay to stay online or take the hit and wait for the DDoS attack to subside before continuing to do business. Subscribing to a DDoS mitigation service on an ongoing basis may cost a few hundred dollars a month. If you wait until you need one, however, expect to pay much more for the service and wait longer before it starts to work. DDoS mitigation specialists include: Arbor Networks Black Lotus DOSarrest Prolexic VeriSign Source: http://www.esecurityplanet.com/network-security/5-tips-for-fighting-ddos-attacks.html

Follow this link:
5 Tips for Fighting DDoS Attacks

Dutchman arrested in connection with large DDoS attack on Spamhaus

A 35-year-old Dutchman was arrested Thursday in Spain, as part of an investigation into a large-scale DDoS (distributed denial-of-service) attack that targeted a spam-fighting organization called the Spamhaus Project in March. The suspect was arrested by Spanish authorities in Barcelona based on a European arrest warrant and is expected to be transferred to the Netherlands soon, the Dutch Public Prosecution Service said Friday in a press release. The March DDoS attack against Spamhaus is noteworthy because of its very large scale and because it reportedly affected several Internet exchange nodes in Europe. Several sources, including CloudFlare, a San Francisco-based company that hosted Spamhaus’ website on its content distribution network, said at the time that the attack’s bandwidth peaked at over 300Gbps, making it the largest DDoS attack in history. However, the attack’s initially reported size was later challenged by other companies. A group called the Stophaus Movement, whose members include companies and individuals flagged as spammers by Spamhaus, took credit for the attack. The Dutch Prosecution Service did not reveal the full name of the suspect arrested Thursday in Spain and only referred to him by his initials, S. K., for privacy reasons. “He is suspected of a wide range of computer crimes,” said Wim de Bruin, a spokesman for the Dutch Public Prosecution Service. Among them is launching a DDoS attack against Spamhaus, which is a criminal offense under Dutch law. According to a source familiar with the investigation, the man arrested is Sven Kamphuis, who acted as a spokesman for the Stophaus Movement following the attack in March. However, at the time, Kamphuis denied his personal involvement in the attack and said that it was launched by Stophaus members from China and Russia. Kamphuis runs a network provider called CB3ROB that was blacklisted by Spamhaus for hosting spam botnets and extortion scams. CB3ROB provided services for a controversial Dutch hosting company called CyberBunker.com that allows its customers to “host any content they like, except child porn and anything related to terrorism.” For protection against your eCommerce site click here . Source: http://www.pcworld.com/article/2036494/dutchman-arrested-in-connection-with-large-ddos-attack-on-spamhaus.html

Read this article:
Dutchman arrested in connection with large DDoS attack on Spamhaus

Charles Schwab website recovers after second day of cyber attacks

Charles Schwab Corp said it was the target of a cyber attack that prevented access to its website intermittently for about an hour on Wednesday, the second such attack in as many days, but that the problem had been resolved. Schwab, one of the largest U.S. brokerages, said on Tuesday afternoon it was that target of a distributed denial of service attack – an attack that floods websites with traffic in order to block access – that left clients unable to trade through the site for two hours. Phone service was available during both attacks, although responses were slower than usual due to the large number of people calling in, said Schwab spokesman Greg Gable. He said clients who believe they were affected by the outage can call 1-800-435-4000 to talk with a Schwab representative. The attacks did not impact client data or accounts, Gable added. Schwab said it is actively investigating the attacks but could not provide further information. The San Francisco-based company had 8.9 million active brokerage accounts and $2.1 trillion in total client assets at the end of the last quarter. For protection against your eCommerce site click here . Source: http://www.csmonitor.com/Business/Latest-News-Wires/2013/0424/Schwab-website-recovers-after-second-day-of-cyber-attacks

Original post:
Charles Schwab website recovers after second day of cyber attacks