Tag Archives: internet

Tumblr outage reported in US and Europe; may be result of DDoS attack

Tumblr appears to be the target of a distributed denial of service attack, with users unable to access the blogging site. The outage reportedly began just before 3:30pm ET, according to Down Detector. If the site manages to load anything at all, users receive a “service is temporarily unavailable” message. Tumblr issued a jargon-filled tweet about 15 minutes into the outage, promising to fix the issue as soon as possible. Earlier on Wednesday, Tumblr hosted a question-and-answer on the humanitarian crisis in Aleppo, Syria. It’s unclear whether the suspected DDoS attack is related to the ‘Answer Time’ discussion. Tumblr was one of more than 80 popular websites affected when three separate DDoS attacks hit Dyn DNS, the internet traffic management company, on October 21. That attack was believed to have been launched from the Internet of Things, the multitude of smart devices such as webcams and thermostats that connect to the internet. A DDoS attack occurs when a server is deliberately overwhelmed with traffic from many sources until it can no longer answer legitimate requests. Source: https://www.rt.com/usa/371183-tumbler-down-ddos-attack/


Cyber criminals compromising virtual machines in cloud to increase scale of DDoS

Microsoft’s recently released Security Intelligence Report states that cyber-criminals are compromising virtual machines in the cloud as a way to vastly increase the scale of Distributed Denial of Service (DDoS) attacks. Microsoft warns of many new cyber risks faced by IT companies in the report, and says that attackers have learned how to use compromised virtual machines running in the cloud to launch massive cyber-attacks. The report says: “In the cloud weaponisation threat scenario, an attacker establishes a foothold within a cloud infrastructure by compromising and taking control of a few virtual machines. The attacker can then use these virtual machines to attack, compromise, and control thousands of virtual machines—some within the same public cloud service provider as the initial attack, and others inside other public cloud service providers.” From there, attackers can issue commands to launch DDoS attacks that cripple online services and websites, or flood the internet with spam. Microsoft’s cloud computing platform, Azure, has seen compromised VMs used to establish communications with malicious IP addresses and to brute-force RDP (the Remote Desktop Protocol Microsoft uses to let users reach their desktops over a network), representing 41% and 25.5% of all outbound attacks respectively. Spam followed at just over 20%, and DDoS attempts made up 7.6% of attacks. The company also warns IT administrators to be on the lookout for targeted attacks on email accounts likely to contain credentials for the public cloud administrator portal. If such an attack succeeds, both the on-premises and the cloud infrastructure are exposed: once logged into the administrator portal, the attacker can gather information and make changes to gain access to other cloud-based resources, execute ransomware, or pivot back into the on-premises environment.
Attackers are also keeping tabs on GitHub and other public code repositories, hoping that developers will accidentally publish secret keys that grant access to cloud accounts and services. Microsoft further warns of “Man in the Cloud” (MitC) attacks, in which victims are tricked into downloading and installing malware, typically via an email containing a malicious link. Once active, the malware searches for a cloud storage folder and replaces the victim’s synchronisation token with the attacker’s. From then on, each time the user adds a file to their cloud storage account, a copy is delivered to the attacker. Sources: http://www.cloudcomputing-news.net/news/2016/dec/16/cyber-criminals-compromising-virtual-machines-cloud-increase-scale-ddos/ http://www.eweek.com/security/microsoft-report-says-hackers-weaponizing-cloud-virtual-machines.html
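The leaked-key problem above is one a developer can check for before a commit ever reaches a public repository. The following is an added example, not code from the Microsoft report or any Microsoft tool: a minimal pre-commit style scanner for the kinds of credentials the report warns about. The key formats it matches are publicly documented; the pattern names, the entropy threshold and the sample file contents are constructed for this demonstration.

```python
"""Scan text for cloud credentials before it reaches a public repository.

Added example, not taken from the Microsoft report: a minimal pre-commit
style check for the kinds of secrets the report warns developers leak to
GitHub. The key formats matched are publicly documented; the sample file
contents and the pattern names are constructed for this demonstration.
"""
import math
import re
from typing import Dict, List, Tuple

PATTERNS: Dict[str, re.Pattern] = {
    # AWS access key IDs: AKIA (long-term) or ASIA (temporary) plus 16 upper-case/digit chars
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    # Azure Storage connection strings carry an 88-character base64 AccountKey
    "azure_storage_account_key": re.compile(r"AccountKey=([A-Za-z0-9+/]{86}==)"),
    # PEM private-key blocks of any type
    "pem_private_key": re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
    # Generic secret assignments with a quoted literal of 8+ characters
    "hardcoded_secret": re.compile(
        r"(?i)(?:secret|password|passwd|api[_-]?key)\s*[=:]\s*['\"]([^'\"]{8,})['\"]"
    ),
}


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; placeholders such as 'changeme' score low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in (s.count(ch) for ch in set(s)))


def redact(value: str) -> str:
    """Keep only a short prefix so a finding can be reported without re-leaking the secret."""
    return value[:4] + "..." if len(value) > 4 else "****"


def scan_text(text: str, min_entropy: float = 3.0) -> List[Tuple[int, str, str]]:
    """Return (line_number, finding_kind, redacted_value) for every suspected secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                value = m.group(1) if m.groups() else m.group(0)
                # Generic matches are only reported when the literal looks random,
                # which filters documentation placeholders without a hard-coded allowlist.
                if kind == "hardcoded_secret" and shannon_entropy(value) < min_entropy:
                    continue
                findings.append((lineno, kind, redact(value)))
    return findings


# Constructed sample of a config file a developer might commit by mistake.
FAKE_ACCOUNT_KEY = "A" * 86 + "=="  # shape of an Azure key, not a real one
SAMPLE = "\n".join([
    "# service configuration",
    "aws_access_key_id = AKIAIOSFODNN7EXAMPLE",  # AWS's documented example key ID
    'db_password = "changeme"',                   # placeholder: should not alert
    f"AZURE_CONN=DefaultEndpointsProtocol=https;AccountName=demo;AccountKey={FAKE_ACCOUNT_KEY};",
    'api_key = "q7Hx2mP9vL4kZ8nR1tY6"',           # random-looking literal: should alert
    "-----BEGIN RSA PRIVATE KEY-----",
])

if __name__ == "__main__":
    for lineno, kind, value in scan_text(SAMPLE):
        print(f"line {lineno}: {kind} ({value})")
```

Run against the sample it reports the AWS key ID, the Azure account key, the random-looking api_key literal and the PEM header, and stays quiet on the "changeme" placeholder. Wired into a pre-commit hook, the same function would run over the staged diff; findings are redacted so the hook output itself does not leak what it found.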


The new age of DDoS – And we ‘joked’ that toasters would one day take down our banks

The size of DDoS attacks has increased exponentially thanks to hackers and cyber criminals making use of the IoT. A few years ago, just as the ‘Internet of Things’ (IoT) was starting to form as a concept, some of us in the cyber security community joked that in future our toasters would be able to take down our banks. Within the last few months that joke has started to become a reality. In September 2016, US security researcher Brian Krebs had his website, Krebs on Security, taken offline by the largest Distributed Denial of Service (DDoS) attack yet seen. A short while later OVH, a French internet hosting company, was struck by an even bigger attack. Then, in October, Domain Name System (DNS) company Dyn, essentially part of the ‘internet phone book’ which directs users to websites, also fell victim to an attack in which tens of millions of different internet addresses bombarded the company’s servers with excessive data, causing popular sites like Twitter, Spotify and Reddit to go offline. The devices being abused, including webcams, Digital Video Recorders (DVRs), and even fridges, toasters and pressure cookers, are typically designed to be quick and cheap to produce, and inherently have very poor levels of security. The majority run variants of the Linux operating system, and many have very simple or default administrator username and password combinations, or use standard cryptographic components whose keys are hard-coded and widely available on the internet. Some have no security features at all. Worryingly, the end user can do little to prevent their use by cyber criminals and hackers, even if they were to become aware that their device had been compromised.
Other than turning it off and disconnecting it from any internet connection, which would leave the device ‘dumb’ and remove the features they bought it for, there is very little scope to prevent it from being recruited by hackers. The risk stems from a piece of malware called ‘Mirai’ (Japanese for ‘the future’). Developed by a coder using the pseudonym ‘Anna-senpai’, Mirai turns Linux-based devices into remotely controlled ‘bots’ that can be used as part of a ‘botnet’ in large-scale network attacks. Mirai first came to wide attention on September 20, 2016, with attacks on the Krebs website reaching 620 Gbps. Soon after, OVH was hit with an attack which reached a staggering 1 Tbps. Both attacks used in the region of 150,000 infected IoT devices, and produced volumes of DDoS traffic never seen before. It is thought Krebs was targeted because he had exposed ‘vDOS’, an Israeli-run service that rented out DDoS attacks (‘DDoS-as-a-Service’). Soon after these attacks, the source code for Mirai was released publicly on a hacker forum. This gave other hackers and cyber criminals the opportunity to mount massive DDoS attacks of their own, which resulted in the Dyn incident. In a change of tactic, the attackers there went after part of the key infrastructure of the internet rather than a single website. This begs the question: just how will DDoS attacks develop in 2017, and what does the future hold for internet security? Source: http://www.itproportal.com/features/the-new-age-of-ddos-and-we-joked-that-toasters-would-one-day-take-down-our-banks/


34 People Arrested in Global Crackdown on DDOS Attack Service Users

Today’s topics include the arrest of 34 individuals in 13 countries charged with using online services that provide denial-of-service attacks to order, Apple’s security patches for macOS and iOS, the release of Facebook’s Certificate Transparency Monitoring tool, and Google’s open-sourcing of the Embedding Projector visualisation tool for its machine learning technology.

International law enforcement agencies in more than a dozen countries arrested 34 individuals in a cyber-crime sweep that focused on customers of online services that provide denial-of-service attacks to order. In the United States, the FBI arrested a 26-year-old University of Southern California graduate student allegedly linked to a distributed denial-of-service (DDoS) attack that knocked a San Francisco chat-service company offline. The suspect, Sean Sharma, was charged on Dec. 9 with purchasing a DDoS tool used to mount the attack, the FBI stated in a release. Since last week, the FBI’s International Cyber Crime Coordination Cell (IC4) and other law enforcement agencies, including Europol and the U.K.’s National Crime Agency, have arrested 34 suspects and interviewed 101 individuals.

Apple has updated both its desktop macOS Sierra and iOS mobile operating systems to fix multiple security vulnerabilities. The iOS 10.2 update was officially released on Dec. 12, and the macOS 10.12.2 update followed a day later on Dec. 13. Among the items fixed in iOS 10.2 is a vulnerability, first publicly disclosed in a YouTube video on Nov. 16, that could let an attacker with physical access view a user’s photos and contacts from the iPhone’s lock screen. The vulnerability is identified as CVE-2016-7664 and was reported by Miguel Alvarado of iDeviceHelp.

On Dec. 13, Facebook announced the launch of its freely available Certificate Transparency Monitoring tool, which gives users a simple way to search for recently issued certificates and to be alerted when a new certificate is issued for a specific domain. TLS (still commonly called SSL) is the protocol used across the internet to secure websites, and it relies on certificates issued by Certificate Authorities (CAs) that browsers trust to vouch for a site’s identity. Certificates can be mis-issued, accidentally or maliciously, and that is the risk the Certificate Transparency effort aims to mitigate. Google initiated the initiative, under which CAs publish newly issued certificates to publicly auditable Certificate Transparency (CT) logs, so that a certificate for your domain that you never requested becomes discoverable rather than invisible. Facebook’s tool lets users search CT logs for certificates and subscribe to alerts on domains.

Google has open-sourced its Embedding Projector, a web application that gives developers a way to visualise data that is being used to train their machine learning systems. Embedding Projector is part of TensorFlow, the machine learning technology behind popular Google services such as image search, Smart Reply in Inbox and Google Translate. In a technical paper, Google researchers described the Embedding Projector as an interactive visualisation tool that developers can use to interpret machine-learning models that rely on what are known as “embeddings.” “With the widespread adoption of ML systems, it is increasingly important for research scientists to be able to explore how the data is being interpreted by the models,” Google engineer Daniel Smilkov said in Google’s open source blog. Source: http://www.eweek.com/video/34-people-arrested-in-global-crackdown-on-ddos-attack-service-users.html?=large-video-widget
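The alerting rule behind a CT domain monitor like Facebook’s is simple to state but has edge cases worth getting right: wildcard and differently-cased names must still count as yours, while look-alike names must not. The following is an added example and not Facebook’s code; the log entries, CA names and serial numbers are constructed, and a real monitor would obtain entries from a CT log’s get-entries API (RFC 6962) and take the issuer and names from the parsed X.509 certificate.

```python
"""Alerting rule for a Certificate Transparency domain monitor.

Added example, not Facebook's tool: the decision a monitor applies once it
has fetched and parsed new log entries. The entries below are constructed;
a real monitor would read them from a CT log's get-entries API (RFC 6962)
and take issuer, subject and SAN names from the parsed X.509 certificate.
"""
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple


@dataclass(frozen=True)
class CTEntry:
    issuer: str             # issuer common name as printed from the certificate
    names: Tuple[str, ...]  # subject CN plus SAN dNSNames
    serial: str             # certificate serial number, hex


def concerns_domain(cert_name: str, domain: str) -> bool:
    """True if a certificate name is the monitored domain or lies under it.

    Names are compared case-insensitively, with trailing dots and a leading
    wildcard label removed, so '*.example.com' and 'EXAMPLE.COM.' both count.
    Look-alikes such as 'example.com.evil.net' or 'notexample.com' do not.
    """
    name = cert_name.lower().rstrip(".")
    domain = domain.lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    return name == domain or name.endswith("." + domain)


def check_entries(entries: Iterable[CTEntry], domain: str,
                  expected_issuers: Set[str], known_serials: Set[str]
                  ) -> List[Tuple[str, str, str, Tuple[str, ...]]]:
    """Return (alert_kind, serial, issuer, matching_names) for entries worth a look.

    UNEXPECTED_ISSUER: a CA you do not use issued a certificate for your domain.
    UNKNOWN_CERT: your usual CA issued one you have no record of requesting.
    """
    alerts = []
    for entry in entries:
        hits = tuple(n for n in entry.names if concerns_domain(n, domain))
        if not hits:
            continue
        if entry.issuer not in expected_issuers:
            alerts.append(("UNEXPECTED_ISSUER", entry.serial, entry.issuer, hits))
        elif entry.serial not in known_serials:
            alerts.append(("UNKNOWN_CERT", entry.serial, entry.issuer, hits))
    return alerts


# Constructed log entries: issuer names and serials are invented.
SAMPLE_ENTRIES = [
    CTEntry("Example CA A", ("example.com", "www.example.com"), "01"),          # our own, known
    CTEntry("Example CA A", ("api.example.com",), "02"),                        # our CA, not requested
    CTEntry("Example CA B", ("*.example.com",), "03"),                          # foreign CA, wildcard
    CTEntry("Example CA B", ("example.com.evil.net", "notexample.com"), "04"),  # look-alikes
    CTEntry("Example CA A", ("EXAMPLE.COM.",), "05"),                           # case/dot variant
]

if __name__ == "__main__":
    for alert in check_entries(SAMPLE_ENTRIES, "example.com", {"Example CA A"}, {"01"}):
        print(alert)
```

The entry from the unexpected CA is the one that matters most (it is what a mis-issuance looks like from the outside); the UNKNOWN_CERT alerts are lower priority but catch a colleague, or an attacker with access to your usual CA account, requesting certificates you did not plan.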


The Difference Between Positive VS Negative WAF ?

The resurgence of positive security of late has been a refreshing change in a security landscape dominated by anti-virus scanners, IDS/IPS, and anti-spam engines. The resurgence is most noticeable in the field of web application security, where Web Application Firewalls (WAFs) have been adopting a positive security model to combat the fast-paced and ever-changing threats they face. Even so, there are still divergent views on the best method.

A positive-model WAF allows only what is expressly permitted: each rule describes a legitimate request (the endpoints, parameters, characters and value formats that are expected), every rule added grants more access, and a WAF with no rules blocks everything by default. This severely limits the vectors an attacker can exploit, simply because everything that is not expressly allowed is automatically blocked. The cost is that it requires a high level of care and input from the company implementing it, to ensure that legitimate customers are not blocked by overly aggressive rules. That tuning can usually be completed after a few rounds of “whitelisting” (creating rules for legitimate actions) when the service is first implemented.

A negative-model WAF works on the premise that most attackers use exploits that have already been uncovered. By blocking those known exploits, and by shipping patches or updates as new vulnerabilities appear, the client has to do very little beyond ensuring that their WAF is up to date. This model also relieves the worry about blocking legitimate users, since it is designed to prevent only known illegitimate actions. The issue is that it depends on the team maintaining the WAF staying current on exploits as they come out, and it gives attackers far greater freedom to find new vectors, since anything not expressly blocked is open for them to try. With new exploits discovered every day, you can become a victim because an exploit has not reached your WAF administrator yet and there is no rule in place to protect you. The negative model, also referred to as a “signature-based” WAF, must be constantly updated. In 2014 Symantec stated that, two weeks on, the majority of anti-virus software vendors had yet to update their software for zero-day exploits; in other words, a zero-day attack might as well be renamed a 14-day attack, which is scary!

In summary:
Positive model: you decide what is valid, and everything else is blocked.
Pros: much better protection than the negative model, including against attacks nobody has written a signature for yet.
Cons: requires “whitelisting” so that legitimate visitors are not blocked.
Negative model: you decide what is not valid, and everything else is allowed.
Pros: easier to implement in most cases.
Cons: you are vulnerable to any vector (zero-day attack) that does not have a signature in your WAF.

At DOSarrest we employ a cloud-based positive WAF model. Most other cloud-based WAF providers use a negative model, whereby they have to manage tens of thousands of signatures.

Ben Mina-Coull, Quality Assurance, DOSarrest Internet Security
Source: https://www.dosarrest.com/ddos-blog/the-difference-between-positive-vs-negative-waf
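The difference between the two models is easiest to see by running the same requests through each. The following is an added example, not DOSarrest’s product or code: two toy filters in front of a hypothetical /login endpoint, one with a small signature list and one with a declared schema. The endpoint, its schema, the signatures and the requests are all constructed; the point is the decisions, not the particular patterns.

```python
"""Positive (allowlist) and negative (signature) WAF models on the same requests.

Added example, not DOSarrest's product: two toy filters in front of a login
endpoint show why the post prefers the positive model and where its cost lies.
The endpoint schema, signatures and requests are all constructed.
"""
import re
from typing import Dict, Tuple

# Negative model: block what matches a known-bad signature, allow everything else.
NEGATIVE_SIGNATURES = [
    ("sqli_union_select", re.compile(r"(?i)\bunion\b\s+\bselect\b")),
    ("sqli_quote_or", re.compile(r"(?i)'\s*or\s+'?\d*'?\s*=\s*'?\d*")),
    ("xss_script_tag", re.compile(r"(?i)<script\b")),
]

# Positive model: every endpoint and parameter is declared together with the
# shape of a legitimate value; anything undeclared is rejected.
POSITIVE_SCHEMA: Dict[str, Dict[str, re.Pattern]] = {
    "/login": {
        "username": re.compile(r"[a-z0-9._-]{1,32}"),
        "password": re.compile(r".{8,128}"),   # kept broad on purpose: a password is free text
        "remember": re.compile(r"[01]"),
    },
}

# The "whitelisting" round from the post: the first schema blocks a real
# customer (the o'brien request below), so the username rule is widened.
TUNED_SCHEMA = {
    "/login": dict(POSITIVE_SCHEMA["/login"], username=re.compile(r"[a-z0-9._'-]{1,32}")),
}


def negative_decide(path: str, params: Dict[str, str]) -> Tuple[bool, str]:
    for name, value in params.items():
        for sig_name, sig in NEGATIVE_SIGNATURES:
            if sig.search(value):
                return False, f"signature {sig_name} matched in {name}"
    return True, "no signature matched"


def positive_decide(path: str, params: Dict[str, str],
                    schema: Dict[str, Dict[str, re.Pattern]] = POSITIVE_SCHEMA) -> Tuple[bool, str]:
    rules = schema.get(path)
    if rules is None:
        return False, "path not allowlisted"
    for name, value in params.items():
        rule = rules.get(name)
        if rule is None:
            return False, f"parameter {name} not allowlisted"
        if not rule.fullmatch(value):   # fullmatch: the whole value must fit the declared shape
            return False, f"value of {name} outside allowed shape"
    return True, "all parameters match the schema"


# Constructed requests: (label, path, parameters)
REQUESTS = [
    ("legit", "/login", {"username": "alice", "password": "correct horse battery", "remember": "1"}),
    ("known_sqli", "/login", {"username": "admin' OR '1'='1", "password": "x" * 8}),
    ("novel_sqli", "/login", {"username": "admin'/**/||/**/1=1--", "password": "x" * 8}),
    ("legit_apostrophe", "/login", {"username": "o'brien", "password": "x" * 8}),
    ("extra_param", "/login", {"username": "alice", "password": "x" * 8, "debug": "1"}),
]


def compare(requests=REQUESTS, schema=POSITIVE_SCHEMA) -> Dict[str, Tuple[bool, bool]]:
    """Map each request label to (allowed by negative model, allowed by positive model)."""
    return {
        label: (negative_decide(path, params)[0], positive_decide(path, params, schema)[0])
        for label, path, params in requests
    }


if __name__ == "__main__":
    for label, (neg, pos) in compare().items():
        print(f"{label:18} negative={'allow' if neg else 'block'}  positive={'allow' if pos else 'block'}")
```

The textbook injection is stopped by both models; the comment-obfuscated variant has no signature and sails through the negative model but never fits the username shape; the undeclared debug parameter likewise only the positive model notices. The price shows in the o'brien request: a real customer is blocked until the schema is widened, which is the whitelisting round the post describes. Note also that the password field stays free text under both models, so the positive model protects only as much as the schema is tight.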


UK police crack down on people paying for DDoS attacks

It’s all part of ‘Operation Tarpit’, a global crackdown co-ordinated by Europol. Distributed Denial of Service (DDoS) attacks are on the rise, affecting individuals, private businesses and government-funded institutions alike. As a large-scale warning to cybercriminals, the UK’s National Crime Agency (NCA) has arrested 12 individuals for using a DDoS-for-hire service called Netspoof. “Operation Vulcanalia” targeted 60 people in total, and led to 30 cease-and-desist notices and the seizure of equipment from 11 suspects. The NCA says it had two aims: arresting repeat offenders and educating first-time users about the consequences of cybercrime. The work formed part of Operation Tarpit, a larger effort co-ordinated by Europol. Law enforcement agencies from Australia, Belgium, France, Hungary, Lithuania, the Netherlands, Norway, Portugal, Spain, Sweden, the UK and the US targeted users of DDoS tools together, resulting in 34 arrests and 101 suspects being interviewed and cautioned. The UK’s contribution was driven by intelligence gathered by the West Midlands Regional Cyber Crime Unit and executed by Regional Organised Crime Units under the oversight of the NCA. Some of the arrests were detailed in a press release; all but one of those arrested were under the age of 30. Netspoof allowed anyone to initiate potentially devastating DDoS attacks for as little as £4, with packages costing as much as £380 depending on the user’s requirements. It meant almost anyone, regardless of technical background, could take down sites and services by flooding them with huge amounts of data. The trend reflects the growth in cybercrime and how easy it has become for people to wield such power. DDoS attacks do not involve breaking into systems the way hacking does, but they remain a worrisome tactic for businesses: knocking a service offline can hurt a company’s finances and reputation, angering customers in the process.

Twelve arrests is by no means insignificant, but it almost certainly represents a small fraction of DDoS users. Still, it’s a warning shot from the NCA: it is aware of the problem, and officers are putting more resources into tracking those who both use and facilitate such attacks on the internet. Source: https://www.engadget.com/2016/12/13/uk-national-crime-agency-ddos-arrests/


Web attacks increase 71% in third quarter

Dubai: After a slight downturn in the second quarter of this year, the number of Distributed Denial of Service (DDoS) attacks rose to an average of 30 attacks per target. This reflects that once an organisation has been attacked, there is a high probability of additional attacks, a cyber security expert said.

“Cybercriminals have found new attack channels to disable resources as the total DDoS attacks increased by 71 per cent year over year in the third quarter. During the third quarter, we mitigated a total of 4,556 DDoS attacks, an eight per cent decrease from the second quarter,” Dave Lewis, Global Security Advocate at Akamai Technologies, told Gulf News.

In a DDoS attack, an attacker sends a server more traffic than it can handle, so that it can no longer respond to legitimate users.

“We are seeing more and more short-based attacks with limited bandwidth and consequence. There were 19 mega attacks mitigated during the quarter that peaked at more than 100Gbps, matching the first quarter high point,” he said. It is notable that while the overall number of attacks fell by eight per cent quarter over quarter, the number of large attacks, as well as the size of the biggest attacks, grew significantly. In contrast to previous quarters, when reflection attacks generated the traffic in the largest attacks, a single family of botnets, Mirai, accounted for the traffic in these recent attacks. Rather than using reflectors, Mirai uses compromised Internet of Things systems and generates traffic directly from those nodes.

The Mirai botnet was the source of the largest attacks Akamai has mitigated to date: the two largest DDoS attacks this quarter, both leveraging Mirai, were recorded at 623Gbps and 555Gbps. Mirai did not come out of nowhere; what makes it truly exceptional is its use of IoT devices and several capabilities that aren’t often seen in botnets.

“Attackers are generally not looking for vulnerable systems in a specific location, they are scanning the entire internet for vulnerable systems. The Mirai botnet is especially noisy and aggressive while scanning for vulnerable systems,” he said. Some clients are almost always under attack: the top target organisations saw three to five attacks every day of the quarter. Without defences in place, these attacks could have a “substantial cumulative effect” on an organisation’s reputation.

“It is becoming easier for hackers to launch attacks on commoditised platforms for a lesser price than a coffee cup. The Internet of Things devices are very good at what they are good at, but security is often left out. We see these devices like DVRs with default credentials with an insecure protocol,” he said.

According to Akamai Technologies’ Third Quarter 2016 State of the Internet / Security Report, the majority of web application attacks continued to take place over HTTP (68 per cent) rather than HTTPS (32 per cent), even though HTTPS could afford attackers some modicum of cover by encrypting their traffic in transit.

The US remained the top target for web application attacks; as many organisations are headquartered in the US with their infrastructure hosted in-country, it is expected that the US will continue to be the top target for some time. Brazil, the top country of origin for all web application attacks in the second quarter, saw a 79 per cent decrease this quarter. The United States (20 per cent) and the Netherlands (18 per cent) were the countries from which the most web application attacks originated. Source: http://gulfnews.com/business/sectors/technology/web-attacks-increase-71-in-third-quarter-1.1930487


BlackNurse Attack Lets Lone Computers Take Down Whole Networks

DDoS attacks generally rely on big numbers to get results: hundreds of thousands of devices, millions of IP addresses, all unleashing coordinated blasts of data at another device to bring it to its knees. A BlackNurse denial-of-service attack doesn’t need a massive army of zombies to be effective, which makes it far more efficient than the DDoS attacks that crippled security researcher Brian Krebs’ website and the DNS servers at Dyn. Some recent DDoS attacks have seen traffic peak at more than 1 Tbps; a BlackNurse attack can disrupt with a tiny fraction of that volume. As little as 21 Mbps can be enough to take down a firewall, according to security firm Netresec. What lets BlackNurse inflict so much damage with so little effort is the type of traffic it uses. It sends Internet Control Message Protocol (ICMP) packets, a protocol abused in earlier flood attacks, but it uses one specific message: ICMP type 3 (Destination Unreachable), code 3 (Port Unreachable). On the affected firewalls, handling these messages is expensive, so a steady stream of them at a packet rate an ordinary PC can produce exhausts the device’s CPU and it stops forwarding traffic for everyone behind it. An attack from a single laptop could, in theory, knock an entire business offline, though not a very large one. In their blog post, Netresec calls out firewalls made by Cisco, Palo Alto Networks, Sonicwall, and Zyxel as being at risk. Most of the devices Netresec reports as vulnerable (like the Cisco ASA 5506 and Zyxel Zywall USG50) were designed for small office or home office use. That said, TDC, a Denmark-based company that offers DDoS protection services to businesses, has seen enterprise-grade gear affected. “We had expected that professional firewall equipment would be able to handle the attack,” they wrote, adding that they have seen around 100 of these attacks launched against their customers. TDC also notes that BlackNurse has the potential to cause widespread havoc: in Denmark’s IP space alone they found 1.7 million devices that respond to the ICMP requests the BlackNurse attack leverages.

If even a small percentage of those 1.7 million devices are vulnerable, the effects of a coordinated, large-scale attack could be disastrous. And that’s just Denmark. The recommended defence is to rate-limit or drop ICMP type 3 code 3 on the firewall’s WAN interface, or allow it only from trusted sources; the trade-off is that the firewall no longer receives port-unreachable feedback for its own outbound UDP traffic. Source: http://www.forbes.com/sites/leemathews/2016/11/14/blacknurse-attack-lets-lone-computers-take-down-whole-networks/#6d27bd961999
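Because the attack is defined by a single ICMP type/code rather than by volume, it is one of the easier floods to spot in a capture, provided the counter does not trust the packet rate of any one source. The following is an added example and not code from Netresec, TDC or the Forbes piece: it builds and parses ICMP messages using the standard header layout (RFC 792) and Internet checksum (RFC 1071), then counts port-unreachable messages per source and in total per second. The traffic sample and the two thresholds are constructed and hypothetical; a real deployment would feed it the ICMP payload of each packet from a capture and tune the thresholds to the firewall in question.

```python
"""Recognise a BlackNurse-style ICMP flood from captured packet bytes.

Added example, not from Netresec's or TDC's material. The header layout is
the standard ICMP one (RFC 792) and the checksum is the Internet checksum
(RFC 1071); the traffic sample and the alert thresholds are constructed
and hypothetical. The detector counts ICMP type 3 code 3 (Destination
Unreachable, Port Unreachable) messages per source and in total, per second.
"""
import struct
from collections import defaultdict
from typing import Iterable, List, Optional, Tuple

ICMP_DEST_UNREACH = 3
CODE_PORT_UNREACH = 3
HEADER = "!BBHI"  # type, code, checksum, "rest of header"


def icmp_checksum(data: bytes) -> int:
    """Ones'-complement sum of 16-bit words, as used by ICMP (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, code: int, payload: bytes = b"") -> bytes:
    """Build an ICMP message (header plus payload) with a valid checksum."""
    header = struct.pack(HEADER, icmp_type, code, 0, 0)
    csum = icmp_checksum(header + payload)
    return struct.pack(HEADER, icmp_type, code, csum, 0) + payload


def parse_icmp(msg: bytes) -> Optional[Tuple[int, int]]:
    """Return (type, code), or None if the message is truncated or its checksum fails."""
    if len(msg) < 8:
        return None
    icmp_type, code, _csum, _rest = struct.unpack(HEADER, msg[:8])
    if icmp_checksum(msg) != 0:  # a valid message, checksum field included, sums to zero
        return None
    return icmp_type, code


def detect_blacknurse(packets: Iterable[Tuple[float, str, bytes]],
                      per_source_pps: int = 1000, total_pps: int = 5000) -> List[Tuple[int, str, int]]:
    """Flag one-second windows with too many port-unreachable messages.

    `packets` are (timestamp_seconds, source_ip, icmp_message_bytes), i.e. the
    IP payload of each ICMP packet. Returns (second, source, count), with
    source "*" for the all-sources total, which still fires when the attacker
    spreads the flood over spoofed addresses that stay under the per-source limit.
    """
    per_source = defaultdict(int)
    total = defaultdict(int)
    for ts, src, msg in packets:
        if parse_icmp(msg) != (ICMP_DEST_UNREACH, CODE_PORT_UNREACH):
            continue
        per_source[(int(ts), src)] += 1
        total[int(ts)] += 1
    alerts = [(sec, src, n) for (sec, src), n in per_source.items() if n >= per_source_pps]
    alerts += [(sec, "*", n) for sec, n in total.items() if n >= total_pps]
    return sorted(alerts)


def sample_traffic() -> List[Tuple[float, str, bytes]]:
    """Constructed capture: benign ICMP, one loud source, then six spoofed quieter ones."""
    # 28 zero bytes stand in for the quoted IP header + 8 bytes a real port-unreachable carries
    port_unreach = build_icmp(ICMP_DEST_UNREACH, CODE_PORT_UNREACH, bytes(28))
    pkts = [(0.1 + i * 0.01, "10.0.0.5", build_icmp(0, 0, b"\x00\x01\x00\x01")) for i in range(3)]  # echo replies
    pkts.append((0.2, "10.0.0.9", build_icmp(3, 4, bytes(28))))  # fragmentation needed: same type, other code
    pkts += [(1.0 + i / 2000, "198.51.100.7", port_unreach) for i in range(1500)]
    corrupted = port_unreach[:7] + bytes([port_unreach[7] ^ 0xFF]) + port_unreach[8:]
    pkts.append((1.5, "198.51.100.7", corrupted))  # bad checksum: must not be counted
    for s in range(6):
        pkts += [(2.0 + i / 1000, f"203.0.113.{s + 1}", port_unreach) for i in range(900)]
    return pkts


if __name__ == "__main__":
    for second, source, count in detect_blacknurse(sample_traffic()):
        print(f"t={second}s source={source} port-unreachable={count}/s")
```

On the sample the per-source rule catches the single loud host in second 1, while in second 2 six spoofed sources each stay under the per-source limit and only the all-sources total gives the flood away; the echo replies, the type 3 code 4 message and the corrupted packet are all ignored. The checksum check matters less for detection than for not miscounting junk, but it is cheap and it is what a firewall does before it spends CPU on the message.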


5 major Russian banks repel massive DDoS attack

At least five major Russian banks came under a continuous hacker attack, although online client services were not disrupted. The attack came from a wide-scale botnet involving at least 24,000 computers located in 30 countries. It began on Tuesday afternoon and continued for two days straight, according to a source close to Russia’s Central Bank quoted by RIA Novosti. Sberbank confirmed the DDoS attack on its online services. “The attacks are conducted from botnets, consisting of tens of thousands of computers, which are located in dozens of countries,” Sberbank’s press service told RIA. The initial attack was massive and grew in power over the course of the day. “We registered a first attack early in the morning … the next attack in the evening involved several waves, each of them twice as powerful as the previous one. The bank’s cybersecurity team noticed and located the attack in time. There have been no problems in client online services,” a Sberbank representative said. Alfabank also confirmed the attack, but called it a “weak” one. “There was an attack, but it was relatively weak. It did not affect Alfabank’s business systems in any way,” the bank told RIA Novosti. According to Russian computer security company Kaspersky Lab, more than half of the botnet devices were located in the US, India, Taiwan and Israel, while the attack came from 30 countries. Each wave lasted at least one hour, and the longest went on for 12 hours straight. The attacks peaked at 660,000 requests per second. Some of the banks were attacked repeatedly. “Such attacks are complex, and almost cannot be repelled by standard means used by internet providers,” the news agency quoted Kaspersky Lab’s statement as saying. According to a source in the Central Bank, the botnet behind the attack consists not only of computers but also of so-called Internet of Things (IoT) devices.

Computer security experts note that devices ranging from CCTV cameras to microwaves are prone to hacking and pose a significant threat when assembled into a botnet. Owners of such devices underestimate the risks and often do not even bother to change the default password. A massive botnet consisting of almost 150,000 CCTV cameras and able to send more than 1.5Tbps was reportedly uncovered in September. According to Kaspersky Lab, this was the first massive attack on Russian banks this year. The previous attack on such a scale came in October 2015, when eight major banks were affected. Source: https://www.rt.com/news/366172-russian-banks-ddos-attack/


Is government regulation the way to blunt DDoS attacks?

Government regulation is a sticky issue in any industry, perhaps even more so in cyber security. Every time the government creates a rule or an obligation, goes the argument, it merely opens a hole to be exploited. Exhibit number one is the call for makers of any product with encryption to create a secure back door that police and intelligence agencies can use to decrypt possibly criminal communications. Of course there’s no such thing as an absolutely secure back door, so it will end up being used by criminals or nation states. I raise this because last week security expert Bruce Schneier again raised the question of whether governments should step in to help give more protection against distributed denial of service (DDoS) attacks. It’s easy for attackers to build powerful DDoS botnets that leverage insecure Internet-connected devices like consumer webcams, he argues; the most recent example was last month’s attack on U.S. domain name service provider Dyn Inc., which temporarily impaired a number of online businesses including Twitter. It doesn’t matter, Schneier argues, whether DDoS attacks are state-based or not. The threat is that the software to build a botnet is so easily available, or one can simply be rented as a service, able to pour 1 Tbps and more of traffic at a target. “The market can’t fix this because neither the buyer nor the seller cares,” he has written. One logical place to block DDoS attacks is on the Internet backbone, he says, but providers have no incentive to do it because “they don’t feel the pain when the attacks occur and they have no way of billing for the service when they provide it.” So when the market can’t provide discipline, Schneier says, government should. He offers two suggestions: impose security regulations on manufacturers, forcing them to make their devices secure; or impose liabilities on manufacturers of insecure Internet-connected devices, allowing victims to sue them.

Either one of these would raise the cost of insecurity and give companies incentives to spend money making their devices secure, he argues. I’m not sure. For one thing, litigation is a long and expensive process. How do I sue a company headquartered in another country (say, China) that sells devices used by a person in a third country (say, Brazil) which are part of a botnet assembled by a person in yet another country (say, the U.S.) and used to attack me in Canada? There’s also the problem of defining “secure”. What can a manufacturer do if it forces the creation of a long password for a device, but users insist on insecure passwords (like “password123456879”)? Still, we need to discuss short-term solutions because, as Schneier points out, with the huge number of insecure Internet-connected devices out there, the DDoS problem is only going to get worse. Source: http://www.itworldcanada.com/article/is-government-regulation-the-way-to-blunt-ddos-attacks/388238
